1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Massive packets (receiving and sending)...

Discussion in 'Malware Removal' started by elim, Apr 7, 2006.

  1. elim

    elim Private E-2

    Hey all..

    I just started to get this weird unexplainable problem about a week ago and I know almost everything about computers but this one has me got me.

    Anyway heres what I'm dealing with:

    I'm on a very fast high speed cable modem with a router, 4 hardwire spots, and wireless. At the time we have 2 computers wireless and 2 computers hardwired, my main pc is the one having problems and its hardwired.

    For some odd odd reason my computer is receiving packets anywhere from 100 up to the 10,000s per seconds sometimes more. I have tryed so many things to resolve it and nothing has yet to aleviate this problem.

    As of now all of the other computers on the router are running fine, 1-10 packets per second. I can't figure this out for anything.

    I've try switching wire, I've run 3 different spy ware programs and my anti virus, I've reboot the router, the modem, my computer. I also downloaded a WinSock fix that didnt do anything for it either... I'm confused beyond belief.

    I am a gamer but in game and out of games I get random lag spikes, it will seem steady and then for 3-5 seconds it will stop like the connection broke and come back up just fine after. I can watch my ping jump in Ventrilo(a voice program) from 30 to 900 and go back down after the spike.

    Also just a note it seems like the lag happens every 15 seconds for 3-5 second long spikes.

    So.. any ideas??
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Do you have a software firewall on this PC?
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
    .
    Your alternatives to doing the above would be to install a packet capture program like Ethereal and use it to capture the incoming packets to see where they are coming from, but if this is malware related you will still need to run all of the READ & RUN ME.
     
  3. elim

    elim Private E-2

    I've done online scans as well as multiple Anti Spyware scan, Ad-Aware, Spyhunter, Symantec Nortan AV 10 CE, Bit Defender, Panda Activescan. I downloaded the packet watcher you recommended and I found one consistant line of packets that would drop and seemed like they were dropping in the time frame I counted around 15 second per lag spike.
    SOURCE: DESTINATION: INFO:
    192.168.0.1 239.255.255.250 NOTIFY * HTTP/1.1

    That seemed to be spammed 10-15 times in a row every 15 seconds in the packet logs... could this be whats causing my spikes and if so what is it??
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.

    You really should complete the instructions I gave you so I can more completely help you.
     
  5. elim

    elim Private E-2

    I've done all that scanned more than just once with a variety of different scanners. I just pulled up a HJT log for you to see if you see anything. I don't think it could be malware... althought as of right now I really have no idea, I've never had a problem like this before. The HJT Log:

    Edit by chaslang: Inline log attached! HJT installed incorrectly!
     

    Attached Files:

    Last edited by a moderator: Apr 8, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post any logs inline. As indicated in my previous message. Also since in many cases HijackThis logs are really not that useful by themseleves, that is why I asked for the other logs from other tools like Bitdefender and PandaActiveScan. HijackThis actually shows very little of the possible infections that could be on a PC. That being said, there is nothing to be concerned with in your HJT log, but again that does not come close to meaning you are clean.

    There are still two questions from my previous posts you have not answered:
    And here are some more:
    1. Have you flushed your DNS cache and have you reset your hosts file to default?
    2. Have you run a rootkit detector like BlackLight or Rootkit Revealer
     
  7. elim

    elim Private E-2

    Do you have a software firewall on this PC?
    Somewhat, Symantec Norton 10 CE or my router, but nothing like Zone Labs etc theyre too much of a pest.

    Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.
    Thats what it said when it was spammed 10-15 times in Ethereal so I'm assuming thats causing the spikes.

    1. Have you flushed your DNS cache and have you reset your hosts file to default?
    No, but I have done the WinSock fixed that set my registry files for networking to a default(didnt work).

    2. Have you run a rootkit detector like BlackLight or Rootkit Revealer
    No, never heard of the programs.

    Also I ran Bit Defender over night and while it was scanning Symantec Nortan 10 CE found more than it did for some reason, I wasnt running both but the auto protection found and supposedly deleted a few things.

    Bit Defender found:a
    W32.VB.AN@mm(deleted)

    Norton found:
    Trojan.Dropper(deleted)
    W32.Alcra.B(deleted)

    I'm still getting the same hundres of thousands of packets per second.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why would you consider providing yourself with greater protection a pest? You said you know everything about computers. You need a software firewall. It is provides better and more customizable and more frequently updated protection than a Hardware Firewall. Are you sure your Norton software does not include a firewall.

    What is the range of IP address being provided to your network by your router. Is it part of the 192.168.0.x network. I would bet the 192.168.0.1 address is your router. It is also possible that a spammer is using IP spoofing. Or it could be your own PC is broadcasting the packets. This happens with UPnP. Here is an example:
    You may want to read this: http://www.wilderssecurity.com/archive/index.php/t-30268.html

    Flush your DNS cache.


    You should run one of them but right just to be sure there are no root kits but it seems unlikely this is a rootkit. Seems more likely to be related to something to do with gaming and downloading of video streams.

    If you refuse to follow my instructions and attach the requested logs, I cannot help you.
     
    Last edited: Apr 8, 2006
  9. elim

    elim Private E-2

    Flush your DNS cache.

    How?

    --

    If you refuse to follow my instructions and attach the requested logs, I cannot help you.

    I did follow them, you told me to scan with certain programs and I did, what more can I do, repost your requests so I can review them but I did what you asked.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You implied you were an expert with compters so I did not think I needed to tell you how to do this. Run ipconfig /flushdns from a command prompt!

    I quote from my first message which you did not do any of. You did not even install HJT properly.
     
  11. elim

    elim Private E-2

    It's not my fault I didn't know what an inline command was lol, normally you just post your HJT log in the thread, anyways since it seems like your online right now if you have AIM you should IM me there at: Tactics703.

    I'm running Bit Defender right now, I'll save the log as you asked and will follow it with a Panda Active Scan and HJT.. INLINE! log lol.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I quote from the very first line in the READ & RUN ME:
    I do all of my work here in the forum threads. I do not use any instant messengers to do this. If I did, I would never have time to work in the forums. Thus I stopped using all IM's long ago.
     
  13. elim

    elim Private E-2

    ***IMPORTANT NOTE*** Please DO NOT post HJT logs before running this procedure and DO NOT post logs directly inline with your message. If you do not understand what this means, ask before posting.

    Oops my fault.

    Bit Defender is scanning as we speak. Although while Bit Defender was scanning already Norton Auto-Protect found 4 different Trojan.Dropper items.
    Also the Norton Auto-Protect isnt letting me get a log file so I will post what it is telling me exactly.

    Risk: Action: Count: Filename:

    Trojan.Dropper Partial 2 tmp000020aa
    Trojan.Dropper Deleted 2 TMP000~2
    Trojan.Dropper Partial 2 tmp0000211d
    Trojan.Dropper Deleted 2 TMP000~2
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not useful since it does not provide full path information to the actual file names. In addition it may only be picking up activities from what Bitdefender is doing and it may even be interferring with Bitdefender's scan and cleaning process.
     
  15. elim

    elim Private E-2

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HJT is still installed incorrectly but right now it does not matter since there is nothing we need to fix with it.

    I would ask why this C:\Program Files\mIRC\mirc.exe is always running and how does it load at startup (or are you loading it).

    Try shutting down all the unnecessary programs like Mirc, AIM, Ventrilo, and Steam etc and see if anything changes.

    What do you use the below for:
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    See: http://www.bleepingcomputer.com/startups/PRISMXL.SYS-10410.html

    Did you flush you DNS cache yet?

    I doubt your problems are malware related but let's did a little deeper.

    Also Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that looks like fsbl-xxxxxxx.log
    • Please attach the Blacklight log file here.
     
  17. elim

    elim Private E-2

    I start mIRC myself, I use it for gaming purposes.

    As for shutting down all of the programs I've been checking it when I reboot to see if it was down from the packets and it was the same way with the programs up. I've always ran these programs and it never affected anything.

    As for the PrismXL, I have no idea what it is but I will look into it between now and my next reply...... Nevermind I just checked the bleepingcomputer.com link although I'm not sure why it is starting, would you recommend removing it?

    I flushed the DNS cache a couple of hours of when you said to do so, no change, I'm going to disable my internet and flush it once more.

    Blacklight(found nothing):
    View attachment fsbl-20060409045250.log
     
  18. elim

    elim Private E-2

    I've been trying a few simple things in this lapse of a reply and I still haven't been able to fix it or locate the problem.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don;t understand your message. I want to know what happens when no other processes are running or loading not when they are running. You said " it was the same way with the programs up".

    Yes I would look to see if there is an uninstall for the program.
     
  20. elim

    elim Private E-2

    I meant that with the programs off, I still get the same packets with as I do with the programs turned on.

    There is no uninstall for it in Add/Remove and I'm still unsure what it is... What to do now....
     
  21. elim

    elim Private E-2

    I just found a file named SIFXINST.exe that was supposedly a trojan that sent info and I got rid of it through RegRun Security Suite and still nothing, I'm looking into PrismXL and I have a Gateway and it seems to be that only Gateways have it so I'm going to see if I can find it and possibly remove it temporarily. Any more suggestions?
     
  22. elim

    elim Private E-2

    PrismXL was not the problem I deleted it and backed it up to a different folder so it wouldnt start, sorry for the three posts in a row wouldnt let me edit but now I'm just clueless man.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is part of the PrismXL stuff. It is not a trojan. It just may be something you do not want of your PC especially if you did not install and do not need or want the feature.

    See: http://www.liutilities.com/products/wintaskspro/processlibrary/sifxinst/

    You cannot just delete the files. The O23 line is a service and the serive must be stopped and disabled. I'm very surprised nothing appears in Add/Remove programs for this. You may need to figure out what name they used (PrismXP , Lanovation,
    Lanovation Prism, New Boundary Technologies)

    I don't believe you are having malware problems. I still feel it is because of something you have installed and are running. Possibly from the other PCs on the network too. Try disconnect all the other PCs or shutting them down. Does it still happen? Could be related to your game stuff. Again I still think you are in the wrong forum. I could be wrong, but I have not seen and malware stuff making use of multicast IP addressing like this. Your games my be setup to send IGMP Joins (part of multicast protocol) to a video server of some sort.
     
    Last edited: Apr 12, 2006
  24. elim

    elim Private E-2

    I looked for all of the names New Boundary Technologies was the folder it was in and it did not show up in Add/Remove as the others didnt either.

    Although, I found something quite interesting. I turned all of my current running programs off and ran Ethereal and some how it picked up some things so I'm going to post what it found in roughly 1 minute of being on. It seems like it's something internal actually...

    ... Ok I can't upload the capture file from Ethereal how can I get it to you?
     
  25. elim

    elim Private E-2

  26. elim

    elim Private E-2

    I would like to get rid of the 100 packets per second and try to get it down to 10-20 a second but if not I will settle for no lag spikes lol :D
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  28. elim

    elim Private E-2

    Any ideas of why the packet flow is still high??
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No but I don't believe it has anything to do with malware. You probably should check into the Software or maybe Networking forums for ideas. I think it is related to your own network or software you are running on your PC.

    Have you ever check to see if it occurs after booting in safe mode?
    Does it occur if you disconnect the WAN side (internet side) of your router from the cable company's modem? This would isolate your network from the external world. And if it still occurs you would definitely need to check what is going on in your own network.
     
  30. elim

    elim Private E-2

    I actually have tried to connect wireless and received the same packets. 100+ a second.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But that is not what I suggested. You are still connecting to the internet.
     
  32. elim

    elim Private E-2

    Hello again Chaslang, I don't believe it and you may not either... These random spikes have started again with the same code as before found in Ethereal. The fix I did for UPnP before is still in place and it has some how started again. This time it is on both of my computers up here not just one. Any ideas of what could be happened now please let me know ASAP.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! But from what I remember (without reading thru the whole thread) this was not a malware problem anyway.

    Perhaps you would be better served in the Software Forum.
     
  34. elim

    elim Private E-2

    Could you possibly move the thread?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I could do that but you would be better off starting a new thread and describing your current problem/symptoms. And reference this thread in the malware forum to indicate what has already been done.. If we move this whole thread (with 34 messages already in it) to the software forum, it may not get read and you may get no responses.
     

Share This Page

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds