
Massive packets (receiving and sending)...

Discussion in 'Malware Removal' started by elim, Apr 7, 2006.

  1. elim

    elim Private E-2

    Hey all..

    I just started to get this weird, unexplainable problem about a week ago, and I know almost everything about computers, but this one has got me.

    Anyway, here's what I'm dealing with:

    I'm on a very fast high speed cable modem with a router, 4 hardwire spots, and wireless. At the moment we have 2 computers wireless and 2 computers hardwired; my main PC is the one having problems and it's hardwired.

    For some odd reason my computer is receiving packets anywhere from 100 up to the 10,000s per second, sometimes more. I have tried so many things to resolve it and nothing has yet alleviated this problem.

    As of now all of the other computers on the router are running fine, 1-10 packets per second. I can't figure this out for anything.

    I've tried switching wires, I've run 3 different spyware programs and my antivirus, I've rebooted the router, the modem, and my computer. I also downloaded a WinSock fix that didn't do anything for it either... I'm confused beyond belief.

    I am a gamer, but in game and out of games I get random lag spikes; it will seem steady and then for 3-5 seconds it will stop like the connection broke and come back up just fine after. I can watch my ping jump in Ventrilo (a voice program) from 30 to 900 and go back down after the spike.

    Also just a note it seems like the lag happens every 15 seconds for 3-5 second long spikes.

    So.. any ideas??
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Do you have a software firewall on this PC?
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
    Your alternative to doing the above would be to install a packet capture program like Ethereal and use it to capture the incoming packets to see where they are coming from, but if this is malware related you will still need to run all of the READ & RUN ME.
     
  3. elim

    elim Private E-2

    I've done online scans as well as multiple anti-spyware scans: Ad-Aware, Spyhunter, Symantec Norton AV 10 CE, Bit Defender, Panda ActiveScan. I downloaded the packet watcher you recommended and I found one consistent line of packets that would drop, and it seemed like they were dropping in the time frame I counted, around 15 seconds per lag spike.

    SOURCE:        DESTINATION:       INFO:
    192.168.0.1    239.255.255.250    NOTIFY * HTTP/1.1

    That seemed to be spammed 10-15 times in a row every 15 seconds in the packet logs... could this be what's causing my spikes, and if so, what is it??
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.

    You really should complete the instructions I gave you so I can more completely help you.
     
  5. elim

    elim Private E-2

    I've done all that, scanned more than just once with a variety of different scanners. I just pulled up a HJT log for you to see if you see anything. I don't think it could be malware... although as of right now I really have no idea; I've never had a problem like this before. The HJT log:

    Edit by chaslang: Inline log attached! HJT installed incorrectly!
     


    Last edited by a moderator: Apr 8, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post any logs inline, as indicated in my previous message. Also, since in many cases HijackThis logs are really not that useful by themselves, that is why I asked for the other logs from other tools like Bitdefender and Panda ActiveScan. HijackThis actually shows very little of the possible infections that could be on a PC. That being said, there is nothing to be concerned with in your HJT log, but again that does not come close to meaning you are clean.

    There are still two questions from my previous posts you have not answered:
    And here are some more:
    1. Have you flushed your DNS cache and have you reset your hosts file to default?
    2. Have you run a rootkit detector like BlackLight or Rootkit Revealer?
     
  7. elim

    elim Private E-2

    Do you have a software firewall on this PC?
    Somewhat, Symantec Norton 10 CE or my router, but nothing like Zone Labs etc.; they're too much of a pest.

    Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.
    That's what it said when it was spammed 10-15 times in Ethereal, so I'm assuming that's causing the spikes.

    1. Have you flushed your DNS cache and have you reset your hosts file to default?
    No, but I have done the WinSock fix that set my registry files for networking to a default (didn't work).

    2. Have you run a rootkit detector like BlackLight or Rootkit Revealer?
    No, never heard of the programs.

    Also I ran Bit Defender overnight, and while it was scanning, Symantec Norton 10 CE found more than it did for some reason. I wasn't running both, but the auto protection found and supposedly deleted a few things.

    Bit Defender found:
    W32.VB.AN@mm(deleted)

    Norton found:
    Trojan.Dropper(deleted)
    W32.Alcra.B(deleted)

    I'm still getting the same hundreds of thousands of packets per second.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why would you consider providing yourself with greater protection a pest? You said you know everything about computers. You need a software firewall. It provides better, more customizable and more frequently updated protection than a hardware firewall. Are you sure your Norton software does not include a firewall?

    What is the range of IP addresses being provided to your network by your router? Is it part of the 192.168.0.x network? I would bet the 192.168.0.1 address is your router. It is also possible that a spammer is using IP spoofing. Or it could be your own PC is broadcasting the packets. This happens with UPnP. Here is an example:
    You may want to read this: http://www.wilderssecurity.com/archive/index.php/t-30268.html

    Flush your DNS cache.


    You should run one of them just to be sure there are no rootkits, but it seems unlikely this is a rootkit. Seems more likely to be related to something to do with gaming and downloading of video streams.

    If you refuse to follow my instructions and attach the requested logs, I cannot help you.
     
    Last edited: Apr 8, 2006
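    One way to check the capture pattern elim described, as an added example that is not code from the thread or from MajorGeeks: it parses Ethereal-style summary lines, groups the NOTIFY packets sent to 239.255.255.250 (the SSDP multicast group that UPnP devices such as a router advertise to) into bursts, and reports whether the bursts are periodic and whether their rate could account for the packets-per-second figure the user reported. The sample lines and the 10.0.0.5 game-server address are constructed.

```python
import re

SSDP_MCAST = "239.255.255.250"  # well-known SSDP (UPnP discovery) multicast group

# Constructed Ethereal-style summary lines "<time> <src> <dst> <proto> <info>":
# a dozen router NOTIFYs at t=0 s, a dozen more at t=15 s, two unicast game packets.
SAMPLE = [f"{s + i * 0.01:.3f} 192.168.0.1 {SSDP_MCAST} SSDP NOTIFY * HTTP/1.1"
          for s in (0.0, 15.0) for i in range(12)]
SAMPLE += ["3.200 10.0.0.5 192.168.0.10 UDP Source port: 27015  Destination port: 27005",
           "9.100 10.0.0.5 192.168.0.10 UDP Source port: 27015  Destination port: 27005",
           "garbage line that the parser should skip"]

LINE_RE = re.compile(r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")

def parse(lines):
    """Return (time, src, dst, proto, info) tuples sorted by time; skip unparsable lines."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            pkts.append((float(m["t"]), m["src"], m["dst"], m["proto"], m["info"]))
    return sorted(pkts)

def ssdp_bursts(pkts, gap=1.0):
    """Group NOTIFYs to the SSDP multicast group into bursts separated by > gap seconds.
    Returns [(burst_start, count, source_ip), ...]."""
    bursts = []  # entries: (start, count, src, last_seen)
    for t, src, dst, _proto, info in pkts:
        if dst != SSDP_MCAST or not info.startswith("NOTIFY"):
            continue
        if bursts and src == bursts[-1][2] and t - bursts[-1][3] <= gap:
            start, count, _, _ = bursts[-1]
            bursts[-1] = (start, count + 1, src, t)
        else:
            bursts.append((t, 1, src, t))
    return [(start, count, src) for start, count, src, _last in bursts]

def assess(pkts, reported_pps):
    """Is the SSDP chatter the periodic router-advertisement pattern, and could its
    rate account for the packets-per-second figure the user reported?"""
    bursts = ssdp_bursts(pkts)
    span = max(pkts[-1][0] - pkts[0][0], 1.0) if pkts else 1.0
    gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
    ssdp_pps = sum(c for _, c, _ in bursts) / span
    return {
        "bursts": len(bursts),
        "per_burst": [c for _, c, _ in bursts],
        "period_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        "periodic": bool(gaps) and max(gaps) - min(gaps) < 2.0,
        "ssdp_pps": round(ssdp_pps, 2),
        "ssdp_explains_load": ssdp_pps >= 0.5 * reported_pps,
    }

if __name__ == "__main__":
    print(assess(parse(SAMPLE), reported_pps=100))  # 100 pps is the low end elim reported
```

    A dozen NOTIFYs every 15 seconds is about 1.6 packets per second, so if the capture shows only that pattern, it is the router's ordinary UPnP advertisement and something else must account for a rate of hundreds per second.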
  9. elim

    elim Private E-2

    Flush your DNS cache.

    How?

    --

    If you refuse to follow my instructions and attach the requested logs, I cannot help you.

    I did follow them, you told me to scan with certain programs and I did, what more can I do, repost your requests so I can review them but I did what you asked.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You implied you were an expert with computers, so I did not think I needed to tell you how to do this. Run ipconfig /flushdns from a command prompt!

    I quote from my first message which you did not do any of. You did not even install HJT properly.
     
  11. elim

    elim Private E-2

    It's not my fault I didn't know what an inline command was lol, normally you just post your HJT log in the thread. Anyways, since it seems like you're online right now, if you have AIM you should IM me there at: Tactics703.

    I'm running Bit Defender right now, I'll save the log as you asked and will follow it with a Panda Active Scan and HJT.. INLINE! log lol.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I quote from the very first line in the READ & RUN ME:
    I do all of my work here in the forum threads. I do not use any instant messengers to do this. If I did, I would never have time to work in the forums. Thus I stopped using all IM's long ago.
     
  13. elim

    elim Private E-2

    ***IMPORTANT NOTE*** Please DO NOT post HJT logs before running this procedure and DO NOT post logs directly inline with your message. If you do not understand what this means, ask before posting.

    Oops my fault.

    Bit Defender is scanning as we speak. Although while Bit Defender was scanning, Norton Auto-Protect already found 4 different Trojan.Dropper items.
    Also Norton Auto-Protect isn't letting me get a log file, so I will post exactly what it is telling me.

    Risk:             Action:    Count:    Filename:
    Trojan.Dropper    Partial    2         tmp000020aa
    Trojan.Dropper    Deleted    2         TMP000~2
    Trojan.Dropper    Partial    2         tmp0000211d
    Trojan.Dropper    Deleted    2         TMP000~2
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not useful, since it does not provide full path information to the actual file names. In addition it may only be picking up activities from what Bitdefender is doing, and it may even be interfering with Bitdefender's scan and cleaning process.
     
  15. elim

    elim Private E-2

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HJT is still installed incorrectly but right now it does not matter since there is nothing we need to fix with it.

    I would ask why this C:\Program Files\mIRC\mirc.exe is always running and how it loads at startup (or are you loading it).

    Try shutting down all the unnecessary programs like Mirc, AIM, Ventrilo, and Steam etc and see if anything changes.

    What do you use the below for:
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    See: http://www.bleepingcomputer.com/startups/PRISMXL.SYS-10410.html

    Did you flush your DNS cache yet?

    I doubt your problems are malware related, but let's dig a little deeper.

    Also Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that looks like fsbl-xxxxxxx.log
    • Please attach the Blacklight log file here.
     
  17. elim

    elim Private E-2

    I start mIRC myself, I use it for gaming purposes.

    As for shutting down all of the programs, I've been checking when I reboot to see if the packets were down, and it was the same way with the programs up. I've always run these programs and it never affected anything.

    As for the PrismXL, I have no idea what it is but I will look into it between now and my next reply...... Never mind, I just checked the bleepingcomputer.com link, although I'm not sure why it is starting; would you recommend removing it?

    I flushed the DNS cache a couple of hours ago when you said to do so, no change. I'm going to disable my internet and flush it once more.

    Blacklight (found nothing):
    View attachment fsbl-20060409045250.log
     
  18. elim

    elim Private E-2

    I've been trying a few simple things in this lapse of a reply and I still haven't been able to fix it or locate the problem.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand your message. I want to know what happens when no other processes are running or loading, not when they are running. You said "it was the same way with the programs up".

    Yes I would look to see if there is an uninstall for the program.
     
  20. elim

    elim Private E-2

    I meant that with the programs off, I still get the same packets as I do with the programs turned on.

    There is no uninstall for it in Add/Remove and I'm still unsure what it is... What to do now....
     
