Massive packets (receiving and sending)...

[elim]

Hey all..

I just started to get this weird unexplainable problem about a week ago and I know almost everything about computers but this one has me got me.

Anyway heres what I'm dealing with:

I'm on a very fast high speed cable modem with a router, 4 hardwire spots, and wireless. At the time we have 2 computers wireless and 2 computers hardwired, my main pc is the one having problems and its hardwired.

For some odd odd reason my computer is receiving packets anywhere from 100 up to the 10,000s per seconds sometimes more. I have tryed so many things to resolve it and nothing has yet to aleviate this problem.

As of now all of the other computers on the router are running fine, 1-10 packets per second. I can't figure this out for anything.

I've try switching wire, I've run 3 different spy ware programs and my anti virus, I've reboot the router, the modem, my computer. I also downloaded a WinSock fix that didnt do anything for it either... I'm confused beyond belief.

I am a gamer but in game and out of games I get random lag spikes, it will seem steady and then for 3-5 seconds it will stop like the connection broke and come back up just fine after. I can watch my ping jump in Ventrilo(a voice program) from 30 to 900 and go back down after the spike.

Also just a note it seems like the lag happens every 15 seconds for 3-5 second long spikes.

So.. any ideas??

[chaslang]

Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Do you have a software firewall on this PC?

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
  • Bitdefender
  • Panda Scan
  • HijackThis

.
Your alternatives to doing the above would be to install a packet capture program like Ethereal and use it to capture the incoming packets to see where they are coming from, but if this is malware related you will still need to run all of the READ & RUN ME.

[elim]

I've done online scans as well as multiple Anti Spyware scan, Ad-Aware, Spyhunter, Symantec Nortan AV 10 CE, Bit Defender, Panda Activescan. I downloaded the packet watcher you recommended and I found one consistant line of packets that would drop and seemed like they were dropping in the time frame I counted around 15 second per lag spike.
SOURCE: DESTINATION: INFO:
192.168.0.1 239.255.255.250 NOTIFY * HTTP/1.1

That seemed to be spammed 10-15 times in a row every 15 seconds in the packet logs... could this be whats causing my spikes and if so what is it??

[chaslang]

Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.

You really should complete the instructions I gave you so I can more completely help you.

[elim]

I've done all that scanned more than just once with a variety of different scanners. I just pulled up a HJT log for you to see if you see anything. I don't think it could be malware... althought as of right now I really have no idea, I've never had a problem like this before. The HJT Log:

Edit by chaslang: Inline log attached! HJT installed incorrectly!

[chaslang]

Please do not post any logs inline. As indicated in my previous message. Also since in many cases HijackThis logs are really not that useful by themseleves, that is why I asked for the other logs from other tools like Bitdefender and PandaActiveScan. HijackThis actually shows very little of the possible infections that could be on a PC. That being said, there is nothing to be concerned with in your HJT log, but again that does not come close to meaning you are clean.

There are still two questions from my previous posts you have not answered:

Quote:

Do you have a software firewall on this PC?

Quote:

Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.

And here are some more:

1. Have you flushed your DNS cache and have you reset your hosts file to default?
2. Have you run a rootkit detector like BlackLight or Rootkit Revealer

[elim]

Do you have a software firewall on this PC?
Somewhat, Symantec Norton 10 CE or my router, but nothing like Zone Labs etc theyre too much of a pest.

Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.
Thats what it said when it was spammed 10-15 times in Ethereal so I'm assuming thats causing the spikes.

1. Have you flushed your DNS cache and have you reset your hosts file to default?
No, but I have done the WinSock fixed that set my registry files for networking to a default(didnt work).

2. Have you run a rootkit detector like BlackLight or Rootkit Revealer
No, never heard of the programs.

Also I ran Bit Defender over night and while it was scanning Symantec Nortan 10 CE found more than it did for some reason, I wasnt running both but the auto protection found and supposedly deleted a few things.

Bit Defender found:a
W32.VB.AN@mm(deleted)

Norton found:
Trojan.Dropper(deleted)
W32.Alcra.B(deleted)

I'm still getting the same hundres of thousands of packets per second.

[chaslang]

Quote:

Originally Posted by elim

Do you have a software firewall on this PC?
Somewhat, Symantec Norton 10 CE or my router, but nothing like Zone Labs etc theyre too much of a pest.

Why would you consider providing yourself with greater protection a pest? You said you know everything about computers. You need a software firewall. It is provides better and more customizable and more frequently updated protection than a Hardware Firewall. Are you sure your Norton software does not include a firewall.

Quote:

Originally Posted by elim

Are you sure about the source and destination address? 192.168.0.1 sounds like an address you would use in your own network but you said it was the source. And 239.255.255.250 is part of a multicast range of addresses normally used for video streams.
Thats what it said when it was spammed 10-15 times in Ethereal so I'm assuming thats causing the spikes.

What is the range of IP address being provided to your network by your router. Is it part of the 192.168.0.x network. I would bet the 192.168.0.1 address is your router. It is also possible that a spammer is using IP spoofing. Or it could be your own PC is broadcasting the packets. This happens with UPnP. Here is an example:

Quote:

"Generic Host Process for Win32 Services (svchost.exe) is trying to braodcast to {239.255.255.250}using remote port 1900 {SSDP - Simple Service Discovery Protocol}. Do you want to allow this program to access the network?"

You may want to read this: http://www.wilderssecurity.com/archive/index.php/t-30268.html

Quote:

Originally Posted by elim

1. Have you flushed your DNS cache and have you reset your hosts file to default?
No, but I have done the WinSock fixed that set my registry files for networking to a default(didnt work).

Flush your DNS cache.

Quote:

Originally Posted by elim

2. Have you run a rootkit detector like BlackLight or Rootkit Revealer
No, never heard of the programs.

You should run one of them but right just to be sure there are no root kits but it seems unlikely this is a rootkit. Seems more likely to be related to something to do with gaming and downloading of video streams.

Quote:

Originally Posted by elim

Also I ran Bit Defender over night and while it was scanning Symantec Nortan 10 CE found more than it did for some reason, I wasnt running both but the auto protection found and supposedly deleted a few things.

Bit Defender found:a
W32.VB.AN@mm(deleted)

Norton found:
Trojan.Dropper(deleted)
W32.Alcra.B(deleted)
.

If you refuse to follow my instructions and attach the requested logs, I cannot help you.

[elim]

Flush your DNS cache.

How?

--

If you refuse to follow my instructions and attach the requested logs, I cannot help you.

I did follow them, you told me to scan with certain programs and I did, what more can I do, repost your requests so I can review them but I did what you asked.

[chaslang]

Quote:

Originally Posted by elim

Flush your DNS cache.

How?

You implied you were an expert with compters so I did not think I needed to tell you how to do this. Run ipconfig /flushdns from a command prompt!

Quote:

Originally Posted by elim

If you refuse to follow my instructions and attach the requested logs, I cannot help you.

I did follow them, you told me to scan with certain programs and I did, what more can I do, repost your requests so I can review them but I did what you asked.

I quote from my first message which you did not do any of. You did not even install HJT properly.

Quote:

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)

• Bitdefender
• Panda Scan
• HijackThis

[elim]

It's not my fault I didn't know what an inline command was lol, normally you just post your HJT log in the thread, anyways since it seems like your online right now if you have AIM you should IM me there at: Tactics703.

I'm running Bit Defender right now, I'll save the log as you asked and will follow it with a Panda Active Scan and HJT.. INLINE! log lol.

[chaslang]

Quote:

Originally Posted by elim

It's not my fault I didn't know what an inline command was lol, normally you just post your HJT log in the thread, .

I quote from the very first line in the READ & RUN ME:

Quote:

***IMPORTANT NOTE*** Please DO NOT post HJT logs before running this procedure and DO NOT post logs directly inline with your message. If you do not understand what this means, ask before posting.

I do all of my work here in the forum threads. I do not use any instant messengers to do this. If I did, I would never have time to work in the forums. Thus I stopped using all IM's long ago.

[elim]

***IMPORTANT NOTE*** Please DO NOT post HJT logs before running this procedure and DO NOT post logs directly inline with your message. If you do not understand what this means, ask before posting.

Oops my fault.

Bit Defender is scanning as we speak. Although while Bit Defender was scanning already Norton Auto-Protect found 4 different Trojan.Dropper items.
Also the Norton Auto-Protect isnt letting me get a log file so I will post what it is telling me exactly.

Risk: Action: Count: Filename:

Trojan.Dropper Partial 2 tmp000020aa
Trojan.Dropper Deleted 2 TMP000~2
Trojan.Dropper Partial 2 tmp0000211d
Trojan.Dropper Deleted 2 TMP000~2

[chaslang]

Quote:

Originally Posted by elim

Also the Norton Auto-Protect isnt letting me get a log file so I will post what it is telling me exactly.

Risk: Action: Count: Filename:

Trojan.Dropper Partial 2 tmp000020aa
Trojan.Dropper Deleted 2 TMP000~2
Trojan.Dropper Partial 2 tmp0000211d
Trojan.Dropper Deleted 2 TMP000~2

Not useful since it does not provide full path information to the actual file names. In addition it may only be picking up activities from what Bitdefender is doing and it may even be interferring with Bitdefender's scan and cleaning process.

[elim]

Ok, I did all three scans in order as you requested.

Bitdefender:
Found nothing.

Panda Activescan:
Activescan.txt

HJT Log:
hijackthis.log

So what are we looking at here?

[chaslang]

HJT is still installed incorrectly but right now it does not matter since there is nothing we need to fix with it.

I would ask why this C:\Program Files\mIRC\mirc.exe is always running and how does it load at startup (or are you loading it).

Try shutting down all the unnecessary programs like Mirc, AIM, Ventrilo, and Steam etc and see if anything changes.

What do you use the below for:
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

See: http://www.bleepingcomputer.com/star...SYS-10410.html

Did you flush you DNS cache yet?

I doubt your problems are malware related but let's did a little deeper.

Also Download & run Blacklight Beta

• Hit I accept. It will take you to download page.
• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that looks like fsbl-xxxxxxx.log
• Please attach the Blacklight log file here.

[elim]

I start mIRC myself, I use it for gaming purposes.

As for shutting down all of the programs I've been checking it when I reboot to see if it was down from the packets and it was the same way with the programs up. I've always ran these programs and it never affected anything.

As for the PrismXL, I have no idea what it is but I will look into it between now and my next reply...... Nevermind I just checked the bleepingcomputer.com link although I'm not sure why it is starting, would you recommend removing it?

I flushed the DNS cache a couple of hours of when you said to do so, no change, I'm going to disable my internet and flush it once more.

Blacklight(found nothing):
fsbl-20060409045250.log

[elim]

I've been trying a few simple things in this lapse of a reply and I still haven't been able to fix it or locate the problem.

[chaslang]

Quote:

Originally Posted by elim

I start mIRC myself, I use it for gaming purposes.

As for shutting down all of the programs I've been checking it when I reboot to see if it was down from the packets and it was the same way with the programs up. I've always ran these programs and it never affected anything.

I don;t understand your message. I want to know what happens when no other processes are running or loading not when they are running. You said " it was the same way with the programs up".

Quote:

Originally Posted by elim

As for the PrismXL, I have no idea what it is but I will look into it between now and my next reply...... Nevermind I just checked the bleepingcomputer.com link although I'm not sure why it is starting, would you recommend removing it?

Yes I would look to see if there is an uninstall for the program.

[elim]

I meant that with the programs off, I still get the same packets with as I do with the programs turned on.

There is no uninstall for it in Add/Remove and I'm still unsure what it is... What to do now....