Tech Support Guy Forums > Security & Malware Removal > General Security
Unrequested Internet Traffic
dondari (Junior Member, joined Apr 2008)
14-Apr-2008, 09:30 PM #1
Unrequested Internet Traffic
Hi, I'm using Windows XP Home SP 2. My problem is unrequested internet traffic, which uses 20-50% of my dial-up internet capacity on a continuous basis. I have discounted all apps and automatic updates, so I believe the problem is in the o/s. Two virus scanners (Norton & Trendmicro) can't find the problem.

The traffic starts immediately upon connect (I have noticed it drop off on rare occasion). It shows as a continuous up/down wave on the Networking graph in Windows Task Manager. I installed Microsoft Network Monitor 3.1 but am a newbie at reading the conversations. I have noticed patterns in the frame traffic with unidentified tcp/ip addresses changing every 1,000 or so frames. For example:

Frame Time Source Destination Protocol Description
42 13.418945 me 4.23.40.126 WinUpdV5 WinUpdV5
43 13.888672 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
44 14.002929 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548936010, Win=8410 (scale factor not found)
45 14.431640 4.23.40.126 me HTTP HTTP: HTTP Payload
46 14.606445 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548937470, Win=8760 (scale factor not found)
47 14.976562 4.23.40.126 me HTTP HTTP: HTTP Payload
48 15.109375 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548938930, Win=8760 (scale factor not found)
49 15.480469 4.23.40.126 me HTTP HTTP: HTTP Payload
50 15.712890 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548940390, Win=8760 (scale factor not found)
51 16.023437 4.23.40.126 me HTTP HTTP: HTTP Payload
52 16.215820 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548941850, Win=8760 (scale factor not found)
53 16.271484 4.23.40.126 me HTTP HTTP: HTTP Payload
54 16.416992 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548942603, Win=8007 (scale factor not found)
55 18.139648 me 4.23.40.126 WinUpdV5 WinUpdV5
56 18.607422 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
57 18.730469 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548942953, Win=7657 (scale factor not found)
58 19.152344 4.23.40.126 me HTTP HTTP: HTTP Payload
59 19.435547 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548944413, Win=8760 (scale factor not found)
60 19.695312 4.23.40.126 me HTTP HTTP: HTTP Payload
61 19.836914 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548945873, Win=8760 (scale factor not found)
62 20.191406 4.23.40.126 me HTTP HTTP: HTTP Payload
63 20.441406 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548947333, Win=8760 (scale factor not found)
64 20.736328 4.23.40.126 me HTTP HTTP: HTTP Payload
65 20.843750 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548948793, Win=8760 (scale factor not found)
66 20.951172 4.23.40.126 me HTTP HTTP: HTTP Payload
67 21.246094 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548949482, Win=8071 (scale factor not found)
68 22.833984 me 4.23.40.126 WinUpdV5 WinUpdV5

Some of the frames that have a legible message in the hex are MsgSvcSend frames and are shown below. Note that the IP addresses are not the same as the former traffic:

Frame Time Source Destination Protocol
254 88.821289 24.64.6.24 me MsgSvcSend
255 88.836914 24.64.6.24 me MsgSvcSend
256 88.836914 24.64.6.24 me MsgSvcSend
363 127.442383 221.209.110.7 me MsgSvcSend
364 127.483398 221.209.110.7 me MsgSvcSend
421 146.331054 202.97.238.198 me MsgSvcSend
1025 360.344726 221.208.208.89 me MsgSvcSend
1026 360.522461 221.208.208.89 me MsgSvcSend
1233 432.214844 24.64.114.50 me MsgSvcSend
1234 432.351562 24.64.114.50 me MsgSvcSend
1235 432.367187 24.64.114.50 me MsgSvcSend
1503 525.363281 24.64.162.206 me MsgSvcSend

"CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED...To FIX this problem:.Open Internet Explorer and type: www.registrycleanerxp.com.Once you load the web page, close this message window..After you install the cleaner program you will not receive any more reminders or pop-ups like this...VISIT www.registrycleanerxp.com IMMEDIATELY!...."

Note, I only see the above message through Network Monitor and not as a pop-up.

Do you have any idea what this may be? Thank you.
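Working through a Network Monitor summary like the one above by hand is slow. The script below is an added example, not part of the post: it parses lines in that layout, groups them by remote host, counts 206 Partial Content replies and inbound MsgSvcSend datagrams, and estimates how many bytes each host delivered from how far our own ACK number advanced on each source port. Two caveats it encodes as labels: a run of 206 replies on a connection our side opened is what range (chunked) downloads such as BITS jobs look like, while MsgSvcSend frames are Messenger-service pop-up datagrams arriving unasked from outside. Windows XP SP2 ships with the Messenger service disabled, which is consistent with the text being visible only in the capture and never on screen. The sample lines are copied from the post's two tables; `me`, `summarize` and `classify` are this example's own names.

```python
import re
from collections import defaultdict

# Frame lines in the layout Network Monitor 3.1 shows in the post above
# (Frame Time Source Destination Protocol Description). The first block is
# copied from the post's first table, the last two lines from its second.
SAMPLE = """\
Frame Time Source Destination Protocol Description
42 13.418945 me 4.23.40.126 WinUpdV5 WinUpdV5
43 13.888672 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
44 14.002929 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548936010, Win=8410 (scale factor not found)
45 14.431640 4.23.40.126 me HTTP HTTP: HTTP Payload
46 14.606445 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548937470, Win=8760 (scale factor not found)
54 16.416992 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548942603, Win=8007 (scale factor not found)
254 88.821289 24.64.6.24 me MsgSvcSend
363 127.442383 221.209.110.7 me MsgSvcSend
"""

FRAME_RE = re.compile(r"^(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
ACK_RE = re.compile(r"SrcPort=(\d+).*?Ack=(\d+)")


def parse_frame(line):
    """Split one Network Monitor summary line into its columns; None if it is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    frame, t, src, dst, proto, desc = m.groups()
    return {"frame": int(frame), "time": float(t), "src": src,
            "dst": dst, "proto": proto, "desc": desc}


def classify(stats):
    """Label a remote host from what was exchanged with it."""
    if stats["messenger_datagrams"]:
        # Inbound Messenger-service (pop-up) datagrams: nothing local asked for them.
        return "unsolicited inbound Messenger-service datagrams"
    if stats["range_responses"]:
        # 206 Partial Content replies are what range (chunked) downloads such as BITS jobs produce.
        return "HTTP range download initiated from this host"
    return "unclassified"


def summarize(text, me="me"):
    """Per remote host: frame count, protocols, 206 replies, Messenger datagrams,
    and an estimate of bytes received computed from how far our ACK number advanced."""
    hosts = defaultdict(lambda: {"frames": 0, "protocols": set(), "range_responses": 0,
                                 "messenger_datagrams": 0, "first_ack": {}, "last_ack": {}})
    for line in text.splitlines():
        f = parse_frame(line)
        if f is None:
            continue
        remote = f["dst"] if f["src"] == me else f["src"]
        h = hosts[remote]
        h["frames"] += 1
        h["protocols"].add(f["proto"])
        if f["proto"] == "HTTP" and "Status Code = 206" in f["desc"]:
            h["range_responses"] += 1
        if f["proto"] == "MsgSvcSend":
            h["messenger_datagrams"] += 1
        if f["src"] == me and f["proto"] == "TCP":
            m = ACK_RE.search(f["desc"])
            if m:
                port, ack = m.group(1), int(m.group(2))
                h["first_ack"].setdefault(port, ack)   # ACK value in our first ACK on this port
                h["last_ack"][port] = ack              # ACK value in our latest ACK on this port
    report = {}
    for remote, h in hosts.items():
        # Our ACK number advances by exactly the bytes the remote side delivered.
        received = sum(h["last_ack"][p] - h["first_ack"][p] for p in h["first_ack"])
        report[remote] = {"frames": h["frames"], "protocols": sorted(h["protocols"]),
                          "range_responses": h["range_responses"],
                          "messenger_datagrams": h["messenger_datagrams"],
                          "bytes_received_est": received, "kind": classify(h)}
    return report


if __name__ == "__main__":
    for remote, r in summarize(SAMPLE).items():
        print(f"{remote:16} {r['frames']:3} frames  {r['bytes_received_est']:6} B  {r['kind']}")
```

On the copied lines the estimate for 4.23.40.126 comes out at 6593 bytes between frames 44 and 54, which matches the handful of HTTP Payload frames in between; run on a full export, the per-host totals are what to compare against the byte counts the firewall reports.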
dondari
15-Apr-2008, 06:58 PM #2
Further info -- I found similar problems on other website forums but no answers. My firewall shows network connection to remote IP address 204.160.99.123 (OrgName: Level 3 Communications, Inc.) as:

Details: Connection: msgr.dlservice.microsoft.com: http(80).
from <ME>: 3080.
11264 bytes sent.
550169 bytes received.
3:31.921 elapsed time.

The traffic can be terminated by stopping the service Background Intelligent Transfer Service (BITS), which works in the short-term but is far from ideal.
dondari
28-Apr-2008, 05:28 PM #3
Please post this in the General Security forum. Thx.
dondari
30-Apr-2008, 01:10 AM #4
Isolated the problematic IP addresses and wrote firewall blocking rules for the key ones (Level 3, Asia Pacific). Again not ideal, but effective. At least I can keep BITS enabled but I have to be vigilant re: IP addresses of which I am unaware. (I am not sure how much impact this solution will have on future browsing.)

4.0.0.0 - 4.255.255.255 Level 3 Communications, Inc.
8.0.0.0 - 8.255.255.255 Level 3 Communications, Inc.
24.64.0.0 - 24.71.255.255 Shaw Communications Inc.
58.0.0.0 - 58.255.255.255 Asia Pacific Network Information Centre
60.0.0.0 - 60.255.255.255 Asia Pacific Network Information Centre
61.0.0.0 - 61.255.255.255 Asia Pacific Network Information Centre
65.192.0.0 - 65.223.255.255 MCI Communications
67.78.0.0 - 67.79.255.255 Road Runner HoldCo LLC
70.80.0.0 - 70.83.255.255 Le Groupe Videotron Ltee
121.0.0.0 - 121.255.255.255 Asia Pacific Network Information Centre
125.0.0.0 - 125.255.255.255 Asia Pacific Network Information Centre
192.221.0.0 - 192.221.255.255 Level 3 Communications, Inc.
198.76.0.0 - 198.79.255.255 Level 3 Communications, Inc.
199.92.0.0 - 199.95.255.255 Level 3 Communications, Inc.
202.0.0.0 - 203.255.255.255 Asia Pacific Network Information Centre
204.160.0.0 - 204.163.255.255 Level 3 Communications, Inc.
205.128.0.0 - 205.131.255.255 Level 3 Communications, Inc.
206.32.0.0 - 206.35.255.255 Level 3 Communications, Inc.
206.172.0.0 - 206.172.255.255 Bell Canada WORLDLINX04
207.120.0.0 - 207.123.255.255 Level 3 Communications, Inc.
208.111.128.0 - 208.111.191.255 Limelight Networks
221.0.0.0 - 221.255.255.255 Asia Pacific Network Information Centre
222.0.0.0 - 222.255.255.255 Asia Pacific Network Information Centre

In addition, blocked the DNS query to msgr.dlservice.microsoft.com (this is a sham use of Microsoft's name) which returns three of the above addresses and seems to launch the whole irritating process. Also blocked MsgSvcSend traffic for good measure.

Still don't know what the malware is doing ...
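Maintaining a blocklist of whois ranges by hand gets error-prone quickly, and a list like the one above is broad: several entries are whole /8 allocations and one spans two of them, so any host in those regions, including content-delivery and update servers, is cut off as well. The script below is an added example, not from the post: it parses the ranges in the layout given above, answers which entry (if any) covers a given address, converts each range to the CIDR blocks a firewall rule would need, and reports how much of the IPv4 space the list covers so the breadth of a rule set can be checked before it is applied. `parse_blocklist`, `blocking_org`, `to_cidrs` and `blocked_address_count` are this example's own names; the 204.160.99.123 lookup uses the address from post #2.

```python
import ipaddress

# The address ranges from the post above, in the "start - end organisation"
# layout used there.
BLOCKLIST_TEXT = """\
4.0.0.0 - 4.255.255.255 Level 3 Communications, Inc.
8.0.0.0 - 8.255.255.255 Level 3 Communications, Inc.
24.64.0.0 - 24.71.255.255 Shaw Communications Inc.
58.0.0.0 - 58.255.255.255 Asia Pacific Network Information Centre
60.0.0.0 - 60.255.255.255 Asia Pacific Network Information Centre
61.0.0.0 - 61.255.255.255 Asia Pacific Network Information Centre
65.192.0.0 - 65.223.255.255 MCI Communications
67.78.0.0 - 67.79.255.255 Road Runner HoldCo LLC
70.80.0.0 - 70.83.255.255 Le Groupe Videotron Ltee
121.0.0.0 - 121.255.255.255 Asia Pacific Network Information Centre
125.0.0.0 - 125.255.255.255 Asia Pacific Network Information Centre
192.221.0.0 - 192.221.255.255 Level 3 Communications, Inc.
198.76.0.0 - 198.79.255.255 Level 3 Communications, Inc.
199.92.0.0 - 199.95.255.255 Level 3 Communications, Inc.
202.0.0.0 - 203.255.255.255 Asia Pacific Network Information Centre
204.160.0.0 - 204.163.255.255 Level 3 Communications, Inc.
205.128.0.0 - 205.131.255.255 Level 3 Communications, Inc.
206.32.0.0 - 206.35.255.255 Level 3 Communications, Inc.
206.172.0.0 - 206.172.255.255 Bell Canada WORLDLINX04
207.120.0.0 - 207.123.255.255 Level 3 Communications, Inc.
208.111.128.0 - 208.111.191.255 Limelight Networks
221.0.0.0 - 221.255.255.255 Asia Pacific Network Information Centre
222.0.0.0 - 222.255.255.255 Asia Pacific Network Information Centre
"""

IPV4_SPACE = 2 ** 32


def parse_blocklist(text):
    """Return sorted (start_int, end_int, organisation) tuples; malformed lines are skipped."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 3)       # start, "-", end, organisation
        if len(parts) != 4 or parts[1] != "-":
            continue
        start = int(ipaddress.IPv4Address(parts[0]))
        end = int(ipaddress.IPv4Address(parts[2]))
        if end < start:
            continue
        ranges.append((start, end, parts[3]))
    return sorted(ranges)


def blocking_org(ip, ranges):
    """Organisation whose range covers ip, or None when the address is not blocked."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, org in ranges:
        if start <= n <= end:
            return org
    return None


def to_cidrs(ranges):
    """Each range as the CIDR blocks a firewall rule would need, tagged with its organisation."""
    return [(str(net), org)
            for start, end, org in ranges
            for net in ipaddress.summarize_address_range(
                ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]


def blocked_address_count(ranges):
    """Number of distinct addresses covered; overlapping or adjacent ranges are merged first."""
    total, cur_start, cur_end = 0, None, None
    for start, end, _ in ranges:                  # ranges arrive sorted by start
        if cur_end is not None and start <= cur_end + 1:
            cur_end = max(cur_end, end)
        else:
            if cur_end is not None:
                total += cur_end - cur_start + 1
            cur_start, cur_end = start, end
    if cur_end is not None:
        total += cur_end - cur_start + 1
    return total


if __name__ == "__main__":
    rules = parse_blocklist(BLOCKLIST_TEXT)
    print(f"{len(rules)} ranges, {len(to_cidrs(rules))} CIDR blocks, "
          f"{100 * blocked_address_count(rules) / IPV4_SPACE:.2f}% of IPv4 space")
    print("204.160.99.123 ->", blocking_org("204.160.99.123", rules))
```

For this list the coverage figure comes out at roughly 4.4% of all IPv4 addresses, most of it from the /8 and /7 entries; the CIDR form is what to paste into a rule set, and `blocking_org` is the quick check to run on any new address the firewall reports before adding yet another range.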
dondari
12-May-2008, 06:16 PM #5
Noticed an unrequested (i.e. not me) DNS query to www.download.windowsupdate.com. The query returned three of the problem IP addresses noted above. A browser lookup to the same address returned a successful response at the network level but not at the browser level. My network connection reset itself twice (again not me), which is a new "feature". The malware is not fixed, only caged -- it does escape every once in a while!
lunarlander (Senior Member, joined Feb 2008)
14-May-2008, 12:19 PM #6
HijackThis is a utility which lists the places where applications can autostart. Most malware uses these startup points to launch itself every time you log in. I would post a HijackThis log for a log specialist to take a look. HijackThis is available here:

http://www.trendsecure.com/portal/en...kthis/download

Use "Do a system scan and save a log file"; Notepad will open with a log of what it finds. Copy and paste the contents here. Don't ask it to fix anything.
npower1 (Junior Member, joined May 2008)
15-May-2008, 02:16 PM #7
This is my first post. I have a similar problem, but it doesn't appear as severe as for the original poster. The differences are (1) that I have broadband, not dial-up, and (2) I seem to get a low level of download (1K/s) and upload (1 to 3 K/s) activity continuously (I use NetMeter to see this). Twice an hour this rises to approximately 8k/s down and 10k/s. This lasts for about 3 minutes each time.
Some background information: I don't know how long this has been happening. I noticed it after I had uninstalled iPlayer. (For those outside the UK, this is a download manager/streamer supplied by the BBC.) Hopefully what I have supplied below will help the experts.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:41, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe
C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaServer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qi.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [five Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:five
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://download.five.tv/Download/Ent..._10_Silent.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7294 bytes
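A HijackThis log is a flat list of autostart and browser-hook entries, and a reviewer normally starts with a few mechanical checks before judging individual names. The script below is an added example, not from the post or from HijackThis itself: it parses the O2 (browser helper object), O4 (Run key) and O23 (service) line formats, then reports entries whose target file no longer exists (a registry hook that outlived its file, typically an incomplete uninstall or a removal that left the hook behind), BHOs registered with no name, and Run entries that name a bare executable resolved through the search path, where the reviewer should confirm which file actually runs. The excerpt is taken from the log above; `parse_entry`, `executable_of` and `review` are this example's own names.

```python
import re

# Excerpt of the HijackThis v2.0.2 log posted above, in its own line format.
LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
"""

# O2 - BHO: <name> - {CLSID} - <path>
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O4 - <hive\..\Run>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - ([^:]+): \[(.*?)\] (.*)$")
# O23 - Service: <display name (short name)> - <company> - <path>
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def parse_entry(line):
    """Parse one O2/O4/O23 line into a dict; None for any other line of the log."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return {"section": "O2", "label": m.group(1), "clsid": m.group(2), "target": m.group(3)}
    m = O4_RE.match(line)
    if m:
        return {"section": "O4", "hive": m.group(1), "label": m.group(2), "target": m.group(3)}
    m = O23_RE.match(line)
    if m:
        return {"section": "O23", "label": m.group(1), "company": m.group(2), "target": m.group(3)}
    return None


def executable_of(command):
    """First token of a Run command line, honouring a quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def review(log):
    """Entries a log reviewer looks at first, each with the reasons it was picked."""
    findings = []
    for line in log.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e["target"].endswith("(file missing)"):
            reasons.append("target file is missing: the hook outlived its file")
        if e["section"] == "O2" and e["label"] == "(no name)":
            reasons.append("BHO registered without a name")
        if e["section"] == "O4" and "\\" not in executable_of(e["target"]):
            reasons.append("bare executable name resolved through the search path; confirm which file runs")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(LOG):
        print(f"{f['section']} {f['label']!r}: {'; '.join(f['reasons'])}")
```

Against the excerpt it reports the unnamed BHO whose DLL is gone and the SkyTel entry; the AVG, Acrobat and BitComet lines pass. On a full log the same checks run over every O2, O4 and O23 line, which leaves the reviewer with the short list worth looking up rather than the whole file.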
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.