Tech Support Guy Forums > Security & Malware Removal > General Security
Unrequested Internet Traffic
dondari (Junior Member, 11 posts; joined Apr 2008)
14-Apr-2008, 10:30 PM #1
Unrequested Internet Traffic
Hi, I'm using Windows XP Home SP 2. My problem is unrequested internet traffic, which uses 20-50% of my dial-up internet capacity on a continuous basis. I have discounted all apps and automatic updates, so I believe the problem is in the o/s. Two virus scanners (Norton & Trendmicro) can't find the problem.

The traffic starts immediately upon connect (I have noticed it drop off on rare occasion). It shows as a continuous up/down wave on the Networking graph in Windows Task Manager. I installed Microsoft Network Monitor 3.1 but am a newbie at reading the conversations. I have noticed patterns in the frame traffic with unidentified tcp/ip addresses changing every 1,000 or so frames. For example:

Frame Time Source Destination Protocol Description


42 13.418945 me 4.23.40.126 WinUpdV5 WinUpdV5
43 13.888672 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
44 14.002929 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548936010, Win=8410 (scale factor not found)
45 14.431640 4.23.40.126 me HTTP HTTP: HTTP Payload
46 14.606445 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548937470, Win=8760 (scale factor not found)
47 14.976562 4.23.40.126 me HTTP HTTP: HTTP Payload
48 15.109375 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548938930, Win=8760 (scale factor not found)
49 15.480469 4.23.40.126 me HTTP HTTP: HTTP Payload
50 15.712890 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548940390, Win=8760 (scale factor not found)
51 16.023437 4.23.40.126 me HTTP HTTP: HTTP Payload
52 16.215820 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548941850, Win=8760 (scale factor not found)
53 16.271484 4.23.40.126 me HTTP HTTP: HTTP Payload
54 16.416992 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548942603, Win=8007 (scale factor not found)
55 18.139648 me 4.23.40.126 WinUpdV5 WinUpdV5
56 18.607422 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
57 18.730469 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548942953, Win=7657 (scale factor not found)
58 19.152344 4.23.40.126 me HTTP HTTP: HTTP Payload
59 19.435547 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548944413, Win=8760 (scale factor not found)
60 19.695312 4.23.40.126 me HTTP HTTP: HTTP Payload
61 19.836914 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548945873, Win=8760 (scale factor not found)
62 20.191406 4.23.40.126 me HTTP HTTP: HTTP Payload
63 20.441406 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548947333, Win=8760 (scale factor not found)
64 20.736328 4.23.40.126 me HTTP HTTP: HTTP Payload
65 20.843750 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548948793, Win=8760 (scale factor not found)
66 20.951172 4.23.40.126 me HTTP HTTP: HTTP Payload
67 21.246094 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548949482, Win=8071 (scale factor not found)
68 22.833984 me 4.23.40.126 WinUpdV5 WinUpdV5


Some of the frames that have a legible message in the hex are MsgSvcSend frames and are shown below. Note that the IP addresses are not the same as the former traffic:

Frame Time Source Destination Protocol
254 88.821289 24.64.6.24 me MsgSvcSend
255 88.836914 24.64.6.24 me MsgSvcSend
256 88.836914 24.64.6.24 me MsgSvcSend
363 127.442383 221.209.110.7 me MsgSvcSend
364 127.483398 221.209.110.7 me MsgSvcSend
421 146.331054 202.97.238.198 me MsgSvcSend
1025 360.344726 221.208.208.89 me MsgSvcSend
1026 360.522461 221.208.208.89 me MsgSvcSend
1233 432.214844 24.64.114.50 me MsgSvcSend
1234 432.351562 24.64.114.50 me MsgSvcSend
1235 432.367187 24.64.114.50 me MsgSvcSend
1503 525.363281 24.64.162.206 me MsgSvcSend

"CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED...To FIX this problem:.Open Internet Explorer and type: www.registrycleanerxp.com.Once you load the web page, close this message window..After you install the cleaner program you will not receive any more reminders or pop-ups like this...VISIT www.registrycleanerxp.com IMMEDIATELY!...."

Note, I only see the above message through Network Monitor and not as a pop-up.

Do you have any idea what this may be? Thank you.
dondari
15-Apr-2008, 07:58 PM #2
Further info -- I found similar problems on other website forums but no answers. My firewall shows network connection to remote IP address 204.160.99.123 (OrgName: Level 3 Communications, Inc.) as:

Details: Connection: msgr.dlservice.microsoft.com: http(80).
from <ME>: 3080.
11264 bytes sent.
550169 bytes received.
3:31.921 elapsed time.

The traffic can be terminated by stopping the service Background Intelligent Transfer Service (BITS), which works in the short-term but is far from ideal.
dondari
28-Apr-2008, 06:28 PM #3
Please post this in the General Security forum. Thx.
dondari
30-Apr-2008, 02:10 AM #4
Isolated the problematic IP addresses and wrote firewall blocking rules for the key ones (Level 3, Asia Pacific). Again not ideal, but effective. At least I can keep BITS enabled but I have to be vigilant re: IP addresses of which I am unaware. (I am not sure how much impact this solution will have on future browsing.)

4.0.0.0 - 4.255.255.255 Level 3 Communications, Inc.
8.0.0.0 - 8.255.255.255 Level 3 Communications, Inc.
24.64.0.0 - 24.71.255.255 Shaw Communications Inc.
58.0.0.0 - 58.255.255.255 Asia Pacific Network Information Centre
60.0.0.0 - 60.255.255.255 Asia Pacific Network Information Centre
61.0.0.0 - 61.255.255.255 Asia Pacific Network Information Centre
65.192.0.0 - 65.223.255.255 MCI Communications
67.78.0.0 - 67.79.255.255 Road Runner HoldCo LLC
70.80.0.0 - 70.83.255.255 Le Groupe Videotron Ltee
121.0.0.0 - 121.255.255.255 Asia Pacific Network Information Centre
125.0.0.0 - 125.255.255.255 Asia Pacific Network Information Centre
192.221.0.0 - 192.221.255.255 Level 3 Communications, Inc.
198.76.0.0 - 198.79.255.255 Level 3 Communications, Inc.
199.92.0.0 - 199.95.255.255 Level 3 Communications, Inc.
202.0.0.0 - 203.255.255.255 Asia Pacific Network Information Centre
204.160.0.0 - 204.163.255.255 Level 3 Communications, Inc.
205.128.0.0 - 205.131.255.255 Level 3 Communications, Inc.
206.32.0.0 - 206.35.255.255 Level 3 Communications, Inc.
206.172.0.0 - 206.172.255.255 Bell Canada WORLDLINX04
207.120.0.0 - 207.123.255.255 Level 3 Communications, Inc.
208.111.128.0 - 208.111.191.255 Limelight Networks
221.0.0.0 - 221.255.255.255 Asia Pacific Network Information Centre
222.0.0.0 - 222.255.255.255 Asia Pacific Network Information Centre

In addition, blocked the DNS query to msgr.dlservice.microsoft.com (this is a sham use of Microsoft's name) which returns three of the above addresses and seems to launch the whole irritating process. Also blocked MsgSvcSend traffic for good measure.

Still don't know what the malware is doing ...
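An added example (not code from the thread) that parses the Network Monitor summary lines quoted in post #1 and checks each remote host against a subset of the address ranges blocked in this post. The capture lines and the range subset are constructed from the thread's own values; the counting rules (inbound 206 ranged replies as the BITS chunk pattern, inbound MsgSvcSend frames as Messenger-service spam) are my assumption about what is worth flagging.

```python
import ipaddress

# Constructed sample in the Network Monitor summary layout quoted in the thread:
# Frame Time Source Destination Protocol [Description]; "me" is the local host.
CAPTURE = """\
42 13.418945 me 4.23.40.126 WinUpdV5 WinUpdV5
43 13.888672 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
56 18.607422 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
254 88.821289 24.64.6.24 me MsgSvcSend
363 127.442383 221.209.110.7 me MsgSvcSend
"""

# Subset of the address ranges the poster blocked, owner as listed in the thread.
BLOCKED_RANGES = [
    ("4.0.0.0", "4.255.255.255", "Level 3 Communications, Inc."),
    ("24.64.0.0", "24.71.255.255", "Shaw Communications Inc."),
    ("221.0.0.0", "221.255.255.255", "Asia Pacific Network Information Centre"),
]

def parse_frames(text):
    """Turn summary lines into dicts; the description column may be absent."""
    frames = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # header or blank line
        frames.append({"frame": int(parts[0]), "time": float(parts[1]),
                       "src": parts[2], "dst": parts[3], "proto": parts[4],
                       "desc": parts[5] if len(parts) > 5 else ""})
    return frames

def owner_of(ip):
    """Owner of the blocked range containing ip, or None if it is not blocked."""
    addr = ipaddress.ip_address(ip)
    for lo, hi, org in BLOCKED_RANGES:
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return org
    return None

def summarize(frames, local="me"):
    """Per remote host: inbound 206 (ranged) replies, inbound MsgSvcSend frames, range owner."""
    report = {}
    for f in frames:
        remote = f["dst"] if f["src"] == local else f["src"]
        r = report.setdefault(remote, {"partial_206": 0, "inbound_msgsvc": 0,
                                       "owner": owner_of(remote)})
        if f["src"] == remote:  # only count what the remote host sent us
            r["partial_206"] += "Status Code = 206" in f["desc"]
            r["inbound_msgsvc"] += f["proto"] == "MsgSvcSend"
    return report
```

A host with repeated 206 replies is serving a chunked download (the BITS pattern from post #2), while any inbound MsgSvcSend from a public address is the Messenger-service pop-up spam seen in the hex.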
dondari
12-May-2008, 07:16 PM #5
Noticed an unrequested (i.e. not me) DNS query to www.download.windowsupdate.com. The query returned three of the problem IP addresses noted above. A browser lookup to the same address returned a successful response at the network level but not at the browser level. My network connection reset itself twice (again not me), which is a new "feature". The malware is not fixed, only caged -- it does escape every once in a while!
lunarlander (Senior Member, 3,492 posts; joined Sep 2007)
14-May-2008, 01:19 PM #6
HijackThis is a utility which lists out the places where applications can autostart. Most malware uses these startup points to launch itself every time you log in. I would post a HijackThis log for a log specialist to take a look. HijackThis is available here:

http://www.trendsecure.com/portal/en...kthis/download

Use "Do a system scan and save a log file", and Notepad will open with a log of what it finds; copy and paste the contents here. Don't ask it to fix anything.
Cookiegal (Administrator & Malware Removal Specialist, 79,289 posts; joined Aug 2003; Quebec, Canada)
14-Apr-2009, 01:10 PM #7
Thread reopened as requested.
lunarlander
20-Apr-2009, 10:59 AM #8
So what's the latest news on this?
dondari
20-Apr-2009, 12:39 PM #9
The malware calls svchost.exe to DNS lookup "msgr.dlservice.microsoft.com". This is a legitimate use of svchost.exe.

The DNS lookup typically resolves to an APNIC or Level 3 Communications IP.

A more effective fix than blocking IP addresses through a firewall is adding the following line to your hosts file (c:\windows\system32\drivers\etc\hosts):

127.0.0.1 msgr.dlservice.microsoft.com # virus redirect

However, this does not get rid of the malware, it simply shuts it down.
lunarlander
22-Apr-2009, 10:23 AM #10
Give MalwareBytes a try and let it do a scan of your system. Let's see what it finds.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.