
Unrequested Internet Traffic

Discussion in 'General Security' started by dondari, Apr 14, 2008.

Thread Status:
Not open for further replies.
  1. dondari

    dondari Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    12
    Hi, I'm using Windows XP Home SP 2. My problem is unrequested internet traffic, which uses 20-50% of my dial-up internet capacity on a continuous basis. I have discounted all apps and automatic updates, so I believe the problem is in the o/s. Two virus scanners (Norton & Trendmicro) can't find the problem.

    The traffic starts immediately upon connect (I have noticed it drop off on rare occasion). It shows as a continuous up/down wave on the Networking graph in Windows Task Manager. I installed Microsoft Network Monitor 3.1 but am a newbie at reading the conversations. I have noticed patterns in the frame traffic with unidentified tcp/ip addresses changing every 1,000 or so frames. For example:

    Frame Time Source Destination Protocol Description

    42 13.418945 me 4.23.40.126 WinUpdV5 WinUpdV5
    43 13.888672 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
    44 14.002929 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548936010, Win=8410 (scale factor not found)
    45 14.431640 4.23.40.126 me HTTP HTTP: HTTP Payload
    46 14.606445 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548937470, Win=8760 (scale factor not found)
    47 14.976562 4.23.40.126 me HTTP HTTP: HTTP Payload
    48 15.109375 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548938930, Win=8760 (scale factor not found)
    49 15.480469 4.23.40.126 me HTTP HTTP: HTTP Payload
    50 15.712890 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548940390, Win=8760 (scale factor not found)
    51 16.023437 4.23.40.126 me HTTP HTTP: HTTP Payload
    52 16.215820 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548941850, Win=8760 (scale factor not found)
    53 16.271484 4.23.40.126 me HTTP HTTP: HTTP Payload
    54 16.416992 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605132, Ack=1548942603, Win=8007 (scale factor not found)
    55 18.139648 me 4.23.40.126 WinUpdV5 WinUpdV5
    56 18.607422 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
    57 18.730469 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548942953, Win=7657 (scale factor not found)
    58 19.152344 4.23.40.126 me HTTP HTTP: HTTP Payload
    59 19.435547 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548944413, Win=8760 (scale factor not found)
    60 19.695312 4.23.40.126 me HTTP HTTP: HTTP Payload
    61 19.836914 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548945873, Win=8760 (scale factor not found)
    62 20.191406 4.23.40.126 me HTTP HTTP: HTTP Payload
    63 20.441406 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548947333, Win=8760 (scale factor not found)
    64 20.736328 4.23.40.126 me HTTP HTTP: HTTP Payload
    65 20.843750 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548948793, Win=8760 (scale factor not found)
    66 20.951172 4.23.40.126 me HTTP HTTP: HTTP Payload
    67 21.246094 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0, Seq=1737605390, Ack=1548949482, Win=8071 (scale factor not found)
    68 22.833984 me 4.23.40.126 WinUpdV5 WinUpdV5
    Some of the frames that have a legible message in the hex are MsgSvcSend frames and are shown below. Note that the IP addresses are not the same as the former traffic:

    Frame Time Source Destination Protocol
    254 88.821289 24.64.6.24 me MsgSvcSend
    255 88.836914 24.64.6.24 me MsgSvcSend
    256 88.836914 24.64.6.24 me MsgSvcSend
    363 127.442383 221.209.110.7 me MsgSvcSend
    364 127.483398 221.209.110.7 me MsgSvcSend
    421 146.331054 202.97.238.198 me MsgSvcSend
    1025 360.344726 221.208.208.89 me MsgSvcSend
    1026 360.522461 221.208.208.89 me MsgSvcSend
    1233 432.214844 24.64.114.50 me MsgSvcSend
    1234 432.351562 24.64.114.50 me MsgSvcSend
    1235 432.367187 24.64.114.50 me MsgSvcSend
    1503 525.363281 24.64.162.206 me MsgSvcSend

    "CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED...To FIX this problem:.Open Internet Explorer and type: www.registrycleanerxp.com.Once you load the web page, close this message window..After you install the cleaner program you will not receive any more reminders or pop-ups like this...VISIT www.registrycleanerxp.com IMMEDIATELY!...."

    Note, I only see the above message through Network Monitor and not as a pop-up.

    Do you have any idea what this may be? Thank you.
     
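As an added example (not code from the thread or from Network Monitor itself), the script below parses frame lines in the column layout the poster pasted (frame, time, source, destination, protocol, description) and summarises them per remote peer, flagging the two patterns seen in the post: HTTP 206 partial-content responses, the signature of a ranged download such as a BITS job, and inbound MsgSvcSend (Messenger service pop-up) frames. The sample frames are copied from the post; the column layout and the "me" placeholder are assumptions.

```python
"""Summarise a Network Monitor frame listing by remote peer (added example)."""
import re
from collections import defaultdict

# Constructed sample: a handful of the frames quoted in the post.
SAMPLE = """\
42 13.418945 me 4.23.40.126 WinUpdV5 WinUpdV5
43 13.888672 4.23.40.126 me HTTP HTTP: Response, HTTP/1.1, Status Code = 206
44 14.002929 me 4.23.40.126 TCP TCP: Flags=....A..., SrcPort=1879, DstPort=HTTP(80), Len=0
45 14.431640 4.23.40.126 me HTTP HTTP: HTTP Payload
254 88.821289 24.64.6.24 me MsgSvcSend
363 127.442383 221.209.110.7 me MsgSvcSend
"""

# Assumed layout: frame  time  source  destination  protocol  [description]
LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse(text):
    """Yield (frame, time, src, dst, proto, desc); skip lines that do not fit."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            frame, t, src, dst, proto, desc = m.groups()
            yield int(frame), float(t), src, dst, proto, desc


def summarise(text, me="me"):
    """Per remote peer: frames in each direction plus the two indicators."""
    peers = defaultdict(lambda: {"in": 0, "out": 0, "http_206": 0, "msgsvc_in": 0})
    for _, _, src, dst, proto, desc in parse(text):
        peer = dst if src == me else src
        stats = peers[peer]
        stats["out" if src == me else "in"] += 1
        if proto == "HTTP" and "Status Code = 206" in desc:
            stats["http_206"] += 1          # partial content: ranged download
        if proto == "MsgSvcSend" and dst == me:
            stats["msgsvc_in"] += 1         # unsolicited Messenger service frame
    return dict(peers)


def classify(stats):
    """Turn a peer's counters into a short label for the report."""
    if stats["msgsvc_in"]:
        return "inbound Messenger service pop-up spam; disable the Messenger service"
    if stats["http_206"]:
        return "ranged HTTP download (BITS-style); identify the job that owns it"
    return "unclassified"


if __name__ == "__main__":
    for peer, stats in summarise(SAMPLE).items():
        print(peer, stats, "->", classify(stats))
```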
  2. dondari

    dondari Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    12
    Further info -- I found similar problems on other website forums but no answers. My firewall shows network connection to remote IP address 204.160.99.123 (OrgName: Level 3 Communications, Inc.) as:

    Details: Connection: msgr.dlservice.microsoft.com: http(80).
    from <ME>: 3080.
    11264 bytes sent.
    550169 bytes received.
    3:31.921 elapsed time.

    The traffic can be terminated by stopping the service Background Intelligent Transfer Service (BITS), which works in the short-term but is far from ideal.
     
  3. dondari

    dondari Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    12
    Please post this in the General Security forum. Thx.
     
  4. dondari

    dondari Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    12
    Isolated the problematic IP addresses and wrote firewall blocking rules for the key ones (Level 3, Asia Pacific). Again not ideal, but effective. At least I can keep BITS enabled but I have to be vigilant re: IP addresses of which I am unaware. (I am not sure how much impact this solution will have on future browsing.)


    In addition, blocked the DNS query to msgr.dlservice.microsoft.com (this is a sham use of Microsoft's name) which returns three of the above addresses and seems to launch the whole irritating process. Also blocked MsgSvcSend traffic for good measure.

    Still don't know what the malware is doing ...
     
  5. dondari

    dondari Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    12
    Noticed an unrequested (i.e. not me) DNS query to www.download.windowsupdate.com. The query returned three of the problem ip addresses noted above. A browser lookup to the same address returned a successful response at the network level but not at the browser level. My network connection reset itself twice (again not me), which is a new "feature". The malware is not fixed, only caged -- it does escape every once in a while!
     
  6. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,821
    HijackThis is a utility which lists the places where applications can autostart. Most malware uses these startup points to launch itself every time you log in. I would post a HijackThis log for a log specialist to take a look. HijackThis is available here:

    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

    Use "Do a system scan and save a log file", and Notepad will open with a log of what it finds; copy and paste the contents here. Don't ask it to fix anything.
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,277
    Thread reopened as requested.
     
  8. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,821
    So what's the latest news on this?
     
  9. dondari

    dondari Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    12
    The malware calls svchost.exe to DNS lookup "msgr.dlservice.microsoft.com". This is a legitimate use of svchost.exe.

    The DNS lookup typically resolves to an APNIC or Level 3 Communications IP.

    A more effective fix than blocking IP addresses through a firewall is adding the following line to your hosts file (c:\windows\system32\drivers\etc\hosts):

    127.0.0.1 msgr.dlservice.microsoft.com # virus redirect

    However, this does not get rid of the malware, it simply shuts it down.
     
  10. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,821
    Give MalwareBytes a try and let it do a scan of your system. Let's see what it finds.
     
Short URL to this thread: https://techguy.org/703828
