
possible trojan or virus???


8 replies to this topic

#1 forkball


    Member

  • Full Member
  • 12 posts

Posted 22 July 2004 - 10:48 PM

I need some help... My home PC seems to have been taken over by something that I've had no luck in finding any other occurrences of anywhere. Here's the situation... After a moderate uptime period of my WinXP Pro workstation, my network traffic will cease to function. I can't get out anywhere. I then kill the Zone Alarm firewall and traffic resumes. However, I notice (by using the traffic indicator icons) that my tx and rx LEDs are lit up on my network connection, which is Ethernet to a broadband router. Looking further, I run the Ethereal packet analyzer and I notice that TCP traffic is being sent and received on my machine and the TCP port number is 5678 and a range of 2800-3300. The traffic itself is HTTP traffic to a specific webpage which is:

http://schemas.xmlso...g/soap/encoding

The page load requests and server responses just keep looping like this, until I kill an svchost.exe service that is utilizing, in my opinion, way too much of my system memory. Once that happens, the traffic stops completely. Does anyone have any thoughts besides the online virus scanners? I have run both Trend Micro's HouseCall and Symantec's online tool and both turned up nothing. I've also run the latest Ad-Aware and Spybot tools as well. I have also done the HijackThis thing and it's been deemed clean.



I notice that when this happens, if I kill the svchost.exe process, this behavior stops. Looking further into the situation, I did a tasklist /svc > tasklist.txt to save a copy of the specific services, and the affected svchost.exe task has several processes running inside of it. I'm dead sure that one of these processes is the culprit. Here is the log. Does anyone see anything that should not be there? And can someone tell me how to straighten this out, if so? Thanks for all the help.

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 476 N/A
csrss.exe 532 N/A
winlogon.exe 556 N/A
services.exe 600 Eventlog, PlugPlay
lsass.exe 612 ProtectedStorage, SamSs
svchost.exe 772 RpcSs
svchost.exe 844 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                ERSvc, EventSystem,
                FastUserSwitchingCompatibility, helpsvc,
                lanmanserver, lanmanworkstation, Netman,
                Nla, RasMan, Schedule, seclogon, SENS,
                ShellHWDetection, TapiSrv, TermService,
                Themes, TrkWks, uploadmgr, W32Time, winmgmt,
                wuauserv
svchost.exe 908 Dnscache
svchost.exe 944 LmHosts, RemoteRegistry, SSDPSRV, WebClient
brsvc01a.exe 1096 Brother XP spl Service
spoolsv.exe 1116 Spooler
brss01a.exe 1128 N/A
ati2evxx.exe 1532 Ati HotKey Poller
ExtractorService.exe 1564 DeepsightExtractor
NAVAPSVC.EXE 1628 navapsvc
svchost.exe 1804 stisvc
vsmon.exe 1868 vsmon
explorer.exe 1276 N/A
NAVAPW32.EXE 1428 N/A
zlclient.exe 1436 N/A
TeaTimer.exe 1456 N/A
taskmgr.exe 460 N/A
cmd.exe 1040 N/A
wmiprvse.exe 1416 N/A
tasklist.exe 1324 N/A
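
A parser for the tasklist /svc listing above, added here as an example; it is not code from the thread or from any tool mentioned in it. It maps each process to the services it hosts, answers which PID hosts a given service, and lists what else would stop if that process were killed, which is the question the post is really asking about the busy svchost.exe. The sample is a trimmed copy of the listing in the post with the wrapped service list indented the way tasklist prints it; the lookup key upnphost (the Universal Plug and Play Device Host service on XP) is used only to show the "not running" case and does not appear in the listing.

```python
import re

# Constructed sample: a trimmed copy of the tasklist /svc listing in the post,
# with the wrapped service list indented as tasklist prints it.
SAMPLE = """\
Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
services.exe                   600 Eventlog, PlugPlay
lsass.exe                      612 ProtectedStorage, SamSs
svchost.exe                    772 RpcSs
svchost.exe                    844 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   wuauserv
svchost.exe                    908 Dnscache
svchost.exe                    944 LmHosts, RemoteRegistry, SSDPSRV, WebClient
brsvc01a.exe                  1096 Brother XP spl Service
vsmon.exe                     1868 vsmon
explorer.exe                  1276 N/A
"""

# image name (may contain spaces), PID, then the service list or N/A
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split(svcs: str) -> list:
    """Split a comma-separated service list, dropping the trailing empty item."""
    return [s.strip() for s in svcs.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> list:
    """Parse `tasklist /svc` output into [{image, pid, services}] entries.

    Continuation lines (indented by tasklist, often flush-left once pasted
    into a forum) carry no PID and are appended to the previous entry.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = ROW.match(line)
        if m:
            svcs = m.group("svcs").strip()
            entries.append({"image": m.group("image"), "pid": int(m.group("pid")),
                            "services": [] if svcs == "N/A" else _split(svcs)})
        elif entries:
            entries[-1]["services"].extend(_split(line))
    return entries


def host_of(entries: list, service: str):
    """PID of the process hosting `service` (case-insensitive), or None if not running."""
    for e in entries:
        if service.lower() in (s.lower() for s in e["services"]):
            return e["pid"]
    return None


def co_hosted(entries: list, service: str) -> list:
    """Services sharing a process with `service`: killing that process stops these too."""
    pid = host_of(entries, service)
    if pid is None:
        return []
    entry = next(e for e in entries if e["pid"] == pid)
    return [s for s in entry["services"] if s.lower() != service.lower()]


def svchost_load(entries: list) -> dict:
    """Number of services per svchost.exe instance (a large group is normal on XP)."""
    return {e["pid"]: len(e["services"])
            for e in entries if e["image"].lower() == "svchost.exe"}


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE)
    print("svchost load:", svchost_load(parsed))
    print("SSDPSRV hosted by PID", host_of(parsed, "SSDPSRV"),
          "together with", co_hosted(parsed, "SSDPSRV"))
    print("upnphost running:", host_of(parsed, "upnphost") is not None)
```

The listing itself shows nothing out of place: an svchost.exe instance hosting sixteen services is how XP groups its networking stack, so the process count is not evidence of a trojan. What the parser makes visible is that the SSDP Discovery Service (the UPnP half relevant to the thread's resolution) lives in PID 944 alongside RemoteRegistry, WebClient and LmHosts, so killing that process to stop the traffic also removes those.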

#2 Tuxedo Jack


    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • 1,757 posts

Posted 23 July 2004 - 01:18 AM

Get HijackThis from the link in my signature.

Extract the executable file to C:\hjt. THIS IS VERY IMPORTANT; IT ALLOWS YOU TO MAKE BACKUPS OF ANYTHING THAT MAY BE DELETED.

Run it, then click "Scan Now" and "Save Log." Copy and paste the entirety of the log into a reply to this thread.
Signature file is under revision. This will be back shortly.

#3 forkball


    Member

  • Full Member
  • 12 posts

Posted 23 July 2004 - 04:09 PM

I actually had done that in another section on this forum site. But... if you would just like to look to be sure... here it is:


Logfile of HijackThis v1.98.0
Scan saved at 8:05:36 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\brss01a.exe
F:\WINDOWS\System32\Ati2evxx.exe
d:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\System32\taskmgr.exe
F:\Documents and Settings\John\Desktop\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "d:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] F:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#4 Tuxedo Jack


    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • 1,757 posts

Posted 23 July 2004 - 04:53 PM

Don't see anything here that could be considered a Trojan.

This, though, should be removed. Close all programs, tick it for removal in HJT, and click "Fix Checked:"

O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com...te/UCSearch.CAB

By moderate period of uptime, I assume you're talking about a day or so? And what version of ZoneAlarm are you using? Are you using a router with logviewer capabilities or anything like that?

And can you packet-sniff your connection?

Edited by Tuxedo Jack, 23 July 2004 - 04:54 PM.


#5 forkball


    Member

  • Full Member
  • 12 posts

Posted 23 July 2004 - 06:54 PM

Moderate amount of uptime means a couple of hours. I'm running the latest version of the FREE ZoneAlarm. Yes, I can packet sniff... I have Ethereal and could save the next flurry of traffic if you want to see it. Can you do Ethereal traces?

#6 Tuxedo Jack


    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • 1,757 posts

Posted 23 July 2004 - 11:49 PM

I can read Ethereal dumps, yes.

Here's an idea, though - what about installing an old build of ZoneAlarm? The new ones are bloated and crappy. Try one of the 2.x versions.

http://oldversion.co...am.php?n=zalarm

Worst comes to worst, I have the installers from versions 2 and 4 lying around somewhere on my Installers hard drive.

#7 forkball


    Member

  • Full Member
  • 12 posts

Posted 24 July 2004 - 02:37 PM

I'm trying version 2 now. In the meantime, the PC is right now behaving as I mentioned. No firewall up, and internet traffic is being utilized without any internet applications opened. Attached is the capture of the traffic. Also, I did another HijackThis log. Here is that as well. Thanks for your help.

Logfile of HijackThis v1.98.0
Scan saved at 2:56:14 PM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\brss01a.exe
F:\WINDOWS\System32\Ati2evxx.exe
d:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Creative\Shared Files\CAMTRAY.EXE
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\System32\taskmgr.exe
F:\Documents and Settings\John\Desktop\HJT\HijackThis.exe
F:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "d:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] F:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#8 forkball


    Member

  • Full Member
  • 12 posts

Posted 24 July 2004 - 04:04 PM

Here is the captured data... This is basically repeated indefinitely. BTW, version 2 of ZoneAlarm is not helping.


No. Time Source Destination Protocol Info
1 0.000000 192.168.0.100 192.168.0.1 TCP 2187 > 5678 [FIN, ACK] Seq=0 Ack=0 Win=63682 Len=0

Frame 1 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:a0:c9:8f:f9:9d, Dst: 00:0d:88:1f:ca:2a
Internet Protocol, Src Addr: 192.168.0.100 (192.168.0.100), Dst Addr: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 2187 (2187), Dst Port: 5678 (5678), Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol Info
2 0.000787 192.168.0.1 192.168.0.100 TCP 5678 > 2187 [ACK] Seq=0 Ack=1 Win=8760 Len=0

Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0d:88:1f:ca:2a, Dst: 00:a0:c9:8f:f9:9d
Internet Protocol, Src Addr: 192.168.0.1 (192.168.0.1), Dst Addr: 192.168.0.100 (192.168.0.100)
Transmission Control Protocol, Src Port: 5678 (5678), Dst Port: 2187 (2187), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
3 0.002879 192.168.0.100 192.168.0.1 TCP 2188 > 5678 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460

Frame 3 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:a0:c9:8f:f9:9d, Dst: 00:0d:88:1f:ca:2a
Internet Protocol, Src Addr: 192.168.0.100 (192.168.0.100), Dst Addr: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 2188 (2188), Dst Port: 5678 (5678), Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol Info
4 0.004596 192.168.0.1 192.168.0.100 TCP 5678 > 2188 [SYN, ACK] Seq=0 Ack=1 Win=8760 Len=0 MSS=1460

Frame 4 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0d:88:1f:ca:2a, Dst: 00:a0:c9:8f:f9:9d
Internet Protocol, Src Addr: 192.168.0.1 (192.168.0.1), Dst Addr: 192.168.0.100 (192.168.0.100)
Transmission Control Protocol, Src Port: 5678 (5678), Dst Port: 2188 (2188), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
5 0.004668 192.168.0.100 192.168.0.1 TCP 2188 > 5678 [ACK] Seq=1 Ack=1 Win=64240 Len=0

Frame 5 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:a0:c9:8f:f9:9d, Dst: 00:0d:88:1f:ca:2a
Internet Protocol, Src Addr: 192.168.0.100 (192.168.0.100), Dst Addr: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 2188 (2188), Dst Port: 5678 (5678), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
6 0.004923 192.168.0.100 192.168.0.1 TCP 2188 > 5678 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=631

Frame 6 (685 bytes on wire, 685 bytes captured)
Ethernet II, Src: 00:a0:c9:8f:f9:9d, Dst: 00:0d:88:1f:ca:2a
Internet Protocol, Src Addr: 192.168.0.100 (192.168.0.100), Dst Addr: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 2188 (2188), Dst Port: 5678 (5678), Seq: 1, Ack: 1, Len: 631
Data (631 bytes)

0000 50 4f 53 54 20 2f 57 41 4e 43 6f 6d 6d 6f 6e 49 POST /WANCommonI
0010 6e 74 65 72 66 61 63 65 43 6f 6e 66 69 67 20 48 nterfaceConfig H
0020 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 74 65 6e 74 TTP/1.1..Content
0030 2d 54 79 70 65 3a 20 74 65 78 74 2f 78 6d 6c 3b -Type: text/xml;
0040 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 charset="utf-8"
0050 0d 0a 53 4f 41 50 41 63 74 69 6f 6e 3a 20 22 75 ..SOAPAction: "u
0060 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d rn:schemas-upnp-
0070 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 43 org:service:WANC
0080 6f 6d 6d 6f 6e 49 6e 74 65 72 66 61 63 65 43 6f ommonInterfaceCo
0090 6e 66 69 67 3a 31 23 47 65 74 54 6f 74 61 6c 42 nfig:1#GetTotalB
00a0 79 74 65 73 53 65 6e 74 22 0d 0a 55 73 65 72 2d ytesSent"..User-
00b0 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 Agent: Mozilla/4
00c0 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 .0 (compatible;
00d0 55 50 6e 50 2f 31 2e 30 3b 20 57 69 6e 64 6f 77 UPnP/1.0; Window
00e0 73 20 39 78 29 0d 0a 48 6f 73 74 3a 20 31 39 32 s 9x)..Host: 192
00f0 2e 31 36 38 2e 30 2e 31 3a 35 36 37 38 0d 0a 43 .168.0.1:5678..C
0100 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 ontent-Length: 3
0110 30 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 09..Connection:
0120 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 50 72 61 67 Keep-Alive..Prag
0130 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a ma: no-cache....
0140 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 <?xml version="1
0150 2e 30 22 3f 3e 0d 0a 3c 53 4f 41 50 2d 45 4e 56 .0"?>..<SOAP-ENV
0160 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a :Envelope xmlns:
0170 53 4f 41 50 2d 45 4e 56 3d 22 68 74 74 70 3a 2f SOAP-ENV="http:/
0180 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 /schemas.xmlsoap
0190 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f .org/soap/envelo
01a0 70 65 2f 22 20 53 4f 41 50 2d 45 4e 56 3a 65 6e pe/" SOAP-ENV:en
01b0 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 codingStyle="htt
01c0 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 p://schemas.xmls
01d0 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 oap.org/soap/enc
01e0 6f 64 69 6e 67 2f 22 3e 3c 53 4f 41 50 2d 45 4e oding/"><SOAP-EN
01f0 56 3a 42 6f 64 79 3e 3c 6d 3a 47 65 74 54 6f 74 V:Body><m:GetTot
0200 61 6c 42 79 74 65 73 53 65 6e 74 20 78 6d 6c 6e alBytesSent xmln
0210 73 3a 6d 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 s:m="urn:schemas
0220 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 -upnp-org:servic
0230 65 3a 57 41 4e 43 6f 6d 6d 6f 6e 49 6e 74 65 72 e:WANCommonInter
0240 66 61 63 65 43 6f 6e 66 69 67 3a 31 22 2f 3e 3c faceConfig:1"/><
0250 2f 53 4f 41 50 2d 45 4e 56 3a 42 6f 64 79 3e 3c /SOAP-ENV:Body><
0260 2f 53 4f 41 50 2d 45 4e 56 3a 45 6e 76 65 6c 6f /SOAP-ENV:Envelo
0270 70 65 3e 0d 0a 0d 0a pe>....

No. Time Source Destination Protocol Info
7 0.011949 192.168.0.1 192.168.0.100 TCP 5678 > 2188 [PSH, ACK] Seq=1 Ack=632 Win=8760 Len=474

Frame 7 (528 bytes on wire, 528 bytes captured)
Ethernet II, Src: 00:0d:88:1f:ca:2a, Dst: 00:a0:c9:8f:f9:9d
Internet Protocol, Src Addr: 192.168.0.1 (192.168.0.1), Dst Addr: 192.168.0.100 (192.168.0.100)
Transmission Control Protocol, Src Port: 5678 (5678), Dst Port: 2188 (2188), Seq: 1, Ack: 632, Len: 474
Data (474 bytes)

0000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
0010 0a 43 4f 4e 54 45 4e 54 2d 4c 45 4e 47 54 48 3a .CONTENT-LENGTH:
0020 33 34 34 0d 0a 43 4f 4e 54 45 4e 54 2d 54 59 50 344..CONTENT-TYP
0030 45 3a 74 65 78 74 2f 78 6d 6c 0d 0a 44 41 54 45 E:text/xml..DATE
0040 3a 20 53 61 74 2c 20 32 34 20 4a 75 6c 20 32 30 : Sat, 24 Jul 20
0050 30 34 20 32 30 3a 31 33 3a 34 37 20 47 4d 54 0d 04 20:13:47 GMT.
0060 0a 45 58 54 3a 0d 0a 53 45 52 56 45 52 3a 42 53 .EXT:..SERVER:BS
0070 44 2f 34 2e 33 20 55 50 6e 50 2f 31 2e 30 0d 0a D/4.3 UPnP/1.0..
0080 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d ..<?xml version=
0090 22 31 2e 30 22 3f 3e 0d 0a 3c 73 3a 45 6e 76 65 "1.0"?>..<s:Enve
00a0 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 lope xmlns:s="ht
00b0 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c tp://schemas.xml
00c0 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e soap.org/soap/en
00d0 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 velope/" s:encod
00e0 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f ingStyle="http:/
00f0 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 /schemas.xmlsoap
0100 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 .org/soap/encodi
0110 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 0a 3c 75 ng/"><s:Body>.<u
0120 3a 47 65 74 54 6f 74 61 6c 42 79 74 65 73 53 65 :GetTotalBytesSe
0130 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 ntResponse xmlns
0140 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d :u="urn:schemas-
0150 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 upnp-org:service
0160 3a 57 41 4e 49 50 43 6f 6e 6e 65 63 74 69 6f 6e :WANIPConnection
0170 3a 31 22 3e 3c 4e 65 77 54 6f 74 61 6c 42 79 74 :1"><NewTotalByt
0180 65 73 53 65 6e 74 3e 31 35 38 34 36 39 33 33 36 esSent>158469336
0190 3c 2f 4e 65 77 54 6f 74 61 6c 42 79 74 65 73 53 </NewTotalBytesS
01a0 65 6e 74 3e 3c 2f 75 3a 47 65 74 54 6f 74 61 6c ent></u:GetTotal
01b0 42 79 74 65 73 53 65 6e 74 52 65 73 70 6f 6e 73 BytesSentRespons
01c0 65 3e 3c 2f 73 3a 42 6f 64 79 3e 20 3c 2f 73 3a e></s:Body> </s:
01d0 45 6e 76 65 6c 6f 70 65 3e 00 Envelope>.

No. Time Source Destination Protocol Info
8 0.012528 192.168.0.1 192.168.0.100 TCP 5678 > 2188 [FIN, ACK] Seq=475 Ack=632 Win=8760 Len=0
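
An added example, not code from the thread, that decodes the Ethereal dump above to show what the looping traffic actually asks for. It rebuilds bytes from hex-dump lines, splits the HTTP message, parses the SOAP envelope with the standard library, and checks whether the destination is a private address and whether the SOAPAction header agrees with the request body. The REQUEST and RESPONSE byte strings are transcribed from the two data frames in the post; the function names and the triage dictionary are my own.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Three lines copied from the hex dump in the post (the first two and the last).
DUMP_SAMPLE = """\
0000 50 4f 53 54 20 2f 57 41 4e 43 6f 6d 6d 6f 6e 49 POST /WANCommonI
0010 6e 74 65 72 66 61 63 65 43 6f 6e 66 69 67 20 48 nterfaceConfig H
0270 70 65 3e 0d 0a 0d 0a pe>....
"""

# Request and reply transcribed from the full dump in the post. The reply ends
# in a 0x00 byte and answers under WANIPConnection:1 rather than the
# WANCommonInterfaceConfig:1 namespace that was asked for.
REQUEST = (
    b"POST /WANCommonInterfaceConfig HTTP/1.1\r\n"
    b'Content-Type: text/xml; charset="utf-8"\r\n'
    b'SOAPAction: "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1#GetTotalBytesSent"\r\n'
    b"User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\r\n"
    b"Host: 192.168.0.1:5678\r\nContent-Length: 309\r\n"
    b"Connection: Keep-Alive\r\nPragma: no-cache\r\n\r\n"
    b'<?xml version="1.0"?>\r\n'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    b'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    b'<SOAP-ENV:Body><m:GetTotalBytesSent '
    b'xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>'
    b"</SOAP-ENV:Body></SOAP-ENV:Envelope>\r\n\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\nCONTENT-LENGTH:344\r\nCONTENT-TYPE:text/xml\r\n"
    b"DATE: Sat, 24 Jul 2004 20:13:47 GMT\r\nEXT:\r\nSERVER:BSD/4.3 UPnP/1.0\r\n\r\n"
    b'<?xml version="1.0"?>\r\n'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    b's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>\n'
    b'<u:GetTotalBytesSentResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b"<NewTotalBytesSent>158469336</NewTotalBytesSent></u:GetTotalBytesSentResponse>"
    b"</s:Body> </s:Envelope>\x00"
)

# Offset, then 1..16 hex pairs; the ASCII column is ignored. A short last line
# whose ASCII column starts with a hex-looking pair would be over-read, so add
# a length check against the "Data (N bytes)" header for dumps of unknown origin.
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]{4,8}\s+((?:[0-9a-fA-F]{2}\s){1,16})")
SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild a payload from Ethereal/Wireshark-style hex dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line + " ")  # trailing space so the last pair matches
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def parse_http(raw: bytes):
    """Split an HTTP/1.1 message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # router sends "CONTENT-TYPE:text/xml"
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_soap(body: bytes):
    """Return (namespace, action name, {argument: value}) of the first Body child."""
    body = body.rstrip(b"\x00\r\n ")  # expat rejects the router's trailing NUL
    root = ET.fromstring(body)
    action = list(root.find(SOAP_ENV + "Body"))[0]
    if action.tag.startswith("{"):
        ns, _, local = action.tag[1:].partition("}")
    else:
        ns, local = "", action.tag
    args = {c.tag.split("}")[-1]: (c.text or "").strip() for c in action}
    return ns, local, args


def triage(request: bytes) -> dict:
    """Classify a captured request: where it goes and which UPnP action it invokes."""
    start, headers, body = parse_http(request)
    host = headers.get("host", "").rsplit(":", 1)[0]
    ns, action, _ = parse_soap(body)
    upnp = ns.startswith("urn:schemas-upnp-org:service:")
    return {
        "start_line": start,
        "host": host,
        "private_destination": ipaddress.ip_address(host).is_private if host else None,
        "upnp_service": ns.split(":")[-2] if upnp else None,
        "action": action,
        "soapaction_matches_body": headers.get("soapaction", "").strip('"') == f"{ns}#{action}",
    }


if __name__ == "__main__":
    print(hexdump_to_bytes(DUMP_SAMPLE))
    print(triage(REQUEST))
    print(parse_soap(parse_http(RESPONSE)[2]))
```

Decoded, each loop iteration is a GetTotalBytesSent call to the router's LAN address under the UPnP Internet Gateway Device service namespace, and the router answers with a byte counter. That is consistent with the thread's resolution that the UPnP components, not a trojan, generate the traffic, and it explains why a host firewall that watches svchost.exe opening connections gets in its way. Two parsing hazards are visible in the capture itself: the reply carries a trailing 0x00 byte that a strict XML parser rejects, and the reply's namespace does not match the request's, so matching on the response namespace would miss it.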

#9 forkball


    Member

  • Full Member
  • 12 posts

Posted 24 July 2004 - 06:52 PM

PROBLEM SOLVED!!!!!

Well, through various research and a tenacious will to win, I've solved the problem. Turns out that the universal plug and play component was the culprit all along. My machine is clean. I just simply disabled the services involving that crapware à la Microsoft, and voilà... In the interim, I blocked all outgoing packets with the TCP dest. port of 5678 just in case. But looking at the trace, the packets were destined for the private IP of my router, so I was thinking that maybe the traffic wasn't working its way out of my network, but whatever... the problem is solved and the crisis is over. Thanks for all your help.



