Network TCP always at 100%, System or Svchost.exe

[Bkid]

According to my Firewall (Comodo Personal Firewall) either System or Svchost.exe is using 80-100% of TCP at all times, making it hard for me to use the internet at all. Also, my modem keeps resetting, which my friend told me was some safety thing or something, but I dunno. Ethereal is saying my ARP protocol is peaked at 100% at all times, and when I look at the log, it's a bunch of "WHO HAS [ip]? TELL [ip]."

Someone please tell me what's wrong to I can use the internet without my modem constantly resetting, and get my TCP back down to a reasonable level..

PC Stats in sig.

[GX1_Man]

So you are using a modem and not an Ethernet cable? First thing you need to do is make sure your system is clean:

http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1134123580

Then you may want to disable the onboard NIC

But I suspect you will find the problem before doing that, if you follow the instructions above.  

[Bkid]

No no, it's my cable modem. I'm using an ethernet cable.

EDIT: and btw, I'm not by any means a computer noob. I keep my computer very clean about 90% of the time. I highly doubt there is anything on here that I haven't found yet that could be causing the problem. Just wanted to clear that up.

[Rob Pomeroy]

Does the network traffic decrease if you temporarily disable the firewall?

Do you have a static IP address?

[Bkid]

Static IP: Yes
Firewall: Already down (except for windows firewall. It might be down, but I haven't checked). I'm at school right now, so I can't check to see if my firewalls at home are down. I'll edit back later.

[Rob Pomeroy]

Can you find out from the firewall if you're being hammered by a particular IP address or on particular ports?  Is your firewall running "hardened" - i.e. not responding to any external requests?  What kind of modem do you have (cable/DSL/analogue)?

[Bkid]

Cable modem, and I can find out from Ethereal what ports and IPs. Included is an Ethereal log file with no programs open but Ethereal.

This is what it's usually saying:

Source          Destination          Protocol     Info
68.47.72.1      Broadcast             ARP        Who has 68.47.73.16? Tell 68.47.72.1
68.47.72.1      Broadcast             ARP        Who has 68.47.76.124? Tell 68.47.72.1

It's always Broadcast, and the Tell IP is almost always the same as the source IP. If you have Ethereal you can check the log. If not, I'll post a pic of it.

EDIT: Log pic

[tmml]

open task manager and look at the programs accessing the net. you can check them at www.processlibrary.com

you can also run msconfig and run the startup programs throught the library. you might have a worm.

[Rob Pomeroy]

Unless you're running any peer to peer software that's provoking these requests, I would say it's nothing to do with your machine or your network.  I'm not sure why your cable provider is allowing these through - they clearly have nothing to do with your network.  Perhaps you should check whether they can block them?  Particularly since it seems to be degrading your bandwith so much.

[Bkid]

open task manager and look at the programs accessing the net. you can check them at www.processlibrary.com

you can also run msconfig and run the startup programs throught the library. you might have a worm.

I'll try this first and see where it goes..robpomeroy, what could possibly be sending out "Who has, Tell" so much? I just can't think of anything that might be doing that..I'll try that website above, then post back.

[Bkid]

You need reliable advice on virus/trojan/malware removal and prevention.

I'm sorry, but how does whatever you just said help me in any way? I already Know how to find/remove all of that. I keep my computer almost 100% clean, if a virus/trojan/etc. was the problem, then I would be suprised...

[Fed]

Is 68.47.72.1 your IP address, if so I'd be surprised if you don't have an infection.
If 68.47.72.1 is not you then there is little you can do other than get your IP to track down the culprit or do it yourself & complain.
I suspect it's you, have you run Ewido?

[Scourged]

Ip address 68.47.72.1 resolves to host c-68-47-72-1.hsd1.ga.comcast.net
This georgia usa address is listed in spam and virus transmission databases.

[Rob Pomeroy]

Exactly.  It's a script running on a computer outside of the LAN.

[Fed]

Then his ISP can block the offender's ISP.

[Bkid]

Well, my IP is 68.47.x.x, but not the one that was previously mentioned. Also, that's not my hostname. So, it's like someone spamming my computer from another computer, or what? Do I have to call my ISP and tell them to block that address?

What now?

[Dilbert]

Get HijackThis, run it, save a logfile, zip it and attach it to your next post. I know you say you keep your comp clean, but I have found many viruses on my computer that my standard scanner is too stupid to find. We'll look at it and then it will settle the question of if your PC is as clean as you think it is.

[Bkid]

HijackThis log attached.

[Dilbert]

Inspecting now. I have already found a Trojan... I will post again with more detailed info in a minute...

[Dilbert]

Color Key:

Red - Serious threats that should be immediately removed (Fixing is STRONGLY recommended)
Blue - Programs known to cause problems but are not necessarily the source of the problem (Fixing is recommended unless you recognize and use these programs)
Dark Green - Issues that are not problem-causing, but can be fixed to improve performance (fixing is optional)


O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
Yahoo! Toolbar is known to slow down machines. It isn't our cuplrit, but removal may speed up internet browsing, which is a plus.

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
A part of the Yahoo! Toolbar.

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
Do you use Yahoo! Messenger? If not, removal will improve browsing somewhat.

O23 - Service: Abel - oxid.it - C:\Mozilla Downloads\Cracking\Cain\Abel.exe
Troj/Cain-25 is a downloadable program package primarily designed to steal passwords from other machines in a network. The server is called Abel.exe and the client Cain.exe. Abel.exe will install a service called Abel so that it will always be run on system restart.

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
Do you use AOL Instant messenger? It won't hurt much to have it on there, but even if you do use it, removing this won't hurt it either.

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
Remove only if you don't use AOL Instant Messenger.

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
Do you use real.com a lot? If not, remove it if desired.

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
I'm starting to think you do use AOL. If so, then ignore this like the others. If not (I know AOL comes pre-installed on some machines) then go ahead and fix it.

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Anything with (file missing) can be fixed; doing so has solved several small problems on my PC, but it really isn't necessary.


You certainly do good work on your PC; it's the shortest logfile I've seen posted here in a while. But even the best of scanners may miss a few things.

[Bkid]

Oh dude, no problem. I just got that today. That my little helper, so to speak...I'm sure you don't "encourage" or "promote" any type of less-than-legal activity on this site, and I respect that. But what I do in my spare time is my business, you see. Plus, I've already scanned it, it's fine. I'll say again, this cannot be the problem, seeing as how I just got it today.

[Dilbert]

Wait - You run this? I thought you were infected by it... I'm not going to comment.

[Bkid]

Ok, here we go with the semi-long explaination as to not confuse the youngins...

The problem I've been having has been going on for a WHILE now. I just got C&A, so that cannot be the problem. I haven't even really used C&A yet, other than looking at it for about 5 minutes. Basically it's just sitting there..and yes, it's virus/trojan free (believe me, I've checked and double checked). Even if it wasn't, it still would not explain that problem I've been having.

There.

[Fed]

Did you talk to your ISP or [email protected]

[Bkid]

Well I mean, I wasn't sure that was necessary. :-/ I thought it was just a problem with my computer..I guess I could give it a shot..

[Rob Pomeroy]

As I've said before, this is almost certainly an attack from outside your network.  Unless you have a decent hardware firewall that can silently drop these queries, it is best to get them stopped by your ISP.  Any ISP worth their salt should not be passing this on to the end user anyway!

[Bkid]

Ok, well I sent an email to [email protected], so maybe they'll take care of the problem...Only one thing. I just checked out the status of my internet connection. I went over to the "support" tab and looked at "address type". It said "assigned by DHCP"...o..k? Never seen that before. I always thought it said "automatic" or something like that...Also, my ip is different than it was yesterday. I pulled up cmd and typed ipconfig /all and checked all that out. It says I have IP routing enabled, dhcp enabled, and my ip is different...so...yeah...

[Dilbert]

That would mean you have a dynamic IP address. it changes from time to time. The function of a dynamic IP (besides ticking me off from time to time) is unclear to me, but for some reason a static, unchanging IP is more expensive in general.

Basically, it's the Internet's way of causing minor headaches, esp. if you're hosting a web site.

[Rob Pomeroy]

It said "assigned by DHCP"...o..k? ... I always thought it said "automatic"

DHCP EQUALS automatic.

The function of a dynamic IP (besides ticking me off from time to time) is unclear to me

Imagine you have a network of a thousand computers (not uncommon in large companies, and not uncommon for ISPs).  Would you rather go round each computer, giving it a specific number (what happens when you remove a few and later add a few?) or would you rather let them all receive their numbers automatically?  DHCP makes management much simpler in many ways.

Basically, it's the Internet's way of causing minor headaches, esp. if you're hosting a web site.

Except of course when, like you, you know about dynamic DNS services.