Network TCP always at 100%, System or Svchost.exe

[Bkid]

Well, my IP is 68.47.x.x, but not the one that was previously mentioned. Also, that's not my hostname. So, it's like someone spamming my computer from another computer, or what? Do I have to call my ISP and tell them to block that address?

What now?

[Dilbert]

Get HijackThis, run it, save a logfile, zip it and attach it to your next post. I know you say you keep your comp clean, but I have found many viruses on my computer that my standard scanner is too stupid to find. We'll look at it and then it will settle the question of if your PC is as clean as you think it is.

[Bkid]

HijackThis log attached.

[Dilbert]

Inspecting now. I have already found a Trojan... I will post again with more detailed info in a minute...

[Dilbert]

Color Key:

Red - Serious threats that should be immediately removed (Fixing is STRONGLY recommended)
Blue - Programs known to cause problems but are not necessarily the source of the problem (Fixing is recommended unless you recognize and use these programs)
Dark Green - Issues that are not problem-causing, but can be fixed to improve performance (fixing is optional)


O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
Yahoo! Toolbar is known to slow down machines. It isn't our cuplrit, but removal may speed up internet browsing, which is a plus.

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
A part of the Yahoo! Toolbar.

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
Do you use Yahoo! Messenger? If not, removal will improve browsing somewhat.

O23 - Service: Abel - oxid.it - C:\Mozilla Downloads\Cracking\Cain\Abel.exe
Troj/Cain-25 is a downloadable program package primarily designed to steal passwords from other machines in a network. The server is called Abel.exe and the client Cain.exe. Abel.exe will install a service called Abel so that it will always be run on system restart.

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
Do you use AOL Instant messenger? It won't hurt much to have it on there, but even if you do use it, removing this won't hurt it either.

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
Remove only if you don't use AOL Instant Messenger.

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
Do you use real.com a lot? If not, remove it if desired.

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
I'm starting to think you do use AOL. If so, then ignore this like the others. If not (I know AOL comes pre-installed on some machines) then go ahead and fix it.

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Anything with (file missing) can be fixed; doing so has solved several small problems on my PC, but it really isn't necessary.


You certainly do good work on your PC; it's the shortest logfile I've seen posted here in a while. But even the best of scanners may miss a few things.

[Bkid]

Oh dude, no problem. I just got that today. That my little helper, so to speak...I'm sure you don't "encourage" or "promote" any type of less-than-legal activity on this site, and I respect that. But what I do in my spare time is my business, you see. Plus, I've already scanned it, it's fine. I'll say again, this cannot be the problem, seeing as how I just got it today.

[Dilbert]

Wait - You run this? I thought you were infected by it... I'm not going to comment.

[Bkid]

Ok, here we go with the semi-long explaination as to not confuse the youngins...

The problem I've been having has been going on for a WHILE now. I just got C&A, so that cannot be the problem. I haven't even really used C&A yet, other than looking at it for about 5 minutes. Basically it's just sitting there..and yes, it's virus/trojan free (believe me, I've checked and double checked). Even if it wasn't, it still would not explain that problem I've been having.

There.

[Fed]

Did you talk to your ISP or [email protected]

[Bkid]

Well I mean, I wasn't sure that was necessary. :-/ I thought it was just a problem with my computer..I guess I could give it a shot..

[Rob Pomeroy]

As I've said before, this is almost certainly an attack from outside your network.  Unless you have a decent hardware firewall that can silently drop these queries, it is best to get them stopped by your ISP.  Any ISP worth their salt should not be passing this on to the end user anyway!

[Bkid]

Ok, well I sent an email to [email protected], so maybe they'll take care of the problem...Only one thing. I just checked out the status of my internet connection. I went over to the "support" tab and looked at "address type". It said "assigned by DHCP"...o..k? Never seen that before. I always thought it said "automatic" or something like that...Also, my ip is different than it was yesterday. I pulled up cmd and typed ipconfig /all and checked all that out. It says I have IP routing enabled, dhcp enabled, and my ip is different...so...yeah...

[Dilbert]

That would mean you have a dynamic IP address. it changes from time to time. The function of a dynamic IP (besides ticking me off from time to time) is unclear to me, but for some reason a static, unchanging IP is more expensive in general.

Basically, it's the Internet's way of causing minor headaches, esp. if you're hosting a web site.

[Rob Pomeroy]

It said "assigned by DHCP"...o..k? ... I always thought it said "automatic"

DHCP EQUALS automatic.

The function of a dynamic IP (besides ticking me off from time to time) is unclear to me

Imagine you have a network of a thousand computers (not uncommon in large companies, and not uncommon for ISPs).  Would you rather go round each computer, giving it a specific number (what happens when you remove a few and later add a few?) or would you rather let them all receive their numbers automatically?  DHCP makes management much simpler in many ways.

Basically, it's the Internet's way of causing minor headaches, esp. if you're hosting a web site.

Except of course when, like you, you know about dynamic DNS services.