Old 08-16-2004, 07:14 PM
MarkAbrams
Junior Member
 
Join Date: Aug 2004
Location: Boston, Ma
Posts: 9
Unknown Process Triggers Firewall - continuously communicates with Linksys Router

I have an unexplained process that has occurred with two PCs on separate networks.

Both PCs are sending a massive amount of TCP traffic to the routers even with the internet disconnected at the router and all other devices disconnected.

1) Version of XP: Case 1 - XP Professional; Case 2 - XP Home
2) Hardware setup:
Case 1 - desktop - 2GHz P4 CPU, 1GB RAM, 100GB disk (90% free), all security patches applied, SP1. Linksys Router EtherFast® Cable/DSL Router BGFSR41

Case 2 - IBM laptop T40 Pentium M 1.6GHz, 512MB RAM, 40GB disk (75% free), all security patches applied, SP1

3) What exactly happened leading up to the problem.

Both PCs operate normally until IP packets are transmitted. Once an IP transmission starts, there are continuous IP transmissions. SVCHOST:1172 is performing OPEN, READ, QUERY INFORMATION, CLOSE, ... IEXPLORER.EXE:2868 has the same operations; CCEVTMGR.EXE writes to Symantec\SNDCON.log - the log is unreadable.

Up to 25% of the CPU is consumed. Disconnecting the router from the WAN does not stop the problem. Any process that connects to the internet triggers this problem. Other PCs on both networks are unaffected.

Both PCs create XML, html, and gif files in C:\WINDOWS\System32\Config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IJ23456P

FILES: WANIPConnection[19] 1kb, WANCfg[1].gif 4kb, WANCommonInterfaceConfig 1kb, rootDesc[7] 3kb, Class3SoftwarePublishers[1].crl 8kb (Certificate Revocation List) ...

The files are created continuously. File Monitor from sysinternals.com shows massive traffic opening, querying and closing files.

Sometimes the Symantec firewall says that a new connection is being made, but it is usually Local Host.

Colasoft Capsa 4.0 (network sniffer) shows transmissions from each PC on 192.168.1.1:6688 to the router @ 11 packets per second or 2kbs. This is all TCP traffic - no UDP, no IP

SOAP headers show router settings: GetCommonLinkProperties NewWANAccessType out WANAccessType NewLayer1UpstreamMaxBitRate out ...

LINKSYS is clueless - claims it's not our router. Symantec is no help either. 2 hrs on hold to listen to a tech say this is the worst it's ever been ...

Both PCs have current Symantec AV - Case 1 corporate ed., Case 2 - NIS - both run with full scans in safe mode. Also, Spy Sweeper was run on both and both are clean. Disabling the firewalls and NAV produces the same results.

In closing, I suspect a worm. I have now reformatted Case 1 and the problem is gone. I would like to know what this is, and any info on how to fix it or isolate the problem would be appreciated.

TIA
Mark



Last edited by MarkAbrams : 08-16-2004 at 09:46 PM.