TechSpot

Hijackthis logs

By dustin_ds3000
Jan 28, 2010
  1. I'm having packets coming from my internet modem
    http://i268.photobucket.com/albums/jj10/dustin_ds3000/Untitled.png?t=1264714963

    and I'm getting weird IPs in my router's incoming logs

    ip              protocol  port   rule     location
    92.105.11.59    UDP       50684  Dropped  Switzerland
    212.118.142.77  UDP       50684  Dropped  Saudi Arabia

    I play online games and this is causing me major lag.

    Also, when I look at my Local Area Connection Status I see some data coming in and out without Firefox open.

    I'm using Avast 5 Free with the Windows 7 firewall.
     

  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Where are you located in the World? Argentina? Have you tried resetting the modem/router?
     
  3. dustin_ds3000

    dustin_ds3000 TechSpot Chancellor Topic Starter Posts: 869   +8

    I'm in the USA, and yes, I have reset the modem/router without it helping.
     
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

  5. dustin_ds3000

    dustin_ds3000 TechSpot Chancellor Topic Starter Posts: 869   +8

    That program only works with Windows XP and older. I'm running Windows 7.
     
  6. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Some info that might also help

    1) I don't think UDP packets dropped on the WAN side of your network router mean a problem
    > UDP packets can either be addressed to a specific IP address or the packet can be "broadcast"
    > So it's normal for broadcast UDP packets to exist on the WAN and be dropped by a router not expecting a broadcast packet (which just means the broadcast packet is intended for a different network address)

    2) Now, as far as getting a better idea of what's happening on your computer's ports on your LAN, you can also run currports on each of your computers to see what TCP/IP and UDP ports are open. Note you can also click File->Log Changes and currports will keep a running log as ports are opened and closed. Might help point to what's sending or soliciting traffic.

    /* edit */
    Just to add: even if a broadcast UDP packet was from malware, your router is just doing its job and dropping it

    /* edit */
    For currports, also click Options->Resolve IP Addresses to make sure it's checked,
    and Options->Autorefresh and set a refresh time. The log file reflects port change diffs at each refresh
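As an added illustration of the triage described in this post (it is not code from the thread, from the router, or from currports), the Python below parses router log lines in the format quoted in the first post and applies three defender heuristics: sources that sit in LAN/loopback ranges (local devices, not the internet), one destination port hit by several unrelated sources (what stale peer traffic to a port a game or P2P session recently used looks like, and harmless once the router drops it), and one source touching many distinct ports. Apart from the two lines from the post, every sample line is constructed; the external addresses are RFC 5737 documentation addresses and the threshold of four ports is an arbitrary choice.

```python
"""Triage of inbound 'Dropped' entries from a home router log.

Added example for this thread; it is not code from the original posts or from any
router or tool mentioned in them.  Lines follow the format quoted in the first post:
    <source ip> <protocol> <port> <rule> <location>
"""
import ipaddress
from collections import defaultdict

# Address ranges that belong on the LAN side of a home router (RFC 1918 plus loopback).
# A "Dropped" entry from one of these did not arrive from the internet.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: the two lines from the post, plus invented lines (RFC 5737
# documentation addresses and one RFC 1918 address) to exercise each heuristic.
SAMPLE_LOG = """\
92.105.11.59 UDP 50684 Dropped Switzerland
212.118.142.77 UDP 50684 Dropped Saudi Arabia
203.0.113.7 TCP 22 Dropped Unknown
203.0.113.7 TCP 23 Dropped Unknown
203.0.113.7 TCP 445 Dropped Unknown
203.0.113.7 TCP 3389 Dropped Unknown
192.168.1.50 UDP 1900 Dropped LAN
not a log line
"""


def parse_log(text):
    """Parse log lines into dicts; the location field may contain spaces ('Saudi Arabia')."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        ip, proto, port, rule = parts[:4]
        try:
            entries.append({
                "ip": ipaddress.ip_address(ip),
                "proto": proto.upper(),
                "port": int(port),
                "rule": rule,
                "location": " ".join(parts[4:]),
            })
        except ValueError:
            continue  # not an IP address / not a port number
    return entries


def is_lan_side(addr):
    """True when the source address belongs to a LAN or loopback range."""
    return any(addr in net for net in LAN_RANGES)


def triage(entries, sweep_threshold=4):
    """Group dropped packets by source and by port and apply three defender heuristics.

    Returns a dict with:
      lan_side_sources : sources in LAN/loopback ranges (local devices, e.g. UPnP/SSDP chatter)
      shared_ports     : one destination port hit by several distinct sources, which is what
                         stale peer traffic to a port a game or P2P session recently used
                         looks like; once the router drops it, it is noise
      port_sweeps      : one source touching many distinct ports, worth keeping an eye on
                         even though every packet was dropped
    """
    ports_by_source = defaultdict(set)
    sources_by_port = defaultdict(set)
    lan_side = set()
    for e in entries:
        if e["rule"].lower() != "dropped":
            continue
        src = str(e["ip"])
        if is_lan_side(e["ip"]):
            lan_side.add(src)
        ports_by_source[src].add(e["port"])
        sources_by_port[(e["proto"], e["port"])].add(src)
    shared_ports = {f"{proto}/{port}": sorted(srcs)
                    for (proto, port), srcs in sources_by_port.items() if len(srcs) > 1}
    port_sweeps = {src: sorted(ports) for src, ports in ports_by_source.items()
                   if len(ports) >= sweep_threshold}
    return {"lan_side_sources": sorted(lan_side),
            "shared_ports": shared_ports,
            "port_sweeps": port_sweeps}


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as a script to see the three buckets; on a real export, paste the router's log text into `parse_log` and look at which bucket the addresses that worried you land in. Port 50684 from two unrelated countries lands in `shared_ports`, which is the pattern this post explains as normal dropped traffic.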
     
  7. dustin_ds3000

    dustin_ds3000 TechSpot Chancellor Topic Starter Posts: 869   +8

    Here are three logs from currports. Maybe this can help.
     

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Dustin, I've gathered some information for you. Use what you can and ignore the rest.

    First, I'm not sure what your problem is, or if you actually have a problem. Posts 2 & 4 can be ignored as not applicable. You're overclocking and obviously a serious gamer.

    Your router should stop UDP packets from the internet. Whether it is wired or unwired, if you looked at your router logs you would see it dropping unwanted packets all the time. I am not convinced anything is going on here, other than you seeing someone on an unsecured wireless network.

    Country Code in US for AR is for Arkansas, not Argentina.
    Your TCPip NameServer = 64.233.128.10
    IP 64.233.128.10
    OrgName: Ritter Communications, Inc.
    OrgID: RITT
    Address: 3300 One Place
    City: Jonesboro
    StateProv: AR= Arkansas
    PostalCode: 72404
    Country: US

    Is this your ISP?

    You also have this protocol running:
    O18 - Protocol: grooveLocalGWS - this is for Microsoft Office\Office12\GrooveSystemServices.dll
    http://office.microsoft.com/en-us/groove/default.aspx

    The description of this program from Microsoft:
    Is it possible that any of this 'collaboration' is causing the packets? But it seems to me that what you are seeing is normal internet traffic.

    IP 92.105.11.59
    inetnum: 92.105.0.0 - 92.105.191.255
    netname: BLUEWIN-3PLAY-NET
    descr: Bluewin is an LIR and ISP in Switzerland.(Swiscom)
    descr: This range is used for dynamic customer pools.
    country: CH

    Swisscom Switzerland:
    Residential Customers: The Residential Customers Division is the contact partner for mobile and fixed-line customers, provides Switzerland with broadband Internet access (DSL) and offers digital television (IPTV) with its Bluewin TV service. With www.bluewin.ch it also operates Switzerland's most-visited Internet site.

    Bluewin AG provides broadband services. The company is based in Zurich, Switzerland. Bluewin AG operates as a subsidiary of Swisscom Fixnet AG

    IP 212.118.142.77
    netname: SAUDINET-INFRASTRUCTURE
    descr: AL_JAWAL 3G IPVPN
    remarks: For any Abuse or Spamming Please send an e-mail to abuse@saudi.net.sa
    country: SA

    Excellent firewall information in "Firewall Forensics - What Am I Seeing?"
     
  9. dustin_ds3000

    dustin_ds3000 TechSpot Chancellor Topic Starter Posts: 869   +8

    Thanks for all the info, Bobbye. I have disabled the Microsoft Office Groove Audit Service as it isn't needed. You also got my ISP info right.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome Dustin. I hope it is helpful to you.
     
  11. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Hi dustin_ds3000

    Here's a bit more info

    Currports
    I skimmed the snapshots you provided from currports. Nothing really "jumped out at me", but a few comments:
    > Avast, Punkbuster and several Windows services are all keeping different network ports open
    > So aside from Firefox, net traffic could also be from their own network activity. Possibly downloading updates is one thing that comes to mind that would generate lots of traffic
    > When I first saw hostname www.007guard.com appear several times in the log I was concerned. HOWEVER, it appears it's just a hostname resolution glitch (so no need to worry)
    ====> The important fact is the IP address in each case is 127.0.0.1 (which is localhost)
    > There was a curious http connection between Avast and Google. Not sure why Avast connected to Google but am sure it was legit

    Netlimiter
    I just happened to find the Netlimiter tool. Netlimiter will break down system bandwidth to the process level, which might also help you figure out where your local traffic is from. Note:
    > Windows 7 will require Netlimiter v3 (which is still a Beta version)
    > Provides 58 day free evaluation
    > I did download Netlimiter v3 (32 bit) and have been running it on a Win 7 32bit machine since morning with no problem (but it is beta so take due precaution)
    > While in Firefox, I started an ftp download from University of Florida (see snapshot of bandwidth below). If you were to look up the IP address 128.227.176.226 you'll find it belongs to U of Florida.

    [image: Netlimiter bandwidth snapshot]
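As an added example (not CurrPorts' or Netlimiter's own code, and not taken from the logs attached to this thread), the Python below turns rows shaped like a CurrPorts listing into the per-process view this post works through: which ports each process merely holds open, which "connections" never leave the machine, and which processes really talk to another host. The row layout and all values are constructed; the one pairing taken from the post is a hostname displayed beside 127.0.0.1, which the code files as local traffic whatever the name says, and the 198.51.100.x addresses are RFC 5737 documentation addresses standing in for real remote hosts.

```python
"""Per-process summary of a CurrPorts-style connection listing.

Added example for this thread; not CurrPorts' or Netlimiter's code and not taken from the
attached logs.  Each row mimics the columns CurrPorts shows:
    (process, protocol, local port, remote address, remote host name, state)
"""
import ipaddress
from collections import defaultdict

# Constructed sample rows.  Remote addresses use RFC 5737 documentation ranges; the
# www.007guard.com / 127.0.0.1 pairing is the case discussed in the thread.
SAMPLE_ROWS = [
    ("firefox.exe",  "TCP", 49301, "198.51.100.20", "www.example.org",  "ESTABLISHED"),
    ("firefox.exe",  "TCP", 49302, "127.0.0.1",     "www.007guard.com", "ESTABLISHED"),
    ("AvastSvc.exe", "TCP", 49310, "198.51.100.33", "update.example",   "ESTABLISHED"),
    ("AvastSvc.exe", "TCP", 12080, "",              "",                 "LISTENING"),
    ("PnkBstrA.exe", "UDP", 44301, "",              "",                 ""),
    ("svchost.exe",  "UDP", 1900,  "",              "",                 ""),
    ("svchost.exe",  "TCP", 135,   "",              "",                 "LISTENING"),
]


def classify_remote(remote_ip):
    """Bucket a row by its remote address.

    ""        -> "open_port": the process merely holds a port open (LISTENING / unbound UDP)
    loopback  -> "loopback":  traffic never left this machine, whatever hostname is displayed
    otherwise -> "external":  a real peer on the LAN or the internet
    """
    if not remote_ip:
        return "open_port"
    if ipaddress.ip_address(remote_ip).is_loopback:
        return "loopback"
    return "external"


def summarize_by_process(rows):
    """Group rows by process so each process's open ports and peers can be read at a glance."""
    summary = defaultdict(lambda: {"open_port": [], "loopback": [], "external": []})
    for process, proto, local_port, remote_ip, remote_host, _state in rows:
        bucket = classify_remote(remote_ip)
        if bucket == "open_port":
            summary[process][bucket].append(f"{proto}/{local_port}")
        else:
            # Keep the displayed hostname but always show the IP next to it, since the IP
            # is what decides whether the traffic is local (127.0.0.1) or external.
            summary[process][bucket].append(f"{proto} -> {remote_host or remote_ip} ({remote_ip})")
    return dict(summary)


def processes_with_external_peers(summary):
    """Processes actually exchanging data with another host: where non-browser traffic comes from."""
    return sorted(p for p, buckets in summary.items() if buckets["external"])


if __name__ == "__main__":
    s = summarize_by_process(SAMPLE_ROWS)
    for process, buckets in s.items():
        print(process)
        for bucket, items in buckets.items():
            if items:
                print(f"  {bucket}: {', '.join(items)}")
    print("talking externally:", processes_with_external_peers(s))
```

With the sample rows, the scary-looking hostname ends up under `loopback` for firefox.exe, the Punkbuster and svchost entries are just open ports, and only firefox.exe and AvastSvc.exe have real external peers, which matches the reading of the snapshots above.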
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for that LookinAround. I hadn't used either one of these programs. I didn't notice any port numbers out of the ordinary, but otherwise wasn't familiar with the program.
     
  13. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    You're most welcome, Bobbye

    I actually just stumbled across Netlimiter today (and we'll have to thank dustin_ds3000 for that as their questions prompted my looking/Googling for that one! :) )
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You know, I sometimes wonder if the people we help know that we also learn!

    That's another facet of what can make computer forum help great!
     
  15. dustin_ds3000

    dustin_ds3000 TechSpot Chancellor Topic Starter Posts: 869   +8

    Thanks for all the help. I guess for right now everything looks OK, so I will just keep all my software up to date and do regular scans.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I assume you are recommending the automatic HijackThis site.

    Please see this by the author of the program, Merijn: Post #17:
    Merijn Bellekom is a Dutch programmer and anti-spyware specialist, most known for writing the program HijackThis.
    http://www.wilderssecurity.com/showthread.php?t=62044

    No one who comes here for help should be referred to the automated program.

    Someone here used it recently and had a member remove an entry for a program that was being used. It was a legitimate program, causing no problems or unwanted entries. When I asked why the member had been told to remove it, I was told because "HijackThis.de flagged it."
     