I’ve noticed a slowdown in processing, especially when playing Unreal Tournament. I thought it may be a trojan so I checked it out with Ad-Aware, Spybot, and ewido. They found a few tracking cookies, but nothing else. The virus scan is also clean.
I’ve tried killing processes, but my attempts are so far worth nothing. As soon as I start up my system, the LAN connection opens to my router, then a second connection connects out to the Internet and the icon shows almost continuous use. It’s moving data from one place to another, and I can’t find a process or file responsible: in the Start menu, among the running processes, or among any applications.
When I try to check the status of the connection, the window closes immediately, which raised my alarm about a trojan.
The only thing I found was an entry in the AVG log from a couple of weeks ago: it was Trojan horse Downloader.Zlob.MB, and the log says the file was deleted. The file does not exist on the system, and to be sure I looked up the trojan’s definition entry and tried the removal instructions, which showed no infection.
My system: Sempron XP 2.0GHz processor, 256MB RAM, running Win XP SP2.
First: can anyone help me?
Second: if not, where do you suggest I go to resolve this? I’ve been searching for 2 days and I’m getting frustrated.
I must admit, it sounds suspicious, but a second connection should mean there’s a second adapter. Is yours a wireless setup? If so, is the computer also still connected to the router by a cable?
One way to get information on what process is trying to communicate would be to install a firewall like Sygate Personal Firewall (discontinued, but still available for free here) - with this installed and running, the first time any process tries to communicate via a network device, you will be informed and asked to permit or deny it.
I second the use of a personal firewall. It will definitely tell you if some other program is trying to use your internet connection.
As for virus scanning, it has been my experience that once your computer is infected with a virus, having your computer scan itself is pointless, as most viruses today can bypass the scan due to their being in active memory and being able to re-save themselves back to the HD. The best way to scan for viruses IMHO is to either boot from a clean boot disk and then do a scan, or pull the hard drive and scan it on another PC. That way the virus doesn’t get a chance to run and get into memory.
Sygate should be popping up a box telling you what the name of the process is and what it is attempting to do; something like “process.exe is trying to send a [foo] type request to [IP address] on port [bar] - do you want to let it communicate?”
The domain 239.255.255.250 is trying to access my machine.
Also, my computer is trying to contact a Windows update server, and a domain called www.wftv.com, which seems to be a TV station in Orlando- why is my computer calling them?
*A little further research says that the attempts to use port 1900 by the domain 239.255.255.250 are probably a setup for a denial-of-service attack on someone else. Now, if I could only find the program working on this side of the firewall…
The firewall log should tell you the name of the task or program trying to access. If it lacks such a log, you might want to consider a trial copy of ZoneAlarm Pro or the like just to pin the problem down.
The error message is Generic Host Process trying to access an exterior site. It’s running svchost.exe, and a process called tcpsvcs.exe is also running.
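A firewall prompt that names svchost.exe ("Generic Host Process") only tells you which host process is talking, not which of the several Windows services loaded into that svchost instance is responsible. The added example below (my code, not from any poster in this thread) shows the check a practitioner would run next on XP: parse the text printed by `netstat -ano` (connections with owning PID) and `tasklist /svc` (PID to hosted service names), join them on PID, and flag endpoints on UDP 1900. It assumes Windows XP's text layouts for those two commands, and the sample outputs embedded in the block are constructed for this example rather than captured from the poster's machine. The service names SSDPSRV and upnphost are the real XP short names of the SSDP Discovery Service and the Universal Plug and Play Device Host; 239.255.255.250 is the IPv4 SSDP multicast group and UDP 1900 its port. Note that tasklist.exe ships with XP Professional but not XP Home.

```python
"""Attribute network endpoints to processes and hosted services on Windows XP.

Added example: joins `netstat -ano` rows to `tasklist /svc` rows on PID so
that a svchost.exe connection can be narrowed to the services in that PID.
The two sample outputs are CONSTRUCTED for this example (remote addresses
use the 192.0.2.0/24 documentation range); they are not real captures.
"""
import re

SSDP_MULTICAST = "239.255.255.250"   # IPv4 SSDP (UPnP discovery) multicast group
SSDP_PORT = 1900                     # UDP port used by SSDP
SSDP_SERVICES = {"SSDPSRV", "upnphost"}  # XP service short names that use SSDP

# Constructed sample in the layout `netstat -ano` prints on XP SP2.
# UDP rows have no State column, so PID follows Foreign Address directly.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:1045     192.0.2.10:80          ESTABLISHED     1032
  TCP    192.168.1.100:1051     192.0.2.11:80          ESTABLISHED     1032
  UDP    192.168.1.100:1900     *:*                                    1032
  UDP    0.0.0.0:500            *:*                                    1208
  UDP    0.0.0.0:7              *:*                                    1312
"""

# Constructed sample in the layout `tasklist /svc` prints. A long Services
# column wraps onto an indented continuation line, which the parser joins.
TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== =============================================
System Idle Process              0 N/A
svchost.exe                   1032 AudioSrv, Browser, CryptSvc, Dhcp, SSDPSRV,
                                   upnphost, wuauserv
lsass.exe                     1208 PolicyAgent, ProtectedStorage, SamSs
tcpsvcs.exe                   1312 SimpTcp
"""

_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Return one dict per connection row; state is '' for UDP rows."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def _services(field):
    """Split a comma-separated Services field; 'N/A' means no services."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: {'image': name, 'services': [...]}}, joining wrapped lines."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():                 # continuation of previous row
            if last_pid is not None:
                procs[last_pid]["services"] += _services(line)
            continue
        m = _TASKLIST_ROW.match(line)
        if not m:
            continue
        image, pid, field = m.groups()
        last_pid = int(pid)
        procs[last_pid] = {"image": image, "services": _services(field)}
    return procs


def local_port(endpoint):
    """Port number of an 'addr:port' endpoint string."""
    return int(endpoint.rsplit(":", 1)[1])


def attribute(netstat_text, tasklist_text):
    """Join netstat rows to processes and annotate SSDP and svchost rows."""
    procs = parse_tasklist_svc(tasklist_text)
    results = []
    for row in parse_netstat(netstat_text):
        proc = procs.get(row["pid"], {"image": "<not in tasklist>", "services": []})
        notes = []
        if row["proto"] == "UDP" and local_port(row["local"]) == SSDP_PORT:
            hosted = sorted(SSDP_SERVICES & set(proc["services"]))
            notes.append("SSDP/UPnP discovery port; %s uses multicast group %s"
                         % (", ".join(hosted) or "no known SSDP service", SSDP_MULTICAST))
        if proc["image"].lower() == "svchost.exe":
            notes.append("svchost.exe instance hosting: " + ", ".join(proc["services"]))
        results.append({**row, "image": proc["image"],
                        "services": proc["services"], "notes": notes})
    return results


if __name__ == "__main__":
    for r in attribute(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(r["proto"], r["local"], r["remote"], r["state"], r["pid"], r["image"])
        for note in r["notes"]:
            print("    -", note)
```

On a real machine, run `netstat -ano > ns.txt` and `tasklist /svc > tl.txt` at the moment the firewall prompts, then feed the two files in place of the samples; a row whose PID is missing from tasklist, or whose image is not a known system binary, is the one to chase.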
There have been no responses at the techhelp site, so here’s my HijackThis! log:
Logfile of HijackThis v1.98.2
Scan saved at 3:10:52 PM, on 5/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
As far as I can tell, AGRSMMSG.exe is a driver for a dialup softmodem, but so far, we’ve been talking about a computer that is connected to a broadband router. I wonder if the second connection that is opening is either an old dialup connection, or some other dialler attempting to use the dialup modem.
If you’re not using the modem and it can be physically uninstalled (power down and unplug first, obviously), then I’d go for that, alternatively, disable it in Control Panel>System>Hardware>Device Manager. Once it’s disabled or removed, boot up and see if any program or process complains that it can’t do what it wants, and see if the second connection is still trying to open.