Routers, Pings and DoS

OK, here's a strange one for you. In my house, one of the computers hooked up to the network will suck our bandwidth dry as long as it's connected to the router. Unplug it, and within seconds, it springs into life, with the internet speeding up and game pings dropping from 500+ to 20.

Now, I've blocked (i.e. followed the manual) ports that were showing up in the router logs, but I noticed a lot of DoS attacks coming in (and hopefully being stopped by the router!)

Now, could these be generated via the vampiric PC, i.e. a virus?

Any insight is welcome!
 
Could well be something along those lines.

I'd run the usual spyware / malware / virus removal tools and see what comes up.

May even be worth installing a software firewall like ZoneAlarm and seeing what tries to access the net.
 
It's not my PC, it's a friend's, but I shall have a word with him. Does it help/hinder matters that he's using Vista?

I was looking at the router itself, and the corresponding light for his connection was going mental, when the others were just flickering once or twice every minute.
 
Yeah, something's doing something.

And it shouldn't hinder that he's using Vista; if anything it should make it more secure.

Tell him to go to Control Panel >> Windows Firewall >> Change settings.

If he's got UAC on, he will be asked to click Continue at this point. This opens up another box on top. Go to the Exceptions tab and look down the list. Ideally you're looking for something dodgy that he's allowed through the firewall, as Vista has a software outgoing firewall already.

So if there's a trojan or whatever, I would have thought it would be listed as an exception in that list. So look for anything that you don't obviously recognize; if you're stuck, post it on here and I'll compare it with what's in my list.
 
Also go into the Network Connection properties (it takes a bit of digging to find it, but it's the same as you'd get in XP).
You should find things like Client for MS Networks and the like ticked.

De-check IPv6 (leave IPv4 checked). IPv6 near damn killed our network when they decided to connect a 'test' machine... Had a similar effect to me at home too...
 
De-checked IPv6 - no difference.

Checked programs in Exceptions, nothing odd in there. Unless war3.exe is bad? But I think that's Warcraft 3 lol!

Making him download ZoneAlarm now, and have told him to run Ad-Aware and Spybot Search & Destroy.
 
OK, I have a HijackThis log if that's any help to you lot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30:45, on 27/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\MSN Messenger\msnmsgr.exe
C:\Program Files (x86)\DAEMON Tools\daemon.exe
C:\Program Files (x86)\XpertVision\TBPANEL.exe
C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe
C:\Program Files (x86)\Kontiki\KHost.exe
C:\Program Files (x86)\eDimensional\E-D Driver\5.0\EDController.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9d.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.secret7000.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files (x86)\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files (x86)\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [Gainward] "C:\Program Files (x86)\XpertVision\TBPanel.exe" /A
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] "C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files (x86)\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [eDimensional] "C:\PROGRA~2\EDIMEN~1\E-DDRI~1\5.0\EDController.exe" /Autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files (x86)\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files (x86)\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files (x86)\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7925 bytes
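For anyone working through a log like the one above, here is a small first-pass triage script. It is an added example, not part of this thread and not a HijackThis tool: it parses the log format shown above (the "Running processes:" block and the coded `R0`/`O2`/`O4`/`O23` entries), then pulls out the things a reviewer looks at first: add-ons whose DLL is gone (`(no file)`), hosts-file overrides, and autostart entries or running processes belonging to the background bandwidth consumers this thread identifies (Kontiki's KHost and uTorrent). The sample log embedded in it is a constructed subset of the log above, and the list of executable names it matches on is an assumption chosen for this thread.

```python
import re

# Constructed sample: a subset of lines in HijackThis 2.0.2 log format,
# same shape as the log posted above (raw string, so the backslashes stay literal).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30:45, on 27/11/2007
Platform: Windows Vista (WinNT 6.00.1904)

Running processes:
C:\Program Files (x86)\Kontiki\KHost.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [4oD] "C:\Program Files (x86)\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [Steam] C:\Program Files (x86)\Valve\Steam\\Steam.exe -silent
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files (x86)\OpenOffice.org 2.3\program\quickstart.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Coded entries: "O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" args" (quotes optional)
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*\"?(?P<path>.+?\.exe)\"?", re.IGNORECASE)

# Executables this thread identifies as background bandwidth consumers:
# Kontiki's KHost (4oD / BBC on-demand P2P delivery) and uTorrent.
# Assumption: matching on the executable's basename is enough for triage.
P2P_EXES = {"khost.exe", "utorrent.exe"}


def basename(path):
    """Last path component, tolerating doubled separators like Steam\\Steam.exe."""
    return re.split(r"[\\/]+", path.strip())[-1]


def parse_hijackthis(text):
    """Split a HijackThis log into its running-process list and its coded entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # a blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def triage(text):
    """Return the items a first-pass reviewer of this log would want to look at."""
    processes, entries = parse_hijackthis(text)
    findings = {"p2p_running": [], "p2p_autostart": [], "orphans": [], "hosts_overrides": []}
    for proc in processes:
        if basename(proc).lower() in P2P_EXES:
            findings["p2p_running"].append(basename(proc))
    for code, body in entries:
        if code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            # CLSID still registered but the DLL is gone: leftover of a removed add-on
            findings["orphans"].append(body)
        elif code == "O4":
            m = RUN_RE.search(body)
            if m and basename(m.group("path")).lower() in P2P_EXES:
                findings["p2p_autostart"].append(m.group("name"))   # comes back on every logon
        elif code == "O1":
            parts = body.split(None, 2)   # "Hosts:", address, hostname
            if len(parts) == 3 and parts[2].lower() != "localhost":
                findings["hosts_overrides"].append(body)            # hosts-file redirection
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

Run against the full log above, the script would report KHost.exe and uTorrent.exe both running, the `[4oD]` Run key that restarts KHost at every logon (which is why killing it in Task Manager alone does not help), and the nameless BHO with no file behind it; the `::1 localhost` hosts entry is normal on Vista.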
 
Hmm, as an experiment, I blocked all outgoing ports to his LAN IP; made no difference to the bandwidth!

So I'm certain now something on his PC is causing us to get these DoS attacks, or we have spirits that don't like his PC being hooked up to the router =/
 
I see he has the KHost process running. This is used by many free internet on-demand services (e.g. BBC player/4oD) as a client to download content to your PC. However, what is not so clearly publicised is that it also acts as a file sharing server and a seed for anyone else trying to download a program he has got and downloaded previously. So, it may be that he is downloading a TV show or many shows without realising the bandwidth implications, and also that these are then being uploaded back over the internet at various times.

This issue annoyed me so much when I had the BBC player that I ended up uninstalling it.
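The seeding behaviour described above has a recognisable shape in per-host traffic: lots of upload relative to download, spread across many distinct remote peers, whereas ordinary browsing or gaming is download-heavy and talks to a handful of servers. The script below is an added example, not from this thread or from any router vendor; it assumes you can export flow records (source, destination, bytes) from the router or a LAN capture into a simple CSV, and the records it embeds are constructed, with `192.168.1.0/24` assumed as the LAN subnet and TEST-NET addresses standing in for internet peers. It attributes bytes per LAN host by direction and flags hosts whose profile looks like a P2P seed rather than a client.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumption: the home router's LAN subnet

# Constructed flow records (src, dst, bytes). 192.168.1.10 plays the role of the
# "vampiric" PC: it uploads to six peers and downloads from two more; .20 is a
# web-browsing host and .30 a gaming host, each talking to a single server.
SAMPLE_FLOWS = """src,dst,bytes
192.168.1.10,203.0.113.1,1000000
192.168.1.10,203.0.113.2,1000000
192.168.1.10,203.0.113.3,1000000
192.168.1.10,203.0.113.4,1000000
192.168.1.10,203.0.113.5,1000000
192.168.1.10,203.0.113.6,1000000
203.0.113.7,192.168.1.10,2000000
203.0.113.8,192.168.1.10,2000000
198.51.100.10,192.168.1.20,3000000
192.168.1.20,198.51.100.10,100000
198.51.100.20,192.168.1.30,500000
192.168.1.30,198.51.100.20,200000
"""


def summarize(csv_text):
    """Per-LAN-host upload bytes, download bytes and set of distinct remote peers."""
    stats = defaultdict(lambda: {"up": 0, "down": 0, "peers": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, nbytes = ip_address(row["src"]), ip_address(row["dst"]), int(row["bytes"])
        if src in LAN and dst not in LAN:          # LAN -> internet: upload
            stats[str(src)]["up"] += nbytes
            stats[str(src)]["peers"].add(str(dst))
        elif dst in LAN and src not in LAN:        # internet -> LAN: download
            stats[str(dst)]["down"] += nbytes
            stats[str(dst)]["peers"].add(str(src))
        # LAN-to-LAN and internet-to-internet rows do not touch the uplink; ignored
    return stats


def top_talkers(stats):
    """LAN hosts ordered by total uplink bytes, heaviest first."""
    return sorted(stats, key=lambda h: stats[h]["up"] + stats[h]["down"], reverse=True)


def p2p_suspects(stats, min_peers=5, min_up_ratio=0.4):
    """Hosts that look like seeds: many distinct peers and a large upload share.
    Thresholds are assumptions for a small home LAN, not measured values."""
    out = []
    for host, s in stats.items():
        total = s["up"] + s["down"]
        if total and len(s["peers"]) >= min_peers and s["up"] / total >= min_up_ratio:
            out.append(host)
    return out


if __name__ == "__main__":
    stats = summarize(SAMPLE_FLOWS)
    for host in top_talkers(stats):
        s = stats[host]
        print(f"{host}: up={s['up']} down={s['down']} peers={len(s['peers'])}")
    print("P2P-like hosts:", p2p_suspects(stats))
```

On the constructed data this ranks 192.168.1.10 as the top talker and the only P2P-like host; the browsing and gaming hosts have one peer each and are download-dominated. Attributing bytes this way is more reliable than watching which port LED blinks fastest, and it also shows whether blocking a host's outbound ports actually reduced its uplink share.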
 
OK, we stopped KHOST.exe and uninstalled 4oD (couldn't find the Kontiki folder though, unless it was the 4oD thing).

Just refreshing servers on Steam, still not the numbers they should be, hmm.
 
No, I've blocked all his torrent activity; it shows up in the router log as blocked, but along with those horrible DoS attacks.

I googled Kontiki; seems it causes a lot of trouble, and simply closing it in Task Manager may not have stopped it.

EDIT - seems we zapped KHost.exe for good, doesn't show in services. Also, I just unplugged him from the router; less than 5 seconds later, Steam pings are down from 600+ to 20-30. What gives?!
 
I agree, it seems likely to be a hardware problem at this stage. Try disconnecting your mate's PC (I assume he is wired), then get another PC and plug it into this cable wherever your mate's PC is. If the problem lies somewhere between the PC and the router, the problem should arise again.
 