# Fake default gateway



## joe7dust (May 4, 2009)

3 Desktops all running Windows XP SP3
2 of them are HP Pavilions, mine is custom built with ASUS mobo

I've been through 6 different routers of 3 different brands and styles, because it SEEMS like a router issue but it simply cannot be after that many replacements.

Usually we have these 3 IP addy's:
192.168.1.2
192.168.1.3
192.168.1.4

When everything is fine, the default gateway is 192.168.1.1

At random moments ranging from an hour to a week, one of the computers will suddenly have a new default gateway. It is usually something strange and last time it was 15.14.56.1 

NOTE: This can happen on any one of the PCs, seemingly at random. 

When this happens the PC with the bad gateway cannot access the internet, but can ping all other computers on the network at <1ms each. However, if you ping it from another PC on the network it's a bit high, like 10-13ms.

The way I "fix" it is by doing 'ipconfig /release' on each machine, unplugging all cables from the router, power cycling the router and connecting 1 PC at a time in the order of which we need internet access the most. (because sometimes only 2 can connect)

This problem does not occur when only 2 PCs are connected to the router.

I have disabled wireless for the purposes of troubleshooting and it still happens.

I have heard of this problem with Vista specifically, and in that case there is a registry fix related to DHCP / router interactions. I have not heard of it with XP.

Also, please note this can happen at ANY time. Since it doesn't just happen when turning 1 machine on/off or release/new or plug/unplug cables that may rule out some simpler issues.


----------



## johnwill (Sep 26, 2002)

This is like nothing I've ever heard of for Vista, or any other version of Windows.


Please supply the following info, *exact make and models* of the equipment please.

Name of your ISP (Internet Service Provider).
Make *and* exact model of the broadband modem.
Make *and* exact model and hardware version of the router (if a separate unit).
_Model numbers can usually be obtained from the label on the device._
Connection type, wired or wireless.
If wireless, encryption used, (none, WEP, WPA, or WPA2)
Version and patch level of Windows on all affected machines, i.e. XP (Home or Pro), SP1-SP2-SP3, Vista (Home, Business, Ultimate), etc.
The Internet Browser in use, IE, Firefox, Opera, etc.




Please give an exact description of your problem symptoms, *including the exact text of any error messages.*




If you're using a wireless connection, have you tried a direct connection with a cable to see if that changes the symptoms? 
For wireless issues, have you disabled all encryption on the router to see if you can connect that way? 
Have you connected directly to the broadband modem to see if this is a router or modem/ISP issue?
If there are other computers on the same network, are they experiencing the same issue, or do they function normally?




For the computer with the "strange" gateway, then again after restarting and fixing the issue, from the same computer, please post this.



Hold the *Windows* key and press *R*, then type *CMD* (*COMMAND* for W98/WME) to open a command prompt:

Type the following commands on separate lines, following each one with the *Enter* key:

PING 206.190.60.37

PING yahoo.com

NBTSTAT -n

IPCONFIG /ALL

Right click in the command window and choose *Select All*, then hit *Enter*.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.


----------



## joe7dust (May 4, 2009)

ISP: Timewarner
SBV5222 Surfboard Digital Voice Modem by Motorola
Netgear WGR614 v7 router (wireless disabled to troubleshoot, still happens)

You can safely rule out the router & modem imo, I tried 3 modem/router combos from them and then insisted on separate devices so they gave us a standalone modem and I have tried 2 routers with it, this netgear they gave and a Dynex from Best Buy.

I use firefox, but much of my troubleshooting is spent tooling around in the command prompt so I don't think the browser needs to be considered either.

Next time this happens I will get the nbtstat & etc. info you requested. By the way, what is the difference between NETSTAT and NBSTAT? I had never heard of NBSTAT before your post.


----------



## grue155 (May 29, 2008)

Do you have any HP devices on your LAN, like a printer or an all-in-one? 

The IP address 15.14.56.1 is in the hp.com address space. There could be some UPnP setting mixup where an HP device is redirecting the router gateway address.

To confirm the router is getting changed, the quick fix is to turn off UPnP on the router. And probably just for good measure, change the admin password needed to log into the router.

If the change occurs again, then log into the router, and see what the router says it has for a gateway address.

If the change seems to have been fixed, then there are some configuration changes to make in your HP device. Assuming that you have one.


----------



## joe7dust (May 4, 2009)

@grue155 You are the 2nd person to suggest that, but no there are only the 2 HP Pavilions. I have a Canon printer that is offline most of the time and that's it as far as printers in the household. *edit* I take that back, I just noticed that 3 different printers are showing on one of the workgroup computers, and 1 printer on another computer even though there are no physical printers there. This is very strange, worth looking into, and likely the source of our problem.

@johnwill

*edit* Look at the reply above to grue, I just discovered some very useful information I think.

Tonight I had a Pentium II on the network via CAT-5 to demo its amazing web browsing abilities to a buyer *grin*. I tried to get my PC online via a USB wireless card (only 1 ethernet jack in the room) so that I'd have Skype access on my PC while demoing the vintage PC. I was unable to get it to /renew, I had to use the wireless networks GUI and it would take a very long time (like a minute) then it would always get the bad gateway even after like 5 tries so I gave up.

All that was to set up the fact that the logs I am about to show you are atypical. Usually only the gateway is bad but for some reason even after powercycling the router and re-disabling the wireless I also was getting fake IP addresses.

Also, I was following your instructions from memory so you'll see I ran way more nbtstat commands than you requested just to cover all the bases. Sorry for the wall of text.

My PC

```
Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 15.14.56.7
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1

D:\Documents and Settings\Administrator>ipconfig/release

Windows IP Configuration

No operation can be performed on Local Area Connection 5 while it has its media
disconnected.

Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 15.14.56.181
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 15.14.56.181
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1

D:\Documents and Settings\Administrator>ping www.yahoo.com
Ping request could not find host www.yahoo.com. Please check the name and try ag
ain.

D:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : JOE
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI
Gigabit Ethernet Controller
        Physical Address. . . . . . . . . : 00-13-D4-7B-6F-EF
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 15.14.56.181
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1
        DHCP Server . . . . . . . . . . . : 15.14.56.1
        DNS Servers . . . . . . . . . . . : 69.42.88.21
                                            69.42.88.22
        Lease Obtained. . . . . . . . . . : Sunday, May 17, 2009 10:21:53 PM
        Lease Expires . . . . . . . . . . : Sunday, May 17, 2009 11:21:53 PM

D:\Documents and Settings\Administrator>nbstat
'nbstat' is not recognized as an internal or external command,
operable program or batch file.

D:\Documents and Settings\Administrator>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


D:\Documents and Settings\Administrator>nbtstat -a

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []


Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


D:\Documents and Settings\Administrator>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 0
    Resolved By Name Server   = 0

    Registered By Broadcast   = 31
    Registered By Name Server = 0

D:\Documents and Settings\Administrator>nbtstat -c

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

    No names in cache

D:\Documents and Settings\Administrator>nbtstat -n

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    JOE            <00>  UNIQUE      Registered
    JOE            <20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    MSHOME         <1E>  GROUP       Registered
    MSHOME         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

D:\Documents and Settings\Administrator>nbtstat -S

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

    No Connections

D:\Documents and Settings\Administrator>nbtstat -s

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

    No Connections

D:\Documents and Settings\Administrator>nbtstat -R
    Successful purge and preload of the NBT Remote Cache Name Table.

D:\Documents and Settings\Administrator>
```
Roommate #1

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : your-4dacd0ea75
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
        Physical Address. . . . . . . . . : 00-18-F3-E7-8D-25
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1
        DHCP Server . . . . . . . . . . . : 15.14.56.1
        DNS Servers . . . . . . . . . . . : 85.255.112.174
                                            85.255.112.71
        Lease Obtained. . . . . . . . . . : Sunday, May 17, 2009 10:26:29 PM
        Lease Expires . . . . . . . . . . : Sunday, May 17, 2009 11:26:29 PM

Ethernet adapter Bluetooth Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Bluetooth Device (Personal Area Netw
ork)
        Physical Address. . . . . . . . . : 00-0D-3A-A7-E1-F3

C:\Documents and Settings\HP_Administrator>nbtstat -c

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

    No names in cache

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

C:\Documents and Settings\HP_Administrator>nbtstat -n

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    YOUR-4DACD0EA75<00>  UNIQUE      Registered
    YOUR-4DACD0EA75<20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    MSHOME         <1E>  GROUP       Registered
    MSHOME         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

C:\Documents and Settings\HP_Administrator>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 912
    Resolved By Name Server   = 0

    Registered By Broadcast   = 142
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           JMULLINS
           JMULLINS
           JMULLINS
           JMULLINS       <00>
           JOE
           JOE
           JMULLINS
           JOE            <00>

C:\Documents and Settings\HP_Administrator>nbtstat -s

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

    No Connections

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -S

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

    No Connections

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -R
    Successful purge and preload of the NBT Remote Cache Name Table.

C:\Documents and Settings\HP_Administrator>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


C:\Documents and Settings\HP_Administrator>nbtstat -RR
    The NetBIOS names registered by this computer have been refreshed.


C:\Documents and Settings\HP_Administrator>

C:\Documents and Settings\HP_Administrator>
```
Roommate #2

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : jmullins
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
        Physical Address. . . . . . . . . : 00-18-F3-37-76-F5
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1
        DHCP Server . . . . . . . . . . . : 15.14.56.1
        DNS Servers . . . . . . . . . . . : 69.42.88.21
                                            69.42.88.22
        Lease Obtained. . . . . . . . . . : Sunday, May 17, 2009 10:26:29 PM
        Lease Expires . . . . . . . . . . : Sunday, May 17, 2009 11:26:29 PM

C:\Documents and Settings\HP_Administrator>nbtstat -c

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    YOUR-4DACD0EA75<20>  UNIQUE          192.168.1.5         602

C:\Documents and Settings\HP_Administrator>nbtstat -n

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    JMULLINS       <00>  UNIQUE      Registered
    JMULLINS       <20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    MSHOME         <1E>  GROUP       Registered

C:\Documents and Settings\HP_Administrator>nbtstat -s

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -S

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 39
    Resolved By Name Server   = 0

    Registered By Broadcast   = 38
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           YOUR-4DACD0EA75<00>
           JOE
           JOE            <00>
           JOE
           JOE
           JOE
           JOE            <00>
           JOE

C:\Documents and Settings\HP_Administrator>nbtstat -R
    Successful purge and preload of the NBT Remote Cache Name Table.

C:\Documents and Settings\HP_Administrator>nbtstat -RR
    Failed Release and Refresh of Registered names
    Please retry after 2 minutes

C:\Documents and Settings\HP_Administrator>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


C:\Documents and Settings\HP_Administrator>time
The current time is: 22:38:58.14
Enter the new time:

C:\Documents and Settings\HP_Administrator>date
The current date is: Sun 05/17/2009
Enter the new date: (mm-dd-yy)

C:\Documents and Settings\HP_Administrator>
```


----------



## grue155 (May 29, 2008)

A question then, what does the router think is the default gateway? That may be on its status screen, or you may have to log into the router to find out.

Edit: Another question. The next time this happens, run this from a command prompt on the PC with the bad gateway:

```
netstat -ano
```
and post the output from netstat here.


----------



## joe7dust (May 4, 2009)

I've deleted a total of 6 devices listed in printers & faxes that didn't physically exist. I fully expect the problem to be fixed now, but only time will tell. Thanks to everyone that contributed.

I don't see "default gateway" on the router page but here's what I got:


```
Internet Port
MAC Address 	00:18:4D:7D:45:B9
IP Address 	76.187.124.70
DHCP 	DHCPClient
IP Subnet Mask 	255.255.240.0
Domain Name Server
	24.93.41.127
24.93.41.128
 
LAN Port
MAC Address 	00:18:4D:7D:45:B8
IP Address 	192.168.1.1
DHCP 	ON
IP Subnet Mask 	255.255.255.0
```


----------



## grue155 (May 29, 2008)

Looks like we may have cross posted. See my edited post above for a netstat query.

I've done a quick eyeball on the Netgear router. It looks like the gateway detail is on the Connection Status page in the Maintenance category.


----------



## joe7dust (May 4, 2009)

It looks like the issue is still here, I enabled the wireless again and my roommate's iPhone got this crap:

IP Address 15.14.56.99
Subnet Mask 255.255.248.0
Router 15.14.56.1

****!

Anyways, here is the info from my router:

IP Address 76.187.124.70
Subnet Mask 255.255.240.0
Default Gateway 76.187.112.1
DHCP Server 10.7.192.1
DNS Server 24.93.41.127
24.93.41.128
Lease Obtained 0 days,17 hrs,52 minutes
Lease Expires 0 days,17 hrs,43 minutes

I will do netstat -ano when it happens on a PC


----------



## joe7dust (May 4, 2009)

I decided to break it on purpose; what I did was just release my IP and renew it. In order to fix it so I could post this I had to release it again, unplug a roommate's PC, power cycle the router, and renew on mine.


```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

D:\Documents and Settings\Administrator>ipconfig/release

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig/renew

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.4
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1

D:\Documents and Settings\Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1128
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1128
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21692          0.0.0.0:0              LISTENING       1128
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1316
  TCP    127.0.0.1:1099         127.0.0.1:1100         ESTABLISHED     3180
  TCP    127.0.0.1:1100         127.0.0.1:1099         ESTABLISHED     3180
  TCP    127.0.0.1:1101         127.0.0.1:1102         ESTABLISHED     3180
  TCP    127.0.0.1:1102         127.0.0.1:1101         ESTABLISHED     3180
  TCP    192.168.1.4:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:443            *:*                                    1128
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    820
  UDP    0.0.0.0:4500           *:*                                    820
  UDP    0.0.0.0:21692          *:*                                    1128
  UDP    127.0.0.1:123          *:*                                    1068
  UDP    127.0.0.1:1026         *:*                                    1128
  UDP    127.0.0.1:1900         *:*                                    1344
  UDP    127.0.0.1:2019         *:*                                    1068
  UDP    127.0.0.1:2021         *:*                                    1068
  UDP    192.168.1.4:123        *:*                                    1068
  UDP    192.168.1.4:137        *:*                                    4
  UDP    192.168.1.4:138        *:*                                    4
  UDP    192.168.1.4:1900       *:*                                    1344
  UDP    192.168.1.4:2018       *:*                                    1068

D:\Documents and Settings\Administrator>
```


----------



## grue155 (May 29, 2008)

Definitely not a problem with your router. It looks more like a second DHCP server on your LAN that is giving out bad addresses.

To find out, it's going to be necessary to look at the packets on your LAN. But to do that, we first need to stabilize one of your PCs so it can reliably get stuff from the Internet. That means giving that PC a static IP address.

Click Start -> Control Panel, and then open Network Connections. On your wired LAN connection, right click to get to properties. Then highlight Internet Protocol, and click Properties. Choose "Use the following address", and fill in the usual LAN address of that PC (like 192.168.1.2, for example). The subnet mask is 255.255.255.0, and the gateway is 192.168.1.1, which is your router. It'd be a good idea to also set the DNS server addresses to match what the router is using: 24.93.41.127 and 24.93.41.128.

That PC should now be able to get to the Internet with no problem. 

Now to get some tools: download the network monitor Wireshark, from www.wireshark.org.

When you have installed Wireshark, it's time to do a packet capture. To do that, on the toolbar at the top, select Capture -> Interfaces, choose your wired LAN connection, and click start. Wireshark will now show you what is going on with your LAN traffic.

DHCP traffic is made up of UDP packets using ports 67 and 68. I'm expecting that you will see a bunch of these. Even if you don't, the traffic that Wireshark is recording may be useful.

Collect a few thousand packets (which may be a few seconds to a few minutes, depending). Then stop the capture, on the toolbar Capture -> Stop.

Save the capture data, File -> SaveAs, some filename with the default pcap file format. Since the forum won't allow pcap files to be posted, you'll have to zip the file, then post the zip. I'll look at the capture file, and see what sense I can make of it.

I'm well past the end of my day here, so I'll have to do any followup tomorrow.


----------



## joe7dust (May 4, 2009)

First off let me commend you on your efforts. This is quite possibly the best service I've ever received in any support forum, anywhere, ever. I have also learned a lot, and want to learn more. I sat staring at the packets coming in trying to decipher it all, and some of it made sense; a lot of it did not. Like conspiracy? Googling conspiracy + wireshark didn't even show an answer in the first few hits.

If you have the time to explain what you were looking for in NBTSTAT and how you use the pcap file as well I would appreciate it. I just started a pc repair business on craigslist and it's networking issues I have problems with the most. Especially Vista as I think it is a hunk of crap and don't use it personally. This really is my personal network though, I wouldn't feel comfortable having you work on something I was getting paid for by a customer. (well I guess not uncomfortable if you were fine with it, but I'd imagine at some point you would feel used and lose interest in helping me) 

At any rate, this is an excellent opportunity for me to expand my techguy knowledge.

Back to the topic at hand though, something strange just happened. I went to release/renew on another PC that was not running wireshark to ensure that the problem happened during packet capture but it did not. This could be because 1 of the 3 PCs was set to static ip and that alone is enough to fix my problem. (I've never had my issue when only 2 PCs were connected to the router)

Another strange bit, I went to set it back to dynamic ip but it acts as if it were never changed. What I mean is it was already set to dynamic and I'm sure it was the same exact place where I had set it to static. I tried to release and it said "not allowable in this state" as you would expect from a static setup.

So... to sum up what I'm getting at here. The pcap file may not even have what you need within it. I was unable to force the problem to occur as I intended to help you help me. And... now I have this other strange problem with having a static ip that I can't change. (unless it fixes itself after a reboot)

The good news is though you may be right about setting up a static network as the easiest solution. One of my roommates does have quite a lot of wireless stuff and friends that bring over their devices though, I'm sure he'd be very annoyed if we went that route. Not to mention I have no clue how to set an iPhone or similar to have a static IP and yet still be able to pick up some quick wi-fi at Starbuck's or wherever.


----------



## joe7dust (May 4, 2009)

whoops here's the file, was too big for the forums

http://uploading.com/files/162DP27N/joe7dust.zip.html


----------



## grue155 (May 29, 2008)

I got the capture file. Thank you. You have a busy LAN there :smile:. It's going to take me a little while to go thru the detail. Just to confirm, you made the capture on the PC at 192.168.1.3. I'm presuming the iPhone was at 1.5, and another PC is active at 1.4. Those are the assumptions I made when I was doing the quick eyeball check on the capture.

Re your LAN, an alternative to setting up a static network is to set up a double-router configuration. You may have enough hardware on hand to do that. You keep your present Internet router. But each PC gets its own private router, and that private router is what connects to your existing Internet router. As a diagram, it looks like this:

```
Internet
|
Netgear router
|
+----- router ----- PC1
|
+----- router ----- PC2
|
+----- router ----- PC3
```

What this does, is isolate the PCs from each other, and each gets to keep dynamic addressing as provided by their own private router. That may isolate the immediate problem also. If it does, then there is a good chance that at least one of the PCs has a malware infection that is hosting a rogue DHCP server. A simpler check is to have one PC turned off, and see if the problem disappears, which you've already kind of mentioned, just not in those terms.

Netstat is a TCP/IP tool that reports which ports are open, and the connection status. NBTstat is the Netbios version of Netstat, and reports information about what Windows networking is doing. The information in those reports puts some meaning behind the connections (what process, app is running, etc etc) to say "does this make sense?" The pcap capture file gives the same network information, in down to the bit detail, but no application process details. The tools combined give mutual context, like a really big cross reference.

If you want some conspiracy reading, I'll point you to two fairly recent SANS postings about rogue DHCP servers. One here, and one here. Both of these describe DNS server changes, but other variants play games with gateway addresses. Based on things so far, I can't tell if there is simply a misconfiguration, or a more serious problem. Digging into the capture file may tell more. :grin:


----------



## joe7dust (May 4, 2009)

The two articles you linked are interesting and informative, but I think you misunderstood what I meant by conspiracy. That was listed in the description of some of the packets: "conspiracy". Just an example of one of the things I didn't get. I was able to find out what ACK is, but didn't see anything about this.

I don't have the extra hardware to easily setup the configuration you suggested, so I think static IPs will be my choice if you can't solve the DHCP problem.


----------



## grue155 (May 29, 2008)

Yup, my misunderstanding. Nature of the day job, keeping all the boxes reasonably secure. Well, kind of. So far. :grin:

Static addressing will work, but it isn't really a solution, as whatever the cause of the problem is still there, and may come back to bite in other ways. But, as a step to getting the problem fixed, then static is a way to go.

I've looked thru the capture file, and have a few items for you.

First, machine 1.3 seems to have some problem computing TCP packet checksums. Wireshark displays these packets in a black line, and the capture file has a lot of black, as you probably noticed. The thing to check is the Ethernet port configuration options. It's back to the Network Connections page, and the LAN connection properties. Next to the hardware description there is a Configure button. Click the button, and you'll get to driver properties. On the Advanced tab, usually, there is a list of driver specific properties. One of these will say something like "Checksum Offload". Whatever value it has now needs to be the opposite of what it is. Probably marked as enabled, and needs to be disabled. Then Wireshark will show green lines in place of black lines, and be a whole lot easier to read.

Second. I don't know if this is relevant or not, but machine 1.3 has an Internet accessible server at TCP port 21692. Not very much traffic either, and the packets are small, in the 40 to 50 byte range. Wireshark doesn't recognize the packet type, and that is unusual. If you know what this is, fine and it's not something to dig into. If you don't know what this is, then it's going to be pick-and-shovel time.

Third. To me, this is unusual, but I don't deal that much with Windows networking, so this could be in the realm of normal, as Microsoft considers normal. Machines 1.2 and 1.3 are logging into each other at about 12 minute intervals, and installing printers (I think) or otherwise checking print queues and checking domain definitions. Example in the capture is frames 123 thru 142 (machine 1.3 talking to 1.2), and frames 102 to 120 (machine 1.3 talking to machine 1.4).

To see the Windows networking traffic a bit more clearly, I used this filter in Wireshark:

```
ip.addr == 192.168.1.2/24 and tcp and not ( tcp.port == 80 or tcp.port == 443 )
```
I'm hoping that this is simply some printer driver configuration thing. It also probably has nothing to do with changing gateway addresses. It just strikes me as being very atypical.

A way perhaps to force that DHCP, or whatever it is, is to have Wireshark running when the iPhone comes on the LAN. Wireshark won't see the full packet exchange, but it will see the DHCP broadcast traffic and ARP exchange. That might tell some more details. Another idea is simply to reboot one of the other PCs with a capture running to get the same kind of information.


----------



## joe7dust (May 4, 2009)

1.3 is mine, and no I am not running a server as far as I know. The thing about the printers may just be normal activity when Windows "file & printer" sharing is enabled. I removed all items in "printers & faxes" from all machines except the one that actually exists which is my Canon printer.

When my roommate stumbles in from the bar here in a second, I will nab his iPhone and run Wireshark before trying to connect it. Also will make sure to change that setting so there are fewer black lines.

*edit* is it possible the server thing you mentioned is Skype? I know it does periodic internet activity to keep my VoIP service running and address book up to date.

*edit2* I found "TCP/UDP Checksum Offload (IPv4)" and changed it from ON to OFF. What have I done? lol


----------



## joe7dust (May 4, 2009)

OK, here's a good bit of info. I had the iPhone grab the fake info and "forget this network" twice just for good measure. You'll see it keeps asking for the bad info over and over.

You can probably ignore packets 1000-5000 as much of this was me searching the net for how to set an iPhone to static ip, then for some reason setting the static ip didn't stick the first THREE TIMES. But now it seems to be finally working and will hopefully stick with that IP.

Do you know how I can make it so that it still joins other networks out of the house?

http://uploading.com/files/NZBFZF7C/joe7dust-2.pcap.html


----------



## grue155 (May 29, 2008)

Got the new capture file. And a first eyeball check is showing a DHCP server running on machine 1.2 (frames 53, 169, and 228 among others). And the DNS addresses in part of the DHCP setup belong to an ISP in New York state. In an earlier post, you said your ISP is TimeWarner. Just based on this, I'd say that machine 1.2 has a problem.

On your machine 1.3, I'd like to get a handle on what that server process is, to have some idea of what that first capture file is trying to tell me. Running "netstat -ano" from a command prompt would be the place to start.

On machine 1.2, running "netstat -ano" would be a first check to see what is running on that box.

I may have some more questions for you after I get a chance to sit back and go thru the new capture file in more detail.

And thank you for the checksum change, the screen is showing a lot more green.


----------



## grue155 (May 29, 2008)

I've looked thru the new capture file in a little more depth. Not really anything that much different from the earlier capture. Machine 1.3 is still showing traffic on port 21692. Use this as a filter in Wireshark to see the traffic:

```
tcp.port == 21692 or udp.port == 21692
```
The IP addresses are kind of all over the place, and are to individual users. A couple of the addresses that I checked showed them to be DSL and cable modem users. And some on the other side of the planet. I'm not familiar with the details of how Skype works, but this doesn't sound like a protocol that makes sense for that service. 

And to home in on the DHCP traffic, use this filter:

```
udp.port == 67 or udp.port == 68
```
and you'll see the traffic in sequence. Looking at the timestamps, machine 1.2 is coming in about 1 millisecond ahead of the router. All it takes...

Depending on what firewalls are installed on the machines, you may be able to use firewall rules to recognize only your router as a DHCP server. If your firewall allows custom rules, and can sequence those rules in a particular order, then this will work. Windows Firewall can't do this, but Comodo and some others can.

The firewall rules are:

```
allow UDP in from 192.168.1.1 src-port 67 to ip-any dst-port 68
block UDP in from ip-any src-port 67 to ip-any dst-port 68
```
You can put these rules on machines 1.3 and 1.4 so they will listen only to the router for DHCP address assignments. That doesn't help the iPhone any, however. The alternative is static addressing. Until such time as that DHCP server in machine 1.2 gets removed.

Nope, sorry, I'm not up on iPhone configuration details. I'm still hoping to upgrade to a quill pen.
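The check described in the reply above, as an added example that is not part of the thread: a small Python script that parses DHCP server messages the way the `udp.port == 67 or udp.port == 68` filter surfaces them, flags any OFFER/ACK whose server identifier is not the router (the same "listen only to 192.168.1.1" idea as the firewall rules), and shows why the earliest OFFER wins. The two packets and their timestamps are constructed inline; the 203.0.113.53 DNS address is a made-up TEST-NET value standing in for the foreign DNS servers mentioned in the thread.

```python
"""Flag DHCP server messages that did not come from the trusted router.

Added example, not from the thread. The payloads are constructed inline to
stand in for what the udp.port == 67 or udp.port == 68 filter shows: one
OFFER from the router (192.168.1.1) and one from a second server on the LAN.
"""
import ipaddress
import struct

TRUSTED_DHCP_SERVER = "192.168.1.1"            # the router from the thread
LAN = ipaddress.ip_network("192.168.1.0/24")
MAGIC_COOKIE = b"\x63\x82\x53\x63"             # marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_reply(msg_type, yiaddr, server_id, router, dns):
    """Build a minimal BOOTP reply carrying options 53, 54, 3 and 6 (test data)."""
    def pack(ip):
        return ipaddress.ip_address(ip).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)   # op=2 (BOOTREPLY)
    hdr += b"\x00" * 4 + pack(yiaddr) + pack(server_id) + b"\x00" * 4  # ciaddr..giaddr
    hdr += b"\x00" * (16 + 64 + 128)                          # chaddr, sname, file
    dns_bytes = b"".join(pack(d) for d in dns)
    opts = (bytes([53, 1, msg_type]) + bytes([54, 4]) + pack(server_id)
            + bytes([3, 4]) + pack(router) + bytes([6, len(dns_bytes)]) + dns_bytes
            + b"\xff")
    return hdr + MAGIC_COOKIE + opts


def parse_dhcp_options(payload):
    """Return {option_code: raw_value} from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        if payload[i] == 0:                                # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ip_list(raw):
    """Decode a run of 4-byte IPv4 addresses (options 3 and 6 may carry several)."""
    return [str(ipaddress.ip_address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def inspect_dhcp(payload):
    """Summarise a server message and list why it should not be trusted, if so."""
    opts = parse_dhcp_options(payload)
    msg_type = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    server_id = ip_list(opts[54])[0] if 54 in opts else None
    router = ip_list(opts[3]) if 3 in opts else []
    reasons = []
    if msg_type in ("OFFER", "ACK"):
        if server_id != TRUSTED_DHCP_SERVER:
            reasons.append(f"server identifier {server_id} is not the router")
        for gw in router:
            if ipaddress.ip_address(gw) not in LAN:
                reasons.append(f"gateway {gw} is outside {LAN}")
    return {"type": msg_type, "server": server_id,
            "yiaddr": str(ipaddress.ip_address(payload[16:20])),
            "router": router, "dns": ip_list(opts.get(6, b"")),
            "rogue": bool(reasons), "reasons": reasons}


def winning_offer(timed_payloads):
    """A client normally takes the first OFFER it sees, so the fastest server wins."""
    offers = [(t, inspect_dhcp(p)) for t, p in timed_payloads]
    offers = [(t, o) for t, o in offers if o["type"] == "OFFER"]
    return min(offers, key=lambda x: x[0])[1] if offers else None


# Constructed samples. The router's offer uses the DNS servers named earlier in
# the thread; the second offer hands out the odd gateway from the first post.
ROUTER_OFFER = build_dhcp_reply(2, "192.168.1.4", "192.168.1.1", "192.168.1.1",
                                ["24.93.41.127", "24.93.41.128"])
OTHER_OFFER = build_dhcp_reply(2, "192.168.1.4", "192.168.1.2", "15.14.56.1",
                               ["203.0.113.53"])           # TEST-NET DNS, made up

if __name__ == "__main__":
    # Timestamps are made up to mirror the 1 ms lead seen in the capture.
    capture = [(0.0010, OTHER_OFFER), (0.0021, ROUTER_OFFER)]
    for t, p in capture:
        print(f"{t:.4f}s", inspect_dhcp(p))
    print("client will most likely take:", winning_offer(capture)["server"])
```

To run it against a real capture, feed `inspect_dhcp` the UDP payload of each frame matched by the filter instead of the constructed bytes.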


----------



## joe7dust (May 4, 2009)

I went ahead and did it on all 3 machines in case that helps. You said earlier that DHCP traffic is UDP on ports 67 / 68; that would mean .2 is the culprit then because of this? " UDP 0.0.0.0:67 *:* 4"

One more comment that may save you some time, .3 was hosting an online video game and about 9 IP addresses should be players, maybe 8. These *should* be on ports 6112-6114 but I've never checked I just know what I have to have open to play the game. Any connections on .2 that aren't backdoors have a good chance of being P2P connections.

.2

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1092
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       2084
  TCP    0.0.0.0:3689           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:9485           0.0.0.0:0              LISTENING       1352
  TCP    0.0.0.0:10001          0.0.0.0:0              LISTENING       1340
  TCP    0.0.0.0:64847          0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:64872          0.0.0.0:0              LISTENING       660
  TCP    127.0.0.1:1032         127.0.0.1:27015        ESTABLISHED     512
  TCP    127.0.0.1:1037         0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1069         127.0.0.1:5354         ESTABLISHED     1360
  TCP    127.0.0.1:1206         127.0.0.1:5354         ESTABLISHED     660
  TCP    127.0.0.1:1217         127.0.0.1:5354         ESTABLISHED     660
  TCP    127.0.0.1:3838         127.0.0.1:3839         ESTABLISHED     488
  TCP    127.0.0.1:3839         127.0.0.1:3838         ESTABLISHED     488
  TCP    127.0.0.1:3846         127.0.0.1:3847         ESTABLISHED     488
  TCP    127.0.0.1:3847         127.0.0.1:3846         ESTABLISHED     488
  TCP    127.0.0.1:4928         127.0.0.1:27015        ESTABLISHED     1120
  TCP    127.0.0.1:4929         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4930         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4931         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4932         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4933         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4934         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4935         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4936         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       436
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1928
  TCP    127.0.0.1:5354         127.0.0.1:1069         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1206         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1217         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4929         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4930         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4931         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4932         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4933         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4934         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4935         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4936         ESTABLISHED     1928
  TCP    127.0.0.1:5842         0.0.0.0:0              LISTENING       2908
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       1540
  TCP    127.0.0.1:27015        127.0.0.1:1032         ESTABLISHED     1540
  TCP    127.0.0.1:27015        127.0.0.1:4928         ESTABLISHED     1540
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:1841       74.86.61.161:443       ESTABLISHED     660
  TCP    192.168.1.2:2038       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:2040       69.63.176.195:80       LAST_ACK        488
  TCP    192.168.1.2:2041       208.43.208.113:443     TIME_WAIT       0
  TCP    192.168.1.2:2045       208.43.208.113:443     TIME_WAIT       0
  TCP    192.168.1.2:2047       69.63.176.195:80       ESTABLISHED     488
  TCP    192.168.1.2:2048       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:3170       75.126.232.97:443      CLOSE_WAIT      660
  TCP    192.168.1.2:3226       72.247.238.194:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3227       17.251.200.74:80       CLOSE_WAIT      1120
  TCP    192.168.1.2:3228       72.247.238.192:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3229       17.250.237.16:80       CLOSE_WAIT      1120
  TCP    192.168.1.2:4021       75.126.232.97:443      CLOSE_WAIT      660
  UDP    0.0.0.0:67             *:*                                    4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    864
  UDP    0.0.0.0:1028           *:*                                    1928
  UDP    0.0.0.0:3776           *:*                                    2244
  UDP    0.0.0.0:4500           *:*                                    864
  UDP    0.0.0.0:51010          *:*                                    1360
  UDP    0.0.0.0:62798          *:*                                    1928
  UDP    127.0.0.1:123          *:*                                    1236
  UDP    127.0.0.1:1900         *:*                                    2084
  UDP    127.0.0.1:3027         *:*                                    1236
  UDP    127.0.0.1:4908         *:*                                    2880
  UDP    192.168.1.2:123        *:*                                    1236
  UDP    192.168.1.2:137        *:*                                    4
  UDP    192.168.1.2:138        *:*                                    4
  UDP    192.168.1.2:1900       *:*                                    2084
  UDP    192.168.1.2:2049       *:*                                    660
  UDP    192.168.1.2:5353       *:*                                    1928

C:\Documents and Settings\HP_Administrator>
```
.3

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

D:\Documents and Settings\Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       1348
  TCP    0.0.0.0:6113           0.0.0.0:0              LISTENING       1700
  TCP    0.0.0.0:21692          0.0.0.0:0              LISTENING       244
  TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING       2072
  TCP    127.0.0.1:3004         127.0.0.1:3005         ESTABLISHED     3668
  TCP    127.0.0.1:3005         127.0.0.1:3004         ESTABLISHED     3668
  TCP    127.0.0.1:3006         127.0.0.1:3007         ESTABLISHED     3668
  TCP    127.0.0.1:3007         127.0.0.1:3006         ESTABLISHED     3668
  TCP    192.168.1.3:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.3:1483       76.177.87.56:25532     ESTABLISHED     244
  TCP    192.168.1.3:2869       192.168.1.1:1078       TIME_WAIT       0
  TCP    192.168.1.3:2869       192.168.1.1:1079       TIME_WAIT       0
  TCP    192.168.1.3:3707       63.240.202.131:6112    ESTABLISHED     1700
  TCP    192.168.1.3:3708       63.241.83.11:6112      ESTABLISHED     1700
  TCP    192.168.1.3:3709       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:3710       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:6113       63.196.199.50:2155     TIME_WAIT       0
  TCP    192.168.1.3:6113       66.75.25.53:4465       TIME_WAIT       0
  TCP    192.168.1.3:6113       66.223.213.28:52105    ESTABLISHED     1700
  TCP    192.168.1.3:6113       67.58.196.210:1037     TIME_WAIT       0
  TCP    192.168.1.3:6113       67.180.99.135:46211    ESTABLISHED     1700
  TCP    192.168.1.3:6113       67.232.156.20:49325    TIME_WAIT       0
  TCP    192.168.1.3:6113       70.73.157.227:63619    TIME_WAIT       0
  TCP    192.168.1.3:6113       70.74.210.254:62253    TIME_WAIT       0
  TCP    192.168.1.3:6113       70.81.8.194:60484      TIME_WAIT       0
  TCP    192.168.1.3:6113       98.234.203.63:1385     ESTABLISHED     1700
  TCP    192.168.1.3:6113       98.246.124.163:54385   TIME_WAIT       0
  TCP    192.168.1.3:6113       99.155.181.50:49656    ESTABLISHED     1700
  TCP    192.168.1.3:6113       99.155.181.50:51115    ESTABLISHED     1700
  UDP    0.0.0.0:443            *:*                                    244
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    748
  UDP    0.0.0.0:3705           *:*                                    1700
  UDP    0.0.0.0:3711           *:*                                    3148
  UDP    0.0.0.0:4500           *:*                                    748
  UDP    0.0.0.0:5868           *:*                                    3148
  UDP    0.0.0.0:6969           *:*                                    1700
  UDP    0.0.0.0:21692          *:*                                    244
  UDP    127.0.0.1:123          *:*                                    1076
  UDP    127.0.0.1:1025         *:*                                    244
  UDP    127.0.0.1:1900         *:*                                    1348
  UDP    127.0.0.1:4577         *:*                                    1076
  UDP    192.168.1.3:123        *:*                                    1076
  UDP    192.168.1.3:137        *:*                                    4
  UDP    192.168.1.3:138        *:*                                    4
  UDP    192.168.1.3:1900       *:*                                    1348

D:\Documents and Settings\Administrator>
```
.4

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\HP_Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       2616
  TCP    127.0.0.1:1034         0.0.0.0:0              LISTENING       3204
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1804
  TCP    127.0.0.1:5152         127.0.0.1:2728         CLOSE_WAIT      1804
  TCP    192.168.1.4:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    792
  UDP    0.0.0.0:3776           *:*                                    1052
  UDP    0.0.0.0:4500           *:*                                    792
  UDP    127.0.0.1:123          *:*                                    1112
  UDP    127.0.0.1:1900         *:*                                    420
  UDP    192.168.1.4:123        *:*                                    1112
  UDP    192.168.1.4:137        *:*                                    4
  UDP    192.168.1.4:138        *:*                                    4
  UDP    192.168.1.4:1900       *:*                                    420

C:\Documents and Settings\HP_Administrator>
```


----------



## grue155 (May 29, 2008)

> You said earlier that DHCP traffic is UDP on ports 67 / 68; that would mean .2 is the culprit then because of this? " UDP 0.0.0.0:67 *:* 4"


Yup, that's it. Which in this case is running as pid 4. On an XP box, that is "System", which I don't think is what it is supposed to be. XP can be a DHCP server if the XP box is set up as an "Internet Connection Host". I don't think machine 1.2 is running as an ICS host, as it's just another PC on your LAN.

Looking at the netstat for machine 1.2 shows some interesting things:

```
  TCP    0.0.0.0:9485           0.0.0.0:0              LISTENING       1352

  TCP    127.0.0.1:1069         127.0.0.1:5354         ESTABLISHED     1360
  UDP    0.0.0.0:51010          *:*                                    1360

  UDP    0.0.0.0:3776           *:*                                    2244

  TCP    0.0.0.0:64847          0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:64872          0.0.0.0:0              LISTENING       660
  TCP    127.0.0.1:1206         127.0.0.1:5354         ESTABLISHED     660
  TCP    127.0.0.1:1217         127.0.0.1:5354         ESTABLISHED     660
  TCP    192.168.1.2:1841       74.86.61.161:443       ESTABLISHED     660
  TCP    192.168.1.2:2038       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:2048       208.43.208.113:443     ESTABLISHED     660
  TCP    192.168.1.2:3170       75.126.232.97:443      CLOSE_WAIT      660
  TCP    192.168.1.2:4021       75.126.232.97:443      CLOSE_WAIT      660
  UDP    192.168.1.2:2049       *:*                                    660

  TCP    0.0.0.0:3689           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:4928         127.0.0.1:27015        ESTABLISHED     1120
  TCP    127.0.0.1:4929         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4930         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4931         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4932         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4933         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4934         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4935         127.0.0.1:5354         ESTABLISHED     1120
  TCP    127.0.0.1:4936         127.0.0.1:5354         ESTABLISHED     1120
  TCP    192.168.1.2:3226       72.247.238.194:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3227       17.251.200.74:80       CLOSE_WAIT      1120
  TCP    192.168.1.2:3228       72.247.238.192:80      CLOSE_WAIT      1120
  TCP    192.168.1.2:3229       17.250.237.16:80       CLOSE_WAIT      1120
```
This is showing some amount of traffic, thru several Internet accessible ports. More specifically, TCP ports 9485, 64847, 64872, and 3689. UDP ports 51010, 3776, and 2049. One thing that becomes interesting is that 127.0.0.1:5354 is a common connection.

Looking at those:


```
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1928
  TCP    127.0.0.1:5354         127.0.0.1:1069         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1206         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:1217         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4929         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4930         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4931         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4932         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4933         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4934         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4935         ESTABLISHED     1928
  TCP    127.0.0.1:5354         127.0.0.1:4936         ESTABLISHED     1928
```
This looks like it might be some kind of control process. The next question is what that process is. The WinXP tool for that query is a command line tool called "tasklist". Use "tasklist /?" to see the options and syntax, but in this instance, the command to run is:

```
tasklist /FI "PID eq 1928"
```
and see if it is anything recognizable. The same question can be asked of all those processes.

This does not look good for machine 1.2.

On to machine 1.3. Here's your game:

```
  TCP    0.0.0.0:6113           0.0.0.0:0              LISTENING       1700
  TCP    192.168.1.3:3707       63.240.202.131:6112    ESTABLISHED     1700
  TCP    192.168.1.3:3708       63.241.83.11:6112      ESTABLISHED     1700
  TCP    192.168.1.3:3709       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:3710       174.139.22.67:9367     ESTABLISHED     1700
  TCP    192.168.1.3:6113       66.223.213.28:52105    ESTABLISHED     1700
  TCP    192.168.1.3:6113       67.180.99.135:46211    ESTABLISHED     1700
  TCP    192.168.1.3:6113       98.234.203.63:1385     ESTABLISHED     1700
  TCP    192.168.1.3:6113       99.155.181.50:49656    ESTABLISHED     1700
  TCP    192.168.1.3:6113       99.155.181.50:51115    ESTABLISHED     1700
  UDP    0.0.0.0:3705           *:*                                    1700
  UDP    0.0.0.0:6969           *:*                                    1700
```
Ports as expected, with players. There are also two open UDP ports: 3705 and 6969. I presume the game is as expected.


```
  TCP    0.0.0.0:21692          0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       244
  TCP    192.168.1.3:1483       76.177.87.56:25532     ESTABLISHED     244
  UDP    0.0.0.0:21692          *:*                                    244
  UDP    0.0.0.0:443            *:*                                    244
  UDP    127.0.0.1:1025         *:*                                    244
```
There's the mystery port 21692. And a web server, TCP ports 80 and 443. And an unexpected UDP port 443. So what is process 244, as this doesn't seem right.


```
UDP    0.0.0.0:3711           *:*                                    3148
  UDP    0.0.0.0:5868           *:*                                    3148
```
And two more Internet accessible ports. Same question about pid 3148.

That's it for machine 1.3. 

By comparison, machine 1.4 looks like an almost fresh out-of-the-box install. The only thing that looks like it might be out of place, is this:

```
UDP    0.0.0.0:3776           *:*                                    1052
```
Based on what I'm seeing in the netstat reports, I'm going to go back over the packet captures. I had filtered out all web traffic while trying to locate the DHCP thing. If machine 1.3 is running a web server, then I want to check that inbound traffic, if any, to see what might be going on.
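The by-PID rearrangement of `netstat -ano` output used in the analysis above is easy to automate. The following Python script is an added example, not code from this thread or from any tool mentioned in it; its sample input is constructed from the machine 1.3 lines quoted above, and the "exposed" rule (any listening socket not bound to loopback) is the reviewer's own definition, not something netstat reports.

```python
from collections import defaultdict

# Constructed sample: the netstat -ano lines quoted earlier in the thread for machine 1.3.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:6113           0.0.0.0:0              LISTENING       1700
  TCP    192.168.1.3:3707       63.240.202.131:6112    ESTABLISHED     1700
  TCP    192.168.1.3:6113       66.223.213.28:52105    ESTABLISHED     1700
  TCP    0.0.0.0:21692          0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       244
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       244
  TCP    192.168.1.3:1483       76.177.87.56:25532     ESTABLISHED     244
  UDP    0.0.0.0:21692          *:*                                    244
  UDP    0.0.0.0:443            *:*                                    244
  UDP    127.0.0.1:1025         *:*                                    244
  UDP    0.0.0.0:3711           *:*                                    3148
  UDP    0.0.0.0:5868           *:*                                    3148
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_netstat(text):
    """Turn the text of 'netstat -ano' into one dict per socket line.
    TCP lines carry a State column; UDP lines do not, so the PID shifts left."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local, remote = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        local_ip, local_port = local.rsplit(":", 1)
        rows.append({"proto": proto, "local_ip": local_ip, "local_port": int(local_port),
                     "remote": remote, "state": state, "pid": int(pid)})
    return rows


def group_by_pid(rows):
    """For each PID: the sockets it is waiting on, and the remote peers it talks to."""
    by_pid = defaultdict(lambda: {"listening": set(), "peers": set()})
    for r in rows:
        entry = by_pid[r["pid"]]
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            entry["listening"].add((r["proto"], r["local_ip"], r["local_port"]))
        elif r["state"] == "ESTABLISHED":
            entry["peers"].add(r["remote"])
    return dict(by_pid)


def exposed_ports(rows):
    """{pid: sorted [(proto, port)]} for listening sockets bound to a non-loopback
    address (0.0.0.0 or the LAN address): reachable from the LAN and, without a
    firewall, from the Internet. Loopback-bound sockets are left out."""
    exposed = defaultdict(set)
    for pid, entry in group_by_pid(rows).items():
        for proto, ip, port in entry["listening"]:
            if ip not in LOOPBACK:
                exposed[pid].add((proto, port))
    return {pid: sorted(ports) for pid, ports in exposed.items()}


def tasklist_query(pid):
    """The XP command suggested above for turning a PID into an image name."""
    return f'tasklist /FI "PID eq {pid}"'


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, ports in sorted(exposed_ports(rows).items()):
        print(f"PID {pid}: exposed {ports}")
        print("   next step: " + tasklist_query(pid))
    for pid, entry in sorted(group_by_pid(rows).items()):
        if entry["peers"]:
            print(f"PID {pid} talking to {sorted(entry['peers'])}")
```

Run against a saved `netstat -ano` report, the script lists, per PID, the ports anything on the LAN could connect to and the remote peers already connected, which is exactly the pairing needed before asking tasklist or Process Explorer what each PID is.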


----------



## grue155 (May 29, 2008)

I did a check on the capture files, and didn't see any web traffic, or inbound UDP traffic for any port except that 21692. I'll take that much as a good sign, so far.


----------



## grue155 (May 29, 2008)

Too late to edit my last post, so I'll add this:

The tasklist output will give an "image name", but I can't find a way for tasklist to give a full pathname.

So, a two step process: run tasklist to get the image name, and then an old fashioned dir command to get the pathname. Here is an example:

```
C:\WINDOWS\system32>tasklist /FI "PID eq 3040"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
firefox.exe                 3040 Console                 0     49,016 K

C:\WINDOWS\system32>dir c:\firefox.exe /s /b

c:\Program Files\Mozilla Firefox\firefox.exe
```
For those PIDs in question, the full pathname is going to be needed to have any real chance of saying if the application is good, or not.

The alternative is to download Process Explorer from Microsoft Sysinternals. Then you would right-click on the process with the pid number, select Properties, and you'll know more about that process than you probably want to know.

If you do try Process Explorer, and find you can't download it, or it won't run, then that's an indication of a problem.

If you don't recognize the pathname or the application, then post that pathname here, and I can do some digging to find out what it is, or isn't.


----------



## joe7dust (May 4, 2009)

Thanks again for the mounds of effort you've put into this. You were definitely right about process explorer showing me more than I ever wanted to know. There is so much that it shows, I'm not sure what I'm looking for exactly. But for now I'll look at the path since you mentioned that.

1.2

PID 4: you were right it is system. It says path not available so I'm not sure if I can do anything about it. You mentioned XP can be set up as an Internet Connection Host, how would I double check if it is? I know when you run the Internet Connection Wizard it asks you whether or not the computers on your network connect to the internet via a residential gateway or THIS computer provides internet to the rest. I am pretty sure I ran the wizard on all 3 computers and selected the option to get internet access from a residential gateway. I guess it is always possible that malware is controlling that system process.

PID 1928: C:\Program Files\Bonjour\mDNSResponder.exe This is the service that iTunes uses for the network sharing of music files. I can probably just disable this now that I have copied all of his music directly. (streaming over the network was adversely affecting performance in my online gaming) Actually I take back what I said about disabling it, because I think he streams music from his iPhone to his computer sometimes. Do you think it's causing a problem? One thing that does seem odd, is "current directory" is set to system32.

PID 1352: C:\Program Files\DISC\DiscStreamHub.exe Comes with HP Media PCs, it's for downloading/trying games. I'll recommend he remove this if he doesn't intend to use it.

PID 660: C:\Program Files\Simplify Media\SimplifyMedia.exe Not sure, but he says he uses it regularly and it presents itself on the system tray which makes me feel better than if it was trying to hide.

PID 1120: C:\Program Files\iTunes\iTunes.exe I think we all know what this is. What I didn't know is that it should have nearly a dozen established connections on various ports.

That's all the TCP ones you mentioned, now I have to ask did you separate TCP from UDP for a practical reason or just to be neat and tidy? From what I see, UDP is more difficult to analyze because there is this *.* instead of information.

PID 1360: C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe He uses this to control his PC with his iPhone; I'll assume it's fine.

*PID 2244: C:\WINDOWS\ehome\mcrdsvc.exe Something related to Media Center PCs, I'll recommend he disable it since he no longer uses his PC to stream to the TV. On a side note, why the heck would a MC-related process need to listen on an internet port?

*: On machine 1.4 PID 1052 is listening on the same UDP port as the above process (3776). Could be a coincidence but caught my eye... I do not have access to 1.4 right now, but I will check tomorrow.

So in conclusion for 1.2 I don't see any malicious malware based on the path of the files (although the one set to current directory: system32 did seem odd). This machine does seem to have some malware on it though. I noticed some of my clicks were being redirected while searching for process information, but not all of them. Probably just a benign malware that is trying to generate advertising clicks, it all went to what seemed like search engine sites. Here are the URLs below: *note most of these were redirects, all of these resulted from a total of about 6 or 7 actual clicks. The only time I've ever seen his computer do this is via the context menu in Process Explorer "Search Online" but all it seemed to do was a google search in firefox for the process name. The bottom left that shows where it will take you did not show any of these sites, it looked like it would go to the page with more information on the process.

```
http://75.102.7.224/click.php?c=f05036f7022f3329abb6f3bfea00
http://64.111.208.122/click.php?c=46ccdadcde6007de74cbe4a42400&d=
http://64.111.208.122/click.php?c=f05440200070f5de74cbe4a4f100&d=
http://www.missngpage.com/search1.php?qq=publishers
http://bridge2.admarketplace.net/xtrk.php?version=1.0.0&enURL=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&queryid=19254365350&adid=19254365991&fs=w-app-01&pb=510.0&advn=www.virtuaseeker.com&cp=0.015,1204886867,1919852023,0,pub_crssvalue-2648,publishers,backfill_conducive/l=COND
http://waysteps.com/?2b642b676d7b76726f757b6d53
http://67.210.12.190/in.php?q=publishers
http://main.exoclick.com/click.php?data=Y25ldHN8OHwxLjh8aHR0cDovL3d3dy5hYmNqbXAuY29tL2p1bXAxLz9hZmZpbGlhdGU9ZXhvY2xpY2smc3ViaWQ9Mjc5NDMmdGVybXM9c2ltcGxpZnltZWRpYS5leGUmc2lkPVo2ODEwNDQzMTclNDAlNDBRTWZkak54VXpOM0V6WDNRVE16ODFOaDlGT3o4Rk55SWpONGdqTTBJVE0mYT1ya2JweXZweCZtcj0xJnJjPTB8MTV8c2ltcGxpZnltZWRpYS5leGV8MjYzNnw2MHwxMjQyODg2MjI0fGluZm8tZmVlZC5jb218NzYuMTg3LjEyNC43MHwjRUNQTSN8MHxlZWFjYjM3NTAwMTUyODMxNGMzMzg1NTlmODI3OWE0NQ%3D%3D
http://www.google.com/url?sa=t&source=web&ct=res&cd=3&url=http%3A%2F%2Fforum.wegotserved.com%2Findex.php%3Fshowtopic%3D558&ei=TPAUSqeJJ8aMtgfalOD6DA&usg=AFQjCNHbkOkuE1QfJX5n2P0-LbTtRwOAqw&sig2=uGS-s6NJ8DNc5aAMUpgmVw
http://forum.wegotserved.com/index.php?showtopic=558
http://75.102.7.224/click.php?c=f042973a05584e36b4a9eca0f500
http://216.133.243.28/3.php
http://www.searchgypsy.com/index.php?pub=&q=simplifymedia.exe
http://216.133.243.28/bidclick.php?bid_id=11264488&bid=0.012&site_id=1566&adv_sid=19078&adv_id=7398&said=1936_2636&ron_unique=0&redirect_url=&type=ron&kw=simplifymedia.exe&url=http%3A%2F%2Fwww.searchgypsy.com%2Findex.php%3Fpub%3D%26q%3Dsimplifymedia.exe&timestamp=1242886214&sig=acc75e6420a1879b863893734f498c53&a=1&pid=p_rs01&ip=76.187.124.70
http://216.133.243.28/2.php?sid=1566&keyword=SimplifyMedia.exe&goto=32c3f873779c2027354526bcf3615dbf-wsksuuUswf%094U.wu4.wsk.4f%09%09R_aNfw%09wSUU%09NqQRiqO0QIoqj.IbI%09OqLotitz0atNI%092vvR%3A%2F%2Fnnn.OqLotitz0.EtQ%2FAqoEiqEH.R2R%3FAqo_qo%3DwwsUkkuu%26Wai%3D2vvR%25Fj%25sO%25sOnnn%25sINIjaE2z0RN0%25sIEtQ%25sOqLoIb%25sIR2R%25FORWA%25Fo%25sUM%25FoNqQRiqO0QIoqj%25sIIbI%26joY_Nqo%3Dw3f4u%26joY_qo%3D4F3u%26v0RI%3DatL%26ovN%3Dsff3_fS_sf_sF_wf_wf%26i2L%3DQIvjsU-If%26atL_WLqMWI%3Df%26aIoqaIEv_Wai%3D%26AitEH_joWiv%3Dw%09f.fws%09w3f4u%09w%09w3FU_sUFU%09%09s%09GLqvIo+rvjvIN%09Gr%09nnn.NIjaE2z0RN0.EtQ&objTimStr=0.56168500+1242886210
http://66.250.74.152/click_second_new3.php?go=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&b=MC4wMDc=&aff=1936&subaff=2636&time=1242886210&searcher_ip=76.187.124.70&cnt=21843&qq=SimplifyMedia.exe&mode=&seid=eDsYicU70Hs5RZjo8ne7yLK61EYH+B3Rl+8wRgG0&se=ZmluZG9sb2d5&sid=33&pos=3&country=US
http://66.250.74.152/click.php?go=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&b=MC4wMDc=&aff=1936&subaff=2636&time=1242886210&searcher_ip=76.187.124.70&cnt=21843&qq=SimplifyMedia.exe&mode=&seid=eDsYicU70Hs5RZjo8ne7yLK61EYH+B3Rl+8wRgG0&se=ZmluZG9sb2d5&sid=33&pos=3
http://www.google.com/url?sa=t&source=web&ct=res&cd=2&url=http%3A%2F%2Fwww.prevx.com%2Ffilenames%2F1142514204590858508-X1%2FSIMPLIFYMEDIA.EXE.html&ei=P_AUSsrvA5_ItgfVnLz9DA&usg=AFQjCNEa2xA5Vgwr7_eCBv6YBgpxuEWMmQ&sig2=frcwISMLJ3XcJSjhXjeb8A
http://www.prevx.com/filenames/1142514204590858508-X1/SIMPLIFYMEDIA.EXE.html
http://75.102.7.224/click.php?c=f030eb4a0d53d28c0e13561a4f00
http://search.look.com/?tpid=10209&ttid=100&st=simplifymedia.exe&6771-2636
http://216.133.243.28/bidclick.php?bid_id=11401352&bid=0.013&site_id=6771&adv_sid=21162&adv_id=7183&said=2636&ron_unique=0&redirect_url=&type=ron&kw=simplifymedia.exe&url=http%3A%2F%2Fsearch.look.com%2F%3Ftpid%3D10209%26ttid%3D100%26st%3Dsimplifymedia.exe%266771-2636&timestamp=1242886197&sig=5e98d8072a3cafaa08657684232c8e59&a=1&pid=p_rs01&ip=76.187.124.70
http://216.133.243.28/2.php?sid=6771&keyword=SimplifyMedia.exe&goto=2affb8b27b39ddc5d35c9f7f852a2c48-wsksuuUw3s%094U.wu4.wsk.4f%09%09R_aNfw%09U44w%09NqQRiqO0QIoqj.IbI%09OqLotitz0atNI%092vvR%3A%2F%2Fnnn.OqLotitz0.EtQ%2FAqoEiqEH.R2R%3FAqo_qo%3DwwkfwFSs%26Wai%3D2vvR%25Fj%25sO%25sONIjaE2%25sIittH%25sIEtQ%25sO%25FOvRqo%25Fowfsf3%25sUvvqo%25Fowff%25sUNv%25FoNqQRiqO0QIoqj%25sIIbI%25sUU44w%25sosUFU%26joY_Nqo%3DswwUs%26joY_qo%3D4wuF%26v0RI%3DatL%26ovN%3Dsff3_fS_sf_sF_f3_SF%26i2L%3DQIvjkU%26atL_WLqMWI%3Df%26aIoqaIEv_Wai%3D%26AitEH_joWiv%3Df%09f.fwF%09swwUs%09w%09sUFU%09%09w%09GLqvIo+rvjvIN%09Gr%09nnn.VttH.EtQ&objTimStr=0.09410200+1242886193
http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fwakoopa.com%2Fexecutables%2Fsimplifymedia-exe&ei=lO8USpePCIOGtgf4ydTbDA&usg=AFQjCNFlr4GeKwjBoEFi8X9cuwl645YMgg&sig2=bUcovuw5O8bwCcNa2NS3oA
http://wakoopa.com/executables/simplifymedia-exe
http://www.google.com/url?sa=t&source=web&ct=res&cd=4&url=http%3A%2F%2Fwww.processlibrary.com%2Fdirectory%2Ffiles%2Fdiscstreamhub%2F&ei=wOwUSuHxCsOltgel1dz-DA&usg=AFQjCNGy4f3QDIE52cMcuUNhcY1-UMy9cA&sig2=2WQV-mhHI4RAZCmGlqI1HQ
http://www.processlibrary.com/directory/files/discstreamhub/
http://75.102.7.224/click.php?c=ecad147c0853cdf5776a2f633600
http://r.looksmart.com/og/pr=Psr;ro=1;rc=2;digest=4a6d7b8c8d91677918fb6944a0883920;kid=4d46befb82a012b6eedfacc6ad910089;t=1242885293;v=6;data=74d2c39d8d2d0ed644e765538db0cf831d9dde1743abc33d7f5b78e0a03088fa83d7c392e8268f89c9f6d25307d56fbac7e9f393668c654122e6182f1662ee6085e22fc29e90467a8192298038f2deaf34e55dd1e5918474a8b662ef0f63daf567d95120279c6874819c5afa25b22c1cbd52fec9ab292f144a16f6f933221a64;la=888241;lm=1175182;ad=695103030;ag=695103030;kw=728617316;qt=discstreamhub%20exe;vr=17;lt=BM;ip=76.187.124.70;pt=;st=184.14.167.0.0.0.0;os=2.0.1.0.70.67.2.5;sy=keyword;my=ROC;geo=894417;vid=0;subid=;ii=8c0.2462.4a14ecad.229f;pn=;to=;tc=2;po=1;pc=2;pi=adks1;ts=;rm=|http://roia.biz/im/n/gb5lvq1BAAGLzEMAAAY1QgAATBJmMQA-A/
http://www.realtor.com/?source=a22149
http://roia.biz/im/n/gb5lvq1BAAGLzEMAAAY1QgAATBJmMQA-A/
http://oneclickresolution.com/c/MOx7R84hyE0sK5Tf8OfGjfS0-90RwxwKOLs-bjPJJCyaEACnasxdotC0onqxvYZN8Sm5JWHYdhVwL29iM3MC9YlyQg2GkCm7tXRqghUNt4ufrE2mPQo-NdEtILvKe_wuYwal7oVlMNCqgNa5AG2Jlk3LiWFNRmw7bajquMBgrrDc44SbBsQjinZwEQmoKNl0xQri_6DRefb_bMg-WV63fUMEd4w2Cm4GE1hF_Dx4iYfeTVMpxMIOzDoSSXJzF5udRvWZSfgyAx4VmHQ7Sg1A5vfvlylNxiEkbjjczD9iGEWiE0r4t8xdrfQPWcC41P_o-JPBfYAjLKHil6_Zs43NTjg6qzzn38Q7Cz2lx4RVRayytdDsvhZK-6M5punPRqp1N116wxYz4ITntMCnuKI2lHkAyXjSDitafH0Y3FQGXd-ADT91FnTHNj4mmXg0wzyubL8Z_Efa45dvdKVmDcLRCG8twgxRJ6P3Qw7yG_KiJTKN07eY1xOxTeuBqznbM4s-jFVJjO4vMYVMaz0r1gU7y69ODhudM4qT3X5bah9lyqz_9LdMmvMUc5xd2qPc76V90GPYDguUta19kxrBe52sG_fSTpB7JOt_aOsk_Xcrs7As3m4cyGTKECFbiOBq3wNpgUA8kbOTfhCZMOgpVHQr_Q7p8tsjCl7tDL4TQ7xi2STVjlJ5IW3g0nfgeV-pLMbExuXV_Vda97joVptEa5QL_FS0Bx5TYQmyu9gISc0YYAPSEHCzAvrc8oqs8YXW3OSJg0Ufsh4e50Tr2xz7DRYvKpfPIdYvoTY3XbrIdF7wBbAwjJk3uDK5Bu0U_nBlzxS5t84vKhMTrBbJIDSNl5b4kaaOjVRpkQE0GpCFnwIBkgWtqAoxiYKi9bzOdMRNiXkDvyy8IEQ90KDu5D-qQBAGeWfWLfAx6en8zfMDhOlS5UlcCA
http://www.google.com/url?sa=t&source=web&ct=res&cd=2&url=http%3A%2F%2Fwww.file.net%2Fprocess%2Fdiscstreamhub.exe.html&ei=quwUSvuAPZultgeQ_OH1DA&usg=AFQjCNE5syXhncyaCOZNLNDBegf0Czk-Ow&sig2=h59LgEiNnlaWrtkI7JjNbQ
http://bridge1.admarketplace.net/bounce?click_id=414595001&m_width=1024&m_height=768&b_width=1002&b_height=617&b_top=0&b_left=14
http://159_48629.mydealhero.com/search.php?keyword=discstreamhub%20exe
http://clicks.smartbizsearch.com/xtr3_new?sid=2331450568&sa=7&p=1&q=DiscStreamHub+exe&rf=http%3A%2F%2Fwww.missngpage.com%2Fsearch1.php%3Fqq%3DDiscStreamHub.exe&enc=WwKy7i4uirj14VgvmO2kXlgl6JRPPrITgRgfdrd84Q%3D%3D&enk=
http://75.102.7.224/click.php?c=3202348fda0a3f6fedf0b5f9e100
http://www.missngpage.com/search1.php?qq=DiscStreamHub.exe
http://www.gottchaonline.com/search.php?keyword=discstreamhub%20exe&source=AMPron%PUB%_%SUB%
http://bridge1.admarketplace.net/xtrk.php?ctcookie_value=1242885279619.04E70263D646EF21F4C626B82939B68C&version=1.0.0&enURL=HNHu+81MXlHRGdGKHIlXsRP7/MVTChClurNeW/1kNlhwRVnC9onhJyGPQsf/IXdK4q9HmXJIZBbMpPUMQ7AcPekQBjweedaGbyZFtL8bze/FJLZSTLaERe/rs7XCpi9h6HkecIGMaAfTDyWdAyFcfVPRs3Nb5Fnq4DLPstne6+Q=&queryid=5538324144&adid=5538324151&fs=e-xml-14&pb=420.0&cp=0.040,2412,955388,0,pub_hostwaypremium-104,discstreamhub%20exe,backfill_conducive/l=COND
http://bridge1.admarketplace.net/xtrk.php?version=1.0.0&enURL=HNHu+81MXlHRGdGKHIlXsRP7/MVTChClurNeW/1kNlhwRVnC9onhJyGPQsf/IXdK4q9HmXJIZBbMpPUMQ7AcPekQBjweedaGbyZFtL8bze/FJLZSTLaERe/rs7XCpi9h6HkecIGMaAfTDyWdAyFcfVPRs3Nb5Fnq4DLPstne6+Q=&queryid=5538324144&adid=5538324151&fs=e-xml-14&pb=420.0&cp=0.040,2412,955388,0,pub_hostwaypremium-104,discstreamhub%20exe,backfill_conducive/l=COND
http://clicks.smartbizsearch.com/xtr_new?q=DiscStreamHub+exe&enc=WwKy7i4uirj14VgvmO2kXlgl6JRPPrITgRgfdrd84Q==
http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fanswers.yahoo.com%2Fquestion%2Findex%3Fqid%3D20060625201703AAodd5Y&ei=k-wUStedN9TJtgfp8b3fDA&usg=AFQjCNENHntsaJRVWtCa9ahJotblsR9-Qw&sig2=YZzM_r_FQ34AErnptGfG_A
```
I will continue replying from my PC in another post. (1.3)


----------



## joe7dust (May 4, 2009)

Hmm, PID 244 and 3148 are no longer running on my system... not sure what to make of this. Perhaps there is a way via PE or something similar to have a visual or audio alarm go off next time this process activates? Or perhaps there is info in the registry on what the process is? I say this because all the PIDs seem to be the same each time so that info should be on my hard drive somewhere, otherwise PIDs would be getting mixed around between reboots wouldn't they? If not, I'll just keep checking for them periodically.

Back to the 2nd pcap file... shouldn't I have captured something that points to exactly what gave out the bogus DHCP info to the iPhone?

Oh and about the * in the above post, I bet that is the same process because they are both HP Pavilions (although I hadn't realized 1.4 is also a Media Center PC.. and it may or may not be I can't check right now)

And let's not lose sight of the fact that the bogus gateway is in the HP address space... that has to be significant since some of these are HP processes.


----------



## grue155 (May 29, 2008)

Thank you! That answers a whole bunch of questions about what all that stuff is, and is it real.

C:\WINDOWS\ehome\mcrdsvc.exe: seems to be associated with something called a media extender, which seems to be some other LAN device (like a TV or player of some kind). That would explain why the port is open. It's not intended to be Internet accessible, but LAN accessible. So it depends on the firewalls to keep it safe.

mDNSResponder.exe: running from system32. It's running from the directory where it is installed: c:\windows\system32. That's quite common for things that run as machine services.



> now I have to ask did you separate TCP from UDP for a practical reason or just to be neat and tidy?


Not intentional on my part, but a side effect of the sort tools I used to rearrange the netstat report to show what goes with whom. Doing that kind of sort by hand gets tedious quickly. Better to let a program do the work.

The URLs that you listed have a couple of known hostile sites, and having a DHCP redirector is typical of the malware, as described in those SANS articles I mentioned a few postings back.



> Back to the 2nd pcap file... shouldn't I have captured something that points to exactly what gave out the bogus DHCP info to the iPhone?


Yes, and no. Wireshark running on machine 1.3 can't tell what process on machine 1.2 is sending stuff. But it did capture all the details that got sent. In the second capture file, in frame 53, is all that detail. And Wireshark is nice enough to reformat it into something readable.

To see that detail in Wireshark, on the toolbar click View, and then select Packet Details. It'll have a checkmark by it, and a window will open on the bottom half of the Wireshark screen. 

Click on frame 53 to highlight it, and the details will show up in that Detail window. In the Detail window, you can expand different parts (the plus sign in the box). Expand the line at the very bottom, Bootstrap Protocol. Here you'll see the options that are being set when the iPhone was trying to get an IP address.

The iPhone was being given the IP address 15.14.56.119, and being told to use the router gateway 15.14.56.1. The DNS servers that were intended to be used are the 69.42.88.x entries.

In the rest of the capture file, you'll see the iPhone dutifully trying to do stuff, using the 15.14.56.119 address.

The thing is, the 15.x.x.x is the hp.com corporate IP address space. It isn't routable by anybody outside that company. And I really doubt their firewalls will allow any packets in that claim to be from the interior address space. That's a standard security practice to avoid spoofing.

I've been reminded also, that XP Internet Connection Host settings are pretty well hardcoded, to use only the 192.168.0.x address space. The ICH host is always 192.168.0.1, and that is also the gateway address given to LAN machines so they can get to the Internet thru the ICH host.

So this DHCP server that is running on machine 1.2 is definitely not a normal XP ICH setup.

So machine 1.2 definitely has some kind of malware: rogue DHCP server, and search redirection.

On machine 1.3:

Does netstat still show the PID numbers? From machine 1.2, can you connect to the web server running on 1.3? (hxxp://192.168.1.3/ - make the obvious substitution, so the forum won't have a live link here). If Process Explorer doesn't show the PID, and tasklist won't give results either, then machine 1.3 has a problem with a process masking itself.

If you can get the PID to get a pathname, then post it back here. If not, then I'm going to point you to a probable malware cleanup.


----------



## joe7dust (May 4, 2009)

PID 244 & 3148 aren't showing in netstat on 1.3 either. Can you confirm that the PID will always remain the same for the same process between reboots?

Also you said 1.3 has a problem with the process masking itself, but it was showing up before so I'd be more inclined to say it's not running anymore. The only change that I am aware of is I downgraded my Skype from 4.0 to 3.8 due to performance issues.

I typed 192.168.1.3 into firefox from machine 1.2 and it seemed to load a blank web page and just sit there. I tested the same putting in 1.5 and it said "connecting to...." so yea it looks like the answer to your question is yes. I have no idea what this means though.

You said that you think 1.2 is giving out the bogus DHCP info, why then would 1.2 also have had problems before? It seems odd that it could give a DHCP address to itself. Should I run Wireshark from 1.2 and force the error again? Maybe that will show more.


----------



## bilbus (Aug 29, 2006)

Can you ping the default gateway (15.xxx.1)? Can you ping it offline and online? How fast does it reply? If it's under 5-10ms it's on your LAN.

Most likely it's some device on the network handing out DHCP IPs.

When that happens again I would download dhcpfind.

Run that on your LAN; you should get packets from 15.xxxx

Unplug your WAN; if you keep getting DHCP packets, unplug another device ... and continue until everything is unplugged.

When you no longer get those DHCP packets you will know what device it is.


----------



## joe7dust (May 4, 2009)

PID 244 & 3148 still aren't showing up but I just ran netstat -ano and there is a process listening on TCP port 21692 again, this time it's PID 5260 which is Skype. The PID likely changed because I downgraded Skype versions. Makes me feel good I was right about Skype possibly looking like a server/backdoor to you. I am not completely clueless it seems haha.

@bilbus There are no devices, only the 3 computers. It seems that some malware on one of the computers is giving out the DHCP info. There is a link in this thread to a documented malware that does this; we just haven't found it yet on my network.


----------



## grue155 (May 29, 2008)

> PID 244 & 3148 aren't showing in netstat on 1.3 either. Can you confirm that the PID will always remain the same for the same process between reboots?


Nope. The PID numbers will change after a reboot. A new netstat will give the current PID numbers. If Process Explorer can see the current PID, and you recognize it as Skype, then all is good. :grin: Now as to why there would be a live web server, I have no clue. It could be there is, or was at some time, a configuration interface, and the server port just got left over.



> You said that you think 1.2 is giving out the bogus DHCP info, why then would 1.2 also have had problems before? It seems odd that it could give a DHCP address to itself. Should I run wireshack from 1.2 and force the error again? Maybe that will show more.


If the DHCP server was a proper server, it wouldn't do that to itself. In this case, the DHCP server is answering anything that shows up. Running Wireshark on machine 1.2 will likely show a near zero time difference from DHCP request until answer. But the DHCP protocols have some safeguards built in to avoid loop conditions, and that is likely allowing machine 1.2 to get the 1.2 address, and not get a 15.x.x.x address. Otherwise machine 1.2 would have gone offline when the DHCP server went active.

@bilbus. Wireshark capture confirms that machine 1.2 is the source of the DHCP traffic. If it hadn't been coded with a bad gateway address, there would have been a very invisible DNS redirection, putting the entire LAN at risk. Classic man-in-the-middle malware tactics.


----------



## bilbus (Aug 29, 2006)

Alright, so if it's that PC, turn it off to confirm.

If it's that computer you have an app running or some malware ... but I don't see what a malware program could get from the user that would make giving out fake IPs worthwhile.


----------



## joe7dust (May 4, 2009)

Sorry for the delay, have been busy. I just did a capture from 1.2 you can probably ignore all before packet 1075 because that was me release/renewing on 1.2 to try and get the bad gateway unsuccessfully. I had to bring in the iPhone again to finally get it.

http://uploading.com/files/8ZD0F07I/pcap1-2.pcap.html


----------



## grue155 (May 29, 2008)

Got it. Thank you. It's late in my day here, so I'll pick this up tomorrow if I have the chance.


----------



## grue155 (May 29, 2008)

I got some time to go thru the new capture file. First thing I checked was the DHCP traffic. 

There's a normal DHCP exchange between the router 1.1 and machine 1.2 at frames 6-11, again at frames 503-510, and again at 1612-1624. These are much easier to see with a Wireshark filter in place:

```
eth.addr == 00:18:f3:e7:8d:25
```
which is the MAC address of machine 1.2. 

Compare that normal DHCP exchange with the DHCP traffic at frames 1460-1476, where machine 1.2 is acting as a DHCP server and giving out a bad address. At frame 1477, you'll see the router saying "No, don't use that address", but the timestamp is showing that to be about 4.5 milliseconds late. So the iPhone got the bad address.

Now for the bad news.

With the Wireshark filter in place, at the very end of the displayed capture, at frame 1802, is a TCP SYN packet outbound to 94.247.2.107. 

I've seen that address before, and not in a good way. A google search refreshed my memory, and turned up this ThreatExpert report. At the very bottom of that report is that IP address.

Doing another Wireshark filter:

```
ip.addr == 94.247.2.107
```
shows a bunch of outbound TCP SYN packets, with no replies. This is, in effect, a TCP ping. Something's calling home, and saying "I'm here". I'm taking this as confirmation that machine 1.2 has active malware.

I don't know that this is what the malware is, but Trojan.TDSServ is a known dangerous rootkit. I'll strongly recommend taking machine 1.2 offline, and getting it cleaned up.

All of the malware cleanup forums have heavy traffic. And each have their own "supplicant ritual" as to how to make a posting, and what reports to provide. It works best to follow things exactly, as even report failures tell the helpers something about what they're up against.

These are the forums where I occasionally watch things from the gallery.

The TSF cleanup forum is good, and presently seems to have a response time of 3 days to a week. Spywarehammer are the folks from castlecops.com. They're not so heavily loaded right now, so turnaround is a couple of days. Bleeping Computer is heavily loaded right now, and looks to have a response time of about a week.

At this point, I've taken things as far as I can regarding the mysterious gateway address. It looks like active malware on machine 1.2.
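The DHCP details walked through in the posts above (the Bootstrap Protocol fields Wireshark shows: offered address, router option, DNS option, server identifier, and the timing race between the rogue server and the real router) can be checked programmatically rather than by eye. The Python below is an added example, not code from this thread or from Wireshark; the LAN range 192.168.1.0/24 and the trusted DHCP server 192.168.1.1 are taken from the thread as assumptions, the client MAC and transaction id are constructed test values, and the message bytes are built by the script itself instead of being read from the capture file.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that separates the BOOTP header from the options
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 6, 53, 54
OPT_PAD, OPT_END = 0, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_offer(xid, client_mac, yiaddr, server_id, subnet_mask, router, dns_servers):
    """Assemble the UDP payload of a DHCP OFFER so the parser can be exercised offline.
    Constructed test data, not a captured packet."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr += bytes(4)                                          # ciaddr (client has no address yet)
    hdr += IPv4Address(yiaddr).packed                        # yiaddr: the address being handed out
    hdr += bytes(8)                                          # siaddr, giaddr
    hdr += client_mac + bytes(16 - len(client_mac))          # chaddr, padded to 16 bytes
    hdr += bytes(64) + bytes(128)                            # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 2])                       # message type: OFFER
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_SUBNET, 4]) + IPv4Address(subnet_mask).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


def parse_dhcp(payload):
    """Decode the BOOTP header and the DHCP options of one message, which is what
    Wireshark shows under 'Bootstrap Protocol' in the packet details pane."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    options, i = {}, 240
    while i < len(payload):                                  # walk the type-length-value list
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    addrs = lambda raw: [IPv4Address(raw[j:j + 4]) for j in range(0, len(raw), 4)]
    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": xid,
        "client_mac": payload[28:28 + hlen].hex(":"),
        "yiaddr": IPv4Address(payload[16:20]),
        "type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
        "server_id": addrs(options[OPT_SERVER_ID])[0] if OPT_SERVER_ID in options else None,
        "router": addrs(options.get(OPT_ROUTER, b"")),
        "dns": addrs(options.get(OPT_DNS, b"")),
    }


def assess_offer(msg, lan=IPv4Network("192.168.1.0/24"),
                 trusted_servers=(IPv4Address("192.168.1.1"),)):
    """Reasons an OFFER/ACK looks rogue; an empty list means it matches the expected LAN.
    The LAN range and trusted server are assumptions drawn from this thread."""
    findings = []
    if msg["type"] not in ("OFFER", "ACK"):
        return findings
    if msg["server_id"] not in trusted_servers:
        findings.append(f"server identifier {msg['server_id']} is not a trusted DHCP server")
    if msg["yiaddr"] not in lan:
        findings.append(f"offered address {msg['yiaddr']} is outside {lan}")
    for gw in msg["router"]:
        if gw not in lan:
            findings.append(f"gateway {gw} is outside {lan}")
    for dns in msg["dns"]:
        if dns not in lan:
            findings.append(f"DNS server {dns} is outside the LAN; confirm it is your ISP's resolver")
    return findings


# Constructed samples. The rogue one mirrors the values reported in the thread
# (15.14.56.119 / 15.14.56.1 / 85.255.112.174); MAC and xid are made up.
CLIENT_MAC = bytes.fromhex("001122334455")
ROGUE_OFFER = build_offer(0x3903F326, CLIENT_MAC, "15.14.56.119", "192.168.1.2",
                          "255.255.255.0", "15.14.56.1", ["85.255.112.174"])
GOOD_OFFER = build_offer(0x3903F326, CLIENT_MAC, "192.168.1.5", "192.168.1.1",
                         "255.255.255.0", "192.168.1.1", ["192.168.1.1"])

if __name__ == "__main__":
    for label, raw in (("rogue", ROGUE_OFFER), ("good", GOOD_OFFER)):
        msg = parse_dhcp(raw)
        print(label, msg["type"], "from", msg["server_id"], "offers", msg["yiaddr"],
              "gw", msg["router"], "dns", msg["dns"])
        for f in assess_offer(msg):
            print("   !", f)
```

To use it on a real capture, feed `parse_dhcp` the UDP payload of each frame to port 68 (for instance via a pcap reader) and run `assess_offer` on every OFFER and ACK; an offer whose server identifier is not the router, or whose router or client address lies outside the LAN, is the rogue server, and its MAC address in the Ethernet header identifies the host.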


----------



## joe7dust (May 4, 2009)

Thanks for all the help!

*edit* That is an understatement by the way. You did a remarkable job and taught me a lot of things. No one has ever helped me so thoroughly on a forum before.


----------



## grue155 (May 29, 2008)

Glad to have been of help :smile:


----------



## johnwill (Sep 26, 2002)

BTW, I was reviewing this thread and noticed that the DNS server address you were getting, 85.255.112.174, is a known malware exploit, so among other things, that machine has malware. :smile:


----------



## grue155 (May 29, 2008)

Good catch, I missed that earlier from focusing on the gateway problem. The 85.255.x.x DNS has been on my radar for a couple of years now. With the focus on the bad gateway, I just didn't see it. Fortunately (maybe), the bad gateway address would block the DNS addresses from being used.

That was for machine 1.4, which is the cleanest of the machines on the LAN, judging from the netstat reports. The bad DNS was likely being provided by the rogue DHCP server on machine 1.2. Still, it'd be a good idea to scan all of the machines on the LAN, just to be sure.


----------



## johnwill (Sep 26, 2002)

Yep, that one is a nasty little bugger, I've seen it on a few machines that come to me for repair. :smile:


----------



## joe7dust (May 4, 2009)

grue155 I miss you! 

I donated because of the wonderful service but now it seems I'm always talking to myself in threads. I don't know if it's because I have to post in the Networking forums to get more attention or the word is out that I'm a tech guy and some avoid that, or my new avatar and such actually has the reverse effect that I wanted...


----------



## grue155 (May 29, 2008)

I'm around :grin: Dayjob has its moments, so I tend to disappear at length as the workload varies. Forums have their own personality from the collective community, which sometimes meshes with our own, and sometimes not. It just takes browsing around, and posting occasionally to see what fits. Something I've learned is to have an auto-subscribe to any topic that I post in, so that when I log back in to the forum, I can see if anything new needs my attention. That's what got my attention here.


----------



## johnwill (Sep 26, 2002)

I guess since he didn't miss me, I can bypass those posts and save some work. :smile:


----------

