Anyway, I've been having Internet issues lately that I won't go into here. I was examining my router's event log to see if I could spot anything that could give me a clue what was going on. And while I'm not sure if it's related to my problem, I did see something very very fishy going on.
At least 75% of the entries in my router's event log said that my PC's IP address was trying to connect to port 80 (which I know is HTTP) on 172.16.30.115 (which I know is a private IP address) and that the router was dropping traffic to the network 172.16.0.0/12. The reason this is strange is because my home network uses the 192.168.1.0/24 network EXCLUSIVELY. I don't know WHY my PC would be repeatedly trying to access a private IP that is NOT in use on my network, so I decided to try and figure it out.
Hours of sorting through Google search results later, I was no closer to having any clue what kind of drugs my computer was taking, so I posted a question on Yahoo Answers to see if anyone else had ideas that I hadn't thought of. One user did: "Could be a malware trying to contact its Command and Control server, but the malware writer forgot to change the hard-coded IP address to that of CC, I'm not sure. Use netstat to see what program/process is doing that on your computer, and then google-search it." - Yahoo Answers user bohemian9485
I know what netstat is and vaguely what it does, but I'm not proficient with any command-line utilities, so I Googled how to use it. After reading its Wikipedia article, I decided to run the command "netstat -b 10" (-b shows which process is in charge of that connection, 10 tells it to scan again every 10 seconds.) After staring at my screen for about 5 minutes, I finally spotted this scrolling past:
"TCP 192.168.1.x:56814 172.16.30.115:http SYN_SENT"
While I was glad to finally see something trying to access 172.16.30.115, I was disappointed that the most ambiguous process in the world appeared to be the culprit. So then I googled some more, and discovered that I could find out which services were running as svchost.exe by running the command "tasklist /svc /fi "imagename eq svchost.exe"" <-double quotation there to include the quotations that are part of the command as well as enclosing the entire command in quotes
I don't know what all the parameters there do, but it returned a list of PIDs for various services running as svchost.exe. I no longer have that result pulled up, so I can't post it here. But I opened up Task Manager and looked through the Services tab to find out the names of the services that were running as svchost.exe. All of them appeared to be legit Microsoft services.
So now I'm as bewildered as I was when I started, maybe more. SOMETHING running as svchost.exe is repeatedly trying to access the private IP address 172.16.30.115 on a network that uses the 192.168.1.0/24 network EXCLUSIVELY. Does anyone know what is causing this and/or how I can get it to stop? I don't know whether it is having a significant impact on my Internet connection, but even if it isn't, I don't want a useless network query being made repeatedly.
I am running Windows 7 Ultimate 64-bit, and the router whose logs I viewed is the standard AT&T U-Verse modem/router combo.
I have AVG Free installed on my computer. It runs weekly whole-computer scans, and I ran another scan just before deciding to post this. The scan I did came up negative, as have all scheduled scans since like February when it found I-don't-remember-what-but-it-fortunately-wasn't-affecting-me-yet. I also haven't had AVG Free miss an infection that WAS affecting me since like 2007, and that one was probably partially my fault anyway since I had a slow computer and I always cancelled the virus scans when they started. Also I was still using Internet Explorer back then. But my point is, I can't FIND any malware, but my computer is being weird and I have no clue what to do from here.
Today I came up with the idea of downloading Wireshark and using it to capture the network traffic coming in and out of my PC's wireless card. (If I knew how Wireshark worked I'd have just captured the traffic between my PC and 172.16.30.115, but I don't.) So I had it run for 30 minutes while I perused the router's log more carefully to figure out how the router was displaying the time.
I figured out from the router log that this mysterious transmission sends three packets from my PC to 172.16.30.115 every ten minutes, within two seconds each time. Like clockwork. Except more exact. So every timestamp, in 24 hour format, is xx:x8:16 or xx:x8:17. (The x's get filled in by what time it is.) So right now it's 6:17 PM, which means that it'll happen again in a minute. CREEPY.
To make things more creepy, we have the Wireshark capture results. After the capture finished, I looked in the Wireshark help document for how to filter what I was seeing, and I discovered that I could show just the stuff sent to or from 172.16.30.115 by entering "ip.addr==172.16.30.115" into the filter field. So I did that, and discovered that there are packets coming to my computer from 172.16.30.115, in a network that only uses the 192.168.1.0/24 network. Not only that, but there is one packet sent from 172.16.30.115 to my computer for every packet sent to 172.16.30.115 by my computer. So there must be SOMETHING that is SOMEHOW using the IP address 172.16.30.115. I just don't have any idea how.
And it gets creepier. As anyone who has used Wireshark probably knows, it is possible to "read" packets that are captured. I say "read" because, in my experience, they've always been gibberish. When you "open" a packet, it shows a protocol analysis of the packet, along with the data it sees inside. The data is composed of a bunch of hex garbage along with Wireshark's "translation" of the hex garbage. Again, I say "translation" because a lot of the hex garbage is actually header stuff for the various protocols, and it's easier to just look at the analysis for that; also any encrypted data will show up as nonsense in the "translation."
The packets that my computer is sending to 172.16.30.115 are exactly as unclear as I'm used to. No English shows up in the "translation," and in fact, from what I can tell, there is no actual data inside these packets. So my computer is sending empty TCP packets to 172.16.30.115 every 10 minutes. From what I can tell, the only important thing in these packets is that the SYN flag is always set. I don't know the significance of that, but that seems to be the only thing worth noting. (I'm reluctant to simply post exactly what Wireshark gave me since I don't know what kind of data might be in there or who might be able to use it for harm.)
The packets that 172.16.30.115 sends to my computer are a different story. In terms of analysis, these ones have the RST and the ACK flags set, and Wireshark has marked two out of every set of three with the label [TCP Retransmission]. The creepy part is the "translation:" it contains the nonsense BUT it also contains the text "Go away, we're not home." When I right-click any of the packets sent in either direction and click "Follow TCP Stream," which (as far as I'm aware) is meant to show everything, including session establishment stuff, in English, the only thing that shows up in the window is the text "Go away, we're not home."
So basically, I'm terrified now. Every ten minutes - exact to the SECONDS - my computer sends empty packets to 172.16.30.115, a PRIVATE IP ADDRESS that is NOT BEING USED on my network, and every ten minutes SOMETHING RESPONDS saying "Go away, we're not home."
I'm so scared. Is this a form of malware? If it is malware, is it just there to scare people who know how to use Wireshark, or is it somehow sending information? What is my PC trying to accomplish? Why is an IP address that shouldn't exist in my network able to respond telling my computer to go away because it's not home? And most importantly, how do I make all of this stop?
I'm pretty much about to start crying. That's how scared I am.
Please help me!
Edited by amykathleen2, 01 August 2012 - 06:45 PM.
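A defender-side check for the pattern described in this post (outbound SYNs from netstat/Wireshark, three per burst every ten minutes, to a private address outside the home subnet), as an added example that is not part of the original post: it groups outbound SYNs by destination, measures how regular the interval between bursts is, and flags destinations in an RFC 1918 range that is not the local 192.168.1.0/24. The host addresses, timestamps and thresholds are constructed assumptions.

```python
import ipaddress
from statistics import mean, pstdev

PC, ODD_HOST, WEB = "192.168.1.10", "172.16.30.115", "93.184.216.34"
LAN = ipaddress.ip_network("192.168.1.0/24")  # the home network from the post

# Constructed records shaped like the router log / Wireshark view in the post: (seconds since
# midnight, src, dst, dst port, TCP flags). Three SYNs within two seconds every ten minutes at
# xx:x8:16, each answered by a RST/ACK, plus ordinary browsing to an outside server at odd times.
EVENTS = []
for hour in range(2):
    for minute in range(8, 60, 10):
        t = hour * 3600 + minute * 60 + 16
        EVENTS += [(t, PC, ODD_HOST, 80, "SYN"), (t + 1, PC, ODD_HOST, 80, "SYN"),
                   (t + 1, PC, ODD_HOST, 80, "SYN"), (t + 0.1, ODD_HOST, PC, 56814, "RST,ACK")]
for t in (100, 340, 900, 2000, 6000, 6100, 9000):
    EVENTS.append((t, PC, WEB, 443, "SYN"))

def bursts(times, gap=2.0):
    """Collapse timestamps closer than `gap` seconds into bursts; return each burst's first time."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts

def find_beacons(events, local_net=LAN, min_bursts=6, max_cv=0.05):
    """Report destinations that receive outbound SYNs at a near-constant interval."""
    syn_times = {}
    for t, src, dst, dport, flags in events:
        if "SYN" in flags and "ACK" not in flags:  # outbound connection attempts only
            syn_times.setdefault((dst, dport), []).append(t)
    report = {}
    for (dst, dport), times in syn_times.items():
        starts = bursts(times)
        if len(starts) < min_bursts:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period  # jitter relative to the period; ~0 means clockwork
        if cv > max_cv:
            continue
        ip = ipaddress.ip_address(dst)
        report[(dst, dport)] = {
            "period_s": round(period, 1), "jitter_cv": round(cv, 3), "bursts": len(starts),
            # an RFC 1918 address that is not on the LAN (172.16.0.0/12 vs 192.168.1.0/24 here)
            "private_offnet": ip.is_private and ip not in local_net}
    return report
```

Run against real data, the records would be parsed from the router log or a Wireshark export with the same five fields; the irregular browsing traffic is filtered out by the jitter threshold while the ten-minute pattern is reported.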