Continuous TCP/IP error messages

Our pc has recently started to get locked up by what appear in the system
log as continuous strings of attempts to connect (to the router?). If I am
lucky enough to have process explorer open at the time I can kill IE and the
network adapter (v slowly!), otherwise the plug has to be pulled.

Last night I thought I had better do a check with PandaActiveScan on line.
When it finally got to the end of the scan - 'no viruses' - some 2hr later,
the processor was locked up again, but I was lucky enough to be able to shut
off IE and the adaptor without having to pull the plug.

The error log showed a continuous chain of TCP/IP events for the whole time
the pc had been on line doing this scan. These were all of the 'semaphore
time out' type.

Interestingly, today, though there have been no lock ups so far, there have
been two warnings in the error log to say that the 'TCP/IP has reached the
security limit on the number of concurrent (incomplete) TCP connect
attempts'.

Now, I had been looking for just such a 'limit the number of attempts
setting', to try and stop the seize ups: why has the limit only now been
imposed, and what does all this signify for our system? Is it likely to be
a router/wireless problem, or is it an undetected virus or other hijack of
some sort? (I have had some recent HiJackthis scans looked at at AumHa, but
nothing untoward seemed to show up in the reports.)

Any enlightenment would be appreciated.

(We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
router. XP Pro system.)

Cheers,
S

"spamlet" <(E-Mail Removed)> wrote in message
news:jr4Yh.302$(E-Mail Removed)...
> Our pc has recently started to get locked up by what appear in the system
> log as continuous strings of attempts to connect (to the router?). If I
> am
> lucky enough to have process explorer open at the time I can kill IE and
> the
> network adapter (v slowly!), otherwise the plug has to be pulled.
>
> Last night I thought I had better do a check with PandaActiveScan on line.
> When it finally got to the end of the scan - 'no viruses' - some 2hr
> later,
> the processor was locked up again, but I was lucky enough to be able to
> shut
> off IE and the adaptor without having to pull the plug.
>
> The error log showed a continuous chain of TCP/IP events for the whole
> time
> the pc had been on line doing this scan. These were all of the 'semaphore
> time out' type.
>
> Interestingly, today, though there have been no lock ups so far, there
> have
> been two warnings in the error log to say that the 'TCP/IP has reached the
> security limit on the number of concurrent (incomplete) TCP connect
> attempts'.
>
> Now, I had been looking for just such a 'limit the number of attempts
> setting', to try and stop the seize ups: why has the limit only now been
> imposed, and what does all this signify for our system? Is it likely to
> be
> a router/wireless problem, or is it an undetected virus or other hijack of
> some sort? (I have had some recent HiJackthis scans looked at at AumHa,
> but
> nothing untoward seemed to show up in the reports.)
>
> Any enlightenment would be appreciated.
>
> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
> router. XP Pro system.)
>

http://www.google.com/search?hl=en&q...=Google+Search

http://www.psc.edu/networking/projec...tepbystep.html

You can try a hard reset of the router, setting it back to factory
defaults -- turn the router off for awhile after the reset. It might fix
your problem.

You can also flash the router with the current or later version of the
firmware to see if that fixes your problem - a last resort kind of thing.

"spamlet" <(E-Mail Removed)> wrote in message
news:jr4Yh.302$(E-Mail Removed)...
> Our pc has recently started to get locked up by what appear in the system
> log as continuous strings of attempts to connect (to the router?). If I
> am
> lucky enough to have process explorer open at the time I can kill IE and
> the
> network adapter (v slowly!), otherwise the plug has to be pulled.
>
> Last night I thought I had better do a check with PandaActiveScan on line.
> When it finally got to the end of the scan - 'no viruses' - some 2hr
> later,
> the processor was locked up again, but I was lucky enough to be able to
> shut
> off IE and the adaptor without having to pull the plug.
>
> The error log showed a continuous chain of TCP/IP events for the whole
> time
> the pc had been on line doing this scan. These were all of the 'semaphore
> time out' type.
>
> Interestingly, today, though there have been no lock ups so far, there
> have
> been two warnings in the error log to say that the 'TCP/IP has reached the
> security limit on the number of concurrent (incomplete) TCP connect
> attempts'.
>
> Now, I had been looking for just such a 'limit the number of attempts
> setting', to try and stop the seize ups: why has the limit only now been
> imposed, and what does all this signify for our system? Is it likely to
> be
> a router/wireless problem, or is it an undetected virus or other hijack of
> some sort? (I have had some recent HiJackthis scans looked at at AumHa,
> but
> nothing untoward seemed to show up in the reports.)
>
> Any enlightenment would be appreciated.
>
> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
> router. XP Pro system.)
>

Long

http://www.google.com/search?hl=en&q...=Google+Search

Short

http://tinyurl.com/yshfd2


http://www.psc.edu/networking/projec...tepbystep.html

You can try a hard reset of the router, setting it back to factory
defaults -- turn the router off for awhile after the reset. It might fix
your problem.

You can also flash the router with the current or later version of the
firmware to see if that fixes your problem - a last resort kind of thing.

On Apr 26, 12:29 pm, "spamlet" <spam.mores...@spamola.invalid> wrote:
> Our pc has recently started to get locked up by what appear in the system
> log as continuous strings of attempts to connect (to the router?). If I am
> lucky enough to have process explorer open at the time I can kill IE and the
> network adapter (v slowly!), otherwise the plug has to be pulled.
>
> Last night I thought I had better do a check with PandaActiveScan on line.
> When it finally got to the end of the scan - 'no viruses' - some 2hr later,
> the processor was locked up again, but I was lucky enough to be able to shut
> off IE and the adaptor without having to pull the plug.
>
> The error log showed a continuous chain of TCP/IP events for the whole time
> the pc had been on line doing this scan. These were all of the 'semaphore
> time out' type.
>
> Interestingly, today, though there have been no lock ups so far, there have
> been two warnings in the error log to say that the 'TCP/IP has reached the
> security limit on the number of concurrent (incomplete) TCP connect
> attempts'.
>
> Now, I had been looking for just such a 'limit the number of attempts
> setting', to try and stop the seize ups: why has the limit only now been
> imposed, and what does all this signify for our system? Is it likely to be
> a router/wireless problem, or is it an undetected virus or other hijack of
> some sort? (I have had some recent HiJackthis scans looked at at AumHa, but
> nothing untoward seemed to show up in the reports.)
>
> Any enlightenment would be appreciated.
>
> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
> router. XP Pro system.)
>
> Cheers,
> S

Could even be a failure of remote host to do PMTUD (path max trans
unit discovery);
BTDT. Seems that returned packets would be too large, and fail to make
it back.
Meanwhile, lots of entries in NAT data-structures, eventually causing
NAT router to
need reboot to function.

Does this happen with a particular domain/host?

Also, try rebooting router before hard reset or other drastic
measures.

HTH,
J

"spamlet" <(E-Mail Removed)> hath wroth:

>Our pc has recently started to get locked up by what appear in the system
>log as continuous strings of attempts to connect (to the router?).

- Your "PC" is running what operating system?
- Is this the only machine on your wireless network?
- Does your WHR-G54S-1 cable router do the same thing with a wired
ethernet connection?
- How busy is your system? Does the hard disk light flash
continuously when the system locks up?

>If I am
>lucky enough to have process explorer open at the time I can kill IE and the
>network adapter (v slowly!), otherwise the plug has to be pulled.

This one?
<http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx>
What does it say for CPU usage just before it hangs?

>Last night I thought I had better do a check with PandaActiveScan on line.
>When it finally got to the end of the scan - 'no viruses' - some 2hr later,
>the processor was locked up again, but I was lucky enough to be able to shut
>off IE and the adaptor without having to pull the plug.

My experience with virus scanners is that they catch about 90% of the
junk. The 10% remaining seem to be custom crafted remote control
programs (botnet) that are used to spew spam. These are somewhat
difficult to find but their presence can be recognized by intermittent
heavy outgoing SMTP traffic and unusual open ports. Also, look for
UPnP being on and cannot be disabled or removed.

In addition, there are root kits that are very difficult to detect.
Try this tool:
<http://free.grisoft.com/doc/39798/lng/us/tpl/v5>

>The error log showed a continuous chain of TCP/IP events for the whole time
>the pc had been on line doing this scan. These were all of the 'semaphore
>time out' type.

Thank you for severely editing all the useful information from the
system log. I'll guess that it really said:
"The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server."
Is this correct?
[ ] yes
[ ] no
I have some guesses but I'm lazy today. Kindly supply a single sample
message and I'll try to debug. Also, please describe this PC (CPU,
clock speed, RAM, type of HD) as this error is more common in very
slow and busy machines, particularly if they are lacking in sufficient
RAM.

>Interestingly, today, though there have been no lock ups so far, there have
>been two warnings in the error log to say that the 'TCP/IP has reached the
>security limit on the number of concurrent (incomplete) TCP connect
>attempts'.

I think your machine has been taken over by a Trojan that is running a
botnet. The symptoms are familiar familiar. My guess(tm) is that the
DHCP timeout errors are causing the semaphore errors as it trys to
change IP addresses to hide its presence. The incomplete connections
are from failed attempts to connect to various SMTP servers.

>Now, I had been looking for just such a 'limit the number of attempts
>setting', to try and stop the seize ups: why has the limit only now been
>imposed, and what does all this signify for our system? Is it likely to be
>a router/wireless problem, or is it an undetected virus or other hijack of
>some sort? (I have had some recent HiJackthis scans looked at at AumHa, but
>nothing untoward seemed to show up in the reports.)

Sigh. Get an ethernet hub, not a switch. Plug it between the cable
router and your probably infected computah. Grab a 2nd machine and
run WireShark to sniff the traffic. Look for SMTP (outgoing email)
traffic. If you find a bunch, you've been hijacked. Don't bother
trying to run Wireshark on the infected machine. Also, keep the
wireless out of the picture for now.

>Any enlightenment would be appreciated.

One must suffer before enlightenment.

>(We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
>router. XP Pro system.)

Ummm... thanks.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Thanks for the handy links MrA,

This is all a bit over my head, but the way I see it, as I'm not running as
any kind of high volume sharing device, the important thing is that this
problem has just manifested and why, rather than pointing out a real need to
change the settings.

I will look more closely at all the ideas from Jeff below before deciding if
I really need to change the settings. It seems likely that something
untoward has got in somehow (though so far I have run Jeff's suggested
AVGAntiRootkit and found nothing, but there is lots more to check).

Cheers,

S


"Mr. Arnold" <MR. (E-Mail Removed)> wrote in message
news:qR6Yh.1104$(E-Mail Removed) nk.net...
>
> "spamlet" <(E-Mail Removed)> wrote in message
> news:jr4Yh.302$(E-Mail Removed)...
>> Our pc has recently started to get locked up by what appear in the system
>> log as continuous strings of attempts to connect (to the router?). If I
>> am
>> lucky enough to have process explorer open at the time I can kill IE and
>> the
>> network adapter (v slowly!), otherwise the plug has to be pulled.
>>
>> Last night I thought I had better do a check with PandaActiveScan on
>> line.
>> When it finally got to the end of the scan - 'no viruses' - some 2hr
>> later,
>> the processor was locked up again, but I was lucky enough to be able to
>> shut
>> off IE and the adaptor without having to pull the plug.
>>
>> The error log showed a continuous chain of TCP/IP events for the whole
>> time
>> the pc had been on line doing this scan. These were all of the
>> 'semaphore
>> time out' type.
>>
>> Interestingly, today, though there have been no lock ups so far, there
>> have
>> been two warnings in the error log to say that the 'TCP/IP has reached
>> the
>> security limit on the number of concurrent (incomplete) TCP connect
>> attempts'.
>>
>> Now, I had been looking for just such a 'limit the number of attempts
>> setting', to try and stop the seize ups: why has the limit only now been
>> imposed, and what does all this signify for our system? Is it likely to
>> be
>> a router/wireless problem, or is it an undetected virus or other hijack
>> of
>> some sort? (I have had some recent HiJackthis scans looked at at AumHa,
>> but
>> nothing untoward seemed to show up in the reports.)
>>
>> Any enlightenment would be appreciated.
>>
>> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
>> router. XP Pro system.)
>>
>
> Long
>
> http://www.google.com/search?hl=en&q...=Google+Search
>
> Short
>
> http://tinyurl.com/yshfd2
>
>
> http://www.psc.edu/networking/projec...tepbystep.html
>
> You can try a hard reset of the router, setting it back to factory
> defaults -- turn the router off for awhile after the reset. It might fix
> your problem.
>
> You can also flash the router with the current or later version of the
> firmware to see if that fixes your problem - a last resort kind of thing.
>
>
>

"spamlet" <(E-Mail Removed)> wrote in message
news:xRqYh.2779$(E-Mail Removed)...
> Thanks for the handy links MrA,
>
> This is all a bit over my head, but the way I see it, as I'm not running
> as any kind of high volume sharing device, the important thing is that
> this problem has just manifested and why, rather than pointing out a real
> need to change the settings.
>
> I will look more closely at all the ideas from Jeff below before deciding
> if I really need to change the settings. It seems likely that something
> untoward has got in somehow (though so far I have run Jeff's suggested
> AVGAntiRootkit and found nothing, but there is lots more to check).
>

Well, use the proper tools and go look, Process Explorer and Active Ports.

http://preview.tinyurl.com/klw1
http://www.microsoft.com/technet/sys...s/default.mspx
http://www.pcworld.com/downloads/fil...d,23780,00.asp

Thanks again MrA.

Interesting reading but still rather over my head.
Already using ProcessExplorer (which can get very greedy on the cpu of
itself), but still a novice in using it effectively.
Have downloaded Active Ports, but have little idea what is 'normal'
activity.

Here is a sample readout:
System 4 192.168.11.2 138 LISTEN UDP
System 4 192.168.11.2 137 LISTEN UDP
System 4 0.0.0.0 445 LISTEN UDP
System 4 192.168.11.2 139 LISTEN TCP
System 4 0.0.0.0 445 LISTEN TCP
msimn.exe 344 127.0.0.1 1451 LISTEN UDP C:\Program Files\Outlook
Express\msimn.exe
lsass.exe 476 0.0.0.0 4500 LISTEN UDP C:\WINDOWS\system32\lsass.exe
lsass.exe 476 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe
svchost.exe 680 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
svchost.exe 716 192.168.11.2 123 LISTEN UDP
C:\WINDOWS\System32\svchost.exe
svchost.exe 764 0.0.0.0 1599 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 764 0.0.0.0 1183 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 764 0.0.0.0 1048 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 804 192.168.11.2 1900 LISTEN UDP
C:\WINDOWS\System32\svchost.exe
svchost.exe 804 192.168.11.2 2869 192.168.11.1 2066 CLOSE_WAIT TCP
C:\WINDOWS\System32\svchost.exe
GoogleDesktopIndex.exe 1960 127.0.0.1 4664 LISTEN TCP C:\Program
Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
alg.exe 2072 127.0.0.1 1026 LISTEN TCP C:\WINDOWS\System32\alg.exe

Does it ring any security bells for you?

Cheers,

S



"Mr. Arnold" <MR. (E-Mail Removed)> wrote in message
news:musYh.1427$(E-Mail Removed) nk.net...
>
> "spamlet" <(E-Mail Removed)> wrote in message
> news:xRqYh.2779$(E-Mail Removed)...
>> Thanks for the handy links MrA,
>>
>> This is all a bit over my head, but the way I see it, as I'm not running
>> as any kind of high volume sharing device, the important thing is that
>> this problem has just manifested and why, rather than pointing out a real
>> need to change the settings.
>>
>> I will look more closely at all the ideas from Jeff below before deciding
>> if I really need to change the settings. It seems likely that something
>> untoward has got in somehow (though so far I have run Jeff's suggested
>> AVGAntiRootkit and found nothing, but there is lots more to check).
>>
>
> Well, use the proper tools and go look, Process Explorer and Active Ports.
>
> http://preview.tinyurl.com/klw1
> http://www.microsoft.com/technet/sys...s/default.mspx
> http://www.pcworld.com/downloads/fil...d,23780,00.asp

Thanks Barry,

Have noticed it has a tendency to happen during printing from websites such
as Multimap, and, in following other leads both from here and at AumHa, have
found that the initial TCIP/IP errors at start up only occur if the wireless
adapter is enabled. Enabling the adapter after the services have all loaded
and the AV and AVGGuard have finished scanning, gets it started with no
TCP/IP erors. I presume the adapter needs the services in order to make a
proper connection. This probably won't help the other errors that happen in
'normal' use after this initial start up glitch though.

Cheers,

S
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> On Apr 26, 12:29 pm, "spamlet" <spam.mores...@spamola.invalid> wrote:
>> Our pc has recently started to get locked up by what appear in the system
>> log as continuous strings of attempts to connect (to the router?). If I
>> am
>> lucky enough to have process explorer open at the time I can kill IE and
>> the
>> network adapter (v slowly!), otherwise the plug has to be pulled.
>>
>> Last night I thought I had better do a check with PandaActiveScan on
>> line.
>> When it finally got to the end of the scan - 'no viruses' - some 2hr
>> later,
>> the processor was locked up again, but I was lucky enough to be able to
>> shut
>> off IE and the adaptor without having to pull the plug.
>>
>> The error log showed a continuous chain of TCP/IP events for the whole
>> time
>> the pc had been on line doing this scan. These were all of the
>> 'semaphore
>> time out' type.
>>
>> Interestingly, today, though there have been no lock ups so far, there
>> have
>> been two warnings in the error log to say that the 'TCP/IP has reached
>> the
>> security limit on the number of concurrent (incomplete) TCP connect
>> attempts'.
>>
>> Now, I had been looking for just such a 'limit the number of attempts
>> setting', to try and stop the seize ups: why has the limit only now been
>> imposed, and what does all this signify for our system? Is it likely to
>> be
>> a router/wireless problem, or is it an undetected virus or other hijack
>> of
>> some sort? (I have had some recent HiJackthis scans looked at at AumHa,
>> but
>> nothing untoward seemed to show up in the reports.)
>>
>> Any enlightenment would be appreciated.
>>
>> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
>> router. XP Pro system.)
>>
>> Cheers,
>> S
>
> Could even be a failure of remote host to do PMTUD (path max trans
> unit discovery);
> BTDT. Seems that returned packets would be too large, and fail to make
> it back.
> Meanwhile, lots of entries in NAT data-structures, eventually causing
> NAT router to
> need reboot to function.
>
> Does this happen with a particular domain/host?
>
> Also, try rebooting router before hard reset or other drastic
> measures.
>
> HTH,
> J
>

<snipped>

> Does it ring any security bells for you?
>

May I suggest that you post to alt.comp.antivirus where they can better help
you if you suspect a malware issue.