Bogus "Internet Connection" Network interface 1

[Seumas13]

Help! I have a Win-XP-Pro PC which I noticed yesterday, whenever it is connected to the Internet (either by cable, or wireless), it gains an interface called "Internet Connection" which claims to be connecting to the Internet via another Computer.

I don't have any computers in this environment which are hosting ICS, because both the wired and wireless connections are connected directly to Broadband routers, and provide direct (via NAT) Internet Access.

Also, the Properties of the interface won't show me the address of the other computer through which it is connecting.

It looks to me like something has installed itself to redirect my internet traffic and allow someone out there to see everything I use.

Neither SpyBot S&D nor Ad-Aware found this.

Any suggestions?

 

[linney]

Does your ISP have any comment?

Is there anything unusual in your Hosts file?

Anything in the Security or System Log of the Event Viewer about what or who you are remotely connecting to?

How about any firewall logging?


This trojan scanner has an online scanner you could try, you could even try the full trial version or free limited download.

Ewido security suite - Protection against Spyware, Trojans, Dialers, Keyloggers and other growing threats.

http://www.ewido.net/en/

This program will tell you what process is connecting to which ports from YOUR computer.

Port Explorer, it has a free 30 day or 50 uses trial.

http://www.diamondcs.com.au/index.php?page=products

Removing adware & spyware
faq608-4650

Microsoft (GIANT Antispyware) Beta available
Thread779-979113

 

[Seumas13]

I'll check these things.

I found the same symptom today on another PC which uses a different ISP.

Also, the first PC I found it on is connected to two ISPs - one via Wireless, the other via the wire. Initially all traffic seemed to be routing through the wireless connection (which is really strange since it is only 11-Mbps to a 384-K ISP, while the wired one is 100-Mbps to a 3-Mbps ISP), but when I disabled the wireless connection, the bogus "Internet Connection" went away briefly, then re-connected via the wired connection.

I tried a traceroute, but that looked normal - as if it were only going through ISPs to the destination.

Then, again, it the phantom host out there is providing my DNS, then it can spoof anything it wants...

I'm still open to other ideas... (not that there was anything wrong with these ones.)

And specifically, has anyone seen this or anything similar?

 

[gx3]

I am really having a hard time understanding this thread! What ISP in your area is transmitting wireless and wired at the same time? If you happen to have wired and wireless active at the same time(not a good idea) and one stops obviously the other will activate. I don't know what you are actually seeing
since I can't see your screen, but I don't think you have a problem.

 

[Seumas13]

1 - My problem took a turn for the worse last night - my computer started sending out tons of data via its wired connection (to the CABLE ISP), even though I was not doing anything online.

2 - Why do you (gx3) say it's not a good idea to be connected to both a wireless network and a wired network at the same time?

3 - My point was that the "Internet Connection" "Gateway" thingie is not related to my ISP, because it appears regardless which ISP I connect to.

4 - Perhaps I should give more details about the environment...

I have two ISPs at home, CABLE and DSL. The DSL connection has a Wireless Portal/Router attached, the CABLE does not.

I use three computers at my home, two desktop and one laptop (I use the laptop at other locations as well).

I will refer to each computer as "A", "B" and "C".

Desktop Computer "A" (Win-XP-Pro-SP2) is my primary PC when I am at home and is connected to both ISPs, both as wired connections.
I had thought that it does not appear to have been affected by this problem, because it does not show the bogus "Internet Connection" in Network Properties. However, I thought my CABLE ISP was down a couple days ago because I saw extremely limited traffic on that connection (like only 1 or 2 incoming bytes).

Desktop computer "B" (Win-XP-Home-SP2) is my wife's computer. It is connected only to the CABLE ISP. That one has been slow for a while, but does not show the bogus "Internet Connection" in Network Properties. Last night it stared not connecting at all - also showing only one or two incoming bytes.
(My wife's user-ID is configured as a "Limited User".)

My Laptop (Computer "C") (Win-XP-Pro-SP2) connects to the DSL via a wireless card, and to the CABLE via the wired network.

On Laptop "C", I use Yahoo! instant messenger, and I get mail via Yahoo. I also have Yahoo! toolbar with Anti-Spy installed.

Last night I notice that Laptop "C" was sending out tons of trafic on the CABLE connection. Desktop "B" was receiving almost no traffic on the CABLE connection. I did not check Desktop "A".

When I un-plugged the CABLE connection from Laptop "C" due to the volume of traffic, the bogus "Internet Conenction" went away, and although the Wireless (DSL) connection appeared to be working, I could not connect to anything on the Internet.

I have also seen the bogus "Internet Connection" on my Mom's computer "D", which uses a completely different CABLE ISP via a wireless router.

I have tried everything (or almost everything) suggested by Reply 1, and the Hijacker FAQ, but have not identified or stopped the problem. Ewido only found cookies...

So, again I ask, has anyone seen this before? Can anyone sugegst anything short of formatting the HDD and re-installing Windows?

Thanks.

 

[Turkbear]

Hi,

A few ideas ( but it is Friday, so be kind):

Try rebooting with the network cable disconnected, and with your wireless access point turned off..

See if, on restarting, any wireless connection is discovered ( Maybe a neighbor's).
If not, then turn your wireless access point back on and reboot..See if that connection is discovered and configured correctly..


Try the same process ( after seeing if the wireless connection is now OK), to re-establish the cable connection.

Also, Perhaps your winsock has gotten corrupted/compromised, try a repair.






To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[linney]

Packets sent = 3,274,290,832,129. Packets received = 83
thread779-526667

 

[Seumas13]

Hi, all. Thanks for the ideas.

I'll try them tonight and post my results at:

http://www.tek-tips.com/viewthread.cfm?qid=1100199&page=1

(I've re-posted a cleaner version of this question in the Virus/Spyware forum.)

Thanks, again!

Seumas

 

[Beowulf005]

Windows XP will respond to most routers as an Internet sharing connection. If you right click and check the properties of the ICS it should show your routers IP adress. This is OK.

In terms of your high packet out and low packet could be due to the two networks. The computer doesn't know what to respond to. How are the IP's setup on the different networks?

 

[Seumas13]

Disabling uPnP seems to have stopped it.

I don't know whether it was my own router(s) appearing, or if it was a uPnP attack, but it is resolved now.

My brother found on my Mom's PC that removing (not just disabling) all of the protocols from the "Internet Connection" allowed him to either disable or delete it.