Continuous TCP/IP error messages

Our pc has recently started to get locked up by what appear in the system log as continuous strings of attempts to connect (to the router?). If I am lucky enough to have process explorer open at the time I can kill IE and the network adapter (v slowly!), otherwise the plug has to be pulled.

Last night I thought I had better do a check with PandaActiveScan on line. When it finally got to the end of the scan - 'no viruses' - some 2hr later, the processor was locked up again, but I was lucky enough to be able to shut off IE and the adaptor without having to pull the plug.

The error log showed a continuous chain of TCP/IP events for the whole time the pc had been on line doing this scan. These were all of the 'semaphore time out' type.

Interestingly, today, though there have been no lock ups so far, there have been two warnings in the error log to say that the 'TCP/IP has reached the security limit on the number of concurrent (incomplete) TCP connect attempts'.

Now, I had been looking for just such a 'limit the number of attempts setting', to try and stop the seize ups: why has the limit only now been imposed, and what does all this signify for our system? Is it likely to be a router/wireless problem, or is it an undetected virus or other hijack of some sort? (I have had some recent HiJackthis scans looked at at AumHa, but nothing untoward seemed to show up in the reports.)

Any enlightenment would be appreciated.

(We are using a D-Link DWL-G550+ adaptor, and a Buffalo WHR-G54S-1 cable router. XP Pro system.)

Cheers, S

-- spamlet

You can try a hard reset of the router, setting it back to factory defaults -- turn the router off for awhile after the reset. It might fix your problem.

You can also flash the router with the current or later version of the firmware to see if that fixes your problem - a last resort kind of thing.

-- Mr. Arnold

Could even be a failure of remote host to do PMTUD (path max trans unit discovery); BTDT. Seems that returned packets would be too large, and fail to make it back. Meanwhile, lots of entries in NAT data-structures, eventually causing NAT router to need reboot to function.

Does this happen with a particular domain/host?

Also, try rebooting router before hard reset or other drastic measures.

HTH, J

-- barry

"spamlet" hath wroth:

- Your "PC" is running what operating system?

- Is this the only machine on your wireless network?

- Does your WHR-G54S-1 cable router do the same thing with a wired ethernet connection?

- How busy is your system? Does the hard disk light flash continuously when the system locks up?

This one?

What does it say for CPU usage just before it hangs?

My experience with virus scanners is that they catch about 90% of the junk. The 10% remaining seem to be custom crafted remote control programs (botnet) that are used to spew spam. These are somewhat difficult to find but their presence can be recognized by intermittent heavy outgoing SMTP traffic and unusual open ports. Also, look for UPnP being on and cannot be disabled or removed.

In addition, there are root kits that are very difficult to detect. Try this tool:

Thank you for severely editing all the useful information from the system log. I'll guess that it really said: "The semaphore timeout period has expired. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server." Is this correct? [ ] yes [ ] no I have some guesses but I'm lazy today. Kindly supply a single sample message and I'll try to debug. Also, please describe this PC (CPU, clock speed, RAM, type of HD) as this error is more common in very slow and busy machines, particularly if they are lacking in sufficient RAM.

I think your machine has been taken over by a Trojan that is running a botnet. The symptoms are familiar. My guess(tm) is that the DHCP timeout errors are causing the semaphore errors as it tries to change IP addresses to hide its presence. The incomplete connections are from failed attempts to connect to various SMTP servers.

Sigh. Get an ethernet hub, not a switch. Plug it between the cable router and your probably infected computah. Grab a 2nd machine and run Wireshark to sniff the traffic. Look for SMTP (outgoing email) traffic. If you find a bunch, you've been hijacked. Don't bother trying to run Wireshark on the infected machine. Also, keep the wireless out of the picture for now.

One must suffer before enlightenment.

Ummm... thanks.

-- Jeff Liebermann

Thanks for the handy links MrA,

This is all a bit over my head, but the way I see it, as I'm not running as any kind of high volume sharing device, the important thing is that this problem has just manifested and why, rather than pointing out a real need to change the settings.

I will look more closely at all the ideas from Jeff below before deciding if I really need to change the settings. It seems likely that something untoward has got in somehow (though so far I have run Jeff's suggested AVGAntiRootkit and found nothing, but there is lots more to check).

Cheers,

S

-- spamlet

Well, use the proper tools and go look, Process Explorer and Active Ports.

-- Mr. Arnold

Thanks again MrA.

Interesting reading but still rather over my head. Already using ProcessExplorer (which can get very greedy on the cpu of itself), but still a novice in using it effectively. Have downloaded Active Ports, but have little idea what is 'normal' activity.

Here is a sample readout (one record per line: process, PID, local address, local port, [remote address, remote port,] state, protocol, path):

System                  4     192.168.11.2  138                        LISTEN      UDP
System                  4     192.168.11.2  137                        LISTEN      UDP
System                  4     0.0.0.0       445                        LISTEN      UDP
System                  4     192.168.11.2  139                        LISTEN      TCP
System                  4     0.0.0.0       445                        LISTEN      TCP
msimn.exe               344   127.0.0.1     1451                       LISTEN      UDP   C:\Program Files\Outlook Express\msimn.exe
lsass.exe               476   0.0.0.0       4500                       LISTEN      UDP   C:\WINDOWS\system32\lsass.exe
lsass.exe               476   0.0.0.0       500                        LISTEN      UDP   C:\WINDOWS\system32\lsass.exe
svchost.exe             680   0.0.0.0       135                        LISTEN      TCP   C:\WINDOWS\system32\svchost.exe
svchost.exe             716   192.168.11.2  123                        LISTEN      UDP   C:\WINDOWS\System32\svchost.exe
svchost.exe             764   0.0.0.0       1599                       LISTEN      UDP   C:\WINDOWS\System32\svchost.exe
svchost.exe             764   0.0.0.0       1183                       LISTEN      UDP   C:\WINDOWS\System32\svchost.exe
svchost.exe             764   0.0.0.0       1048                       LISTEN      UDP   C:\WINDOWS\System32\svchost.exe
svchost.exe             804   192.168.11.2  1900                       LISTEN      UDP   C:\WINDOWS\System32\svchost.exe
svchost.exe             804   192.168.11.2  2869  192.168.11.1  2066   CLOSE_WAIT  TCP   C:\WINDOWS\System32\svchost.exe
GoogleDesktopIndex.exe  1960  127.0.0.1     4664                       LISTEN      TCP   C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
alg.exe                 2072  127.0.0.1     1026                       LISTEN      TCP   C:\WINDOWS\System32\alg.exe

Does it ring any security bells for you?

Cheers,

S

-- spamlet
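Jeff's advice earlier in the thread (look for unusual open ports, intermittent outgoing SMTP traffic and piles of incomplete connect attempts) and the Active Ports readout above can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread or from the Active Ports tool. It parses records in the column order the readout uses (process, PID, local address and port, optional remote address and port, state, protocol, path). The first six sample records are taken from the posted readout; the last three, with the process name updsvc.exe, its path and the 203.0.113.x addresses, are constructed to show what the pattern Jeff describes would look like in the same format.

```python
"""Triage an Active Ports / netstat-style readout for the signs discussed in the thread:
listeners reachable beyond loopback, outgoing SMTP connections per process, and
half-open (SYN_SENT) connect attempts, which is what XP's concurrent-connect limiter counts."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The first six records are copied from the readout posted
# in the thread; the three 'updsvc.exe' records are invented (hypothetical process,
# hypothetical path, TEST-NET-3 addresses) to illustrate the spam-bot pattern.
SAMPLE = """\
System 4 192.168.11.2 138 LISTEN UDP
System 4 0.0.0.0 445 LISTEN TCP
msimn.exe 344 127.0.0.1 1451 LISTEN UDP C:\\Program Files\\Outlook Express\\msimn.exe
svchost.exe 680 0.0.0.0 135 LISTEN TCP C:\\WINDOWS\\system32\\svchost.exe
svchost.exe 804 192.168.11.2 2869 192.168.11.1 2066 CLOSE_WAIT TCP C:\\WINDOWS\\System32\\svchost.exe
alg.exe 2072 127.0.0.1 1026 LISTEN TCP C:\\WINDOWS\\System32\\alg.exe
updsvc.exe 3100 192.168.11.2 1601 203.0.113.10 25 SYN_SENT TCP C:\\WINDOWS\\Temp\\updsvc.exe
updsvc.exe 3100 192.168.11.2 1602 203.0.113.11 25 SYN_SENT TCP C:\\WINDOWS\\Temp\\updsvc.exe
updsvc.exe 3100 192.168.11.2 1603 203.0.113.12 25 ESTABLISHED TCP C:\\WINDOWS\\Temp\\updsvc.exe
"""


@dataclass
class Conn:
    proc: str
    pid: int
    local_ip: str
    local_port: int
    remote_ip: Optional[str]
    remote_port: Optional[int]
    state: str
    proto: str
    path: str


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_readout(text: str) -> List[Conn]:
    """One record per line; the remote address/port pair is present only for
    non-listening sockets, and the path (if any) may contain spaces."""
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6:          # too short to be a record (blank or header line)
            continue
        proc, pid, lip, lport = tok[0], int(tok[1]), tok[2], int(tok[3])
        rest = tok[4:]
        rip = rport = None
        if len(rest) >= 4 and _is_ip(rest[0]) and rest[1].isdigit():
            rip, rport = rest[0], int(rest[1])
            rest = rest[2:]
        state, proto = rest[0], rest[1]
        path = " ".join(rest[2:])  # re-join a path that split on spaces
        conns.append(Conn(proc, pid, lip, lport, rip, rport, state, proto, path))
    return conns


def exposed_listeners(conns: List[Conn]):
    """Listening sockets not bound to loopback, i.e. reachable from the LAN (or the
    Internet, if the router forwards the port). These are the 'open ports' to review."""
    return sorted({(c.proc, c.proto, c.local_port) for c in conns
                   if c.state == "LISTEN" and not ipaddress.ip_address(c.local_ip).is_loopback})


def outgoing_smtp(conns: List[Conn]) -> Counter:
    """Connections to remote port 25, counted per process. A mail client making one or
    two is normal; an unfamiliar process making many is the botnet signature."""
    return Counter(c.proc for c in conns if c.remote_port == 25)


def half_open(conns: List[Conn]) -> Counter:
    """SYN_SENT sockets: connect attempts the far end has not answered."""
    return Counter(c.proc for c in conns if c.state == "SYN_SENT")


def report(text: str) -> dict:
    conns = parse_readout(text)
    return {"exposed": exposed_listeners(conns),
            "smtp": dict(outgoing_smtp(conns)),
            "half_open": dict(half_open(conns))}


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted readout alone the script reports only the usual XP listeners (NetBIOS, SMB, RPC, IPsec, UPnP/SSDP on the LAN address) and nothing on port 25; it is the constructed updsvc.exe records that trip the SMTP and half-open counters, which is the shape of result that would justify the hub-and-Wireshark check Jeff suggests.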

Thanks Barry,

Have noticed it has a tendency to happen during printing from websites such as Multimap, and, in following other leads both from here and at AumHa, have found that the initial TCP/IP errors at start up only occur if the wireless adapter is enabled. Enabling the adapter after the services have all loaded and the AV and AVGGuard have finished scanning gets it started with no TCP/IP errors. I presume the adapter needs the services in order to make a proper connection. This probably won't help the other errors that happen in 'normal' use after this initial start up glitch though.

Cheers,

-- spamlet

May I suggest that you post to alt.comp.antivirus where they can better help you if you suspect a malware issue.

-- Mr. Arnold

Thanks Jeff,

Apologies for the delay in thanking you: you will see from the other strands that I have been working my way through as much of everyone's advice as I can.

The pc seems to have gone fairly quiet in the last week, and some of the TCP/IP errors have been avoided by turning off the wireless before shutting down each day. Others may have been related to a recent update of the Multimap site, as I have noted that the error warnings often occur during printing of route details from that site.

Mr Arnold suggested I look at the port activity via ActivePorts, and I have given him a sample of one reading from this, but am not really knowledgeable enough on the subject to be able to interpret this. Similarly, I fear that I will have to do a lot more reading to be competent at exploring SMTP traffic in the way you advise, but I will look into it.

Thanks once again for your helpful advice.

S

-- spamlet
