Our pc has recently started to get locked up by what appear in the system
log as continuous strings of attempts to connect (to the router?). If I am
lucky enough to have process explorer open at the time I can kill IE and the
network adapter (v slowly!), otherwise the plug has to be pulled.
Last night I thought I had better do a check with PandaActiveScan on line.
When it finally got to the end of the scan - 'no viruses' - some 2hr later,
the processor was locked up again, but I was lucky enough to be able to shut
off IE and the adaptor without having to pull the plug.
The error log showed a continuous chain of TCP/IP events for the whole time
the pc had been on line doing this scan. These were all of the 'semaphore
time out' type.
Interestingly, today, though there have been no lock ups so far, there have
been two warnings in the error log to say that the 'TCP/IP has reached the
security limit on the number of concurrent (incomplete) TCP connect
attempts'.
Now, I had been looking for just such a 'limit the number of attempts
setting', to try and stop the seize ups: why has the limit only now been
imposed, and what does all this signify for our system? Is it likely to be
a router/wireless problem, or is it an undetected virus or other hijack of
some sort? (I have had some recent HiJackthis scans looked at at AumHa, but
nothing untoward seemed to show up in the reports.)
Any enlightenment would be appreciated.
(We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
router. XP Pro system.)
"spamlet" <spam.morespam@spamola.invalid> wrote in message
news:jr4Yh.302$o42.135@newsfe3-win.ntli.net...
> Our pc has recently started to get locked up by what appear in the system
> log as continuous strings of attempts to connect (to the router?). If I
> am
> lucky enough to have process explorer open at the time I can kill IE and
> the
> network adapter (v slowly!), otherwise the plug has to be pulled.
>
> Last night I thought I had better do a check with PandaActiveScan on line.
> When it finally got to the end of the scan - 'no viruses' - some 2hr
> later,
> the processor was locked up again, but I was lucky enough to be able to
> shut
> off IE and the adaptor without having to pull the plug.
>
> The error log showed a continuous chain of TCP/IP events for the whole
> time
> the pc had been on line doing this scan. These were all of the 'semaphore
> time out' type.
>
> Interestingly, today, though there have been no lock ups so far, there
> have
> been two warnings in the error log to say that the 'TCP/IP has reached the
> security limit on the number of concurrent (incomplete) TCP connect
> attempts'.
>
> Now, I had been looking for just such a 'limit the number of attempts
> setting', to try and stop the seize ups: why has the limit only now been
> imposed, and what does all this signify for our system? Is it likely to
> be
> a router/wireless problem, or is it an undetected virus or other hijack of
> some sort? (I have had some recent HiJackthis scans looked at at AumHa,
> but
> nothing untoward seemed to show up in the reports.)
>
> Any enlightenment would be appreciated.
>
> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
> router. XP Pro system.)
>
You can try a hard reset of the router, setting it back to factory
defaults -- turn the router off for awhile after the reset. It might fix
your problem.
You can also flash the router with the current or later version of the
firmware to see if that fixes your problem - a last resort kind of thing.
"spamlet" <spam.morespam@spamola.invalid> wrote in message
news:jr4Yh.302$o42.135@newsfe3-win.ntli.net...
> Our pc has recently started to get locked up by what appear in the system
> log as continuous strings of attempts to connect (to the router?). If I
> am
> lucky enough to have process explorer open at the time I can kill IE and
> the
> network adapter (v slowly!), otherwise the plug has to be pulled.
>
> Last night I thought I had better do a check with PandaActiveScan on line.
> When it finally got to the end of the scan - 'no viruses' - some 2hr
> later,
> the processor was locked up again, but I was lucky enough to be able to
> shut
> off IE and the adaptor without having to pull the plug.
>
> The error log showed a continuous chain of TCP/IP events for the whole
> time
> the pc had been on line doing this scan. These were all of the 'semaphore
> time out' type.
>
> Interestingly, today, though there have been no lock ups so far, there
> have
> been two warnings in the error log to say that the 'TCP/IP has reached the
> security limit on the number of concurrent (incomplete) TCP connect
> attempts'.
>
> Now, I had been looking for just such a 'limit the number of attempts
> setting', to try and stop the seize ups: why has the limit only now been
> imposed, and what does all this signify for our system? Is it likely to
> be
> a router/wireless problem, or is it an undetected virus or other hijack of
> some sort? (I have had some recent HiJackthis scans looked at at AumHa,
> but
> nothing untoward seemed to show up in the reports.)
>
> Any enlightenment would be appreciated.
>
> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
> router. XP Pro system.)
>
You can try a hard reset of the router, setting it back to factory
defaults -- turn the router off for awhile after the reset. It might fix
your problem.
You can also flash the router with the current or later version of the
firmware to see if that fixes your problem - a last resort kind of thing.
On Apr 26, 12:29 pm, "spamlet" <spam.mores...@spamola.invalid> wrote:
> Our pc has recently started to get locked up by what appear in the system
> log as continuous strings of attempts to connect (to the router?). If I am
> lucky enough to have process explorer open at the time I can kill IE and the
> network adapter (v slowly!), otherwise the plug has to be pulled.
>
> Last night I thought I had better do a check with PandaActiveScan on line.
> When it finally got to the end of the scan - 'no viruses' - some 2hr later,
> the processor was locked up again, but I was lucky enough to be able to shut
> off IE and the adaptor without having to pull the plug.
>
> The error log showed a continuous chain of TCP/IP events for the whole time
> the pc had been on line doing this scan. These were all of the 'semaphore
> time out' type.
>
> Interestingly, today, though there have been no lock ups so far, there have
> been two warnings in the error log to say that the 'TCP/IP has reached the
> security limit on the number of concurrent (incomplete) TCP connect
> attempts'.
>
> Now, I had been looking for just such a 'limit the number of attempts
> setting', to try and stop the seize ups: why has the limit only now been
> imposed, and what does all this signify for our system? Is it likely to be
> a router/wireless problem, or is it an undetected virus or other hijack of
> some sort? (I have had some recent HiJackthis scans looked at at AumHa, but
> nothing untoward seemed to show up in the reports.)
>
> Any enlightenment would be appreciated.
>
> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
> router. XP Pro system.)
>
> Cheers,
> S
Could even be a failure of remote host to do PMTUD (path max trans
unit discovery);
BTDT. Seems that returned packets would be too large, and fail to make
it back.
Meanwhile, lots of entries in NAT data-structures, eventually causing
NAT router to
need reboot to function.
Does this happen with a particular domain/host?
Also, try rebooting router before hard reset or other drastic
measures.
>Our pc has recently started to get locked up by what appear in the system
>log as continuous strings of attempts to connect (to the router?).
- Your "PC" is running what operating system?
- Is this the only machine on your wireless network?
- Does your WHR-G54S-1 cable router do the same thing with a wired
ethernet connection?
- How busy is your system? Does the hard disk light flash
continuously when the system locks up?
>If I am
>lucky enough to have process explorer open at the time I can kill IE and the
>network adapter (v slowly!), otherwise the plug has to be pulled.
This one?
<http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx>
What does it say for CPU usage just before it hangs?
>Last night I thought I had better do a check with PandaActiveScan on line.
>When it finally got to the end of the scan - 'no viruses' - some 2hr later,
>the processor was locked up again, but I was lucky enough to be able to shut
>off IE and the adaptor without having to pull the plug.
My experience with virus scanners is that they catch about 90% of the
junk. The 10% remaining seem to be custom crafted remote control
programs (botnet) that are used to spew spam. These are somewhat
difficult to find but their presence can be recognized by intermittent
heavy outgoing SMTP traffic and unusual open ports. Also, look for
UPnP being on and cannot be disabled or removed.
In addition, there are root kits that are very difficult to detect.
Try this tool:
<http://free.grisoft.com/doc/39798/lng/us/tpl/v5>
>The error log showed a continuous chain of TCP/IP events for the whole time
>the pc had been on line doing this scan. These were all of the 'semaphore
>time out' type.
Thank you for severely editing all the useful information from the
system log. I'll guess that it really said:
"The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server."
Is this correct?
[ ] yes
[ ] no
I have some guesses but I'm lazy today. Kindly supply a single sample
message and I'll try to debug. Also, please describe this PC (CPU,
clock speed, RAM, type of HD) as this error is more common in very
slow and busy machines, particularly if they are lacking in sufficient
RAM.
>Interestingly, today, though there have been no lock ups so far, there have
>been two warnings in the error log to say that the 'TCP/IP has reached the
>security limit on the number of concurrent (incomplete) TCP connect
>attempts'.
I think your machine has been taken over by a Trojan that is running a
botnet. The symptoms are familiar familiar. My guess(tm) is that the
DHCP timeout errors are causing the semaphore errors as it trys to
change IP addresses to hide its presence. The incomplete connections
are from failed attempts to connect to various SMTP servers.
>Now, I had been looking for just such a 'limit the number of attempts
>setting', to try and stop the seize ups: why has the limit only now been
>imposed, and what does all this signify for our system? Is it likely to be
>a router/wireless problem, or is it an undetected virus or other hijack of
>some sort? (I have had some recent HiJackthis scans looked at at AumHa, but
>nothing untoward seemed to show up in the reports.)
Sigh. Get an ethernet hub, not a switch. Plug it between the cable
router and your probably infected computah. Grab a 2nd machine and
run WireShark to sniff the traffic. Look for SMTP (outgoing email)
traffic. If you find a bunch, you've been hijacked. Don't bother
trying to run Wireshark on the infected machine. Also, keep the
wireless out of the picture for now.
>Any enlightenment would be appreciated.
One must suffer before enlightenment.
>(We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
>router. XP Pro system.)
This is all a bit over my head, but the way I see it, as I'm not running as
any kind of high volume sharing device, the important thing is that this
problem has just manifested and why, rather than pointing out a real need to
change the settings.
I will look more closely at all the ideas from Jeff below before deciding if
I really need to change the settings. It seems likely that something
untoward has got in somehow (though so far I have run Jeff's suggested
AVGAntiRootkit and found nothing, but there is lots more to check).
Cheers,
S
"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message
news:qR6Yh.1104$296.355@newsread4.news.pas.earthli nk.net...
>
> "spamlet" <spam.morespam@spamola.invalid> wrote in message
> news:jr4Yh.302$o42.135@newsfe3-win.ntli.net...
>> Our pc has recently started to get locked up by what appear in the system
>> log as continuous strings of attempts to connect (to the router?). If I
>> am
>> lucky enough to have process explorer open at the time I can kill IE and
>> the
>> network adapter (v slowly!), otherwise the plug has to be pulled.
>>
>> Last night I thought I had better do a check with PandaActiveScan on
>> line.
>> When it finally got to the end of the scan - 'no viruses' - some 2hr
>> later,
>> the processor was locked up again, but I was lucky enough to be able to
>> shut
>> off IE and the adaptor without having to pull the plug.
>>
>> The error log showed a continuous chain of TCP/IP events for the whole
>> time
>> the pc had been on line doing this scan. These were all of the
>> 'semaphore
>> time out' type.
>>
>> Interestingly, today, though there have been no lock ups so far, there
>> have
>> been two warnings in the error log to say that the 'TCP/IP has reached
>> the
>> security limit on the number of concurrent (incomplete) TCP connect
>> attempts'.
>>
>> Now, I had been looking for just such a 'limit the number of attempts
>> setting', to try and stop the seize ups: why has the limit only now been
>> imposed, and what does all this signify for our system? Is it likely to
>> be
>> a router/wireless problem, or is it an undetected virus or other hijack
>> of
>> some sort? (I have had some recent HiJackthis scans looked at at AumHa,
>> but
>> nothing untoward seemed to show up in the reports.)
>>
>> Any enlightenment would be appreciated.
>>
>> (We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
>> router. XP Pro system.)
>>
>
> Long
>
> http://www.google.com/search?hl=en&q...=Google+Search
>
> Short
>
> http://tinyurl.com/yshfd2
>
>
> http://www.psc.edu/networking/projec...tepbystep.html
>
> You can try a hard reset of the router, setting it back to factory
> defaults -- turn the router off for awhile after the reset. It might fix
> your problem.
>
> You can also flash the router with the current or later version of the
> firmware to see if that fixes your problem - a last resort kind of thing.
>
>
>
"spamlet" <spam.morespam@spamola.invalid> wrote in message
news:xRqYh.2779$5O4.1946@newsfe1-gui.ntli.net...
> Thanks for the handy links MrA,
>
> This is all a bit over my head, but the way I see it, as I'm not running
> as any kind of high volume sharing device, the important thing is that
> this problem has just manifested and why, rather than pointing out a real
> need to change the settings.
>
> I will look more closely at all the ideas from Jeff below before deciding
> if I really need to change the settings. It seems likely that something
> untoward has got in somehow (though so far I have run Jeff's suggested
> AVGAntiRootkit and found nothing, but there is lots more to check).
>
Well, use the proper tools and go look, Process Explorer and Active Ports.
Interesting reading but still rather over my head.
Already using ProcessExplorer (which can get very greedy on the cpu of
itself), but still a novice in using it effectively.
Have downloaded Active Ports, but have little idea what is 'normal'
activity.
"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message
news:musYh.1427$296.470@newsread4.news.pas.earthli nk.net...
>
> "spamlet" <spam.morespam@spamola.invalid> wrote in message
> news:xRqYh.2779$5O4.1946@newsfe1-gui.ntli.net...
>> Thanks for the handy links MrA,
>>
>> This is all a bit over my head, but the way I see it, as I'm not running
>> as any kind of high volume sharing device, the important thing is that
>> this problem has just manifested and why, rather than pointing out a real
>> need to change the settings.
>>
>> I will look more closely at all the ideas from Jeff below before deciding
>> if I really need to change the settings. It seems likely that something
>> untoward has got in somehow (though so far I have run Jeff's suggested
>> AVGAntiRootkit and found nothing, but there is lots more to check).
>>
>
> Well, use the proper tools and go look, Process Explorer and Active Ports.
>
> http://preview.tinyurl.com/klw1
> http://www.microsoft.com/technet/sys...s/default.mspx
> http://www.pcworld.com/downloads/fil...d,23780,00.asp
Appols for the delay in thanking you: you will see from the other strands
that I have been working my way through as much of everyone's advice as I
can.
The pc seems to have gone fairly quiet in the last week, and some of the
TCP/Ip errors have been avoided by turning off the wireless before shutting
down each day. Others my have been related to a recent update of the
Multimap site, as I have noted that the error warnings often occur during
printing of route details from that site.
Mr Arnold suggested I look at the port activity via ActivePorts, and I have
given him a sample of one reading from this, but am not really knowledgeable
enough on the subject to be able to interpret this. Similarly, I fear that
I will have to do a lot more reading to be competent at exploring SMTP
traffic in the way you advise, but I will look into it.
Thanks once again for your helpful advice.
S
"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:lj4433leerob3n7okqo428ngg3cuv0vnbd@4ax.com...
> "spamlet" <spam.morespam@spamola.invalid> hath wroth:
>
>>Our pc has recently started to get locked up by what appear in the system
>>log as continuous strings of attempts to connect (to the router?).
>
> - Your "PC" is running what operating system?
> - Is this the only machine on your wireless network?
> - Does your WHR-G54S-1 cable router do the same thing with a wired
> ethernet connection?
> - How busy is your system? Does the hard disk light flash
> continuously when the system locks up?
>
>>If I am
>>lucky enough to have process explorer open at the time I can kill IE and
>>the
>>network adapter (v slowly!), otherwise the plug has to be pulled.
>
> This one?
> <http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx>
> What does it say for CPU usage just before it hangs?
>
>>Last night I thought I had better do a check with PandaActiveScan on line.
>>When it finally got to the end of the scan - 'no viruses' - some 2hr
>>later,
>>the processor was locked up again, but I was lucky enough to be able to
>>shut
>>off IE and the adaptor without having to pull the plug.
>
> My experience with virus scanners is that they catch about 90% of the
> junk. The 10% remaining seem to be custom crafted remote control
> programs (botnet) that are used to spew spam. These are somewhat
> difficult to find but their presence can be recognized by intermittent
> heavy outgoing SMTP traffic and unusual open ports. Also, look for
> UPnP being on and cannot be disabled or removed.
>
> In addition, there are root kits that are very difficult to detect.
> Try this tool:
> <http://free.grisoft.com/doc/39798/lng/us/tpl/v5>
>
>>The error log showed a continuous chain of TCP/IP events for the whole
>>time
>>the pc had been on line doing this scan. These were all of the 'semaphore
>>time out' type.
>
> Thank you for severely editing all the useful information from the
> system log. I'll guess that it really said:
> "The semaphore timeout period has expired. . Your computer will
> continue to try and obtain an address on its own from the network
> address (DHCP) server."
> Is this correct?
> [ ] yes
> [ ] no
> I have some guesses but I'm lazy today. Kindly supply a single sample
> message and I'll try to debug. Also, please describe this PC (CPU,
> clock speed, RAM, type of HD) as this error is more common in very
> slow and busy machines, particularly if they are lacking in sufficient
> RAM.
>
>>Interestingly, today, though there have been no lock ups so far, there
>>have
>>been two warnings in the error log to say that the 'TCP/IP has reached the
>>security limit on the number of concurrent (incomplete) TCP connect
>>attempts'.
>
> I think your machine has been taken over by a Trojan that is running a
> botnet. The symptoms are familiar familiar. My guess(tm) is that the
> DHCP timeout errors are causing the semaphore errors as it trys to
> change IP addresses to hide its presence. The incomplete connections
> are from failed attempts to connect to various SMTP servers.
>
>>Now, I had been looking for just such a 'limit the number of attempts
>>setting', to try and stop the seize ups: why has the limit only now been
>>imposed, and what does all this signify for our system? Is it likely to
>>be
>>a router/wireless problem, or is it an undetected virus or other hijack of
>>some sort? (I have had some recent HiJackthis scans looked at at AumHa,
>>but
>>nothing untoward seemed to show up in the reports.)
>
> Sigh. Get an ethernet hub, not a switch. Plug it between the cable
> router and your probably infected computah. Grab a 2nd machine and
> run WireShark to sniff the traffic. Look for SMTP (outgoing email)
> traffic. If you find a bunch, you've been hijacked. Don't bother
> trying to run Wireshark on the infected machine. Also, keep the
> wireless out of the picture for now.
>
>>Any enlightenment would be appreciated.
>
> One must suffer before enlightenment.
>
>>(We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
>>router. XP Pro system.)
>
> Ummm... thanks.
>
>
> --
> Jeff Liebermann jeffl@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558
Continuous TCP/IP error messages 
Linear Mode
