CyberLink

John Coutts
I was just setting up a customer's new Dell computer, and I have shut down most
of the unnecessary crap. But there is still one thing that is annoying me.
Every time a new user logs in, the system connects to port 80 on 203.73.25.204.
This address range traces to SeedNet in Taiwan, and the address displays the
home page for CyberLink.

I don't like connections that are made silently in the background, and I
suspect that it is related to the Sonic DVD software loaded on this machine.
The running services are:

Image Name                   PID Services
========================= ====== =============
System Idle Process            0 N/A
System                         4 N/A
SMSS.EXE                    1020 N/A
CSRSS.EXE                   1068 N/A
WINLOGON.EXE                1092 N/A
SERVICES.EXE                1136 Eventlog, Plu
LSASS.EXE                   1148 ProtectedStor
SVCHOST.EXE                 1388 RpcSs
SVCHOST.EXE                 1544 Dnscache
CCSETMGR.EXE                1576 ccSetMgr
CCEVTMGR.EXE                1604 ccEvtMgr
SVCHOST.EXE                 1740 AudioSrv, Bro
                                 FastUserSwitc
                                 lanmanserver,
                                 Nla, SENS, Sh
                                 winmgmt
SPOOLSV.EXE                 1760 Spooler
AWHOST32.EXE                1844 awhost32
EXPLORER.EXE                2032 N/A
hkcmd.exe                    324 N/A
DVDLauncher.exe              336 N/A
PCMService.exe               344 N/A
tfswctrl.exe                 276 N/A
CCAPP.EXE                    392 N/A
mmtask.exe                   408 N/A
CTFMON.EXE                   416 N/A
CCPROXY.EXE                  588 ccProxy
MDM.EXE                      632 MDM
NAVAPSVC.EXE                 700 navapsvc
SNDSrvc.exe                  808 SNDSrvc
CMD.EXE                     1924 N/A
TASKLIST.EXE                2848 N/A
WMIPRVSE.EXE                2884 N/A

J.A. Coutts
 
John said:
I was just setting up a customer's new Dell computer, and I have shut down most
of the unnecessary crap. But there is still one thing that is annoying me.
Every time a new user logs in, the system connects to port 80 on 203.73.25.204.
This address range traces to SeedNet in Taiwan, and the address displays the
home page for CyberLink.

I don't like connections that are made silently in the background, and I
suspect that it is related to the Sonic DVD software loaded on this machine.
The running services are:

It may be checking for updates. Does the DVD software have an option to
turn that off?

michael
 
1) Download the following item...

Adaware SE
http://www.lavasoftusa.com/

2) Update Adaware with latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Adaware SE, perform a Full Scan of your platform and clean/delete
any parasites found.
6) Restart your PC and perform a "final" Full Scan of your platform using Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use; suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point
10) Please report back your results

Dave

 
It turns out that it is related to PCMService.exe (Dell Media Experience) and
not directly to Sonic DVD. I switched users to open the port and then started
shutting down tasks until the connection went to TIME_WAIT. Why on earth would
Dell load a one shot file that connects to an outside Web site every time a new
user signs on? It makes no sense, but then all these large programs want to
appear to load quickly by preloading part of the program at startup.

By the way, if you want to uninstall MSN Messenger, you have to edit
\windows\inf\sysoc.inf file and remove the hide from:

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7.

This will allow you to uninstall MSN Messenger.

J.A. Coutts
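The "kill tasks until the connection disappears" method above can be replaced by one pass that joins `netstat -ano` (the `-o` switch, present from Windows XP on, adds the owning PID; the `netstat -an` used in the thread does not) against `tasklist /svc`. This is an added example, not code from the thread. The netstat and tasklist text it parses is constructed sample output: the 203.73.25.204:80 peer and PID 344 for PCMService.exe are taken from the thread, the local addresses, ports and the other rows are made up. Note that a socket already in TIME_WAIT is reported with PID 0, so attribution only works while the connection is still open, which is exactly why the one-shot connector was hard to pin down.

```python
import re

# Constructed sample of `netstat -ano` output. Only the 203.73.25.204:80 peer and
# PID 344 come from the thread; everything else is made up for this example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1388
  TCP    192.168.1.10:1043      203.73.25.204:80       ESTABLISHED     344
  TCP    192.168.1.10:1051      192.0.2.10:80          TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed excerpt of `tasklist /svc` output in the layout the thread shows,
# including a service list wrapped onto a continuation line.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============
System                         4 N/A
SVCHOST.EXE                 1388 RpcSs
SVCHOST.EXE                 1740 AudioSrv,
                                 winmgmt
PCMService.exe               344 N/A
NAVAPSVC.EXE                 700 navapsvc
"""

# proto, local, foreign, optional state (UDP rows have none), PID
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# image name, PID, services; continuation lines start with whitespace
_TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_tasklist(text):
    """Map PID -> (image name, services) from `tasklist /svc` output.
    Wrapped service lists are joined back onto the previous entry."""
    procs = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = _TASKLIST_RE.match(line)
        if m:
            image, pid, services = m.group(1), int(m.group(2)), m.group(3).strip()
            procs[pid] = (image, services)
            last_pid = pid
        elif last_pid is not None:
            image, services = procs[last_pid]
            procs[last_pid] = (image, (services + " " + line.strip()).strip())
    return procs


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) tuples from `netstat -ano` output."""
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            yield proto, local, remote, state or "", int(pid)


def _port(addr):
    """Port number of 'host:port' (works for '[v6]:port' too); None for '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def outbound_by_process(netstat_text, tasklist_text, remote_port=80):
    """List TCP connections to `remote_port` with the owning image name.
    PID 0 (TIME_WAIT sockets) has no owner, so those rows stay unattributed."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state == "LISTENING" or _port(remote) != remote_port:
            continue
        image = procs[pid][0] if pid and pid in procs else "(unattributed)"
        rows.append((image, pid, local, remote, state))
    return rows


if __name__ == "__main__":
    for row in outbound_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-18s pid=%-5d %s -> %s %s" % row)
```

On a live machine, run `netstat -ano > net.txt` and `tasklist /svc > tasks.txt` from a fresh logon session and feed both files in; the `ESTABLISHED` row to port 80 is the one to look at, and its image name is the process to chase through the Run keys and the Startup folder.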
 
John said:
**************** REPLY SEPARATOR *****************
It turns out that it is related to PCMService.exe (Dell Media Experience) and
not directly to Sonic DVD. I switched users to open the port and then started
shutting down tasks until the connection went to TIME_WAIT.

It went to TIME_WAIT because that's one way HTTP works. It doesn't
necessarily make a continuous connection. It can use short TCP sessions.

I think your current approach is a red herring. The Whois info is more
revealing. Why don't you log the packets with Ethereal and see what
it's sending?

michael
 
That's a capital suggestion Michael.

Dave

 
It went to TIME_WAIT because that's one way HTTP works. It doesn't
necessarily make a continuous connection. It can use short TCP sessions.

I think your current approach is a red herring. The Whois info is more
revealing. Why don't you log the packets with Ethereal and see what
it's sending?

michael
***************** REPLY SEPARATOR *******************
Sorry, but the proof is in the pudding. Because HTML is a connectionless
protocol, the port would eventually time out on its own if you waited long
enough. But when I removed the PCMService.exe program from the registry, the
port no longer opened. Dell's Media Experience still runs fine without it auto
starting.

Note that this is not a well behaved program. There are other programs (such as
Norton's auto-update) that also visit a web site on startup, but these
disconnect properly when they have completed their function, and the port goes
to TIME_WAIT immediately. I dislike all auto-update programs, but the novice
user needs the protection.

J.A. Coutts
 
John said:
***************** REPLY SEPARATOR *******************
Sorry, but the proof is in the pudding. Because HTML is a connectionless
protocol, the port would eventually time out on its own if you waited long
enough. But when I removed the PCMService.exe program from the registry, the
port no longer opened. Dell's Media Experience still runs fine without it auto
starting.

Well, I stand corrected on this. I assumed it was Cyberlink software
(they make PowerDVD, I think; I didn't know about Sonic DVD).

But to nitpick, HTML is a markup language. You probably mean HTTP,
which often uses TCP, which is a connection oriented protocol. At the
application layer, it can be quasi-connectionless, in that it opens a
quick connection, then closes it. It just depends on the layer of
reference.

Malware (or spyware) theoretically can still use hooks and raw sockets
which won't show up in the netstat output.

michael
 
But to nitpick, HTML is a markup language. You probably mean HTTP,
which often uses TCP, which is a connection oriented protocol. At the
application layer, it can be quasi-connectionless, in that it opens a
quick connection, then closes it. It just depends on the layer of
reference.

Malware (or spyware) theoretically can still use hooks and raw sockets
which won't show up in the netstat output.

michael
**************** REPLY SEPARATOR ****************
Now it's my turn to nitpick. Yes, I meant HTTP (which is the actual protocol used
by HTML). Unlike other protocols (such as FTP or SMTP) which establish and
maintain a connection, an HTTP request is exactly that; a request that will
time out by itself unless action is taken by the client or server to maintain
that connection (as in the use of the SessionID). Generally, a new request is
sent on a different outbound port. It still connects to port 80 on the other
end, but it is a different connection that is generally serviced and then
dropped. That is why a netstat -an can produce many different connections to
port 80 in the TIME_WAIT state.

The process of servicing a request and then dropping it allows a Web server to
service thousands of requests a second without the fear of running out of
sockets. An FTP or SMTP server on the other hand can only maintain a certain
number of connections, and new requests to connect beyond its predetermined
capacity are rejected. The connection will remain in place until one party or
the other terminates it. Because HTTP is connectionless, a Web server maintains
something called a SessionID. A client may use this ID to re-establish the
connection.

J.A. Coutts
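The behaviour argued over in the last few posts, that one TCP connection can carry a single HTTP request and then be dropped, or be held open for several, can be seen without leaving the machine. This is an added example and not code from the thread: it starts a throwaway Python `http.server` on 127.0.0.1 (port chosen by the OS) and sends two GETs over one socket, first with `Connection: close` and then with `Connection: keep-alive`. The request and response bytes are constructed for the demo; the server name, path and body are arbitrary.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _Handler(BaseHTTPRequestHandler):
    # http.server only keeps a connection open for further requests when it
    # speaks HTTP/1.1; its default is HTTP/1.0, which closes after every reply.
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start a throwaway HTTP server on 127.0.0.1 with an OS-assigned port."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _read_response(sock):
    """Read one response (status line + Content-Length body).
    Returns None if the peer closed or reset the connection first."""
    try:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                return None
            buf += chunk
        head, _, body = buf.partition(b"\r\n\r\n")
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        while len(body) < length:
            chunk = sock.recv(4096)
            if not chunk:
                return None
            body += chunk
        return head.split(b"\r\n")[0], body[:length]
    except OSError:
        return None


def requests_on_one_socket(port, connection_header, count=2):
    """Send `count` GETs over a single TCP connection and return how many were
    answered. With 'Connection: close' the server hangs up after the first
    reply, so later requests on that socket fail; with 'keep-alive' all of
    them are served on the same connection."""
    answered = 0
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        for _ in range(count):
            req = ("GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                   "Connection: %s\r\n\r\n" % connection_header).encode()
            try:
                s.sendall(req)
            except OSError:
                break  # peer already reset the connection
            if _read_response(s) is None:
                break
            answered += 1
    return answered


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("Connection: close      ->", requests_on_one_socket(port, "close"), "answered")
    print("Connection: keep-alive ->", requests_on_one_socket(port, "keep-alive"), "answered")
    srv.shutdown()
```

The side that closes first is the side whose socket sits in TIME_WAIT, so a client that sends one request and hangs up shows TIME_WAIT on the client almost immediately, while a client that holds a keep-alive socket open stays ESTABLISHED in `netstat` until one end closes. That difference, not anything about HTML, is what separates the "well behaved" updaters from the connection that was being chased in this thread.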
 