Answer the question
In order to leave comments, you need to log in
Spontaneous addition of routes in WinXp
There is a machine with WinXp SP3.
Spontaneous addition of routes is noticed.
A dependence has been noticed - when certain sites (for example, twitter, google) are opened in a browser (Opera / Firefox / Chrome), routes are guaranteed to be added.
Active Routes:
Network Address Mask Mask Address Gateway Metric Interface
0.0.0.0 0.0.0.0 10.77.0.1 10.77.0.77 1
10.77.0.0 255.255.255.0 10.77.0.77 10.77.0.77 10
10.77.0.77 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.2555 255.255.255.255 10.77.0.77 10.77.0.77 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
173.194.69.101 255.255.255.255 10.77.0.1 10.77.0.77 1
173.194.69.113 255.255.255.255 10.77.0.1 10.77. 0.77 1
173.194.69.138 255.255.255.255 10.77.0.1 10.77.0.77 1
209.85.173.104 255.255.255.255 10.77.0.1 10.77.0.77 1
224.0.0.0 0.0.0.0.0 10.77.0.77 10.77.0.77 10
255.255.255.255 255.255.255.255 255.255.255.255. 10.77.0.77 10.77. 0.77 1
Default gateway: 10.77.0.1
Permanent routes:
None
(Left routes are decorated with a link)
I suspect that this is the tail of some trojan or virus.
The system has been checked by Avast, Microsoft essentials, Advanced SystemCare - they all say that there is nothing suspicious.
sfc /scannow - also done
Routes are not added using route.exe - I made a stub that wrote to the log instead of installing. There are no calls.
What else can be done?
PS
I suspect that the routes are added by calling CreateIpForwardEntry (which is in iphlpapi.dll). Whether it is possible by means of any monitor to trace, what dll/exe/sys pulls this function?
Answer the question
In order to leave comments, you need to log in
It is very similar to the so-called ICMP Redirects - they are reported to your machine by the nearest router, or man-in-the-middle located in your network.
To disable, Google advises
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=0
did not try it myself.
And the routing table can also come via DHCP, but this should have happened at the time of receiving the IP address, and not when you went to the site.
You can also change the routing table through the RIP Listener (an additionally installed standard component in WinXP). Check if it is installed. Control Panel -> Add or Remove Programs -> Add/Remove Windows Components -> Networking Services -> RIP Listener. Unfortunately, I do not know how it is in Russian Windows XP.
PS Both of these technologies can be used by the provider to configure client computers. In my practice, one of the providers used both technologies, eventually settling on the first one as the most practical.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question