What is this internet activity on my HP?

Discussion in 'privacy problems' started by pclaptop, Aug 22, 2012.

Thread Status:
Not open for further replies.
  1. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    On an HP desktop, at screwy times of the day and night, this activity is recorded. And what is this IP address that is referred to? It is not MY modem's IP address 24.0.187.75

    Starting: hpslpsvc32.dll
    20120511225823:0003B91E4:0001(0000-0000)(2204)+++ From: cprogram files\hp\digital imaging\bin
    20120511225823:0003B97F2:0001(0000-0000)(2204)+++Command Line: CWindows\system32\svchost.exe -k HPService
    20120511225823:0003B9D38:0001(0000-0000)(2204)+++ File Size: 634880
    20120511225823:0003BA220001(0000-0000)(2204)+++ Version: hpslpsvc32.dll 120.0.194.0 Release
    20120511225823:0003BA7FF:0001(0000-0000)(2204)+++ Built on: Oct 16 2008 18:22:43
    20120511225823:0003BAE40101(0000-0000)(2204)+++ PI 2196 HPSLPSVC0182.log (CWindows\system32\svchost.exe )
    20120511225823:0003E0D19:0001(0000-0000)(2204){Loaded 0 devices}
    20120511225823:000425260201(0000-0000)(2356)<Using adapter at index A for [Local Area Connection](NVIDIA nForce 10/100 Mbps Ethernet ) IP=192.168.2.5 Type=6>
    20120511225823:000427B5B:0101(0000-0000)(2356)<FOUND 1 connected adapter(s), error=0>
    20120511225823:0004460F5:0001(0000-0000)(2356)<Monitoring adapter ip=192.168.2.5, subnet=192.168.2.0/24 at index A for NVIDIA nForce 10/100 Mbps Ethernet [status=1, flags=3e5] type=6>
    20120511225823:000450A8A:0001(0000-0000)(2528)Heartbeat event initialized for subnet=192.168.2.0/24
    20120511225823:000459F0C:0101(0000-0000)(2356)<STARTED manager for(192.168.2.0/24)>
    20120511225823:00045CBDE:0101(0000-0000)(2356)<FOUND 1 connected adapter(s)>
    20120511225823:00045EC26:0001(0000-0000)(2532)<MONITORING subnet 192.168.2.0/24 on LOCAL ADDRESS 192.168.2.5>
    20120511225823:0004613D0101(0000-0000)(2356)<STARTED MANAGER FOR OFF-SUBNET 2560>
    20120511225823:000462AD3:0001(0000-0000)(2560)<MONITORING OFF-SUBNET>
    20120511225823:0004639C5:0101(0000-0000)(2532)[SENDING MULTICAST REQUEST->192.168.2.0/24]
    20120511225823:00046435C:0101(0000-0000)(2532)<FINISHED STARTUP for 192.168.2.5>
    20120511225823:000470D8B:0001(0000-0000)(2548)Heartbeat event initialized for subnet=
    20120511225824:0005659B1:0101(0001-0001)(2560)<FINISHED STARTUP for OFF_SUBNET>
    20120511225824:000566635:0101(0001-0000)(2560)<SERVICE STARTUP FINISHED in 1700 mSec>
    20120511225829:0000976E9:0101(0006-0004)(2532)[SENDING MULTICAST REQUEST->192.168.2.0/24]
    20120512004422:00030AF67:0101(6369-0002)(2356)<IP ADDRESS TABLE CHANGED>
    20120512004422:00030CF87:0101(6369-0000)(2356)<IP CHANGE NOTIFICATION SCHEDULED>
    20120512004422:00031ACA3:0101(6369-0000)(2356)<RESCAN SUBNETS> S=1, R=0
    20120512014735:000777FE4:0001(0162-3792)(5452)<MONITORING OFF-SUBNET>
    20120512014739:0001D6701:0001(0166-0000)(2204)Media sense re-started
    20120512014739:0001FE678:0101(0166-0000)(2356)<RESUMING>
    20120512014739:00022BB9E:0101(0166-0000)(2356)<RESCAN SUBNETS> S=0, R=1
    20120512014739:00024148B:0001(0166-0000)(2204)Already awake
     
    Last edited by a moderator: Aug 22, 2012
  2. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    OK here is some additional info:


    These are the IPs mentioned . . . .
    my IP: 174.57.91.xxx last three octets are deleted on purpose

    suspicious #2 IP: 68.37.228.207 (text c/p below shows location also see attached pic 205)

    suspicious #3 IP: 69.248.177.14


    These c/p's come from a Windows temp directory, and it seems as though it is automatically recorded in files like this HPSLPSVC0205.log c/p

    20120614150401:0003CCB01:0001(0000-0000)(2320)+++ Starting: hpslpsvc32.dll
    20120614150401:0003E5381:0001(0000-0000)(2320)+++ From: cprogram files\hp\digital imaging\bin
    20120614150401:0003FA6E8:0001(0000-0000)(2320)+++Command Line: CWindows\system32\svchost.exe -k HPService
    20120614150401:00040FB03:0001(0000-0000)(2320)+++ File Size: 634880
    20120614150401:00041C6EC:0001(0000-0000)(2320)+++ Version: hpslpsvc32.dll 120.0.194.0 Release
    20120614150401:000427EF4:0001(0000-0000)(2320)+++ Built on: Oct 16 2008 18:22:43
    20120614150401:000435E39:0101(0000-0000)(2320)+++ PI 2312 HPSLPSVC0205.log (CWindows\system32\svchost.exe )
    20120614150401:00044EA1A:0001(0000-0000)(2320){Loaded 0 devices}
    20120614150401:00046EAC3:0201(0000-0000)(3012)<Using adapter at index A for [Local Area Connection](NVIDIA nForce 10/100 Mbps Ethernet ) IP=68.37.228.207 Type=6>
    20120614150401:00047CBF3:0101(0000-0000)(3012)<FOUND 1 connected adapter(s), error=0>
    20120614150401:000482D41:0001(0000-0000)(3012)<Monitoring adapter ip=68.37.228.207, subnet=68.37.228.0/23 at index A for NVIDIA nForce 10/100 Mbps Ethernet [status=1, flags=3e5] type=6>
    20120614150401:0004905B7:0101(0000-0000)(3012)<STARTED manager for(68.37.228.0/23)>
    20120614150401:000499B13:0001(0000-0000)(3016)Heartbeat event initialized for subnet=68.37.228.0/23
    20120614150402:0004A5405:0001(0000-0000)(3020)<MONITORING subnet 68.37.228.0/23 on LOCAL ADDRESS 68.37.228.207>
    20120614150402:0004B10E5:0101(0000-0000)(3012)<FOUND 1 connected adapter(s)>
    20120614150402:0004B1909:0101(0000-0000)(3020)[SENDING MULTICAST REQUEST->68.37.228.0/23]
    20120614150402:0004B24CF:0101(0000-0000)(3020)<FINISHED STARTUP for 68.37.228.207>
    20120614150402:0004B2CBA:0001(0000-0000)(3024)Heartbeat event initialized for subnet=
    20120614150402:0004B3526:0001(0000-0000)(3028)<MONITORING OFF-SUBNET>
    20120614150402:0004B3CC4:0101(0000-0000)(3012)<STARTED MANAGER FOR OFF-SUBNET 3028>
    20120614150403:0005A8612:0101(0001-0001)(3028)<FINISHED STARTUP for OFF_SUBNET>
    20120614150403:0005AA263:0101(0001-0000)(3028)<SERVICE STARTUP FINISHED in 1467 mSec>
    20120614150408:0000E5C10101(0006-0005)(3020)[SENDING MULTICAST REQUEST->68.37.228.0/23]

    That was only part of a 27kb log file.

    See attached screen shot logrecords.jpg of temp files (hplog files) and see the screen shot 205log.jpg of the section of that log file pasted above from HPSLPSVC0205.log.

    Can't seem to u/l pics right now!
     


    Last edited: Aug 23, 2012
  3. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    and a little more

    And why would HP digital imaging be going OUT of my HOME network 174.57.91.xxx to the internet to other IP addresses (24.0.187.75, 68.37.228.207, 69.248.177.14) to see if there were new printers on the network?

    How many different "HP" homes is MY computer calling out to? And how come they are all in Franklinville, about 5 miles from where I actually live?

    Is it possible that someone (unknown to me) has added these IP addys as networked stations/clients/VPN and the HP query is including them as well, regardless of the distance/location??

    thanks for any replies insight

    pclaptop
     
    Last edited: Aug 23, 2012
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    If you believe your machine is infected or communicating in a way that was not intended per normally expected Windows installation behaviour, see the preceding link for suggestions.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Re: and a little more

    It just looks to be harmless multicast broadcasts, where other hosts can choose whether or not to join in the group. Maybe you can shut off the hp service responsible for it if it concerns you?
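
Added example (not part of any poster's reply and not HP's code): a short Python parser for the HPSLPSVC log lines quoted in this thread. It reports which address the service says it bound to and whether each multicast request targets that adapter's own subnet. The sample lines are constructed from the excerpts above; the field names and the "own-subnet"/"unexpected" labels are this example's own.

```python
import ipaddress
import re

# Constructed sample: a few lines in the format of the HPSLPSVC*.log excerpts in this thread.
SAMPLE_LOG = """\
20120511225823:0004460F5:0001(0000-0000)(2356)<Monitoring adapter ip=192.168.2.5, subnet=192.168.2.0/24 at index A for NVIDIA nForce 10/100 Mbps Ethernet [status=1, flags=3e5] type=6>
20120511225823:0004639C5:0101(0000-0000)(2532)[SENDING MULTICAST REQUEST->192.168.2.0/24]
20120614150401:000482D41:0001(0000-0000)(3012)<Monitoring adapter ip=68.37.228.207, subnet=68.37.228.0/23 at index A for NVIDIA nForce 10/100 Mbps Ethernet [status=1, flags=3e5] type=6>
20120614150402:0004B1909:0101(0000-0000)(3020)[SENDING MULTICAST REQUEST->68.37.228.0/23]
"""

ADAPTER_RE = re.compile(r"Monitoring adapter ip=([\d.]+), subnet=([\d./]+)")
REQUEST_RE = re.compile(r"SENDING MULTICAST REQUEST->([\d./]+)")

def summarize(log_text):
    """Return (adapters, requests) extracted from an HPSLPSVC log.

    adapters: one dict per address the service reports for the local adapter.
    requests: (timestamp, target, verdict) tuples; verdict is "own-subnet"
    when the target is the subnet of an adapter already seen in the log.
    """
    adapters, requests, known = [], [], set()
    for line in log_text.splitlines():
        stamp = line[:14]  # YYYYMMDDhhmmss prefix of every entry
        m = ADAPTER_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            net = ipaddress.ip_network(m.group(2), strict=False)
            known.add(net)
            adapters.append({"time": stamp, "ip": str(ip), "subnet": str(net),
                             "ip_in_subnet": ip in net, "private": ip.is_private})
            continue
        m = REQUEST_RE.search(line)
        if m:
            target = ipaddress.ip_network(m.group(1), strict=False)
            verdict = "own-subnet" if target in known else "unexpected"
            requests.append((stamp, str(target), verdict))
    return adapters, requests

if __name__ == "__main__":
    found_adapters, found_requests = summarize(SAMPLE_LOG)
    for entry in found_adapters:
        print(entry)
    for entry in found_requests:
        print(entry)
```

Run over a full log, any request marked "unexpected" is the line worth a closer look; in the excerpts posted here, every multicast target is the subnet of the address the log itself calls the LOCAL ADDRESS.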
     
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    How about removing all the crapware that HP loads on that's not needed for normal daily Windows operation?
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Exactly, HP are notorious for loading extraneous software to MSCONFIG and Services.
     
  8. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    OK, thanks guys, I finally uploaded the screenshots.

    It seems like 2-3 times a day, that HP service is "phoning home".

    Christ, ET didn't phone home that much!!
     
  9. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    Double posted one of the IPs; the third should be 69.248.177.14
     
  10. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    To give you an idea how I've come to this point, I've got a 320 gb HD and Windows is only seeing 50 gb! I was getting a message "HD is full"! Can't be! I opened the PC case, looked at the HD, and it is printed on the HD case label "320 gb".

    I used Paragon Partition Mgr and Ontrack Data Recovery to find out that 236 gb has been un-partitioned to something other than NTFS or FAT (Win 7 doesn't even see this 236 gb), and that Ontrack found 671 files in there that pertain to evidence and documents and pictures and mpg videos for a current ongoing MAJOR LAWSUIT!

    Now I'm pretty damn sure this HD did NOT come from the factory with 236 gb inaccessible, and I'm just as sure that those 671 files weren't there from the factory as well!

    thanks pclaptop
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Your computer is a bot and in need of a format of a new Windows 7. :p Just joking about the bot but not the format.
     
    Last edited: Aug 23, 2012
  12. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    I was thinking of chaining it to the back of my truck and taking a few laps around the parking lot!

    Where do the IP addresses come from that this HP activity uses? Are they embedded in the hpslpsvc32.dll file? Can they be altered?
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I really can't answer where they come from, but I understand your frustration. I would not feel safe with all that going on. Did you buy the computer new or used?
     
  14. pclaptop

    pclaptop Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    10
    Location:
    USA
    I don't understand why it has chosen so many IPs to update from (assuming this is a legit activity); seems like a different IP EVERY day!

    Would be an interesting way for a hacker to get remote access, having the HP Imaging software call out to his computer!! No trace of the HACKER computer calling out, just this computer multicasting to his! Just alter the dll file with the IP address you want (assuming it's in the hpslpsvc32.dll that the directed/designated IPs come from) and have it do its normal software update check!!

    Can somebody beat me with a stick if this all sounds impossible/improbable!
     