Author Topic: What is a TCP/IP ARP command and Why is it hogging my CPU?  (Read 15519 times)


Offline MrOmnosTopic starter

  • Frequent Contributor
  • **
  • Posts: 268
  • Country: np
  • BE in Electronics and Communication
What is a TCP/IP ARP command and Why is it hogging my CPU?
« on: August 14, 2017, 01:16:05 pm »
I am running Windows 8.1 on my laptop. And recently I have been noticing this 'TCP/IP arp command' named task hogging my CPU all the time. It uses 40-50% of my CPU, which is a 2.8GHz dual core i5. So, I always ended up killing the task. What is it? And why is it hogging my CPU?
 

Offline 3db

  • Frequent Contributor
  • **
  • Posts: 331
  • Country: gb
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #1 on: August 14, 2017, 01:26:12 pm »
Basically ARP maps IP addresses to MAC addresses.
It shouldn't be hogging your CPU.
Do you have more than one switch on your network?
Use the ARP command to look at the ARP table to see if it's changing.
Try and find which process is actually hogging the CPU.
The free Sysinternals software suite from Microsoft might help.
You could use tcpview to see what your computer is connecting to.
« Last Edit: August 14, 2017, 01:31:28 pm by 3db »
 

Offline rob77

  • Super Contributor
  • ***
  • Posts: 2085
  • Country: sk
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #2 on: August 14, 2017, 01:46:20 pm »
ARP is a protocol (address resolution protocol, which maps logical IP address to physical MAC address). There is no such thing as "TCP/IP arp command"; there is an arp.exe command on Windows which displays the arp cache of your system, and it ends immediately after that, so there is no way it could eat up your CPU. I bet you're hosting some malware on your PC which is consuming your CPU ;)
 

Offline rob77

  • Super Contributor
  • ***
  • Posts: 2085
  • Country: sk
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #3 on: August 14, 2017, 01:50:52 pm »
OK. Actually they really call it "TCP/IP Arp Command", but what I said before still applies - it can't eat your CPU. There is no such service.

quote from MSDN:

Quote
TCP/IP Arp Command

The TCP/IP ARP Command component provides the functionality to add, delete, or display the IP address for Media Access Control (MAC) address translation.
Services
There are no services for this component.
Associated Components
No other components interact with this component.
Settings
There are no configurable settings for this component.
 

Offline MrOmnosTopic starter

  • Frequent Contributor
  • **
  • Posts: 268
  • Country: np
  • BE in Electronics and Communication
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #4 on: August 14, 2017, 01:52:05 pm »
lol


I am pretty sure it's malware. How do I clean this up? How do I protect my computer without paying money. I don't have money for security applications and anti-virus.
 

Offline rstofer

  • Super Contributor
  • ***
  • Posts: 9931
  • Country: us
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #5 on: August 14, 2017, 02:53:41 pm »
What happens if you click the End Task button with the TCP/IP Arp Command selected?

Look in the startup tab of Task Manager and see if you recognize all of the programs being started at boot time.  Use Google to check the names of programs.

I don't know anything about Win 8 but on Win 10 there is a Windows Defender tool that scans for malware.  I don't know how effective it is.  Find it and make sure the data files are current then run a full scan.
 

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5188
  • Country: nl
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #6 on: August 14, 2017, 03:01:20 pm »
Right click on the name and choose "open file location". Where is the program, is it in the windows or system folder?
Keyboard error: Press F1 to continue.
 

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3575
  • Country: ca
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #7 on: August 14, 2017, 05:10:37 pm »
You likely have malware/virus as per

https://www.herdprotect.com/iscsiwm.exe-e0734dececa890d614f3da3c4154092cfac5732a.aspx

When I ran windows back in 2014, I used Malwarebytes.  Free and very thorough.

https://www.malwarebytes.com/

Just be sure to click and use the free one and opt out of offers, trials, etc.  I usually let Malwarebytes run through at least twice to ensure complete removal.

Having said that, technically, the tcp/ip stack in Windows could be responding to an arp broadcast storm.  This arp broadcast storm could be coming from a local malfunctioning device or another local infected computer.
 
The following users thanked this post: fourtytwo42

Offline tablatronix

  • Regular Contributor
  • *
  • Posts: 199
  • Country: us
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #8 on: August 14, 2017, 05:14:02 pm »
Certainly sounds like a fake app or virus to me. There is no arp that runs constantly or is called "TCP Arp Command". Sounds sketchy.
 

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3575
  • Country: ca
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #9 on: August 14, 2017, 05:31:38 pm »
Quote
How do I protect my computer without paying money.

For future avoidance of malware/viruses, try to use two computers, one for just banking and trusted applications, and the other for general websurfing and downloading.  If the latter gets infected, wipe, reinstall windows and start over.

Or on the second computer switch to linux which is less likely, but not impossible, to get infected.

I also use adblockers, privacy blockers and keep my OS up to date on a daily basis.  I also use chrome beta to ensure I get the earliest patches and fixes.  Chrome beta gets updated weekly with patches and fixes.

My OS is Lubuntu 16.04 and 17.04.  16.04 on my trusted computer and 17.04 on the general all purpose computer.  Lubuntu is free to use and download.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 27766
  • Country: nl
    • NCT Developments
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #10 on: August 14, 2017, 11:21:54 pm »
Quote
How do I protect my computer without paying money.

Microsoft has a program called defender and there are loads of free programs out there. AVG Free works fine for me even though the recent versions try hard to trick you into getting the paid version.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3575
  • Country: ca
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #11 on: August 14, 2017, 11:41:08 pm »
Quote
Microsoft has a program called defender and there are loads of free programs out there.

According to this wiki entry

https://en.wikipedia.org/wiki/Windows_Defender

"In Windows 8 and Windows 10, Windows Defender is on by default."

I'm assuming this also applies to 8.1? If true, either

a) OP turned it off,
b) ignoring some message from defender that he has a virus,
c) defender isn't getting updates
d) or it doesn't realize this is a potential virus.
e) malware/virus has completely disabled defender somehow

Since I haven't run Windows in over 3 years now, I have no interest in keeping up with that world.

 

Offline MrOmnosTopic starter

  • Frequent Contributor
  • **
  • Posts: 268
  • Country: np
  • BE in Electronics and Communication
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #12 on: August 15, 2017, 03:20:28 pm »
So, I downloaded Bitdefender free version and ran a full system scan. It found 6 infected files. I quarantined two of them and deleted four of them. But this TCP/IP ARP is not going away.



I went to the file location and it is located in System32.


When I kill the task nothing happens. Everything is normal. But it comes back again after restart and starts hogging my cpu. So, I checked the start up tab and found this

Is it normal for the power shell to start during start up?
And those two 'Zogg', what are those? 

'Zogg from Betelgeuse' is my PC name.  It's weird.
 

Offline rstofer

  • Super Contributor
  • ***
  • Posts: 9931
  • Country: us
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #13 on: August 15, 2017, 04:11:07 pm »
Not only is PowerShell running, the little arrow makes me believe it is running a script.  No, it shouldn't run at startup unless you have written a startup script.  I have done this on a couple of machines to delete browser files and stuff like that.  In general, it shouldn't be running.

I did a search of c:\windows for arp.exe and there are 4 copies installed in various subdirectories.  Two copies are 22k bytes and 2 copies are 25k bytes.  In broad terms, the 25k versions match yours in size but mine is a much newer version since I am running Win 10.

If ARP is really running at such a high rate, you should be able to see a lot of LEDs blinking around the network gear.  Try looking at the RJ45 on your PC (if wired) and perhaps look at your router.  See what happens if you pull the network cable or shut down the WiFi.

See what script PowerShell is running first.  The script could be hammering ARP.

 

Offline MrOmnosTopic starter

  • Frequent Contributor
  • **
  • Posts: 268
  • Country: np
  • BE in Electronics and Communication
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #14 on: August 15, 2017, 04:31:22 pm »
You were right, it is running a lot of scripts.


I tried to see the file locations but nothing happens. I also tried to see the properties of these console hosts but nothing happens. I am disabling PowerShell from start up. I use the University wifi network so I don't know where the router is. I also have an Ethernet cable in my room but the connector is broken so maybe I will look at the LEDs tomorrow morning.
Meanwhile I found this article online.
https://www.bleepingcomputer.com/virus-removal/remove-console-window-host-conhost.exe-monero-miner

I am pretty sure I am a victim.  :palm: Damn you Russians.  |O
 

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5188
  • Country: nl
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #15 on: August 15, 2017, 06:02:28 pm »
There's a good chance that it is started from one of these 2 registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If you have a look in there you can probably see what script it is running and what it is doing.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 27766
  • Country: nl
    • NCT Developments
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #16 on: August 15, 2017, 06:12:10 pm »
I doubt it will be that simple but it is worth a try. Years ago I tried to clean a Windows PC which was sending spam. I ran several anti-virus and malware removers (including Linux based ones) but none were able to remove it. In the end the PC needed a format and re-installing Windows.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #17 on: August 15, 2017, 11:55:18 pm »
Quote
I doubt it will be that simple but it is worth a try. Years ago I tried to clean a Windows PC which was sending spam. I ran several anti-virus and malware removers (including Linux based ones) but none were able to remove it. In the end the PC needed a format and re-installing Windows.

It is better to always reinstall after an infection. If something takes hold, there's no telling what it did and where it might still be hiding. It is quite feasible that malware presents some low-hanging fruit, so users think they cleared their systems, only to log your bank account data in the background. Anything a random stranger could do to your system with full administrator rights might have been done by this malware. That means pretty much anything and everything.

It's not worth the risk. Make proper backups before any infections and reinstall after an infection.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8387
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #18 on: August 16, 2017, 06:24:11 am »
Your version of Windows is new enough that in the detail view in Task Manager, you can right-click the column headings and select columns, choose Command Line, and then you can see exactly what script and where those PowerShell instances are running.
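
The two checks suggested in this thread (the Run keys from reply #15 and the process command lines from reply #18) can be done in one read-only PowerShell pass. This is an added example, not code from any poster; the interpreter list and the -EncodedCommand pattern are assumed heuristics, and the process names are the ones mentioned in the thread.

```powershell
# Added example, read-only: nothing here changes the registry or stops a process.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed heuristics, not a complete list: script interpreters that rarely
# belong in a Run entry, and PowerShell's -EncodedCommand in its short forms.
$scriptHost = 'powershell|wscript|cscript|mshta|cmd(\.exe)?"?\s+/c'
$encodedArg = '\s-(e|ec|en\w*)\s'
$rawValue   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        # Read the raw string so %VAR% references are shown unexpanded.
        $command = [string]$regKey.GetValue($name, '', $rawValue)
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            ScriptHost = $command -match $scriptHost
            Encoded    = $command -match $encodedArg
            Command    = $command
        }
    }
}

# Command line, path and parent of each process the thread mentions. Run elevated;
# otherwise CommandLine and ExecutablePath can be empty for other accounts' processes.
$filter = "Name='powershell.exe' OR Name='conhost.exe' OR Name='arp.exe'"
$procs = Get-CimInstance -ClassName Win32_Process -Filter $filter |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

# Flagged autoruns first, then the matching processes.
$autoruns | Sort-Object ScriptHost, Encoded -Descending | Format-List
$procs    | Sort-Object Name | Format-List
```

A Run entry flagged ScriptHost or Encoded, or an arp.exe or conhost.exe whose ParentProcessId points at one of the listed PowerShell instances, is the thing to read closely before deciding between cleanup and a reinstall.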
 

Offline abraxa

  • Frequent Contributor
  • **
  • Posts: 377
  • Country: de
  • Sigrok associate
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #19 on: August 16, 2017, 07:02:42 am »
Quote
I am pretty sure I am a victim.  :palm: Damn you Russians.  |O

Just because the offending domain ends in .ru doesn't mean that the people doing this are Russian. We're talking about the internet here; tracing any kind of activity back to its real origin without any kind of doubt is impossible.

Yes, it sucks that you have a mining trojan on your system but it's not proven (and won't ever be) that "the Russians" are behind it.
 

Offline MrOmnosTopic starter

  • Frequent Contributor
  • **
  • Posts: 268
  • Country: np
  • BE in Electronics and Communication
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #20 on: August 16, 2017, 02:00:11 pm »
Look, we all know it's probably Russians. They are the experts. I am saying it as a compliment. No offense.
 

Offline rstofer

  • Super Contributor
  • ***
  • Posts: 9931
  • Country: us
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #21 on: August 16, 2017, 02:23:09 pm »
Quote
You were right, it is running a lot of scripts.

Meanwhile I found this article online.
https://www.bleepingcomputer.com/virus-removal/remove-console-window-host-conhost.exe-monero-miner

I am pretty sure I am a victim.  :palm: Damn you Russians.  |O

It looks like you have a path forward.  Please post back and let us know how it worked out.  Since there is a well established process for cleaning up this mess, you can be certain you aren't the only one with the problem.  It would be nice to know the solution before it happens to me.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #22 on: August 16, 2017, 10:23:03 pm »
Quote
Look, we all know it's probably Russians. They are the experts. I am saying it as a compliment. No offense.

Saying it's 'the Russians' sounds like a throwback to the Cold War and doesn't really take the international nature of digital crime into account. These are large networks of highly skilled criminals from all parts of the world.
 
The following users thanked this post: 3db

Offline hermit

  • Frequent Contributor
  • **
  • Posts: 482
  • Country: us
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #23 on: August 16, 2017, 11:13:13 pm »
Pretty well documented if you care to look that it is pretty easy to get cheap server space in Russia.  Mom & Pop operations that will take anything if you pay.  Many legitimately don't know what they're hosting, most don't care if they do.  The government won't step in because, well, they use the same services.  It provides cover to their operations.  If they bust some sites the ones that remain are obviously there with government blessing.  So, yeah, the Russians permit a small cesspool because it serves their larger goal to do so.  It's the one instance they seem to fully support a 'free market economy'.

This doesn't mean things coming from Russia originated there.  They could be renting that space from anywhere.  Also, if the domain ends in .ru it would be up to that top level domain registrar to clean up rogue sites.  That won't happen either.  See above.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: What is a TCP/IP ARP command and Why is it hogging my CPU?
« Reply #24 on: August 17, 2017, 12:53:23 am »
Quote
Pretty well documented if you care to look that it is pretty easy to get cheap server space in Russia.  Mom & Pop operations that will take anything if you pay.  Many legitimately don't know what they're hosting, most don't care if they do.  The government won't step in because, well, they use the same services.  It provides cover to their operations.  If they bust some sites the ones that remain are obviously there with government blessing.  So, yeah, the Russians permit a small cesspool because it serves their larger goal to do so.  It's the one instance they seem to fully support a 'free market economy'.

This doesn't mean things coming from Russia originated there.  They could be renting that space from anywhere.  Also, if the domain ends in .ru it would be up to that top level domain registrar to clean up rogue sites.  That won't happen either.  See above.

You make an important distinction there. Rather than saying it is the Russians, you say it's unknown people using Russian infrastructure. That is much more accurate, at least in this case.

To what degree the people providing the infrastructure are responsible is a difficult subject with very profound consequences.
 

