Jump to content

cs9.WAC.phicdn.net found in pc

Recommended Posts

Hi. So a few years ago , we got a new HP slim desktop 260-a010 PC running windows 10, and in the few years weve had it, it has always had trouble using and connecting to internet. Out of the box it couldn't even connect to the internet without BITS off and logs cleared out. When our mobile carrier gives us extra speed it gets faster. But this past month, it didnt.

I tried various steps to 'optimize' the pc by turning off auto-updates of various programs and features, but no matter how much I tried, it wouldn't improve. So then, I was looking at how much data all the programs use in the windows settings, and I found that the System Process with pid  4 was hogging it all. In process hacker, system 4 was apparently ntskrnl.exe sending data into udp port 137. Using nirsoft Cports, the domain of that port was cs9.wac.phicdn.net.

Also, ports 135,136,137 and 139 were listening and so were 80, 445 and 443. I took measures to close the ports in the firewall, but only 136 & 137 were sucessfully closed. For 139 , i tried binding loopback tracing, but it is still open, and for 445 I set it to http..

I have theorized that the speed is so slow because of DNS client, which in process hacker keeps getting highlighted green or red and at the same time the kbps in taskmanger drops to 0 every few seconds

I'd really like some help on this problem.. I hope its not a trojan trying to download our data.. I suspect it could be from IV webcam which we installed a few months ago, but I did uninstall it right after we got it, so I could be wrong, but it does come from China.

Is there any thing log I can upload to help identify the problem?

Link to post
Share on other sites

  • Root Admin

Hello @GoodConduct

Let us get some logs please so that we can take a look and see what might be going on.


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you



Link to post
Share on other sites

  • Root Admin

The computer is having networking issues. Do any other computers or smartphones in the home have issues with connecting to the Internet using the router in the home?


Just one of the examples of errors.

Error: (10/24/2021 11:16:39 PM) (Source: NetBT) (EventID: 4311) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "9822EF92A51B" to identify the interface for which initialization
failed. It represents the MAC address of the failed interface or the
Globally Unique Interface Identifier (GUID) if NetBT was unable to
map from GUID to MAC address. If neither the MAC address nor the GUID were
available, the string represents a cluster device name.

Error: (10/24/2021 11:13:14 PM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.


You have what appears to be at least 22 different virtual network connections from VirtualBox that seems rather excessive. I have both VirtualBox and VMware myself and several hosts set up and between all of them I don't think I'm using that many virtual network connections. Are those all valid for you?


We can do some clean up of the system in general and do some factory reset work on the networking but that would affect your Virtualbox network settings possibly too.

Please let me know more about the computer and how it's being used before we proceed to try to clean up and reset things.

Thanks @GoodConduct


Link to post
Share on other sites

Well, we don't use any of those Virtualbox connections, so those can be cleared up.

We have a lot of files and not a lot of places to back them up on, I know that.. 

The networking error might be coming from how I blocked some of the active ports in Firewall?

Well, as far as the network setup goes, it would be okay to change it as long as it won't modify our Edge, Firefox data in any way. 

Link to post
Share on other sites

Okay, well let's do it! :)

Also, I'd like to tell you about something else I found. Apparently, in Wireshark there seems to be a listing for several ARP (not sure what that is) that are in a state called 'broadcast' and are called LiteonTe_92 and they are trying to connect to a mac address (which is asking for my local address) From what I know, liteon is a Taiwanese electronic manufacturer.. And I don't use a router, either. Would a Canon printer be causing this? 


If possible, Id like some help with everything I'm seeing in Wireshark, unless resetting the network will help

Link to post
Share on other sites

  • Root Admin

Everything broadcasts. More than likely just a red herring if you will, meaning nothing wrong in that area. We'll clean up and go from there.


Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.




Link to post
Share on other sites

  • Root Admin

I'm sorry but tracking where things actually came from falls under forensics which we do not offer. Basically you take and image the system and then review that image physically to determine where something originated. That can cost hundreds to thousands of dollars depending on what level of review you're going to do.

We provide free basic review of what we find running on the computer and provide methods to remove it.


Edited by AdvancedSetup
updated information
Link to post
Share on other sites

  • 3 months later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.