?
Solved

Hidden program use my internet connection?

Posted on 2003-03-14
11
Medium Priority
?
392 Views
Last Modified: 2008-02-01
Usually bytes sent is less than bytes received, if you are not uploading data.
But in my computer, bytes sent is more than 3 times bytes received! and I'm
not uploading data, just browsing the internet (this makes my browsing activity slower than before).
I suspect that there is a hidden program that use my internet connection.
How can track down the problem and eliminate it?
How can I see the data sent away from my computer?
How can I know which programs that use my internet connection?

Thank you,
Andi
0
Comment
Question by:andichan2001
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +4
11 Comments
 
LVL 3

Expert Comment

by:smallbee
ID: 8137760
there are lots of spyware might have already installed in your system

use one of the tools if u r commercial user:

http://www.lavasoftusa.com/software/

get this for FREE for personal use:
http://www.lavasoftusa.com/software/adaware/
0
 

Expert Comment

by:phocus
ID: 8138573
goto command prompt

type netstat -a

this will show you a list of things
your computer is connected to and listeing for, then start going down the list and verifiying

if you find one that has a port open close the port on your firewall, other wise, kill apps that are running that you dont know what they do.

kill them one at a time, and see when the connection goes away.


if you find one you cant get, msg me and i will tell you what it is ...




0
 

Accepted Solution

by:
phocus earned 750 total points
ID: 8138577
goto command prompt

type netstat -a

this will show you a list of things
your computer is connected to and listeing for, then start going down the list and verifiying

if you find one that has a port open close the port on your firewall, other wise, kill apps that are running that you dont know what they do.

kill them one at a time, and see when the connection goes away.


if you find one you cant get, msg me and i will tell you what it is ...




0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 24

Expert Comment

by:SunBow
ID: 8138981
If you have NT, review the Event Logs.

If you want a product, (and you run virus check), then consider personal firewall such as ZoneAlarm that will let you list and block all nature of outgoing TCP/IP traffic.

Try to not allow any program to run at startup. On many OS you get StartUp folder and/or command line capability such as running MsConfig where you can review many of these.

Review task manager, for just what programs are running. Eliminating the new ones one at a time can either identify a culprit or make system ineffective, both of which can be cured through a reboot. So this is a rather intuitive time-consuming, frustrating process, but remains a viable tool when all else fails as interest permits.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8139060
> But in my computer, bytes sent is more than 3 times bytes received!

This is atypical of a good spyware, they don't really have more traffic, on their own, than the displays. They go for the URL, rather than the HTML and JGG files themselves.

If this is sporadic, it may be that you've become open for people borrowing parts of your disk for their downloads. More likely if you've opened up FTP. You running any other 'server' function? Toying with webserver?

If this is continual, a more consistent overall average, then you may have been hit with remote control program, or, a neighborhood jock who is snooping, looking for files, and perhaps trying to monitor your keystrokes. It could also be that you've been nice and agreed somewhere to volunteer your spare CPU cycles.

Most likely, if you set back and apply all upgrades to OS and browser, then add the firewall censor, then your bytes in vs bytes out should become more as you'd anticipate.
0
 
LVL 1

Expert Comment

by:PaulBobby
ID: 8139792
How savvy are you with understanding tcp/ip packets?

Running sniffer would be a good option, if you could make head or tail of the packets.

You could also install Zonealarm. This program will ask you every time something tries to connect to, OR connect _from_ your computer.

The 'connect froms' are the interesting part. If you just fire up your computer, and do nothing, and zonealarm starts bugging you about programs trying to access the Internet... bingo you've found it. By all means deny access to that program until you can figure out how to disable it.

0
 
LVL 2

Expert Comment

by:MCSE-2002
ID: 8141398
you can download a software firewall. It will tell you what programs are accessing the internet. Tiny personal firewall, blackice, zone alarm.

You can download Languard scanner from gfi.com, and scan yourself to see if you have any trojan programs installed.

give me your ip address and I can scan you, and I'll tell you.

luck,
0
 

Author Comment

by:andichan2001
ID: 8142340
It turn out that there isn't any spyware in my machine. From the command netstat -a I found out that the computer is trying to connect to Primary DNS Suffix. As soon as I remove "Primary DNS Suffix of this computer" in Network Identification, the connection's back to normal. BTW, thank you for all your comments.
0
 

Author Comment

by:andichan2001
ID: 8142717
Sorry, it turn out that the problem is now come and go. Sometimes the connection is normal:

=======================
C:\>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    hadinataa:ftp          hadinataa:0            LISTENING
  TCP    hadinataa:smtp         hadinataa:0            LISTENING
  TCP    hadinataa:http         hadinataa:0            LISTENING
  TCP    hadinataa:epmap        hadinataa:0            LISTENING
  TCP    hadinataa:https        hadinataa:0            LISTENING
  TCP    hadinataa:microsoft-ds  hadinataa:0            LISTENING
  TCP    hadinataa:1025         hadinataa:0            LISTENING
  TCP    hadinataa:1027         hadinataa:0            LISTENING
  TCP    hadinataa:1029         hadinataa:0            LISTENING
  UDP    hadinataa:epmap        *:*
  UDP    hadinataa:microsoft-ds  *:*
  UDP    hadinataa:1026         *:*
  UDP    hadinataa:1028         *:*
  UDP    hadinataa:1645         *:*
  UDP    hadinataa:1646         *:*
  UDP    hadinataa:radius       *:*
  UDP    hadinataa:radacct      *:*
  UDP    hadinataa:3456         *:*
  UDP    hadinataa:1030         *:*
  UDP    hadinataa:1031         *:*

C:\>
=======================

but sometimes the problem persist:

=======================
C:\>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    hadinataa:ftp          hadinataa:0            LISTENING
  TCP    hadinataa:smtp         hadinataa:0            LISTENING
  TCP    hadinataa:http         hadinataa:0            LISTENING
  TCP    hadinataa:epmap        hadinataa:0            LISTENING
  TCP    hadinataa:https        hadinataa:0            LISTENING
  TCP    hadinataa:microsoft-ds  hadinataa:0            LISTENING
  TCP    hadinataa:1025         hadinataa:0            LISTENING
  TCP    hadinataa:1027         hadinataa:0            LISTENING
  TCP    hadinataa:1029         hadinataa:0            LISTENING
  TCP    hadinataa:1032         hadinataa:0            LISTENING
  TCP    hadinataa:1143         hadinataa:0            LISTENING
  TCP    hadinataa:1409         hadinataa:0            LISTENING
  TCP    hadinataa:1443         hadinataa:0            LISTENING
  TCP    hadinataa:1650         hadinataa:0            LISTENING
.
.
.
.
  TCP    hadinataa:4938         hadinataa:0            LISTENING
  TCP    hadinataa:4939         hadinataa:0            LISTENING
  TCP    hadinataa:4940         hadinataa:0            LISTENING
  TCP    hadinataa:4941         hadinataa:0            LISTENING
  TCP    hadinataa:4942         hadinataa:0            LISTENING
  TCP    hadinataa:1032         hadinataa:3306         ESTABLISHED
  TCP    hadinataa:3306         hadinataa:1032         ESTABLISHED
  TCP    hadinataa:netbios-ssn  hadinataa:0            LISTENING
  TCP    hadinataa:2331         61-216-15-12.HINET-IP.hinet.net:http  ESTABLISHED
  TCP    hadinataa:2395         p4182-ipad01hodogaya.kanagawa.ocn.ne.jp:http  ESTABLISHED
  TCP    hadinataa:4018         61.149.23.190:http     ESTABLISHED
  TCP    hadinataa:4044         muccollege.co.jp:http  ESTABLISHED
  TCP    hadinataa:4429         r109.asp.mewave.com:http  ESTABLISHED
  TCP    hadinataa:4647         ppp-jt2-d.telkom.net.id:http  SYN_SENT
  TCP    hadinataa:4648         ppp-bdl-a.telkom.net.id:http  SYN_SENT
.
.
.
=======================

Please help me..
0
 

Author Comment

by:andichan2001
ID: 8142850
What can cause this hundreds or even thousands of listening tcp ports?
0
 

Expert Comment

by:rragle
ID: 10743006
I have been reading this thred with interest and am sorry to see that nothing has been added since March 15 (unless I am missing something). I am having the same experience. I have virus software on my computer as have now installed Zone Alarm Pro. My outgoing packets after an hour and a half past restart have reached 3,719,441,683,790 and my incoming is a measly 8,427. netstat gives me this:
Proto  Local Address          Foreign Address        State
  TCP    VALUED-5E2B8C56:http   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:epmap  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:https  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:microsoft-ds  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1024   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1025   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1026   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1027   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1031   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1035   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1042   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1046   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1047   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1048   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1062   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1063   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1064   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1065   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1108   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:kpop   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2042   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2043   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2052   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2055   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2522   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2901   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:5000   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:5001   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:5679   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:8103   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:8110   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:8500   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:9128   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:9130   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:9133   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:9343   VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:19997  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:19998  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:51250  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:51251  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:51712  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:51713  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:1024   localhost:1048         ESTABLISHED
  TCP    VALUED-5E2B8C56:1026   localhost:1064         ESTABLISHED
  TCP    VALUED-5E2B8C56:1042   localhost:9130         ESTABLISHED
  TCP    VALUED-5E2B8C56:1046   localhost:9130         ESTABLISHED
  TCP    VALUED-5E2B8C56:1047   localhost:9130         ESTABLISHED
  TCP    VALUED-5E2B8C56:1048   localhost:1024         ESTABLISHED
  TCP    VALUED-5E2B8C56:1062   localhost:9130         ESTABLISHED
  TCP    VALUED-5E2B8C56:1063   localhost:9130         ESTABLISHED
  TCP    VALUED-5E2B8C56:1064   localhost:1026         ESTABLISHED
  TCP    VALUED-5E2B8C56:ms-sql-s  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2082   localhost:2081         TIME_WAIT
  TCP    VALUED-5E2B8C56:2085   localhost:2084         TIME_WAIT
  TCP    VALUED-5E2B8C56:2088   localhost:2087         TIME_WAIT
  TCP    VALUED-5E2B8C56:2091   localhost:2090         TIME_WAIT
  TCP    VALUED-5E2B8C56:2094   localhost:2093         TIME_WAIT
  TCP    VALUED-5E2B8C56:2097   localhost:2096         TIME_WAIT
  TCP    VALUED-5E2B8C56:2100   localhost:2099         TIME_WAIT
  TCP    VALUED-5E2B8C56:2103   localhost:2102         TIME_WAIT
  TCP    VALUED-5E2B8C56:2106   localhost:2105         TIME_WAIT
  TCP    VALUED-5E2B8C56:2107   localhost:11523        TIME_WAIT
  TCP    VALUED-5E2B8C56:2108   localhost:11523        TIME_WAIT
  TCP    VALUED-5E2B8C56:2109   localhost:11523        TIME_WAIT
  TCP    VALUED-5E2B8C56:9130   localhost:1042         ESTABLISHED
  TCP    VALUED-5E2B8C56:9130   localhost:1046         ESTABLISHED
  TCP    VALUED-5E2B8C56:9130   localhost:1047         ESTABLISHED
  TCP    VALUED-5E2B8C56:9130   localhost:1062         ESTABLISHED
  TCP    VALUED-5E2B8C56:9130   localhost:1063         ESTABLISHED
  TCP    VALUED-5E2B8C56:11523  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:11523  localhost:2079         TIME_WAIT
  TCP    VALUED-5E2B8C56:51200  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:51201  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:53010  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:53248  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:53249  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:53250  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:53504  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:53632  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:netbios-ssn  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:kpop   169.132.117.39:http    ESTABLISHED
  TCP    VALUED-5E2B8C56:ms-sql-s  VALUED-5E2B8C56:0      LISTENING
  TCP    VALUED-5E2B8C56:2052   berp-fe10.dial.aol.com:5190  ESTABLISHED
  TCP    VALUED-5E2B8C56:2055   64.12.26.153:5190      ESTABLISHED
  UDP    VALUED-5E2B8C56:microsoft-ds  *:*
  UDP    VALUED-5E2B8C56:isakmp  *:*
  UDP    VALUED-5E2B8C56:1030   *:*
  UDP    VALUED-5E2B8C56:1075   *:*
  UDP    VALUED-5E2B8C56:1104   *:*
  UDP    VALUED-5E2B8C56:1105   *:*
  UDP    VALUED-5E2B8C56:ms-sql-m  *:*
  UDP    VALUED-5E2B8C56:3456   *:*
  UDP    VALUED-5E2B8C56:6801   *:*
  UDP    VALUED-5E2B8C56:6802   *:*
  UDP    VALUED-5E2B8C56:ntp    *:*
  UDP    VALUED-5E2B8C56:1086   *:*
  UDP    VALUED-5E2B8C56:1095   *:*
  UDP    VALUED-5E2B8C56:1239   *:*
  UDP    VALUED-5E2B8C56:1717   *:*
  UDP    VALUED-5E2B8C56:1793   *:*
  UDP    VALUED-5E2B8C56:1900   *:*
  UDP    VALUED-5E2B8C56:ntp    *:*
  UDP    VALUED-5E2B8C56:netbios-ns  *:*
  UDP    VALUED-5E2B8C56:netbios-dgm  *:*
  UDP    VALUED-5E2B8C56:1900   *:*
  UDP    VALUED-5E2B8C56:2057   *:*
  UDP    VALUED-5E2B8C56:ntp    *:*
  UDP    VALUED-5E2B8C56:1900   *:*

Does anybody recognize an obvious culprit here? Thanks!
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Check out the latest tech news, community articles, and expert highlights in August's newsletter.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question