Continuous in & out internet traffic started yesterday

Yesterday my computer began continuously receiving & sending data, as indicated by the twin monitors icon, confirmed by the local area connection dialog box. This happened sometime during the day, absent any unusual incidents. I was editing a local copy of a website with MS FrontPage, and accessing Twitter and other CLEAN websites. Among other tasks, I was picking up code for Twitter Tweet & Follow buttons. These tasks completed OK, and I uploaded the revised website to the remote server.
On Friday 4/28, I did experience a hang & spontaneous reboot at some point when the monitor was off and no applications beyond Task Manager and WordPad were loaded. It took several reboots before the system restarted with everything running. Initially, the desktop loaded with an error message, and Norton Ghost & AV did not start. It is all running fine now.
The system connects with the internet via a Comcast modem and a Linksys router. Security: Norton AV 2009 16.8.0.41 updated many times daily, ZoneAlarm 9.3.014.000 with TrueVector v9.3.014.00, and Spybot updated weekly. Scans with Norton AV & Spybot yesterday found no problems.

Attempted solutions:
* Review Task Manager: during continuous send, no additional CPU or process activity. Machine & internet access run at usual fast speed, with no apparent problems.
* Close all apps that might access internet: no change.
* Comment out twitter button code on local copy of web: no change.
* Engage ZoneAlarm internet lock: traffic stops. Releasing lock: no traffic for about 2 minutes, then resumption of continuous activity.

This machine was installed about 2 years ago. Outside of the system problems caused by Firefox, which have all seemed to be self-correcting after a few reboots, it has never exhibited problems, nor has it slowed noticeably, despite the massive accumulation of whatever in that 2 years.

What is happening? This activity cannot possibly be proper, in the absence of any user input or connection to continuously updating sites such as Yahoo Finance. How do I locate & fix?

NOTE: I am NOT an expert, so keep it simple and do not assume advanced knowledge, please.
Asked by: gbad00
 
younghv commented:
There are a couple of EE Articles that will get you started on your trouble-shooting.

This one is brand new:
http://www.experts-exchange.com/A_5327.html

This one is older, but has some good basic stuff:
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
 
gbad00 (Author) commented:
younghv:
Thanks for prompt response.
Newer article on router infection was interesting because I have an old IBM ThinkPad XP Pro S1 on the same Linksys router as the main machine. The IBM is used only 40 min/day to look at comic strips on mainstream sites (although they do carry a ton of ads - who knows?) and read the NY Times. Its NAV 2009 was way out of date; it has only ZA Free version.
I just updated the virus signatures and ran a scan. Results - negative.

***More to the point:  THE IBM DOES ***NOT*** SHOW CONTINUOUS TRAFFIC***  suggesting it is NOT source of trouble so is probably not router infection. (Make sense?)

In using ComboFix - where do I find a "helper"? This app seems really dangerous. I cannot afford to lose ANY functionality, not even for one day.

How about MBAM Pro?  What are potential side effects there?  I prefer not to lose certain of the data it will clean, incl some cookies. Can these  be selected? It seems you use it regularly

You suggest
"For an on-going discussion about the proper use of ComboFix (and the proper way to recommend how it is used), please see the open question at: http://www.experts-exchange.com/Q_26896002.html"
This redirects to http://www.experts-exchange.com/Community_Support/Hidden/Private_Discussions/Q_26896002.html
& msg says "You do not have the proper permissions to access this Question". So that is not helpful.
I wouldn't suppose there might just be a log to look at showing where this traffic is going and coming from?  With the process or executable that is handling it or calling it? What do you think?
Thanks for your help!
 
younghv commented:
We call that an "Ooops" around here (my mistake).

Here is the current link:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_26933025.html

I use Malwarebytes (Free and Pro) constantly while repairing malware infections and have never had a bad experience of any kind. Very safe and simple to use. They have a large staff of people working and update it several times a day.

ComboFix is a function entirely of the efforts of one man and is more complicated in the evaluation of the logs that are produced. We do have Experts here on EE who are "Trusted Helpers" for CF - with "rpggamergirl" being the lead.

I would run MBAM first and post the resultant log. Let us take a look at it and then we can suggest actions/other tools to use.

If you do have some kind of infection, most "AV" programs are not designed to either find it or fix it. Their function is prevention, not repair.

I'll continue to monitor this question as I go fix the link in my Article.

Thanks.
 
gbad00 (Author) commented:
OK - here is MBAM scan results.  Nothing of interest, it seems.
??

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6493

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/2/2011 4:08:45 PM
mbam-log-2011-05-02 (16-08-45).txt

Scan type: Full scan (C:\|H:\|)
Objects scanned: 230336
Time elapsed: 34 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
younghv commented:
MBAM does look clean - did you run any of the "Rogue Process Killers" before starting it?

By way of prevention/checking you can also run TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

"rpg" should be on-line within the next couple of hours if you want to run ComboFix and post that log too.
 
gbad00 (Author) commented:
Rogue process killer? I didn't see a reference to that, or I missed it.  Are you referring to  CCleaner (www.ccleaner.com)? I am suspicious of that, even more so of TDSSKILLER. How do they know what is a necessary file, even if long unused, and what should be deleted? What are the chances of getting into worse trouble?
By the way, the traffic continues! No slowing of operations, no load on the CPU, no slowing of desired connectivity.  
 
younghv commented:
Many variants of malware include a "rogue process" that will prevent your scanning tools from loading/running properly.

The three that I can personally recommend are here:

RogueKiller: http://www.geekstogo.com/forum/files/file/413-roguekiller/ 

Rkill: http://www.bleepingcomputer.com/download/anti-virus/rkill

TheKiller
• Download TheKiller to your Desktop
http://www.osvemu.com/thekiller/explorer.exe

• Note that TheKiller is renamed as explorer.exe
• Run it by double click
• Press OK button after program finish
• Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller, ComboFix

I discuss the basic use in these Articles:
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
 
gbad00 (Author) commented:
Yes, thank you. I have the Rogue Killer site open and read the directions for use.  It suggests closing all open processes.  Does that include Zonealarm, NAV, & Spybot?  I can imagine such an app "recognizing" them as malware. In fact, zonealarm saw MBAM as malware!
I will use it if you can assure me it will not corrupt or delete these programs.
 
gbad00 (Author) commented:
To repeat a previous question: Is there not just a log somewhere of traffic activity that would identify processes using the internet? I looked through ZoneAlarm's programs list, and saw nothing out of line. In a few cases, I changed automatic internet access to "ask each time".
There is also a components list of all the associated .exe's for all the applications.  Many have access.  Any way to see which ones are sending/receiving when they should not be?
 
gbad00 (Author) commented:
OK!  Moving right along.
Ran Rogue killer:
+++++++++++
RogueKiller V5.1.0 [05/02/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Ed [Admin rights]
Mode: Scan -- Date : 05/02/2011 18:41:06
Bad processes: 0
Registry Entries: 0

HOSTS File:
127.0.0.1       localhost
127.0.0.1      www.007guard.com
127.0.0.1      007guard.com
127.0.0.1      008i.com
127.0.0.1      www.008k.com
127.0.0.1      008k.com
127.0.0.1      www.00hq.com
127.0.0.1      00hq.com
127.0.0.1      010402.com
127.0.0.1      www.032439.com
127.0.0.1      032439.com
127.0.0.1      www.0scan.com
127.0.0.1      0scan.com
127.0.0.1      www.1000gratisproben.com
127.0.0.1      1000gratisproben.com
127.0.0.1      www.1001namen.com
127.0.0.1      1001namen.com
127.0.0.1      100888290cs.com
127.0.0.1      www.100888290cs.com
127.0.0.1      100sexlinks.com
[...]
++++++++++++++++++++
I see on
http://winhelp2002.mvps.org/hosts.htm
that this is a list of blocked sites that can be added to by Spybot. This site also offers an app that will add substantially to the list. Note that "localhost" is at the top.  THAT IS MY VIRTUAL WEBSERVER!! (IIS 5.something)  It is clearly NOT being blocked, so I am not sure how this is working.
I would be very happy to add to this file according to the syntax shown on
http://winhelp2002.mvps.org/hosts.htm.  
What do you know about this?

So... ran MBAM again - quick scan this time.
+++++++++
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6493

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/2/2011 6:50:40 PM
mbam-log-2011-05-02 (18-50-40).txt

Scan type: Quick scan
Objects scanned: 153792
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
+++++++++++++++++++++++++++++++++
MEANWHILE... TRAFFIC CONTINUES.
What now? I would just accept it, but in a mechanical system, NO CHANGES ARE GOOD UNLESS USER-INITIATED. It's new, unexpected, and thus bad.
Any ideas?
 PS: thanks very much for your attentive help so far.  I am learning quite a bit.


Finished : << RKreport[1].txt >>
RKreport[1].txt
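The HOSTS file question in the post above (why `localhost` sits at the top of a block list and is not itself blocked) can be answered by sorting the file's entries by what they do. The script below is an added example; it is not from this thread, from Spybot or from the MVPS list. It reads the format shown in the RogueKiller report (an address followed by one or more names, `#` comments), treats entries that point at a loopback or unspecified address (127.0.0.1, 0.0.0.0, ::1) as sinkhole entries, keeps the standard `localhost` names apart from those, and flags any name that is pointed at a routable address, which is the pattern a hostile HOSTS edit uses. The sample input is constructed: a few lines copied from the report plus one made-up bank name on the documentation address 203.0.113.5.

```python
import ipaddress

# Constructed sample in the format of the HOSTS file shown in the thread:
# the default localhost line, a few Spybot/MVPS block entries, a comment,
# a tab-separated IPv6 line and one invented redirect (203.0.113.5 is a
# documentation-only address; the bank name is made up for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1      www.007guard.com
127.0.0.1      007guard.com
0.0.0.0        008i.com   # newer MVPS lists use 0.0.0.0
::1\tlocalhost\tip6-localhost
203.0.113.5    www.examplebank.invalid examplebank.invalid
"""

# Names that legitimately resolve to the machine itself.
LOCAL_NAMES = {"localhost", "ip6-localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (address, [names], line_no) for every non-comment line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, keep the rest
        if not line:
            continue
        addr, *names = line.split()          # spaces or tabs both separate fields
        entries.append((addr, names, n))
    return entries


def classify(text):
    """Sort HOSTS entries into what each one actually does.

    loopback_names: localhost-style names mapped to this machine (normal)
    blocked:        other names sinkholed to 127.0.0.1 / 0.0.0.0 / ::1
    redirects:      names sent to a routable address; review every one
    invalid:        lines whose first field is not an IP address
    """
    report = {"loopback_names": [], "blocked": [], "redirects": [], "invalid": []}
    for addr, names, n in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["invalid"].append((n, addr))
            continue
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                if name in LOCAL_NAMES:
                    report["loopback_names"].append(name)
                else:
                    report["blocked"].append(name)
            else:
                # A real host name pointed somewhere other than this machine:
                # this is how a HOSTS hijack works, so surface it for review.
                report["redirects"].append((name, addr))
    return report


if __name__ == "__main__":
    result = classify(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} blocked names, "
          f"{len(result['redirects'])} redirects to review")
    for name, addr in result["redirects"]:
        print(f"  REVIEW: {name} -> {addr}")
```

On a Windows XP machine the file is `C:\WINDOWS\system32\drivers\etc\hosts`; read it into `classify` with `open(path).read()`. The `127.0.0.1 localhost` line is not a block entry at all: it maps the name `localhost` to the loopback address, which is exactly where a local IIS instance answers, so the local web server keeps working. The block entries do the same mapping for advertising domains, so requests for those names also go to the local machine; if IIS is listening on port 80 of the loopback interface, such requests will reach IIS instead of failing outright.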
 
gbad00 (Author) commented:
You have been helpful so far. But the behavior persists, and no cause has been found. Any more ideas?
 
gbad00 (Author) commented:
Have you given up on this question? I am still having the problem.
 
Ron Malmstead (Information Services Manager) commented:
Go to command prompt.
Start > run > cmd > enter.

Type:   Netstat -a -b

Do this while you suspect traffic is occurring.  Try not to have anything else running.
Then...Post the results here.

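The `netstat -a -b` output answers the question asked earlier in the thread (which executable is handling each connection), but it is easier to read once the owning process is attached to every row. The script below is an added example, not from the thread or from any tool named in it. It parses saved `netstat -a -b` output in the Windows XP layout, including the continuation line netstat emits when a long foreign address wraps, and the `[name.exe]` line it prints after each row, then lists the rows that actually talk to another host. The sample text is constructed from a trimmed copy of the output the poster later supplied; the host name `main1`, the PIDs and the process names are taken from it.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the netstat -a -b output posted in this thread.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    main1:microsoft-ds     main1:0                LISTENING       4
  [System]

  TCP    main1:1088             209.87.209.31:http     ESTABLISHED     2176
  [ForceField.exe]

  TCP    main1:1107             a96-6-46-40.deploy.akamaitechnologies.com:http
ESTABLISHED     288
  [vsmon.exe]

  TCP    main1:1051             localhost:1095         TIME_WAIT       0
  UDP    main1:snmp             *:*                                    2304
  [snmp.exe]

  UDP    main1:1900             *:*                                    1932
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  [svchost.exe]
"""

TCP_STATES = {"LISTENING", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "SYN_SENT",
              "SYN_RECEIVED", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}
LOCAL_HOSTS = {"localhost", "*", "0.0.0.0", "127.0.0.1"}


def parse_netstat_b(text):
    """Parse 'netstat -a -b' (Windows XP layout) into a list of dicts.

    Each dict has proto, local, foreign, state, pid and process. The '[name.exe]'
    line netstat prints after a row is attached to every preceding row that is
    still unassigned and has a real PID; PID 0 rows (TIME_WAIT leftovers) belong
    to no process and keep "(none)".
    """
    entries, unassigned, pending = [], [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if pending is not None and len(tok) == 2 and tok[0] in TCP_STATES:
            # continuation of a row netstat wrapped after a long foreign address
            pending["state"], pending["pid"] = tok[0], int(tok[1])
            pending = None
            continue
        if tok[0] in ("TCP", "UDP"):
            e = {"proto": tok[0], "local": tok[1], "foreign": tok[2],
                 "state": "", "pid": None, "process": "(none)"}
            if tok[0] == "UDP" and len(tok) == 4:
                e["pid"] = int(tok[3])
            elif tok[0] == "TCP" and len(tok) == 5:
                e["state"], e["pid"] = tok[3], int(tok[4])
            else:
                pending = e  # state and PID arrive on the next line
            entries.append(e)
            unassigned.append(e)
            continue
        m = re.fullmatch(r"\[(.+)\]", raw.strip())
        if m:
            for e in unassigned:
                if e["pid"]:
                    e["process"] = m.group(1)
            unassigned = []
        # anything else (headers, module paths such as WS2_32.dll) is skipped
    return entries


def remote_connections(entries):
    """Rows whose foreign side is another host: not this machine, not loopback,
    not the '*:*' wildcard of a UDP socket, and not a listening socket."""
    hostname = entries[0]["local"].rsplit(":", 1)[0] if entries else ""
    out = []
    for e in entries:
        host = e["foreign"].rsplit(":", 1)[0]
        if host and host not in LOCAL_HOSTS and host != hostname \
                and e["state"] != "LISTENING":
            out.append((e["process"], e["local"], e["foreign"], e["state"]))
    return out


def by_process(entries):
    """Group foreign addresses by owning executable."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["process"]].append(e["foreign"])
    return dict(groups)


if __name__ == "__main__":
    rows = parse_netstat_b(SAMPLE)
    for proc, local, foreign, state in remote_connections(rows):
        print(f"{proc:<16} {local:<20} -> {foreign} [{state}]")
```

Save a run with `netstat -a -b > netstat.txt` while the activity is visible and feed the file's contents to `parse_netstat_b`. Since netstat is a snapshot, take several a minute apart and compare the remote rows; a connection that is present in every snapshot under the same executable is the one to look into. On the sample, both remote rows belong to ZoneAlarm components (ForceField.exe and vsmon.exe), which is what the later replies in the thread conclude.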
 
gbad00 (Author) commented:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Ed>Netstat -a -b

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    main1:microsoft-ds     main1:0                LISTENING       4
  [System]

  TCP    main1:netbios-ssn      main1:0                LISTENING       4
  [System]

  TCP    main1:1088             209.87.209.31:http     ESTABLISHED     2176
  [ForceField.exe]

  TCP    main1:1107             a96-6-46-40.deploy.akamaitechnologies.com:http
ESTABLISHED     288
  [vsmon.exe]

  TCP    main1:1051             localhost:1095         TIME_WAIT       0
  TCP    main1:1089             localhost:1051         TIME_WAIT       0
  TCP    main1:1091             localhost:1051         TIME_WAIT       0
  TCP    main1:1093             localhost:1051         TIME_WAIT       0
  TCP    main1:1097             localhost:1051         TIME_WAIT       0
  TCP    main1:1099             localhost:1051         TIME_WAIT       0
  TCP    main1:1101             localhost:1051         TIME_WAIT       0
  TCP    main1:1103             localhost:1051         TIME_WAIT       0
  TCP    main1:1105             localhost:1051         TIME_WAIT       0
  UDP    main1:snmp             *:*                                    2304
  [snmp.exe]

  UDP    main1:isakmp           *:*                                    1364
  [lsass.exe]

  UDP    main1:4500             *:*                                    1364
  [lsass.exe]

  UDP    main1:microsoft-ds     *:*                                    4
  [System]

  UDP    main1:3456             *:*                                    1784
  [inetinfo.exe]

  UDP    main1:1900             *:*                                    1932
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:ntp              *:*                                    1728
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:1900             *:*                                    1932
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:ntp              *:*                                    1728
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:netbios-ns       *:*                                    4
  [System]

  UDP    main1:netbios-dgm      *:*                                    4
  [System]


C:\Documents and Settings\Ed>Netstat -a -b

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    main1:microsoft-ds     main1:0                LISTENING       4
  [System]

  TCP    main1:netbios-ssn      main1:0                LISTENING       4
  [System]

  TCP    main1:1088             209.87.209.31:http     ESTABLISHED     2176
  [ForceField.exe]

  TCP    main1:1117             a96-17-149-58.deploy.akamaitechnologies.com:htt
  ESTABLISHED     2176
  [ForceField.exe]

  UDP    main1:snmp             *:*                                    2304
  [snmp.exe]

  UDP    main1:isakmp           *:*                                    1364
  [lsass.exe]

  UDP    main1:4500             *:*                                    1364
  [lsass.exe]

  UDP    main1:3456             *:*                                    1784
  [inetinfo.exe]

  UDP    main1:microsoft-ds     *:*                                    4
  [System]

  UDP    main1:1111             *:*                                    1988
  [iexplore.exe]

  UDP    main1:1900             *:*                                    1932
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:ntp              *:*                                    1728
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:netbios-ns       *:*                                    4
  [System]

  UDP    main1:ntp              *:*                                    1728
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:1900             *:*                                    1932
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    main1:netbios-dgm      *:*                                    4
  [System]
 
Ron Malmstead (Information Services Manager) commented:
The only traffic that shows is zone alarm.

Do you have zone alarm installed ?
 
gbad00 (Author) commented:
Yes.
 
Ron Malmstead (Information Services Manager) commented:
What makes you believe it is traffic/malware related ?  " as indicated by the twin monitors" ?

That's not very reliable measurement.
So far you have no signs of any malware infection.

If you have general slowness or strange behaviour, it could be the result of other things besides malware/viruses.   An old hard drive may need replacing.  Could be a bad network cable.  Bad switch.  Bad network card.

I'm not sure, but I can tell you that from what you've posted, I see nothing running that implies you have a virus.
 
gbad00 (Author) commented:
<sigh...>
I agree, there are no signs of a problem - no slowing, no strange behavior except occasional hangs which have been going on for months & I believe is Firefox related.
But the machine is doing something it never did before. The traffic icon is continuously lit, and the Zonealarm activity icon is now continuously active.
If the Netstat analysis is definitive (is it?), then no data is going in or out. Otherwise - what other utility would show where traffic is headed? Can you definitely say I can wrap this up and forget about it?
I am not a computer hypochondriac, but my experience is that no machine suddenly starts good things of its own accord.
Thanks for all your assistance so far.
 
Jim Dettman (Microsoft MVP / EE MVE, President) commented:
A suggestion:

  If I can't pin down what's causing a lot of traffic, then one low-tech way to go after that is to clear all the exceptions/approved programs in the firewall. Then fire things back up. Then you get an alert each time an app tries to use the internet and need to allow or block it once again. Often, I find it is some software updater running that is causing the traffic.

  I'm not familiar with Zone Alarm, but you should be able to do the same thing easily enough. Just look for something along the lines of "program control" in the firewall section. You should see a list of programs with "allow" or "block".

  Also, a lot of firewall software has a "reset" feature to put it back to the way it was when installed.  That also clears out the approved program list.

  Maybe someone else with Zone Alarm will post with specifics on the above.

HTH,
JimD.
 
Ron Malmstead (Information Services Manager) commented:
"Can you definitely say I can wrap this up and forget about it?"

I can definitely say, with a degree of confidence, that it is not traffic related.

I wonder if the problem disappears if you disable ZoneAlarm. Maybe ZoneAlarm is constantly interrogating the NIC, causing the light show, but no traffic is actually going in/out.

If you still aren't completely convinced, you can use another traffic sniffer, called netmon.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
 
gbad00 (Author) commented:
I appreciate everyone's persistence in helping to solve the problem.  I do not yet know what program is responsible, but I will probably eventually find out. The only other, very low probability factor, is that a malware process that has some new way of hiding from everything is calling one of the exe files whose internet access I just disabled, and creating traffic through that file. Just an amusing speculation. Thanks to all.