gbad00
asked on
Continuous in & out internet traffic started yesterday
Yesterday my computer began a continuous receiving & sending data, as indicated by the twin monitors icon, confirmed by the local area connection dialog box. This happened sometine during the day, absent any unusual incidents. I was editing a local copy of website with MS Frontpage, and accessing Twitter and other CLEAN websites. among other tasks, I was picking up code for Twitter Twee & Follow buttons. These tasks completed OK, and I uploaded revised website to remote server.
On Friday 4/28, I did experience a hang & spontaneous reboot at some point when the monitor was off and no applications beyoond task manager and word pad were loaded. Took several reboots before system restarted with everything running. Initially, desktop loaded with an error message, and Norton Ghost & AV did not start. It is all running fine now.
System connects with internet via Comcast modem, Linksys router. Security: Norton AV 2009 16.8.0.41 updated many times daily, Zonelaram 9.3.014.000 with TrueVector v9.3.014.00, and Spybot updated weekly. Scans with Norton AV & spybot yesterday found no problems.
Attempted solutions:
*Review Task Manager: during continuous send, no additional CPU or process activity. Machine & internet access run at usual fast speed, with no apparent problems.
*Close all apps that might access internet: no change.
*Comment out twitter button code on local copy of web: no change
* engage Zonealarm internet lock. Traffic stops. Releasing lock : No traffic for about 2 minutes, then resumption of continuous activity.
This machine was installed about 2 years ago. Outside of the system problems caused by Firefox, which have all seemed to be self-correcting after a few reboots, it has never exhibited problems, nor has it slowed noticeably, despite the massive accumulation of whatever in that 2 years.
What is happening? This activity cannot possibly be proper, in the absence of any user input or connection to continuously updating sites such as Yahoo Finance. How do I locate & fix?
NOTE: I am NOT an expert, so keep it simple and do not assume advanced knowledge, please.
On Friday 4/28, I did experience a hang & spontaneous reboot at some point when the monitor was off and no applications beyoond task manager and word pad were loaded. Took several reboots before system restarted with everything running. Initially, desktop loaded with an error message, and Norton Ghost & AV did not start. It is all running fine now.
System connects with internet via Comcast modem, Linksys router. Security: Norton AV 2009 16.8.0.41 updated many times daily, Zonelaram 9.3.014.000 with TrueVector v9.3.014.00, and Spybot updated weekly. Scans with Norton AV & spybot yesterday found no problems.
Attempted solutions:
*Review Task Manager: during continuous send, no additional CPU or process activity. Machine & internet access run at usual fast speed, with no apparent problems.
*Close all apps that might access internet: no change.
*Comment out twitter button code on local copy of web: no change
* engage Zonealarm internet lock. Traffic stops. Releasing lock : No traffic for about 2 minutes, then resumption of continuous activity.
This machine was installed about 2 years ago. Outside of the system problems caused by Firefox, which have all seemed to be self-correcting after a few reboots, it has never exhibited problems, nor has it slowed noticeably, despite the massive accumulation of whatever in that 2 years.
What is happening? This activity cannot possibly be proper, in the absence of any user input or connection to continuously updating sites such as Yahoo Finance. How do I locate & fix?
NOTE: I am NOT an expert, so keep it simple and do not assume advanced knowledge, please.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
We call that an "Ooops" around here (my mistake).
Here is the current link:
https://www.experts-exchange.com/questions/26933025/Safe-Mode-Recommendations-for-ComboFix-MBAM.html
I use Malwarebytes (Free and Pro) constantly while repairing malware infections and have never had a bad experience of any kind. Very safe and simple to use. They have a large staff of people working and update it several times a day.
ComboFix is a function entirely of the efforts of one man and is more complicated in the evaluation of the logs that are produced. We do have Experts here on EE who are "Trusted Helpers" for CF - with "rpggamergirl" being the lead.
I would run MBAM first and post the resultant log. Let us take a look at it and then we can suggest actions/other tools to use.
If you do have some kind of infection, most "AV" programs are not designed to either find it or fix it. Their function is prevention, not repair.
I'll continue to monitor this question as I go fix the link in my Article.
Thanks.
Here is the current link:
https://www.experts-exchange.com/questions/26933025/Safe-Mode-Recommendations-for-ComboFix-MBAM.html
I use Malwarebytes (Free and Pro) constantly while repairing malware infections and have never had a bad experience of any kind. Very safe and simple to use. They have a large staff of people working and update it several times a day.
ComboFix is a function entirely of the efforts of one man and is more complicated in the evaluation of the logs that are produced. We do have Experts here on EE who are "Trusted Helpers" for CF - with "rpggamergirl" being the lead.
I would run MBAM first and post the resultant log. Let us take a look at it and then we can suggest actions/other tools to use.
If you do have some kind of infection, most "AV" programs are not designed to either find it or fix it. Their function is prevention, not repair.
I'll continue to monitor this question as I go fix the link in my Article.
Thanks.
ASKER
OK - here is MBAM scan results. Nothing of interest, it seems.
??
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6493
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/2/2011 4:08:45 PM
mbam-log-2011-05-02 (16-08-45).txt
Scan type: Full scan (C:\|H:\|)
Objects scanned: 230336
Time elapsed: 34 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
??
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6493
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/2/2011 4:08:45 PM
mbam-log-2011-05-02 (16-08-45).txt
Scan type: Full scan (C:\|H:\|)
Objects scanned: 230336
Time elapsed: 34 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
MBAM does look clean - did you run any of the "Rogue Process Killers" before starting it?
By way of prevention/checking you can also run TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
"rpg" should be on-line within the next couple of hours if you want to run ComboFix and post that log too.
By way of prevention/checking you can also run TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
"rpg" should be on-line within the next couple of hours if you want to run ComboFix and post that log too.
ASKER
Rogue process killer? I didn't see a reference to that, or I missed it. Are you referring to CCleaner (www.ccleaner.com)? I am suspicious of that, even more so of TDSSKILLER. How do they know what is a necessary file, even if long unused, and what should be deleted? What are the chances of getting into worse trouble?
By the way, the traffic continues! No slowing of operations, no load on the CPU, no slowing of desired connectivity.
By the way, the traffic continues! No slowing of operations, no load on the CPU, no slowing of desired connectivity.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes, thank you. I have the Rogue Killer site open and read the directions for use. It suggests closing all open processes. Does that include Zonealarm, NAV, & Spybot? I can imagine such an app "recognizing" them as malware. In fact, zonealarm saw MBAM as malware!
I will use it if you can assure me it will not corrupt or delete these programs.
I will use it if you can assure me it will not corrupt or delete these programs.
ASKER
To repear a previous question: Is there not just a log somewhere of traffic activity that would identify processes using the internet? I looked through Zonelarms programs list, and saw nothing out of line. In a few cases, I changed automatic internet access to "ask each time".
There is also a components list of all the associated .exe's for all the applications. Many have access. Any way to see which ones are sending/receiving when they should not be?
There is also a components list of all the associated .exe's for all the applications. Many have access. Any way to see which ones are sending/receiving when they should not be?
ASKER
OK! Moving right along.
Ran Rogue killer:
+++++++++++
RogueKiller V5.1.0 [05/02/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Ed [Admin rights]
Mode: Scan -- Date : 05/02/2011 18:41:06
Bad processes: 0
Registry Entries: 0
HOSTS File:
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
[...]
++++++++++++++++++++
I see on
http://winhelp2002.mvps.org/hosts.htm
that this is a list of blocked sites that can be added to by Spybot. This site also offers an app that will add substantially to the list. Note that "localhost" is at the top. THAT IS MY VIRTUAL WEBSERVER!! (IIS 5.something) It is clearly NOT being blocked, so I am not sure how this is working.
I would be very happy to add to this file according to the syntax shown on
http://winhelp2002.mvps.org/hosts.htm.
What do you know about this?
So... ran MBAM again - quick scan this time.
+++++++++
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6493
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/2/2011 6:50:40 PM
mbam-log-2011-05-02 (18-50-40).txt
Scan type: Quick scan
Objects scanned: 153792
Time elapsed: 4 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
++++++++++++++++++++++++++
MEANWHILE... TRAFFIC CONTINUES.
What now? I would just accept it, but in a mechanical system, NO CHANGES ARE GOOD UNLESS USER-INIITIATED. It's new, unexpected, and thus bad.
Any ideas?
PS: thanks very much for your attentive help so far. I am learning quite a bit.
Finished : << RKreport[1].txt >>
RKreport[1].txt
Ran Rogue killer:
+++++++++++
RogueKiller V5.1.0 [05/02/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Ed [Admin rights]
Mode: Scan -- Date : 05/02/2011 18:41:06
Bad processes: 0
Registry Entries: 0
HOSTS File:
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
[...]
++++++++++++++++++++
I see on
http://winhelp2002.mvps.org/hosts.htm
that this is a list of blocked sites that can be added to by Spybot. This site also offers an app that will add substantially to the list. Note that "localhost" is at the top. THAT IS MY VIRTUAL WEBSERVER!! (IIS 5.something) It is clearly NOT being blocked, so I am not sure how this is working.
I would be very happy to add to this file according to the syntax shown on
http://winhelp2002.mvps.org/hosts.htm.
What do you know about this?
So... ran MBAM again - quick scan this time.
+++++++++
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6493
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/2/2011 6:50:40 PM
mbam-log-2011-05-02 (18-50-40).txt
Scan type: Quick scan
Objects scanned: 153792
Time elapsed: 4 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
++++++++++++++++++++++++++
MEANWHILE... TRAFFIC CONTINUES.
What now? I would just accept it, but in a mechanical system, NO CHANGES ARE GOOD UNLESS USER-INIITIATED. It's new, unexpected, and thus bad.
Any ideas?
PS: thanks very much for your attentive help so far. I am learning quite a bit.
Finished : << RKreport[1].txt >>
RKreport[1].txt
ASKER
You have been helpful so far. But the behavior persists, and no cause has been found. ANy more ideas?
ASKER
Have you given up on this question? I am still having the problem.
Go to command prompt.
Start > run > cmd > enter.
Type: Netstat -a -b
Do this while you suspect traffic is occurring. Try not to have anything else running.
Then...Post the results here.
Start > run > cmd > enter.
Type: Netstat -a -b
Do this while you suspect traffic is occurring. Try not to have anything else running.
Then...Post the results here.
ASKER
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Ed>Netstat -a -b
Active Connections
Proto Local Address Foreign Address State PID
TCP main1:microsoft-ds main1:0 LISTENING 4
[System]
TCP main1:netbios-ssn main1:0 LISTENING 4
[System]
TCP main1:1088 209.87.209.31:http ESTABLISHED 2176
[ForceField.exe]
TCP main1:1107 a96-6-46-40.deploy.akamait
ESTABLISHED 288
[vsmon.exe]
TCP main1:1051 localhost:1095 TIME_WAIT 0
TCP main1:1089 localhost:1051 TIME_WAIT 0
TCP main1:1091 localhost:1051 TIME_WAIT 0
TCP main1:1093 localhost:1051 TIME_WAIT 0
TCP main1:1097 localhost:1051 TIME_WAIT 0
TCP main1:1099 localhost:1051 TIME_WAIT 0
TCP main1:1101 localhost:1051 TIME_WAIT 0
TCP main1:1103 localhost:1051 TIME_WAIT 0
TCP main1:1105 localhost:1051 TIME_WAIT 0
UDP main1:snmp *:* 2304
[snmp.exe]
UDP main1:isakmp *:* 1364
[lsass.exe]
UDP main1:4500 *:* 1364
[lsass.exe]
UDP main1:microsoft-ds *:* 4
[System]
UDP main1:3456 *:* 1784
[inetinfo.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:netbios-ns *:* 4
[System]
UDP main1:netbios-dgm *:* 4
[System]
C:\Documents and Settings\Ed>Netstat -a -b
Active Connections
Proto Local Address Foreign Address State PID
TCP main1:microsoft-ds main1:0 LISTENING 4
[System]
TCP main1:netbios-ssn main1:0 LISTENING 4
[System]
TCP main1:1088 209.87.209.31:http ESTABLISHED 2176
[ForceField.exe]
TCP main1:1117 a96-17-149-58.deploy.akama
ESTABLISHED 2176
[ForceField.exe]
UDP main1:snmp *:* 2304
[snmp.exe]
UDP main1:isakmp *:* 1364
[lsass.exe]
UDP main1:4500 *:* 1364
[lsass.exe]
UDP main1:3456 *:* 1784
[inetinfo.exe]
UDP main1:microsoft-ds *:* 4
[System]
UDP main1:1111 *:* 1988
[iexplore.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:netbios-ns *:* 4
[System]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:netbios-dgm *:* 4
[System]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Ed>Netstat -a -b
Active Connections
Proto Local Address Foreign Address State PID
TCP main1:microsoft-ds main1:0 LISTENING 4
[System]
TCP main1:netbios-ssn main1:0 LISTENING 4
[System]
TCP main1:1088 209.87.209.31:http ESTABLISHED 2176
[ForceField.exe]
TCP main1:1107 a96-6-46-40.deploy.akamait
ESTABLISHED 288
[vsmon.exe]
TCP main1:1051 localhost:1095 TIME_WAIT 0
TCP main1:1089 localhost:1051 TIME_WAIT 0
TCP main1:1091 localhost:1051 TIME_WAIT 0
TCP main1:1093 localhost:1051 TIME_WAIT 0
TCP main1:1097 localhost:1051 TIME_WAIT 0
TCP main1:1099 localhost:1051 TIME_WAIT 0
TCP main1:1101 localhost:1051 TIME_WAIT 0
TCP main1:1103 localhost:1051 TIME_WAIT 0
TCP main1:1105 localhost:1051 TIME_WAIT 0
UDP main1:snmp *:* 2304
[snmp.exe]
UDP main1:isakmp *:* 1364
[lsass.exe]
UDP main1:4500 *:* 1364
[lsass.exe]
UDP main1:microsoft-ds *:* 4
[System]
UDP main1:3456 *:* 1784
[inetinfo.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:netbios-ns *:* 4
[System]
UDP main1:netbios-dgm *:* 4
[System]
C:\Documents and Settings\Ed>Netstat -a -b
Active Connections
Proto Local Address Foreign Address State PID
TCP main1:microsoft-ds main1:0 LISTENING 4
[System]
TCP main1:netbios-ssn main1:0 LISTENING 4
[System]
TCP main1:1088 209.87.209.31:http ESTABLISHED 2176
[ForceField.exe]
TCP main1:1117 a96-17-149-58.deploy.akama
ESTABLISHED 2176
[ForceField.exe]
UDP main1:snmp *:* 2304
[snmp.exe]
UDP main1:isakmp *:* 1364
[lsass.exe]
UDP main1:4500 *:* 1364
[lsass.exe]
UDP main1:3456 *:* 1784
[inetinfo.exe]
UDP main1:microsoft-ds *:* 4
[System]
UDP main1:1111 *:* 1988
[iexplore.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:netbios-ns *:* 4
[System]
UDP main1:ntp *:* 1728
c:\windows\system32\WS2_32
c:\windows\system32\w32tim
ntdll.dll
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:1900 *:* 1932
c:\windows\system32\WS2_32
c:\windows\system32\ssdpsr
C:\WINDOWS\system32\ADVAPI
C:\WINDOWS\system32\kernel
[svchost.exe]
UDP main1:netbios-dgm *:* 4
[System]
The only traffic that shows is zone alarm.
Do you have zone alarm installed ?
Do you have zone alarm installed ?
ASKER
Yes.
What makes you believe it is traffic/malware related ? " as indicated by the twin monitors" ?
That's not very reliable measurement.
So far you have no signs of any malware infection.
If you have general slowness or strange behaviour, it could be the result of other things besides malware/viruses. An old hard drive may need replacing. Could be a bad network cable. Bad switch. Bad network card.
I'm not sure, but I can tell you that from what you've posted, I see nothing running that implies you have a virus.
That's not very reliable measurement.
So far you have no signs of any malware infection.
If you have general slowness or strange behaviour, it could be the result of other things besides malware/viruses. An old hard drive may need replacing. Could be a bad network cable. Bad switch. Bad network card.
I'm not sure, but I can tell you that from what you've posted, I see nothing running that implies you have a virus.
ASKER
<sigh...>
I agree, there are no signs of a problem - no slowing, no strange behavior except occasional hangs which have been going on for months & I believe is Firefox related.
But the machine is doing something it never did before. The traffic icon is continuously lit, and the Zonealarm activity icon is now continuously active.
If the Netstat analysis is definitive (is it?), then no data is going in or out. Otherwise - what other utility would show where traffic is headed? Can you defi nitely say I can wrap this up and forget about it?
I am not a computer hypochondriac, but my experience is that no machine suddenly starts good things of its own accord.
Thanks for all your assistance so far.
I agree, there are no signs of a problem - no slowing, no strange behavior except occasional hangs which have been going on for months & I believe is Firefox related.
But the machine is doing something it never did before. The traffic icon is continuously lit, and the Zonealarm activity icon is now continuously active.
If the Netstat analysis is definitive (is it?), then no data is going in or out. Otherwise - what other utility would show where traffic is headed? Can you defi nitely say I can wrap this up and forget about it?
I am not a computer hypochondriac, but my experience is that no machine suddenly starts good things of its own accord.
Thanks for all your assistance so far.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
"Can you defi nitely say I can wrap this up and forget about it? "
I can definitely say, with a degree of confidence, that it is not traffic related.
I wonder if you disable zonealarm if the problem disapears. Maybe zone alarm is constantly interrogating the NIC causing the light show, but no traffic is actually going in/out.
If you still aren't completely convinced, you can use another traffic sniffer, called netmon.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
I can definitely say, with a degree of confidence, that it is not traffic related.
I wonder if you disable zonealarm if the problem disapears. Maybe zone alarm is constantly interrogating the NIC causing the light show, but no traffic is actually going in/out.
If you still aren't completely convinced, you can use another traffic sniffer, called netmon.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
ASKER
I appreciate everyone's persistence in helping to solve the problem. I do not yet know what program is responsible, but I will probably eventually find out. The only other, very low probability factor, is that a malware process that has some new way of hiding from everything is calling one of the exe files whose internet access I just disabled, and creating traffic through that file. Just an amusing speculation. Thanks to all.
ASKER
Thanks for prompt response.
Newer article on router infection was intersesting because I have an old IMB thinkpad XP Pro S1 on same linksys router as main machine. IBM is used only 40 min/day to look at comics strips on mainsteam sites (altjho they do carry a ton of ads - who knows?) and read the NY times. Its NAV 2009 was way out of date; it has only ZA Free version.
I just updated the Virus signatues and run a scan. results - negative.
***More to the point: THE IBM DOES ***NOT*** SHOW CONTINUOUS TRAFFIC*** suggesting it is NOT source of trouble so is probably not router infection. (Make sense?)
In using Combo Fix - where do I find a "helper"? This app seems really dangerous. I cannot afford to lose ANY functionality, not even for one day.
How about MBAM Pro? What are potential side effects there? I prefer not to lose certain of the data it will clean, incl some cookies. Can these be selected? It seems you use it regularly
You suggest
"For an on-going discussion about the proper use of ComboFix (and the proper way to recommend how it is used), please see the open question at: https://www.experts-exchange.com/questions/26896002/Safe-Mode-Scans-for-ComboFix-MBAM.html"
This redirects to https://www.experts-exchange.com/questions/26896002/Safe-Mode-Scans-for-ComboFix-MBAM.html
& msg says "You do not have the proper permissions to access this Question". So that is not helpful.
I wouldn't suppose there might just be a log to look at showing where this traffic is going and coming from? With the process or executable that is handling it or calling it? What do you think?
Thanks for your help!