If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Sending millions of packets
Sunday 2:10pm
Laptop XP PRO, SP2 Millions of packets are sent when starting the computer. Been on for 40 minutes now, sent 313,532,612,754 packets. received 28. Disable the connection and start again: 40 seconds 146 million packets sent. The network icon in the try displays activity but ZoneAlarm does not show actual access to the network. I had uninstalled ZA before installing SP2. I installed ZA to check for spyware of some sort. I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found but no virues/trojans. Any thoughts? J |
Ads |
#2
|
|||
|
|||
Sending millions of packets
Zone Alarm doesn't check for spyware - it is a software firewall.
-- Star Fleet Admiral Q @ your service ************************************************* "J" wrote in message ... Sunday 2:10pm Laptop XP PRO, SP2 Millions of packets are sent when starting the computer. Been on for 40 minutes now, sent 313,532,612,754 packets. received 28. Disable the connection and start again: 40 seconds 146 million packets sent. The network icon in the try displays activity but ZoneAlarm does not show actual access to the network. I had uninstalled ZA before installing SP2. I installed ZA to check for spyware of some sort. I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found but no virues/trojans. Any thoughts? J |
#3
|
|||
|
|||
Sending millions of packets
On Sun, 10 Oct 2004 14:09:35 -0400, "J"
wrote: Sunday 2:10pm Laptop XP PRO, SP2 Millions of packets are sent when starting the computer. Been on for 40 minutes now, sent 313,532,612,754 packets. received 28. Disable the connection and start again: 40 seconds 146 million packets sent. The network icon in the try displays activity but ZoneAlarm does not show actual access to the network. I had uninstalled ZA before installing SP2. I installed ZA to check for spyware of some sort. I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found but no virues/trojans. Virus or spyware. Some of the stuff is quite sophisticated and escapes detection by subverting Norton Anti-Virus. Sounds like a good description of a zombie computer to me. My very personal recommendation would be to uninstall everything named Norton and forget about it. If you don't know where else to turn to, AVG by www.grisoft.com is a reasonable start, even their free version, but other good virus scanners are available. Hans-Georg -- No mail, please. |
#4
|
|||
|
|||
Sending millions of packets
Thank you for your reply.
Zone Alarm doesn't check for spyware - it is a software firewall. This is correct. But it does monitor network activity. I use it to determine which programs/processes are attempting access. -- Star Fleet Admiral Q @ your service ************************************************* "J" wrote in message ... Sunday 2:10pm Laptop XP PRO, SP2 Millions of packets are sent when starting the computer. Been on for 40 minutes now, sent 313,532,612,754 packets. received 28. Disable the connection and start again: 40 seconds 146 million packets sent. The network icon in the try displays activity but ZoneAlarm does not show actual access to the network. I had uninstalled ZA before installing SP2. I installed ZA to check for spyware of some sort. I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found but no virues/trojans. Any thoughts? J |
#5
|
|||
|
|||
Sending millions of packets
On Sun, 10 Oct 2004 14:09:35 -0400, "J" wrote:
Sunday 2:10pm Laptop XP PRO, SP2 Millions of packets are sent when starting the computer. Been on for 40 minutes now, sent 313,532,612,754 packets. received 28. Disable the connection and start again: 40 seconds 146 million packets sent. The network icon in the try displays activity but ZoneAlarm does not show actual access to the network. I had uninstalled ZA before installing SP2. I installed ZA to check for spyware of some sort. I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found but no virues/trojans. Any thoughts? J Jesse, ZoneAlarm will detect network activity by specific applications. Some crapware (adware, spyware, viruses) may use system functions to send and receive, and ZA will look the other way. How current is your virus protection? Try one or more of these free online virus scans, which should complement your current protection: http://www.bitdefender.com/scan/license.php http://www.pandasoftware.com/activescan http://www.ravantivirus.com/scan/ http://security.symantec.com/ssc/home.asp http://housecall.trendmicro.com/housecall/start_corp.asp Now check for, and learn to defend against, additional problems - adware, crapware, spyware. Have you downloaded these programs before? Download them again, as the latest version may be needed to keep up with the current level of malware being attempted constantly - get the absolutely most current version of each product listed. They're all free - and most pretty small, so they download quickly enough. Start by downloading each of the following additional free tools: AdAware http://www.lavasoftusa.com/ CWShredder http://www.majorgeeks.com/download4086.html CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval http://www.majorgeeks.com/download4113.html HijackThis http://www.majorgeeks.com/download.php?det=3155 LSP-Fix and WinsockXPFix http://www.cexx.org/lspfix.htm Spybot S&D http://www.safer-networking.org/index.php?page=download Stinger http://us.mcafee.com/virusInfo/default.asp?id=stinger Create a separate folder for HijackThis, such as C:\HijackThis - copy the downloaded file there. AdAware and Spybot S&D have install routines - run them. The other downloaded programs can be copied into, and run from, any convenient folder. First, run Stinger. Have it remove any problems found. Next, close all Internet Explorer and Outlook windows, and run CoolWWWSearch.SmartSearchMiniRemoval, then CWShredder. Have the latter fix all problems found. Next, run AdAware. First update it ("Check for updates now"), configure for full scan (http://forum.aumha.org/viewtopic.php?t=5877), then scan. When scanning finishes, remove all Critical Objects found. Next, run Spybot S&D. First update it ("Search for updates"), then run a scan ("Check for problems"). Trust Spybot, and delete everything ("Fix Problems") that is displayed in Red. Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the HJT Log. http://forums.spywareinfo.com/index.php?showtopic=227 http://www1.spywareinfo.com/articles/hijacked/prevent.php Finally, have your HJT log interpreted by experts at one or more of the following security forums (and please post a link to your forum posts, here): Aumha: http://forum.aumha.org/index.php Net-Integration: http://forums.net-integration.net/ Spyware Info: http://forums.spywareinfo.com/ Spyware Warrior: http://spywarewarrior.com/index.php Tom Coyote: http://forums.tomcoyote.org/ If removal of any spyware affects your ability to access the internet (some spyware builds itself into the network software, and its removal may damage your network), run LSP-Fix and / or WinsockXPFIx. Finally, improve your chances for the future. Harden your browser. There are various websites which will check for vulnerabilities, here are three which I use. http://www.jasons-toolbox.com/BrowserSecurity/ http://bcheck.scanit.be/bcheck/ https://testzone.secunia.com/browser_checker/ Block Internet Explorer ActiveX scripting from hostile websites (Restricted Zone). https://netfiles.uiuc.edu/ehowes/www/main.htm (IE-SpyAd) Block known dangerous scripts from installing. http://www.javacoolsoftware.com/spywareblaster.html Block known spyware from installing. http://www.javacoolsoftware.com/spywareguard.html Make sure that the spyware detection / protection products that you use are reliable: http://www.spywarewarrior.com/rogue_anti-spyware.htm Harden your operating system. Check at least monthly for security updates. http://windowsupdate.microsoft.com/ Block possibly dangerous websites with a Hosts file. Three Hosts file sources I use: http://www.accs-net.com/hosts/get_hosts.html http://www.mvps.org/winhelp2002/hosts.htm (The third is included, and updated, with Spybot (see above)). Maintain your Hosts file (merge / eliminate duplicate entries) with: eDexter http://www.accs-net.com/hosts/get_hosts.html Hostess http://accs-net.com/hostess/ Secure your operating system, and applications. Don't use, or leave activated, any accounts with names or passwords with trivial (guessable) values. Don't use an account with administrative authority, except when you're intentionally doing administrative tasks. Use common sense. Yours. Don't install software based upon advice from unknown sources. Don't install free software, without researching it carefully. Don't open email unless you know who it's from, and how and why it was sent. Educate yourself. Know what the risks are. Stay informed. Read Usenet, and various web pages that discuss security problems. Check the logs from the security products that you use regularly, look for things that don't belong, and take action when necessary. And Jesse, I wouldn't bet that your email munging technique will fool too many email address mining viruses. Learn to munge your email address properly, to keep yourself a bit safer when posting to open forums. Protect yourself and the rest of the internet - read this article. http://www.mailmsg.com/SPAM_munging.htm Cheers, Chuck Paranoia comes from experience - and is not necessarily a bad thing. |
#6
|
|||
|
|||
Sending millions of packets
Thank you for your time.
(comments at bottom) Sunday 2:10pm Laptop XP PRO, SP2 Millions of packets are sent when starting the computer. Been on for 40 minutes now, sent 313,532,612,754 packets. received 28. Disable the connection and start again: 40 seconds 146 million packets sent. The network icon in the try displays activity but ZoneAlarm does not show actual access to the network. I had uninstalled ZA before installing SP2. I installed ZA to check for spyware of some sort. I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found but no virues/trojans. Any thoughts? J Jesse, ZoneAlarm will detect network activity by specific applications. Some crapware (adware, spyware, viruses) may use system functions to send and receive, and ZA will look the other way. How current is your virus protection? Try one or more of these free online virus scans, which should complement your current protection: http://www.bitdefender.com/scan/license.php http://www.pandasoftware.com/activescan http://www.ravantivirus.com/scan/ http://security.symantec.com/ssc/home.asp http://housecall.trendmicro.com/housecall/start_corp.asp Now check for, and learn to defend against, additional problems - adware, crapware, spyware. Have you downloaded these programs before? Download them again, as the latest version may be needed to keep up with the current level of malware being attempted constantly - get the absolutely most current version of each product listed. They're all free - and most pretty small, so they download quickly enough. Start by downloading each of the following additional free tools: AdAware http://www.lavasoftusa.com/ CWShredder http://www.majorgeeks.com/download4086.html CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval http://www.majorgeeks.com/download4113.html HijackThis http://www.majorgeeks.com/download.php?det=3155 LSP-Fix and WinsockXPFix http://www.cexx.org/lspfix.htm Spybot S&D http://www.safer-networking.org/index.php?page=download Stinger http://us.mcafee.com/virusInfo/default.asp?id=stinger Create a separate folder for HijackThis, such as C:\HijackThis - copy the downloaded file there. AdAware and Spybot S&D have install routines - run them. The other downloaded programs can be copied into, and run from, any convenient folder. First, run Stinger. Have it remove any problems found. Next, close all Internet Explorer and Outlook windows, and run CoolWWWSearch.SmartSearchMiniRemoval, then CWShredder. Have the latter fix all problems found. Next, run AdAware. First update it ("Check for updates now"), configure for full scan (http://forum.aumha.org/viewtopic.php?t=5877), then scan. When scanning finishes, remove all Critical Objects found. Next, run Spybot S&D. First update it ("Search for updates"), then run a scan ("Check for problems"). Trust Spybot, and delete everything ("Fix Problems") that is displayed in Red. Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the HJT Log. http://forums.spywareinfo.com/index.php?showtopic=227 http://www1.spywareinfo.com/articles/hijacked/prevent.php Finally, have your HJT log interpreted by experts at one or more of the following security forums (and please post a link to your forum posts, here): Aumha: http://forum.aumha.org/index.php Net-Integration: http://forums.net-integration.net/ Spyware Info: http://forums.spywareinfo.com/ Spyware Warrior: http://spywarewarrior.com/index.php Tom Coyote: http://forums.tomcoyote.org/ If removal of any spyware affects your ability to access the internet (some spyware builds itself into the network software, and its removal may damage your network), run LSP-Fix and / or WinsockXPFIx. Finally, improve your chances for the future. Harden your browser. There are various websites which will check for vulnerabilities, here are three which I use. http://www.jasons-toolbox.com/BrowserSecurity/ http://bcheck.scanit.be/bcheck/ https://testzone.secunia.com/browser_checker/ Block Internet Explorer ActiveX scripting from hostile websites (Restricted Zone). https://netfiles.uiuc.edu/ehowes/www/main.htm (IE-SpyAd) Block known dangerous scripts from installing. http://www.javacoolsoftware.com/spywareblaster.html Block known spyware from installing. http://www.javacoolsoftware.com/spywareguard.html Make sure that the spyware detection / protection products that you use are reliable: http://www.spywarewarrior.com/rogue_anti-spyware.htm Harden your operating system. Check at least monthly for security updates. http://windowsupdate.microsoft.com/ Block possibly dangerous websites with a Hosts file. Three Hosts file sources I use: http://www.accs-net.com/hosts/get_hosts.html http://www.mvps.org/winhelp2002/hosts.htm (The third is included, and updated, with Spybot (see above)). Maintain your Hosts file (merge / eliminate duplicate entries) with: eDexter http://www.accs-net.com/hosts/get_hosts.html Hostess http://accs-net.com/hostess/ Secure your operating system, and applications. Don't use, or leave activated, any accounts with names or passwords with trivial (guessable) values. Don't use an account with administrative authority, except when you're intentionally doing administrative tasks. Use common sense. Yours. Don't install software based upon advice from unknown sources. Don't install free software, without researching it carefully. Don't open email unless you know who it's from, and how and why it was sent. Educate yourself. Know what the risks are. Stay informed. Read Usenet, and various web pages that discuss security problems. Check the logs from the security products that you use regularly, look for things that don't belong, and take action when necessary. And Jesse, I wouldn't bet that your email munging technique will fool too many email address mining viruses. Learn to munge your email address properly, to keep yourself a bit safer when posting to open forums. Protect yourself and the rest of the internet - read this article. http://www.mailmsg.com/SPAM_munging.htm Cheers, Chuck Paranoia comes from experience - and is not necessarily a bad thing. Sunday 4:25pm EDT US This is a client's computer. Doing the maintenance and update thang, I am I use (and used) many of the programs you suggested: SB, ad-aware, hijack this, CWShredder, CoolWWWSearch remover,..... all current versions and defs. And Bazooka. ZA at least can identify a program/process attempting network access. Ran into Home Shopping, or some such last week, that identified itself at a svchost process. Various Google searches provided a number of newsgroup messages about the network sending millions of packets. Some fixed the problem by removing the netcard drivers and installing such again. This did not help here. I can see the packets-sent number increase while the network icon flashes. But ZA displays NO activity. I am suspecting this is not about spyware. But, none of the messages I found described a clear resolution. Just in case, running an online scan now. I have had essentially no problems with my computers (6), used by me, the wife, and the grandchildren. But I have worked on a few this past year that were completely full of stuff. Today's problem computer had hotbar, and a few cookies. And so on. Thank you for the various pointers. Always too much to learn. J |
#7
|
|||
|
|||
Sending millions of packets
On Sun, 10 Oct 2004 16:28:50 -0400, "J" wrote:
Thank you for your time. (comments at bottom) SNIP This is a client's computer. Doing the maintenance and update thang, I am I use (and used) many of the programs you suggested: SB, ad-aware, hijack this, CWShredder, CoolWWWSearch remover,..... all current versions and defs. And Bazooka. ZA at least can identify a program/process attempting network access. Ran into Home Shopping, or some such last week, that identified itself at a svchost process. Various Google searches provided a number of newsgroup messages about the network sending millions of packets. Some fixed the problem by removing the netcard drivers and installing such again. This did not help here. I can see the packets-sent number increase while the network icon flashes. But ZA displays NO activity. I am suspecting this is not about spyware. But, none of the messages I found described a clear resolution. Just in case, running an online scan now. I have had essentially no problems with my computers (6), used by me, the wife, and the grandchildren. But I have worked on a few this past year that were completely full of stuff. Today's problem computer had hotbar, and a few cookies. And so on. Thank you for the various pointers. Always too much to learn. Jesse, Svchost.exe is the system process that many whitewash, so they don't see ZA alert on that more than once. Then some spyware uses scvhost.exe, sxchost.exe, and so on. Get Port Explorer (free) from http://www.diamondcs.com.au/portexplorer/index.php?page=home to show you what network connections your computer is actually opening, and what processes are opening them. And Process Explorer (free) from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. Provides way more information than Task Manager. There's always something new in alt.privacy.spyware and alt.computer.virus. The bad guys are winning. :-( Thanks for the feedback. Cheers, Chuck Paranoia comes from experience - and is not necessarily a bad thing. |
#8
|
|||
|
|||
Sending millions of packets
On Sun, 10 Oct 2004 16:28:50 -0400, "J"
wrote: I can see the packets-sent number increase while the network icon flashes. But ZA displays NO activity. Ha, Zone Alarm subverted. Interesting! The zombie computer business is about big money these days. The programmers are professionals, unlike the script kiddies of yesteryear. If ZA doesn't show traffic although there clearly is traffic, then you might as well uninstall it. Perhaps reinstalling it could even repair it, but I suspect it would be subverted again within a split second. I may be wrong, it could be something else, but you definitely want to find out which program it is that is communicating without your consent and kill it. I see that Chuck has already planned out the route and recommended the right tools, like Process Explorer. A simple choice for viewing the network connections would be TCPView, also from www.sysinternals.com. Hans-Georg -- No mail, please. |
#9
|
|||
|
|||
Sending millions of packets
On Mon, 11 Oct 2004 08:26:16 +0200, Hans-Georg Michna
wrote: On Sun, 10 Oct 2004 16:28:50 -0400, "J" wrote: I can see the packets-sent number increase while the network icon flashes. But ZA displays NO activity. Ha, Zone Alarm subverted. Interesting! The zombie computer business is about big money these days. The programmers are professionals, unlike the script kiddies of yesteryear. If ZA doesn't show traffic although there clearly is traffic, then you might as well uninstall it. Perhaps reinstalling it could even repair it, but I suspect it would be subverted again within a split second. I may be wrong, it could be something else, but you definitely want to find out which program it is that is communicating without your consent and kill it. I see that Chuck has already planned out the route and recommended the right tools, like Process Explorer. A simple choice for viewing the network connections would be TCPView, also from www.sysinternals.com. Hans-Georg HG, I have used both Port Explorer and TCPView in the past, and have found that there is a noticeable difference between the two. Port Explorer, by design, has a better ability to identify ports in use. There is a document somewhere on the DiamondCS website explaining the design of PE, and why it is better than other port monitors. I don't think it's pure advertising. TCPView integrates well with Process Explorer, both being SysInternals products. But Port Explorer is more accurate. Since both are free (noting that Port Explorer is cripple ware - but the free version of Port Explorer has more functionality than TCPView), I recommend Port Explorer. Particularly when searching for possible hostile code generating massive volumes of network traffic. Cheers, Chuck Paranoia comes from experience - and is not necessarily a bad thing. |
#10
|
|||
|
|||
Sending millions of packets
On 11 Oct 2004 01:46:18 -0500, Chuck wrote:
On Mon, 11 Oct 2004 08:26:16 +0200, Hans-Georg Michna wrote: I see that Chuck has already planned out the route and recommended the right tools, like Process Explorer. A simple choice for viewing the network connections would be TCPView, also from www.sysinternals.com. I have used both Port Explorer and TCPView in the past, and have found that there is a noticeable difference between the two. Port Explorer, by design, has a better ability to identify ports in use. There is a document somewhere on the DiamondCS website explaining the design of PE, and why it is better than other port monitors. I don't think it's pure advertising. TCPView integrates well with Process Explorer, both being SysInternals products. But Port Explorer is more accurate. Since both are free (noting that Port Explorer is cripple ware - but the free version of Port Explorer has more functionality than TCPView), I recommend Port Explorer. Particularly when searching for possible hostile code generating massive volumes of network traffic. Chuck, thanks for the good hint! I just installed it and looked at it more closely. Very good program indeed, and has incomparably more functions than TCPView. Perhaps TCPView still serves a purpose for a quick check by a beginner who doesn't need all these functions. It's a lightweight program. But I like to have Port Explorer for myself. (:-) Hans-Georg -- No mail, please. |
#11
|
|||
|
|||
Sending millions of packets
Another possiblity is that the NIC driver just has a bug. That's my guess
based on the insane number of outgoing packets and the fact that ZA doesn't show anything. When you reinstalled the NIC driver did you get an updated version or just install the same one again. Still a network traffic analyzer is worth a look if you are worried. -- Ken Wickes [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. "Hans-Georg Michna" wrote in message ... On Sun, 10 Oct 2004 16:28:50 -0400, "J" wrote: I can see the packets-sent number increase while the network icon flashes. But ZA displays NO activity. Ha, Zone Alarm subverted. Interesting! The zombie computer business is about big money these days. The programmers are professionals, unlike the script kiddies of yesteryear. If ZA doesn't show traffic although there clearly is traffic, then you might as well uninstall it. Perhaps reinstalling it could even repair it, but I suspect it would be subverted again within a split second. I may be wrong, it could be something else, but you definitely want to find out which program it is that is communicating without your consent and kill it. I see that Chuck has already planned out the route and recommended the right tools, like Process Explorer. A simple choice for viewing the network connections would be TCPView, also from www.sysinternals.com. Hans-Georg -- No mail, please. |
#12
|
|||
|
|||
Sending millions of packets
I vote with Ken Wickes on a bug.
See: http://support.microsoft.com/default...&Product=winxp Some adapter driver authors use bytes instead of packets, and I had one Sony Vaio notebook that with the original driver was reporting bits. You can get some pretty astronomical numbers in the Status report as a result, which always represents the traffic as being packets. Bill Castner MS-MVP Windows Networking "Ken Wickes [MSFT]" wrote in message ... Another possiblity is that the NIC driver just has a bug. That's my guess based on the insane number of outgoing packets and the fact that ZA doesn't show anything. When you reinstalled the NIC driver did you get an updated version or just install the same one again. Still a network traffic analyzer is worth a look if you are worried. -- Ken Wickes [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. "Hans-Georg Michna" wrote in message ... On Sun, 10 Oct 2004 16:28:50 -0400, "J" wrote: I can see the packets-sent number increase while the network icon flashes. But ZA displays NO activity. Ha, Zone Alarm subverted. Interesting! The zombie computer business is about big money these days. The programmers are professionals, unlike the script kiddies of yesteryear. If ZA doesn't show traffic although there clearly is traffic, then you might as well uninstall it. Perhaps reinstalling it could even repair it, but I suspect it would be subverted again within a split second. I may be wrong, it could be something else, but you definitely want to find out which program it is that is communicating without your consent and kill it. I see that Chuck has already planned out the route and recommended the right tools, like Process Explorer. A simple choice for viewing the network connections would be TCPView, also from www.sysinternals.com. Hans-Georg -- No mail, please. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Explorer Sending Unnecessary Packets | Networking and the Internet with Windows XP | 0 | October 6th 04 04:43 PM | |
SP 2: Local Area Connection sending out billions of packets? | SA | General XP issues or comments | 2 | August 29th 04 06:56 AM |
Firewire 1394 speed/connection problem | Kevin Brault | Networking and the Internet with Windows XP | 4 | August 22nd 04 10:31 PM |
Internet is not sending but receiving data | cronological | Networking and the Internet with Windows XP | 0 | August 12th 04 11:35 PM |