Sending millions of packets

Sunday 2:10pm

Laptop XP PRO, SP2

Millions of packets are sent when starting the computer.

Been on for 40 minutes now, sent 313,532,612,754 packets.
received 28.

Disable the connection and start again: 40 seconds 146 million packets sent.

The network icon in the try displays activity but ZoneAlarm does not show
actual access to the network.

I had uninstalled ZA before installing SP2. I installed ZA to check for
spyware of some sort.

I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found
but no virues/trojans.

Any thoughts?

J

Zone Alarm doesn't check for spyware - it is a software firewall.

--

Star Fleet Admiral Q @ your service

*************************************************

"J" wrote in message
...
Sunday 2:10pm

Laptop XP PRO, SP2

Millions of packets are sent when starting the computer.

Been on for 40 minutes now, sent 313,532,612,754 packets.
received 28.

Disable the connection and start again: 40 seconds 146 million packets
sent.

The network icon in the try displays activity but ZoneAlarm does not show
actual access to the network.

I had uninstalled ZA before installing SP2. I installed ZA to check for
spyware of some sort.

I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found
but no virues/trojans.

Any thoughts?

J

On Sun, 10 Oct 2004 14:09:35 -0400, "J"
wrote:

Sunday 2:10pm

Laptop XP PRO, SP2

Millions of packets are sent when starting the computer.

Been on for 40 minutes now, sent 313,532,612,754 packets.
received 28.

Disable the connection and start again: 40 seconds 146 million packets sent.

The network icon in the try displays activity but ZoneAlarm does not show
actual access to the network.

I had uninstalled ZA before installing SP2. I installed ZA to check for
spyware of some sort.

I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found
but no virues/trojans.

Virus or spyware. Some of the stuff is quite sophisticated and
escapes detection by subverting Norton Anti-Virus.

Sounds like a good description of a zombie computer to me.

My very personal recommendation would be to uninstall everything
named Norton and forget about it. If you don't know where else
to turn to, AVG by www.grisoft.com is a reasonable start, even
their free version, but other good virus scanners are available.

Hans-Georg

--
No mail, please.

Thank you for your reply.

Zone Alarm doesn't check for spyware - it is a software firewall.

This is correct. But it does monitor network activity.

I use it to determine which programs/processes are attempting access.


--

Star Fleet Admiral Q @ your service

*************************************************

"J" wrote in message
...
Sunday 2:10pm

Laptop XP PRO, SP2

Millions of packets are sent when starting the computer.

Been on for 40 minutes now, sent 313,532,612,754 packets.
received 28.

Disable the connection and start again: 40 seconds 146 million packets
sent.

The network icon in the try displays activity but ZoneAlarm does not
show
actual access to the network.

I had uninstalled ZA before installing SP2. I installed ZA to check for
spyware of some sort.

I had completed scans with Spybot, Ad-Aware and NAV2004. Items were
found
but no virues/trojans.

Any thoughts?

J

On Sun, 10 Oct 2004 14:09:35 -0400, "J" wrote:

Sunday 2:10pm

Laptop XP PRO, SP2

Millions of packets are sent when starting the computer.

Been on for 40 minutes now, sent 313,532,612,754 packets.
received 28.

Disable the connection and start again: 40 seconds 146 million packets sent.

The network icon in the try displays activity but ZoneAlarm does not show
actual access to the network.

I had uninstalled ZA before installing SP2. I installed ZA to check for
spyware of some sort.

I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found
but no virues/trojans.

Any thoughts?

J


Jesse,

ZoneAlarm will detect network activity by specific applications. Some crapware
(adware, spyware, viruses) may use system functions to send and receive, and ZA
will look the other way.

How current is your virus protection? Try one or more of these free online
virus scans, which should complement your current protection:
http://www.bitdefender.com/scan/license.php
http://www.pandasoftware.com/activescan
http://www.ravantivirus.com/scan/
http://security.symantec.com/ssc/home.asp
http://housecall.trendmicro.com/housecall/start_corp.asp

Now check for, and learn to defend against, additional problems - adware,
crapware, spyware. Have you downloaded these programs before? Download them
again, as the latest version may be needed to keep up with the current level of
malware being attempted constantly - get the absolutely most current version of
each product listed. They're all free - and most pretty small, so they download
quickly enough.

Start by downloading each of the following additional free tools:
AdAware http://www.lavasoftusa.com/
CWShredder http://www.majorgeeks.com/download4086.html
CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval
http://www.majorgeeks.com/download4113.html
HijackThis http://www.majorgeeks.com/download.php?det=3155
LSP-Fix and WinsockXPFix http://www.cexx.org/lspfix.htm
Spybot S&D http://www.safer-networking.org/index.php?page=download
Stinger http://us.mcafee.com/virusInfo/default.asp?id=stinger

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. AdAware and Spybot S&D have install routines - run them.
The other downloaded programs can be copied into, and run from, any convenient
folder.

First, run Stinger. Have it remove any problems found.

Next, close all Internet Explorer and Outlook windows, and run
CoolWWWSearch.SmartSearchMiniRemoval, then CWShredder. Have the latter fix all
problems found.

Next, run AdAware. First update it ("Check for updates now"), configure for
full scan (http://forum.aumha.org/viewtopic.php?t=5877), then scan. When
scanning finishes, remove all Critical Objects found.

Next, run Spybot S&D. First update it ("Search for updates"), then run a scan
("Check for problems"). Trust Spybot, and delete everything ("Fix Problems")
that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
http://forums.spywareinfo.com/index.php?showtopic=227
http://www1.spywareinfo.com/articles/hijacked/prevent.php

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: http://forum.aumha.org/index.php
Net-Integration: http://forums.net-integration.net/
Spyware Info: http://forums.spywareinfo.com/
Spyware Warrior: http://spywarewarrior.com/index.php
Tom Coyote: http://forums.tomcoyote.org/

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFIx.

Finally, improve your chances for the future.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Block Internet Explorer ActiveX scripting from hostile websites (Restricted
Zone).
https://netfiles.uiuc.edu/ehowes/www/main.htm (IE-SpyAd)

Block known dangerous scripts from installing.
http://www.javacoolsoftware.com/spywareblaster.html

Block known spyware from installing.
http://www.javacoolsoftware.com/spywareguard.html

Make sure that the spyware detection / protection products that you use are
reliable:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Harden your operating system. Check at least monthly for security updates.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file (merge / eliminate duplicate entries) with:
eDexter http://www.accs-net.com/hosts/get_hosts.html
Hostess http://accs-net.com/hostess/

Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.

Use common sense. Yours. Don't install software based upon advice from unknown
sources. Don't install free software, without researching it carefully. Don't
open email unless you know who it's from, and how and why it was sent.

Educate yourself. Know what the risks are. Stay informed. Read Usenet, and
various web pages that discuss security problems. Check the logs from the
security products that you use regularly, look for things that don't belong, and
take action when necessary.

And Jesse, I wouldn't bet that your email munging technique will fool too many
email address mining viruses. Learn to munge your email address properly, to
keep yourself a bit safer when posting to open forums. Protect yourself and the
rest of the internet - read this article.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Thank you for your time.
(comments at bottom)


Sunday 2:10pm

Laptop XP PRO, SP2

Millions of packets are sent when starting the computer.

Been on for 40 minutes now, sent 313,532,612,754 packets.
received 28.

Disable the connection and start again: 40 seconds 146 million packets
sent.

The network icon in the try displays activity but ZoneAlarm does not show
actual access to the network.

I had uninstalled ZA before installing SP2. I installed ZA to check for
spyware of some sort.

I had completed scans with Spybot, Ad-Aware and NAV2004. Items were found
but no virues/trojans.

Any thoughts?

J


Jesse,

ZoneAlarm will detect network activity by specific applications. Some
crapware
(adware, spyware, viruses) may use system functions to send and receive,
and ZA
will look the other way.

How current is your virus protection? Try one or more of these free
online
virus scans, which should complement your current protection:
http://www.bitdefender.com/scan/license.php
http://www.pandasoftware.com/activescan
http://www.ravantivirus.com/scan/
http://security.symantec.com/ssc/home.asp
http://housecall.trendmicro.com/housecall/start_corp.asp

Now check for, and learn to defend against, additional problems - adware,
crapware, spyware. Have you downloaded these programs before? Download
them
again, as the latest version may be needed to keep up with the current
level of
malware being attempted constantly - get the absolutely most current
version of
each product listed. They're all free - and most pretty small, so they
download
quickly enough.

Start by downloading each of the following additional free tools:
AdAware http://www.lavasoftusa.com/
CWShredder http://www.majorgeeks.com/download4086.html
CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval
http://www.majorgeeks.com/download4113.html
HijackThis http://www.majorgeeks.com/download.php?det=3155
LSP-Fix and WinsockXPFix http://www.cexx.org/lspfix.htm
Spybot S&D http://www.safer-networking.org/index.php?page=download
Stinger http://us.mcafee.com/virusInfo/default.asp?id=stinger

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. AdAware and Spybot S&D have install routines - run
them.
The other downloaded programs can be copied into, and run from, any
convenient
folder.

First, run Stinger. Have it remove any problems found.

Next, close all Internet Explorer and Outlook windows, and run
CoolWWWSearch.SmartSearchMiniRemoval, then CWShredder. Have the latter
fix all
problems found.

Next, run AdAware. First update it ("Check for updates now"), configure
for
full scan (http://forum.aumha.org/viewtopic.php?t=5877), then scan.
When
scanning finishes, remove all Critical Objects found.

Next, run Spybot S&D. First update it ("Search for updates"), then run a
scan
("Check for problems"). Trust Spybot, and delete everything ("Fix
Problems")
that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save
the
HJT Log.
http://forums.spywareinfo.com/index.php?showtopic=227
http://www1.spywareinfo.com/articles/hijacked/prevent.php

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts,
here):
Aumha: http://forum.aumha.org/index.php
Net-Integration: http://forums.net-integration.net/
Spyware Info: http://forums.spywareinfo.com/
Spyware Warrior: http://spywarewarrior.com/index.php
Tom Coyote: http://forums.tomcoyote.org/

If removal of any spyware affects your ability to access the internet
(some
spyware builds itself into the network software, and its removal may
damage your
network), run LSP-Fix and / or WinsockXPFIx.

Finally, improve your chances for the future.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Block Internet Explorer ActiveX scripting from hostile websites
(Restricted
Zone).
https://netfiles.uiuc.edu/ehowes/www/main.htm (IE-SpyAd)

Block known dangerous scripts from installing.
http://www.javacoolsoftware.com/spywareblaster.html

Block known spyware from installing.
http://www.javacoolsoftware.com/spywareguard.html

Make sure that the spyware detection / protection products that you use
are
reliable:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Harden your operating system. Check at least monthly for security
updates.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file
sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file (merge / eliminate duplicate entries) with:
eDexter http://www.accs-net.com/hosts/get_hosts.html
Hostess http://accs-net.com/hostess/

Secure your operating system, and applications. Don't use, or leave
activated,
any accounts with names or passwords with trivial (guessable) values.
Don't use
an account with administrative authority, except when you're intentionally
doing
administrative tasks.

Use common sense. Yours. Don't install software based upon advice from
unknown
sources. Don't install free software, without researching it carefully.
Don't
open email unless you know who it's from, and how and why it was sent.

Educate yourself. Know what the risks are. Stay informed. Read Usenet,
and
various web pages that discuss security problems. Check the logs from the
security products that you use regularly, look for things that don't
belong, and
take action when necessary.

And Jesse, I wouldn't bet that your email munging technique will fool too
many
email address mining viruses. Learn to munge your email address properly,
to
keep yourself a bit safer when posting to open forums. Protect yourself
and the
rest of the internet - read this article.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.


Sunday 4:25pm EDT US

This is a client's computer. Doing the maintenance and update thang, I am

I use (and used) many of the programs you suggested: SB, ad-aware, hijack
this, CWShredder, CoolWWWSearch remover,..... all current versions and defs.
And Bazooka.

ZA at least can identify a program/process attempting network access. Ran
into Home Shopping, or some such last week, that identified itself at a
svchost process.


Various Google searches provided a number of newsgroup messages about the
network sending millions of packets.
Some fixed the problem by removing the netcard drivers and installing such
again. This did not help here.

I can see the packets-sent number increase while the network icon flashes.
But ZA displays NO activity.
I am suspecting this is not about spyware. But, none of the messages I found
described a clear resolution.

Just in case, running an online scan now.

I have had essentially no problems with my computers (6), used by me, the
wife, and the grandchildren.

But I have worked on a few this past year that were completely full of
stuff.

Today's problem computer had hotbar, and a few cookies.

And so on.

Thank you for the various pointers. Always too much to learn.

J

On Sun, 10 Oct 2004 16:28:50 -0400, "J" wrote:

Thank you for your time.
(comments at bottom)

SNIP

This is a client's computer. Doing the maintenance and update thang, I am

I use (and used) many of the programs you suggested: SB, ad-aware, hijack
this, CWShredder, CoolWWWSearch remover,..... all current versions and defs.
And Bazooka.

ZA at least can identify a program/process attempting network access. Ran
into Home Shopping, or some such last week, that identified itself at a
svchost process.


Various Google searches provided a number of newsgroup messages about the
network sending millions of packets.
Some fixed the problem by removing the netcard drivers and installing such
again. This did not help here.

I can see the packets-sent number increase while the network icon flashes.
But ZA displays NO activity.
I am suspecting this is not about spyware. But, none of the messages I found
described a clear resolution.

Just in case, running an online scan now.

I have had essentially no problems with my computers (6), used by me, the
wife, and the grandchildren.

But I have worked on a few this past year that were completely full of
stuff.

Today's problem computer had hotbar, and a few cookies.

And so on.

Thank you for the various pointers. Always too much to learn.

Jesse,

Svchost.exe is the system process that many whitewash, so they don't see ZA
alert on that more than once. Then some spyware uses scvhost.exe, sxchost.exe,
and so on.

Get Port Explorer (free) from
http://www.diamondcs.com.au/portexplorer/index.php?page=home to show you what
network connections your computer is actually opening, and what processes are
opening them.
And Process Explorer (free) from
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. Provides way more
information than Task Manager.

There's always something new in alt.privacy.spyware and alt.computer.virus. The
bad guys are winning. :-(

Thanks for the feedback.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

On Sun, 10 Oct 2004 16:28:50 -0400, "J"
wrote:

I can see the packets-sent number increase while the network icon flashes.
But ZA displays NO activity.

Ha, Zone Alarm subverted. Interesting!

The zombie computer business is about big money these days. The
programmers are professionals, unlike the script kiddies of
yesteryear.

If ZA doesn't show traffic although there clearly is traffic,
then you might as well uninstall it. Perhaps reinstalling it
could even repair it, but I suspect it would be subverted again
within a split second.

I may be wrong, it could be something else, but you definitely
want to find out which program it is that is communicating
without your consent and kill it.

I see that Chuck has already planned out the route and
recommended the right tools, like Process Explorer. A simple
choice for viewing the network connections would be TCPView,
also from www.sysinternals.com.

Hans-Georg

--
No mail, please.

On Mon, 11 Oct 2004 08:26:16 +0200, Hans-Georg Michna
wrote:

On Sun, 10 Oct 2004 16:28:50 -0400, "J"
wrote:

I can see the packets-sent number increase while the network icon flashes.
But ZA displays NO activity.

Ha, Zone Alarm subverted. Interesting!

The zombie computer business is about big money these days. The
programmers are professionals, unlike the script kiddies of
yesteryear.

If ZA doesn't show traffic although there clearly is traffic,
then you might as well uninstall it. Perhaps reinstalling it
could even repair it, but I suspect it would be subverted again
within a split second.

I may be wrong, it could be something else, but you definitely
want to find out which program it is that is communicating
without your consent and kill it.

I see that Chuck has already planned out the route and
recommended the right tools, like Process Explorer. A simple
choice for viewing the network connections would be TCPView,
also from www.sysinternals.com.

Hans-Georg

HG,

I have used both Port Explorer and TCPView in the past, and have found that
there is a noticeable difference between the two. Port Explorer, by design, has
a better ability to identify ports in use. There is a document somewhere on the
DiamondCS website explaining the design of PE, and why it is better than other
port monitors. I don't think it's pure advertising.

TCPView integrates well with Process Explorer, both being SysInternals products.
But Port Explorer is more accurate. Since both are free (noting that Port
Explorer is cripple ware - but the free version of Port Explorer has more
functionality than TCPView), I recommend Port Explorer. Particularly when
searching for possible hostile code generating massive volumes of network
traffic.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

On 11 Oct 2004 01:46:18 -0500, Chuck wrote:

On Mon, 11 Oct 2004 08:26:16 +0200, Hans-Georg Michna
wrote:

I see that Chuck has already planned out the route and
recommended the right tools, like Process Explorer. A simple
choice for viewing the network connections would be TCPView,
also from www.sysinternals.com.

I have used both Port Explorer and TCPView in the past, and have found that
there is a noticeable difference between the two. Port Explorer, by design, has
a better ability to identify ports in use. There is a document somewhere on the
DiamondCS website explaining the design of PE, and why it is better than other
port monitors. I don't think it's pure advertising.

TCPView integrates well with Process Explorer, both being SysInternals products.
But Port Explorer is more accurate. Since both are free (noting that Port
Explorer is cripple ware - but the free version of Port Explorer has more
functionality than TCPView), I recommend Port Explorer. Particularly when
searching for possible hostile code generating massive volumes of network
traffic.

Chuck,

thanks for the good hint! I just installed it and looked at it
more closely. Very good program indeed, and has incomparably
more functions than TCPView.

Perhaps TCPView still serves a purpose for a quick check by a
beginner who doesn't need all these functions. It's a
lightweight program. But I like to have Port Explorer for
myself. (:-)

Hans-Georg

--
No mail, please.

Another possiblity is that the NIC driver just has a bug. That's my guess
based on the insane number of outgoing packets and the fact that ZA doesn't
show anything.

When you reinstalled the NIC driver did you get an updated version or just
install the same one again.

Still a network traffic analyzer is worth a look if you are worried.

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


"Hans-Georg Michna" wrote in message
...
On Sun, 10 Oct 2004 16:28:50 -0400, "J"
wrote:

I can see the packets-sent number increase while the network icon flashes.
But ZA displays NO activity.

Ha, Zone Alarm subverted. Interesting!

The zombie computer business is about big money these days. The
programmers are professionals, unlike the script kiddies of
yesteryear.

If ZA doesn't show traffic although there clearly is traffic,
then you might as well uninstall it. Perhaps reinstalling it
could even repair it, but I suspect it would be subverted again
within a split second.

I may be wrong, it could be something else, but you definitely
want to find out which program it is that is communicating
without your consent and kill it.

I see that Chuck has already planned out the route and
recommended the right tools, like Process Explorer. A simple
choice for viewing the network connections would be TCPView,
also from www.sysinternals.com.

Hans-Georg

--
No mail, please.

I vote with Ken Wickes on a bug.
See:
http://support.microsoft.com/default...&Product=winxp

Some adapter driver authors use bytes instead of packets, and I had one Sony
Vaio notebook that with the original driver was reporting bits. You can get
some pretty astronomical numbers in the Status report as a result, which
always represents the traffic as being packets.
Bill Castner MS-MVP Windows Networking



"Ken Wickes [MSFT]" wrote in message
...
Another possiblity is that the NIC driver just has a bug. That's my guess
based on the insane number of outgoing packets and the fact that ZA
doesn't show anything.

When you reinstalled the NIC driver did you get an updated version or just
install the same one again.

Still a network traffic analyzer is worth a look if you are worried.

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no
rights.


"Hans-Georg Michna" wrote in message
...
On Sun, 10 Oct 2004 16:28:50 -0400, "J"
wrote:

I can see the packets-sent number increase while the network icon
flashes.
But ZA displays NO activity.

Ha, Zone Alarm subverted. Interesting!

The zombie computer business is about big money these days. The
programmers are professionals, unlike the script kiddies of
yesteryear.

If ZA doesn't show traffic although there clearly is traffic,
then you might as well uninstall it. Perhaps reinstalling it
could even repair it, but I suspect it would be subverted again
within a split second.

I may be wrong, it could be something else, but you definitely
want to find out which program it is that is communicating
without your consent and kill it.

I see that Chuck has already planned out the route and
recommended the right tools, like Process Explorer. A simple
choice for viewing the network connections would be TCPView,
also from www.sysinternals.com.

Hans-Georg

--
No mail, please.