Continuous internet activity

  • Thread starter Thread starter MikeM
  • Start date Start date
M

MikeM

For the past few days the internet activity monitor has been solid
green whenever my router is switched on and connecting to broadband.
When I first noticed it the duration was nearly 4 hours. I had been
leaving the router on 24\7 since I got it and the icons didn't show
continuous activity unless I was uploading or downloading something.
Task Manager doesn't show any unusual programs active.

I am using XP, there is a firewall in the router and I have Trend
Micro firewall enabled and just now enabled the Windows firewall.
Scans with PC-Cillin, AdAware haven't found any problems. How can I
check which program is sending/receiving?

Thanks
Mike
 
MikeM said:
For the past few days the internet activity monitor has been solid
green whenever my router is switched on and connecting to broadband.
When I first noticed it the duration was nearly 4 hours. I had been
leaving the router on 24\7 since I got it and the icons didn't show
continuous activity unless I was uploading or downloading something.
Task Manager doesn't show any unusual programs active.

I am using XP, there is a firewall in the router and I have Trend
Micro firewall enabled and just now enabled the Windows firewall.
Scans with PC-Cillin, AdAware haven't found any problems. How can I
check which program is sending/receiving?

Thanks
Mike
Click to expand...
ctrl/alt/del, and keep the taskmanager open.
when in doubt, take peek at the taskmanager list to see who
is using cycles.
 
I have checked the task manager several time. Usually the only entries
with activity are the usual ones that have been there a long time. I
don't know what most of them are, but I assume they are connected with
Windows or other applications I have been running for years. One thing
I can't remember seeing, there are 8 entires for svchost. For a while
there was a lot of activity on 1 of them but it has now stopped. Just
an occasional small amount of activity on one of them.

The only high activity is on the application I am running. I tried
stopping it but the activity continued unchanged. The activity monitor
is still solid green and the led on the router is flashing so I assume
it is still sending/receiving.

Thanks
Mike
 
Your situation is different from mine. When I first got cable internet
access, the green light activated when there was activity.

Starting a few years back, the light has been solid green.

Back when I was using zone alarm, nothing popped up saying, 'this program is
trying to access the internet.'

Also, I did a new build a few months back (and new install of xp), and the
activity light was solid green from the start of when the computer was first
hooked up to the net.

--g
 
For the past few days the internet activity monitor has been solid green
whenever my router is switched on and connecting to broadband. When I
first noticed it the duration was nearly 4 hours. I had been leaving the
router on 24\7 since I got it and the icons didn't show continuous
activity unless I was uploading or downloading something. Task Manager
doesn't show any unusual programs active.

I am using XP, there is a firewall in the router and I have Trend Micro
firewall enabled and just now enabled the Windows firewall. Scans with
PC-Cillin, AdAware haven't found any problems. How can I check which
program is sending/receiving?

Thanks
Mike
Click to expand...

It might be useful to determine what the activity consists of. Download
wireshark (http://www.wireshark.org/ ). After installing it, quit all
your internet based applications and then run the packet analyser. Post
your results.
 
MikeM said:
I have checked the task manager several time. Usually the only entries
with activity are the usual ones that have been there a long time. I
don't know what most of them are, but I assume they are connected with
Windows or other applications I have been running for years. One thing
I can't remember seeing, there are 8 entires for svchost. For a while
there was a lot of activity on 1 of them but it has now stopped. Just
an occasional small amount of activity on one of them.

The only high activity is on the application I am running. I tried
stopping it but the activity continued unchanged. The activity monitor
is still solid green and the led on the router is flashing so I assume
it is still sending/receiving.

Thanks
Mike
Click to expand...

A program like Wireshark might be used, to see what the packets
contain and where they're going. There is nothing stopping a malware
application, from using compression or encryption of the stream,
preventing you from learning anything. But at least you'll get an
IP address out of the exercise (dest address for the packets).

http://en.wikipedia.org/wiki/Wireshark

If you select View:Name Resolution:Network Layer, the captured
Ethernet packets will have the IP addresses resolved to symbolic
addresses. Which saves the nuisance of looking them up separately.

After that, Capture:Interfaces, and clicking the Start button
for your actual network interface, starts the capture.

Some malware, is aware of programs like Wireshark, and may
respond in some way once it is started. For example, a key logger
may store key presses locally, until a time arrives where
Wireshark is not running, and then it is "safe" to transmit
the passwords or credit card numbers.

The continuous activity, at least to me, suggests
something like Back Orifice - like something has
your machine under some degree of control, and
the continuous packets are for monitoring purposes.

You could also be part of a botnet, and DDOSing some
node on the Internet, or sending spam emails and so
on. It could be, that the control connection is
only made intermittently, and most of the traffic is
the scripted activity entrusted to your node.

There is a small probability of a networking problem, where
something is tied in a loop. I have seen looped behavior
between my router and my ADSL modem, and power cycling them
stopped it. To debug problems like that, you'd need a box
which could be inserted between devices and transparently capture
all transmit and receive traffic. Wireshark only covers the
cases, where a computer is at one end of the link.

Paul
 
MikeM said:
For the past few days the internet activity monitor has been solid
green whenever my router is switched on and connecting to broadband.
When I first noticed it the duration was nearly 4 hours. I had been
leaving the router on 24\7 since I got it and the icons didn't show
continuous activity unless I was uploading or downloading something.
Task Manager doesn't show any unusual programs active.

I am using XP, there is a firewall in the router and I have Trend
Micro firewall enabled and just now enabled the Windows firewall.
Scans with PC-Cillin, AdAware haven't found any problems. How can I
check which program is sending/receiving?

Thanks
Mike
Click to expand...

You running a Torrent client?
 
A couple of hours ago I ran the free version of AVG. It didn't find
anything, but while it was running PC-Cillin gave 3 warnings of Adware
Cydoor that I removed. Since then the activity monitor has stopped
glowing, but there is still some activity, but apparently not as much.

I download Wireshark but when I try run it, it crashes.

Mike
 
MikeM said:
A couple of hours ago I ran the free version of AVG. It didn't find
anything, but while it was running PC-Cillin gave 3 warnings of Adware
Cydoor that I removed. Since then the activity monitor has stopped
glowing, but there is still some activity, but apparently not as much.

I download Wireshark but when I try run it, it crashes.

Mike
Click to expand...

My spider sense is tingling...

I wonder what other malware is hiding in there.

Paul
 
MikeM said:
A couple of hours ago I ran the free version of AVG. It didn't find
anything, but while it was running PC-Cillin gave 3 warnings of Adware
Cydoor that I removed. Since then the activity monitor has stopped
glowing, but there is still some activity, but apparently not as much.

I download Wireshark but when I try run it, it crashes.

Mike
Click to expand...

You tried running Adaware and Spybot as well? Might be worth a go.
 
Since my last post PC-Cillin has has quarantined many copies of
Adware_MemWatch.

I have run AdAware and Spybot. Spybot didn't find anything but AdAware
found 25 tracking cookies, as usual when I do any surfing. I run it
every time I finish for the day.

So far still activity monotor still not green, just small red dots at
the bottom of the activity monitor and the router led is blinking.

Mike
 
For the past few days the internet activity monitor has been solid
green whenever my router is switched on and connecting  to broadband.
When  I first noticed it the duration was nearly 4 hours. I had been
leaving the router on 24\7 since I got it and the icons didn't show
continuous activity unless I was uploading or downloading something.
Task Manager doesn't show any unusual programs active.

I am using XP, there is a firewall in the router and I have Trend
Micro firewall enabled and just now enabled the Windows firewall.
Scans with PC-Cillin, AdAware haven't found any problems. How can I
check which program is sending/receiving?

Thanks
Mike
Click to expand...

You've had a good suggestion in shutting down all processes one by one
already to see what's misbehaving. Preventing startup of the baddie in
msconfig or Autoruns should do it.

If you've still got problems, a simple option is to reinstall the OS.
Very often messed up OSes are either beyond repair or the work
required is excessive. Be sure to recover all drivers first, backup
data, check your OS install cd/hdd is ok, and wipe out the hdd data
structure totally to get rid of everything that might lurk. If you
hahve a spare hdd you can install OS on that before wiping the first
hdd - but only have one of them in the machine at any one time.


NT
 
The PC-Cillin scan found a lot of trojans that weremn't picked up by
Spybot. When it finished I rebooted and now only the local network
activity monitor is solid. Other computers on the network are not on.
And the router is still blinking.

The status of the Internet activity monitor shows my computer as
sending and receiving continuously but the internet gateway and
internet show no activity.

For the local network monitor the status shows packets are being sent
and received, even with no computers on the local network being
switched on. I switched one on and its status showed a bit of activity
but now shows no activity, even though the status on my main computer
still shows send and receive activity.

Does this sound like some sort of loop someone mentioned?
 
The PC-Cillin scan found a lot of trojans that weremn't picked up by
Spybot. When it finished I rebooted and now only the local network
activity monitor is solid. Other computers on the network are not on.
And the router is still blinking.

The status of the Internet activity monitor shows my computer as
sending and receiving continuously but the internet gateway and internet
show no activity.

For the local network monitor the status shows packets are being sent
and received, even with no computers on the local network being switched
on. I switched one on and its status showed a bit of activity but now
shows no activity, even though the status on my main computer still
shows send and receive activity.

Does this sound like some sort of loop someone mentioned?
Click to expand...

It could just be ARP and UPNP traffic. To prove it, try re-installing
Wireshark. If PC-Cillin has indeed removed some malware, wireshark may be
able to hook the TCP stack sucessfully this time. If you are successful,
post the packet trace. Make sure no internet applications are running so
that the trace doesn't contain lots of crap.
 
Wireshark still won't run.

Mike


It could just be ARP and UPNP traffic. To prove it, try re-installing
Wireshark. If PC-Cillin has indeed removed some malware, wireshark may be
able to hook the TCP stack sucessfully this time. If you are successful,
post the packet trace. Make sure no internet applications are running so
that the trace doesn't contain lots of crap.
Click to expand...
 
Back
Top