My computer is always transferring data even if I'm not doing anything?

Discussion in 'OT Technology' started by 2die4, Aug 31, 2004.

  1. 2die4

    2die4 New Member

    Joined:
    Mar 11, 2004
    Messages:
    711
    Likes Received:
    0
    Location:
    Sydney, Australia
    Howdy

    I have a slight problem with the internet. It seems no matter what I do my computer is sending and receiving data non-stop, even when I'm not actively using the internet. This slows me down when I'm surfing the web. I have HijackThis, would posting a log help?

    Any help will be greatly appreciated.

    Note: I have Norton AutoProtect running in the background. I've run Ad-Aware and Spybot.
     
  2. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    When you're not doing anything, go to Start -> Run -> cmd and type netstat -an at the prompt. These are your active connections to people on the net. You can track them down by ping -a xxx.xxx.xxx.xxx to find out where they go (-a will resolve the name). You can also tracert xxx.xxx.xxx.xxx the IP, which will show you the paths that the traffic is going (sometimes the final destination doesn't reveal anything but the path does). Anything that you're not aware of is most likely spyware, at which point you can go to the effort of figuring out what kind it is.
     
  3. 2die4

    I'm an engineer but I have no clue on network engineering so I'll explain it as best as I can.

    When I netstat -an I get a first column with tcp, then a second column of numbers and a third column of numbers followed by a status (listening, syn_sent etc).

    DOS prompt is weird, so when all this info is displayed the first entry occupies the top line of the DOS prompt, so I don't see any headings.

    I'm assuming the middle left column is me and the middle right column is somewhere else.

    All numbers in both columns start 210.50.xxx.xxx:xxx but in my column this can further be extended to 210.50.176.82:xxxxx with the x's counting up (sort of).

    In the other column the numbers following the entries beginning 210.50 are random except for these entries: 140.164.26.100:6667 and 128.253.97.112:9136

    It seems I can't punch in the 6667 and 9136 so I get

    140.164.26.100 www.geomare.na.cnr.it.edu
    128.253.97.112 r253097112.resnet.cornell

    Both of these have the established tag.

    There are about forty other entries with the syn_sent tag; are these of significance (these begin 210.50)?
     
  4. 2die4

    I'm getting so frustrated, internet takes 5 mins to load a page, here's my HijackThis log if it's of any assistance.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\rpcxctx.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\d\oldwinamp\winamp.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\msnmsgr.exe
    D:\d\downloads\SpywareRemoval\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Microsoft Update] msnmsgr.exe
    O4 - HKLM\..\Run: [MSVsmt] rpcxctx.exe
    O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
    O4 - HKLM\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgr.exe
    O4 - HKLM\..\RunServices: [MSVsmt] rpcxctx.exe
    O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
    O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update] msnmsgr.exe
    O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
    O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{29ECFD4C-2203-4766-9966-6537B425D676}: NameServer = 203.134.64.66 203.134.65.66
     
  5. 5Gen_Prelude

    The 210.xxx.xxx.xxx is probably your IP address so obviously that's okay (you can check it by typing in ipconfig). There's a scroll bar on the right - or there should be - on the DOS window. I'm interested in the two that you did point out though - port 6667 is an IRC port - unless you are talking to someone, that's a sure sign of spyware or trojan ware - i.e. someone's hijacked your computer and is probably using it for DoS attacks on other people.

    So yes, you need to run all of those cleaners and get yourself a firewall (download ZoneAlarm for starters).
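
Added example, not part of any post in this thread: the `netstat -an` check from the replies above, automated in Python. It counts TCP states and flags established connections to the IRC port and a wide fan-out of SYN_SENT attempts. The sample text is constructed; the two ESTABLISHED remotes are the ones quoted in the thread, while the SYN_SENT rows, the expected-port list and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample shaped like the output described in the thread. The SYN_SENT
# rows (addresses and port 445) are made up for illustration.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    210.50.176.82:1034     140.164.26.100:6667    ESTABLISHED
  TCP    210.50.176.82:1040     128.253.97.112:9136    ESTABLISHED
  TCP    210.50.176.82:2101     210.50.12.7:445        SYN_SENT
  TCP    210.50.176.82:2102     210.50.98.201:445      SYN_SENT
  TCP    210.50.176.82:2103     210.50.143.66:445      SYN_SENT
  TCP    210.50.176.82:2104     210.50.230.19:445      SYN_SENT
  UDP    0.0.0.0:500            *:*
"""

ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+([A-Z_0-9]+)\s*$")
IRC_PORTS = {6667}                 # the port called out in the thread
EXPECTED_PORTS = {80, 443, 8080}   # assumption: web plus the proxy port in the posted log
SYN_SENT_FANOUT = 3                # assumption: distinct unanswered targets worth a look

def triage(text):
    """Return (state counts, findings) for `netstat -an` text; non-TCP rows are skipped."""
    states, findings, syn_targets = Counter(), [], set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        remote_ip, remote_port, state = m.group(1), int(m.group(2)), m.group(3)
        states[state] += 1
        if state == "ESTABLISHED" and remote_port in IRC_PORTS:
            findings.append(("irc", remote_ip, remote_port))
        elif state == "ESTABLISHED" and remote_port not in EXPECTED_PORTS:
            findings.append(("unexpected-port", remote_ip, remote_port))
        elif state == "SYN_SENT":
            syn_targets.add(remote_ip)  # SYN sent, no answer yet
    if len(syn_targets) >= SYN_SENT_FANOUT:
        findings.append(("syn-sent-fanout", len(syn_targets), None))
    return states, findings

if __name__ == "__main__":
    states, findings = triage(SAMPLE)
    print(dict(states))
    for finding in findings:
        print(finding)
```

On a real host, save the output with `netstat -an > conns.txt` while the machine is idle and pass the file contents to `triage`.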
     
  6. 2die4

    Sorry for being a pest, but when I restarted the computer I got two separate messages that a program wanted to connect to these two addresses:


    00.spazbox.net

    owjgp.gamezmax.net
     
  7. 2die4

    Thank you for the help.:bowdown:
     
  8. 5Gen_Prelude

    What was requesting? Does that mean you did download ZoneAlarm and run it? Then it's doing its job - stopped two programs from accessing the interweb. This doesn't clean your computer of the pests, but it should stop them from tying up the line.
     
  9. 2die4

    No, this was before I downloaded ZoneAlarm; Windows informed me of this. ZoneAlarm did advise several processes were trying to access the net. One of these I was real sus about is winmon32.exe; it appears several times in my HijackThis log. Shall I post all processes that try to access the net?
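
Added example, not part of any post in this thread: a Python pass over the O4 (autorun) lines of the HijackThis log posted above, listing every executable that is given without a directory and is registered under two or more autorun keys. This is a triage heuristic that says which entries to examine first, not a verdict; the function names are hypothetical.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log posted in the thread (subset).
LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update] msnmsgr.exe
O4 - HKLM\..\Run: [MSVsmt] rpcxctx.exe
O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgr.exe
O4 - HKLM\..\RunServices: [MSVsmt] rpcxctx.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msnmsgr.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
"""

O4 = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$')

def image_of(command):
    """First token of the command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def repeated_bare_autoruns(log, min_keys=2):
    """Map bare image name -> autorun keys, for names set in >= min_keys keys."""
    keys = defaultdict(set)
    for line in log.splitlines():
        m = O4.match(line.strip())
        if not m:
            continue  # not a registry autorun line
        hive, key, _value, command = m.groups()
        image = image_of(command)
        if "\\" not in image:  # no directory given, so it is found via the search path
            keys[image.lower()].add(hive + "\\" + key)
    return {i: sorted(k) for i, k in keys.items() if len(k) >= min_keys}

if __name__ == "__main__":
    for image, where in sorted(repeated_bare_autoruns(LOG).items()):
        print(f"{image:16} {len(where)} keys: {', '.join(where)}")
```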
     
  10. Little Spunky $#!T

    Little Spunky $#!T :cool:

    Joined:
    Jul 16, 2001
    Messages:
    3,539
    Likes Received:
    0
    You may also have a virus that is sending out data constantly......

    Boot into safe mode, and do a virus scan to make sure you are virus free.
     
