2009-08-14, 07:31 | Link #1 |
Senior Member
Join Date: Dec 2004
Location: Portugal
Age: 44
Unknown traffic
Ok, recently I noticed that when I closed all my programs I still had download and upload traffic in DU Meter. I simply don't know what program is generating that traffic. I have all automatic updates turned off except for Java and Firefox.
I checked with HijackThis and nothing unusual was there. From netstat -a -b:
*********************************************
Active connections

Proto  Local Address              Foreign Address               State        PID
TCP    silvermoon:epmap           silvermoon:0                  LISTENING    1096
       c:\windows\system32\WS2_32.dll
       C:\WINDOWS\system32\RPCRT4.dll
       c:\windows\system32\rpcss.dll
       C:\WINDOWS\system32\svchost.exe
       -- componente(s) desconhecido(s)--
       [svchost.exe]
TCP    silvermoon:microsoft-ds    silvermoon:0                  LISTENING    4
       [System]
TCP    silvermoon:1025            silvermoon:0                  LISTENING    1592
       [LEXPPS.EXE]
TCP    silvermoon:1026            silvermoon:0                  LISTENING    1240
       [alg.exe]
TCP    silvermoon:5152            silvermoon:0                  LISTENING    1744
       [jqs.exe]
TCP    silvermoon:1048            fx-in-f147.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1049            fx-in-f138.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1050            fx-in-f138.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1051            fx-in-f138.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1052            fx-in-f118.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1053            fx-in-f118.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1063            fk-in-f100.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1077            fx-in-f101.google.com:http    ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1084            dl.xs4all.nl:ftp              ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1087            dl.xs4all.nl:54763            ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1043            localhost:1044                ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1044            localhost:1043                ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1046            localhost:1047                ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:1047            localhost:1046                ESTABLISHED  3640
       [firefox.exe]
TCP    silvermoon:5152            localhost:1045                CLOSE_WAIT   1744
       [jqs.exe]
TCP    silvermoon:1054            freedommail.dlook.com:http    TIME_WAIT    0
TCP    silvermoon:1075            freedommail.dlook.com:http    TIME_WAIT    0
UDP    silvermoon:4500            *:*                                        804
       [lsass.exe]
UDP    silvermoon:10000           *:*                                        1148
       [vsserv.exe]
UDP    silvermoon:microsoft-ds    *:*                                        4
       [System]
UDP    silvermoon:isakmp          *:*                                        804
       [lsass.exe]
UDP    silvermoon:ntp             *:*                                        1216
       c:\windows\system32\WS2_32.dll
       c:\windows\system32\w32time.dll
       ntdll.dll
       C:\WINDOWS\system32\kernel32.dll
       [svchost.exe]
UDP    silvermoon:1900            *:*                                        1300
       c:\windows\system32\WS2_32.dll
       c:\windows\system32\ssdpsrv.dll
       ntdll.dll
       C:\WINDOWS\system32\kernel32.dll
       [svchost.exe]
UDP    silvermoon:1900            *:*                                        1300
       c:\windows\system32\WS2_32.dll
       c:\windows\system32\ssdpsrv.dll
       ntdll.dll
       C:\WINDOWS\system32\kernel32.dll
       [svchost.exe]
UDP    silvermoon:ntp             *:*                                        1216
       c:\windows\system32\WS2_32.dll
       c:\windows\system32\w32time.dll
       ntdll.dll
       C:\WINDOWS\system32\kernel32.dll
       [svchost.exe]
*********************************************
The lines after lsass.exe worry me. Can anyone help? BTW, this is the netstat from when the problem happened. I turned off the net. :/
Edit: I have WinXP SP3, using BitDefender Total Security 2009.
Edit2: "-- componente(s) desconhecido(s)--" means "unknown component(s)". Well... the OS is in Portuguese.
Edit3: Crap... there is a tab that monitors traffic in BitDefender... oh well... I'll check the situation after that unknown traffic appears again.
Last edited by Tiberium Wolf; 2009-08-14 at 08:04.
2009-08-14, 13:11 | Link #2 |
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
A bit of traffic here and there is normal, especially if it's in the speed range of bytes per second (a few KB/s is probably OK, too). Back when I ran Windows, svchost.exe often tried to access the internet, as well. Not sure why, but I eventually just blocked its access to the internet with my firewall. No negative effects, but your mileage may vary.
I don't see anything particularly unusual there, but I profess that I'm not accustomed to reading hijackthis logs. If you're worried about it, you may want to consider doing the same as I did through your firewall.
2009-08-14, 13:33 | Link #3 |
Senior Member
Join Date: Dec 2004
Location: Portugal
Age: 44
Well... I don't usually have the DU Meter window always on, so I don't see the speeds. Using a freaking 15" monitor now because I don't have money to buy a new one. I have a limit of 6GB per month and 7h per day of unlimited traffic. I happened to see on one of those days that I'd spent 700MB of the monthly limit. A process must have downloaded something. Dunno what could have generated so much traffic. I have scanned the computer for viruses and adware... and nothing.
Last edited by Tiberium Wolf; 2009-08-14 at 14:04.
2009-08-14, 18:44 | Link #5 |
makes no files now
Join Date: May 2006
2009-08-19, 10:24 | Link #7 |
Senior Member
Join Date: Dec 2004
Location: Portugal
Age: 44
Damn... it happened again and I still wasn't able to figure out what was generating download traffic. BitDefender didn't show which process was generating the traffic. God! Can anyone help? If I could know which process was doing it, it would be a big help.
2009-08-19, 12:06 | Link #9 |
Sleepy Lurker
Graphic Designer
Join Date: Jul 2006
Location: Nun'yabiznehz
Age: 38
HOWEVER, I suspect that BD only inventories still-active processes and ditches the logs for the items that are no longer receiving/emitting, which might be why the activity tab remains laconic on this matter. A more thorough firewall with (possibly) better logging routines would be Agnitum Outpost Firewall Free Edition - I do hear good things about it, but only from people who know what they're doing with it, not from people who adhere to the 'configure-it-once-and-then-forget-about-it' principle (*glances at Symantec products*). If you don't want to be finicky with it, then keep clear from it.
Last edited by Renegade334; 2009-08-19 at 12:22.
2009-08-19, 13:17 | Link #10 |
Senior Member
Join Date: Dec 2004
Location: Portugal
Age: 44
My PC is connected to a modem... one of those 3G ones :P. The traffic speed doesn't matter... it's generating some and eating my monthly limit. Today it was 50KB/s. I shut down all my usual programs and it still continued. BitDefender didn't show any of the active processes doing anything, nor the inactive ones... I don't feel like uninstalling and installing another firewall. I pretty much checked everything and I don't see anything strange in the processes or in whatever starts with Windows startup. And this annoys me, since I can't seem to see what is generating this traffic out of MY CONTROL! I even installed some programs that could identify the processes and they all seem safe, as HijackThis said too.
2009-08-19, 16:04 | Link #14 |
Recursion...
Join Date: Jul 2009
Location: Russia, Moscow
Age: 38
Then it sits deep in the system... Maybe some update tools?
If it were me, I'd try Outpost Firewall (someone mentioned it earlier). If there is no visible activity, then reinstall the OS... I think it's some kind of worm that lives in svchost, though...
2009-08-20, 09:28 | Link #15 |
Senior Member
Author
Join Date: Oct 2007
Location: Philippines
Age: 47
I used to know that Windows XP, by default, sets aside some 20% of bandwidth for its own use. It's found in the Group Policy, and is known as the "Limit Reservable Bandwidth" setting.
1.) Run "gpedit.msc" from the Start menu.
2.) Go down to this branch after the console loads up: Local Computer Policy > Computer Configuration > Administrative Templates > QoS Packet Scheduler
Also, try getting Process Explorer, because it also scopes out which processes are using bandwidth and where they're connected to.