AnimeSuki Forums

Register Forum Rules FAQ Members List Social Groups Search Today's Posts Mark Forums Read

Go Back   AnimeSuki Forum > Support > Tech Support

Notices

Reply
 
Thread Tools
Old 2009-08-14, 07:31   Link #1
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 44
Unknown traffic

Ok recently I noticed that when I closed all my programs I still had traffic in download and upload in DU meter. I simply don't now what program is doing that traffic. I got all automatic updates turned off except for the java and firefox.

I checked with hijackthis and nothing unusual was there.
From netstat -a -b
*********************************************
Ligações activas

Proto Endereço local Endereço externo Estado PID
TCP silvermoon:epmap silvermoon:0 LISTENING 1096
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- componente(s) desconhecido(s)--
[svchost.exe]

TCP silvermoon:microsoft-ds silvermoon:0 LISTENING 4
[System]

TCP silvermoon:1025 silvermoon:0 LISTENING 1592
[LEXPPS.EXE]

TCP silvermoon:1026 silvermoon:0 LISTENING 1240
[alg.exe]

TCP silvermoon:5152 silvermoon:0 LISTENING 1744
[jqs.exe]

TCP silvermoon:1048 fx-in-f147.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1049 fx-in-f138.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1050 fx-in-f138.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1051 fx-in-f138.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1052 fx-in-f118.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1053 fx-in-f118.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1063 fk-in-f100.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1077 fx-in-f101.google.com:http ESTABLISHED 3640

[firefox.exe]

TCP silvermoon:1084 dl.xs4all.nl:ftp ESTABLISHED 3640
[firefox.exe]

TCP silvermoon:1087 dl.xs4all.nl:54763 ESTABLISHED 3640
[firefox.exe]

TCP silvermoon:1043 localhost:1044 ESTABLISHED 3640
[firefox.exe]

TCP silvermoon:1044 localhost:1043 ESTABLISHED 3640
[firefox.exe]

TCP silvermoon:1046 localhost:1047 ESTABLISHED 3640
[firefox.exe]

TCP silvermoon:1047 localhost:1046 ESTABLISHED 3640
[firefox.exe]

TCP silvermoon:5152 localhost:1045 CLOSE_WAIT 1744
[jqs.exe]

TCP silvermoon:1054 freedommail.dlook.com:http TIME_WAIT 0
TCP silvermoon:1075 freedommail.dlook.com:http TIME_WAIT 0
UDP silvermoon:4500 *:* 804
[lsass.exe]

UDP silvermoon:10000 *:* 1148
[vsserv.exe]

UDP silvermoon:microsoft-ds *:* 4
[System]

UDP silvermoon:isakmp *:* 804
[lsass.exe]

UDP silvermoon:ntp *:* 1216
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP silvermoon:1900 *:* 1300
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP silvermoon:1900 *:* 1300
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP silvermoon:ntp *:* 1216
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
*********************************************


The lines after lsass.exe worries me. Can anyone help?
BTW, this is the netstat when the problem happened. I turned off the net. :/


Edit: I got winxp sp3 using bitdefender total security 2009

Edit2: -- componente(s) desconhecido(s)-- Means unknown component. Well... the OS is in portuguese.

Edit3: Crap... there is tab that monitor traffic in bitdefender... oh well... I check the situation after that unknown traffic appears again.
__________________

Last edited by Tiberium Wolf; 2009-08-14 at 08:04.
Tiberium Wolf is offline   Reply With Quote
Old 2009-08-14, 13:11   Link #2
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 38
A bit of traffic here and there is normal, especially if it's in the speed range of bytes per second (a few KB/s is probably OK, too). Back when I ran Windows, svchost.exe often tried to access the internet, as well. Not sure why, but I eventually just blocked its access to the internet with my firewall. No negative effects, but your mileage may vary.

I don't see anything particularly unusual there, but I profess that I'm not accustomed to reading hijackthis logs. If you're worried about it, you may want to consider doing the same as I did through your firewall.
__________________
Ledgem is offline   Reply With Quote
Old 2009-08-14, 13:33   Link #3
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 44
Well... I don't usually have du metter window always on so I don't see the speeds. Using freaking 15' monitor now coz I dont have money to buy a new one. I do have limit of 6GB per month and 7h per day of unlimited traffic. I happen to see 1 of those days that I've spent 700MB of the monthly limit. A process must have dled something. Dunno what could have generated so much traffic. I have scanned the computer for virus and adware... and nothing.
__________________

Last edited by Tiberium Wolf; 2009-08-14 at 14:04.
Tiberium Wolf is offline   Reply With Quote
Old 2009-08-14, 18:37   Link #4
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 40
Send a message via ICQ to Epyon9283 Send a message via AIM to Epyon9283
The only open connections in that netstat output seem to be from Firefox. Most everything else is just a process listening on a port.

If you really want to see the network traffic you'll have to use a packet sniffer like Wireshark.
Epyon9283 is offline   Reply With Quote
Old 2009-08-14, 18:44   Link #5
martino
makes no files now
 
 
Join Date: May 2006
Quote:
Originally Posted by Ledgem View Post
A bit of traffic here and there is normal, especially if it's in the speed range of bytes per second (a few KB/s is probably OK, too). Back when I ran Windows, svchost.exe often tried to access the internet, as well. Not sure why, but I eventually just blocked its access to the internet with my firewall. No negative effects, but your mileage may vary.

I don't see anything particularly unusual there, but I profess that I'm not accustomed to reading hijackthis logs. If you're worried about it, you may want to consider doing the same as I did through your firewall.
I believe svchost.exe has something to do with Windows Updates, to some extent, so maybe hence why the traffic.
__________________
"Light and shadow don't battle each other, because they're two sides of the same coin"
martino is offline   Reply With Quote
Old 2009-08-14, 18:46   Link #6
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 40
Send a message via ICQ to Epyon9283 Send a message via AIM to Epyon9283
Quote:
Originally Posted by martino View Post
I believe svchost.exe has something to do with Windows Updates, to some extent, so maybe hence why the traffic.
svchost.exe is a generic service host. It hosts most services running in windows.
Epyon9283 is offline   Reply With Quote
Old 2009-08-19, 10:24   Link #7
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 44
Damn... it happen again and I still wasn't able to figure out what was generating download traffic. Bitdefender didn't show witch process was generating traffic. God! Can anyone help? If I could know which process was doing it I could be a big help.
__________________
Tiberium Wolf is offline   Reply With Quote
Old 2009-08-19, 11:49   Link #8
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 40
Send a message via ICQ to Epyon9283 Send a message via AIM to Epyon9283
How much traffic are you seeing? Is your machine directly connected to the internet or is it behind a firewall? If it's behind a firewall is it on a network with a lot of other computers?
Epyon9283 is offline   Reply With Quote
Old 2009-08-19, 12:06   Link #9
Renegade334
Sleepy Lurker
*Graphic Designer
 
 
Join Date: Jul 2006
Location: Nun'yabiznehz
Age: 38
Quote:
Originally Posted by Tiberium Wolf View Post
Damn... it happen again and I still wasn't able to figure out what was generating download traffic. Bitdefender didn't show witch process was generating traffic. God! Can anyone help? If I could know which process was doing it I could be a big help.
...Normally BitDefender SHOULD be displaying which module/object is generating traffic in the 'activity' tab (that is, if they haven't once again overhauled the entire GUI and hid this somewhere inside the 'expert' mode interface). Mine is even showing svchost (0kb uploaded, 0kb downloaded), which is perfectly normal (in XP Pro, I have four-five svchost processes active at all times - perfectly benign) as well as lsass (0kb, 0kb), which normally should be a security policy-related process.

HOWEVER, I suspect that BD only inventories still-active processes and ditches the logs for the items that are no longer receiving/emitting, which might be why the activity tab remains laconic on this matter.

A more thorough firewall with (possibly) better logging routines would be Agnitum Outpost Firewall Free Edition - I do hear good things about it, but only from people who know what they're doing with it, not from people who adhere to the 'configure-it-once-and-then-forget-about-it' principle (*glances at Symantec products*). If you don't want to be finicky with it, then keep clear from it.
__________________
<< -- Click to enter my (dead) GFX thread.

Last edited by Renegade334; 2009-08-19 at 12:22.
Renegade334 is offline   Reply With Quote
Old 2009-08-19, 13:17   Link #10
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 44
My pc is connected to a modem... those 3G ones :P. The traffic speed it doesn't matter... It's generating some and eating my monthly limit. Today was 50KB/s. I did shutdown all my usual programs and it still continued. The bitdefender didn't show any of the active processes doing anything nor the inactives... . I dont feel like uninstalled and installing another firewall. I pretty much checked everything and I dont see anything strange in the processes or whatever it starts with windows start up. And this annoys me since I can't seem to see what is generating this traffic out of MY CONTROL! I even installed some programs that could identify the processes and they all seem safe like Hijackthis said also.
__________________
Tiberium Wolf is offline   Reply With Quote
Old 2009-08-19, 14:49   Link #11
Dreamtale
Recursion...
 
Join Date: Jul 2009
Location: Russia, Moscow
Age: 38
Something lives in your svchost it's pretty common thing. Antispyware/antivirus could save the day. Or just kill OS (most easy way)
Dreamtale is offline   Reply With Quote
Old 2009-08-19, 15:44   Link #12
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 40
Send a message via ICQ to Epyon9283 Send a message via AIM to Epyon9283
Was this 50KB/sec up or down? Anyway, I would still suggest using Wireshark the next time you notice this occurring so you can see what the traffic is.
Epyon9283 is offline   Reply With Quote
Old 2009-08-19, 15:57   Link #13
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 44
50KB/s down... I'll check on Wireshark tomorrow.

I did a scan with spybot only thing found are the usually cookies things... I know all of them. Bitdefender virus scan and nothing too.
__________________
Tiberium Wolf is offline   Reply With Quote
Old 2009-08-19, 16:04   Link #14
Dreamtale
Recursion...
 
Join Date: Jul 2009
Location: Russia, Moscow
Age: 38
Then it seets deeply in the system... Maybe some update tools?

If it was me, i'll try outpost firewall (someone told about it early). If there is no visible activity, then reinstall OS... I think it's some kind of worm who lives in svchost though...
Dreamtale is offline   Reply With Quote
Old 2009-08-20, 09:28   Link #15
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 47
I use to know that Windows XP, by default, sets aside some 20% of bandwidth for its own use. It's found in the Group Policy, and is known as the "Limit Reservable Bandwidth" setting.

1.) Run "gpedit.msc" from the Start menu.
2.) Go down to this branch after the console loads up:
Local Computer Policy > Computer Configuration > Administrative Templates > QoS Packet Scheduler

Also, try getting ProcessExplorer because it also scopes out which processes are using bandwidth and where it's connected to.
__________________
sa547 is offline   Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 03:40.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
We use Silk.