My Pc Sends Data Out When I Log On, What Is It And Where's It Going


28 replies to this topic

#1 KeithH (Members, 27 posts)

Posted 18 February 2008 - 04:18 AM

My PC takes ages to load up and during the startup sequence I notice that the LED on my memory stick flashes a lot. Once it has loaded, when I go on-line, it takes ages for Thunderbird to load and I notice that it sends over 100k to someone. How do I find out what it is and where it is going to? Am I correct in assuming my PC has been 'got at' in some way. While this is happening, I have looked at Task Manager and nothing shows to be going on. Another 30k has gone out while I have been typing this?!?


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,288 posts, Virginia, USA)

Posted 18 February 2008 - 12:53 PM

Are you saying that Thunderbird or something unknown on your pc is sending out data? What information is your firewall giving you?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.

#3 KeithH (Topic Starter, Members, 27 posts)

Posted 18 February 2008 - 05:28 PM

I use Kaspersky for anti-virus and Spybot for spyware. Am I being naive - should I be using something else? If so, can you recommend something?

#4 KeithH (Topic Starter, Members, 27 posts)

Posted 18 February 2008 - 05:32 PM

Sorry, forgot the Thunderbird question. All this goes on before I kick off anything other than getting on-line so nothing should be running that I am aware of.

I am using a Dell Dimension L800r running W2000

#5 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 18 February 2008 - 06:27 PM

Hello KeithH,

Do you have a firewall installed? If so, which one? If so, can you read the logs to see what program is sending out information at the time in question?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 KeithH (Topic Starter, Members, 27 posts)

Posted 19 February 2008 - 08:18 PM

Hi Orange Blossom,

I didn't have a firewall and I noticed you used Sunbelt Personal so I downloaded it, but I am not sure how to interpret what is going on. Also, why is my memory stick so active at start-up?

#7 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 19 February 2008 - 10:52 PM

Hello KeithH,

Here is a tutorial about firewalls which should help you understand what's going on. Did you download Sunbelt's user manual for their firewall? It's filled with information about how to set up the program and interpret what you see.
-------
As for the USB stick, I don't know why it's active. As a security measure, I always stop my USB drives and remove them before logging off or shutting down. Excepting for one time, I've never booted up with them in. That one time, I did notice that the light would flash quite a bit. I think this was caused by the computer recognizing the drive and making the files available and possibly security products scanning it.

NOTE: For security purposes, it is wise to disable auto-play.

Have you run any AV or anti-spyware scans?

Orange Blossom :thumbsup:

#8 KeithH (Topic Starter, Members, 27 posts)

Posted 20 February 2008 - 05:02 PM

Hi Orange Blossom,

I have run both Kaspersky AV and SpyBOT and neither show a problem but my machine stays as slow as anything of late.
I have run defrag and ccleaner registry check and all would appear clear except for one thing. Sunbelt shows 8 connected in and out and 12 listening, yet only shows 7 line items (4 of which have little snakes (virus?) against their content when expanded).
Is something hiding itself?

I will download the manual tonight but in the mean time if you can suggest anything to look at more closely, I will appreciate it.

Keith

I just noticed the connected out go to 9 for a while then drop back to 8, while the connected in stayed at 8 and listeners remained at 12 and the line items remained at 7

Edited by KeithH, 20 February 2008 - 05:05 PM.


#9 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 20 February 2008 - 10:54 PM

Hello KeithH,

What you were looking at were the ports that were receiving and sending. What is more pertinent in relation to what your computer is sending out is the network log file. To see this, double-click on the blue firewall icon in the system tray, then click on Logs and Alerts, then click on the Logs tab at the top if it isn't already on top, then click on the Network tab at the bottom. Now you will see what applications are sending out and receiving, which are blocked and allowed, and the IP addresses of the remote points. Sometimes the firewall will identify the IP by name. You can look up the IP addresses on the internet to find out what they go to. It is in these logs that you will discover what is sending out 100K to someone. Is it Thunderbird that's sending it out? That was a question quietman7 asked earlier, triggered by this statement:

it takes ages for Thunderbird to load and I notice that it sends over 100k to someone.


Additional question: Is it necessary for Thunderbird to load at boot-up? My preference is to limit the number of programs that load at boot-up and only open them as needed. The more programs that load at boot-up, the longer it takes to boot.

Orange Blossom :thumbsup:

#10 KeithH (Topic Starter, Members, 27 posts)

Posted 21 February 2008 - 06:34 AM

Hi Orange Blossom,

My phrasing misled you. I don't load Thunderbird at boot up. I only load Kaspersky AV and now Sunbelt. Stuff gets sent as soon as I connect to the net - I suppose it could be Kaspersky AV but I don't know.

If I click on the + sign against it in Overview it shows 2 lines (both with the grey serpent in front):
All: 19780
All: 1110

What are these, and why is the first one different from all the others in magnitude?

I followed your route into Logs/Network and it is empty. Is this because I have not ticked something somewhere, or because I am using the 30 day trial version and have yet to register? As I am typing this Sunbelt is once again showing 8 connected in & out, 12 listeners and only 7 line items in Overview.

Keith

#11 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 22 February 2008 - 02:04 AM

Hello KeithH,

Really, your best bet is to read the manual which will explain how to configure it and understand the program. I've had mine installed so long that I don't really remember what I did and would have to read the manual myself.

I'm not sure what those numbers are. I think those are local port numbers, but I'm not sure. I have far more entries in my Overview, and they are divided by program.

Once you have configured the program you will be able to see what program is connecting to the internet and sending or receiving data.

I know on MY computer, if I didn't block it, Windows Genuine Advantage would always send data as soon as I connect to the internet. If I hadn't removed the Java Updater from start-up, that too would send and receive data at boot up or rather as soon as I connect to the internet. My AV and BOCleaner do send and receive data as soon as I connect to the internet.

Orange Blossom :thumbsup:

#12 KeithH (Topic Starter, Members, 27 posts)

Posted 23 February 2008 - 10:54 AM

Hi Orange Blossom

Well, I finally got network logging to work and all manner of things showed up.

The first thing that I found was that avp.exe (something to do with Kaspersky Virus Checker) seems to be the process that is attempting to send things out that I have no knowledge of.

Here is a list of some of the things that my PC tried to connect to without me touching it:

194.145.148.243 big-bam-1.inet.ntl.com
192.221.106.123 ***???
65.55.13.190 ***???
8.12.136.30 ***???
207.46.209.124 ***???
65.55.185.29 ***???
65.55.13.190 ***???
65.55.184.157 ***???
63.245.213.11 static-mozcom.nllb01.nl.mozilla.com
63.245.12.190 63.245.12.190.cstmr.multidatahn.net
218.10.137.142 ***???
24.64.240.145 S01060017ee8ee0ca.cg.shawcable.net
24.64.18.32 ***???
24.64.4.160 ***???


66.249.93.91 ug-in-f91.google.com
64.233.183.147 nf-in-f147.google.com
74.125.77.104 ew-in-f104.google.com
24.64.240.145 S01060017ee8ee0ca.cg.shawcable.net
24.64.181.57 S01060050babda4a4.lb.shawcable.net
81.165.34.246 d51A522F6.access.telenet.be
24.64.124.141 S01060080ad7a23e9.cg.shawcable.net
216.55.244.38 pap-a38.conexion.com.py
24.64.18.156 ***???
66.249.93.100 ug-in-f100.google.com
64.233.183.99 nf-in-f99.google.com
63.245.213.21 static-fxfeeds.nllb.nl.mozilla.com
72.14.217.91 bu-in-f91.google.com
24.64.52.232
64.233.183.99 nf-in-f99.google.com

There's loads more, but how do I work out what to do next? Just because it says avp.exe is responsible for the attempt, is it to blame itself or are things driving via it?

As an extra bit of concern, Sunbelt was closed down by something a couple of times and while I worked offline for about an hour yesterday morning something tried to connect me to the net automatically about 5 times.

The very first thing in the list above is some sort of internet war game which I have never looked at or got involved in. How come something on my PC is trying to connect with that? Is my pc hosting something?

The plot thickens!!

Edited by KeithH, 23 February 2008 - 11:07 AM.


#13 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 23 February 2008 - 03:18 PM

Hello KeithH,

Are you certain these are all OUT-going connection attempts? Or are some of these IN-coming connection attempts?

avp.exe is part of Kaspersky. Do you have Kaspersky set up to do automatic updates? Which specific IP's is avp.exe trying to connect to?

Here is a tutorial that explains IP addresses. It will provide you with more information about what KIND of IP is trying to connect or that your computer is trying to connect to.

Hmm. Programs on the computer that you haven't run . . .

Just to see if something is lurking, let's see what SUPERAntiSpyware will find. Please do a scan in Safe Mode. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      o Close browsers before scanning
      o Scan for tracking cookies
      o Terminate memory threats before quarantining.
      o Please leave the others unchecked.
      o Click the Close button to leave the control center screen.
  • Reboot into Safe Mode
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • Reboot into Normal Mode
  • To retrieve the removal information for me please do the following:
      o After reboot, double-click the SUPERAntispyware icon on your desktop.
      o Click Preferences. Click the Statistics/Logs tab.
      o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      o It will open in your default text editor (such as Notepad/Wordpad).
      o Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the log in your reply.

Orange Blossom :thumbsup:

#14 KeithH (Topic Starter, Members, 27 posts)

Posted 23 February 2008 - 08:06 PM

Hi Orangeblossom

I did all that and the scan found 2 things but I don't understand what they were. The log you asked for follows:

***********************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2008 at 00:06 AM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 02:55:10

Memory items scanned : 149
Memory threats detected : 0
Registry items scanned : 4962
Registry threats detected : 2
File items scanned : 55216
File threats detected : 0

AdwareFilter Toolbar
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{1028F737-81E7-452B-A860-E50CAD90A08C}
HKU\S-1-5-21-1993962763-1708537768-854245398-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{1028F737-81E7-452B-A860-E50CAD90A08C}



******************************************


When I rebooted my pc, Sunbelt now showed the following up to the point just before I loaded Firefox:

in & out 194.168.4.100 (cache1.ntli.net)
in & out 194.168.8.100 (cache2.ntli.net)
out 209.85.27.168 (superantispyware.com)
out 64.128.133.140 (www.sunbelt-software.com)
in (denied) S010600016c297d22.cg.shawcable.net

When I loaded Firefox, all the following went out (Google is my default screen).
All I did was to access the bookmark to our thread and log in

64.233.183.147
66.249.93.100
64.233.183.147
64.233.183.104
72.14.217.91
74.125.77.147
63.245.213.21 static-fxfeeds.nllb.nl.mozilla.com
212.58.226.29 newslb12.thdo.bbc.co.uk
216.213.19.27 www.bleepingcomputer.com
64.233.183.164
74.125.77.147
204.11.109.155 (can't identify this one?)

What would cause something to try and access the BBC? And what is the last one?
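The triage Orange Blossom describes in #9 and #13 (which process sent the data, in which direction, and to which remote hosts, then look up the addresses that the firewall could not name) can be done systematically once the log is exported. The script below is an added example for this thread; it is not Sunbelt Personal Firewall's own log format or code, and nothing in the thread says which process each listed address belonged to. The line layout, the attribution of addresses to avp.exe and firefox.exe, and the allowed/denied column are constructed for the example (the addresses and reverse-DNS names are the ones the poster listed); `owner_domain` is a simple heuristic, not a public-suffix lookup.

```python
"""Triage a personal-firewall connection log by process, direction and owner.

Added example for this thread; it is not Sunbelt Personal Firewall's own log
format or code. The line format is constructed for the example, loosely
modelled on the entries the poster pasted:
    <in|out> <allowed|denied> <process or -> <remote ip> [reverse-dns name or -]
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample log. Addresses and reverse-DNS names are the kind the
# poster listed; which process each one is attributed to is made up here.
SAMPLE_LOG = """\
out allowed avp.exe      194.145.148.243 big-bam-1.inet.ntl.com
out allowed avp.exe      192.221.106.123 -
out allowed avp.exe      65.55.13.190    -
out allowed avp.exe      63.245.213.11   static-mozcom.nllb01.nl.mozilla.com
out allowed firefox.exe  66.249.93.91    ug-in-f91.google.com
out allowed firefox.exe  64.233.183.147  nf-in-f147.google.com
out allowed firefox.exe  212.58.226.29   newslb12.thdo.bbc.co.uk
out allowed firefox.exe  216.213.19.27   www.bleepingcomputer.com
out allowed firefox.exe  204.11.109.155  -
in  denied  -            24.64.240.145   S01060017ee8ee0ca.cg.shawcable.net
in  denied  -            81.165.34.246   d51A522F6.access.telenet.be
in  allowed avp.exe      194.168.4.100   cache1.ntli.net
"""


@dataclass(frozen=True)
class Entry:
    direction: str       # "in" or "out"
    action: str          # "allowed" or "denied"
    process: str         # process the firewall attributed the flow to, "-" if none
    ip: str
    host: Optional[str]  # reverse-DNS name, None when the firewall could not resolve it


def parse_log(text: str):
    """Parse log lines into Entry records; malformed lines raise ValueError."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) < 4:
            raise ValueError(f"malformed log line: {raw!r}")
        direction, action, process, ip = parts[0].lower(), parts[1].lower(), parts[2], parts[3]
        if direction not in ("in", "out") or action not in ("allowed", "denied"):
            raise ValueError(f"unexpected direction/action in: {raw!r}")
        ipaddress.ip_address(ip)  # rejects anything that is not an IPv4/IPv6 address
        host = parts[4] if len(parts) > 4 and parts[4] != "-" else None
        entries.append(Entry(direction, action, process, ip, host))
    return entries


# Generic second-level labels under two-letter country codes (bbc.co.uk, not co.uk).
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def owner_domain(host: str) -> str:
    """Heuristic registrable domain: the last two labels, or three for names such as
    newslb12.thdo.bbc.co.uk. A public-suffix list would give the exact answer."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(entries):
    """Group flows per process as {direction_action: Counter(owner domain)} and
    collect the allowed outbound addresses that still need a manual lookup."""
    report = {}
    for e in entries:
        proc = report.setdefault(e.process, {"flows": defaultdict(Counter), "lookup": []})
        label = owner_domain(e.host) if e.host else "UNRESOLVED"
        proc["flows"][f"{e.direction}_{e.action}"][label] += 1
        if e.host is None and e.direction == "out" and e.action == "allowed" \
                and e.ip not in proc["lookup"]:
            proc["lookup"].append(e.ip)
    return report


def format_report(report) -> str:
    """Render the triage as text: one block per process, busiest owners first."""
    lines = []
    for process in sorted(report):
        lines.append(f"{process}:")
        for bucket, owners in sorted(report[process]["flows"].items()):
            detail = ", ".join(f"{owner} x{n}" for owner, n in owners.most_common())
            lines.append(f"  {bucket}: {detail}")
        if report[process]["lookup"]:
            lines.append("  look up (whois/reverse DNS): " + ", ".join(report[process]["lookup"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(parse_log(SAMPLE_LOG))))
```

Reading the report answers the two questions raised in the thread directly: the `in_denied` bucket shows what the firewall blocked (consumer-ISP hosts knocking on the door, which is the firewall working as intended), while `out_allowed` per process shows what actually left the machine and which of those destinations still need a whois or reverse-DNS lookup before they can be judged.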

#15 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 24 February 2008 - 12:12 AM

Hello KeithH,

Thank you for the log. According to my research these

AdwareFilter Toolbar
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{1028F737-81E7-452B-A860-E50CAD90A08C}
HKU\S-1-5-21-1993962763-1708537768-854245398-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{1028F737-81E7-452B-A860-E50CAD90A08C}


are related to rogue security programs. It is possible that they are responsible for some of the unwanted traffic on your computer. At this point, I'm going to turn this thread over to someone with more experience than I.

Orange Blossom :thumbsup:



