
Unaccounted large amounts of sent packets on network


3 replies to this topic

#1 ttvmupt

ttvmupt

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 10 March 2009 - 05:27 AM

Hello everyone. Kind of first post here, so please be patient.
For a while now I've noticed that my network [modem, static IP] has some unusual activity, being that the amount of sent packets is much larger than the ones that appear as received. And I am not referring to p2p connections; if I load a web page or download a package over a browser, the sent data always accounts for about 1.5 - 2 times over the amount of received data. I normally assumed some spyware infestation, so I ran multiple scans [Malwarebytes, Spybot, Superantispyware]. Multiple infections were discovered [mainly "backdoor trojans"] and taken care of. But the high rate in traffic persists in Windows' network status. I tried Netlimiter to monitor the traffic rate - it looks normal, the transfer rate for, say, loading a web page is what it should be and it appears as the only process accessing the network; if the connection is idle, it stays that way. But in Windows' network status, the traffic is continuous [it never gets "idle", it just slows down the transfer rate] and, as before, the sent packets are larger than received ones. I am waiting on a HJT log response, but in case the problem is not spyware related - what could account for this behavior?
Thanks in advance


#2 patbox

patbox

  • Members
  • 456 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:16 AM

Posted 10 March 2009 - 06:55 AM

> Hello everyone. Kind of first post here, so please be patient.
> For a while now I've noticed that my network [modem, static IP] has some unusual activity, being that the amount of sent packets is much larger than the ones that appear as received. And I am not referring to p2p connections; if I load a web page or download a package over a browser, the sent data always accounts for about 1.5 - 2 times over the amount of received data. I normally assumed some spyware infestation, so I ran multiple scans [Malwarebytes, Spybot, Superantispyware]. Multiple infections were discovered [mainly "backdoor trojans"] and taken care of. But the high rate in traffic persists in Windows' network status. I tried Netlimiter to monitor the traffic rate - it looks normal, the transfer rate for, say, loading a web page is what it should be and it appears as the only process accessing the network; if the connection is idle, it stays that way. But in Windows' network status, the traffic is continuous [it never gets "idle", it just slows down the transfer rate] and, as before, the sent packets are larger than received ones. I am waiting on a HJT log response, but in case the problem is not spyware related - what could account for this behavior?
> Thanks in advance


This is a very interesting post.

a. You did not mention which internet browser you use, and what you did about it. There could be some unnecessary add-ons. If you use IE, try a fresh installation of the OPERA or FIREFOX internet browser and take a look at how the packets behave.

b. You can actually see what connections the computer has established: Go to Start/Run and type cmd. Then type the command netstat or netstat -a. If it looks suspicious you could post the results here, but I think it is better to mark it with the [code] button.

c. You could connect to your router, and check out the router log. If you don't use any P2P the logs should be rather easy to read.

Edited by patbox, 10 March 2009 - 06:56 AM.

Message from Patbox: I AM LOOKING FOR A GIRLFRIEND (PM if interested) :-)
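Step b. above suggests reading netstat output by eye. The following is an added example (not from the original post) that does the same triage over a constructed `netstat -ano` listing: it groups established TCP connections by PID and flags remote hosts the user does not recognise or non-web ports, so the suspect process can be looked up by PID in Task Manager. The IP addresses, PIDs and the expected-host list are all made up for the example.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (addresses and PIDs are made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.0.10:1043      203.0.113.7:80         ESTABLISHED     2044
  TCP    192.168.0.10:1051      203.0.113.7:443        ESTABLISHED     2044
  TCP    192.168.0.10:1060      198.51.100.23:6667     ESTABLISHED     3120
  TCP    192.168.0.10:1062      198.51.100.23:6667     TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1120
"""

EXPECTED_HOSTS = {"203.0.113.7"}   # constructed: hosts the user knows they actually visit
WEB_PORTS = {"80", "443", "http", "https"}

def parse_netstat(text):
    """Parse `netstat -ano` style lines into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:   # UDP rows carry no State column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rhost, _, rport = remote.rpartition(":")
        conns.append({"proto": proto, "local": local, "rhost": rhost,
                      "rport": rport, "state": state, "pid": int(pid)})
    return conns

def flag_unexpected(conns, expected_hosts=EXPECTED_HOSTS):
    """Return (pid, 'host:port', reason) for established TCP connections worth checking."""
    flagged = []
    for c in conns:
        if c["proto"] != "TCP" or c["state"] != "ESTABLISHED":
            continue
        reasons = []
        if c["rhost"] not in expected_hosts:
            reasons.append("remote host not in expected list")
        if c["rport"] not in WEB_PORTS:
            reasons.append("non-web port %s" % c["rport"])
        if reasons:
            flagged.append((c["pid"], "%s:%s" % (c["rhost"], c["rport"]), "; ".join(reasons)))
    return flagged

def connections_per_pid(conns):
    """Count established TCP connections per PID, to pick the process to inspect next."""
    counts = defaultdict(int)
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED":
            counts[c["pid"]] += 1
    return dict(counts)
```

Run `flag_unexpected(parse_netstat(SAMPLE_NETSTAT))` on a saved `netstat -ano > conns.txt` listing instead of the sample to get the same report for a real machine.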

#3 ttvmupt

ttvmupt
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 10 March 2009 - 12:21 PM

Thanks for the quick reply; will try to sort it out.
1. Mainly Firefox as a browser, though I have Opera installed as well. It varies; I have no particular preference for either. Never IE. However, the problem I'm having is not limited to browsers [I just used them as a starting point. I have seen some posts regarding similar problems, but people got hung up on p2p issues and that is not the case. It suffices for the network to be enabled]. Even if I'm on Y!, the rate of transfer for the network is largely the same. Also, if there is a torrent client active, the displayed data amount doesn't reflect the traffic the torrent client operates; it's waaay higher.
2. Netstat actually... well, today it showed connections to facebook.com or youtube a few minutes after the network connection was enabled. But something is off, as I hadn't entered youtube at that time. As for facebook, well, I have never accessed that site. Otherwise, it hasn't shown anything to arouse suspicion.
3. No router involved.

I can't understand why Netlimiter doesn't see the traffic Windows' network status detects. When Netlimiter sees the connection as idle, Windows still detects some data transfer. Also, there is an active Comodo firewall which is, as well, eluded by Windows' traffic charts. I can't seem to account for them anyway. No spyware detected on multiple scans, no viruses.

#4 patbox

patbox

  • Members
  • 456 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:16 AM

Posted 10 March 2009 - 01:46 PM

> 2. Netstat actually... well, today it showed connections to facebook.com or youtube a few minutes after the network connection was enabled. But something is off, as I hadn't entered youtube at that time. As for facebook, well, I have never accessed that site. Otherwise, it hasn't shown anything to arouse suspicion.


Well, number two seems to be an issue. It could be that some people are using your PC to anonymously access the internet under your IP. Like people from countries where use of facebook or youtube is prohibited by the government. I am just guessing and yes, I watched too many movies :-) But if you never accessed facebook and it shows in netstat, this is certainly an issue.

I am not the best guy to tell, but somebody could hack your PC individually, and in that case the anti-virus would not help. Regarding the router, how do you access the internet with no router? Just a modem? I heard many good things about the Comodo firewall, but never had it myself. Would you consider enabling Windows Firewall for a while to see if Windows Firewall could block it?

Overall, I hope some of the more experienced guys could give better advice, and posting a HijackThis log in the appropriate forum is definitely a good way forward.

---
Note: Consider getting Spybot's TeaTimer utility or Windows Defender to monitor whether the system is making some changes. I assume you checked in msconfig which services other than Microsoft's are loading automatically.

Edited by patbox, 10 March 2009 - 01:51 PM.

Message from Patbox: I AM LOOKING FOR A GIRLFRIEND (PM if interested) :-)
