More IT help pls... constant data stream being sent out

Discussion in 'The Pub' started by robsalvv, Mar 7, 2007.

  1. I've just noticed that there are more packets of data going out (according to my wireless connection window) than there are coming in.

    Even with no iexplorer windows open, and no email clients active, there's a steady trickle going out... like 10 packets a second on a 1.5Mbyte/sec ADSL connection.

    When I look up the task list, the only applications beyond "system idle process" registering are ccproxy.exe 2% CPU and svchost.exe 2% CPU.

    I downloaded the latest virus signatures and ran a total system full scan... but my system appears clean.

    I've not noticed this behaviour before.

    Interestingly, when I disconnect the wireless connection, both the aforementioned applications drop to zero.

    Soooooo, what's going on??? What the hell data is being sent out??

  2. ccproxy.exe looks like Norton Security. Do you have Norton products installed? http://www.neuber.com/taskmanager/process/ccproxy.exe.html

    Downloading latest signatures and scanning your own system *if* you are infected can also show clean because some (most new ones?) can control your virus scanner and make it appear your system is clean. If you can, remotely scan your computer or run a virus checker from a boot disk/usb/cd so you actually aren't in Windows when you run the virus checker.

    Also, get (detailed) info from your ADSL/2+ router to see if the packets are going to/from the net with something like PRTG (damn good software).

    Well, that's a start to see what's going on.
  3. *Shudder*


    Firewall installed?
  4. Cos wireless is... well... wireless ;) it has to keep a "connection alive" signal, now I'm not exactly sure how much info this is, I would have imagined this to be a few packets every couple of seconds, so yours may seem over the top, however any virus that I've known won't only be sending that little as well...

    I don't like Norton, so if I were you I'd jump to http://www.trendmicro.com.au and do a "housecall" online virus scan. I use it at work if I can't / don't want to install new stuff on a client's machine.
  5. Yep I have Nortons... and am using the Nortons firewall - which has actually stopped a whole bunch of attacks, so I'm not complaining.

    Well wouldn't you know it... this morning, what I reported last night has stopped!?!?

    There are no packets going out... actually, a couple of packets every 5 seconds... probably the wireless thing Booga mentioned... but otherwise, there doesn't seem to be a trickle out into the big WWW.

    Might still run the web based scan for peace of mind's sake, and check out whatever PRTG is...

    Bloody computers??!?!! :?

    Thanks guys.

  6. I'd use taskmgr to kill processes one-by-one (but I know what I'm doing) and see what affects the throughput.

    Less experienced people can get a utility off the web like TCPview or something that tells you all connections on all ports and where they go to, etc. The endpoint should allow you to know if it's Symantec or something legit.
  7. Taa Harte.

    Years ago, in the win3.1 days, I used to have a utility called netmedic, that would tell you a heap of stuff about your net connection, throughput, how many nodes between you and the website, transmission speed, etc etc etc. I think the full version included a global map and highlight net traffic jams etc. Very very nifty.

    I don't think anything like that exists anymore.

    I'd be interested in something like TCPview, if only for the curiosity factor. Will have a look for it. Thanks again.


  8. Thx Matt. Will take a look. :)
  9. Agree with Matt, Ethereal is very good software and should help you identify what is happening.

    There are other ways to check (try using netstat with the -an switch from the command line).

    Remember, if you have XP in the default config you likely have Automatic Updates enabled. This can download updates in the background as a drip feed. Likewise with Norton updates. On the subject of NAV, I hate TrendMicro with a passion (at least the corporate product). If you have a sub to NAV, just leave that in place.
  10. Heya CJ. Thanks for that suggestion.

    I thought about the auto updates thing... but I turned off automatic updates for XP and Nortons a while ago (manual updates are less obtrusive), so neither should be punching out to ask for updates without me making them...

    The netstat suggestion sounds like a ripper. Will definitely have a look at that too. Here's the MS resource page for netstat:


    I didn't know it existed.

    Awesome guys. Appreciate the help. :)
  11. Ethereal is dead. Long live Wireshark (made by the same people as Ethereal but is a live project).
  12. mmm, sounds like a syntax error!

    (sorry my best friend is in IT and i say that to him all the time....he hates it :LOL: :LOL: :LOL: )
  13. Do you have the computer browser service running? That uses the svchost.exe file and sends out packets across the network.
  14. Actually I noticed svchost.exe and iexplorer.exe occasionally registering at 2% as well, even with no browser windows open... the wireless icon would light up and packets would be sent around the same time.

    The data stream leak was happening again last night.

    Netstat gave me information that I couldn't really interpret, but there were two interesting website addresses listed that I did not recognise. I downloaded TCPview, but for whatever reason it didn't work... I got the typical MS window frame but no list appeared?!? So... I might have to try that Ethereal thing.

    On the positive side, I found a freeware site with lots of utilities which could keep the geeky side occupied for a while. :)

    Basically, I'm trying to determine whether this uploading is something I need to deal with...

    Will have to run a website based virus scan and then maybe Ethereal.



    p.s Living... you must be an old pascal / basic programmer from way back to appreciate "syntax error". :grin:
  15. If you are able to obtain the IPs the traffic is going to, you can go to sites like www.arin.net / www.apnic.org and punch in the IP address.

    It will at least show you who owns the IP range the traffic is going to. For instance, if a lot of traffic is going to the 207.46.x.x range, put this in and you will get:

    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: -
    NetHandle: NET-207-46-0-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Assignment
    NameServer: NS1.MSFT.NET
    NameServer: NS5.MSFT.NET
    NameServer: NS2.MSFT.NET
    NameServer: NS3.MSFT.NET
    NameServer: NS4.MSFT.NET
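
Added example (not part of any post in this thread): a small Python parser that turns the netstat output suggested above into a short list of off-LAN addresses to check at ARIN/APNIC, with the owning process ID for each. It assumes Windows `netstat -ano` output, where `-o` (owning PID) is an addition to the `-an` switch mentioned in the thread; the sample text and its addresses are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED     1432
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED     2200
  TCP    192.168.1.10:1051      203.0.113.25:80        ESTABLISHED     1432
  TCP    192.168.1.10:1052      203.0.113.25:80        ESTABLISHED     1432
  TCP    192.168.1.10:1060      198.51.100.7:443       TIME_WAIT       0
  UDP    0.0.0.0:1900           *:*                                    1100
"""

# Peers that never leave the local machine or LAN; everything else is worth a lookup.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10")]

def external_endpoints(netstat_text):
    """Count TCP rows per (remote_ip, remote_port, pid) whose peer is off the LAN."""
    hits = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # headings, blank lines, UDP rows (no state column)
        _proto, _local, remote, state, pid = fields
        if state == "LISTENING":
            continue  # a listening socket has no remote peer yet
        host, _, port = remote.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # not a numeric address (netstat run without -n)
        if any(ip in net for net in LOCAL_NETS):
            continue
        hits[(str(ip), int(port), int(pid))] += 1
    return hits

def addresses_to_look_up(hits):
    """Unique remote IPs, ready to paste into a registry whois search."""
    return sorted({ip for ip, _port, _pid in hits})

if __name__ == "__main__":
    for (ip, port, pid), n in external_endpoints(SAMPLE).most_common():
        print(f"{n} connection(s) to {ip}:{port} owned by PID {pid}")
```

On Windows, `tasklist /svc` shows which services are hosted inside a given svchost.exe PID, which helps when the owning process is one of several svchost instances.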
  16. Haha, good call. You wouldn't believe how long I spent on the old Commodore 64 trying to program in a ball that bounces across the screen :cry: :LOL:
  17. Me !#%$!^!!@#$%^!#@@$!&*(*% too! :LOL:

    if peek(x,y)= [something or other in here] then ((x=x+1) AND (y=y+1));
  18. Hark!

    Nerdy computer talk???

    Internet advice??

    I smell...

  19. LOL Ktulu...

    After my stint with the C64 and Pascal and Fortran at Uni, I gave computers and programming a wide wide berth.

    ...so every now and then, I tap into the vast computing resources of NR with a thread like this... and haven't been led astray yet. No fertilizer so far mate - just all good stuff.

    Great pic BTW. :LOL:

    Thanks Scottatron - will look at your tips a bit closer. Cheers :)