mystery traffic


john coley
23-04-2011, 12:58
Hi everybody, I'd like if I may to pick the brains of VM techs on here. A mystery has recently come to my attention that, try as I might, I can't fathom. VM, including the guys at Albert Dock, haven't been able to give me an answer. Could I have your thoughts?

I am a blind person. I live alone, and nobody else has access to my computer. I have the 50 meg service. I'm not a heavy user. For example, this week I've downloaded four files, totaling about 70 megs. Both computer and modem are switched off for most of the day. I don't use a router. I'm not wireless, I'm just plugged directly into my modem. I switched over from the 20 meg service two years ago owing to lousy service, which VM put down to heavy demand on the UBR. Everything's been fine since switching in that respect.

That's the background. Now to the mystery. At the beginning of last week there was an outage. Luckily service came back on within the day. There was a second outage on Wednesday. When talking to one of the techs two days later on Friday he happened, in passing, to refer to me as a heavy user. I said I wasn't. He said that I'd downloaded so far this month 748 gigs, which is a massive amount by any standard, especially since I'm not a gamer, I don't stream, other than for the occasional audio podcast. I was, and still am, concerned about it. OK, it doesn't seem to bother VM, as there isn't a cap on 50 meg, but it concerns me as I'm not responsible for it, and there's something wrong somewhere.

I'm scrupulous when it comes to computer security and housekeeping, so I know I haven't got a nasty.

I asked the guy how long it had been going on, and he said it had been the same last month as well. It's not just the downstream that's through the roof, it's upstream as well.

I asked if they could investigate, and identify the traffic, what websites were involved and whatever, and he said they didn't have that information.

Could you let me have your thoughts on it. I'm completely foxed.

Incidentally, it's ages since I posted on here. I hope I've done it right.

Thanks,
John.

scrooge
23-04-2011, 13:12
You have an outgoing firewall to show connections/traffic when online?

john coley
23-04-2011, 13:40
Hi Scrooge, my only firewall is the windows XP firewall. I don't know if it's possible to get a report of traffic.
thanks for the quick reply,
John.

jb66
23-04-2011, 13:42
Change your wireless password

Toto
23-04-2011, 13:45
Hi John.

It's entirely possible that the agent in Albert Dock got it wrong. 748 Gig is a considerable amount, and if that was going on I think you should have noticed it sooner.

I'd get back to them and ask them to double check their figures.

---------- Post added at 13:45 ---------- Previous post was at 13:43 ----------

Change your wireless password

He doesn't have a router. It's in his post.

john coley
23-04-2011, 14:23
Change your wireless password
Hi jb66, I'm not wireless. I'm plugged directly into my modem.
Thanks,
John.

---------- Post added at 01:23 ---------- Previous post was at 01:09 ----------

Hi Toto, if only it was so easy. It's even worse since VM customer services have updated their auto answering system, if that's the name of it. The only way I've found of getting through to anyone in tech support other than the Indian call centre is going through to retentions. It was only because the guy there didn't have an answer that he put me through to Albert Dock. They don't make it easy. If you know of a way I could get through to them could you let me know? This thing's really getting to me.
Thanks,
John.

Dai
23-04-2011, 15:29
There are tools such as TCPview that will show all connections in and out from your pc. However I'm not sure if this would be usable if you are blind. Possibly a screen reader might make sense of the display but I've never had occasion to try something like that.

TCPview

http://technet.microsoft.com/en-us/sysinternals/bb897437

vmfriend
23-04-2011, 15:35
Do you live with anyone ?

john coley
23-04-2011, 15:44
Hi David, thanks for that. I've downloaded it, and will give it a try, although whether Jaws can see it, or I can understand it we shall see. I'll report back.
Thanks,
John.

---------- Post added at 02:44 ---------- Previous post was at 02:40 ----------

Hi vmfriend, no. I live alone. Neither are there ever unsupervised visitors to my flat.
Thanks,
John.

vmfriend
23-04-2011, 15:47
Out of interest are you completely blind ?

The reason I ask is if you are how do you know you are plugged directly into the modem ?

john coley
23-04-2011, 16:32
Hi vmfriend, I know I'm plugged into the modem for the same reason as I know the pc's plugged into the mains. I think you're underestimating blind people. I am registered blind. I have slight guiding vision from one side, but not enough to read, see a screen or do anything that is reliant on seeing. Most of what I do is done by touch.
Thanks,
John.

---------- Post added at 03:32 ---------- Previous post was at 02:58 ----------

Hi David, I've run TCPView, and Jaws can see it, but I can't make head or tail of it. I imagine it's a list of processes. I've pasted what it says here in case you or anyone can enlighten me.
This is what it says:
alg.exe 576 TCP john 1028 john 0 LISTENING
jqs.exe 1652 TCP john 5152 localhost 1081 CLOSE_WAIT
jqs.exe 1652 TCP john 5152 john 0 LISTENING
svchost.exe 784 TCP john epmap john 0 LISTENING
svchost.exe 848 UDP john.cable.virginmedia.net ntp * *
svchost.exe 848 UDP john ntp * *
svchost.exe 956 UDP john.cable.virginmedia.net 1900 * *
svchost.exe 956 UDP john 1900 * *
System 4 TCP john microsoft-ds john 0 LISTENING
System 4 TCP **.**.***.*** netbios-ssn john 0 LISTENING
System 4 UDP john.cable.virginmedia.net netbios-ns * *
System 4 UDP john microsoft-ds * *
System 4 UDP john.cable.virginmedia.net netbios-dgm * * 1 201 1
Thanks,
John.
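Reading a TCPView paste by hand means asking one question of every row: is the socket merely listening, is it loopback chatter, or is it a live connection to some other host? As an added example (not code from the thread or from Sysinternals), here is that triage in Python, with John's listing embedded as the sample. The assumption that "john", "localhost" and the .cable.virginmedia.net name all mean this PC is taken from the paste; the one ESTABLISHED row is constructed to show what a real remote peer would look like.

```python
"""Triage a TCPView text listing: listening sockets, loopback chatter, and
live connections to a remote host.

Added example for this thread, not code from the original page or from
Sysinternals.  TCPVIEW_SAMPLE is the listing pasted above; the hostnames
treated as 'local' are an assumption based on that paste.
"""
from collections import namedtuple

Entry = namedtuple(
    "Entry", "process pid proto local_host local_port remote_host remote_port state"
)

# Assumption: these names all resolve to this PC itself, not to a peer.
LOCAL_NAMES = {"localhost", "127.0.0.1", "john", "john.cable.virginmedia.net"}

TCPVIEW_SAMPLE = """\
alg.exe 576 TCP john 1028 john 0 LISTENING
jqs.exe 1652 TCP john 5152 localhost 1081 CLOSE_WAIT
jqs.exe 1652 TCP john 5152 john 0 LISTENING
svchost.exe 784 TCP john epmap john 0 LISTENING
svchost.exe 848 UDP john.cable.virginmedia.net ntp * *
svchost.exe 848 UDP john ntp * *
svchost.exe 956 UDP john.cable.virginmedia.net 1900 * *
svchost.exe 956 UDP john 1900 * *
System 4 TCP john microsoft-ds john 0 LISTENING
System 4 TCP **.**.***.*** netbios-ssn john 0 LISTENING
System 4 UDP john.cable.virginmedia.net netbios-ns * *
System 4 UDP john microsoft-ds * *
System 4 UDP john.cable.virginmedia.net netbios-dgm * *
"""

# Constructed row (not from the thread) showing what a live outbound
# connection looks like; 198.51.100.7 is a documentation-range address.
SUSPICIOUS_ROW = "svchost.exe 1234 TCP john 1045 198.51.100.7 6667 ESTABLISHED\n"


def parse_tcpview(text):
    """Parse TCPView's whitespace-separated export into Entry tuples.

    TCP rows carry a state column; UDP rows end in '* *' and have none.
    Extra trailing tokens (screen-reader noise, column spill) are ignored.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7:
            continue  # blank or truncated row
        process, pid, proto, lhost, lport, rhost, rport = tokens[:7]
        state = tokens[7] if proto == "TCP" and len(tokens) > 7 else ""
        entries.append(Entry(process, int(pid), proto, lhost, lport, rhost, rport, state))
    return entries


def triage(entries):
    """Bucket rows: listening, udp_bound (no peer), local (loopback), remote."""
    buckets = {"listening": [], "udp_bound": [], "local": [], "remote": []}
    for e in entries:
        if e.proto == "TCP" and e.state == "LISTENING":
            buckets["listening"].append(e)
        elif e.proto == "UDP" and e.remote_host == "*":
            buckets["udp_bound"].append(e)
        elif e.remote_host in LOCAL_NAMES:
            buckets["local"].append(e)
        else:
            buckets["remote"].append(e)  # a real peer: this is what to chase
    return buckets


def has_live_remote_peers(entries):
    """True if any row is talking to a host other than this PC."""
    return bool(triage(entries)["remote"])


def summarize(entries):
    """One line per socket, remote peers first so they cannot be missed."""
    buckets = triage(entries)
    out = []
    for key in ("remote", "listening", "udp_bound", "local"):
        for e in buckets[key]:
            row = (f"{key:<10} {e.process:<12} pid={e.pid:<5} {e.proto} "
                   f"{e.local_host}:{e.local_port} -> {e.remote_host}:{e.remote_port} {e.state}")
            out.append(row.rstrip())
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_tcpview(TCPVIEW_SAMPLE)))
```

On John's paste this reaches the same verdict the replies do: five listening TCP sockets, NTP/SSDP/NetBIOS UDP binds, one loopback CLOSE_WAIT from the Java Quick Starter, and no remote peer at all. Two caveats apply. TCPView is a snapshot, so anything that only talks while the PC is unattended will not appear in a listing taken while he is reading it. And with no router in front, the LISTENING rows (microsoft-ds, netbios-ssn, epmap) sit on an address the cable side can reach, so they depend entirely on the XP firewall; that exposure would explain inbound probe noise, not hundreds of gigabytes.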

Skie
23-04-2011, 16:39
It may be worth posting on the VM community forums here: http://community.virginmedia.com/ and getting them to clarify how much you have used.

I can't think of anything that could be causing that high a usage level though, you would probably notice if your PC was infected and it was consuming that much bandwidth (but for what?).

DABhand
23-04-2011, 16:45
To be honest and I may be wrong, but it is possible someone cloned your modem's MAC address and is using it on a chipped modem.

If it is indeed the case, normally I would say get a replacement modem put in for yourself. Of course being registered blind it would be nice of them to get a technician to do it for you as the underside print is hard to see. But.. and a big but.. the 50mb modems no longer are available which would mean you would have to go on a superhub.

Most people don't like the superhub, but it also is a router built in, which comes with its own firewall. Of course this can be turned off so it just acts as a modem (which I am led to believe from other posts from people who have one).

It is certainly worth trying since you're not a heavy user, and bad days for the customer support who told you to go for 50mb when you don't need it.

Skie
23-04-2011, 16:50
I was going to suggest a cloned modem, but dont know enough about it to know how it would appear. Makes sense though.

I'd avoid the superhub, but as you wouldn't be using wireless and aren't really a heavy user you could probably live with it. Could be worth contacting the CEO's office to complain about the customer service and see if they can provide you with a replacement modem and not a SH.

john coley
23-04-2011, 17:12
Hi Skie, I'll do that. Incidentally, my PC would not only have shown signs of stress, but most probably self destructed. The PC I use for little things like day to day emailing and surfing, in fact the one I'm using now, is an old Dell, which I use because it's very quiet. It's only a 1.66, and it's only got 512 megs of ram. I don't think for a moment it would be capable of that level of throughput.
Thanks,
John.

---------- Post added at 04:12 ---------- Previous post was at 04:06 ----------

Hi DABhand, that would be scary. I suggested to the guy that either my IP or MAC address had been fished, and he dismissed it pretty much out of hand. It'd certainly explain this nonsense though. Have you, or in fact has anyone, got a number for the CEO's office?
Thanks,
John.

DABhand
23-04-2011, 17:21
Like I was saying it could be a Cloned MAC address on a chipped modem, this allows people to pick up a docsis file which is registered to the MAC address of your modem, seeing as you are a 50mb customer they would get the 50mb docsis, and with no traffic management (except for specific time frames for peer 2 peer and newsgroup access) they can potentially download heavy amounts without you knowing.

Ask them when you phone if they can track the supposed bandwidth to a UBR to see if

1. It is in the same area as you
2. If it is on the same node as you

If its no to both then it is very very likely someone cloned your MAC address.

Getting the Superhub as a replacement means you will have a new MAC address and the other person if they are cloning your MAC address will not be able to get a docsis file for it anymore, which forces them to try and get a new MAC address.

And the bad thing is, MAC address cloning isn't random, the VM staff are the only ones privy to that information.. so one would assume some VM technicians are chipping modems with freshly prepared MAC addresses.

EDIT: Just saw your reply ... give me a couple of minutes and ill get the CEO number.

EDIT2: Sorry have his email address but no phone number, I thought I had it handy.. neil.berkett@virginmedia.co.uk

Dai
23-04-2011, 17:44
TCPview log looks perfectly healthy John.

MOD request: could we have the IP blanked please.

john coley
23-04-2011, 17:45
Hi DABhand, thanks for that. I'll email him on Tuesday. Incidentally, what's the downside of a super hub? Is it slower? Are there likely to be more people on it? As I said in my initial post I switched over from 20 meg because of the crap service due to the number of people on the UBR, and hence the enormous demand. For a year I had speeds ranging from 1 meg to 4 megs, which they put down solely to traffic. It was only thanks to a switched on tech in Albert Dock that the problem was sorted. It was noise. I wouldn't want that nonsense again for any consideration.
Secondly, are there limitations I haven't had on 50 meg? Ok, I don't download much, but it's nice to know the option's there. Also, you mentioned turning stuff off and just using it as a modem. I take it that would be in the software and the tech would do it? Would I notice a negative difference?
Thanks,
John.

Chrysalis
23-04-2011, 17:51
netstat -no

To see throughput per connection, though, you will need an app or 3rd-party firewall.

DABhand
23-04-2011, 18:12
The superhub has been not so well received due to people seeing a reduced downstream speed, and having problems with gaming. I am not sure if you are a gamer but I will say no.

It would be ok for you, if you're just generally browsing etc.

Yes you could easily ask the technician to set the router off if you wish and just have the superhub act as a modem, in fact some people have done it themselves as they prefer their own bought routers to it.

Since you don't overuse 50mb, in fact I don't see why you should have 50mb to be honest, I am sure many of the users have moved on to 50mb leaving space for the 20mb so you may not get as many problems as you once did, which means you can get a modem for the 20mb easily without the superhub.

Plus it could mean a lower cost monthly for yourself too. Or if you don't mind the superhub you could go for 30mb, if you are in an area that has had an upgrade. But I think 20mb is more than enough for yourself, hell even 10mb is good enough for yourself.

Like I said before the person who suggested you go to 50mb needs shot, did you have to pay for the technician work and activation also? If so that is bad of them.

jtaylor06
23-04-2011, 18:36
Agreed, 10Mb would seem adequate since you do not use the internet heavily - and as someone else has mentioned it will provide a new MAC address in the case that someone is using your current one without permission.

john coley
23-04-2011, 18:54
Hi DABhand, it could well do the trick. I remember when I first switched, and didn't notice an increase in download speed I spoke to tech support, and the guy said that in order to realise the full bandwidth I'd need to download four large files at a time. As I only download one file at a time 20 or 30 meg would be fine. I'm not a gamer, but it's nice to have the headroom.
As for the charge no, they didn't. It formed part of a compensation arrangement for the lousy 20 meg service.
Thanks,
John.

pip08456
23-04-2011, 20:05
Yes you could easily ask the technician to set the router off if you wish and just have the superhub act as a modem, in fact some people have done it themselves as they prefer their own bought routers to it.

A tech cannot do this, and neither can you. We are still waiting for the firmware upgrade to enable this.

AaronCooper
23-04-2011, 20:11
I'm sure DAB was referring to wireless, although yes you are correct pip.

DABhand
23-04-2011, 20:18
Sorry meant wireless :P

Been a funny day.

vmfriend
24-04-2011, 08:43
I thought Virgin had stopped all the cloning ?

pip08456
24-04-2011, 09:14
I thought Virgin had stopped all the cloning ?

Supposedly.

MovedGoalPosts
24-04-2011, 09:51
And the bad thing is, MAC address cloning isn't random, the VM staff are the only ones privy to that information.. so one would assume some VM technicians are chipping modems with freshly prepared MAC addresses.

If you are going to make such accusations, I do hope you have the evidence to back it up.

This forum, for obvious reasons, does not go into detail on how to obtain services without proper subscriptions or to bypass VM's security. Certainly the TV and broadband have become much more secure in the last couple of years. In the past cloning of modems did happen and use of the mac identifier was a significant factor in that. Indeed mac addresses were often sniffed and traded. Vm staff did not need to be involved in that process, so unless you know a lot more than you are letting on about how to clone a modem under the current regime, I suggest you be a bit more careful about the content of your posts.

vmfriend
24-04-2011, 10:25
Personally I don't think this is related to a cloned modem, if cloned modems were still an issue I am sure we would see many posts about it.

Is it possible the OP has been given the wrong information ?

john coley
24-04-2011, 10:44
Hi Pip, assuming the problem is one of a cloned MAC address, and that VM have stopped it happening any idea of timescale? I went to 50 meg two years ago. Was it sorted prior to that?
Thanks,
John.

Chrysalis
24-04-2011, 10:49
I know a guy who has cloned for years, I will ask him if he's doing it on top tier services ok, my guess is that it's resolved on DOCSIS 3 but not legacy.

vmfriend
24-04-2011, 10:51
Just re-read the op, 748gb in one month ?

I find it hard to believe that you would not have received a letter from Virgin with that kind of usage based on other posts on this site, are you sure this was the figure, when you say a Virgin tech do you mean on the telephone or in person ?

I just have a feeling they may have been giving you the wrong information, suffice to say the only people who can get to the bottom of it is Virgin.

Have you posted in the community forums ?

---------- Post added at 10:51 ---------- Previous post was at 10:49 ----------

I know a guy who has cloned for years, I will ask him if he's doing it on top tier services ok, my guess is that it's resolved on DOCSIS 3 but not legacy.

Hopefully one day he will get caught.

pip08456
24-04-2011, 10:53
Hi Pip, assuming the problem is one of a cloned MAC address, and that VM have stopped it happening any idea of timescale? I went to 50 meg two years ago. Was it sorted prior to that?
Thanks,
John.

It doesn't matter when you changed service or the age of your modem, VM are to have measures in place to make cloning a thing of the past.



And the bad thing is, MAC address cloning isn't random, the VM staff are the only ones privy to that information.. so one would assume some VM technicians are chipping modems with freshly prepared MAC addresses.


That is total rubbish.

Chrysalis
24-04-2011, 10:54
Hopefully one day he will get caught.

Well I won't be reporting a friend, but even if I did that's not a real solution, just banning people who are reported; that's one reason I'm not bothered as well, the method itself needs to be blocked.

vmfriend
24-04-2011, 10:59
Well I won't be reporting a friend, but even if I did that's not a real solution, just banning people who are reported; that's one reason I'm not bothered as well, the method itself needs to be blocked.

Didn't say you should report him, I just stated that hopefully one day he might get caught, it is theft after all.

Doesn't matter if the method exists or not, it's still theft, if someone leaves their car unlocked I can choose to enter and steal their shiny Tom Tom, I don't because it's wrong.

I don't understand why you felt the need to state you knew someone who 'cloned' anyway, you could have just asked him and fed back to the op.

john coley
24-04-2011, 11:02
Hi vmfriend, two guys gave me the same figure, both on the telephone. The first was a guy, whose name if I remember rightly was Ross, in retentions, the second a guy in Albert Dock called, if I remember rightly Steven. Steven said he'd look into it and would ring me back the following day, but as the following day was Good Friday I wasn't surprised when he didn't get back to me. I suppose he may ring after the holiday.
In answer to your question as to whether I heard him right, or misunderstood yes, I heard both of them clear as a bell.
Thanks,
John.

vmfriend
24-04-2011, 11:04
I would suggest that VM need to investigate it for you, it is their network after all and they will be able to establish what is going on.

DABhand
24-04-2011, 11:20
That is total rubbish.

Interesting, then pray tell how people manage to get chipped modems with a cloned MAC addy that is a VM customer's?

So according to yourself someone just randomly flashed a modem with a MAC address at random and it works? Gonna be hard when the modem with a random MAC addy not on the system/cleared through the garden to actually pick up a docsis file.

EDIT: And as said..

I am sure with high probability the people who supply this service to people are or knows VM techs who have access to the list of MAC addies in the garden, you know that little hand held PDA the techs have... wouldn't surprise me if it works both ways of receiving and giving information on MAC addresses.

I am sure that is how the modem gets a specific docsis file, say one neighbour has 20mb and you have 50mb if you take your modem to them I think when plugged in it will pick up a 50mb docsis in their home because of the MAC addy, hence why you can't just use any old modem besides the one you currently use to get a docsis file cause it checks for the addy first.

Stuart
24-04-2011, 11:32
Before anyone continues this line of discussion, let me remind everyone that discussion of how to hack the modems or network is against the forums terms and conditions. Any attempt will be dealt with.

john coley
24-04-2011, 11:34
Hi vmfriend, I agree, they certainly should. If they choose not to I would want a disclaimer from them to the effect that they do not and will not now or at any future time hold me liable for the traffic. It's only fair after all. It isn't as if it's beyond their capability, it's not. There's no such thing as anonymous data on the internet. They are perfectly able to identify it if they care to. If they're not bothered by it that of course is a matter for them, as long as they don't leave it at my door without having taken the appropriate steps to ascertain if the traffic originates with me. Something I may have mentioned, although I can't remember if I have, is that it wouldn't seem to be having an effect on my line speed or PC performance, which I'd have expected it would.
Thanks,
John.

DABhand
24-04-2011, 11:36
@Stuart - I am not trying to tell people how it is done, just the theory behind it. And obviously it may pertain to the OP who has been wrongly diagnosed as downloading over 750GB in one month when he doesn't.

And obviously answering Pip's statement also. Don't worry if I knew the exact workings of doing it I wouldn't obviously share that information as it hurts customers.

pip08456
24-04-2011, 11:46
There were ways and means to harvest every MAC on a given UBR, whether they are still in use I don't know.

I can't be bothered downloading the app to see if it still works.

DABhand
24-04-2011, 12:05
I know the software you may be talking about, made by an american called Harris I believe, but he got caught 1.5 years ago and was jailed for it iirc. So no more updates for the sniffer etc.

He was also the one who first figured out how to hack into the old Surfboards, using TFTP false server etc.

Of course I can't go into details. But if VM have adequate security up they should be able to stop the now non-updated tools out there. And if they were actually clever they would make sure only MAC addresses on the correct Nodes etc would actually be allowed.

craigj2k12
24-04-2011, 12:39
And if they were actually clever they would make sure only MAC addresses on the correct Nodes etc would actually be allowed.

They do on DOCSIS 3, I think.

vmfriend
24-04-2011, 13:29
Which is why I am suspicious of the information you have been given; having no adverse effect on performance (i.e. STM) despite 750gb of data in one month doesn't stack up.

Good luck with it though.

john coley
24-04-2011, 14:34
Hi vmfriend, to demonstrate what I said about performance I've pasted recent test results below. As you'll see, other than for one dip the speeds are pretty normal.
Date Download Speed Upload Speed
Today 14:18 47449 kbps (5.93MB/s) 1667 kbps (208kB/s)
Today 07:39 48499 kbps (6.06MB/s) 1674 kbps (209kB/s)
Yesterday 19:46 42869 kbps (5.36MB/s) 1675 kbps (209kB/s)
Friday 16:55 45150 kbps (5.64MB/s) 1673 kbps (209kB/s)
Friday 13:00 43716 kbps (5.46MB/s) 1662 kbps (208kB/s)
Friday 12:41 29648 kbps (3.71MB/s) 1665 kbps (208kB/s)
Thursday 18:39 43592 kbps (5.45MB/s) 1672 kbps (209kB/s)
Thursday 16:59 44929 kbps (5.62MB/s) 1662 kbps (208kB/s)
Thanks,
John.
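The speed tests above and vmfriend's doubt that 750 GB could pass without any visible effect invite a simple feasibility check: how fast would the line have to run, for how long, to carry that much? The following is an added example, not from the thread; it tests only whether the figure is physically possible on this line and says nothing about whether VM's number is right. It assumes VM count decimal gigabytes, that the figure covers 1-22 April (the tech spoke to John on the 22nd), and uses the speed-test numbers John posted (roughly 47 Mbit/s down, 1.67 Mbit/s up) as the line's real rates.

```python
"""Does '748 GB in a month' physically fit on this line?

Added example, not from the thread.  It only tests feasibility against the
line's measured rates; it says nothing about whether the figure VM quoted is
correct.  Assumptions: decimal gigabytes, 22 days (1-22 April), and the
speed-test rates posted in the thread.
"""
from dataclasses import dataclass

GIGABYTE = 1_000_000_000   # decimal GB, as ISPs usually count (assumption)


@dataclass(frozen=True)
class LineRates:
    down_mbps: float   # downstream, Mbit/s
    up_mbps: float     # upstream, Mbit/s


def required_mbps(gb, days, hours_online_per_day):
    """Average bit rate needed to move `gb` gigabytes within the online window."""
    online_seconds = days * hours_online_per_day * 3600
    return gb * GIGABYTE * 8 / online_seconds / 1e6


def max_gb(mbps, days, hours_online_per_day):
    """Ceiling on what a link at `mbps` could move in the same window."""
    online_seconds = days * hours_online_per_day * 3600
    return mbps * 1e6 * online_seconds / 8 / GIGABYTE


def feasibility(gb, days, hours_online_per_day, rates):
    """Compare the needed average rate with both directions of the line."""
    need = required_mbps(gb, days, hours_online_per_day)
    return {
        "avg_mbps_needed": round(need, 2),
        "share_of_downstream": round(need / rates.down_mbps, 3),
        "fits_downstream": need <= rates.down_mbps,
        "fits_upstream": need <= rates.up_mbps,
        "downstream_ceiling_gb": round(max_gb(rates.down_mbps, days, hours_online_per_day)),
    }


if __name__ == "__main__":
    # Measured rates from the speed tests posted in this thread (assumption).
    measured = LineRates(down_mbps=47.0, up_mbps=1.67)
    for hours in (24, 8):   # always on, versus the modem only on a third of the day
        print(f"{hours} h/day online:", feasibility(748, 22, hours, measured))
```

The numbers cut both ways. Spread over 22 days of 24-hour uptime, 748 GB is only about 3.1 Mbit/s, under 7% of the downstream, so a background transfer of that size would not dent a speed test; even with the modem on for just eight hours a day it needs only about 9.4 Mbit/s. The upstream is a different matter: 1.67 Mbit/s cannot carry anything like that volume in the time, so if the upstream figure really is "through the roof" in the same sense, the traffic cannot all be coming from this PC on this line.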

vmfriend
24-04-2011, 15:33
Are these while downloading a file ?

john coley
24-04-2011, 16:18
Hi vmfriend, no. They're just tests done at random on the mybroadbandspeed.co.uk website.
Sorry the formatting's messed up. I pasted the text into notepad, and that plays havoc with formatting. It could also be down to my screenreader. The first figure is line speed, the second download speed, and the third upload speed.
Thanks,
John.

vmfriend
24-04-2011, 17:00
As I said before, VM are the only ones who will be able to confirm how the data was downloaded.

Tis a strange one.

john coley
24-04-2011, 17:16
Hi vmfriend, I've sent an email to neil berkett, so hopefully we'll see some action on it. I'll report back.
Thanks,
John.

vmfriend
24-04-2011, 17:44
Good Luck

john coley
26-04-2011, 18:55
Hi vmfriend, just thought I'd post with an update. I emailed CEO. I had requested they email me, but in the event a guy called Raj from CEO rang me yesterday, bank holiday Monday. He said he'd pass the issue to network and would ring me again when there was any news.

Given the possibility that a change of modem could sort this I rang VM today. Eventually, having been passed from one department in India to another and getting nowhere, the guy put me through to the retention guys in Teesside. Spoke to a guy called Paul who was very helpful. He's arranged for my modem to be changed; at the same time I'm downgrading to the 30 meg service, as I haven't been getting the benefit of 50 meg. He said though that it would be best to hold back from downgrading me on the system until they've got to the bottom of this mystery traffic issue, as were I downgraded with that issue still unsolved I'd be jumped on from the start. The downside is that I'm still going to be charged for the 50 meg service, but only have the 30 meg, so I hope they get their skates on to sort it. I've emailed CEO again to try to contact Raj, the guy who rang me yesterday, asking that he contact me as a matter of urgency, so here's hoping.

A friend had also suggested that I run HijackThis, to check my computer for bots or other nasties, so I have. I've pasted the results here. Could I have your thoughts, or indeed those of anybody who knows what to look out for. Here are the HijackThis results.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:56:50, on 26/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\JHOOKLDR.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://labs.google.com/accessible/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SimpleAdblock Class - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Common Files\Simple Adblock\SimpleAdblock.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.UK/
O16 - DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} (VM_ActX_2 Control) - http://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269765047179
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269790138468
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JFWService - Freedom Scientific BLV Group, LLC - C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe
O23 - Service: JTVNCProxy_11.0 - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
--
End of file - 5132 bytes

Thanks,
John.

jtaylor06
26-04-2011, 19:09
Just had a look through your log and it looks safe to me.
Nothing out of the ordinary.

Edit:
Just checked again and noticed FlashGet, which is a download manager.
Sometimes this has been known to be a threat, according to http://www.threatexpert.com/files/flashget.exe.html

Are you aware of FlashGet Download manager being on your computer?

john coley
26-04-2011, 19:46
Hi Jordan, yes. I've used Flash Get for years. I like it because it's fully screenreader accessible.
Thanks,
John.

jtaylor06
26-04-2011, 20:06
Hi Jordan, yes. I've used Flash Get for years. I like it because it's fully screenreader accessible.
Thanks,
John.
Ah, just making sure :)
I do not see any Anti-virus or security programs being used?
Can you confirm whether you are using one or not?

If not, I would recommend Avast since it is free and uses speech and sound to alert users of viruses or malware, which would be very beneficial to you.

To download Avast, click here (http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button)

DABhand
26-04-2011, 20:11
Why are they making you pay the 50mb price on 30mb... that's not right, even if it is for 1 month. Or perhaps it was too late and they had already processed your bill for this month and you will get a credit on the next bill?

john coley
26-04-2011, 20:42
Hi Jordan, I generally use Microsoft Security Essentials. Due to a power problem VM had as of last week, which slowed the internet and email to a crawl and made life very difficult, MSE was making a bad situation worse by slowing it even more, as it was examining every last thing, so I removed it till they've sorted the power problem and the service is back to normal. Obviously I don't want to be without protection for long, but it really was making it unusable.
Thanks,
John.

---------- Post added at 07:42 ---------- Previous post was at 07:37 ----------

Hi DABhand, it's anyone's guess. Mind you, I've emailed CEO for the attention of the guy who rang me yesterday to update him, and to ask them to get their finger out on finding the problem, as I won't appreciate being charged for a service I'm not going to be getting.
Incidentally, hope you and everybody had a nice Easter,
Thanks,
John.

DABhand
26-04-2011, 21:24
Easter is like another set of days in the year at my age, at your age... young man. But yeah it's been a long time since I last had a choccy egg :(

john coley
26-04-2011, 21:41
Never Mind DABhand, it's ages since I had one too. Thanks for the compliment, by the way.
Thanks,
John.

john coley
29-04-2011, 10:36
Hi DABhand, thought I'd give you all an update. As I said earlier, for general little day-to-day things I use a little Dell, which is up to the job, but extremely low on resources. Microsoft Security Essentials hadn't found anything on it, so I'd assumed all was well. What had slipped my mind though was that the scan defaults to quick scan, which doesn't look everywhere, just in the most likely places.
Last night I did a full scan, and it found ten nasties. They were all in the Sun folder. Eight of them had "exploit" before the name, one was a trojan downloader, and another had "open connection" in the name. I uninstalled Java, then set folder options to show hidden files, and removed all traces of Sun and Java. I then ran regedit and removed all Java keys. After that I did another full scan, and it came up clean. I did another full scan this morning, just in case anything had regenerated when I rebooted, but all was clean, with no threats detected. I've done the same on the main computer.
I rang my contact in VM's CEO this morning and told him. He said he'd heard back from networks, and that the colleague who had told me in the first place I was a heavy downloader shouldn't have done, as my usage hadn't been flagged as too high. So it looks as if this whole fiasco has been for nothing.
Incidentally, if anyone ever needs the direct freephone for CEO it's Mod Edit - Unofficial number removed.
Thanks,
John.

Dai
29-04-2011, 12:10
Colour me impressed. I don't think a lot of sighted people could deal with a situation like that. Good detective work John.

Now for a 'belt and braces' job you really should run a scan for malware that might be missed by MSE. I'd suggest Malwarebytes Antimalware free version. Make sure it's updated and run a full scan.

john coley
29-04-2011, 15:47
Hi David, it's taken me a while to get back as I was waiting for the VM tech. Thanks for the tip about Malwarebytes. I downloaded and installed it and did a full scan. I've pasted the results here. I also did a full scan on the main computer, but it found nothing, totally clear.
Let me just mention the new superhub. I'd seen quite a lot of negative comments about it, but on first impressions I'm extremely pleased with it. My speed, which, as you will see from my post the other day, was way under 50 meg, is now if anything above it. I hope the performance stays as good.
Hope you're enjoying your day, and here are the scan results. Let me know what you think.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6470

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29/04/2011 13:29:37
mbam-log-2011-04-29 (13-29-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 148976
Time elapsed: 29 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks,
John.

Neo-Tech
29-04-2011, 15:52
Should be fine if you've cleaned those nasties out. :)

Dai
29-04-2011, 15:54
The Malwarebytes report looks fine. From the report I would guess that you had set your control panel to display in classic mode and also disabled security centre nagging for antivirus and windows updates.

If that is correct then the report is all clear, although you may find those settings have changed in the security centre.
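An added check, not from the thread, for the three registry values in the Malwarebytes report above: it reads each one so you can tell a deliberate preference (classic Control Panel, no Security Centre nagging) from tampering, and the optional -Restore switch puts the Windows defaults back. The key paths and value names are taken from the report; the function name is my own.

```powershell
# Added example: audit the values Malwarebytes flagged as Hijack.ControlPanelStyle
# and PUM.Disabled.SecurityCenter. Run in an elevated PowerShell (2.0 or later).
function Get-SecurityCenterNagState {
    param([switch]$Restore)  # -Restore resets any value found at 1 back to 0

    # Key, value name, and what a value of 1 means for that setting.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
           Name = 'AntiVirusDisableNotify'
           Meaning = 'Security Center antivirus warnings suppressed' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
           Name = 'UpdatesDisableNotify'
           Meaning = 'Security Center Windows Update warnings suppressed' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name = 'ForceClassicControlPanel'
           Meaning = 'Control Panel forced to classic view by policy' }
    )

    foreach ($c in $checks) {
        $current = $null
        if (Test-Path $c.Path) {
            # Returns $null when the value is absent instead of throwing.
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item -ne $null) { $current = $item.$($c.Name) }
        }

        # Report one object per setting; "Set" is true only when the override is active.
        New-Object PSObject -Property @{
            Key     = "$($c.Path)\$($c.Name)"
            Value   = $current
            Set     = ($current -eq 1)
            Meaning = $c.Meaning
        }

        if ($Restore -and $current -eq 1) {
            # 0 is the Windows default for all three: notifications on, no forced view.
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
        }
    }
}

# Show the current state; add -Restore once you are sure the overrides are not yours.
Get-SecurityCenterNagState | Format-Table Key, Value, Set, Meaning -AutoSize
```

A value that is absent reads as empty with Set false; Malwarebytes has already deleted these on the machine in the thread, so an all-false result is the expected follow-up reading.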

john coley
29-04-2011, 16:28
Should be fine if you've cleaned those nasties out. :)

Hi Neo-Tech, I deleted all that MSE found, and Malware Bytes cleared the rest.
Thanks,
John.

---------- Post added at 03:28 ---------- Previous post was at 03:23 ----------

Hi David, yes, classic view and no nags. Thanks for the tip. I'll check on the settings, and change back if they've changed.
Thanks,
John.

eto
29-04-2011, 17:13
good that you have MBM now, keep that updated

question is here

what was the malware DOING with all that traffic?

could it be the real cause of yer poor performance on 20mb originally?

I'm on a Camden UBR too, seems fine here, not too congested [north Camden]

50mb seems excessively spendy for your actual usage pattern as described

whatever, should be well snappy now without 'whatever-it-was'

update and normal scan every boot with MBM, full scan less often but regularly

pip08456
29-04-2011, 17:18
good that you have MBM now, keep that updated

question is here

what was the malware DOING with all that traffic?

could it be the real cause of yer poor performance on 20mb originally?

I'm on a Camden UBR too, seems fine here, not too congested [north Camden]

50mb seems excessively spendy for your actual usage pattern as described

whatever, should be well snappy now without 'whatever-it-was'

update and normal scan every boot with MBM, full scan less often but regularly

Read post 60.

john coley
29-04-2011, 18:17
Hi Eto, I haven't got a clue what it was doing with all the traffic. A contact in VM CEO reckoned it was some sort of spamming thing, and that nothing was coming to my computer, it was just acting as some sort of relay. As for the previous bad performance, no, it wasn't this. There have been several formats and reloads since that happened back in 2008. That turned out to be down to channel SNR. I did a speed test as soon as the guy connected the new superhub. I've pasted the results here. It isn't that I need 50 meg, 30 would probably do, but when I suggested to my contact that I downgrade he looked at the state of play and said for the moment to stay on 50.

Date: Today 15:17
Downstream: 50301 kbps (6.29MB/s)
Upstream: 904 kbps (113kB/s)
Thanks,
John.

eto
29-04-2011, 18:22
john: hmm, guess it depended 'where' in Camden [the previous issue]

anyway you seem well on top of this now, keep us posted

john coley
29-04-2011, 18:30
Hi Pip, I will.
Thanks,
John.

---------- Post added at 05:30 ---------- Previous post was at 05:26 ----------

Hi Eto, I will. Here's hoping that performance holds up.
Thanks,
John.

vmfriend
30-04-2011, 07:14
So VM did misinform you about the amount of data. (twice)

At least it prompted a clean up of the PC.

john coley
30-04-2011, 10:09
Hi vmfriend, yes they did. There was also a note on the file that one of them read to me to the effect that a warning letter may have been sent. I haven't had one, which is just as well. As you say though something good's come out of it.
I've now shelved the little Dell and am using the main pc now. It was the dell that had had all the nasties on it. This one's been clean as a whistle. I've nevertheless done several full scans with MSE, and likewise with Malwarebytes.
And I've now got a superhub. My line speed's gone up quite a bit, so I suppose they've improved something. The only drawback is the wi-fi. As I said I don't use it, but I don't know how I can make sure it's turned off. I asked the tech to turn it off, and hopefully he did, but you can never tell.
Hope you're having a nice bank holiday,
Thanks,
John.

DABhand
30-04-2011, 11:40
And they told you to stay on 50mb again >.<

Of course they would, it would mean more money :P

But I don't buy that this supposed malware would take over traffic so to speak, you would have noticed it way back yourself. I still think it was someone who cloned your MAC address, but with the new hardware hopefully that will be over with.

john coley
30-04-2011, 12:14
Hi DABhand, I'm going to downgrade to 30. I don't get the benefit from 50. The guy in CEO I'm disregarding entirely. He's batting for the company, and as you say has a vested interest in me staying on 50.
Now they've confirmed that they know I wasn't responsible for the traffic I'm planning to downgrade. I want first to get it in writing that they know it was nothing to do with me, so that I don't get traffic managed following downgrade. When I do I'll monitor performance, and if it drops I'd probably upgrade again.
Hope you're having a nice weekend,
John.

Dai
30-04-2011, 14:33
It might be possible to find out more about the traffic, if you are still interested John. The Java exploits that were found by MSE should have been logged by the antivirus at the time, and looking at the log might tell us more about what had been installed.
You mentioned MSE referring to a trojan downloader. Often they are general-purpose tools and can download a range of items. You may for instance have been loaded with a spam relay which was sending out emails from your machine. There are a range of possibilities. One server I worked with a while ago had a whole FTP system on board that the owner knew nothing about. He was busy serving up mp3s and movies totally without his knowledge.

Details from the MSE history might help to guess at what was going on.

danielf
30-04-2011, 14:50
From post #60 (as remarked earlier):

I rang my contact in VM's CEO this morning and told him. He said he'd heard back from networks, and that the colleague who had told me in the first place I was a heavy downloader shouldn't have done, as my usage hadn't been flagged as too high. So it looks as if this whole fiasco has been for nothing

It seems there was no mystery traffic after all.

john coley
30-04-2011, 15:35
Hi Danielf, from what I can gather there was mystery traffic, but not sufficient to be flagged. Although it's been a concern to me, perhaps some good has come of it, providing, as I said in an earlier post, that any references in the file arising from it to my detriment are removed.
Thanks,
John.

---------- Post added at 02:35 ---------- Previous post was at 02:13 ----------

Hi David, I'd looked for a log at the time, but there was no sign of one. I looked in the Microsoft Security Client folder in Program Files and there was no log at all. I would have expected that it would have saved a log by default. Most antiviruses I've used do. Any idea where MSE puts them?
I've made a list of all files in the Microsoft Security Client folder, and pasted it here. If you can find where the log is in there let me know and I'll post back with it.

C:\Program Files\Microsoft Security Client\
--------------------------------------------------------------------------------
1. CleanUpPolicy.xml 370B
2. ConfigSecurityPolicy.exe 280KB
3. eppmanifest.dll 157KB
4. LegitLib.dll 690KB
5. MsMpRes.dll 417KB
6. msseces.exe 974KB
7. MsseWat.dll 76KB
8. setup.exe 805KB
9. setupres.dll 41KB
10. shellext.dll 293KB
11. sqmapi.dll 191KB

C:\Program Files\Microsoft Security Client\Backup\
--------------------------------------------------------------------------------
12. eppmanifest.dll 157KB
13. setupres.dll 41KB

C:\Program Files\Microsoft Security Client\Backup\en-us\
--------------------------------------------------------------------------------
14. amhelp.chm 133KB
15. epploc.cab 28KB
16. epploc_x86.msi 31KB
17. eula.rtf 103KB
18. setupres.dll.mui 41KB

C:\Program Files\Microsoft Security Client\Backup\x86\
--------------------------------------------------------------------------------
19. dw20shared.msi 1.76MB
20. epp.msi 1.59MB
21. legitlib.dll 690KB
22. mp_ambits.msi 1.84MB
23. setup.exe 805KB
24. sqmapi.dll 191KB
25. windows6.0-kb981889-v2.msu 1.18MB
26. windows6.1-kb981889.msu 886KB

C:\Program Files\Microsoft Security Client\en-us\
--------------------------------------------------------------------------------
27. amhelp.chm 133KB
28. eula.rtf 103KB
29. MsMpRes.dll.mui 83KB
30. setupres.dll.mui 41KB
31. shellext.dll.mui 9KB

===================================================================
Files: 31 Total Size: 13.62MB List Created: 30/04/2011 15:27:33
Thanks,
John.

Dai
30-04-2011, 16:41
John, log files are here:

C:\ProgramData\Microsoft\Microsoft Antimalware\Support

You should see 1 or more .log files with names beginning MPDetection-

You can open them with Notepad or any text reader. Be warned there's a lot of rubbish in there so it will take a while to speak the useful bits.

craigj2k12
30-04-2011, 17:26
yeah, don't just post the whole log into 1 post, wrap it in [CODE] tags or something

john coley
30-04-2011, 18:17
Hi David, no sign. There are only about 10 folders on C:, and nothing called ProgramData, only Program Files. I've set folder options to show hidden files and folders and done searches for ProgramData and MPDetection and still nothing. I've searched on both computers. In the Antimalware folder inside the Microsoft Security Client folder there were files starting with mp, but no Support folder and no logs.
Could the location and names of folders differ with operating system? I'm running XP Pro.
Thanks,
John.

---------- Post added at 04:44 ---------- Previous post was at 04:39 ----------

Hi craigj2k12, no worries, I can't find them, not even one, let alone a bunch of them.
Thanks,
John.

---------- Post added at 05:17 ---------- Previous post was at 04:44 ----------

Hi David, I've had partial success eventually, but the folder Microsoft Antimalware, which is in C:\Documents and Settings\All Users\Application Data\Microsoft, I can only find on the main computer. On the Dell there's no sign of it. It's the right folder. As you say, in there there's a folder called Support, and inside that folders with names like Scans, Local Copy, Definition Updates, and there are lots of logs. Strange to relate though, not on the Dell, only on the main computer.
Thanks,
John.

Dai
30-04-2011, 19:54
My bad John. I checked the location in Windows 7 and totally forgot you are running XP.

I'm not sure if logs are saved in the same way on an XP machine. I believe log files may be stored at

c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware

Can anyone running MSE under XP please confirm this?
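An added example, not from the thread: a PowerShell function that looks in both of the folder layouts discussed above (ProgramData on Vista and later, All Users\Application Data on XP), finds the MPDetection-*.log files, and returns only the detection lines, so a screen reader does not have to read the rest of the log. The function name is my own, and it assumes the detection events are the lines containing the word DETECTION.

```powershell
# Added example: find the MSE detection logs on XP or on Vista/7 and pull out
# just the detection lines. Works in PowerShell 2.0, which is what XP can run.
function Get-MseDetectionLines {
    $candidates = @()
    # Vista and later keep per-machine data under %ProgramData%.
    if ($env:ProgramData) {
        $candidates += Join-Path $env:ProgramData 'Microsoft\Microsoft Antimalware\Support'
    }
    # XP uses %ALLUSERSPROFILE%\Application Data (C:\Documents and Settings\All Users\...).
    if ($env:ALLUSERSPROFILE) {
        $candidates += Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Microsoft Antimalware\Support'
    }

    # Test-Path sees hidden folders too, so Explorer's hidden-files setting does not matter.
    $support = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $support) {
        Write-Warning "No Microsoft Antimalware\Support folder found in: $($candidates -join '; ')"
        return
    }

    Get-ChildItem -Path $support -Filter 'MPDetection-*.log' |
        Sort-Object LastWriteTime |
        ForEach-Object {
            $file = $_
            # Assumption: the lines worth reading are the ones containing DETECTION;
            # the rest of the log is the "rubbish" mentioned above.
            Select-String -Path $file.FullName -Pattern 'DETECTION' -SimpleMatch |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Log  = $file.Name
                        Line = $_.Line.Trim()
                    }
                }
        }
}

# One row per detection, oldest log first.
Get-MseDetectionLines | Format-Table Log, Line -AutoSize -Wrap
```

If the machine has no logs at all (as the Dell in this thread apparently did not), the function prints a warning naming the folders it tried rather than an empty table.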

john coley
30-04-2011, 20:11
Oh well David, one of those things. If there are any there I'll find them in the end.
I've more or less given up on the little Dell. It's got its good points, mainly that it's very quiet, but it's so low on resources it's useless for doing much more than surfing and emailing. The main PC's wonderful from a spec point of view, but it's got more fans than Michael Jackson. I should think it's the noisiest PC I've ever come across.
Hope your day was a good one,
Thanks,
John.

DABhand
26-02-2012, 13:46
I forgot all about this. I wonder how John got on, did everything get sorted out I hope?

john coley
26-02-2012, 14:32
Hi DABhand, everything went back to normal once I removed Java, together with the nasties that Malwarebytes had found in the Sun folder. Needless to say I haven't installed Java since. Not having it isn't much of a loss, as I use a screenreader, and screenreaders and Java don't get on. When I say everything's back to normal I assume it is. Virgin haven't been onto me since, so fingers crossed. Given that it was Malwarebytes that picked up on it I've upgraded to the pay version, so now have real time protection.
Hope your day's going well,
John.

DABhand
26-02-2012, 19:55
That's good, must have been a fake Java installed, as I have it for chatrooms etc. But glad that mysterious traffic is now gone, hopefully for good.