Computer downloading for no apparent reason (was WTF are VM upto now??)
Right, I have just noticed something VERY strange with my internet connection. I reboot my PC, log into Windows (with wireless disabled & wired unplugged), I have nothing at all open that accesses the net (I have even deleted the automatic updater for my internet security for this test too), no MSN, no IncrediMail open, but as soon as I enable my wireless connection for the internet, it gets an IP address and then I notice in DU meter, something starts downloading. Now it starts off with a few KB/s and then after exactly 18 seconds it's as big as 247.8KB/s as the maximum transfer rate, and within a minute, I have downloaded over 7MB of data???
Now as I said before, I don't have anything running when this happens, hell I have even done a fresh install of XP, only other software installed is DU meter, and also TaskManager backs this downloaded data up as the graph is consistent with DU meter, so my question is: WTF is happening and what is this data that is being downloaded?? I am writing this with my wireless disabled, so I know that nothing is getting on this PC! PLEASE HELP!!!! |
Re: WTF are VM upto now??
I'd get hold of Virgin if I was you, sounds like someone doesn't like you :p:
|
Re: WTF are VM upto now??
Quote:
What with the recent security issues, it is starting to make me a bit para, and I know this has never happened before! Could somebody that has DU meter please test this for me? Even better, does anyone know of any software (free or otherwise) that can instantly tell you which application you have open is sending / receiving data to the internet, and how much? |
Re: WTF are VM upto now??
ever thought of somebody hacked your wireless? try wired straight to laptop see if it still shows up in DU meter
|
Re: WTF are VM upto now??
Quote:
Yes of course I thought of that :) So I logged into my router, viewed the DHCP table, and the only ones in the list are my desktop PC, mine & my partner's laptops & the Wii, nothing else. Then again, I do have my security tighter than a duck's backside, but that's just me! |
Re: WTF are VM upto now??
if u say fresh install of XP maybe it's MS updates in bg
---------- Post added at 01:45 ---------- Previous post was at 01:38 ----------
Look for something in task manager called wuauclt.exe, if it's there then that's your problem |
Re: WTF are VM upto now??
I think the router transfers basic information through the network depending on what you have enabled. For example, I have folders on my PC that I can access through my laptop.
It's all I can think of. |
Re: WTF are VM upto now??
Quote:
I have task manager open constantly, and as such, I know every process that's open, and it certainly ain't that! To aid help, it is booted up and all the clutter (MSN, IncrediMail, mouse drivers and the like) are quit, so it's basically the standard, default essential stuff that's open. I don't have any spyware (unless VM are deploying Phorm via silent, unattended setup) and certainly no viruses or any other parasites (well, unless you count Microsoft products lol). I really do not know what else to do, I cannot connect direct to the modem, as the house wouldn't be impressed if the little un got woken up as the modem & router is in her room on top of a wardrobe. |
Re: WTF are VM upto now??
lol erm u can try kerio, just googled, it shows the process what's hogging the bandwidth
http://www.kerio.co.uk/kerio.html
can u post a netstat, do netstat -a in cmd
---------- Post added at 02:00 ---------- Previous post was at 01:54 ----------
ok forget that, download this http://download.sysinternals.com/Fil...ssExplorer.zip run this, look at the meter in the top right hand corner |
Re: WTF are VM upto now??
Quote:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

>netstat -a

Active Connections

  Proto  Local Address          Foreign Address                 State
  TCP    lappy007:epmap         lappy007:0                      LISTENING
  TCP    lappy007:microsoft-ds  lappy007:0                      LISTENING
  TCP    lappy007:3389          lappy007:0                      LISTENING
  TCP    lappy007:1025          lappy007:0                      LISTENING
  TCP    lappy007:1025          localhost:1032                  TIME_WAIT
  TCP    lappy007:1025          localhost:1034                  TIME_WAIT
  TCP    lappy007:1025          localhost:1037                  ESTABLISHED
  TCP    lappy007:1025          localhost:1039                  FIN_WAIT_2
  TCP    lappy007:1025          localhost:1051                  TIME_WAIT
  TCP    lappy007:1025          localhost:1055                  TIME_WAIT
  TCP    lappy007:1025          localhost:1060                  TIME_WAIT
  TCP    lappy007:1025          localhost:1069                  TIME_WAIT
  TCP    lappy007:1025          localhost:1071                  TIME_WAIT
  TCP    lappy007:1025          localhost:1073                  TIME_WAIT
  TCP    lappy007:1025          localhost:1074                  TIME_WAIT
  TCP    lappy007:1025          localhost:1077                  TIME_WAIT
  TCP    lappy007:1025          localhost:1078                  TIME_WAIT
  TCP    lappy007:1025          localhost:1079                  TIME_WAIT
  TCP    lappy007:1025          localhost:1080                  TIME_WAIT
  TCP    lappy007:1025          localhost:1081                  TIME_WAIT
  TCP    lappy007:1025          localhost:1082                  TIME_WAIT
  TCP    lappy007:1025          localhost:1083                  TIME_WAIT
  TCP    lappy007:1025          localhost:1084                  TIME_WAIT
  TCP    lappy007:1025          localhost:1087                  TIME_WAIT
  TCP    lappy007:1025          localhost:1093                  TIME_WAIT
  TCP    lappy007:1025          localhost:1094                  TIME_WAIT
  TCP    lappy007:1025          localhost:1095                  TIME_WAIT
  TCP    lappy007:1025          localhost:1096                  TIME_WAIT
  TCP    lappy007:1025          localhost:1097                  TIME_WAIT
  TCP    lappy007:1025          localhost:1098                  TIME_WAIT
  TCP    lappy007:1027          lappy007:0                      LISTENING
  TCP    lappy007:1028          lappy007:0                      LISTENING
  TCP    lappy007:1037          localhost:1025                  ESTABLISHED
  TCP    lappy007:1039          localhost:1025                  CLOSE_WAIT
  TCP    lappy007:1049          localhost:1050                  ESTABLISHED
  TCP    lappy007:1050          localhost:1049                  ESTABLISHED
  TCP    lappy007:1053          localhost:1054                  ESTABLISHED
  TCP    lappy007:1054          localhost:1053                  ESTABLISHED
  TCP    lappy007:1057          localhost:1025                  TIME_WAIT
  TCP    lappy007:1059          localhost:1025                  TIME_WAIT
  TCP    lappy007:1061          localhost:1025                  TIME_WAIT
  TCP    lappy007:1065          localhost:1025                  TIME_WAIT
  TCP    lappy007:1066          localhost:1025                  TIME_WAIT
  TCP    lappy007:netbios-ssn   lappy007:0                      LISTENING
  TCP    lappy007:1038          by2msg2043119.phx.gbl:1863      ESTABLISHED
  TCP    lappy007:1048          207.46.26.253:7001              TIME_WAIT
  TCP    lappy007:1048          207.46.26.254:7001              TIME_WAIT
  TCP    lappy007:1058          server3.cableforum.co.uk:http   TIME_WAIT
  TCP    lappy007:1063          server3.cableforum.co.uk:http   TIME_WAIT
  TCP    lappy007:1064          server3.cableforum.co.uk:http   TIME_WAIT
  TCP    lappy007:1067          server3.cableforum.co.uk:http   TIME_WAIT
  TCP    lappy007:1068          server3.cableforum.co.uk:http   TIME_WAIT
  UDP    lappy007:microsoft-ds  *:*
  UDP    lappy007:isakmp        *:*
  UDP    lappy007:1030          *:*
  UDP    lappy007:1031          *:*
  UDP    lappy007:4500          *:*
  UDP    lappy007:ntp           *:*
  UDP    lappy007:1029          *:*
  UDP    lappy007:discard       *:*
  UDP    lappy007:ntp           *:*
  UDP    lappy007:netbios-ns    *:*
  UDP    lappy007:netbios-dgm   *:*

>netstat -o -a

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    lappy007:epmap         lappy007:0             LISTENING       1156
  TCP    lappy007:microsoft-ds  lappy007:0             LISTENING       4
  TCP    lappy007:3389          lappy007:0             LISTENING       1092
  TCP    lappy007:1025          lappy007:0             LISTENING       1444
  TCP    lappy007:1027          lappy007:0             LISTENING       2264
  TCP    lappy007:1028          lappy007:0             LISTENING       2468
  TCP    lappy007:netbios-ssn   lappy007:0             LISTENING       4
  UDP    lappy007:microsoft-ds  *:*                                    4
  UDP    lappy007:isakmp        *:*                                    912
  UDP    lappy007:1030          *:*                                    1252
  UDP    lappy007:1031          *:*                                    1252
  UDP    lappy007:4500          *:*                                    912
  UDP    lappy007:ntp           *:*                                    1196
  UDP    lappy007:ntp           *:*                                    1196
  UDP    lappy007:netbios-ns    *:*                                    4
  UDP    lappy007:netbios-dgm   *:*                                    4

Now the first 1 gave me some concern, but most of the first lot were PID 0 (system idle process) and I waited a few mins, then did another, which is a bit better! The PID codes are:
0 - System Idle process
4 - System
912 - lsass.exe
1092 - svchost.exe (There are 6 of these, 3 as SYSTEM, 2 in NETWORK SERVICE, 1 as LOCAL SERVICE)
1444 - CCPROXY.EXE (internet security - norton)
2464 - ALG.EXE (Local Service)
So I can't see anything out of the ordinary so far, but will definitely check them links out! Thanks again! :) |
Re: WTF are VM upto now??
make sure u check out sysinternal, that's the one i tested, i downloaded a file and it showed up iexplore 481 Kb's
|
Re: WTF are VM upto now??
Quote:
I have just downloaded it and was gonna ask what it was for & how to use it, so now you're answering my questions before I've asked them lol :) |
Re: WTF are VM upto now??
could you do a hijackthis log instead? it's a bit more in depth.
As much as I'd love to believe everybody who says they are spyware and virus free, it's always nice to be safe ;) |
Re: WTF are VM upto now??
ok basically it's just an advanced task manager. open procexp and look at the top right of the window, u might see a blue or purple line, not sure i can't tell. hover your mouse over it, it will tell you what is using the bandwidth
example link http://bayimg.com/jAJIMaabH |
Re: WTF are VM upto now??
Quote:
Ok, here's the log: Quote:
|
Re: WTF are VM upto now??
does DU meter show anything like u said earlier
|
Re: WTF are VM upto now??
Quote:
Not anymore, I did all the steps I did earlier, but nothing now, this IS strange! Maybe VM have given up trying to force PhormWare onto me now lol :angel: |
Re: WTF are VM upto now??
lol if it happens again use that procexp thingy, only tool i know of (after 5 mins of google) that pinpoints the culprit. anyway glad u got it sorted
|
Re: WTF are VM upto now??
Quote:
lol thanks, me too! Now maybe I can crawl into my pit now I have this sorted out :) Thanks again for all your help :) Rep point on its way to you :) |
Re: WTF are VM upto now??
it's a long shot, but i know what Lenovos are like, and judging by that log, your machine is no exception.
Lenovos come with lots of crap installed, 3rd party stuff and IBM/Lenovo's own rubbish. You really could do with removing a load of that, you don't really need any of it. Norton is just a waste of resources, but that's your choice. If you connect with another machine does the downloading resume? As for connections, going off your netstat, the only thing actually making a connection (apart from some sort of RPC loopback) is an MSN server, so you could try end tasking any MSN Messenger related stuff in your task manager and reconnecting. Edit: okay was too slow :p |
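The triage done by hand in the post above (drop listeners and loopback pairs, see which peers remain), as an added Python example that is not part of the original thread. The sample is a shortened excerpt of the netstat output posted earlier; the function names and the `LOCAL_HOSTS` list are assumptions of this example.

```python
from collections import Counter, defaultdict

# Shortened excerpt of the `netstat -a` output posted earlier in this thread.
SAMPLE = """\
Proto  Local Address    Foreign Address                State
TCP    lappy007:epmap   lappy007:0                     LISTENING
TCP    lappy007:1025    localhost:1032                 TIME_WAIT
TCP    lappy007:1025    localhost:1037                 ESTABLISHED
TCP    lappy007:1037    localhost:1025                 ESTABLISHED
TCP    lappy007:1038    by2msg2043119.phx.gbl:1863     ESTABLISHED
TCP    lappy007:1048    207.46.26.253:7001             TIME_WAIT
TCP    lappy007:1058    server3.cableforum.co.uk:http  TIME_WAIT
TCP    lappy007:1063    server3.cableforum.co.uk:http  TIME_WAIT
UDP    lappy007:ntp     *:*
"""

# Foreign hosts that never leave the machine (assumed list, extend as needed).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0", "*", "[::]", "[::1]"}


def parse_netstat(text):
    """Parse netstat -a rows; a trailing numeric PID column (-o) is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, prompt and header lines
        rest = parts[3:]
        pid = int(rest.pop()) if rest and rest[-1].isdigit() else None
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": rest[0] if rest else "", "pid": pid})
    return rows


def remote_peers(text, hostname):
    """Map each off-box TCP peer to a Counter of the states seen for it."""
    local = LOCAL_HOSTS | {hostname.lower()}
    peers = defaultdict(Counter)
    for row in parse_netstat(text):
        host = row["foreign"].rpartition(":")[0].lower()
        if row["proto"] == "TCP" and row["state"] != "LISTENING" and host not in local:
            peers[row["foreign"]][row["state"]] += 1
    return peers


def live_remote(text, hostname):
    """Peers with at least one connection that is still ESTABLISHED."""
    return sorted(p for p, s in remote_peers(text, hostname).items() if s["ESTABLISHED"])


if __name__ == "__main__":
    print(live_remote(SAMPLE, "lappy007"))
```

A netstat snapshot carries no byte counts, so this narrows down which peers are open at that moment, not which one moved the 7MB.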
Re: WTF are VM upto now??
thanks very much glad to help going to bed now
|
Re: WTF are VM upto now??
Quote:
It's actually an IBM Thinkpad T41, and them Lenovo bits are essential for me, such as the Active shock protection, easy eject (mainly for the docking station) and the system driver! Trust me, if it ain't necessary then it gets removed (hence some files in the log reported as being not found or removed) :) I've been an active system builder now for the last 12 years, and the problem I posted about I have never seen it before. I have just tested every single PC in the house (with the grateful help of a massive Ethernet lead) and it don't seem to be happening again, maybe it was just I dunno really, I am stumped lol! But thanks also for your help, if it wasn't for helpful people like you & Johnathan, I'd be pulling my hair out! Thanks again, rep on its way to you :) |
Re: WTF are VM upto now??
As this is not a Virgin problem, I have moved it to the Networking forum.
|
Re: WTF are VM upto now??
Pleased to read that TehTech's problem seems to have vanished.
A quick way of checking which applications have active connections is to do a netstat -b. |
Re: WTF are VM upto now??
MSN server? You haven't got anybody sharing files with you through the MSN shared folders have you? If they were online when you went on, the files carry on transferring (I think), just something else to check anyway
|
Re: WTF are VM upto now??
Norton 2008 is much improved but even earlier I've not noticed much of an issue. It does like to auto update though, especially its virus definitions and so on. This can be configured to happen in the background silent like.
In UNIX you have things like lsof, wireshark, snoop etc that you can use to check the traffic on your network. Don't know what's there in Ol' Bill's offering. I do use the firewall logs though as they can help. You could try blocking all traffic on Norton and then check the log as to what is trying to connect and see what complains. |
Re: WTF are VM upto now??
Quote:
I did actually use Norton 360 for a while, but after numerous complaints to them, even "live chat", they couldn't answer 1 simple question: how many times does it have to update before it has the latest versions, as I was constantly updating all day, and it STILL came up with updates, so this was not trusted, and I dropped down to the only reliable version I had purchased, NIS 2005. |
Re: WTF are VM upto now??
Quote:
When you do a netstat do it as netstat -an for clearer results. If you want to resolve what those connections are then download TCPVIEW from the following link
http://technet.microsoft.com/en-us/s.../bb897437.aspx
You could also try Sam spade from this link
http://www.pcworld.com/downloads/fil...scription.html
Also Process Explorer
http://technet.microsoft.com/en-us/s.../bb896653.aspx
All 3 of the above tools are useful, give them a go as you are more likely to have Spyware. |
All Posts and Content are © Cable Forum