Network traffic

#1 BillS (New Member)
I've just installed a new [clean] PC on the network. It has antivirus, firewalls, etc. etc., Win XP Prof on a clean disk...

But the PC is generating a huge amount of network traffic.

I have rebooted/closed all apps/shut down as many services as possible etc. etc., but I cannot determine where the traffic is coming from.

If I boot in Safe Mode with Networking, the traffic stops!

I've tried Ad-Aware and HijackThis - the PC is REALLY 'clean'.

I have used sniffers to 'examine' the packet info, but I cannot determine what is/what application is generating the packets.

Any ideas what tools I can use to help me out?

HELP <_<

#2 admin (Founder Geek, Administrator)
Have you checked your firewall logs? They should give you clues by looking at which ports are being used, and IP ranges.

#3 BillS (New Member, Topic Starter)
Yeah - all the activity is between this PC and the router/gateway, all inside the network.

Here's a 'typical' packet that's sent:

[non-printable Ethernet/IP/TCP header bytes]
POST /EmWeb/UPnP/Control/2 HTTP/1.1
Content-Type: text/xml; charset="utf-8"
SOAPAction: "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1#GetTotalBytesReceived"
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Host: 192.168.1.1:2800
Content-Length: 313
Connection: Keep-Alive
Pragma: no-cache

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlso...soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlso...alBytesReceived xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/></SOAP-ENV:Body></SOAP-ENV:Envelope>


It's generated many times a second... just can't figure where the [bleep] it's coming from...
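The request captured above, pulled apart in code. This is an added example written for this page, not code from the thread, from the router, or from the Windows UPnP client that the thread later blames. It rebuilds the captured POST from constructed bytes (the leading frame-header bytes are stand-ins for the non-printable prefix in the sniffer dump), names the service and action from both the SOAPAction header and the SOAP body, parses a constructed reply of the kind an Internet Gateway Device returns for GetTotalBytesReceived (the NewTotalBytesReceived argument comes from the IGD WANCommonInterfaceConfig service description, not from the thread), and counts how many such requests fall in any one-second window over constructed timestamps, which is the "many times a second" symptom worth alerting on.

```python
"""Parse a UPnP IGD GetTotalBytesReceived exchange and measure the polling rate.

Added example for this thread; the request, the router reply and the timestamps
below are all constructed (the request mirrors the packet in the post).
"""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_WANCIC = "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"

# SOAP body of the captured request: a GetTotalBytesReceived call with no arguments.
REQUEST_BODY = (
    b'<?xml version="1.0"?>'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    b'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    b'<SOAP-ENV:Body><m:GetTotalBytesReceived xmlns:m="' + IGD_WANCIC.encode() + b'"/>'
    b"</SOAP-ENV:Body></SOAP-ENV:Envelope>"
)


def build_request(body: bytes) -> bytes:
    """Assemble the control POST with the headers seen in the capture."""
    headers = [
        b"POST /EmWeb/UPnP/Control/2 HTTP/1.1",
        b'Content-Type: text/xml; charset="utf-8"',
        b'SOAPAction: "%s#GetTotalBytesReceived"' % IGD_WANCIC.encode(),
        b"User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)",
        b"Host: 192.168.1.1:2800",
        b"Content-Length: %d" % len(body),
        b"Connection: Keep-Alive",
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


# Stand-in for the non-printable link/IP header bytes that precede the HTTP data in a dump.
FRAME_PREFIX = b"\x00\x0c\x29\x3a\x11\x02\x08\x00\x45\x00\x01\xb5"
SAMPLE_REQUEST = FRAME_PREFIX + build_request(REQUEST_BODY)

# Constructed reply of the kind an IGD router returns; NewTotalBytesReceived is the
# out-argument named by the WANCommonInterfaceConfig service description.
SAMPLE_RESPONSE = (
    b'HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset="utf-8"\r\nEXT:\r\n\r\n'
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetTotalBytesReceivedResponse xmlns:u="' + IGD_WANCIC.encode() + b'">'
    b"<NewTotalBytesReceived>123456789</NewTotalBytesReceived>"
    b"</u:GetTotalBytesReceivedResponse></s:Body></s:Envelope>"
)


def parse_control_request(raw: bytes) -> dict:
    """Find the HTTP request inside a raw frame and name the UPnP service and action.

    The SOAPAction header and the body element both name the action; both are
    returned so that a disagreement between them is visible to the caller.
    """
    start = raw.find(b"POST ")
    if start < 0:
        raise ValueError("no HTTP POST in frame")
    head, _, body = raw[start:].partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.fullmatch(r'"?(urn:[^#"]+)#([^"]+)"?', headers.get("soapaction", ""))
    if m is None:
        raise ValueError("missing or malformed SOAPAction header")
    soap_body = ET.fromstring(body).find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        raise ValueError("SOAP envelope has no body element")
    body_service, body_action = soap_body[0].tag[1:].split("}", 1)  # "{ns}Action"
    return {
        "control_url": url,
        "host": headers.get("host"),
        "header_service": m.group(1),
        "header_action": m.group(2),
        "body_service": body_service,
        "body_action": body_action,
        "consistent": (m.group(1), m.group(2)) == (body_service, body_action),
    }


def parse_control_response(raw: bytes) -> int:
    """Pull the byte counter out of the router's GetTotalBytesReceivedResponse."""
    _, _, body = raw.partition(b"\r\n\r\n")
    el = ET.fromstring(body).find(
        f".//{{{IGD_WANCIC}}}GetTotalBytesReceivedResponse/NewTotalBytesReceived")
    if el is None or el.text is None:
        raise ValueError("no NewTotalBytesReceived in response")
    return int(el.text)


def peak_requests_per_window(timestamps_ms, window_ms=1000):
    """Largest number of requests falling in any window_ms-wide span (inclusive)."""
    ts = sorted(timestamps_ms)
    best = j = 0
    for i, t in enumerate(ts):
        while t - ts[j] > window_ms:  # slide the window start forward
            j += 1
        best = max(best, i - j + 1)
    return best


if __name__ == "__main__":
    polls = [i * 100 for i in range(40)]  # constructed: one request every 100 ms for 4 s
    print(parse_control_request(SAMPLE_REQUEST))
    print("router counter:", parse_control_response(SAMPLE_RESPONSE))
    print("peak requests in any one second:", peak_requests_per_window(polls))
```

Run it as a script to print the parsed request, the counter the router reports, and the peak rate. To use it on a real capture, pass the TCP payload from the sniffer to parse_control_request; it only needs the bytes from "POST " onward, so the frame headers can stay in.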

#4 admin (Founder Geek, Administrator)
Just for the heck of it, let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

#5 BillS (New Member, Topic Starter)
Cracked it!

Firstly, disabled UPnP on the router - this stopped all the 'crap' packets but still allowed access to the Internet.

Secondly, installed a copy of Windows 'Universal Plug and Play' - it doesn't get installed by default!

And finally, re-enabled UPnP on the router - voila! ...

...no crazy network traffic anymore!

Thanks for your help <_<

#6 BillS (New Member, Topic Starter)
Arrrggghhh! <_<

Too good to be true!

I rebooted and it's all come back!

Maybe I should just disable UPnP on the router? I have no documentation on it so don't know if it's required??

#7 BillS (New Member, Topic Starter)
Here's the HijackThis log as you suggested:

Logfile of HijackThis v1.97.7
Scan saved at 15:30:35, on 24/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8092.5740509259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WessexSystems.local
O17 - HKLM\Software\..\Telephony: DomainName = WessexSystems.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WessexSystems.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WessexSystems.local


#8 admin (Founder Geek, Administrator)
I'd disable UPnP on your system and router. Here's a good link explaining why and how (at least on your system):
http://www.grc.com/unpnp/unpnp.htm

I don't see anything suspect in your log except SQL Server (does that generate internal traffic?), and your O17s are a little unusual (I'll check into it a little more).

#9 BillS (New Member, Topic Starter)
It's definitely the UPnP - generated from the router. If I disable UPnP on the router the problem goes away. The downside is that I don't get the auto-detect of the router on the PC and the nice little icon in the SysTray that gives me useful stats about what/how much data has been transferred. (Which, by the way, is how I noticed there was a lot of network traffic in the first place <_< )

I'll check the article you recommend...

#10 BillS (New Member, Topic Starter)
BTW: The O17s are cool - I run a small Win2k domain here... and they're valid entries...

#11 admin (Founder Geek, Administrator)
> Which, by the way, is how I noticed there was a lot of network traffic in the first place

See IRONY :D

> BTW: The O17s are cool - I run a small Win2k domain here... and they're valid entries...

That explains 'em <_<