
Unexplained downloads

  • 17-09-2006 4:23pm
    #1
    Closed Accounts Posts: 14


    I hope this is right place to ask this question.

    Os windows xp Local area Connection Status
    Packets sent 8,276 Received 7,194
    Connected for 3 hours 19 mins
    10.0 Mbps Speed

    ISP Clearwire good connection
    no streaming or torrent
    Win Patrol, Avg, Zonealarm
    show nothing out of ordinary

    Window Task manager system 99% idle

    Gives connection usage between 0.00 and 0.35%
    Says I have downloaded 32,869,000 Bytes and uploaded 917,00 Bytes
    apart from a couple of 3K emails have and am not at the moment downloading anything
    The activity shown by task manager is not there all the time and might be 0 to 0.01 for 10 minutes or more. In a typical day it says I download approx 100MBytes. If I am, I don't know where it is going.
    Is this normal? Should I worry.


Comments

  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    Mark1 wrote:
    I hope this is right place to ask this question.

    Os windows xp Local area Connection Status
    Packets sent 8,276 Received 7,194
    Connected for 3 hours 19 mins
    10.0 Mbps Speed

    ISP Clearwire good connection
    no streaming or torrent
    Win Patrol, Avg, Zonealarm
    show nothing out of ordinary

    Window Task manager system 99% idle

    Gives connection usage between 0.00 and 0.35%
    Says I have downloaded 32,869,000 Bytes and uploaded 917,00 Bytes
    apart from a couple of 3K emails have and am not at the moment downloading anything
    The activity shown by task manager is not there all the time and might be 0 to 0.01 for 10 minutes or more. In a typical day it says I download approx 100MBytes. If I am, I don't know where it is going.
    Is this normal? Should I worry.

    AVG should be downloading its updates every day, Windows should be checking for updates on a regular basis, your mail client should be checking for new mail every so often, and if you're running Windows Messenger or any other IM client, there'll be constant traffic.

    You can check what IP addresses you're communicating with by opening a command prompt and typing NETSTAT. It's not something I'd be overly worried about, unless you find something else.


  • Closed Accounts Posts: 14 Mark1


    Thank you Foxwood
    This is downloading I cannot find out why
    no programmes updating in background
    It isn't anything that I am knowingly running, and using Win Patrol to turn off/disable every running programme, this download continues
    If I was on dial-up this would be a big chunk of available bandwidth, assuming my sums are correct


  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    Mark1 wrote:
    Thank you Foxwood
    This is downloading I cannot find out why
    no programmes updating in background
    It isn't anything that I am knowingly running, and using Win Patrol to turn off/disable every running programme, this download continues
    If I was on dial-up this would be a big chunk of available bandwidth, assuming my sums are correct

    What does NETSTAT show? If there's anything downloading, it'll show what IP address you're connecting to.

    You say you're with ClearWire. Does that mean that your PC gets a public IP address, and you don't have a NAT device between your PC and the Internet?


  • Closed Accounts Posts: 14 Mark1


    computer connects LAN to Clearwire AerialBox/transceiver


    Active Connections

    Proto Local Address Foreign Address State
    TCP Workcomputer:2587 85-124-175-223.dynamic.xdsl-line.inode.at:57237
    ESTABLISHED
    TCP Workcomputer:3366 static-fxfeeds.nslb.sj.mozilla.com:http ESTABLI
    SHED
    TCP Workcomputer:3370 216.239.51.99:http ESTABLISHED
    TCP Workcomputer:4894 localhost:4895 ESTABLISHED
    TCP Workcomputer:4895 localhost:4894 ESTABLISHED

    Did a second try one address gone but still downloading

    Active Connections

    Proto Local Address Foreign Address State
    TCP Workcomputer:2587 85-124-175-223.dynamic.xdsl-line.inode.at:57237
    ESTABLISHED
    TCP Workcomputer:4894 localhost:4895 ESTABLISHED
    TCP Workcomputer:4895 localhost:4894 ESTABLISHED


  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    Mark1 wrote:
    computer connects LAN to Clearwire AerialBox/transceiver

    85-124-175-223.dynamic.xdsl-line.inode.at:57237

    Port 57237 is the port for a Java-based IRC bot tool called pircbot.

    Unless you have a known good reason for being connected to a machine in Austria, I'd begin to be a bit concerned.


  • Closed Accounts Posts: 14 Mark1


    I have no known reason to be connected to Austria
    What is picbot
    spybot and adware did not locate it
    does it need removing? if so how?
    Sorry for delay in response was unable to connect to Boards.ie


  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    Mark1 wrote:
    I have no known reason to be connected to Austria
    What is picbot

    That's pIRCbot. IRC is Internet Relay Chat, a predecessor of Instant Messaging, and is notoriously used as a channel for managing "zombie" PCs. That's what concerns me. (I can't find anything bad about pircbot specifically in Google, but the words "bot" and "irc" in the same sentence worry me).

    spybot and adware did not locate it
    does it need removing? if so how?

    If it was me, the first thing I'd do is to open regedt32 and check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    If that doesn't mean anything to you, you can try running MSCONFIG (Start/Run, enter MSCONFIG and click Enter) and look at the Startup tab. If there's anything in there that you can't identify, uncheck it and reboot.

    If the problem persists, you're going to need more in-depth help than I can offer here.


  • Closed Accounts Posts: 14 Mark1


    did this
    open regedt32 and check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    4 entries: AVG, Winpatrol, Zonealarm and 1 other that would not delete

    Went other route MSCONFIG (Start/Run, enter MSCONFIG and click Enter) and look at the Startup tab.
    1 unidentified entry, unchecked. Before I could reboot, Winpatrol had detected a new startup

    Microsoft® Windows® Operating System
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    clicked no and rebooted
    then did regedt32 and check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4th entry unidentified entry still there


  • Closed Accounts Posts: 14 Mark1


    Active connections now

    Active Connections

    Proto Local Address Foreign Address State
    TCP Workcomputer:1063 87.192.16.217:37622 ESTABLISHED
    TCP Workcomputer:1236 72.14.221.147:http ESTABLISHED
    TCP Workcomputer:1244 mozilla.ussg.indiana.edu:http ESTABLISHED
    TCP Workcomputer:1065 localhost:1066 ESTABLISHED
    TCP Workcomputer:1066 localhost:1065 ESTABLISHED

    ran again and mozilla entry gone
    down loads continue 6Mbyte since re boot


  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    Mark1 wrote:
    87.192.16.217:37622

    That's an Irish Broadband address - are they somehow linked to Clearwire?

    72.14.221.147:http

    A Google address. Do you use Google as your home page?

    mozilla.ussg.indiana.edu:http

    Are you using Firefox? There was an update released earlier this week, and it may be downloading the latest version (auto updates are a feature of recent releases).

    ran again and mozilla entry gone
    down loads continue 6Mbyte since re boot

    Without doing some testing of my own, 6MB of downloads on startup wouldn't necessarily faze me, at least not in this day and age of auto updaters, time protocols, etc. Keep an eye on it, and on Netstat.

    And give serious thought to putting some protective hardware between you and that open internet connection. Personally, I don't believe that broadband ISPs should be allowed to put end users directly on the internet without a NAT firewall in place.


  • Closed Accounts Posts: 14 Mark1


    Hi Foxwood
    had already checked as best I could and knew one was google and other was firefox update
    Connections this morning
    Active Connections

    Proto Local Address Foreign Address State
    TCP Workcomputer:2512 adsl-59841bc8.monradsl.monornet.hu:24343 ESTABL
    ISHED
    TCP Workcomputer:2549 localhost:2550 ESTABLISHED
    TCP Workcomputer:2550 localhost:2549 ESTABLISHED
    Have now been on line for over an hour downloads under 1.5MBytes
    Have checked my emails looked at monradsl.monornet.hu seems to be lists of addresses different people have visited
    Will get Blueface and their router it has a NAT firewall
    I run a work-from-home business and place all my orders on the internet. No orders, no income. Emergency backup connection is/was via my mobile phone.
    Used to prepay €25 per month for 25M, have not needed it so am now on €5 per Mbyte, hence desire not to have to pay €50 for the hour it takes to place my orders.
    Windows task manager showed very little traffic this morning except when I was checking mail etc. Will keep an eye on it but really would like to know what was happening
    Thank you for your time so far.


  • Closed Accounts Posts: 1,491 ✭✭✭Foxwood


    Go to SysInternals and get TCPView to find out what process is associated with that connection.
    http://www.sysinternals.com/Utilities/TcpView.html

    You might also want to check out their Root Kit Revealer tool.
    http://www.sysinternals.com/Utilities/RootkitRevealer.html
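
Added example, not part of any post in the thread: a small Python triage of the kind of NETSTAT listing posted above, which rejoins the rows the console wrapped (for example `ESTABLI` / `SHED`) and separates loopback pairs and ordinary web or mail ports from remote endpoints that still need tracing to a process. The `EXPECTED_PORTS` allowlist and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample: the first listing posted in the thread, with the
# line wraps left exactly as the console produced them.
SAMPLE = """\
Active Connections

Proto Local Address Foreign Address State
TCP Workcomputer:2587 85-124-175-223.dynamic.xdsl-line.inode.at:57237
ESTABLISHED
TCP Workcomputer:3366 static-fxfeeds.nslb.sj.mozilla.com:http ESTABLI
SHED
TCP Workcomputer:3370 216.239.51.99:http ESTABLISHED
TCP Workcomputer:4894 localhost:4895 ESTABLISHED
TCP Workcomputer:4895 localhost:4894 ESTABLISHED
"""

# Assumption: remote ports treated as ordinary client traffic (web, mail).
# A match lowers priority only; it does not prove the connection is benign.
EXPECTED_PORTS = {"http", "https", "smtp", "pop3", "imap",
                  "80", "443", "25", "110", "143"}


def parse_netstat(text):
    """Rejoin wrapped rows; return (proto, local, foreign, state) tuples."""
    rows = []
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"(TCP|UDP)\s", line):
            rows.append(line)
        elif rows and re.fullmatch(r"[A-Z_0-9]+", line):
            rows[-1] += " " + line  # wrapped state, e.g. "SHED"
    parsed = []
    for row in rows:
        parts = row.split()
        if len(parts) >= 3:
            # A state split mid-word arrives as two tokens; glue them.
            parsed.append((parts[0], parts[1], parts[2], "".join(parts[3:])))
    return parsed


def classify(foreign):
    """Label a foreign endpoint as loopback, expected or review."""
    host, _, port = foreign.rpartition(":")
    if host == "localhost" or host.startswith("127."):
        return "loopback"
    return "expected" if port.lower() in EXPECTED_PORTS else "review"


def triage(text):
    """Established remote endpoints that still need tracing to a process."""
    return [foreign for _, _, foreign, state in parse_netstat(text)
            if state == "ESTABLISHED" and classify(foreign) == "review"]


if __name__ == "__main__":
    for endpoint in triage(SAMPLE):
        print("trace to owning process:", endpoint)
```

On the machine itself, `netstat -ano` adds the owning process ID to each row, which is the connection-to-process mapping TCPView displays.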

