XP Security Breach

Thread starter: MAP

-----Original Message-----
I am running Windows XP (Japanese version..but that
should not matter) on a Toshiba Dynabook. I have an ADSL
internet connection at home.
For the past week or so as soon as and for as long as I
am online, I have noticed that the green light on the
Connection Status icon, which indicates "Sent" Activity
is on. Even when every application is closed and I am
doing nothing. The send rate is relatively slow,
typically no more than a couple of packets per second.
This is constant until I manually disconnect.
I assume that someone/something must be accessing my
computer but I am not sure who or what (or why!) and I
cannot figure out how to stop it.
I have already done the following:

1. Reboot. This always seems to be a good and simple
place to start. Has not worked.
2. Install and run both "adaware" and "spybot" to see if
it was some tracking file on my computer that I could
easily delete. Did not work.
3. Install Mcafee Virus Scan and Firewall. Virus Scan
did not find anything. And even with the firewall
running it does not stop.
4. Set the Firewall to Security Level: "Lockdown".
According to Mcafee, "The program blocks all network
traffic, both incoming and outgoing. While locked down,
no events will be generated. This setting basically has
the same effect as 'pulling the plug' on your Internet
connection." With this setting, I am naturally unable to
access anything on the Internet. However, according to
the Connection Status dialogue box, the packets continue
to be sent without interruption.
I cannot figure out what the problem is. I don't know
how up to date Mcafee is, but I would have expected that
between a Virus Scan and Firewall set at lockdown,
nothing would get through. I know that this may sound
paranoid, but one thing I can imagine at this point is
that this may be something that Microsoft itself has put
into the software to send whatever uninteresting and
useless information there is about me from my computer to
them.
Well, whatever the case may be, I would like to solve
this as soon as possible, so anyone with
ideas/suggestions, please do not hesitate to let me
know. Very much appreciated in advance.
I really don't think that a multi-billion-dollar corp.
cares what is on your computer; the status light could be
something as simple as pinging your ISP to keep your
connection open.
 
Snipped first two posts on this thread.

My opinion is that pinging the ISP to maintain the connection is not
reasonable, because the firewall being set to block all traffic would
preclude (prevent) the capacity to ping anything. And DSL type
connections don't work like dial-up connections.

As for opening and checking each and every port on the computer, there
are over 60K ports that would need to be checked. A simpler approach
would probably be more helpful. Is there a way to record the traffic that
is flowing in and out of your machine? My own firewall has an automatic
logging function that would tell me what kind of traffic was entering
and exiting my system. In order for this to work, you would need to
allow traffic to flow normally.

A hacker is unlikely because of the low bandwidth being consumed.

Last point to consider is that if the firewall is blocking all the
traffic, then the traffic that is lighting up the activity light is
coming from somewhere "beyond" your firewall, which would indicate a
problem with your physical connection to the internet.

I offer as evidence the fact that network traffic exiting your computer
typically must go through the firewall to reach the physical connection.
Data transmission occurs by some form of energy, be it electrical,
light, radio, etc. This energy is created by your physical connection.
The presence of that energy is what will light up the activity light.

You said that you could see continuous outgoing data when the firewall
was closed. Is there any data flowing into your computer when the
firewall is closed?

Let us know.
 
Thanks for all of your responses.

First, agreed that it is likely not pinging the server, precisely because the firewall was locked down and because it is a DSL and not a dialup connection.
Also agreed that a hacker is unlikely due to low bandwidth being consumed.

Regarding the possibility of this being the physical connection, I tried the following as a quick test:

The ADSL connection goes through a modem to a splitter to which two computers are currently connected. One is the XP culprit and the other is a computer running Windows 2000. I switched the LAN cables (and thus the specific ports they are connected to) for these two computers and the same result occurs. That is, regardless of which physical port the computers go through on the splitter/modem, the XP machine continues to have a small trickle of packets being sent out somewhere.

As far as I can tell, there is no data inflow when the firewall is closed.

McAfee has a "Traffic Monitor" function. However, it does not give much detail (unless I am missing something). The first tab, "Statistics", gives per-minute traffic analysis at a very high level: a) Incoming KB/minute, Outgoing KB/minute, Traffic Usage breakdown of approximate % of bandwidth used by application over past 24 hours (i.e. Internet Explorer X%, Windows Media Player Y%, System Process Z%, etc.). Other than this information there is nothing else.

On the only other tab, "Applications", "Active Connections" are listed, giving "Application Name" and "Port Number." For example, application "System Process" is listed as having a few ports that are "listening". I'm not sure that this tells me very much.

Other than this, I am not sure what else to do.

Any further suggestions?
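The traffic log the earlier reply asks for, and the port-to-application view the Traffic Monitor only hints at, combined in one added example. This is not code from any poster in this thread. It assumes the Windows Firewall log (pfirewall.log, with "Log successful connections" turned on) in place of McAfee's monitor, and the plain-text output of `netstat -ano` and `tasklist`; the log entries, the netstat and tasklist output and the local addresses are all constructed samples, not captures from the original poster's machine.

```python
"""Trace a trickle of outbound entries back to the adapter and process sending it.

Added example for this thread, not a poster's code. Assumes the W3C-style
pfirewall.log written by Windows Firewall (its '#Fields:' header names the
columns, so the XP and later layouts both parse) plus 'netstat -ano' and
'tasklist' text output. Every input below is a constructed sample.
"""
from collections import Counter
from datetime import datetime
import re

# Constructed log: one browser connection, repeated NetBIOS broadcasts leaving
# a second adapter (169.254.x.x), and one inbound probe that was dropped.
FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-03-14 22:10:01 OPEN TCP 192.168.0.10 203.0.113.20 1034 80 - - - - - - - -
2004-03-14 22:10:01 OPEN UDP 169.254.12.7 169.254.255.255 138 138 - - - - - - - -
2004-03-14 22:10:01 OPEN UDP 169.254.12.7 169.254.255.255 137 137 - - - - - - - -
2004-03-14 22:10:02 OPEN UDP 169.254.12.7 169.254.255.255 137 137 - - - - - - - -
2004-03-14 22:10:02 DROP TCP 198.51.100.9 192.168.0.10 3921 445 48 S 1 0 65535 - - -
2004-03-14 22:10:03 OPEN UDP 169.254.12.7 169.254.255.255 138 138 - - - - - - - -
2004-03-14 22:10:03 OPEN UDP 169.254.12.7 169.254.255.255 137 137 - - - - - - - -
"""
# Constructed 'netstat -ano' and 'tasklist' output taken at the same moment.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.10:1034      203.0.113.20:80        ESTABLISHED     1488
  UDP    169.254.12.7:137       *:*                                    4
  UDP    169.254.12.7:138       *:*                                    4
  UDP    192.168.0.10:137       *:*                                    4
"""
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
iexplore.exe                  1488 Console                    0     12,340 K
"""
# This machine's own adapter addresses (from 'ipconfig'); constructed here.
LOCAL_IPS = {"192.168.0.10", "169.254.12.7"}


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the '#Fields:' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) >= len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def outbound_rows(rows, local_ips):
    """Entries that left this host: local source address and not dropped."""
    return [r for r in rows if r["src-ip"] in local_ips and r["action"] != "DROP"]


def entries_per_second(rows):
    """Average rate over the span the entries cover (1-second log resolution)."""
    stamps = [datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
              for r in rows]
    if not stamps:
        return 0.0
    span = (max(stamps) - min(stamps)).total_seconds() + 1  # count the first second
    return len(rows) / span


def parse_netstat(text):
    """Map (local address, local port) -> PID from 'netstat -ano' output."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            ip, _, port = parts[1].rpartition(":")
            mapping[(ip, port)] = int(parts[-1])
    return mapping


_TASK_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output (names may contain spaces)."""
    return {int(m["pid"]): m["name"]
            for m in (_TASK_RE.match(ln) for ln in text.splitlines()) if m}


def attribute_outbound(rows, local_ips, port_to_pid, pid_to_name):
    """Count outbound entries per (src-ip, dst-ip, dst-port, proto, process)."""
    counts = Counter()
    for r in outbound_rows(rows, local_ips):
        pid = port_to_pid.get((r["src-ip"], r["src-port"]))
        proc = pid_to_name.get(pid, "pid %s" % pid) if pid is not None else "unknown"
        counts[(r["src-ip"], r["dst-ip"], r["dst-port"], r["protocol"], proc)] += 1
    return counts


if __name__ == "__main__":
    rows = parse_firewall_log(FIREWALL_LOG)
    out = outbound_rows(rows, LOCAL_IPS)
    print("outbound entries/sec: %.1f" % entries_per_second(out))
    print("by local adapter address:", dict(Counter(r["src-ip"] for r in out)))
    table = attribute_outbound(rows, LOCAL_IPS, parse_netstat(NETSTAT),
                               parse_tasklist(TASKLIST))
    for key, n in table.most_common():
        print(n, *key)
```

Two things fall out of the join that the Traffic Monitor's "listening" list does not give. The source port of each outbound entry maps through `netstat -ano` to a PID and through `tasklist` to an image name, so "System Process" becomes PID 4 on ports 137/138 rather than an anonymous row. And because every entry carries the local source address, the count by `src-ip` shows which adapter the packets leave from; a second adapter, such as the 1394 Connection XP creates when a FireWire controller is present, gets its own address and stands out as a separate row, which is the check that would have shortened this thread.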
 
I had something like that earlier in the month upon a fresh
reinstall of XP.

I got rid of the outgoing information. But I don't know
exactly what it was. I disabled the following things though:

Simple File Sharing
Offline Synchronization
SNMP
Automatic Updates
Remote Assistance

The way to get to the Simple File Sharing (it's enabled by
default):

http://support.microsoft.com/default.aspx?kbid=307874

Offline Synchronization:
1) Open My Computer
2) Click on Tools
3) Click on the Offline tab, do what you have to there.

SNMP
1) Open Control Panel
2) Network
3) If SNMP is listed there, highlight it and delete it if it's
not needed.

Automatic Updates and Remote Assistance:
Right click on My Computer, you'll see the tabs for Update and
Remote.

Hope that helps.

--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.


Just figured out the problem. Rather silly actually. Seems that the small signal was being generated by the IEEE 1394 card that was installed to accept a FireWire cable. Have disabled it and the signal stops. Thanks to everyone for your help!
 
