Jetstream Bleeding



Paulmnz
03-08-2004, 07:37 AM
Using Jetstream 256k 10GB package for less than a month. Was pretty sure that the fact that the account has used 8.7GB of its capacity was due to my flatmate's need to play Planetside and other enmasse FPS's games online.

Sitting here with the ADSL router ethernet cable leading to his computer unplugged and my system stripped back to running nothing except DU Network meter. I have deleted all network places not on this system so it shouldn't be LAN data going back and forth - but it's constantly pulsing out at 14.7kb/s DL and 1.7kb/s UL (runs at that for a few seconds, drops to zero, then runs again)

My alarm system is not monitored, and has caused no connection problems, and I know for a fact that the most it should be doing is sending a test signal once per day.

Not an Xtra customer - going through another ISP.

So my question is - what's going through the network and is it chewing up my Jetstream quota? (The T/com usage meter says yes it is)

Have run: AVG antivirus, and Spybot S&D in the last 24 hours and neither showed so much as a blip.

Anyone know of a utility that can scan and list where the signal is going to or coming in from?

Is it somehow local traffic going through the router as a LAN thing or somewhere else?

Appreciate it.

Lohsing
03-08-2004, 07:51 AM
How about installing Zone Alarm and monitoring absolutely everything?

Might turn up a few bits and pieces?

Lo.

Billy T
03-08-2004, 09:04 AM
Yes, get ZA on the job asap.

Use an older version if you can (V4.xx) as V5 was a bit problematic and I don't know if all the bugs are out of it yet. Options to find V4 include: Google for Zone alarm V4, check past PCW CDs, search PF1 for ZA V5 and read the comments, or someone here will point you to a download site.

You could have a keyboard that is calling home too, so try unplugging it and see if the traffic stops.

Cheers

Billy 8-{)

Paulmnz
03-08-2004, 05:57 PM
I actually thought of ZA too - <Plug>on the cover CD of the latest PC World what's more</Plug>

It gets weirder. Disable the ADSL connection - and still 3 seconds on and 3 seconds off... 14.7KB/s DL and 1.3 UL.... With the ADSL software manager set to disconnect - it stopped it sucking my quota though.

Have e-mailed various interested parties (ADSL router tech support and network traffic monitor app tech support) to see if they can suggest anything.

Graham L
03-08-2004, 06:27 PM
Have you got an HP multimedia keyboard? One model was distributed with a helpful feature in its driver to keep the connection alive. :D It has been expensive to people who pay for their bytes. There is a replacement driver from HP to stop it calling home frequently.

Elephant
03-08-2004, 08:00 PM
Try getting another flatmate or actually explain what hard and software you run.

The ADSL router you have. No make and model once again.

Not using Xtra but using another ISP. What ISP?

No operating system mentioned once again.

You use Jetstream but I have no idea how as I don't know what ISP you use.

So far my advice is to buy a boat and use the "Flatmate" as an anchor.

You have a home network and explained you have disconnected your flatmates' computer from the network.

Would you like to tell all here what O/S you use?

What phone filters have you?

Who installed this mess?

Paulmnz
03-08-2004, 08:05 PM
> Try getting another flatmate or actually explain what hard and software you run.

Working on that.

> The ADSL router you have. No make and model once again.

Conexant

> Not using Xtra but using another ISP. What ISP?

iHug

> No operating system mentioned once again.

Win XP Pro (I love it when you beg)

> You use Jetstream but I have no idea how as I don't know what ISP you use.

Via iHug - and through the LAN connection of my ADSL Router

> So far my advice is to buy a boat and use the "Flatmate" as an anchor.

That's helpful. No really.

> You have a home network and explained you have disconnected your flatmates' computer from the network.
>
> Would you like to tell all here what O/S you use?

Win XP Pro

> What phone filters have you?

Standard DSE Telepermitted line filter have I. Hmmmm. No other devices connected to phone line I sense.

> Who installed this mess?

It actually installs itself. And it works. It's just got some.... eccentricities.

Paulmnz
03-08-2004, 08:07 PM
Oh and it's a Logitech keyboard.

Zone Alarm said "DLL as Application": was actively connecting - but wouldn't tell me where or why.

Paulmnz
03-08-2004, 08:09 PM
ADSL Router is a Conexant 4 port Model # PT -3812 :O

fairway
03-08-2004, 08:20 PM
I had this problem with my Dell laptop running xp pro.. Spent months at postings world wide trying to figure it out, to no real avail.
I formatted the drive and installed 2000 pro with sygate firewall (free for home use) never had the problem again.

I believe it is an issue in Windows XP, in processes running ...designed to make your server rich? ;-)

fairway
03-08-2004, 08:22 PM
Yes that was a Plug for the Sygate fire wall... ;)

mikebartnz
03-08-2004, 08:31 PM
>Zone Alarm said "DLL as Application":
It does not sound good a DLL running as an application. Have you tried stopping it with ZA and seeing what complains.

Elephant
03-08-2004, 09:04 PM
> Try getting another flatmate or actually explain what
> hard and software you run.
>
> Working on that.
Well you don't have to. Only if you want to.
>
> The ADSL router you have. No make and model once
> again.
> Conexant
OK...
>
> Not using Xtra but using another ISP. What ISP?
>
> iHug
OK.
> No operating system mentioned once again.
>
> Win XP Pro (I love it when you beg)
Yep... Down on my bended knees once again. :-)


> You use Jetstream but I have no idea how as I don't
> know what ISP you use.
>
> Via iHug - and through the LAN connection of my ADSL
> Router

Your main problem as I see it is that you are trying to find out where the network traffic is coming from. I take it that you have the router plugged into your computer and the network cable has been removed from the flatmates' computer. The router connects to the ISP on your computer for you to connect to the internet. Depending on your setup you can even get your own computer or network give you a ping. I don't believe that just this happening will give you 8.7 Gig of traffic.

> So far my advice is to buy a boat and use the
> "Flatmate" as an anchor.
>
> Thats helpful. No really.
No... I have to admit that my post will not solve your problem. I posted my questions in the hope that I can solve your question and to elicit more info so that others may do so.

I have set up networks in the past as recently as a few days ago I set up a home network where one computer will use the dial up connection where the modem is installed as is normal. Got the other computer to use the same connection.
>
> You have a home network and explained you have
> disconnected your flatmates' computer from the
> network.
>
> Would you like to tell all here what O/S you use?
> Win XP Pro
OK. Understood.
> What phone filters have you?
> Standard DSE Telepermitted line filter have I. Hmmmm.
> No other devices connected to phone line I sense.

You mentioned that there is no alarm fitted in your home earlier.
So how many phones are plugged into outlets? As I work it out so far you have one voice phone plugged in. You don't say any different. What do you mean that "No other devices connected to the phone line I sense." Do you not know? For all I know you use cellphones for communication other than the internet and have no landline phones at all.
> Who installed this mess?
> It actually installs itself. And it works. It's
> just got some.... eccentricities.

<sarcastic mode on>

So all the hardware just jumped onto the desk of you and the flatmate and plugged itself in to available phone lines. I take it that the hardware just rewired the house you live in and just did everything.

<sarcastic mode off>

The eccentricities you mention above I think are costing you money. Otherwise why post here.

The point of my post was to get some answers from you so that others who use Ihug and Jetstream and ADSL modems or Routers can explain why you are getting the traffic you complain about.

Personally I can't help you as I can't see what you see. Your answers to my post may well help others to help you.

I hope this helps.

fairway
03-08-2004, 09:22 PM
Well I still reckon it's a pre sp1 XP operating system issue .. I am at this moment trying to find the UK board this was posted on .. 2 years ago.
"""""watch this space''''''''''

Elephant
03-08-2004, 09:38 PM
> Well I still reckon it's a pre sp1 XP operating
> system issue .. I am at this moment trying to find
> the UK board this was posted on .. 2 years ago.
>
> """""watch this space''''''''''

I'm waiting. Not that I need the answer myself.
So are you suggesting that the original poster gets Service Pack 1 for WinXP and all the network traffic will go away?

I have installed Win XP SP1 and it works for me. I tried WinXP SP2 Beta RC2 and was not a happy chappy.

fairway
03-08-2004, 10:46 PM
Sorry to keep you waiting .. My Mother rang ...

Go download sygate firewall ... get familiar with it and then block each individual port/programme and windows service one by one ... then you can tell me what programme this dollar wasting chatter is coming from.

I did a quick google search, it is a familiar problem it seems, with cable and dialup?

fairway
03-08-2004, 11:12 PM
>>>Have run: AVG antivirus, and Spybot S&D in the last 24 hours and neither showed so much as a blip.


While you are downloading, trash the AVG antivirus and go get Avast antivirus ..at least it updates hourly, automatically. (not when most people remember to) Spybot S&M has another update as well.

Rob99
04-08-2004, 01:55 AM
Avast is just as crap as AVG (http://www.virusbtn.com/vb100/archives/products.xml?avist.xml)

Elephant
04-08-2004, 02:23 AM
> Sorry to keep you waiting .. My Mother rang ...
Well if I still had a Mother alive and can talk to her I would feel really lucky. Some people would say that the sooner I get with my Mother the better even!!! :-)

The original post seemed to blame the flatmate but having said that the flatmate has been disconnected by removing a network cable.

Now being the suspicious sod that I am I could think that maybe the flat mate has access to the original posters PC as it would probably be in the same house.

It was mentioned in the earlier post that the said flatmate was wanting to play games. The fact that you can unplug a cable will not help your PC to be secure if people have access to the PC and possibly know passwords.

Laura
04-08-2004, 06:29 AM
Presume you mean the Spybot Definition Rules update of 28 July?
A helpful reminder post meant PF1ers found that 5 days ago.
Keep your eyes open & you won't be as late checking as "most people"..

whetu
04-08-2004, 10:33 AM
Use a packet sniffer such as Ethereal... not really for the non-networking inclined but far more dependable and functional than depending on some messy third party firewall application to blindly suggest what the problem could be.

Paulmnz
04-08-2004, 10:41 AM
Well thanks for all the discussion. Using Zone Alarm to deny network access to the DLL file with the following specs:

Product name Microsoft® Windows® Operating System
File name C:\WINDOWS\System32\rundll32.exe
Policy Manually configured
Last policy update Not applicable
Version 5.1.2600.0 (xpclient.010817-1148)
Created date 24/08/2001
File size 31 KB

Has reduced my unintentional network traffic to ZERO. No apparent ill effects at this time.

Interesting.


Oh and in response to Elephant's earlier post:

It is secure when you go to the trouble of setting up passwords, including p/word protected screensaver return from options.
The cable is unplugged at the router end (on my desk), the software control for the ADSL router is switched to the disconnect option and Telecom's Usage meter confirms that you haven't been online (the numbers haven't changed).

Which leads me to clarification of the original issue....

(Now with full technical detail!)

System: XP PRO
Conexant ADSL 4 port router Part# PT3812
IHug is the ISP, 256K 10gb Jetstream connection.
Connecting via an ethernet connection to the router, with one other LAN computer (now unplugged at the router).

Zone Alarm indicates a "DLL running as application" is the only active program. Zone Alarm and DU Meter (for monitoring network traffic) concur that every 3 seconds for 3 seconds the network registers a 14.1 DL and a 1.3 UL burst of data.

When the software control for the ADSL connection is set to Disconnect - this does not affect my Telecom usage quota. When I'm online - it does affect the quota.

[Issue resolved]

Murray P
04-08-2004, 11:06 AM
MVPS (http://www.mvps.org/sramesh2k/rundll32.htm) re finding the process that rundll32.exe is executing.

Spyware Info (http://www.spywareinfo.com/~merijn/winfiles.html#rundll32)

It would seem that ZA is only taking the info from windows Task Manager and not actually analysing the process itself.

I would be very suspicious of anything that rundll32 is calling (or vice versa) and using that much data. It may not necessarily be malicious but it still needs to be tracked down and sorted.

Cheers Murray P

fairway
04-08-2004, 12:48 PM
thanks for that...
I run spybot and adaware 6 I have this pet hate of malware, thinking I should charge them $$ for allowing them into my putter... them and spammers.

fairway
04-08-2004, 01:13 PM
Paulmnz,

I have my suspicions it may be something like a "virus in the wild" If you downloaded sygate you could use the dll authentication switch .. Do you guys have a love affair with zone alarm .. ? ( I think its days are numbered.)
The reason I suggested Avast Antivirus is also it has a top rating for these "wild viruses" and features not found anywhere else without a payment to be made.

These Tools are all Freeware ..

don't kick it till you've played with it ;-)

Please post the offending DLL file when you find it .. we are laying bets here//

yingxuan
04-08-2004, 01:23 PM
What's a reliable firewall? I heard magazine publishing zone alarm is the best or...?

Paulmnz
04-08-2004, 01:45 PM
> Paulmnz,
>
> I have my suspicions it may be something like a
> "virus in the wild" If you downloaded sygate you
> could use the dll authentication switch .. Do you
> guys have a love affair with zone alarm .. ? ( I
> think its days are numbered.)
> The reason I suggested Avast Antivirus is also it has
> a top rating for these "wild viruses" and features
> not found anywhere else without a payment to be made.
>
>
> These Tools are all Freeware ..
>
> don't kick it till you've played with it ;-)
>
> Please post the offending DLL file when you find it
> .. we are laying bets here//

This is what Zone Alarm lists as the DLL (it's Rundll32.exe)


Product name Microsoft® Windows® Operating System
File name C:\WINDOWS\System32\rundll32.exe
Policy Manually configured
Last policy update Not applicable
Version 5.1.2600.0 (xpclient.010817-1148)
Created date 24/08/2001
File size 31 KB

Murray P's link was useful too:
http://www.mvps.org/sramesh2k/rundll32.htm

Personally I don't like Zone Alarm - but it's available. *shrug*

fairway
04-08-2004, 01:46 PM
Here's a start for a fire wall if you want to build one ...

I look upon a firewall as a means to close down all unused ports of access(both ways) to my computer, when required, giving me detailed reports of data transfer, programs and aLL files using the ports and allow me to control all and any part of this exercise ..
Anything else is a bonus... like anti program hijacking, dll authentication, enable anti-MAC spoofing... ETC..
Most importantly make me coffee in the morning!

mikebartnz
04-08-2004, 01:50 PM
I'm not sure if Steve Gibson of grc.com has updated his site for a comparison of firewalls but Zonealarm came out tops and some were positively useless. You could even say dangerous because they gave people a false sense of security.

Paulmnz
04-08-2004, 01:53 PM
Okay a txt file print out of the following command line instruction

tasklist /m /fi "IMAGENAME eq rundll32.exe" >C:\rundll32.txt

Gives this output:

Image Name                   PID Modules
========================= ====== =============================================
rundll32.exe                1356 ntdll.dll, kernel32.dll, msvcrt.dll,
                                 GDI32.dll, USER32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, IMAGEHLP.dll, CnxTrApp.dll,
                                 comdlg32.dll, SHLWAPI.dll, COMCTL32.dll,
                                 SHELL32.dll, WINSPOOL.DRV, OLEAUT32.dll,
                                 OLE32.DLL, WININET.dll, CRYPT32.dll,
                                 MSASN1.dll, comctl32.dll, uxtheme.dll,
                                 Secur32.dll, wsock32.dll, WS2_32.dll,
                                 WS2HELP.dll, mswsock.dll, DNSAPI.dll,
                                 MSCTF.dll, iphlpapi.dll, winrnr.dll,
                                 WLDAP32.dll, sensapi.dll, RASAPI32.DLL,
                                 rasman.dll, NETAPI32.dll, TAPI32.dll,
                                 rtutils.dll, WINMM.dll, serwvdrv.dll,
                                 umdmxfrm.dll, USERENV.dll, urlmon.dll,
                                 VERSION.dll, wshtcpip.dll
rundll32.exe                1508 ntdll.dll, kernel32.dll, msvcrt.dll,
                                 GDI32.dll, USER32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, IMAGEHLP.dll, NvMcTray.dll,
                                 SHELL32.dll, SHLWAPI.dll, COMCTL32.dll,
                                 comctl32.dll, PSAPI.DLL, uxtheme.dll,
                                 MSCTF.dll
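
Added example, not part of the original thread or written by any poster: a Python triage of `tasklist /m` output like the listing above, reporting for each rundll32.exe PID which modules fall outside a baseline and whether networking DLLs are loaded. The BASELINE and NETWORK sets and the abridged SAMPLE are assumptions constructed for illustration, not an authoritative list of Windows modules.

```python
import re

# Assumption: illustrative subset of modules that ship with Windows XP and are
# expected in any rundll32.exe process. Not an authoritative allowlist.
BASELINE = {"ntdll.dll", "kernel32.dll", "msvcrt.dll", "gdi32.dll", "user32.dll",
            "advapi32.dll", "rpcrt4.dll", "shell32.dll", "shlwapi.dll",
            "comctl32.dll", "wininet.dll", "ws2_32.dll", "wsock32.dll",
            "rasapi32.dll", "psapi.dll", "uxtheme.dll", "msctf.dll"}
# Assumption: modules whose presence means the process can open connections.
NETWORK = {"wininet.dll", "ws2_32.dll", "wsock32.dll", "rasapi32.dll"}

# Constructed sample, abridged from the posted output; wrapped lines carry no PID.
SAMPLE = """\
Image Name                   PID Modules
========================= ====== =============================================
rundll32.exe                1356 ntdll.dll, kernel32.dll, msvcrt.dll,
                                 GDI32.dll, USER32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, CnxTrApp.dll, SHLWAPI.dll,
                                 WININET.dll, wsock32.dll, WS2_32.dll,
                                 RASAPI32.DLL
rundll32.exe                1508 ntdll.dll, kernel32.dll, msvcrt.dll,
                                 GDI32.dll, USER32.dll, NvMcTray.dll,
                                 SHELL32.dll, PSAPI.DLL, uxtheme.dll,
                                 MSCTF.dll
"""

ROW = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.*)$", re.IGNORECASE)

def parse_tasklist_modules(text):
    """Return {pid: [module, ...]}, joining the wrapped continuation lines."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = ROW.match(line)
        if m:  # first line of a process row: image name, PID, first modules
            current = int(m.group(2))
            procs[current] = []
            line = m.group(3)
        if current is None:
            continue
        procs[current] += [p.strip() for p in line.split(",") if p.strip()]
    return procs

def triage(text):
    """Per PID: modules outside BASELINE, and whether any NETWORK module is loaded."""
    report = {}
    for pid, mods in parse_tasklist_modules(text).items():
        lower = {m.lower() for m in mods}
        report[pid] = {
            "unfamiliar": sorted(m for m in mods if m.lower() not in BASELINE),
            "network_capable": bool(lower & NETWORK),
        }
    return report
```

The parser also accepts the flattened form of the listing, since continuation lines are recognised by the absence of an image name and PID rather than by indentation.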

fairway
04-08-2004, 06:17 PM
> I'm not sure if Steve Gibson of grc.com has updated
> his site for a comparison of firewalls but Zonealarm
> came out tops and some were positively useless. You
> could even say dangerous because they gave people a
> false sense of security.

I could say it is about you being in control of your computer (not the other way around) using trusted applications to serve their purpose.

Never before have I seen so many malicious attacks on computers, from virus wars to adware and spam. Now security even for a dial up modem is becoming commonplace, and so it should be, as these nasty people only want to spread their "bugs",read your information, at your expense! to boot.
I believe Steve Gibson is offering thoroughly tested software ... but it is up to us the users to determine what is best for the purpose we want.

I still believe spammers and people of that ilk should pay me ($$$) to send me spam, it would be so easy to set up, like having a "no junk mail" sign on your letter box at home .. but I digress.......

So .. in saying that ..A fire wall should basically give you control of ALL the traffic (data) in and out of your computer.

fairway
04-08-2004, 07:01 PM
I've passed it on to Suzy to look at ..
Better she does it than me... :D

fairway
04-08-2004, 07:36 PM
I got this message from her,

"bugger off and do your own homework"

with these url's

http://www.mvps.org/sramesh2k/rundll32.htm

http://www.mvps.org/sramesh2k/listproc.htm

I don't use xp .. Means little to me.

fairway
04-08-2004, 09:52 PM
CnxTrApp.dll >>>> it's an odd one?


http://www.windll.com/library-c_500.php