Query about monitoring internet traffic

[Grasshopper]

One of the computers at home seems to be infected with a virus. I know this because the internet is being accessed almost continuously even when Firefox and Internet Explorer are not loaded. The virus is not detected by Spybot or Adaware.

I'm reluctant to completely re-install XP at this point. And in any case, even if I do, there's no guarantee that I won't catch the virus again.

The traffic appears to be mostly outgoing and I'd like to know where the data is being sent. It occurs to me that the machine might have been hijacked to produce spam email. Does anyone know of a (preferably free) program that can log all ingoing and outgoing internet traffic? Alternatively, does Windows already offer this facility? I'm using XP.

If I could find out where the data is being sent then that would make it easier to google for a fix. Also, as a temporary measure, I could simply block all outgoing traffic to that address using my router.

Thanks in advance.

[patrickl]

I guess you could try Ethereal for Windows. I tried it once a long time ago. Personally I use tcpdump for FreeBSD/Linux.

Are Spybot or Adaware virus scanners? I though they were spyware detectors. Maybe you should try a virus scanner like Kaspersky.

[leapinlew]

You could open a command prompt and type "netstat".

There are some decent switches with netstat you can checkout with the /? option. (I would think /b and /a)

The other option I can think of is to install a software based firewall like blackice.

[EwJ]

open command prompt - type 'netstat -ano'.
you will see all connections and ip addy's (as well as process id's).

to see which process has the connections open, type 'tasklist'.
you will see which process has the connection open under 'image name'.
if it is not a recognized process, investigate it further.

you could put the ip addy(s) into ARIN to see where you're connecting to.

you could also do a ctrl-alt-del, and utilize the task manager to see what processes are running.
It is a good idea to investigate any suspicious processes. use your favorite search engine for all the ones you don't recognize.

you could also get a packet sniffer and see what the data is that is going out.

above all, a software firewall will block any connections that you don't allow. (zonealarm, comodo,etc)
also, a virus scanner might be a good idea (avg is free, and if you don't want it running all the time, you can disable it in your OS services, etc until you want to run it).

[Jess--]

have a look at the freeware app "Active Ports"

it will show Ip address being connected to, Process making the connection and the exact filename of the process.

it also gives you the ability to kill any process even if windows has it tagges as an essential service

[vornar]

What about a free anti-virus program?

Download AVG free and scan your hard drive to see if there is a virus present.

[RayB]

No anti-virus?! no firewall?!? That's just nuts.
Get ZoneAlarm. You can BLOCK all outgoing that isn't permitted, AND it will tell you what app is trying to connect.

[abrannan]

open command prompt - type 'netstat -ano'.
you will see all connections and ip addy's (as well as process id's).

to see which process has the connections open, type 'tasklist'.
you will see which process has the connection open under 'image name'.
if it is not a recognized process, investigate it further.

Netstat -b will do this without the extra legwork.  It'll map the processes to the ports that are open.

And I'm going to agree with RayB, No firewall and no AV?  You're insane. 

Regardless of whether or not AVG turns anything up, you should download Zonealarm and AVG (or even avast) to a USB drive, reinstall XP (With your system disconnected from the network), install Zonealarm and AV, connect to the internet, patch, reboot, patch, reboot, patch, reboot.  Then go and change every password on every sensitive site you ever may have logged into (it's likely that a keylogger was also installed as a part of the rootkit).


In short, dust off, and nuke the site from space.  It's the only way to be sure.

[Texasmame]

No anti-virus?! no firewall?!? That's just nuts.
Get ZoneAlarm. You can BLOCK all outgoing that isn't permitted, AND it will tell you what app is trying to connect.

Strongly seconded on ZoneAlarm.