Strange network activity - rootkit?

[joydivision]

Had a computer with the usual fake AV messages and the internet was not working. Turns out it was being rerouted via proxy. I sorted that and got rid of the fake AV and other virus. MWB and MSE all say the system is 'clean'. I've tried GMER and TTDSKILLER and again nothing.

The problem is the wireless icon (at the right of the screen) is contantly lit up and its recieving quite a bit of data and it dosn't stop. It is also sending some but not as much as its recieving.

I've checked Netstat and stopped the legit services causing network activity but its still recieving data. Now netstat-b is not show any signs of network activity even though the WIFI is recieving lots of data continously.

Not sure where to go from here? Is their a legit reason for this which I am missing?

 

[Martyn]

Wireshark and check the traffic

 

[joydivision]

Just checking this now, been a long time since I have studied TCP/IP though so I don't understand it all. I don't have the comp in question here so I cannot run it on that.

I suppose I am just checking for the IP addresses and it will probably be obvious when I run it.

 

[vdub12]

Run TCPView also.

A few months ago I had a problem with BITS causing this.

 

[Martyn]

Just checking this now, been a long time since I have studied TCP/IP though so I don't understand it all. I don't have the comp in question here so I cannot run it on that.

I suppose I am just checking for the IP addresses and it will probably be obvious when I run it.

You're checking ip addresses and ports mainly. You can filter by various criteria. If there is a lot of activity it should stand out like a sore thumb.

 

[iisjman07]

There's nothing like windows update/bit torrent/limewire running? Does the mass data transfer still occur in Safe Mode (of course with networking...)?

 

[joydivision]

Not checked in safe mode, wouldn't a windows update download show in Netstat?

 

[Alan22]

Have you tried using Microsoft's Network Monitor on the network? You can capture the traffic and see what's happening on the network.

By the way, this is a perfect example of why I hate that Microsoft did away with the animated network icon.

 

[hondablaster]

Could it be a different PC on your subnet sending out constant broadcast or multicasting data?

http://www.comptechdoc.org/independent/networking/guide/netbroadcasting.html

look for addresses that end in *.*.*.255 in your wireshark.

Wireshark is probably a good idea.

 

[glricht]

By the way, this is a perfect example of why I hate that Microsoft did away with the animated network icon.

Check out Lan Lights http://www.paulmather.net/lanlight.asp. Works fine on Vista and Win 7.

 

[Alan22]

Check out Lan Lights http://www.paulmather.net/lanlight.asp. Works fine on Vista and Win 7.

Thanks, I'll check it out.

 

[snifferpro]

Run a wireshark trace and post the results.