A lot of internet activity

Guv · 2 Aug 2009 at 19:39

I've recently been noticing my internet bandwidth being maxed out for no apparent reason. It's affecting the upload only. No p2p or torrent software.

On my router running DD-WRT firmware I can see a pc has over 400 active connections, whereas the other computers have less than 20.

It would appear something on the PC with loads of connections is causing the problem.. but what? how can I find out?

I've run a program called wireshark.. but no idea what to do with it really, doesn't make much sense to me.

Any ideas?

PC is virus and spyware scanned regularly.

bods · 2 Aug 2009 at 20:11

Run tcpview on the PC and see what task is owning the connections:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Guv · 2 Aug 2009 at 20:19

bods said:
Run tcpview on the PC and see what task is owning the connections:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

This shows a total of 53 'endpoints'..
What do I need to be looking for?

Gavin · 2 Aug 2009 at 20:25

funny i had that on my buffalo router running that was so bad i went back to original firmware but browsing is still very slow with virgin 20mb whilst downloading is stable at 2mb/s

marc2003 · 2 Aug 2009 at 20:39

On my router running DD-WRT firmware I can see a pc has over 400 active connections

a pc? don't you know which one? are you running wireless? is it secure?

Guv · 2 Aug 2009 at 20:41

marc2003 said:
a pc? don't you know which one? are you running wireless? is it secure?

yep of course I can see which one, IP and MAC address so I know which one it is, hence I know it's always virus and spyware scanned.

Wireless is running, it's secure and currently there aren't any active wireless connections.

Skidilliplop · 3 Aug 2009 at 10:30

Not using something like blizzard for WoW or something is it. 400 connections is most likely one of two things, Bitorrent based file sourcing running in background or (and you hope it isn't) a botnet of some sort.

Guv · 3 Aug 2009 at 17:45

Skidilliplop said:
Not using something like blizzard for WoW or something is it. 400 connections is most likely one of two things, Bitorrent based file sourcing running in background or (and you hope it isn't) a botnet of some sort.

I don't have any games installed, so not blizzard or WoW. No torrents and no p2p software.

botnet, is that some sort of spyware?

pennywise · 3 Aug 2009 at 18:26

Skidilliplop said:
Not using something like blizzard for WoW or something is it. 400 connections is most likely one of two things, Bitorrent based file sourcing running in background or (and you hope it isn't) a botnet of some sort.

This is the first thing I thought of as well. You could try disconnecting the troublesome PC from the router and see what your upload bandwidth is like on your other machines, and in the meantime check your processes and see if there are any that you don't know running.

Oh, and basically, a botnet is where your PC is taken over and used in some sort of spamming/spyware ring. My understanding of it is that it's like folding@home, only the owners of the PCs affected aren't aware the software is running.

Guv · 3 Aug 2009 at 18:37

pennywise said:
This is the first thing I thought of as well. You could try disconnecting the troublesome PC from the router and see what your upload bandwidth is like on your other machines, and in the meantime check your processes and see if there are any that you don't know running.

Yep tried that as well. Before I noticed the number of connections I was disconnecting each PC 1 by 1 and also limiting upload/download speeds by MAC address to identify which PC was the problem.

Today the upload hasn't been too bad but the number of connections is still very high.

I've been through the processes and checked anything I wasn't sure about - all looks ok.

Thanks for all the suggestions.. keep them coming

bledd · 3 Aug 2009 at 19:15

run a full spyware check..

nod32
malware bytes antimalware

if it's still a problem, the install comodo firewall, and that'll ask you for each app

Skidilliplop · 4 Aug 2009 at 09:39

Just a thought, have you tried restarting the router? I remember a while back reading something about a belikin router that suffered some weird NAT issue where it didn't drop connections and left them open but idle. Though I think in that case they were all to the same known endpoints.

It might possibly be malfunctioning uPnP but again you'd expect multiple open connections to the same remote addresses. Could try disabling it anyway as it might inadvertently kill any inbound botnet connections as a temporary fix.
I would still do a full scan with as many AV/antispy apps as possible, treat these suggestions as "something to do while the scan is running".

Besides obviously making a cuppa and grabbing a biscuit.- The Industry Renound spyware troubleshooting must haves.

james201 · 4 Aug 2009 at 21:22

try malwarebytes to search, that program finds anything im sure,

http://www.malwarebytes.org/

ljt · 5 Aug 2009 at 12:08

I know this might sound stupid, but is 4oD or BBC iplayer installed on your PC? I noticed my upload being saturated after I'd installed this, as it loads in the background on startup and uploads whatever you've downloaded.