Do you think this weird network activity is caused by a virus?

I have a D-Link wireless router with a couple computers attached to it
to access the internet.  When I log into the router's configuration
web pages, there's a page called "Internet Sessions" that displays the
full details of active sessions to your router.  Sometimes there are
only a handful of sessions, but sometimes there are over one hundred.
We have two computers using the router right now: my laptop
(192.168.0.201) and my wife's laptop (192.168.0.200).  Almost all the
sessions are from her laptop, and she's not even using it.  I am
including a copy of the sessions list below.  Do you think that means
there's probably some sort of malware on her laptop?  The sessions are
attaching to IP addresses that I don't recognize when I look them up
with a whois lookup.  I have AVG anti-virus and did a full scan
without finding anything. I did a full scan with Malwarebytes without
finding anything.  Is there a way to find out what process on the
computer is creating all these sessions?  All of the sessions have an
"out" direction, which I think means they were started by something on
the computer.

thanks in advance,
John

session list:

Local IP            Internet IP         Protocol

Re: Do you think this weird network activity is caused by a virus?


| I have a D-Link wireless router with a couple computers attached to it
| to access the internet.  When I log into the router's configuration
| web pages, there's a page called "Internet Sessions" that displays the
| full details of active sessions to your router.  Sometimes there are
| only a handful of sessions, but sometimes there are over one hundred.
| We have two computers using the router right now: my laptop
| (192.168.0.201) and my wife's laptop (192.168.0.200).  Almost all the
| sessions are from her laptop, and she’s not even using it.  I am
| including a copy of the sessions list below.  Do you think that means
| there’s probably some sort of malware on her laptop?  The sessions are
| attaching to IP addresses that I don't recognize when I look them up
| with a whois lookup.  I have AVG anti-virus and did a full scan
| without finding anything. I did a full scan with Malwarebytes without
| finding anything.  Is there a way to find out what process on the
| computer is creating all these sessions?  All of the sessions have an
| "out" direction, which I think means they were started by something on
| the computer.

| thanks in advance,
| John

Totally suspicious activity.  It is NOT good for a Richmond Va., PoP, Comcast Business
account to perform UDP to Russia, Bulgaria, Brazil, etc.

You were able to show protocols but what is the application doing the
communication ?

I don't know but I would consider that notebook COMPROMISED as well as the data
on it and accounts used.

That notebook needs to be taken Offline ASAP.

Remove the hard disk from the notebook and use a surrogate PC to scan the
notebook's hard disk.

Actually, I think you should back up all pertinent data from that hard disk and
wipe the drive and then re-install the OS of choice from scratch or image.  You should
also consider changing passwords and checking all accounts accessed from that
notebook.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think this weird network activity is caused by a virus?

On 21/10/2010 11:42, Big Daddy wrote:

The computer is almost certainly zombified. This is not detected by AVG,
but may be detectable by MBAM's Anti-Malware, and/or Search and Destroy,
and/or Super-Anti-Spyware. OTOH, zombie programs are very good at hiding
themselves.

I would copy personal data onto DVD and/or USB stick(s), then wipe and
reinstall Windows.

HTH
wolf k.



Re: Do you think this weird network activity is caused by a virus?


Looks likely to be a p2p program, such as bittorrent.  Find out which
program is using udp port 51983.  Open a command prompt window, and run
"netstat -ano", to find out the program id number (PID), and then check
in the task manager, to find out which program is using that PID.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
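As an added example (not code from anyone in this thread), here is the netstat step above in script form: it parses a constructed router "Internet Sessions" table and a constructed `netstat -ano` listing, finds the local port that accounts for the most sessions, and returns the PID that owns that socket. The session rows, remote addresses and PIDs are made up for the example.

```python
import re
from collections import Counter

# Constructed router rows in the D-Link "Internet Sessions" layout. The two local
# hosts are the ones from the thread; remote peers use RFC 5737 documentation ranges.
ROUTER_SESSIONS = """\
Local IP            Internet IP         Protocol
192.168.0.200:51983    203.0.113.7:32448    UDP
192.168.0.200:51983    198.51.100.42:12221    UDP
192.168.0.200:2759    203.0.113.200:443    TCP
192.168.0.200:51983    192.0.2.19:56665    UDP
192.168.0.201:2665    198.51.100.9:443    TCP
192.168.0.200:51983    203.0.113.88:47694    UDP
192.168.0.200:    239.255.255.250:    IGMP
"""
# Constructed `netstat -ano` output from 192.168.0.200 (Windows column layout);
# the PIDs are made up for the example.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.200:2759     203.0.113.200:443      ESTABLISHED     3120
  UDP    0.0.0.0:51983          *:*                                    2856
  UDP    192.168.0.200:137      *:*                                    4
"""
SESSION_RE = re.compile(r"^(\S+?):(\d*)\s+(\S+?):(\d*)\s+(\S+)$")

def count_sessions_by_local_port(router_text):
    """Count sessions per (local IP, protocol, local port). Rows with no port
    (ICMP/IGMP) are skipped because they cannot be tied to a socket."""
    counts = Counter()
    for line in router_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m and m.group(2):
            counts[(m.group(1), m.group(5), int(m.group(2)))] += 1
    return counts

def parse_netstat_ano(netstat_text):
    """Map (protocol, local port) -> PID. The PID is always the last column;
    UDP rows have no State value, so take the last token rather than a fixed index."""
    owners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            port = int(parts[1].rsplit(":", 1)[1])
            owners[(parts[0], port)] = int(parts[-1])
    return owners

def find_busiest_port_owner(router_text, netstat_text):
    """Return (local_ip, proto, port, session_count, pid) for the local port with the
    most router sessions; pid is None if netstat shows no socket bound to it."""
    counts = count_sessions_by_local_port(router_text)
    (ip, proto, port), n = counts.most_common(1)[0]
    pid = parse_netstat_ano(netstat_text).get((proto, port))
    return ip, proto, port, n, pid

if __name__ == "__main__":
    ip, proto, port, n, pid = find_busiest_port_owner(ROUTER_SESSIONS, NETSTAT_ANO)
    print(f"{n} sessions from {ip} {proto}/{port}; owning PID {pid} (check it in Task Manager)")
```

The returned PID is what you then look up in Task Manager (or with `tasklist /fi "PID eq <pid>"`) to name the program.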

Re: Do you think this weird network activity is caused by a virus?

"Big Daddy" wrote:

Do you have Skype installed?

Quite possibly.

computer is creating all these sessions?

Process Explorer from sysinternals.com (should redirect to Microsoft
who now own it).



Re: Do you think this weird network activity is caused by a virus?


| "Big Daddy" wrote:

| Do you have Skype installed?

| Quite possibly.

| computer is creating all these sessions?

| Process Explorer from sysinternals.com (should redirect to Microsoft
| who now own it).


Also TCPView such that one can see what fully qualified executable is
communicating on the Internet.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think this weird network activity is caused by a virus?

"David H. Lipman" wrote:

That's easier than Process Explorer and a little more "user friendly"
(for some value of "user") than netstat. I dunno why I didn't mention
Tcpview because I use it often!

He really should look at what's sending UDP packets before jumping to
the conclusion it's malware.



Re: Do you think this weird network activity is caused by a virus?


| "David H. Lipman" wrote:

| That's easier than Process Explorer and a little more "user friendly"
| (for some value of "user") than netstat. I dunno why I didn't mention
| Tcpview because I use it often!

| He really should look at what's sending UDP packets before jumping to
| the conclusion it's malware.

I agree to that but to do so he'd be connected to the Internet and if
compromised then there is the chance of even greater data exfiltration.


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think this weird network activity is caused by a virus?

I have a D-Link wireless router with a couple computers attached to it
to access the internet.  When I log into the router's configuration
web pages, there's a page called "Internet Sessions" that displays the
full details of active sessions to your router.  Sometimes there are
only a handful of sessions, but sometimes there are over one hundred.
We have two computers using the router right now: my laptop
(192.168.0.201) and my wife's laptop (192.168.0.200).  Almost all the
sessions are from her laptop, and she’s not even using it.  I am
including a copy of the sessions list below.  Do you think that means
there’s probably some sort of malware on her laptop?  The sessions are
attaching to IP addresses that I don't recognize when I look them up
with a whois lookup.  I have AVG anti-virus and did a full scan
without finding anything. I did a full scan with Malwarebytes without
finding anything.  Is there a way to find out what process on the
computer is creating all these sessions?  All of the sessions have an
"out" direction, which I think means they were started by something on
the computer.

[...]

***
Not a virus, but you may have a malicious bot trying to communicate with
other bots on other hosts or trying to reach sites they have set up for
downloading and executing additional malware.

Very bad!

AVG and MBAM may be missing it because it might be hidden by a
"rootkit". I would suggest GMER as a rootkit detector, but as others
have suggested, you are probably better off with the "flatten and
rebuild" method.
***



Re: Do you think this weird network activity is caused by a virus?

On 10/21/2010 10:42 AM, Big Daddy wrote:

<http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html>

You can't trust the computer anymore format the HD.

<http://technet.microsoft.com/en-us/library/cc512587.aspx>



Re: Do you think this weird network activity is caused by a virus?

I have figured out the culprit: skype.  One user that responded to my
OP asked if I am running Skype. It seemed like almost all the strange
sessions were using port 51983.  I used TCPView, which for some reason
didn't list most of the IP sessions that my router was reporting.
However, it did show that the only program using port 51983 was
Skype.  I closed Skype, which I usually just leave running in the
background, and the suspicious IP sessions stopped. Then I looked
around the internet and found out why Skype does this.  Here are some
pages, in case you are interested in reading about it (the first one
you have to scroll halfway down the page):

http://www.skype.com/intl/en-us/security/universities/

http://forum.skype.com/index.php?showtopic=18401

http://forum.skype.com/index.php?showtopic=660523&view=&hl=supernode&fromsearch=1

BTW, another network analyzer tool I saw recommended in my searches
(besides TCPView) is Wireshark.

Thank you, everyone, for your suggestions and responses.
John

Re: Do you think this weird network activity is caused by a virus?


| I have figured out the culprit: skype.  One user that responded to my
| OP asked if I am running Skype. It seemed like almost all the strange
| sessions were using port 51983.  I used TCPView, which for some reason
| didn't list most of the IP sessions that my router was reporting.
| However, it did show that the only program using port 51983 was
| Skype.  I closed Skype, which I usually just leave running in the
| background, and the suspicious IP sessions stopped. Then I looked
| around the internet and found out why Skype does this.  Here are some
| pages, in case you are interested in reading about it (the first one
| you have to scroll halfway down the page):

| http://www.skype.com/intl/en-us/security/universities/

| http://forum.skype.com/index.php?showtopic=18401

| http://forum.skype.com/index.php?showtopic=660523&view=&hl=supernode&fromsearch=1

| BTW, another network analyzer tool I saw recommended in my searches
| (besides TCPView) is Wireshark.

| Thank you, everyone, for your suggestions and responses.
| John

I am certainly glad it wasn't nefarious activity!

{ whew }

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think this weird network activity is caused by a virus?


Glad you got it sorted out, but I'm wondering why so much network egress
activity when "she's not even using it".

I'm reminded of the Kazaa 'incoming' traffic that people with personal
firewall applications were often inquiring about - I'm guessing Skype
also uses your computer in some way similar to when one agreed to be a
supernode in Kazaa.



Re: Do you think this weird network activity is caused by a virus?



| Glad you got it sorted out, but I'm wondering why so much network egress
| activity when "she's not even using it".

| I'm reminded of the Kazaa 'incoming' traffic that people with personal
| firewall applications were often inquiring about - I'm guessing Skype
| also uses your computer in some way similar to when one agreed to be a
| supernode in Kazaa.


Skype is considered a P2P app.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think this weird network activity is caused by a virus?

I guess I should look into it. From what the OP has said, it seems it is
a distributed computing application (a non-malicious bot) - even when
you are not actively using it, it consumes your computing power for the
good of the application (of course, with your tacit approval).



Re: Do you think this weird network activity is caused by a virus?




| I guess I should look into it. From what the OP has said, it seems it is
| a distributed computing application (a non-malicious bot) - even when
| you are not actively using it, it consumes your computing power for the
| good of the application (of course, with your tacit approval).


Yepper.

I have to admit, I didn't even think of it as being the causative factor in this scenario.
I have to admit...

I was wrong.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think this weird network activity is caused by a virus?

Yes, Skype will do this, as I posted here a few months ago.

But the funny thing is:  Skype and a real virus have a lot of
characteristics in common, LOL.  So you always have to be on your
toes.

RL
