Comments on: Are applications contacting home? See what programs are using the internet without your knowledge

By: DonFG

DonFG — Tue, 10 May 2011 13:15:43 +0000

There are too many free programs that do this.

By: blue

blue — Mon, 31 May 2010 21:32:29 +0000

One wonders if #19 uses postcards for all his communication. Perhaps the reason to use security is the same reason that they invented envelopes.

By: leland

leland — Wed, 26 May 2010 00:27:00 +0000

Or use Process Hacker and look at the Network Tab. Or use System Explorer and look under Connections. Both work and are far easier for the average user. Enjoy.

By: alan

alan — Tue, 25 May 2010 21:19:59 +0000

@Locutus:
Last week 10% or 20% of the sites I went to were not there.
After my post on 23rd I found 70% were there with a following wind after several attempts
There were no 404 error messages – the DNS just failed to resolve names into IP addresses.
I vaguely remembered forthcoming DNS doom, and eventually found
“DNSSEC unlikely to break Internet on May 5″ – an article on
http://blogs.techrepublic.com.com/itdojo/?p=1713
Desperation, I unchecked the option to use the DNS provided by my ISP, and went elsewhere – and every site was back with me within a couple of minutes.

That I call A RESULT.
Pity it took me a couple of days to eventually get there.

I am now back, and can advise that THIS is the script to do the job.
I call the script NetStats.BAT
It holds a single line command, which is :-

start “USE Ctrl’C to terminate NETSTAT Logging and close this Window” cmd /c netstat -b 5 ^>activity.txt

You can use Windows Explorer to select that script, and drag/drop a short-cut link to
C:Documents and SettingsAll UsersStart MenuProgramsStartup
That will launch a CMD that rapidly disappears as it launches another CMD which runs netstat.exe and logs into activity.txt in the same folder as the script. This second CMD window reminds you to use Ctrl’C to terminate logging and close the Window. You can minimize the window to the task bar and it will continue logging until you bring it back to focus.
The official way to terminate is via use of Ctrl’C when focus is on its Window. Simply / accidentally closing the window by clicking the tiny X in the top right corner also seems to work for me -
but timing is everything.

I am filled with dread by the thought of killing the netstat.exe process whilst it is halfway through appending the next line of text to Activity.txt. This could corrupt / muddle the last few records in Activity.txt. It may well cause more Lost Clusters.

I remember Windows 98 refused to shutdown until I pulled the plug, and every morning it would blame me for not shutting down “PROPERLY”, and would tell me how many disc clusters I had lost ! !

Windows XP does not APPEAR to fall apart so badly, until you run CHKDSK ! !
Conclusion – Use Ctrl’C – anything else can injure your computer’s health

By: Sputnik

Sputnik — Tue, 25 May 2010 14:59:42 +0000

Thank you Locutus for this information !
Now I will be able to know if “ET wants to phone home” ! :-)

By: win7guru

win7guru — Tue, 25 May 2010 06:53:25 +0000

Don’t forget the shortcut to start CMD as Admin
Ctrl+Shift+Enter

By: JohnD

JohnD — Mon, 24 May 2010 17:48:23 +0000

@Locutus: @alan: @all - Thanks for the comments and advice. I particularly like the term "startup chaos" that alan used as this is the period that I am concerned about. I am not worried about the time after the software firewall kicks in, (I am currently using Online Armor but have used Comodo and Look & Stop in the recent past), but that period of seconds when the router lite shows a connection and the OS software gets started up and my protection programs are running. A lot can happen in these seconds in computer time. I key in on svchost because it will usually have unlimited access to the internet and so Many things use it for various purposes. Ports 80 and 8080 are another open avenue. I very seldom use IE, but CCleaner always finds cookies and such from IE, most I understand as programs like SuperAntiSpyware will use IE subliminally to do update checks but there is also usually a IE cookie for john@msn that I don't particularly like to see. I suppose the only true way to do this type of monitoring would be a hardware packet sniffer between the router and the computer, but that would be a little bit over the top for a home PC. This is a good topic, as we move so many of aspects of our personal lives onto the computer, such as financials, I would really like to know who is taking a "peek" at my PC and why. An apt headline from a Computerworld article today: "MSRT has scrubbed mutating Alureon rootkit from more than 360,000 Windows-based PCs since May 11"

By: OldElmerFudd

OldElmerFudd — Sun, 23 May 2010 21:22:08 +0000

@RobCr: I ran across this a couple of years ago. I don’t use it often – only five machines in my network – but it has quite a bit going for it. I use the free version (bottom of the page), and don’t recall a “pop-up” feature. Maybe the Pro version will do all you want. Take a look; it might work for you.
http://www.netlimiter.com/download.php

hth

By: alan

alan — Sun, 23 May 2010 19:46:29 +0000

@RobCr
Comodo Security is free and does what you want, and then some.
I use it for all my security needs.
I swear by it.
My son used to swear at it, because every time he ran a new application that wanted the Internet it would pause the connection until the user decided to Block or Permit. It also had a check box to remember (or not) this decision for any further attempt.
It is more docile now with WhiteLists
They have an active user forum at
http://forums.comodo.com/comodo-internet-security-cis-b125.0/

By: tejas

tejas — Sun, 23 May 2010 18:42:02 +0000

@RobCr: This may not be what you want, and unfortunately, it’s not free, but I use BWMeter http://www.desksoft.com/BWMeter.htm
It has a very simple firewall that asks for permission when something wants internet access, and doesn’t bug you about again, unless you remove that program from the Forbid/Allow lists.

By: RobCr

RobCr — Sun, 23 May 2010 17:01:43 +0000

I have been through the 53 comments on that link I posted. Not much Joy there.

What I would like (and perhaps Josh ?), is a nice simple program, which monitors your outgoing Internet traffic, and pops up, when there is out going traffic.
And so that we are not overwhelmed with a plethora of detail, there be two options -
- Hide all safe traffic (Stuff the Developer knows is usual)
- When some traffic appears, it can be told – ‘Never show that one again’

Surely, someone has developed that ?

By: chinaguy

chinaguy — Sun, 23 May 2010 14:31:32 +0000

Glad to help Locutus. Goodness knows I get enough help from you guys. Nice to be able to give a little back.

By: Doru

Doru — Sun, 23 May 2010 14:26:16 +0000

Click on Zum download and next.Download will have program and license.Instal program .After that,click right on license and make to open only with Jv 16(exe) who is install in Program files….Next open the program and go to:Help>Licence information>Install new license and select file:license.Next close and close the program.Open again and will be registered.If you don’t know how to download go to:Techno360.

By: Doru

Doru — Sun, 23 May 2010 14:18:05 +0000

http://www.chip.de/downloads/Vollversion-jv16-PowerTools-2009_42960945.html

By: Josh

Josh — Sun, 23 May 2010 12:20:55 +0000

Some listed items are as mysterious as the hundreds of CLSID/892598319…. entries that appear in registry cleaners. Without knowledge/research/time/courage, it could be more dangerous to tinker with it than leaving the listed items intact. Will be so good if people could write programs that not only report these things, but also, at least, point you in the right direction to find out what the entries mean. Without that, it’s too daunting for John Does like me. Thank you to those who added some insight with their comments!

By: RobCr

RobCr — Sun, 23 May 2010 12:08:59 +0000

I am a bit tied up at the moment.
Someone running one of my Data Base programs, has switched to Windows 7 (New PC), and is trying to use that instead of a server. So I am experimenting, and debugging.

I took time out, to have a quick check of the NirSoft web site, in case he had a GUI program for monitoring the internet.
My browse of his site did not appear to have exactly what we want.
However I came across this web page, where someone was seeking a program (see who is calling home).
http://ask-leo.com/how_can_i_tell_what_internet_activity_is_happening_on_my_machine.html
The author mentions use of a NirSoft program, and another program.
Also there are 53 comments, that I have not read yet.
Perhaps someone may care to study the page in more detail, and also check if one of the 53 comments, points us to something simple, and effective.

Rob

By: jevvv

jevvv — Sun, 23 May 2010 09:39:29 +0000

Some of the progs are ones that start automatically on startup.

To stop those you can run msconfig (Win98, XP and Vista) choose the Startup tab, then look down the list of which items are checked to load on startup. If you are unsure then look them up online.
If there is something you don’t want to load on startup then uncheck it, click the apply button, then ok. (make sure it is something ok to not load!)
Now restart your computer and they will no longer load on startup.

By: Locutus

Locutus — Sun, 23 May 2010 08:52:39 +0000

@alan: Keep me updated! Sounds like a great startup routine.

By: alan

alan — Sun, 23 May 2010 08:32:31 +0000

Nothing happened in first two minutes after I logged in -
except my start-up script did not continue with its activities until netstat received the Ctrl’C to terminate.
I am now creating a seperate script to simultaneously launch at from the startup folder. This will hold the single line
netstat -b 5 > activity.txt.

By: OldElmerFudd

OldElmerFudd — Sun, 23 May 2010 05:49:33 +0000

@Locutus: Just to add, I use Online Armor Pro on all my machines. I have to give permission for applications I install to call out. Processes like svchost.exe haven't shown up in any of my activity reports.

By: OldElmerFudd

OldElmerFudd — Sun, 23 May 2010 05:42:42 +0000

@Locutus: I take the activity text file and and highlight part of an unfamiliar line, such as: "TCP xxxxxx-a9f6040:2619 174.36.30.18-static.reverse.softlayer.com:http ESTABLISHED 636" (x's replace identifier) A little digging with a whois search took me through enough twists to find that Dropbox uses Softlayer's servers. Google was a simple whois lookup using the nuq04s01-in-f191.1e100.net section of the line.

By: Locutus

Locutus — Sun, 23 May 2010 05:01:08 +0000

@Doru: Well this is also good for seeing if that new program you're trying out "AntiSoft GetRiddaBadware" is phoning home.

By: Doru

Doru — Sun, 23 May 2010 04:43:33 +0000

In general are:browsers,antivirus and programs who use your webcam like:Skype,messenger.Also Google Talk .But all this programs are open when you open computer.I think that this is normal.If you afraid for example that Skype will record your camera,without your approval,rotate your webcam on the wall when you not use it and you solve the problem.Google Talk-what can do against my persson?I’m not a terrorist,i’m not a thief or burglar ,anarchist or criminal.So i don’t care.

By: Locutus

Locutus — Sun, 23 May 2010 00:28:20 +0000

@chinaguy: Thanks for that. I've updated the article!

@jumbi: This is great especially for people who use Windows Firewall (it's fine, people, it's fine.) like me!

By: jumbi

jumbi — Sun, 23 May 2010 00:24:15 +0000

very good article!
a nice firewall would easily help doing that, but great when you need to check that without installing other software.

By: chinaguy

chinaguy — Sat, 22 May 2010 23:49:26 +0000

An update: I ran the command from the run box and it did result in what happened to Emrys. The command prompt showed up, showed a whole bunch of stuff that nobody could possibly read because of the short duration it was open and then shut down almost instantaneously. If that is what happened to you Emrys, it seems to be from your description above, then just be sure you run the command prompt and then paste in the instructions Locutus gave rather than pasting them into the run box. That is the only way this will work.

By: chinaguy

chinaguy — Sat, 22 May 2010 23:42:41 +0000

@Emrys: I think your problem Emrys was that you did not paste the command into the command prompt but into the run box instead. Be sure you follow the instructions above to the letter including typing cmd into the run box and hitting enter. Do not paste the command: netstat -b 5 > activity.txt into the run box as that will result in the command running and then the command prompt promptly exiting after it has run. I have made the same mistake before. There was no mistake in the instructions but they need to be followed to the letter. If it doesn't work after you try this post back and we, probably others who are better with computers than me, will help you. @Locutus: You did not make a mistake. The instructions were correct but Emrys just missed a step in the instructions. I have made the same mistake before. Very easy to do. When command prompt runs and then shuts down without letting you see what is going on it is usually because the command to be run was put into the run box not the command prompt. I will try it on the xp machine but am pretty sure that you made no errors.

By: Locutus

Locutus — Sat, 22 May 2010 23:18:03 +0000

@OldElmerFudd: Nice! Say, how do you trace those back?

@Marco: Where does it say that they are going (the "foreign address" column")?

By: Marco

Marco — Sat, 22 May 2010 21:21:23 +0000

I checked just for fun and found Chrome and Avast and that’s ok but I also found O&O Clever Cache files (ooccctrl.exe and ooccag.exe) that seem to be phoning quite often, I don’t know where? Why would a memory & cache optimization software need to access the Network so often????

By: alan

alan — Sat, 22 May 2010 20:42:04 +0000

@John
I already have a script which runs at start-up following my password.
It can also be accessed via
Start / All Programs / Startup / Mystart.BAT
I used that access route and right click to edit the script and add the magic bit.

Please try “Netstat /?”
That describes many options, and suggests to me that if svchost should be identified as a culprit, then Netstat will also show what asked svchost to do that.
Finally, nothing will go out during the boot process if you are not connected to the internet – e.g. if you have dial-up modem which does not issue the password till you log in. If however you have an “always on” broadband connection there could be a few dangerous seconds.
I do not worry about my dangerous seconds because I am confident that Comoodo will block svchost unless it is working for an approved executable.

At 19:52:19 “C:pagefile.sys” had a modified time-stamp as XP came out of BIOS
At 19:52:32 the event log shows I submitted my password for log-on.
I admit 13 seconds is an unlucky number, but I will keep my fingers crossed ! !
I think if something bad happened in that 13 seconds I would be more concerned that a Rootkit had seized control.

This seems to be the most popular article I have ever seen.
I started this after seeing post 6 – now it is post 11 and advancing.

By: ha14

ha14 — Sat, 22 May 2010 20:37:57 +0000

Hi, Thanks for this review I read similar article on http://www.techishare.com/blog/softwares/whats-my-computer-doing/ I used it to find it worms were connection to internet and sending infos without my knowledge.

By: haakon

haakon — Sat, 22 May 2010 20:33:58 +0000

Great article- and thanks a lot!!!
————–
”Gil”: I do not know if this freebie is still there to have.
http://dottech.org/headline/7292#
I DID use the CMD and found lots of “connections” I did not recognize.
THEN I remebered I had the Anvir app and use THAT instead.
More or less detailed descriptions of what the “connecting” apps was and more. Also very easy to disable or remove them.
I have more often than not removed ….”too much” :-)
The Anvir IS a great help when you dont know what to do

By: OldElmerFudd

OldElmerFudd — Sat, 22 May 2010 20:25:38 +0000

This is a nice CLI tool that I started using with Windows XP. It’s a good idea to let the command prompt run for a couple of minutes to get all the information properly. Usually, the text document you create will contain the usual suspects (bg), your browser, AV, email client, whatever web-based apps – Dropbox, for instance – you have open. There’s likely to be a group of listings that look less familiar. In those instances where you’re not sure what something is, copy and paste into a browser search to find out. On this box, nuq04s01-in-f191.1e100.net is Google.com. 174.36.30.18-static.reverse.softlayer.com is Dropbox’s server, and so on.

By: Locutus

Locutus — Sat, 22 May 2010 20:19:17 +0000

@Gil: There are ways-easy ways-but due to having to leave in about 30 seconds, can't share them right now. Maybe when I get back?

Also, "To summarize, you are allowed to reprint dotTech.org owned content if the content is used for a noncommercial purpose and you provide attribution to dotTech.org in a clear and proper manner; for more detailed information please check out CreativeCommons.org."

By: Locutus

Locutus — Sat, 22 May 2010 19:56:09 +0000

@alan: Glad to hear it worked out for you! @JohnD: I guess you could add it to startup like alan, but it'l only show things that happen after it starts up too.