Packet spewing laptop

[racingboy532]

I am futzing with a Gateway laptop using XPhome SP2. As soon as you plug the thing in to a LAN connection, it seems like it spews packets like no tomorrow. The packets sent under the LAN status goes from 0 to 25 million + in a few seconds and keeps climbing at an exponential rate. It doesn't seem to consume much in the way of CPU resources or even network resources...although I can't browse anywhere with it. I have updated the definitions and scanned for viruses (Norton 2004), scanned with Spybot, Ad Aware, TDS-3, Trojan Hunter and tried MS's detection tool. I tried resetting the Winsock and checked some known ports for IRC-type connections. The problem is rather stubborn, can't say I've ever seen something like this before....

I have yet to try MS's Antispyware tool or Hijack This. Any other ideas before I try these tools?

 

[racingboy532]

Anybody?

 

[DJ-CHRIS]

Run a packet sniffer and see what it's sending

Ethereal is a good one

 

[racingboy532]

I was thinking about it...

I ran Ethereal against the machine last night, along with two other AV programs and Trojan Hunter. The latter revealed nothing, nada, zip.
I have the captures from Ethereal but I am not so sure I understand what I am seeing. I assume the capture is a sampling of what is sent...

Over the course of 45 seconds or so, the laptop spews 448 million+ packets. Ethereal reports 94% are UDP packets.

Anyone have some ideas of what I should try next?

 

[The_Urge]

Sounds like a spyware or hijacker issue.

 

[Inaris]

this is on your home machine on a broadband connection right?
might I suggest that you use procXp from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml .
That will enable you to find the process using the network. it's pretty easy.

Good luck

 

[racingboy532]

The_Urge,
Please re-read the post...

Inaris,
The problem is on a co-wrokers personal laptop. It is located on a cable connection. I am at a loss regarding how the machine was compromised as it's using two firewalls, AV, SpywareBlaster, Spybot and AdAware and the owner claims innocence (of course)...I did not see any errant processes or services, at least using Blackviper's XP service guide.

I will check into the sysinternals tool tonight. Thanks for the help and response.

 

[Crysalis]

I know you said you did these scans, but it sounds like spyware problems. Make sure spybot is updated to version 1.3 The old version (1.2) is no longer supported/updated. Also, spyware blaster has a new version as well... be sure to update that too. SpywareBlaster does not automatically update itself unless you buy it... you have to manually update and install the new def's.

Also, try installing MS antispyware. It works very well as it also scans memory processes.

 

[racingboy532]

Crysalis,

I am using Spybot 1.3 and SpywareBlaster v3.3. All the tools I have used were updated in the last week...I know this sounds like a spyware problem or some kind of Trojan and it has been quite frustrating...I have yet to try MS antispyware.

I am beginning to suspect there is some kind of OS or strange NIC problem.

 

[dexta182]

The NIC may be buggered in doing so broadcasting packets onto the network. One thing you may try if already havent is to disable the 1st Nic and use a PCMCIA NIC and see if you are having the same issue, if not then the NIC is faulty. As suggested run Virus scans and spy wear scans.