Hacked or not hacked?

Discussion in 'Hardware' started by techytalky, Feb 27, 2012.

  1. techytalky

    techytalky Private E-2

    I have a weird feeling some abnormal things are happening to my PC. Weird restarts. Weird blue screens. Tried a lot of antivirus. Tried Windows Firewall.

    Finally, I recently installed a network intrusion detection system, Sax2. I thought Sax2 (free version) was going to be easy, but I could not make anything out of the statistics. The only thing I found out was that it had what is called a traffic curve, and it was showing that traffic was active even when I was not browsing. I even tried closing my browser, but the graph still showed traffic of a few bytes/second every few minutes, though not at regular intervals.

    I checked my broadband connection activity and I found it was sending out something like 10 bytes or so at irregular intervals.

    Questions:
    1. Is it normal for a PC to send out a few bytes even when the browser is closed and no program is being manually used?

    2. How can I use the Sax2 software to find out if I am being hacked into?

    3. Is there any way to know if a program I am using is actually also doing spy work?

    4. Can you name an easy-to-use anti-hacking software?
     
  2. kipfeet

    kipfeet Corporal

    Greetings, techytalky,

    I'll take a stab at answering your first question. The long-winded elaboration is absolutely free!....hah

    Whether a browser is open or not, many legitimate programs call home (without using a browser) to check for software updates, etc., so yes, at some time or another one might see periods of activity in and out even if you're not actively doing anything. Whenever I think something suspicious may be going on I monitor my computer's traffic using TCPView, which you can get here at MG: http://majorgeeks.com/Microsoft_Sysinternals_TCPView_d599.html

    TCPView is very easy to use and shows surprising amounts of traffic by various programs, including Windows programs. It also shows (among other things) the remote IP addresses being contacted. If an address seems suspicious, you can sleuth it out using whois and other internet tools.

    As a test to investigate your question and refresh my memory, I disabled internet, rebooted, and before doing anything else ran TCPView. With internet disabled obviously nothing was going to get in or out. I enabled internet and immediately saw activity (several svchost.exe processes opened, and my AV called home to see if there were updates). Then I opened the Local Area Connection Status (Windows program) to monitor the number of packets being sent and received. After an initial flurry of activity after enabling internet it settled down and didn't show much packet traffic. I then just watched things for a while and yes, indeed, even when no conventional programs were being used I very occasionally saw a packet or two go out, followed by a packet or two being returned or the reverse (I think this may be chatter between my computer and my ISP just to maintain the connection, kind of like saying "can you hear me now?").

    I suggest you do what I did and see what your system is up to. With the Status window you can see the packet traffic and with TCPView you can see who is calling out and where it's going.

    After you get a feel for what may be "normal" with Status and TCPView, and to make things a lot more interesting, start opening up programs. Even seemingly innocuous things like pressing the F1 key to activate Help and Support Center elicit a call home. Starting Media Player will do the same. Some programs will call home once; others may do it repeatedly. Open a browser and watch what happens in TCPView (a lot of browsers will check for version updates upon being opened), and when you're actively using the browser it's astonishing how many connections come and go. Don't forget any scheduled tasks, too. If you have GoogleUpdate or similar in your Tasks it will become active at the scheduled time and show activity even if your computer is on but you're not doing anything. There are a lot of reasons that packets could be going out legitimately. I found TCPView to be very enlightening for understanding TCP traffic.

    There's also a program called Wireshark which I haven't yet investigated ( http://majorgeeks.com/Wireshark_d4449.html ), but I imagine that it's similar to a more sophisticated version of the free TCPView (different authors, though). You may want to take a look at that, too, and explore its capabilities. It's touted for checking the security of networks, among other things.

    Sorry, I know nothing about Sax2, and I don't know how you can confirm if you're being hacked, or if a program is spying on you, but I think Wireshark can help you with some things if TCPView doesn't.

    Finally, and if you're uncertain about viruses being or not being on your computer, I suggest going through the processes in the Run and Read Me sticky in the Malware-Removal Forum. If those procedures reveal anything suspicious, start a new post there and provide the information requested by the sticky.

    Hope this helps you a little. Good luck.
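    kipfeet's "learn what is normal first, then compare" approach, written out as an added example that is not from the thread: a Python script that parses two `netstat -ano` snapshots (the Windows command-line equivalent of what TCPView shows) and lists remote endpoints that appear only in the later one. The snapshots and the PID-to-process map standing in for `tasklist` are constructed sample data, not from anyone's machine.

    ```python
    import ipaddress
    import re

    # Constructed `netstat -ano` output for the quiet "baseline" period (not real captures).
    BASELINE = """
      Proto  Local Address          Foreign Address        State           PID
      TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4212
      TCP    192.168.1.10:49715     203.0.113.20:80        TIME_WAIT       0
      TCP    127.0.0.1:49680        127.0.0.1:49681        ESTABLISHED     1104
      UDP    0.0.0.0:5353           *:*                                    1512
    """
    # Constructed snapshot taken later, while the machine was supposedly idle.
    LATER = """
      Proto  Local Address          Foreign Address        State           PID
      TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4212
      TCP    192.168.1.10:49901     198.51.100.77:6667     ESTABLISHED     3080
      TCP    192.168.1.10:49910     192.168.1.1:53         ESTABLISHED     1512
    """
    # Constructed PID -> image name map, as `tasklist` would report it at snapshot time.
    PIDS = {0: "System Idle", 1104: "svchost.exe", 1512: "svchost.exe",
            3080: "updater.exe", 4212: "chrome.exe"}

    # Proto, local, foreign, optional State (UDP rows have none), PID.
    LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
    # Peers on these ranges are the LAN, loopback or link-local, not "calls home".
    LOCAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16")]

    def parse(netstat_text):
        """Return the set of (process, remote_ip, remote_port) peers outside the local nets."""
        seen = set()
        for line in netstat_text.splitlines():
            m = LINE.match(line)
            if not m:
                continue
            _proto, _local, foreign, _state, pid = m.groups()
            host, _, port = foreign.rpartition(":")
            try:
                ip = ipaddress.ip_address(host.strip("[]"))   # IPv6 peers are bracketed
            except ValueError:
                continue                                       # "*:*" = listening socket, no peer
            if any(ip in net for net in LOCAL_NETS):
                continue
            seen.add((PIDS.get(int(pid), f"pid {pid}"), str(ip), int(port)))
        return seen

    def new_since_baseline(baseline_text, later_text):
        """Remote endpoints present now that were never seen during the baseline period."""
        return sorted(parse(later_text) - parse(baseline_text))

    if __name__ == "__main__":
        for process, ip, port in new_since_baseline(BASELINE, LATER):
            print(f"{process} -> {ip}:{port}  (not seen in baseline; check with whois)")
    ```

    Anything the script lists is only a lead to look up, not proof of compromise; an updater or a newly opened program will show up here just as a real problem would.
    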
     
  3. doodoo

    doodoo Private E-2

    I think kipfeet is going in the right direction; I will try it out myself.
     
  4. doodoo

    doodoo Private E-2

    I would like to upload a HijackThis file to Chaslang and others in response to a post on 10/04/05. I have been learning as I go and find this very insightful. I am sorry about being new to posting here; I hope y'all aren't too aggravated. I'm looking for answers for my inquisitive brain and I believe I found the right place. I'll bet the "you'all" or "y'all" lets you know I'm in Texas.
     
  5. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    Hi and welcome to Major Geeks :) There's a lot of great info here and a lot of awesome people who know a lot. It's a great place.

    Just a few things as far as forum use goes: Please don't post questions or problems in other people's threads. We prefer that only answers/suggestions to the original poster be added. You should always start your own new thread with any issues.

    Also, I'm not sure what you are speaking of as far as uploading a HijackThis file to a post from back in 2005, but you should never post to a thread that old, and we do not allow posting HijackThis files on our forums. If you think you have a malware issue, you would have to follow the "READ AND RUN ME FIRST MALWARE REMOVAL" instructions in the Malware forum. :)
     