Windows 7 Unwanted Network Activity

[MajorModeler]

Running Win 7, 64 bit.
Watching the Task Manager, Networking tab, there is an almost constant stream of incoming traffic, even after I have closed Outlook and IE Explorer. I would like to find out which program is requesting the traffic, where it is coming from, and stop it unless I specifically request incoming traffic. Netstat does not help much. WhoIs usually returns an unknown for the IP that I try.
Suggestions?

Peace,
Mike G.

 

[Joe S]

Do you use anything like Carbonite, Spotify or any other streaming services?
Joe

 

[MajorModeler]

Do you use anything like Carbonite, Spotify or any other streaming services?
Joe

No, no streaming. At one point I was using uTorrent, but I removed that from my machine and cleared the registry of any mention of it.

Peace,
Mike G.

 

[Fixer1234]

there is an almost constant stream of incoming traffic

What level of "stream" are you seeing? As long as you have an open network connection, there will be traffic like status pings. You may also have Windows and various software downloading updates in the background, but that wouldn't be continuous. This is more or less continuous and at a volume that would indicate moving serious data around (and you're not backing up your computer to the cloud in the background)?

 

[Fixer1234]

You did say that was incoming traffic. So you're not continuously restoring your cloud backups?

 

[Fixer1234]

A quick test: disconnect the coax cable between your router and the wall and see if the activity stops (rule out handshaking between the router and your PC).

 

[badrobot]

Run Malwarebytes and SuperAntiSpyware to get rid of malwares that are possibly tracking your internet activity.

 

[MajorModeler]

What level of "stream" are you seeing? As long as you have an open network connection, there will be traffic like status pings. You may also have Windows and various software downloading updates in the background, but that wouldn't be continuous. This is more or less continuous and at a volume that would indicate moving serious data around (and you're not backing up your computer to the cloud in the background)?

It is a constant level, no dips to 0. It is not pings from time to time, on a regular basis. The outgoing level is almost at 0 all the time.

 

[MajorModeler]

You did say that was incoming traffic. So you're not continuously restoring your cloud backups?

NO, I stay clear of clouds. I much prefer VFR flights.

 

[MajorModeler]

Run Malwarebytes and SuperAntiSpyware to get rid of malwares that are possibly tracking your internet activity.

I run MalwareBytes on a daily basis since this problem started
Have not heard of SuperAntiSpyware.

 

[MajorModeler]

A quick test: disconnect the coax cable between your router and the wall and see if the activity stops (rule out handshaking between the router and your PC).

Coax cable removed, level goes to 0 immediately.

 

[Fixer1234]

• Do you have a firewall on your PC in addition to one on your router?
• Does the problem go away if you boot in safe mode with networking or clean boot? If it does, it would suggest that the incoming stream is a response to some form of request initiated on your computer (and it could be found by a process of elimination using msconfig).
  
• Can you do a search based on date/time to see if you can identify whether anything is being saved to the hard disk and if so, what?
• Is this a stand-alone computer or is it part of a local network?
• Does the computer have any active software or settings for interfacing with something external other than through a browser (e.g., FTP, VPN, etc.)?
• Is the computer connected to a company or government network?
• Do you get any clue from the Task Manager as to a process on your computer with CPU or disk write activity that might be associated with the stream?
• Are you running any interactive games?
  
• Have you pissed off anyone enough that they would want to subject you to a denial of service attack?

 

[Fixer1234]

What kind of bandwidth is being consumed (what volume of data is incoming and how does that compare to the bandwidth of your connection)? Is the volume high enough that it would interfere with heavy usage, say streaming movies, or do you have enough bandwidth that you wouldn't notice? If you would expect it to affect performance, try doing something like streaming movies and see if it actually does. If it should but doesn't, it might indicate that it is being moderated or prioritized, which would imply that it is under the control of something on your computer.

 

[MajorModeler]

What kind of bandwidth is being consumed (what volume of data is incoming and how does that compare to the bandwidth of your connection)? Is the volume high enough that it would interfere with heavy usage, say streaming movies, or do you have enough bandwidth that you wouldn't notice? If you would expect it to affect performance, try doing something like streaming movies and see if it actually does. If it should but doesn't, it might indicate that it is being moderated or prioritized, which would imply that it is under the control of something on your computer.

The volume of data does not seem to change whether I am actually browsing the net, or when I have IE Explorer closed, or getting email. Once YouTube starts streaming, there does not seem to be any noticeable delay, other than the normal slow download speed.

 

[MajorModeler]

• Do you have a firewall on your PC in addition to one on your router?
• Does the problem go away if you boot in safe mode with networking or clean boot? If it does, it would suggest that the incoming stream is a response to some form of request initiated on your computer (and it could be found by a process of elimination using msconfig).
  
• Can you do a search based on date/time to see if you can identify whether anything is being saved to the hard disk and if so, what?
• Is this a stand-alone computer or is it part of a local network?
• Does the computer have any active software or settings for interfacing with something external other than through a browser (e.g., FTP, VPN, etc.)?
• Is the computer connected to a company or government network?
• Do you get any clue from the Task Manager as to a process on your computer with CPU or disk write activity that might be associated with the stream?
• Are you running any interactive games?
  
• Have you pissed off anyone enough that they would want to subject you to a denial of service attack?

When I boot in safe mode, I cannot get to the internet. I have been using msconfig without noticeable results. If something is being stored, I have not been able to find it. no company or government connections. The Task Manager processes do not seem to show me what is going on. The only process that consistently shows activity is the System Idle process. No games. It does not appear to be a DNS, since I can access and utilize the internet when I take specific action. However, when I am not doing anything, the incoming stuff is there.
I think that there is an active firewall, but I have not been able to find it in the process list. What I want in a firewall is the ability to log attempts, the offending IP and an effective whois to list the source of the offender.

 

[Fixer1234]

I'm guessing that you are looking at the Resource Monitor because that differentiates incoming and outgoing and shows the source IP address. Recognize that the network graph shown there is self-scaling. Even minimal traffic can appear to fill the graph. Look at the network tab of the Task Manager. What kind of percentage does it show for network utilization? On the Resource Monitor window, what kinds of numbers are you seeing for Kbps (add up the numbers shown in the chart or interpolate off the graph)?

There's a good chance that what you're seeing relates to the Windows Media Center Extender Service. There are apparently one or more special purpose IP addresses related to this that you won't be able to identify with an owner lookup. If you backtrack the service description, it will be under LocalServiceandNoImpersonation. If you open Windows Media Player, there are some settings for allowing Internet access to home media and remote control of your player. Try disabling these and see if the traffic disappears. You could also try stopping all services labelled LocalServiceandNoImpersonation.

 

[MajorModeler]

I'm guessing that you are looking at the Resource Monitor because that differentiates incoming and outgoing and shows the source IP address. Recognize that the network graph shown there is self-scaling. Even minimal traffic can appear to fill the graph. Look at the network tab of the Task Manager. What kind of percentage does it show for network utilization? On the Resource Monitor window, what kinds of numbers are you seeing for Kbps (add up the numbers shown in the chart or interpolate off the graph)?

There's a good chance that what you're seeing relates to the Windows Media Center Extender Service. There are apparently one or more special purpose IP addresses related to this that you won't be able to identify with an owner lookup. If you backtrack the service description, it will be under LocalServiceandNoImpersonation. If you open Windows Media Player, there are some settings for allowing Internet access to home media and remote control of your player. Try disabling these and see if the traffic disappears. You could also try stopping all services labelled LocalServiceandNoImpersonation.

I am looking at the Networking tab of the Task Manager. It shows the same level, percentage wise, when I am not doing anything and the IE Explorer is closed as it does when I am looking at streaming, or downloading videos, like You Tube.
This traffic is running around 1 meg. My connection is not a high speed, but it does seem slow, even for what I pay.
In the Resource Monitor there are a lot of entries for svchost.exe that under the Listening Ports, Image shows links to a firewall status of allowed, not restricted.
Then there are the pbeagent.exe entries that under the Listening Ports, Image shows links to a firewall status of not allowed, not restricted. I have no idea what those are for.
When I use msconfig, and select the services tab, I do not have any LocalServiceandNoImpersonation showing.

 

[Fixer1234]

Quick test: go into msconfig. On the Services tab, uncheck any entries relating to the Media Center. I found two on mine: Microsoft Media Center Scheduler Service, and Media Center Extender Service (to see them, make sure the Hide all Microsoft services box at the bottom is unchecked). On the General tab, pick Selective startup. Click OK and then reboot. See if the traffic disappears.

 

[badrobot]

I don't think that is something to get worried about. As long as your computer is connected to the internet (wired or wireless) there will be some sort of activity there all the time. In my case, I have NAS that always connects to my PCs and some programs looking and notifying me for updates like Avast and Malwarebytes online protection. That's the activity I am getting in my network.

 

[MajorModeler]

Quick test: go into msconfig. On the Services tab, uncheck any entries relating to the Media Center. I found two on mine: Microsoft Media Center Scheduler Service, and Media Center Extender Service (to see them, make sure the Hide all Microsoft services box at the bottom is unchecked). On the General tab, pick Selective startup. Click OK and then reboot. See if the traffic disappears.

I went into msconfig. I did not find the services you named. However, there were several other "...media..." services named. all but two were stopped, but not checked to off. I checked them all to off and re-booted. no change in the activity.