Discussion in 'Trojan Defence Suite' started by K. L., Feb 23, 2002.

  K. L.

    K. L. Guest

    Hello all.
    This is fairly new to me and I know just enough about network stuff to get me into trouble. Please excuse my ignorance.

    I originally scoured the web to find something that would tell me why at times my cable modem data light blinks rapidly with no programs running on my computer. (checked sysinfo/running programs, ctrl-alt-del) I've run NIS/NAV, tried Ants, nothing from me it seems causes it. So I felt it was someone on my node? and my modem was catching bits and pieces. However after trying TDS3 and clicking resolve on 127. address it showed that pop3NortonAV name. I didn't have auto protect running, didn't have email account protect on so it confuses me. That's one concern.

    Another is that I'm pretty sure that somewhere in TDS3 there is the ability to monitor the packets that go by or through my modem/router, but I'm not sure what it is or how to do it.

    By the way, I liked Ants except for the deciphering of the German language even though I'm half German :) but I'm really impressed with the clean, business-like interface of TDS3, all the buttons I can play with and the people here that are really into the specifics of keeping up with Security.

    I've read the help files and it helps but like I say I know just enough to get into trouble.

    Also I noticed that at times when I move my mouse around and an animation pops up when it goes over something like start menu etc. that the router/modem data light blinks briefly. It stops after a second when I stop.

    Any remarks/suggestions and help?

    UNICRON

    Feb 14, 2002
    Nanaimo BC Canada
    I would go here:


    Download and install Ethereal. You'll be told you need WinPcap for it to work; this is true. Found here:


    Once you have it all installed, and you run it, you'll have to select the network card stuff. You'll probably be given more than one choice (even with only one card) but trial and error will solve this quickly.

    Then read the help and capture away.
  Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi K.L.,
    First congratulations with TDS, and welcome here!
    We are all here to learn and hoping to give the right answers in the given situation!:)
    The nice thing with trouble is we can all learn from it and will all try our best to help people out.
    Which Windows version are you using?

    In TDS3 Console | Network | TCP Port Listen, for instance, you can see what's coming in on a special port you choose. Just wait for some moments and you'll see it coming in.
    In the same place the Traffic Bridge gives even more possibilities, to even change the data packets.

    TDS has a lot more very interesting buttons for you to play with, and did you look in the SS3 scripts folder to have even more functionality (when you're ready for that) and give functions to the ScriptCmnd buttons?

    I suppose your router has a built-in firewall function as well?

    The connection with the NAV, can it be the LiveUpdate?

    In TDS Console | System Info you have the Netstat connections and running Processes, which you can look deeper into with right-mouse-click and kill what you don't want to be connected/running.
    If you closed all connections and unnecessary programs you can see if it is still happening.

    With the lights blinking up you can look in the traffic if there is anything coming, a poll signal, whatever; I just had my FW open to check but the lights on my modem and hub are not in sync with possible traffic showing in the firewall. So I'm not quite sure.
    The moment your mouse starts trembling or walking by itself and you see data packets coming in, it is time to worry.
    I noticed even when opening windows\explorer and some programs, at times permission for connecting to the internet is asked of the firewall, which seems to be a setting somewhere to be changed to have it make differences with IE, but I did not dig for it yet.

    Please keep us informed how it goes.
  K.L.

    K.L. Guest

    Hello!  and Thank you for your responses.

    Unicron, I will do as you suggested and try that capturing program. Thank you!

    Jooske, I'll try to do this in order.

    My Win Version is 98SE, all latest updates.

    I tried the TCP port listen on 4 ports: 21, 23, 50, 80. Modem still blinked occasionally but nothing was shown in the TCP port listen window except the listening line. Kept it going for 10 minutes.

    Did the same with Traffic Bridge.

    By the way, I saw that it was suggested to use the 127. address as this is the most common. Would it make a difference if the actual router address was used? or the assigned IP address by IP provider?

    Scripts, hehe, beyond me and the word scares me.

    My router does have a built in firewall, and has Stateful Packet Inspection.

    NAV autoupdate is always off as well as anything else that wants to update itself.

    The only program that starts up is Exp and Systray. Nothing else. However the 2 Powerprofiles, taskmon, starts up also in the background. (SysInfo) Cleansweep (CSInject, why does that need to start anyway?) and anything else is unchecked from starting up in msconfig.

    Like you say when the mouse trembles or other funny things go on, on my desktop it's time to worry. I see what you mean. Probably a trojan or something then right?

    It just seems strange that the data will blink on my modem when I just move the cursor over an icon. Might be my imagination, don't think so though.

    After I had posted earlier I checked around and saw where someone mentioned that the US Government had a program that uses your Antivirus program to access/monitor your computer. Fine by me, I just wish I knew whether it was the good or bad guys.

    By the way, quick question, I block port 520 (efs) because my router tries to send data to my computer at a regular interval. Does this cause problems?

    Thank you Unicron and Jooske for responding and keeping up with this Security stuff. It's all very interesting to me, even if it takes awhile to absorb it.

    I'm going to try your suggestions and am going to respond if I can find the reasons for my concerns.
  Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi again K.L.,
    Have been thinking about some parts of your message, hope others help you with the other parts.
    You might like to try the other addresses as well, the router's and modem's IP for instance and leave them on some time.

    As I run Win98SE as well, it gives me more insight in trying out some effects and settings.

    Scripts? As I don't know much about them, they all look more or less the same to me, and the exact differences which make them run or not are in many cases obscure to me, but at times I try little things and am happy when I have it doing what I want.
    If your TDS version is registered you have lots of possibilities and in the licenced operators only forum are impressive scripts and discussions about them, far over my head too (still).
    For TDS in general the helpfile together with the members only forum is a wealth of information.

    I don't run NAV myself anymore, activated even the LiveUpdate manually but there might still be some call home if it is resident. NAV users might be able to tell that part.
    Was the blinking and connection to pop3NAV at all moments or when you collected your emails?
    It might even be the one has nothing to do with the other, the blinking.
    And as you say the router has packet inspection, might be part of that process?
    So it certainly looks interesting to look on which port is a connection, like that pop3NAV, and put that # under control some time via the traffic or port listen.

    What happens if you start Cleansweep manually so out of the autostart?
    Does the blinking still occur when you kill the process from the process list?
    With the moving mouse yes, that's what I mean, or an intruder, or a stupid little program I once activated, "move mouse", so I really had no way to stop the thing but finally a reboot.
    Did you also see which light is blinking, the LAN, Line TX or RX? As I see them frequently lighting up, which for me is normal line activity.
    Does the HD light also blink extra at such moments?

    You mean probably the discussions about Magic Lantern. It's not quite correct that the security software developers would have agreed with that. There is another discussion about the NSA key in all Windows versions; not sure about the latest developments in that story at this moment.
    If people want to be in your computer, you can make it as difficult for them as possible with the security tools and other security habits.

    The port 520 for data sending, depends on if you want the data (logs?) or not. I might suppose the data is either dropped or you get an error message if it is not ok for it?

    Hope these points together with Ethereal help you to locate your original blinking points. You might be able to think of a little script to make them blink at your wish. :D
    Please keep us informed how you're doing.
  K.L.

    K.L. Guest

    Hi again! Sorry for the long period of absence, reformatted/reinstalled everything again. With Ethereal the only thing captured has been the router talking on 520 to the ISP router. Connect verification thingy.

    The hard drive light doesn't blink in sync or at all when the 'data' light does so.

    In TDS when I hit the resolve button, it still shows PopNav (NortonAnti-Virus); however nothing is captured on the pop3 port with Ethereal or any other comm except that one with the port 520.

    CSinject, part of Cleansweep is listed in task along with Systray and Expl.

    Doesn't seem that data is leaking but I still have to wonder about that pop3Nav thing. Also tried 'Netstat -an' to see what was open..nothing during these tests.

    So I can only conclude that the data light blinking on the cable modem is bits and pieces passing by. It gets intense sometimes, not as bad as before when the Code Red bug was heavy.

    Anyway, I hope to purchase TDS in the near future so that I can experiment more.

    Thanks again for all your insight.
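The only traffic the capture above turned up was the router "talking on 520". UDP port 520 is the registered port of the RIP routing protocol (listed as "router" in most services files, while the TCP entry is "efs"), so what a host on the segment sees there is normally routers advertising routes to each other, not traffic aimed at the PC. The parser below, an added example that is not code from the thread or from TDS/Ethereal, decodes a constructed RIPv2 response datagram of the kind such a capture would contain, so the packets on 520 can be checked for what they really carry before deciding whether to keep blocking them.

```python
import struct
from ipaddress import IPv4Address

RIP_PORT = 520                    # UDP port of RIP (RFC 1058 / RFC 2453)
RIP_MULTICAST = "224.0.0.9"       # RIPv2 multicast group; RIPv1 uses broadcast
RIP_INFINITY = 16                 # metric meaning "unreachable"
RIP_COMMANDS = {1: "request", 2: "response"}


def parse_rip(payload: bytes) -> dict:
    """Decode a RIPv1/RIPv2 datagram: 4-byte header + 20-byte route entries."""
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("not a well-formed RIP datagram")
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    routes = []
    for off in range(4, len(payload), 20):
        family, _tag, net, mask, nexthop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if family != 2:           # 2 = AF_INET; 0xFFFF would be a v2 auth entry
            continue
        routes.append({
            "network": str(IPv4Address(net)),
            # RIPv1 carries no mask; the receiver derives it from the address class
            "mask": str(IPv4Address(mask)) if version == 2 else None,
            # 0.0.0.0 means "route via the sender of this datagram"
            "next_hop": str(IPv4Address(nexthop)),
            "metric": metric,
            "reachable": metric < RIP_INFINITY,
        })
    return {"command": RIP_COMMANDS.get(command, "unknown"),
            "version": version, "routes": routes}


def is_rip_router_chatter(dst_ip: str, dst_port: int) -> bool:
    """True for RIP sent to the segment as a whole rather than to one host."""
    return dst_port == RIP_PORT and (
        dst_ip == RIP_MULTICAST or dst_ip.endswith(".255"))


# Constructed sample: a RIPv2 response advertising one live route and one
# withdrawn (metric 16) route, as a router on the segment would send it.
SAMPLE_RIP_RESPONSE = (
    struct.pack("!BBH", 2, 2, 0)
    + struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 1, 0, 0]),
                  bytes([255, 255, 0, 0]), bytes(4), 1)
    + struct.pack("!HH4s4s4sI", 2, 0, bytes([192, 168, 5, 0]),
                  bytes([255, 255, 255, 0]), bytes(4), RIP_INFINITY)
)

if __name__ == "__main__":
    print(parse_rip(SAMPLE_RIP_RESPONSE))
```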
  Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hello again K.L.
    Lot of work you did, and in fact the same result.
    So it seems even if you don't configure NAVPop3 it keeps trying to have illegal looks :)
    But you can control the 520 traffic, for sure.

    Buying TDS is about the best buy you can do for yourself and your computer's life. It did for me since more than two years ago. Not only for all the functions, and even more in the next version which will be really astonishing again, but also at least for access to the licenced operators only forum, bringing you even closer to the holy of holies.
    The registered version gives you even more possibilities than you have already.
