Network monitoring tool - please help

Screeper

Network monitoring tool - please help

Post by Screeper »

Hi guys,

Here's the deal...
My work PC, running Win7 Pro 32-bit, is starting to act a bit suspiciously.
I have been getting emails from users around the company (people with network monitoring tools installed) that my user name and IP have been scanning their PCs for open shares etc.
Our corporate AV is McAfee - which is currently not the best performer in the AV world. So it is happily eating my resources but reporting nothing evil on my PC after full scan.
I then scanned with Nod and Kaspersky and they picked up nothing.
Spybot was equally unsuccessful in picking up anything evil.
And yet the attacks originating from my IP are still happening.

Is there any free tool that I can use to pick up when an application/service/process starts to make use of my network connection?
I really need to find out what is causing this..
Any ideas/suggestions would be appreciated as I have a feeling that my PC is probably scanning a lot more other PCs, it is just that the users don't know about it..
There are 10 types of people in this world.
Those who understand binary and those who do not.
Anakha56

Re: Network monitoring tool - please help

Post by Anakha56 »

Wireshark can help assist I am sure. http://www.wireshark.org/
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
Nuke

Re: Network monitoring tool - please help

Post by Nuke »

Do a netstat to see all connections, and start killing processes in the task manager till the connections you don't want stop. Wireshark is a great tool, and you can use it instead of netstat too. But it won't show you what program is making the connections.
Screeper

Re: Network monitoring tool - please help

Post by Screeper »

Thanks, will give Wireshark a whirl... looks promising.
Abatis

Re: Network monitoring tool - please help

Post by Abatis »

Stab in the dark, but couldn't netmonitor do this?
What does man fear most? That no one will understand him, or that someone truly might?
Screeper

Re: Network monitoring tool - please help

Post by Screeper »

Netmonitor doesn't show enough detail as far as I can work out.

Nuke - tried Netstat but it only shows 4 connections, all of which are ones that should be there (proxy, mail server, file server x2)

Have just started Wireshark and it is really overwhelming :shock:
But looks like it may do the trick, if I can just learn how to use it properly ;)
rustypup

Re: Network monitoring tool - please help

Post by rustypup »

also.. icesword - with a major NB that not everything this tool finds is a rootkit... some system files are meant to fall outside of the hive, for all manner of reasons... always verify, (goggle), before canning anything...

it could also be completely innocuous behaviour - are you running any net mapping tools on your machine?
Most people would sooner die than think; in fact, they do so - Bertrand Russel
DeeVeeDee

Re: Network monitoring tool - please help

Post by DeeVeeDee »

Are you sure you ran the correct netstat command, cus I don't think you should only see 4 connections?

netstat /a -n
Also note that it will only show your current connections and not the intermittent ones.
In the past I used to use the free ver of ZoneAlarm until I found the process that's causing the problem, then remove ZoneAlarm again afterwards.
Not sure if you still get the free ver.

Are they sure they haven't misconfigured their IDS software to confuse an attack with Network discovery?
And yes, Wireshark will give you lots of activity cus the PCAP driver will catch network packets that are not intended for your NIC.

And if you can't see suspect connections then it could be what rustypup said: sometimes a valid network app can get infected and make connections
it's not supposed to, and when you look at it, it looks like a 'legal' connection cus of its process name.

If you have Windows 7 or Vista you can right-click a process and open its location; by doing that you can also see if it's in the wrong location or not.
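Added example, not part of the original thread: two gaps raised above are that plain netstat does not name the program and that a single snapshot misses intermittent connections. `netstat -ano` adds the owning PID, and the sketch below merges several saved snapshots and reports any PID that reached several distinct hosts on the file-share ports. The sample rows, addresses, PIDs and the three-host threshold are constructed assumptions.

```python
import re
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB (file shares)

# Constructed sample: two `netstat -ano` snapshots taken a few seconds apart.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.23:49201        10.0.0.5:8080          ESTABLISHED     1432
  TCP    10.0.0.23:49210        10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.23:49877        10.0.0.41:445          SYN_SENT        2964
  TCP    10.0.0.23:49878        10.0.0.42:445          SYN_SENT        2964
  UDP    0.0.0.0:500            *:*                                    788
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.23:49201        10.0.0.5:8080          ESTABLISHED     1432
  TCP    10.0.0.23:49901        10.0.0.43:139          SYN_SENT        2964
  TCP    10.0.0.23:49902        10.0.0.44:445          TIME_WAIT       0
"""

# Proto, local address, foreign address, state, PID
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (remote_host, remote_port, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows (no state column), blank lines
        _local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")  # also copes with [v6]:port
        if port.isdigit():
            rows.append((host, int(port), state, int(pid)))
    return rows

def share_scan_suspects(rows, min_hosts=3):
    """Map PID -> sorted remote hosts, for PIDs reaching min_hosts SMB targets."""
    targets = defaultdict(set)
    for host, port, _state, pid in rows:
        # PID 0 rows (e.g. TIME_WAIT) no longer have an owning process
        if port in SMB_PORTS and pid != 0:
            targets[pid].add(host)
    return {pid: sorted(h) for pid, h in targets.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for pid, hosts in share_scan_suspects(parse_netstat(SAMPLE)).items():
        print(f"PID {pid} touched {len(hosts)} hosts on 139/445: {hosts}")
        print(f'  identify it with: tasklist /FI "PID eq {pid}"')
```

Snapshots can be collected with `netstat -ano 5 > snap.txt`, which repeats the listing every five seconds until interrupted, and the file's contents passed to `parse_netstat`.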