ChrisEddy
asked on
Intermittent and unaccounted high download volumes, howto track and learn more
Gentlemen,
One of my customers, who has a hughes.net satellite connection to the internet, also has a daughter who is visiting from college.
Several times since the arrival of the daughter, the customer has been FAP-ed almost every day during the visit, and the resulting download speed becomes very low for 12-24 hours.
The customer has printed a usage report for this month, which shows hourly usage, and the usage spikes after the daughter arrives. The time of day tends to vary, e.g. 7PM, the next day at 3AM, the next day at 12M, and a couple of days later at 2PM.
There are one or more other computers in the house which do have network access to the satellite connection to the internet, but the suspicion is that the daughter's computer has become infected, because the time of her arrival and presence corresponds with the FAPing.
Note that the FAPing occurs after large downloads, e.g. 246+147MB in 2H, 513MB in 1H, 440MB in 1H, 396MB in 1H.
The daughter is either asleep at these times, or the computer is reported to be off.
I have externally scrubbed the hard drive using multiple tools, and other than cookies, they report no findings.
I've checked for rogue LSP's and BHO's, and none were found.
I've checked the event logs, and found something in Security. At about 3:30AM on the above 3AM day, there is a logon by the advapi process for the daughter's OS account, then a change of privilege (SeChangeNotifyPrivilege), then a logoff of the daughter's OS account, then a successful logon attempt by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 for the daughter's OS account, then another logon of the daughter's OS account by the process advapi, and so on.
I've researched "advapi" and found it to be on both her and my machine, with identical file sizes and timestamps. A Google search yields several references which flag advapi as a trojan, but I am not yet convinced that this is the case here. But I'm curious if this process is being run on behalf of another process, like svchost.exe is.
I've changed the automatic OS updates from Automatic at 3AM to notify but don't download.
I've disabled the automatic manuf check for sw updates.
My question(s):
1) How can I learn more about this consumption, after the fact.
2) What tools can I install that would monitor usage for later review.
Any thoughts and guidance are very much appreciated.
Thank you in advance!
ASKER
Gentlemen,
Thank you for your thoughtful response.
I've uploaded the hjt log per your request.
Since my last posting, I think I may have duplicated the reported symptom.
I had shut off the customer computer, left it off for about 0.5H, turned it on and logged in, then noticed that the wifi network adapter was constantly lit - indicating continuous network traffic.
The Networking tab on the task manager showed an absolute boatload of network traffic was occurring.
The system became extremely sluggish, not wanting to launch programs within 10+ seconds. I tried to bring up a command prompt by pressing windows-R but there was no response.
Using the task manager, I launched a new cmd process, and ran "netstat -o" to show the open network connections. The following is a cut-and-paste of the file:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\username>netstat -o
Active Connections
Proto Local Address Foreign Address State PID
TCP Lucy:1075 localhost:1076 ESTABLISHED 3568
TCP Lucy:1076 localhost:1075 ESTABLISHED 3568
TCP Lucy:1042 cs53.msg.dcn.yahoo.com:5050 ESTABLISHED 3296
TCP Lucy:1065 sip7.voice.re2.yahoo.com:https ESTABLISHED 3296
TCP Lucy:1078 eh-in-f99.google.com:http ESTABLISHED 3568
TCP Lucy:1081 py-in-f104.google.com:http ESTABLISHED 3568
TCP Lucy:1082 py-in-f104.google.com:http ESTABLISHED 3568
TCP Lucy:1084 216.246.93.19:http ESTABLISHED 3568
TCP Lucy:1087 216.246.93.43:http ESTABLISHED 3568
TCP Lucy:1088 216.246.93.43:http ESTABLISHED 3568
TCP Lucy:1091 ro-in-f91.google.com:http ESTABLISHED 3568
TCP Lucy:1093 69.8.201.72:http ESTABLISHED 3568
TCP Lucy:1094 ro-in-f99.google.com:http ESTABLISHED 3568
TCP Lucy:1097 l1.ycs.vip.mud.yahoo.com:http ESTABLISHED 3156
C:\Documents and Settings\username>
Your thoughts ...
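A small triage helper for a listing like the one above, added here as an example (it is not code from the thread): it parses "netstat -o" output, groups established connections by owning PID and ignores the loopback pair, so the PID with the most external peers can be matched to a process in Task Manager. The SAMPLE string is a constructed re-typing of the listing quoted in this post.

```python
"""Triage helper for the 'netstat -o' listing: group connections by owning PID.
Added example, not from the thread; SAMPLE is a constructed re-typing of the listing."""
from collections import defaultdict

SAMPLE = """\
Active Connections

  Proto  Local Address  Foreign Address                  State        PID
  TCP    Lucy:1075      localhost:1076                   ESTABLISHED  3568
  TCP    Lucy:1076      localhost:1075                   ESTABLISHED  3568
  TCP    Lucy:1042      cs53.msg.dcn.yahoo.com:5050      ESTABLISHED  3296
  TCP    Lucy:1065      sip7.voice.re2.yahoo.com:https   ESTABLISHED  3296
  TCP    Lucy:1078      eh-in-f99.google.com:http        ESTABLISHED  3568
  TCP    Lucy:1084      216.246.93.19:http               ESTABLISHED  3568
  TCP    Lucy:1087      216.246.93.43:http               ESTABLISHED  3568
  TCP    Lucy:1097      l1.ycs.vip.mud.yahoo.com:http    ESTABLISHED  3156
"""

LOOPBACK = {"localhost", "127.0.0.1"}   # traffic to self never leaves the satellite link

def parse_netstat(text):
    """Return (proto, local, foreign_host, foreign_port, state, pid) per TCP line.
    UDP lines on XP have no State column (4 fields) and are skipped here."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue                      # blank line, header, or UDP entry
        proto, local, foreign, state, pid = parts
        host, port = foreign.rsplit(":", 1)   # rsplit: only the last ':' separates the port
        rows.append((proto, local, host, port, state, int(pid)))
    return rows

def summarize_by_pid(rows, state="ESTABLISHED"):
    """Map PID -> sorted distinct external hosts; loopback pairs are ignored."""
    hosts = defaultdict(set)
    for _proto, _local, host, _port, st, pid in rows:
        if st == state and host not in LOOPBACK:
            hosts[pid].add(host)
    return {pid: sorted(h) for pid, h in hosts.items()}

def busiest_pid(rows):
    """PID talking to the most external hosts: first candidate to look up in Task Manager."""
    summary = summarize_by_pid(rows)
    return max(summary, key=lambda pid: len(summary[pid])) if summary else None

if __name__ == "__main__":
    for pid, hosts in sorted(summarize_by_pid(parse_netstat(SAMPLE)).items()):
        print(f"PID {pid}: {len(hosts)} external host(s): {', '.join(hosts)}")
```

On the real machine, pipe "netstat -o" into a file and feed that file's text to parse_netstat; the PID column is what the Task Manager PID column (View > Select Columns) is matched against.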
Do you have a link to your HJT log?
I will take a look at it, but the real pro should be rolling in here within the next 30 minutes or so.
Vic
ASKER CERTIFIED SOLUTION
ASKER
Gentlemen,
I may have found the problem, and I think it's a process called "yupdater.exe".
This was determined using the Task Manager, and adding some columns to the Processes display, e.g. I/O reads, I/O writes, and I/O other.
The yupdater process had a disproportionately high rate of I/Os, increasing by about 2500 per sampling at the low rate. After killing the yupdater process, the I/O rate went way down, and the Networking graph showed that the data volume had gone from several Mbps to near zero.
Using a Google search, there is more than one report about yupdater behaving poorly for a time, but nothing near as long or as intense as this. But it was good corroborating information.
I've renamed yupdater.exe to have a leading underscore prefix, to prevent this process from being started automatically again, with the caveat that Yahoo updates must now be periodically taken manually.
Nice detective work.
If you do the 'msconfig' snooping, you might be able to 'uncheck' it from the auto-start list.
Vic
One of your connections appears to be Yahoo's "messaging" service:
cs53.msg.dcn.yahoo.com:5050
Some of these allow for file transfers. Also it appears you may be doing Voice over IP (VoIP):
sip7.voice.re2.yahoo.com:https
This is one of many of Yahoo's Asterisk servers.
You may want to install something like Wireshark (http://www.wireshark.org), a network packet capture utility, and capture network traffic while you are having the problem. See what host the traffic is coming from.
ASKER
Gentlemen,
Thank you for your thoughtful and helpful responses.
Nice tip on wireshark! I think I'm in love!
The computer has been delivered to the customer, and peace in the household has been restored. Both mother and daughter are greatly relieved that the home satellite connection is no longer downloading huge volumes in a relatively short period of time, resulting in them being FAP-ed for 6-24 hours, and having download speeds like dialup for that duration.
I'm still curious how or why, with a program like Yahoo Messenger, which is released for active and simultaneous usage by millions of people, only this one computer is showing this one symptom and there are no others. The solution was an expedient one: don't run the offending program. The act of automatically updating Yahoo is not a mission-critical one, because it can be done manually by the user.
But over the past month or so, I've seen several computers with performance issues, where the CPU usage was very high and sustained, which I later found to be caused by the WinXP automatic updating process. I wonder if there is a connection, other than a temporal one.
Thank you again.
It seems that most of the work I do on home computers (and many work ones) is just cleaning up all of the 'junk' that gets installed automatically.
Users seem to not give a second thought to clicking 'OK' when a pop-up asks if it is alright to download/install a program.
Lately it seems as if every one of these programs will automatically start on boot or log-in - and - automatically check for updates at start up.
Very frustrating for the uneducated user, but very lucrative for me.
I leave a 'hot-sheet' of good tips for basic users, but I'm back doing the same clean up for some customers every 2-3 months.
Kind of a 'good news-bad news' thing.
Vic
LeeTutor,
These were the actual questions:
"1) How can I learn more about this consumption, after the fact.
2) What tools can I install that would monitor usage for later review."
And they were both answered.
Thank you,
Vic
If you have already used HJT, just go ahead and post the logs.
These instructions courtesy of: rpggamergirl
https://www.experts-exchange.com/M_3598771.html
Get the newest version of HJT:
Please download HijackThis 1.99.1
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.
Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting "url" and post it back here.
OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.
2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save". Then post the link to the saved list here.