Solved

large up downloads to my comp even when i am not using it for hours at a time

Posted on 2011-03-18
Last Modified: 2012-05-11
I am getting large downloads on my computer. I do know I am not doing any large downloads, and I ran the virus checker but nothing shows up.
It may be doing some form of updates, but auto updates is switched to off,
and they are only 130 meg and it would not run every couple of hours. Have downloaded about 4 gig in 3 days and it's not me doing it.
Any software that can show usage over the line etc.?
Any point in the right direction would be a help. Running Vista and an XP machine, though have taken the XP offline to see if there is any difference.
datausage.png
Question by:sydneyguy
18 Comments
 
LVL 4

Accepted Solution

by:
rjpilcher earned 1000 total points
ID: 35170175
Updates should not involve that much data.  Some things I would look at:

1. Running processes between :30 and :40 every hour - seems these are happening at around the same time every 1-3 hours
2. Run a Malwarebytes scan (free)
3. Ensure you have no rogue entities on your network (are you using wireless?)
4. Run a netstat -ao > c:\example.txt every minute during this time - this will show you what ports are open and what process ID is associated with it - you can look at the PID in task manager to compare

This seems indicative of either someone tagging onto your network or malware
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35170371
Do you have a Bit-torrent client running for file sharing and downloading?

Author Comment

by:sydneyguy
ID: 35170418
I have not loaded up any Bit-torrent client or am aware of any running in the background. How could I tell?
Am running Malwarebytes now.

Author Comment

by:sydneyguy
ID: 35170421
Have started netstat -ao > c:\example.txt
and will have a look at the log.

Author Comment

by:sydneyguy
ID: 35170432
My stats have just gone up another 200 meg and I was not even here.

Here is the log from the netstat, if that's any help:


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            DicksmithMir-PC:0      LISTENING       1076
  TCP    0.0.0.0:1110           DicksmithMir-PC:0      LISTENING       1192
  TCP    0.0.0.0:3306           DicksmithMir-PC:0      LISTENING       3580
  TCP    0.0.0.0:9000           DicksmithMir-PC:0      LISTENING       2160
  TCP    0.0.0.0:10000          DicksmithMir-PC:0      LISTENING       2160
  TCP    0.0.0.0:49152          DicksmithMir-PC:0      LISTENING       712
  TCP    0.0.0.0:49153          DicksmithMir-PC:0      LISTENING       1224
  TCP    0.0.0.0:49154          DicksmithMir-PC:0      LISTENING       1464
  TCP    0.0.0.0:49155          DicksmithMir-PC:0      LISTENING       1312
  TCP    0.0.0.0:49156          DicksmithMir-PC:0      LISTENING       768
  TCP    0.0.0.0:49159          DicksmithMir-PC:0      LISTENING       756
  TCP    127.0.0.1:80           DicksmithMir-PC:0      LISTENING       3916
  TCP    127.0.0.1:1110         DicksmithMir-PC:50639  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:60764  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:65183  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:65447  ESTABLISHED     1192
  TCP    127.0.0.1:3306         DicksmithMir-PC:49187  ESTABLISHED     3580
  TCP    127.0.0.1:3306         DicksmithMir-PC:49220  ESTABLISHED     3580
  TCP    127.0.0.1:3306         DicksmithMir-PC:63189  ESTABLISHED     3580
  TCP    127.0.0.1:9000         DicksmithMir-PC:49704  TIME_WAIT       0
  TCP    127.0.0.1:9000         DicksmithMir-PC:49713  TIME_WAIT       0
  TCP    127.0.0.1:49177        DicksmithMir-PC:49178  ESTABLISHED     4112
  TCP    127.0.0.1:49178        DicksmithMir-PC:49177  ESTABLISHED     4112
  TCP    127.0.0.1:49180        DicksmithMir-PC:49181  ESTABLISHED     4112
  TCP    127.0.0.1:49181        DicksmithMir-PC:49180  ESTABLISHED     4112
  TCP    127.0.0.1:49187        DicksmithMir-PC:3306   ESTABLISHED     3664
  TCP    127.0.0.1:49220        DicksmithMir-PC:3306   ESTABLISHED     3664
  TCP    127.0.0.1:50639        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:60764        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:63189        DicksmithMir-PC:3306   ESTABLISHED     6024
  TCP    127.0.0.1:65183        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:65447        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    192.168.1.64:139       DicksmithMir-PC:0      LISTENING       4
  TCP    192.168.1.64:49449     by2msg3010610:http     ESTABLISHED     4676
  TCP    192.168.1.64:49701     73:http                TIME_WAIT       0
  TCP    192.168.1.64:49717     36:http                TIME_WAIT       0
  TCP    192.168.1.64:49718     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49719     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49720     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49721     www-level3:http        SYN_SENT        4676
  TCP    192.168.1.64:49722     images:http            SYN_SENT        4676
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65448     117.18.239.138:https   ESTABLISHED     1192
  TCP    [::]:135               DicksmithMir-PC:0      LISTENING       1076
  TCP    [::]:445               DicksmithMir-PC:0      LISTENING       4
  TCP    [::]:5357              DicksmithMir-PC:0      LISTENING       4
  TCP    [::]:9000              DicksmithMir-PC:0      LISTENING       2160
  TCP    [::]:10000             DicksmithMir-PC:0      LISTENING       2160
  TCP    [::]:49152             DicksmithMir-PC:0      LISTENING       712
  TCP    [::]:49153             DicksmithMir-PC:0      LISTENING       1224
  TCP    [::]:49154             DicksmithMir-PC:0      LISTENING       1464
  TCP    [::]:49155             DicksmithMir-PC:0      LISTENING       1312
  TCP    [::]:49156             DicksmithMir-PC:0      LISTENING       768
  TCP    [::]:49159             DicksmithMir-PC:0      LISTENING       756
  UDP    0.0.0.0:123            *:*                                    1464
  UDP    127.0.0.1:1900         *:*                                    1464
  UDP    127.0.0.1:50183        *:*                                    4004
  UDP    127.0.0.1:60811        *:*                                    1464
  UDP    127.0.0.1:63871        *:*                                    4676
  UDP    192.168.1.64:137       *:*                                    4
  UDP    192.168.1.64:138       *:*                                    4
  UDP    192.168.1.64:1900      *:*                                    1464
  UDP    [::]:123               *:*                                    1464
  UDP    [::1]:1900             *:*                                    1464
  UDP    [::1]:60810            *:*                                    1464
  UDP    [fe80::2db9:744b:b623:ff59%9]:1900  *:*                                    1464
  UDP    [fe80::30fc:2bd2:3f57:febf%20]:1900  *:*                                    1464
  UDP    [fe80::4812:8da4:1c1:49d0%8]:1900  *:*                                    1464
  UDP    [fe80::8de2:bd9f:ba4e:d5a9%11]:1900  *:*                                    1464
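
The accepted answer's step 4 (run netstat -ao and match the PID column against Task Manager) and the log posted above invite a small helper that does the matching for you. This is an added example, not code from the thread; it parses `netstat -ao` text and groups the connections that actually leave the machine by owning PID, dropping listeners, loopback sockets and peerless UDP rows. The sample input is a constructed subset of the lines posted above.

```python
from collections import defaultdict

# Constructed sample: lines copied from the netstat -ao output posted in
# the thread, trimmed so the example stays short.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            DicksmithMir-PC:0      LISTENING       1076
  TCP    127.0.0.1:1110         DicksmithMir-PC:50639  ESTABLISHED     1192
  TCP    127.0.0.1:9000         DicksmithMir-PC:49704  TIME_WAIT       0
  TCP    192.168.1.64:139       DicksmithMir-PC:0      LISTENING       4
  TCP    192.168.1.64:49449     by2msg3010610:http     ESTABLISHED     4676
  TCP    192.168.1.64:49701     73:http                TIME_WAIT       0
  TCP    192.168.1.64:49718     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  UDP    0.0.0.0:123            *:*                                    1464
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid); UDP rows have no State."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections" or column header
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        else:
            proto, local, foreign, pid = fields
            state = ""
        yield proto, local, foreign, state, int(pid)


def remote_peers_by_pid(text):
    """Map PID -> set of foreign endpoints that leave this host.

    Listeners, loopback sockets and peerless UDP rows (*:*) are dropped,
    leaving the short list to check against Task Manager. PID 0 means the
    socket (typically TIME_WAIT) no longer has an owning process.
    """
    peers = defaultdict(set)
    for _proto, local, foreign, state, pid in parse_netstat(text):
        if state == "LISTENING" or foreign == "*:*":
            continue
        if local.rsplit(":", 1)[0] in LOOPBACK:
            continue
        peers[pid].add(foreign)
    return dict(peers)
```

On the posted log this reduces roughly seventy rows to three PIDs worth looking up: 1192 (the four HTTPS sessions to 117.18.239.138), 4676 (the HTTP sessions) and 0 (expired TIME_WAIT sockets).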
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35170476
"117.18.239.138" belongs to some guy in Santa Monica.  Port 3306 is normally MySQL and I believe you have XAMPP installed.  Ports 135, 137, and 138 are Netbios ports.  "www-level3" is usually Level3 Communications, a network service provider.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35170483
"www-level3" is probably Experts Exchange thru Level3.
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 1000 total points
ID: 35170491
TCPview from Sysinternals will show you which process is using the different connections.  http://technet.microsoft.com/en-us/sysinternals/bb897437

Author Comment

by:sydneyguy
ID: 35170511
Where does 117.18.239.138 come from? Is it on the list?
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35170784
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65448     117.18.239.138:https   ESTABLISHED     1192

Author Comment

by:sydneyguy
ID: 35171177
EdgeCast Networks Asia Pacific Network
117.18.239.138:https
is AAPT, the lousy IP provider that I am trying to get away from, so that's not the problem.
LVL 4

Expert Comment

by:rjpilcher
ID: 35172489
Are the downloads still occurring?  

Netstat is only going to give you a capture of open connections at the time you run it.

It may be better to try using Wireshark during the window these are occurring in.  Here's a quick guide:

http://portforward.com/networking/wireshark.htm

You can start a capture at :30 and then go over it.  Also, can you shut down both machines and see if the downloads continue?  Is it possible someone else is on your network?
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35172517
Do you have a wireless network?  Is it secured?  WPA?  WEP?

Author Comment

by:sydneyguy
ID: 35173572
Here is a shot of data found after the scan, which I have taken off now. Also left one machine on and the other off to see which machine may be the problem.
malfound.png

Author Comment

by:sydneyguy
ID: 35173578
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6104

Windows 6.0.6000
Internet Explorer 7.0.6000.16851

20/03/2011 10:44:48 AM
mbam-log-2011-03-20 (10-44-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 891320
Time elapsed: 13 hour(s), 24 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5DR8ZAD8GX (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TG0PTF86JH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\dicksmith miranda\AppData\Local\Temp\nskA95B.tmp\NSISdl.dll (Trojan.Banker) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
LVL 4

Expert Comment

by:rjpilcher
ID: 35173602
And that could very well be your issue. I'd recommend running Malwarebytes again in safe mode to make sure it's clean and hasn't repopulated the infection.


Author Comment

by:sydneyguy
ID: 35312659
Thanks for the help.
So far I seem to have cleared the problem, or at worst know what machine it's on. Also it seems to stop when I disable RegCure. Still chasing it up, but thanks for both of your help.

Author Closing Comment

by:sydneyguy
ID: 35312697
Thanks for the help.