Solved

Large up/downloads to my computer even when I am not using it for hours at a time

Posted on 2011-03-18
763 Views
Last Modified: 2012-05-11
I am getting large downloads on my computer. I know I am not doing any large downloads, and I ran the virus checker but nothing shows up.
It may be doing some form of updates, but auto updates is switched off,
and they are only 130 MB and it would not run every couple of hours. I have downloaded about 4 GB in 3 days and it's not me doing it.
Any software that can show usage over the line etc.?
Any pointer in the right direction would be a help. Running Vista and an XP machine, though I have taken the XP off line to see if there is any difference.
datausage.png
0
Question by:sydneyguy
18 Comments
 
LVL 4

Accepted Solution

by:
rjpilcher earned 250 total points
Updates should not involve that much data.  Some things I would look at:

1. Running processes between :30 and :40 every hour - it seems these are happening at around the same time every 1-3 hours
2. Run a Malwarebytes scan (free)
3. Ensure you have no rogue entities on your network (are you using wireless?)
4. Run a netstat -ao > c:\example.txt every minute during this time - this will show you what ports are open and what process ID is associated with it - you can look at the PID in Task Manager to compare

This seems indicative of either someone tagging onto your network or malware
0
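The netstat step above, as an added example that is not part of the original thread: a Python script that parses a saved `netstat -ao` capture and lists, per PID, the sockets whose peer is outside the LAN, so the one-minute snapshots can be triaged without reading every row by hand. The sample input is an excerpt of the netstat output the poster pasted later in this thread; mapping a PID to a process name is assumed to be done separately (Task Manager, Sysinternals TCPView, or `tasklist /fi "PID eq 1192"`).

```python
"""Triage of a saved `netstat -ao` capture: which process IDs hold
connections that leave the box, and how many?

Added example for the netstat step in the accepted answer; not code from
the thread.  SAMPLE_CAPTURE is an excerpt of the poster's own netstat
output.  PID -> process name is a separate manual step (Task Manager,
TCPView, or `tasklist /fi "PID eq NNNN"`).
"""

import ipaddress
import re
from collections import Counter, defaultdict

# Excerpt of the poster's `netstat -ao` output, used here as sample input.
SAMPLE_CAPTURE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3306           DicksmithMir-PC:0      LISTENING       3580
  TCP    127.0.0.1:1110         DicksmithMir-PC:50639  ESTABLISHED     1192
  TCP    192.168.1.64:139       DicksmithMir-PC:0      LISTENING       4
  TCP    192.168.1.64:49449     by2msg3010610:http     ESTABLISHED     4676
  TCP    192.168.1.64:49701     73:http                TIME_WAIT       0
  TCP    192.168.1.64:49718     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49721     www-level3:http        SYN_SENT        4676
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  UDP    0.0.0.0:123            *:*                                    1464
  UDP    192.168.1.64:1900      *:*                                    1464
"""

# proto, local, foreign, optional state (UDP rows have none), PID
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield one dict per socket row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            yield {"proto": proto, "local": local, "foreign": foreign,
                   "state": state or "", "pid": int(pid)}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); also handles [IPv6%scope]:port."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port


def is_local_or_lan(host):
    """True for loopback, link-local, unspecified and RFC 1918 addresses.
    A hostname means netstat resolved the peer, so it is treated as
    off-box (the local machine name only shows up on listener rows,
    which are dropped before this check)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_private


def external_connections(text):
    """PID -> Counter of (proto, 'host:port', state) for sockets that leave
    the LAN.  Drops listeners (foreign port 0), unbound UDP ('*:*'),
    loopback-to-loopback sockets and ownerless TIME_WAIT rows (PID 0)."""
    by_pid = defaultdict(Counter)
    for row in parse_netstat(text):
        lhost, _ = split_endpoint(row["local"])
        fhost, fport = split_endpoint(row["foreign"])
        if fport in ("0", "*") or row["pid"] == 0:
            continue
        try:
            if ipaddress.ip_address(lhost).is_loopback:
                continue
        except ValueError:
            pass
        if is_local_or_lan(fhost):
            continue
        by_pid[row["pid"]][(row["proto"], f"{fhost}:{fport}", row["state"])] += 1
    return dict(by_pid)


def report(text):
    """Human-readable summary, busiest PID first (ties broken by PID)."""
    conns = external_connections(text)
    lines = []
    for pid in sorted(conns, key=lambda p: (-sum(conns[p].values()), p)):
        lines.append(f"PID {pid}: {sum(conns[pid].values())} off-LAN socket(s)")
        for (proto, peer, state), n in sorted(conns[pid].items()):
            lines.append(f"    {proto} {peer} {state} x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(report(text))
```

Run it against each minute's capture file (`python netstat_triage.py c:\example.txt`); a PID that keeps a cluster of sockets to one off-LAN address across snapshots taken while nobody is at the machine is the one to look up in Task Manager or TCPView.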
 
LVL 82

Expert Comment

by:Dave Baldwin
Do you have a Bit-torrent client running for file sharing and downloading?
0
 

Author Comment

by:sydneyguy
I have not loaded any BitTorrent client or aware of any running in the background. How could I tell?
Am running Malwarebytes now.
0
 

Author Comment

by:sydneyguy
I have started netstat -ao > c:\example.txt
and will have a look at the log.
0
 

Author Comment

by:sydneyguy
My stats have just gone up another 200 MB and I was not even here.

Here is the log from the netstat if that's any help:


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            DicksmithMir-PC:0      LISTENING       1076
  TCP    0.0.0.0:1110           DicksmithMir-PC:0      LISTENING       1192
  TCP    0.0.0.0:3306           DicksmithMir-PC:0      LISTENING       3580
  TCP    0.0.0.0:9000           DicksmithMir-PC:0      LISTENING       2160
  TCP    0.0.0.0:10000          DicksmithMir-PC:0      LISTENING       2160
  TCP    0.0.0.0:49152          DicksmithMir-PC:0      LISTENING       712
  TCP    0.0.0.0:49153          DicksmithMir-PC:0      LISTENING       1224
  TCP    0.0.0.0:49154          DicksmithMir-PC:0      LISTENING       1464
  TCP    0.0.0.0:49155          DicksmithMir-PC:0      LISTENING       1312
  TCP    0.0.0.0:49156          DicksmithMir-PC:0      LISTENING       768
  TCP    0.0.0.0:49159          DicksmithMir-PC:0      LISTENING       756
  TCP    127.0.0.1:80           DicksmithMir-PC:0      LISTENING       3916
  TCP    127.0.0.1:1110         DicksmithMir-PC:50639  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:60764  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:65183  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:65447  ESTABLISHED     1192
  TCP    127.0.0.1:3306         DicksmithMir-PC:49187  ESTABLISHED     3580
  TCP    127.0.0.1:3306         DicksmithMir-PC:49220  ESTABLISHED     3580
  TCP    127.0.0.1:3306         DicksmithMir-PC:63189  ESTABLISHED     3580
  TCP    127.0.0.1:9000         DicksmithMir-PC:49704  TIME_WAIT       0
  TCP    127.0.0.1:9000         DicksmithMir-PC:49713  TIME_WAIT       0
  TCP    127.0.0.1:49177        DicksmithMir-PC:49178  ESTABLISHED     4112
  TCP    127.0.0.1:49178        DicksmithMir-PC:49177  ESTABLISHED     4112
  TCP    127.0.0.1:49180        DicksmithMir-PC:49181  ESTABLISHED     4112
  TCP    127.0.0.1:49181        DicksmithMir-PC:49180  ESTABLISHED     4112
  TCP    127.0.0.1:49187        DicksmithMir-PC:3306   ESTABLISHED     3664
  TCP    127.0.0.1:49220        DicksmithMir-PC:3306   ESTABLISHED     3664
  TCP    127.0.0.1:50639        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:60764        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:63189        DicksmithMir-PC:3306   ESTABLISHED     6024
  TCP    127.0.0.1:65183        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:65447        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    192.168.1.64:139       DicksmithMir-PC:0      LISTENING       4
  TCP    192.168.1.64:49449     by2msg3010610:http     ESTABLISHED     4676
  TCP    192.168.1.64:49701     73:http                TIME_WAIT       0
  TCP    192.168.1.64:49717     36:http                TIME_WAIT       0
  TCP    192.168.1.64:49718     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49719     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49720     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49721     www-level3:http        SYN_SENT        4676
  TCP    192.168.1.64:49722     images:http            SYN_SENT        4676
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65448     117.18.239.138:https   ESTABLISHED     1192
  TCP    [::]:135               DicksmithMir-PC:0      LISTENING       1076
  TCP    [::]:445               DicksmithMir-PC:0      LISTENING       4
  TCP    [::]:5357              DicksmithMir-PC:0      LISTENING       4
  TCP    [::]:9000              DicksmithMir-PC:0      LISTENING       2160
  TCP    [::]:10000             DicksmithMir-PC:0      LISTENING       2160
  TCP    [::]:49152             DicksmithMir-PC:0      LISTENING       712
  TCP    [::]:49153             DicksmithMir-PC:0      LISTENING       1224
  TCP    [::]:49154             DicksmithMir-PC:0      LISTENING       1464
  TCP    [::]:49155             DicksmithMir-PC:0      LISTENING       1312
  TCP    [::]:49156             DicksmithMir-PC:0      LISTENING       768
  TCP    [::]:49159             DicksmithMir-PC:0      LISTENING       756
  UDP    0.0.0.0:123            *:*                                    1464
  UDP    127.0.0.1:1900         *:*                                    1464
  UDP    127.0.0.1:50183        *:*                                    4004
  UDP    127.0.0.1:60811        *:*                                    1464
  UDP    127.0.0.1:63871        *:*                                    4676
  UDP    192.168.1.64:137       *:*                                    4
  UDP    192.168.1.64:138       *:*                                    4
  UDP    192.168.1.64:1900      *:*                                    1464
  UDP    [::]:123               *:*                                    1464
  UDP    [::1]:1900             *:*                                    1464
  UDP    [::1]:60810            *:*                                    1464
  UDP    [fe80::2db9:744b:b623:ff59%9]:1900  *:*                                    1464
  UDP    [fe80::30fc:2bd2:3f57:febf%20]:1900  *:*                                    1464
  UDP    [fe80::4812:8da4:1c1:49d0%8]:1900  *:*                                    1464
  UDP    [fe80::8de2:bd9f:ba4e:d5a9%11]:1900  *:*                                    1464
0
 
LVL 82

Expert Comment

by:Dave Baldwin
"117.18.239.138" belongs to some guy in Santa Monica.  Port 3306 is normally MySQL and I believe you have XAMPP installed.  Ports 135, 137, and 138 are Netbios ports.  "www-level3" is usually Level3 Communications, a network service provider.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
"www-level3" is probably Experts Exchange thru Level3.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
TCPview from Sysinternals will show you which process is using the different connections.  http://technet.microsoft.com/en-us/sysinternals/bb897437
0
 

Author Comment

by:sydneyguy
Where does 117.18.239.138 come from? Is it on the list?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65448     117.18.239.138:https   ESTABLISHED     1192
0
 

Author Comment

by:sydneyguy
EdgeCast Networks Asia Pacific Network
117.18.239.138:https
is AAPT, the lousy IP provider that I am trying to get away from, so that's not the problem.
0
 
LVL 4

Expert Comment

by:rjpilcher
Are the downloads still occurring?  

Netstat is only going to give you a capture of open connections at the time you run it.

It may be better to try using Wireshark during the window these are occurring in.  Here's a quick guide:

http://portforward.com/networking/wireshark.htm

You can start a capture at :30 and then go over it.  Also, can you shut down both machines and see if the downloads continue?  Is it possible someone else is on your network?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Do you have a wireless network?  Is it secured?  WPA?  WEP?
0
 

Author Comment

by:sydneyguy
Here is a shot of data found after the scan, which I have taken off now. Also left one machine on and the other off to see which machine may be the problem.
malfound.png
0
 

Author Comment

by:sydneyguy
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6104

Windows 6.0.6000
Internet Explorer 7.0.6000.16851

20/03/2011 10:44:48 AM
mbam-log-2011-03-20 (10-44-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 891320
Time elapsed: 13 hour(s), 24 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5DR8ZAD8GX (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TG0PTF86JH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\dicksmith miranda\AppData\Local\Temp\nskA95B.tmp\NSISdl.dll (Trojan.Banker) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
0
 
LVL 4

Expert Comment

by:rjpilcher
And that could very well be your issue. I'd recommend running Malwarebytes again in safe mode to make sure it's clean and hasn't repopulated the infection.

0
 

Author Comment

by:sydneyguy
Thanks for the help.
So far I seem to have cleared the problem, or at worst know what machine it's on. Also it seems to stop when I disable RegCure. Still chasing it up, but thanks for both of your help.
0
 

Author Closing Comment

by:sydneyguy
Thanks for the help.
0