Solved

large up downloads to my comp even when i am not using it for hours at a time

Posted on 2011-03-18
Last Modified: 2012-05-11
I am getting large downloads on my computer. I know I am not doing any large downloads, and the virus checker shows nothing.
It may be doing some form of updates, but auto updates is switched off,
and they are only 130 meg and would not run every couple of hours. It has downloaded about 4 gig in 3 days and it's not me doing it.
Is there any software that can show usage over the line etc.?
Any pointer in the right direction would be a help. Running Vista and an XP machine, though I have taken the XP offline to see if there is any difference.
datausage.png
Question by:sydneyguy
18 Comments
 
LVL 4

Accepted Solution

by:
rjpilcher earned 250 total points
ID: 35170175
Updates should not involve that much data.  Some things I would look at:

1. Running processes between :30 and :40 every hour - it seems these are happening at around the same time every 1-3 hours
2. Run a Malwarebytes scan (free)
3. Ensure you have no rogue entities on your network (are you using wireless?)
4. Run a netstat -ao > c:\example.txt every minute during this time - this will show you what ports are open and what process ID is associated with each; you can look up the PID in Task Manager to compare

This seems indicative of either someone tagging onto your network or malware
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35170371
Do you have a Bit-torrent client running for file sharing and downloading?
0
 

Author Comment

by:sydneyguy
ID: 35170418
I have not loaded any Bit-torrent client or am aware of any running in the background; how could I tell?
Am running Malwarebytes now.
0
 

Author Comment

by:sydneyguy
ID: 35170421
I have started netstat -ao > c:\example.txt
and will have a look at the log.
0
 

Author Comment

by:sydneyguy
ID: 35170432
My stats have just gone up another 200 meg and I was not even here.

Here is the log from the netstat, if that's any help:


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            DicksmithMir-PC:0      LISTENING       1076
  TCP    0.0.0.0:1110           DicksmithMir-PC:0      LISTENING       1192
  TCP    0.0.0.0:3306           DicksmithMir-PC:0      LISTENING       3580
  TCP    0.0.0.0:9000           DicksmithMir-PC:0      LISTENING       2160
  TCP    0.0.0.0:10000          DicksmithMir-PC:0      LISTENING       2160
  TCP    0.0.0.0:49152          DicksmithMir-PC:0      LISTENING       712
  TCP    0.0.0.0:49153          DicksmithMir-PC:0      LISTENING       1224
  TCP    0.0.0.0:49154          DicksmithMir-PC:0      LISTENING       1464
  TCP    0.0.0.0:49155          DicksmithMir-PC:0      LISTENING       1312
  TCP    0.0.0.0:49156          DicksmithMir-PC:0      LISTENING       768
  TCP    0.0.0.0:49159          DicksmithMir-PC:0      LISTENING       756
  TCP    127.0.0.1:80           DicksmithMir-PC:0      LISTENING       3916
  TCP    127.0.0.1:1110         DicksmithMir-PC:50639  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:60764  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:65183  ESTABLISHED     1192
  TCP    127.0.0.1:1110         DicksmithMir-PC:65447  ESTABLISHED     1192
  TCP    127.0.0.1:3306         DicksmithMir-PC:49187  ESTABLISHED     3580
  TCP    127.0.0.1:3306         DicksmithMir-PC:49220  ESTABLISHED     3580
  TCP    127.0.0.1:3306         DicksmithMir-PC:63189  ESTABLISHED     3580
  TCP    127.0.0.1:9000         DicksmithMir-PC:49704  TIME_WAIT       0
  TCP    127.0.0.1:9000         DicksmithMir-PC:49713  TIME_WAIT       0
  TCP    127.0.0.1:49177        DicksmithMir-PC:49178  ESTABLISHED     4112
  TCP    127.0.0.1:49178        DicksmithMir-PC:49177  ESTABLISHED     4112
  TCP    127.0.0.1:49180        DicksmithMir-PC:49181  ESTABLISHED     4112
  TCP    127.0.0.1:49181        DicksmithMir-PC:49180  ESTABLISHED     4112
  TCP    127.0.0.1:49187        DicksmithMir-PC:3306   ESTABLISHED     3664
  TCP    127.0.0.1:49220        DicksmithMir-PC:3306   ESTABLISHED     3664
  TCP    127.0.0.1:50639        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:60764        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:63189        DicksmithMir-PC:3306   ESTABLISHED     6024
  TCP    127.0.0.1:65183        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    127.0.0.1:65447        DicksmithMir-PC:nfsd-status  ESTABLISHED     4676
  TCP    192.168.1.64:139       DicksmithMir-PC:0      LISTENING       4
  TCP    192.168.1.64:49449     by2msg3010610:http     ESTABLISHED     4676
  TCP    192.168.1.64:49701     73:http                TIME_WAIT       0
  TCP    192.168.1.64:49717     36:http                TIME_WAIT       0
  TCP    192.168.1.64:49718     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49719     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49720     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49721     www-level3:http        SYN_SENT        4676
  TCP    192.168.1.64:49722     images:http            SYN_SENT        4676
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65448     117.18.239.138:https   ESTABLISHED     1192
  TCP    [::]:135               DicksmithMir-PC:0      LISTENING       1076
  TCP    [::]:445               DicksmithMir-PC:0      LISTENING       4
  TCP    [::]:5357              DicksmithMir-PC:0      LISTENING       4
  TCP    [::]:9000              DicksmithMir-PC:0      LISTENING       2160
  TCP    [::]:10000             DicksmithMir-PC:0      LISTENING       2160
  TCP    [::]:49152             DicksmithMir-PC:0      LISTENING       712
  TCP    [::]:49153             DicksmithMir-PC:0      LISTENING       1224
  TCP    [::]:49154             DicksmithMir-PC:0      LISTENING       1464
  TCP    [::]:49155             DicksmithMir-PC:0      LISTENING       1312
  TCP    [::]:49156             DicksmithMir-PC:0      LISTENING       768
  TCP    [::]:49159             DicksmithMir-PC:0      LISTENING       756
  UDP    0.0.0.0:123            *:*                                    1464
  UDP    127.0.0.1:1900         *:*                                    1464
  UDP    127.0.0.1:50183        *:*                                    4004
  UDP    127.0.0.1:60811        *:*                                    1464
  UDP    127.0.0.1:63871        *:*                                    4676
  UDP    192.168.1.64:137       *:*                                    4
  UDP    192.168.1.64:138       *:*                                    4
  UDP    192.168.1.64:1900      *:*                                    1464
  UDP    [::]:123               *:*                                    1464
  UDP    [::1]:1900             *:*                                    1464
  UDP    [::1]:60810            *:*                                    1464
  UDP    [fe80::2db9:744b:b623:ff59%9]:1900  *:*                                    1464
  UDP    [fe80::30fc:2bd2:3f57:febf%20]:1900  *:*                                    1464
  UDP    [fe80::4812:8da4:1c1:49d0%8]:1900  *:*                                    1464
  UDP    [fe80::8de2:bd9f:ba4e:d5a9%11]:1900  *:*                                    1464
0
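The accepted answer suggests capturing netstat -ao every minute and comparing PIDs by hand. The following Python example is added here and is not code from the thread: it parses snapshots in the same column layout as the dump above, keeps only TCP sessions that leave the machine (loopback, the local hostname and LISTENING sockets are dropped), and reports the PIDs that appear with an outside connection in every snapshot. The hostname DicksmithMir-PC and the rows of the first snapshot are copied from the dump; the second snapshot is constructed to stand in for the next minute's run.

```python
import re
from collections import defaultdict

# Header plus a handful of rows copied from the netstat -ao dump posted above;
# SNAPSHOT_2 is a constructed follow-up run, as if taken a minute later.
SNAPSHOT_1 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            DicksmithMir-PC:0      LISTENING       1076
  TCP    127.0.0.1:3306         DicksmithMir-PC:49187  ESTABLISHED     3580
  TCP    192.168.1.64:49718     www-level3:http        ESTABLISHED     4676
  TCP    192.168.1.64:49721     www-level3:http        SYN_SENT        4676
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  UDP    0.0.0.0:123            *:*                                    1464
"""
SNAPSHOT_2 = """
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65448     117.18.239.138:https   ESTABLISHED     1192
  TCP    127.0.0.1:80           DicksmithMir-PC:0      LISTENING       3916
"""
# TCP rows carry a State column, UDP rows do not; the PID is always last.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
LOCAL_HOSTS = {"*", "127.0.0.1", "[::1]", "DicksmithMir-PC"}  # the poster's own box

def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows

def external_by_pid(rows):
    """PID -> sorted foreign hosts for TCP sessions that actually leave the
    machine (loopback, the local hostname and LISTENING sockets are ignored)."""
    hosts = defaultdict(set)
    for r in rows:
        host = r["foreign"].rsplit(":", 1)[0]          # drop the ":port" part
        if r["proto"] == "TCP" and r["state"] != "LISTENING" and host not in LOCAL_HOSTS:
            hosts[r["pid"]].add(host)
    return {pid: sorted(h) for pid, h in hosts.items()}

def persistent_pids(snapshots):
    """PIDs with an outside connection in every snapshot: a PID present every
    minute is the one to look up first in Task Manager or TCPView."""
    per_snapshot = [set(external_by_pid(parse_netstat(s))) for s in snapshots]
    return sorted(set.intersection(*per_snapshot)) if per_snapshot else []
```

Feed it the contents of each c:\example.txt you saved, one string per run, and the surviving PIDs are the processes to identify next.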
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35170476
"117.18.239.138" belongs to some guy in Santa Monica.  Port 3306 is normally MySQL and I believe you have XAMPP installed.  Ports 135, 137, and 138 are Netbios ports.  "www-level3" is usually Level3 Communications, a network service provider.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35170483
"www-level3" is probably Experts Exchange thru Level3.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 35170491
TCPview from Sysinternals will show you which process is using the different connections.  http://technet.microsoft.com/en-us/sysinternals/bb897437
0
 

Author Comment

by:sydneyguy
ID: 35170511
Where does 117.18.239.138 come from? Is it on the list??
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35170784
  TCP    192.168.1.64:50640     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:60765     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65184     117.18.239.138:https   ESTABLISHED     1192
  TCP    192.168.1.64:65448     117.18.239.138:https   ESTABLISHED     1192
0
 

Author Comment

by:sydneyguy
ID: 35171177
Edgecast Networks Asia Pacific Network
117.18.239.138:https
is AAPT, the lousy IP provider that I am trying to get away from, so that's not the problem.
0
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35172489
Are the downloads still occurring?  

Netstat is only going to give you a capture of open connections at the time you run it.

It may be better to try using Wireshark during the window these are occurring in.  Here's a quick guide:

http://portforward.com/networking/wireshark.htm

You can start a capture at :30 and then go over it.  Also, can you shut down both machines and see if the downloads continue?  Is it possible someone else is on your network?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35172517
Do you have a wireless network?  Is it secured?  WPA?  WEP?
0
 

Author Comment

by:sydneyguy
ID: 35173572
Here is a shot of the data found after the scan, which I have taken off now. I also left one machine on and the other off to see which machine may be the problem.
malfound.png
0
 

Author Comment

by:sydneyguy
ID: 35173578
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6104

Windows 6.0.6000
Internet Explorer 7.0.6000.16851

20/03/2011 10:44:48 AM
mbam-log-2011-03-20 (10-44-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 891320
Time elapsed: 13 hour(s), 24 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5DR8ZAD8GX (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TG0PTF86JH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\dicksmith miranda\AppData\Local\Temp\nskA95B.tmp\NSISdl.dll (Trojan.Banker) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
0
 
LVL 4

Expert Comment

by:rjpilcher
ID: 35173602
And that could very well be your issue. I'd recommend running Malwarebytes again in safe mode to make sure it's clean and hasn't repopulated the infection.
0
 

Author Comment

by:sydneyguy
ID: 35312659
Thanks for the help.
So far I seem to have cleared the problem, or at worst know which machine it's on. Also, it seems to stop when I disable RegCure. Still chasing it up, but thanks for both of your help.
0
 

Author Closing Comment

by:sydneyguy
ID: 35312697
Thanks for the help.
0
