PC constantly downloading



amaru96
Junior Member with 18 posts.
THREAD STARTER
Join Date: Oct 2007
28-Dec-2007, 06:28 AM #1
Hi guys, I have a PC which is constantly downloading from the internet. I have no idea what it's downloading. I installed Bandwidth monitor to have a look and in a few minutes it had downloaded close to 5MB. I have no applications open. All I did was boot the PC and open up BandWidthMonitor to view the report.

I also installed ZoneAlarm to see if I could catch the program trying to access the internet but it didn't work. Even if I set ZoneAlarm to "Enable Internet Lock" it still continues downloading.

I ran TCPView to see what processes were accessing a remote address and there weren't that many and none that appeared obviously out of place.

I will get a HiJackThis log as soon as I can, but does anyone have any ideas?

Broly
Member with 379 posts.
Join Date: Dec 2007
Location: Raleigh, NC
Experience: Advanced
28-Dec-2007, 06:46 AM #2
Man,
I'm no expert but if I were you, the first thing I would do is snatch my internet cord. Reboot in safe mode and search for viruses, malware, etc. Post whatever findings on this site using another computer. These guys can help u. You got issues. Good Luck!

Broly
Member with 379 posts.
Join Date: Dec 2007
Location: Raleigh, NC
Experience: Advanced
28-Dec-2007, 06:54 AM #3
Before u do that though u could try to hit Ctrl, Alt, Delete and go to Processes. That will tell u what programs are currently running and hopefully the system resources that they are using. Hopefully this is a start. Good Luck.

D_B
Member with 73 posts.
Join Date: Aug 2007
Experience: Beginner
28-Dec-2007, 08:02 AM #4
Are your automatic updates disabled? I know that most firewalls see system.exe or svchost.exe as safe applications and then allow them to access the internet unsupervised. Check that maybe.

JohnWill
Retired Moderator with 106,412 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
28-Dec-2007, 08:22 AM #5
I have an idea, you have some sort of malware. Time for that HJT log.

Please post a HijackThis 2.00.2 Log here.

amaru96
Junior Member with 18 posts.
THREAD STARTER
Join Date: Oct 2007
29-Dec-2007, 06:09 AM #6
The AutoUpdates are disabled. I also went through all the processes and ended them one by one (as many as I could) and it didn't help.

Below is the Hijack log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:11 PM, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\FixCamera.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1161823464968
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6923 bytes
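
A first-pass triage of a log in this format, as an added example that is not part of the thread and not HijackThis's own logic. The sample lines are copied from the log above; the three review rules (missing file, unreadable publisher, autostart command without a path) are assumptions chosen for illustration, and a flagged line is only a prompt to look closer.

```python
import re
from collections import Counter

# Entry lines start with a section code such as R1, O2, O4 or O23.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Registry Run entries look like: HKLM\..\Run: [Name] command line
RUN_CMD = re.compile(r"Run: \[[^\]]*\] (?P<cmd>.+)$")

# Excerpt copied from the log posted above (header lines plus six entries).
SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

def first_token(cmd):
    """Executable part of a command line, honouring a leading quoted path."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]

def triage(log_text):
    """Return (entry count per section code, entries worth a manual look)."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, footer
        code, body = m["code"], m["body"]
        counts[code] += 1
        run = RUN_CMD.search(body) if code == "O4" else None
        if body.endswith("(no file)"):
            review.append((code, "registered file is missing", body))
        elif code == "O23" and " - Unknown owner - " in body:
            review.append((code, "publisher not readable from file", body))
        elif run and "\\" not in first_token(run["cmd"]):
            review.append((code, "autostart command has no path", body))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    for code, reason, body in review:
        print(f"{code}: {reason}: {body}")
```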

JohnWill
Retired Moderator with 106,412 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
29-Dec-2007, 10:43 AM #7
Install WireShark and monitor for a spell and see if you can find out where it's connecting. If you installed a firewall with outbound access, that would help identify the application responsible.

I'd try booting in safe mode with networking and see if it still happens. If not, then you can use MSCONFIG in normal mode to disable blocks of startup applications until you isolate the one responsible.
__________________
Remember: Data you don't have at least two copies of is data you don't care about.

amaru96
Junior Member with 18 posts.
THREAD STARTER
Join Date: Oct 2007
29-Dec-2007, 04:34 PM #8
I used Wireshark to capture the packets and found it was constantly sending ARP requests. Below is an example of what I saw:

55 46.358739 Cisco_f3:74:54 Broadcast ARP Who has 220.237.155.96? Tell 220.237.155.1

It went on and on until I turned the modem off - I only had it capturing for less than a minute and it reached over 3000 ARP requests/broadcasts.

I then placed a router in between the modem and PC and the broadcasts stopped (more like blocked by the router).

Is it normal for cable modems to behave like this?
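
A way to summarise a capture like the one described in this post, as an added example that is not part of the thread: it tallies ARP who-has requests from Wireshark's packet-list text and separates frames this PC sent from broadcasts it merely received. Only the first sample line comes from the post; the others, and the local adapter name `Dell_aa:bb:cc`, are constructed for the example.

```python
import re
from collections import Counter

# Wireshark packet-list columns: No. Time Source Destination Protocol Info
ARP_REQ = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ARP\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<asker>[\d.]+)"
)

# First line is the one quoted in the post; the rest are constructed.
SAMPLE = """\
55 46.358739 Cisco_f3:74:54 Broadcast ARP Who has 220.237.155.96? Tell 220.237.155.1
56 46.359102 Cisco_f3:74:54 Broadcast ARP Who has 220.237.155.14? Tell 220.237.155.1
57 46.361870 Cisco_f3:74:54 Broadcast ARP Who has 220.237.155.203? Tell 220.237.155.1
58 46.400000 Dell_aa:bb:cc Broadcast ARP Who has 220.237.155.1? Tell 220.237.155.77
59 46.858739 Cisco_f3:74:54 Broadcast ARP Who has 220.237.155.96? Tell 220.237.155.1
60 46.900000 220.237.155.77 203.0.113.10 TCP 1045 > 80 [SYN]
"""

def summarize_arp(text, local_names=()):
    """Tally ARP who-has requests and split them by who put them on the wire."""
    rows = [m.groupdict() for m in map(ARP_REQ.match, text.splitlines()) if m]
    if not rows:
        return None
    times = [float(r["time"]) for r in rows]
    span = max(times) - min(times)
    local = [r for r in rows if r["src"] in local_names]
    return {
        "requests": len(rows),
        "per_second": round(len(rows) / span, 1) if span > 0 else None,
        "askers": Counter(r["asker"] for r in rows),
        "distinct_targets": len({r["target"] for r in rows}),
        "sent_by_this_host": len(local),
        # Broadcasts from other stations: received by the PC, not requested by it.
        "inbound_broadcast": sum(
            r["dst"] == "Broadcast" and r["src"] not in local_names for r in rows
        ),
    }

if __name__ == "__main__":
    result = summarize_arp(SAMPLE, local_names={"Dell_aa:bb:cc"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

A summary dominated by one asker address and many distinct targets, with almost nothing sent by the local adapter, matches what the post reports: the traffic counter is seeing broadcasts arriving from the upstream device rather than a program on the PC downloading.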

JohnWill
Retired Moderator with 106,412 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
29-Dec-2007, 07:31 PM #9
Yep, I noticed that with Comcast when I had it. I was getting continuous ARP packets, Comcast was never able to explain to my satisfaction what was happening.

amaru96
Junior Member with 18 posts.
THREAD STARTER
Join Date: Oct 2007
30-Dec-2007, 04:46 AM #10
Seems to me like a bit of a scam by the ISP. As long as you have the modem on you are constantly downloading, even if your PC is off! Reach your download limit pretty quickly for a lot of people.

Thanks for your advice too.

JohnWill
Retired Moderator with 106,412 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
30-Dec-2007, 10:51 AM #11
Actually, the ARP requests don't count as traffic. Also, at least for Comcast, they don't have download limits. During a really busy month once, I downloaded more than 100gig on Comcast, never heard a word from them. I don't know about my Verizon FiOS, but I've downloaded a number of MSDN DVD images, and no complaints there either.

SdeWndr
Junior Member with 12 posts.
Join Date: Dec 2007
Experience: Intermediate
30-Dec-2007, 01:26 PM #12
Try disabling this BHO in your HJT log:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You may also try disabling the Yahoo! toolbars and search helpers if not just uninstalling them for troubleshooting purposes.

Have you run a spyware cleaner?

JohnWill
Retired Moderator with 106,412 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
30-Dec-2007, 05:51 PM #13
Quote:
Originally Posted by SdeWndr
Try disabling this BHO in your HJT log:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You may also try disabling the Yahoo! toolbars and search helpers if not just uninstalling them for troubleshooting purposes.

Have you run a spyware cleaner?
Be advised that you are not authorized to help with HijackThis logs on this forum. Please see the forum rules regarding replying to security related threads:

http://www.techguy.org/rules.html
Quote:
Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name. Anyone wishing to participate in a training program should contact a Moderator for more information.
Please refrain from replying to security related matters on this forum until you have presented evidence to one of the mods or admins here that proves you to be qualified to do so. If you are not yet qualified and interested in being trained, we will be glad to help you get enrolled at one of the free online training facilities. Just PM one of the mods that work Security and they'll point you in the right direction.

Thanks in advance for your cooperation.

Broly
Member with 379 posts.
Join Date: Dec 2007
Location: Raleigh, NC
Experience: Advanced
12-Jan-2008, 02:21 AM #14
Johnwill,
I would like to take some training and maybe get qualified in some of this stuff. What do I do? You can e-mail me with any info if u like.
Thanks
Broly OUT