Mystery downloading: how to track it down

jwazevedo

I have a dial-up connection to the Internet. Recently, the Internet connection status dialog shows that the computer is receiving a steady stream of bytes, even when no program is running (IE7 and Outlook Express not started). I've turned off Windows Update notification. I've restarted. Still, the next time I connect, the bytes start their relentless arrival. How do I figure out what service is requesting this download? It's maddening.

Thanks,
Jerry
 
Let's make sure you don't have something nasty on your system.

Go and read this thread HERE, then post a HJT log as an attachment.

Regards Howard :)

This thread is for the use of jwazevedo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here's the log, which I ran today. I should mention that I've done a virus scan with AVG and a spyware scan with SpyBot S&D, both of which came up normal. I also looked in msconfig and found an untitled service, so I did a selective startup without it. The mystery download did eventually stop, but when I checked msconfig again, the untitled service was gone, so that may be a red herring. Anyway, I'm hoping this was some sort of transient glitch that will not return. If you see anything suspicious in the log, though, I'd like to know about it. Also, if you know of any software that I can run to track what service or site is communicating with my computer, I'd be curious to hear about that too. Thanks for the help.

Jerry
 
Please rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log. This is because some malware can hide from HijackThis.exe.

Regards Howard :)

 
Sorry. I thought I was supposed to rename the log file, not the exe. Here is the fresh log file created with the renamed HijackThis1991.exe.

Jerry
 
Your HJT log is clean.

Just have HJT fix this entry.

O11 - Options group: [INTERNATIONAL] International*

Click the fix checked button.

You might be able to find the untitled service by typing services.msc into the run box and pressing the enter key. When the services window opens, maximise it and see if you can find the service.

I do agree it sounds suspicious.

Check in your firewall software logs for possible info on the mystery download. It is possible that the download was perfectly legit, i.e. some programme you have may have been simply updating?

Other than the above, I don't know what else to suggest.

Regards Howard :)

 
Thanks for the many tips. In checking the firewall log, I find a repeated attempt to enter through port 6881 over the period in question, so maybe the "download" was simply the rebuffing of the swarm by my firewall. Anyway, you've given me some good ideas for the future. Thanks.

Jerry
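
The firewall-log check from the last post, as an added example that is not part of the original thread: it tallies dropped inbound packets per destination port so a repeated probe such as the one on port 6881 stands out. The thread does not name the firewall product, so the Windows Firewall `pfirewall.log` layout is an assumption, and the sample lines, addresses and the names `summarize_drops` and `report` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the Windows Firewall pfirewall.log layout (documentation IPs).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2007-03-01 20:14:02 DROP TCP 198.51.100.7 192.0.2.10 51823 6881 48 S 1234 0 65535 - - -
2007-03-01 20:14:05 DROP TCP 203.0.113.44 192.0.2.10 40112 6881 48 S 2345 0 65535 - - -
2007-03-01 20:14:09 DROP UDP 198.51.100.7 192.0.2.10 6881 6881 95 - - - - - - -
2007-03-01 20:15:30 DROP TCP 203.0.113.90 192.0.2.10 33100 6881 48 S 3456 0 65535 - - -
2007-03-01 20:15:41 OPEN TCP 192.0.2.10 192.0.2.53 1045 80 - - - - - - - -
2007-03-01 20:16:00 DROP TCP 198.51.100.200 192.0.2.10 2201 135 48 S 4567 0 65535 - - -
"""

def summarize_drops(text, local_ip):
    """Group DROP entries aimed at local_ip by (protocol, dst-port)."""
    fields = []
    stats = defaultdict(lambda: {"count": 0, "sources": set(), "first": None, "last": None})
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("action") != "DROP" or row.get("dst-ip") != local_ip:
            continue                       # only packets the firewall rebuffed
        if not row.get("dst-port", "").isdigit():
            continue                       # ICMP rows carry no port number
        s = stats[(row["protocol"], int(row["dst-port"]))]
        stamp = row["date"] + " " + row["time"]
        s["count"] += 1
        s["sources"].add(row["src-ip"])
        s["first"] = s["first"] or stamp
        s["last"] = stamp
    return dict(stats)

def report(stats):
    """One line per port, busiest first."""
    ranked = sorted(stats.items(), key=lambda kv: -kv[1]["count"])
    return [f"{proto}/{port}: {s['count']} drops from {len(s['sources'])} sources, "
            f"{s['first']} to {s['last']}" for (proto, port), s in ranked]

if __name__ == "__main__":
    print("\n".join(report(summarize_drops(SAMPLE_LOG, "192.0.2.10"))))
```

Many distinct sources hitting one port over the same window as the unexplained inbound byte count points to unsolicited traffic being dropped rather than a local program downloading.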
 