Win XP System Continuously Downloading Data

[DirtRider]

I suspect this is in the incorrect area but I just could not seem to see where it should go, sorry.

Anyway this is my issue at hand. I have a WinXP box that seems to be continuously downloading data. Now we pay per meg for our bandwidth this side so this is becoming a huge issue to me. I have a bandwidth monitor on that system that will show huge amounts of downloads and some uploads when I am not even at the PC. I am talking a few Gig in a weekend (this PC is at my office and not used weekends).

I have disabled all automatic updates with now result. I have the following programs installed for security.

AVG Free
Zone Alarm
SuperAnti Spyware

Additionally I have done various scans with different house call antivirus and nothing. I mostly use this system for mail and browsing the internet so the following programs are normally running.

FireFox
MS Outlook

I don't have any P2P applications installed and no SkyPe either. I have now reach the stage that I am considering formatting and doing a clean install but as a last resort I thought I would ask here for help. Right now I am only turning on the router and connecting to the internet when I need to do work on the above applications

[Keyboard_Commando]

Download TCPView, if you don't have it already, and see which exe's are connecting.

And if you find many instances of Svchost, use Svchost Viewer to narrow it down.

I would add Malwarebytes to your current scanners. In my experience it has found something other scanners haven't.

[DirtRider]

Ok let me try that but it will now only be on Monday when I am back at the office then I will post the results here

[Cudni]

also you can set ZA to block all traffic while not around. Then check its logs to see what was trying to access the net

[DirtRider]

Thanks I never thought of doing that

[clubhouse]

Quote:

Originally Posted by Keyboard_Commando

Download TCPView, if you don't have it already, and see which exe's are connecting.

And if you find many instances of Svchost, use Svchost Viewer to narrow it down.

I would add Malwarebytes to your current scanners. In my experience it has found something other scanners haven't.

Useful...glad I saw this

[LockBox]

Quote:

Originally Posted by Cudni

also you can set ZA to block all traffic while not around. Then check its logs to see what was trying to access the net

Absolutely. Finding out what was trying to access the net is better than finding out was has already accessed the net. At any rate, you need to find out what's going on and Keyboard_Commando had two good tools to find out.

[DirtRider]

Ok I just had a look at my ZA and it seems it does not give me an option to block traffic at scheduled times at all, this is the free version. I have also started running TCPView now to try and see what is doing this

[DirtRider]

Ok what I now did is download NetBalance and I noticed that I still had a lot of leftovers from when I was running iTunes. So I have uninstalled all of that and it seemed to have helped but this is what I still have using data, see attached.

The thing is I am not sure what some of these are for lsass.exe. Looking it up it seems it is a local server of some sorts should I have this running on this PC? Ok I have now also removed IIS on this PC and this seemed to have stopped the traffic on the lsass.exe. Not sure why IIS was running anyway

[fax]

I would not waste too much time if you don't know well how to move around (e.g. its normal to see "lsass.exe" on standard XP installation), Just post relevant logs at Bleepingcomputer or SpywareHammer to have your system reviewed (malware infection).

Normally you don't install IIS on the system or at least you should recall having installed it. This is not a good sign.

[DirtRider]

Well the problem seem to be a lot better now that I got rid of all the iTunes stuff. The IIS I do now remember installing it to test something but then forgot about it. I will also try what you suggested when I am back in the office again, thanks