Massive internet usage in 10 days.

Discussion in 'malware problems & news' started by Script132, Feb 25, 2013.

Thread Status:
Not open for further replies.
  1. Script132

    Script132 Registered Member

    Joined:
    Feb 25, 2013
    Posts:
    7
    Location:
    Canada
    Hello forums!

    I have been reading a lot through this site to find some help, but I can't seem to find what I am looking for. I share usage of the internet with my fiancé and we are quite concerned over the amount used. Our internet has a 150g limit per month and a max speed of 4mbps.

    Over the past 10 days our computer alone has used 65g downloads and 16g uploads.

    So I ran Spybot SnD and ended a ton of processes; since I did so nothing has changed. I have also run Resource Monitor and the usage is constantly above 60kbps it seems.

    Freemeter tracks it as well, and I notice that the internet usage itself stays around 10kbps(ish) for 14 seconds then bursts for literally 1 second to about 1.5 mbps.

    I would really like some help on this matter, I do not wish to continue paying more per month for internet when I do not use the bandwidth myself. Let alone upgrading.

    Help!

    Thanks, - Mike

    Also, I can take screenshots etc if needed.
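The pattern Mike describes (a quiet link that spikes once every 15 seconds or so) is what a timer-driven process looks like in a bandwidth meter, and it can be told apart from human browsing by how regular the gaps are. The script below is an added example, not code from the thread or from Freemeter: it takes a list of per-second throughput readings (a constructed series shaped like the one in the post, not real measurements), picks out the bursts against the median baseline, checks whether they arrive on a fixed schedule, and projects the average rate to a monthly volume so it can be compared with a data cap.

```python
"""Spot periodic traffic bursts in a throughput log and project the volume."""
import statistics
from typing import Dict, List, Tuple

# Constructed sample: one reading per second in kbps, shaped like the pattern
# in the post (about 14 s near 10 kbps, then a one-second spike to ~1.5 Mbps).
# These are not real measurements.
SAMPLES_KBPS: List[float] = ([10.0] * 14 + [1500.0]) * 4


def find_bursts(samples: List[float], factor: float = 10.0) -> List[int]:
    """Indices of readings that stand out against the baseline.

    The baseline is the median, so a few spikes cannot drag it upward the way
    a mean would. A reading is a burst when it exceeds `factor` x baseline
    (with a 1 kbps floor so an idle link does not flag every packet).
    """
    if not samples:
        return []
    baseline = statistics.median(samples)
    threshold = max(baseline * factor, 1.0)
    return [i for i, value in enumerate(samples) if value > threshold]


def burst_period(indices: List[int]) -> Tuple[float, float]:
    """Mean and population std-dev (in samples) of the gap between bursts.

    Returns (0.0, 0.0) when there are fewer than two bursts.
    """
    gaps = [b - a for a, b in zip(indices, indices[1:])]
    if not gaps:
        return (0.0, 0.0)
    return (statistics.fmean(gaps), statistics.pstdev(gaps))


def is_regular(indices: List[int], tolerance: float = 0.1) -> bool:
    """True when the bursts arrive on a fixed schedule.

    A std-dev below `tolerance` x mean gap is the signature of software
    checking in on a timer; a person browsing produces irregular gaps.
    """
    mean, sd = burst_period(indices)
    return mean > 0 and sd / mean <= tolerance


def average_kbps(samples: List[float]) -> float:
    return statistics.fmean(samples) if samples else 0.0


def projected_gb_per_month(avg_kbps: float, days: int = 30) -> float:
    """Sustained throughput to decimal gigabytes per month (kbps = 1000 bit/s)."""
    bytes_per_second = avg_kbps * 1000 / 8
    return bytes_per_second * days * 24 * 3600 / 1e9


def summarize(samples: List[float]) -> Dict[str, object]:
    bursts = find_bursts(samples)
    mean_gap, sd_gap = burst_period(bursts)
    avg = average_kbps(samples)
    return {
        "bursts": len(bursts),
        "mean_gap_s": mean_gap,
        "gap_sd_s": sd_gap,
        "regular": is_regular(bursts),
        "average_kbps": avg,
        "gb_per_month": projected_gb_per_month(avg),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLES_KBPS).items():
        print(f"{key:>14}: {value}")
```

Feed it the readings exported from whatever meter you use (one value per second); a `regular` result with a short gap says "look for the process behind it", which is where the per-process views in Resource Monitor or Process Explorer come in.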
     
  2. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    I would suggest you run a scan with Hitman Pro, Webroot SecureAnywhere and Malwarebytes; Spybot is almost defunct these days. Also, is it possible some p2p application like uTorrent or DC++ is running?
     
  3. Script132

    Script132 Registered Member

    Joined:
    Feb 25, 2013
    Posts:
    7
    Location:
    Canada
    No, no torrent programs are running, nothing like it to be honest. DC++ also is not running. (To be honest not sure what it is :p)

    And is there any specific order you would suggest these programs to be used? Or just one?
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    FWIW, Process Explorer is a very useful, reputable tool and you can configure columns to display many different things including CPU history and network send & receive byte counts (and even deltas). You can launch it and sit back and watch it to get an overview of what is going on and look for something that is sending/receiving much data. It can be downloaded individually:

    http://technet.microsoft.com/en-us/sysinternals/bb896653

    or along with the other tools in the SysInternals Suite, which includes the Autoruns program Ronjor mentioned below.

    http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

    Wireshark is a very useful, reputable tool for network capture and protocol analysis. It allows you to see what is sent and received by your network adapter and examine the packets to determine where they come from, where they are headed, etc. You need some basic understanding of protocols in order to interpret what is displayed, but perhaps you have enough, or can skim a tutorial, or simply give it a go and be able to make sense of some things. Be sure to take advantage of the tools under the Statistics menu.

    http://www.wireshark.org/
     
    Last edited: Feb 25, 2013
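The Statistics menu mentioned above answers the question "where is the data going?" by totalling bytes per remote address. The script below is an added example, not code from the thread or from the Wireshark project: it does the same tally over a packet summary. The records are constructed for this example in the column layout a `tshark -T fields -e frame.time_relative -e ip.src -e ip.dst -e frame.len -E separator=,` export would give, and the local address 192.168.1.20 is an assumption. Besides ranking the top talkers it flags peers the machine mostly *uploads* to, which is the direction a spam or relay infection shows up in (and which a normal download-heavy home link rarely does).

```python
"""Tally bytes per remote endpoint from a packet summary, the way Wireshark's
Statistics > Endpoints view does, and flag upload-heavy peers."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: the machine under examination has this LAN address.
LOCAL_IP = "192.168.1.20"

# Constructed records: relative time, source, destination, frame length.
# Same columns as a tshark field export, but invented for this example.
SAMPLE_CSV = """\
0.000,192.168.1.20,203.0.113.10,1500
0.010,192.168.1.20,203.0.113.10,1500
0.020,203.0.113.10,192.168.1.20,60
1.000,192.168.1.20,198.51.100.5,200
1.050,198.51.100.5,192.168.1.20,1400
2.000,192.168.1.20,203.0.113.10,1500
2.500,192.168.1.30,192.168.1.255,120
"""

Counters = Dict[str, Dict[str, int]]


def endpoint_totals(csv_text: str, local_ip: str) -> Counters:
    """Bytes sent to (tx) and received from (rx) each remote address."""
    totals: Counters = defaultdict(lambda: {"tx": 0, "rx": 0})
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _, src, dst, length = row
        size = int(length)
        if src == local_ip:
            totals[dst]["tx"] += size
        elif dst == local_ip:
            totals[src]["rx"] += size
        # frames between other hosts (e.g. a neighbour's broadcast) are ignored
    return dict(totals)


def top_talkers(totals: Counters, n: int = 5) -> List[Tuple[str, int]]:
    """Remote addresses ordered by total bytes exchanged, largest first."""
    ranked = sorted(
        ((ip, t["tx"] + t["rx"]) for ip, t in totals.items()),
        key=lambda item: item[1], reverse=True)
    return ranked[:n]


def upload_heavy(totals: Counters, ratio: float = 0.8,
                 min_bytes: int = 1000) -> List[str]:
    """Peers to which the local host mostly *sends* data.

    Browsing and streaming are download-heavy, so a peer receiving `ratio`
    or more of the traffic (after at least `min_bytes`) is worth a closer
    look in the capture: it may be legitimate (cloud backup, a video call)
    or a sign the machine is relaying or uploading on its own.
    """
    flagged = []
    for ip, t in totals.items():
        total = t["tx"] + t["rx"]
        if total >= min_bytes and t["tx"] / total >= ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    totals = endpoint_totals(SAMPLE_CSV, LOCAL_IP)
    for ip, total in top_talkers(totals):
        print(f"{ip:>16}  tx={totals[ip]['tx']:>6}  rx={totals[ip]['rx']:>6}"
              f"  total={total}")
    print("upload-heavy:", upload_heavy(totals))
```

Once a remote address stands out, filtering the capture on it (`ip.addr == ...` in Wireshark) shows the port and protocol, and Process Explorer's TCP/IP tab or Resource Monitor ties that connection back to the process that owns it.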
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,083
    Location:
    Texas
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Open Resource Monitor and click the Network drop-down arrow. It should display all processes and their network usage. You can end processes as well.
     
  7. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    First question I would ask is: do you have a wireless connection? If so, how is it protected? Do you have a good wifi security setup or are you just using WEP? I can not say for sure of course, but it sounds like someone may be using your connection, or you may have some type of infection allowing someone else to use it for sending spam etc... Also, are you using anyone's DNS settings or just the normal default Windows ones? As said, if there are no torrent apps running at startup (this can cause this very easily). You can easily see this by running CCleaner and clicking Tools then Startup, and from there you can remove any torrent or disable things at startup to see if they are affecting things also.

    If you are SURE no one is using your connection then imo run a few things:

    1 - Run Hitman Pro, available for free to use. It will not remove major infections unless paid for, but it can give us an idea of what's going on.

    2 - Run Malwarebytes. Make sure it's fully updated; this is free to use, just be sure to download the free version from their website.

    3 - I would run Dr.Web CureIt! I like this program and it has really good rootkit detection.

    -----------------------------------------
    Now if you are sure you are not using a certain DNS or a custom one, you should make sure there is not a botnet that altered your settings. Let's flush your DNS; do the following.

    Start > All Programs > Accessories > Command Prompt. Rt-click on it and ‘Run As Administrator’. Type the following and hit enter: ipconfig /flushdns

    You can also check your DNS here: http://www.dns-changer.eu/en/check.html

    -------------------------------------------

    Lastly, for a quick check I would recc checking to make sure your hosts file has not been altered in a bad way. You can open the hosts file to view it simply by right clicking and selecting to open it in Notepad. You can post all the settings here or you are welcome to shoot me a PM and we can make sure they all look okay.

    --------------------------------------------
    First I would see what these all show, then we can go from there. Personally I don't like Spybot and have not in a long time; I personally don't think it's even worth running, but this is my opinion and others think differently. I have removed Spybot from more systems that were infected while running it than I even remember. We'll help as much as we can here and these are just a few quick things to start with. I see this issue A LOT with people who do not have good wireless protection and have someone like a neighbor etc. who is using their connection, or there is a botnet using their system to send out info etc. These are some things I will ask a client, just so you know, over the phone to start to get an idea of what's going on before going out to their home or business (not to run the above but the basic questions):

    Do you watch Netflix or streaming video? Or Xbox Live etc.?? There are a number of things that could cause this as you can see..
     
    Last edited: Feb 25, 2013
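The DNS and hosts-file checks in the post above can be done by eye in Notepad and `ipconfig /all`, but it is easy to miss one line in a long file. The script below is an added example, not code from the thread or from any of the tools named in it. It parses a hosts file (content constructed here to show the two kinds of tampering worth knowing about: a name pointed at some other machine, and a name other than localhost sinkholed to 127.0.0.1, which ad-blocking lists do on purpose and malware does to starve updaters) and pulls the configured resolvers out of an `ipconfig /all` excerpt (constructed, English-language labels assumed) so they can be compared against the ones you or your ISP actually set. One caveat worth stating: `ipconfig /flushdns` empties the resolver cache, it does not change which DNS servers are configured, so a rogue resolver only shows up in the second check.

```python
"""Audit the Windows hosts file and the configured DNS servers for tampering."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Windows reads name overrides from %SystemRoot%\System32\drivers\etc\hosts.
# This content is constructed for the example; it is not a file from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.example-bank.test    # constructed: sends a site elsewhere
127.0.0.1       update.example-av.test   # constructed: starves an updater
"""

# Constructed excerpt in the layout of `ipconfig /all` on an English Windows.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Names that legitimately point at loopback on a stock system.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs with comments and blank lines removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        entries.extend((address, name.lower()) for name in names)
    return entries


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Entries that deserve attention, each with a severity and reason.

    high   : a name is pointed at some other host
    review : a name other than localhost is sinkholed to loopback
    """
    findings = []
    for address, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"name": name, "address": address,
                             "severity": "high", "reason": "unparseable address"})
            continue
        if ip.is_loopback or ip.is_unspecified:
            if name not in DEFAULT_LOOPBACK_NAMES:
                findings.append({"name": name, "address": address,
                                 "severity": "review", "reason": "sinkholed to loopback"})
        else:
            findings.append({"name": name, "address": address,
                             "severity": "high", "reason": "redirected to another host"})
    return findings


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value.split("%", 1)[0])  # drop an IPv6 zone index
        return True
    except ValueError:
        return False


def dns_servers_from_ipconfig(text: str) -> List[str]:
    """DNS server addresses listed by `ipconfig /all` (English labels assumed).

    The first server sits on the 'DNS Servers' line; any extra servers follow
    on continuation lines that hold nothing but an address.
    """
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            first = line.split(":", 1)[1].strip()
            if first:
                servers.append(first)
            continue
        value = line.strip()
        if collecting and _is_ip(value):
            servers.append(value)
        else:
            collecting = False
    return servers


def audit_dns(servers: List[str], expected: Set[str]) -> List[str]:
    """Servers that are not in the set the user or ISP actually configured."""
    return [s for s in servers if s not in expected]


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"[{f['severity']:>6}] {f['name']} -> {f['address']}: {f['reason']}")
    found = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    print("DNS servers:", found, "unexpected:", audit_dns(found, {"192.168.1.1"}))
```

On a real machine, read the hosts file from the path above and pipe `ipconfig /all` into `dns_servers_from_ipconfig`; the `expected` set is the router's address or whatever your ISP documents, and anything else listed is what the dns-changer.eu check linked above is looking for.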
  8. Script132

    Script132 Registered Member

    Joined:
    Feb 25, 2013
    Posts:
    7
    Location:
    Canada
    First, I will note that I am impressed with how fast you guys are on replies.

    Second, the PM system says it is unavailable.

    And 3rd, I'm running Malwarebytes as we speak, I will post again when it is finished with the results.

    I am on wireless, and we share with our land lord (who is the one who first noticed the problem.) We both took our logs and it is very clearly my computer that is doing so.

    The wireless setting is WPA2-Personal, perhaps not secure enough? But again my computer logs it very clearly that the internet usage is coming from my computer.

    Never used hitman pro, and I am decent on computers, but when it comes to more technical things to look for I am still a bit of an amateur.

    ----------

    Ran Resource Monitor and under network the highest process is only 3kbps total. So perhaps what ever it is that is using the bandwidth is hidden from this program?

    Anyway the more replies the better, I will keep updating as I continue this ever so irritating "journey"

    Thanks again

    ----

    quick edit, DNS changer says I'm not infected with the DNS changer trojan. So that is okay from what I see
     
  9. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    WPA2 is very good. Let all of what I recc run and see what comes up. Also flush your DNS and check your hosts file. Let me know the results.

    I would still flush your DNS just to be sure no settings somehow got changed imo.
     
    Last edited: Feb 25, 2013
  10. Script132

    Script132 Registered Member

    Joined:
    Feb 25, 2013
    Posts:
    7
    Location:
    Canada
    Alright, I flushed my DNS, and Malwarebytes has finished with 22 results. Posting a picture of it now. Before I hit "Go" on the delete, I would like to know if you recognize any of these, as well as why the "PUP.Codec" etc. etc. ones are automatically unchecked.

    What next captain?
     
  11. Script132

    Script132 Registered Member

    Joined:
    Feb 25, 2013
    Posts:
    7
    Location:
    Canada
    Image
     

    Attached Files: mwb.png (175.3 KB)
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    You should also run Hitman Pro if you have not already done that. It is a cloud AV that scans your PC with several AVs at once. It may find things that Malwarebytes missed.
     
  13. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    I would say you have some cleaning up to do. Run Hitman Pro and post results as well. But it does appear you may very well be infected.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    How much data that you need is on that machine?

    What sort of data? Is it all Word etc documents, music, video, etc?

    Your best option might be to back up everything that you want to keep, at least twice on different media, and then do a clean Windows install.

    Before you do anything else, change all of your online passwords, using a different machine that's never been on the same LAN as your infected machine.

    Also, keep that machine off the Internet until it's clean.
     
  15. Script132

    Script132 Registered Member

    Joined:
    Feb 25, 2013
    Posts:
    7
    Location:
    Canada
    So clearly there is some stuff. I slowly scrolled through them all, and all from "Installhelper.dll" are all tracking cookies. Now, since I don't have the full version, where to from here?

    -----

    Edit: Mir, I have a ton of stuff I need kept on this computer. I hope to avoid that option altogether; if it's my last resort when it comes time then so be it.
     

    Attached Files: HMP.png (155.3 KB)
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, that would be the safest approach. One should always make backup images of their system as well. I use Shadow Protect, but it's a little pricy. I would suggest Acronis True Image to most.
     
  17. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    The first thing at this point I would do if this was my machine is make a FULL image. Use a reliable program (many free ones exist) just in case something happens when you start to remove things, then start to allow Malwarebytes to remove those items, all of them.

    I agree though the best option would be a clean install. The three programs I mentioned *should* clean things up, but there is always a possibility there may be things remaining. Macrium is a decent free one, and there are others, unless you use a paid one. For this you don't need a paid one. This is a precaution I would recc just in case, and normally I would recc having backups anyway...
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    How useful is an image in this case?

    Can you really trust imaging software running on a compromised machine?

    Wouldn't it be better to just boot with a Linux LiveCD, and back up only needed data (but no executables)?
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Go ahead and remove whatever Hitman Pro will remove, then do another full scan with Malwarebytes and Hitman Pro. Were you using an antivirus when you became infected? You should always use some sort of mitigation with Windows machines, whether it be a traditional AV, anti-executable, HIPS, sandboxing, or light virtualization. It's best to use a combination or layered approach. If you have not been using an AV then let us know, and we will try to make some recommendations, and you can learn for yourself which suits your needs best through trying them for yourself. Also there's no substitute for education. You should research to educate yourself about the different means by which users get infected. I have not had an infection of any kind that I'm aware of in over 15 years. I attribute that to a combination of education and using state of the art software for mitigating attacks. IMO, the well known AVs that the general population are familiar with are not the best means for protecting users from attacks.
     
  20. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    I recc an image; in the case removing these files causes a BSOD or any other major issue, they will be able to browse the image and recover the files that are important to them. ALWAYS create an image before doing anything like that imo. It's just a precaution that I don't personally think should be neglected, and an image in this case will be just fine if recovering files will be needed. Macrium, IFW, and most others allow an image to be mounted or browsed to recover pictures and documents etc. that are important. I am not saying to make the backup to recover to later BUT to save the important files that they may need in this case. I do not see any real danger in removing those files BUT it's always possible; I never do any major work to a client's system without either them having a backup or me creating one *just in case*. Better to have it than not to.

    Also here is a link for Dr.Web CureIt:

    ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
     
    Last edited: Feb 25, 2013
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The point was to make a backup image when the machine was most likely clean. It's too late now. I only do backup images on demand. I never run scheduled backup images. I create a backup image about once every week or two, depending on how many changes I have made to that machine. It takes a little education on every user's part to create a plan for a rainy day.
     
  22. Script132

    Script132 Registered Member

    Joined:
    Feb 25, 2013
    Posts:
    7
    Location:
    Canada
    Well, I deleted what Hitman Pro had noticed, and restarted the computer to see if any of it returned from start up, and it's all gone. The internet usage is now running well it seems, using only 3mb over the last 10m, and that includes browsing this site through a couple thread pages and what not. So far so good. I will make a full image and throw it on a flash drive tomorrow morning; for the time being I need some sleep. I will run Malwarebytes while I sleep and check it again in the morning.

    And as for AV, I had Norton for a year and haven't repurchased it since I found it was more irritating than it was useful. So any rec's would be greatly appreciated. You guys have no idea the weight that feels like it's gone from my shoulders even having this figured out temporarily. Post what you think is best for freeware AV and what not; I will take a look, and repost afterwards (most likely in the morning.)

    Thanks again Wilders users, nice to see some people out there spend the time of day just to help another out. It won't be forgotten any time soon.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @zfactor

    Yes, having an image is essential if he's going to clean up but not reinstall.

    But if it were my machine, I'd want independent copies of whatever I really needed, made by a different OS than the one that's compromised.

    Having both can't hurt, I suppose. But, as long as that machine is up, there's a chance that it'll get wiped in revenge.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would recommend Avast or Avira for a free AV. I heard Avira now contains adware in their free version, but I'm not sure since I do not use it. I used to use Avira paid, and liked it. I know Avast still offers a great free AV so try it first. You could also try AVG, but if it was me I would use Avast. Microsoft Security Essentials is also free, but I trust Avast with my protection more.
     
  25. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    Well, he stated he didn't want to format and do a clean install, which is why I would have ALWAYS recc'd a backup to save the files...

    Avast is very good; I recc ESET though for something that is pretty set and forget, even Avast will have more pop ups. I also like WSA if something light and non intrusive is important. There are many others also; the point is you NEED something unless you never want to do much at all online. Really, anything free is better than having nothing. I would agree Avast is the best freebie, and FortiClient is really nice also, a semi full suite and it's free. Many people jump all over me for saying this but imo MSE just plain sucks.
     