The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Excessive upload

    Discussion in 'Windows OS and Software' started by lozanogo, Jul 1, 2011.

  1. lozanogo

    lozanogo Notebook Deity

    Hello guys, I have an issue with my wife's laptop.

    In the past weeks I have followed a strange trend of uploading a huge amount of data (500 megs or so) on certain days, which I find unusual since most of the time she uses it for the everyday regular needs: email, some YouTube videos, Facebook, Skype, etc.

    As additional data: I have followed this trend for a few weeks and I'm sure she has not uploaded to facebook a huge amount of photos, and for the use of video in skype: it has never been that much for one hour talking with friends. I've run the antivirus and spyware and so far nothing.

    Has anyone found something like that or do you have any recommendations?

    Thanks beforehand for your help.
     
  2. Pitabred

    Pitabred Linux geek con rat flail!

    Sounds like a virus or something. Lots of stealth infections any more that use computers for file servers, and they'll subvert antivirus programs by running as a rootkit... might try installing a wireshark or something and watching the traffic a bit.
     
  3. newsposter

    newsposter Notebook Virtuoso

    Also make sure that whatever spyware/monitor program you are using to look in on your wife's machine is giving you accurate numbers.

    Have you asked HER what she might be doing?
     
  4. olyteddy

    olyteddy Notebook Deity

    Some nefarious soul has probably turned your wife's laptop into a 'SpamBot'...
     
  5. lozanogo

    lozanogo Notebook Deity

    What is a wireshark? Actually I feel the same in that there is a deep threat installed.

    @ newsposter: Yes, we've had a bit of (sometimes bitter) conversations. At this moment I am sure it is not her uploading tons of pics to Facebook or using Picasa's picture editing tools (the only two activities where she could possibly upload such an amount of data).

    @ olyteddy: any suggestions on how to 'exorcise' my wife's laptop? I could use holy water but I fear the circuitry'll burn :p
     
  6. KLF

    KLF NBR Super Modernator Super Moderator

  7. lozanogo

    lozanogo Notebook Deity

    Thanks KLF, I'll run and let you know if it found anything.
     
  8. 6730b

    6730b Notebook Deity

    Clean the machine as suggested. And check regularly with Resource Monitor in W7 (available through Task Manager, or just type resmon in Run; don't know if it's in all W7 versions). Go to Network and check for suspicious activity in Network Activity and TCP Connections.

    A good and simple monitor: System utilities, password recovery and network tools, miscellaneous software with source code > Network Activity Indicator "displays the old 'two monitors' icon in Windows 7 that flashed blue to show network activity on the System Tray", like in the XP days, very good for spotting any unsolicited activity. Basically, no flashing whatsoever should occur on its own. If it does light up, find the source (some programs \ Windows updates etc. are legit; if any programs 'phone home' more than they should, block them with firewall).
     
  9. michael_recycled

    michael_recycled Notebook Deity

    Flatten and rebuild. --> technet.microsoft.com/en-us/library/cc512587.aspx
    Before, you might check the computer from a Live CD. These are available from many AV software manufacturers. Any AV software running on a possibly compromised system can't be trusted at all.

    Michael
     
  10. Pitabred

    Pitabred Linux geek con rat flail!

    Wireshark is a program. It may not work directly from your wife's machine, so you may want to install it on a clean machine and use a wired ethernet hub (NOT A SWITCH) and sniff the traffic going through. An RJ45 splitter may even work, because you're just going to want to be listening with wireshark, not transmitting anything.

    But if you don't want to find what the actual problem is, I would recommend nuking and paving. I would do that no matter what, actually. Including an MBR format/rebuild because there are a number of viruses that are putting themselves there recently. Wireshark is just if you're curious about what program is actually causing the traffic ;)
     
  11. lozanogo

    lozanogo Notebook Deity

    Ok, before anything, thanks for the support and suggestions.

    Using Malwarebytes there were 4 threats that were removed.

    Before nuking the laptop, I want to see if these excessive uploads are cut. I'll take a look at the suggestions of 6730b and Pitabred. Since the excessive uploads have been occurring on weekdays, I'll have to wait a few more days to see if the problem was solved.
     
  12. lozanogo

    lozanogo Notebook Deity

    Hey guys, just for a quick report: it seems the detection from Malwarebytes has stopped these excessive uploads. Thanks again for all the suggestions and support :D
     
  13. atbnet

    atbnet Notebook Prophet

    Do you remember what the infections were called?
     
  14. redrazor11

    redrazor11 Formerly waterwizard11

    They should be in a log file generated by MBAM
     
  15. flipfire

    flipfire Moderately Boss

    What are you using to monitor the traffic? I suggest using Networx for better stats monitoring.

    A quick way to tell if your machine is a zombie is by running cmd > netstat -na or using Networx Netstat tool. This will list all the active connections in your machine.
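
The `netstat -na` check suggested above can be turned into a repeatable triage step by parsing its output. The following is an added example, not part of any post in the thread: it groups established connections to non-local hosts by remote port and lists the listening ports. The sample output is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -na` output; remote hosts use documentation ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED
  TCP    192.168.1.20:49201     203.0.113.10:25        ESTABLISHED
  TCP    192.168.1.20:49202     203.0.113.11:25        ESTABLISHED
  TCP    192.168.1.20:49203     198.51.100.7:25        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
"""

# Loopback, link-local and private ranges: traffic that stays on the LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def parse_netstat(text):
    """Yield (local, remote, state) for TCP rows; a PID column from -o is ignored."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP":
            yield split_endpoint(parts[1]), split_endpoint(parts[2]), parts[3]

def is_external(addr):
    """True if addr lies outside this machine and the local network."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    return not ip.is_unspecified and not any(
        ip.version == n.version and ip in n for n in LOCAL_NETS)

def external_by_port(text):
    """Map remote port -> number of distinct external hosts (ESTABLISHED only)."""
    hosts = {}
    for _, (raddr, rport), state in parse_netstat(text):
        if state == "ESTABLISHED" and is_external(raddr):
            hosts.setdefault(rport, set()).add(raddr)
    return {port: len(addrs) for port, addrs in hosts.items()}

def listening_ports(text):
    """Sorted local TCP ports that accept inbound connections."""
    return sorted({loc[1] for loc, _, s in parse_netstat(text) if s == "LISTENING"})

if __name__ == "__main__":
    print(external_by_port(SAMPLE), listening_ports(SAMPLE))
```

Many distinct external hosts on one remote port, with no matching program open, is the pattern worth tracing to a process; `netstat -nao` adds the owning PID as a fifth column.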