Mysterious data dumping

#1
jannel
  • Member
  • 10 posts
racenutalways in the malware forum helped me scrub my computer clean for any type of malware, and so suggested I post about my problem here to see if anyone had ideas:

About a month ago, I started getting messages from the network admin that my connection was being slowed because I was exceeding the daily transfer quota. Now I've been on this same connection for years and have done nothing new lately: I'm not a gamer, don't P2P fileshare, don't host any websites and don't even IM. Nothing to account for huge data transfer. I do work from home, but these messages are usually appearing on the weekends, not the weekdays when I work (and besides my work doesn't require that amount of data transfer). This was the first time I had ever gotten such messages.

I called the admin to monitor my traffic and he immediately suspected a trojan. Apparently everything looks normal until every five hours, on schedule, there is some program on my computer taking a massive data dump (pardon the terminology). Aside from those five-hour intervals (at the top of the hour) he said my traffic is normal. He said he couldn't determine on his end which program.

Here is the thread containing my logs and the collaboration with racenutalways in looking for any malware. He has pronounced my computer clean.

At first it seemed to stop after cleaning out old JavaScript, and I thought the problem had stopped, but then it started up again.
#2
Major Payne
  • Retired Staff
  • 5,307 posts
This may or may not help you, but you could go through this list and check it against your version of Win XP to see if there is any relevant change you can make, especially the items under "Advanced Security Settings":

Windows XP Security Checklist

Disable Dump File Creation
A dump file can be a useful troubleshooting tool when either the system or an application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to Control Panel > System > Advanced > Startup and Recovery and changing the option for "Write Debugging Information" to None. If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved, but be sure to disable it again later and delete any stored dump files.

Not that much of an expert on this, so if we don't get anywhere, I'll ask for additional help.

Ron

#3
dsenette
  • Je suis Napoléon!
  • Administrator
  • 26,019 posts
  • MVP
you could also download Wireshark (formerly Ethereal) and run a packet capture on your system (read the instructions on how to do a basic capture and save that capture to a file)....it would be great to have a whole day's worth of stuff....but since that file would be MASSIVE...it would probably be better to catch the traffic just before and during one of these "dumps".....how long do the dumps last? are they EXTREMELY predictable?

#4
jannel
  • Topic Starter
  • Member
  • 10 posts
I disabled the dump file and also downloaded Wireshark. However, the incidents have not been reliable enough for me to capture anything with Wireshark.

#5
dsenette
  • Je suis Napoléon!
  • Administrator
  • 26,019 posts
  • MVP
well....you could leave wireshark running for an extended period....then extract a certain time period from the logs when you know an "event" has occurred....stuff like this is really hard to nail down
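The approach in #3 and #5 (capture for a long stretch, then pull out the window around a known "event") leaves one manual step: finding the event window in a day's worth of traffic and seeing which remote host the bytes went to. The script below is an added example written for this thread, not code from the forum or from Wireshark. It assumes the capture has already been exported to flat per-flow records of (timestamp, remote host, bytes sent), which is the kind of summary Wireshark's conversation statistics or a field export can give you; the records it runs on are constructed sample data that mimic the symptom described in #1 (a burst at the top of every fifth hour), and the host addresses are RFC 5737 documentation addresses, not real ones.

```python
"""Locate periodic upload bursts in a long-running capture summary.

Added example for the thread above; not the forum's or Wireshark's code.
Assumes records of (timestamp, remote_host, bytes_out) exported from a
capture. The sample data below is constructed, not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BURST_HOST = "203.0.113.7:443"          # constructed (RFC 5737 address)
BASELINE_HOSTS = ["198.51.100.10:80", "198.51.100.11:443", "198.51.100.12:80"]
DAY_START = datetime(2009, 6, 6, 0, 0, 0)   # arbitrary constructed day


def build_sample_records():
    """Constructed day of traffic: small flows every 3 minutes, plus a
    ten-minute upload burst at 00:00, 05:00, 10:00, 15:00 and 20:00."""
    records = []
    for minute in range(0, 24 * 60, 3):
        ts = DAY_START + timedelta(minutes=minute)
        host = BASELINE_HOSTS[minute % len(BASELINE_HOSTS)]
        records.append((ts, host, 2_000 + (minute * 37) % 1_500))
    for hour in range(0, 24, 5):
        for second in range(0, 600, 2):
            ts = DAY_START + timedelta(hours=hour, seconds=second)
            records.append((ts, BURST_HOST, 60_000))
    return records


def bytes_per_hour(records):
    """Sum bytes_out into buckets keyed by the start of each hour."""
    totals = defaultdict(int)
    for ts, _host, nbytes in records:
        totals[ts.replace(minute=0, second=0, microsecond=0)] += nbytes
    return dict(totals)


def find_burst_hours(hour_totals, factor=5.0):
    """Hours whose volume exceeds `factor` times the median hour, in order.
    The median is used so the bursts themselves do not inflate the baseline."""
    typical = median(hour_totals.values())
    return sorted(h for h, total in hour_totals.items() if total > factor * typical)


def burst_intervals_hours(burst_hours):
    """Distinct gaps (hours) between consecutive flagged hours.
    A single value means the bursts run on a fixed schedule."""
    gaps = {int((b - a).total_seconds() // 3600)
            for a, b in zip(burst_hours, burst_hours[1:])}
    return sorted(gaps)


def top_talkers(records, start, end, n=3):
    """Remote hosts ranked by bytes sent within [start, end)."""
    per_host = defaultdict(int)
    for ts, host, nbytes in records:
        if start <= ts < end:
            per_host[host] += nbytes
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


def analyse(records, factor=5.0):
    """Flag burst hours, measure their spacing and name the destination
    that received the bulk of each burst."""
    totals = bytes_per_hour(records)
    bursts = find_burst_hours(totals, factor)
    windows = {h: top_talkers(records, h, h + timedelta(hours=1)) for h in bursts}
    return {
        "burst_hours": bursts,
        "intervals_hours": burst_intervals_hours(bursts),
        "top_talkers": windows,
    }


if __name__ == "__main__":
    summary = analyse(build_sample_records())
    for h in summary["burst_hours"]:
        host, nbytes = summary["top_talkers"][h][0]
        print(f"{h:%Y-%m-%d %H:%M}  {nbytes / 1e6:6.1f} MB to {host}")
    print("schedule gaps (hours):", summary["intervals_hours"])
```

With the flagged hour and destination in hand, the remaining step on the affected machine is to match that destination against the process-to-socket listing taken during the next expected burst (for example `netstat -b` on Windows XP), which is what the network admin in #1 could not see from his side.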

#6
jannel
  • Topic Starter
  • Member
  • 10 posts
It's not even consistent in terms of days, though. For example, I can go a week and not get one of those messages. Other times, it will pop up two or three days in a row. It's maddening because I can't figure out what's causing it.