[jannel]

racenutalways in the malware forum helped me scrub my computer clean for any type of malware, and so suggested I post about my problem here to see if anyone had ideas:

About a month ago, I started getting messages from the network admin that my connection was being slowed because I was exceeding the daily transfer quota. Now I've been on this same connection for years and have done nothing new lately: I'm not a gamer, don't P2P fileshare, don't host any websites and don't even IM. Nothing to account for huge data transfer. I do work from home, but these messages are usually appearing on the weekends, not the weekdays when I work (and besides my work doesn't require that amount of data transfer). This was the first time I had ever gotten such messages.

I called the admin to monitor my traffic and he immediately suspected a trojan. Apparently everything looks normal until every five hours, on schedule, there is some program on my computer taking a massive data dump (pardon the terminology). Aside from those five hours intervals (at the top of the hour) he said my traffic is normal. He said he couldn't determine on his end which program.

Here is the thread containing my logs and the collaboration with racenutalways in looking for any malware. He has pronounced my computer clean.

At first it seemed to stop after cleaning out old JavaScript, and I thought the problem had stopped, but then it started up again.

[Advertisements]

This may or may not help you, but if you could go through this list and check against your version of Win XP to see if there is any relevant change you can make. Especially items under "Advanced Security Settings":

Windows XP Security Checklist

Disable Dump File Creation
A dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to the Control Panel > System > Advanced > Startup and Recovery and change the options for 'Write Debugging Information" to None. If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved but be sure to disable it again later and delete any stored dump files

Not that much of an expert on this, so if we don't get anywhere, I'll ask for additional help.

Ron

[Major Payne]

This may or may not help you, but if you could go through this list and check against your version of Win XP to see if there is any relevant change you can make. Especially items under "Advanced Security Settings":

Windows XP Security Checklist

Disable Dump File Creation
A dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to the Control Panel > System > Advanced > Startup and Recovery and change the options for 'Write Debugging Information" to None. If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved but be sure to disable it again later and delete any stored dump files

Not that much of an expert on this, so if we don't get anywhere, I'll ask for additional help.

Ron

[dsenette]

you could also download WireShark (formerly Ethereal) and run a packet capture on your system (read the instructions on how to do a basic capture and save that capture to a file)....it would be great to have a whole day's worth of stuff....but since that file would be MASSIVE...it would probably be better to catch the traffic just before and during one of these "dumps".....how long do the dumps last? are they EXTREMELY predictable?

[jannel]

I disabled the dump file and also downloaded WireShark. However the incidents have not been reliable enough for me to capture anything with WireShark.

[dsenette]

well....you could leave wireshark running for an extended period....then extract a certain time period from the logs when y ou know an "event" has occurred....stuff like this is really hard to nail down

[jannel]

It's not even consistent in terms of days, though. For example, I can go a week and not get one of the those messages. Other times, it will pop up two or three days in a row. It's maddening because I can't figure out what's causing it.