A computer components & hardware forum. HardwareBanter

Track Unknown Download Bytes



 
 
  #1  
Old December 4th 16, 07:47 PM posted to alt.comp.hardware
Bill Bradshaw

I connected the network to the internet and noticed through my network
monitor that over 100 mbs had been received and was continuing. I
immediately disconnected from the internet. That seems to have stopped it.
I need to monitor this on startup. Would like something simple I could
start before connecting the internet which would possibly show the program
or at least the ip address where this stuff is originating. Have Wireshark
but I am looking for something more simple. Autoruns did not help me. I do
have the Nirsoft utilities and Sysinternals Suite. There has to be
something simple somewhere in these utilities but I am not picking it out.

Running Windows 7 Pro 32 bit.
--
Bill

Brought to you from Anchorage, Alaska


  #2  
Old December 4th 16, 09:42 PM posted to alt.comp.hardware
John McGaw

On 12/4/2016 2:47 PM, Bill Bradshaw wrote:
I connected the network to the internet and noticed through my network
monitor that over 100 mbs had been received and was continuing. I
immediately disconnected from the internet. That seems to have stopped it.
I need to monitor this on startup. Would like something simple I could
start before connecting the internet which would possibly show the program
or at least the ip address where this stuff is originating. Have Wireshark
but I am looking for something more simple. Autoruns did not help me. I do
have the Nirsoft utilities and Sysinternals Suite. There has to be
something simple somewhere in these utilities but I am not picking it out.

Running Windows 7 Pro 32 bit.


If you had W10 then you could just bring up task manager and look at the
network column. I don't recall if W7 had a similar capability.
  #3  
Old December 4th 16, 10:04 PM posted to alt.comp.hardware
Paul[_28_]

Bill Bradshaw wrote:
I connected the network to the internet and noticed through my network
monitor that over 100 mbs had been received and was continuing. I
immediately disconnected from the internet. That seems to have stopped it.
I need to monitor this on startup. Would like something simple I could
start before connecting the internet which would possibly show the program
or at least the ip address where this stuff is originating. Have Wireshark
but I am looking for something more simple. Autoruns did not help me. I do
have the Nirsoft utilities and Sysinternals Suite. There has to be
something simple somewhere in these utilities but I am not picking it out.

Running Windows 7 Pro 32 bit.


The only thing I know of, is Sysinternals TCPView. That shows
executable name and the connection it is making (IPortnum).

*******

The closer you get to T=0, the more difficult it becomes.

Windows Performance Toolkit uses ETW trace events. It cannot
record the network traffic, and all it does is log executable
activities. And if you didn't like Wireshark, you won't like
this. What this allows you to do, is start a reboot with xbootmgr,
and ETW traces everything after T=0, as soon as ETW is running.
But if the name of the executable isn't something meaningful,
you'll be no further ahead. Black hat materials, for all intents
and purposes, will be untraceable. I can set up a dynamic address
on the Internet, hide the ownership, use it for Command and Control,
and a log of such a communication would be of no use to you. The
only way your tracing work will pan out, is if the activity
is benign, and the materials and operations are properly labeled.

http://al.howardknight.net/msgid.cgi...nt-email.me%3E

*******

I think actually Sysinternals Process Monitor can also use ETW
on a reboot, and after the reboot, Process Monitor can then be
used to review the trace. That's better than the output of WPA
related tools.

Under Options, is "Enable boot tracing". Give that a try. It may not
record enough material after boot, to be really useful. Even with
the WPA stuff, you may set the recording for 2 minutes or 20 minutes
and find the recording ended before the interval you defined.

Services hiding in SVCHOST will be mostly hidden. ETW doesn't
tell you which one is doing it. All the SVCHOSTs go by the
same name. So if malware were to hide as a service (even some
Google add-ons did this), you would be hard-pressed to
identify the activity. Using Wireshark/WinPCAP and recording
addresses might make more sense with some sort of Google
auto-update problem.

Paul
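Building on Paul's TCPView and svchost points, here is an added example (my own PowerShell, not anything posted in the thread) that maps each netstat endpoint to its owning process, lists the services behind an svchost PID, and dumps that table whenever the inbound byte rate spikes. It assumes Windows 7 with the built-in netstat.exe and tasklist.exe, an elevated prompt, and English-language performance-counter names.

```powershell
# Added example, not code from the thread. Snapshots every TCP/UDP endpoint
# with its owning process so a burst of inbound bytes can be tied to an
# executable. Assumes Win7 built-in netstat.exe/tasklist.exe, elevated prompt.

function Get-ConnectionOwners {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    # netstat -ano rows: Proto  Local Address  Foreign Address  [State]  PID
    # UDP rows carry no State column, so the PID is always the last token.
    netstat -ano | Select-String -Pattern '^\s*(TCP|UDP)\s' | ForEach-Object {
        $f     = $_.Line.Trim() -split '\s+'
        $owner = [int]$f[-1]
        $p     = $procs[$owner]
        $state = ''
        if ($f[0] -eq 'TCP') { $state = $f[3] }
        $svc = ''
        if ($p -and $p.Name -eq 'svchost') {
            # svchost hosts many services; tasklist /svc at least lists the
            # services sharing this PID, narrowing the candidate set.
            $svc = (tasklist /svc /fi "PID eq $owner" /fo csv | ConvertFrom-Csv).Services
        }
        New-Object PSObject -Property @{
            Proto    = $f[0]
            Local    = $f[1]
            Remote   = $f[2]
            State    = $state
            PID      = $owner
            Process  = $(if ($p) { $p.Name } else { '<exited>' })
            Path     = $(if ($p) { $p.Path } else { '' })
            Services = $svc
        }
    }
}

# Poll the NIC counters (Get-Counter samples for one second per call); when
# the inbound rate crosses the threshold, dump established connections + owners.
function Watch-InboundBurst {
    param([int]$ThresholdBytesPerSec = 200KB, [int]$Seconds = 120)
    for ($i = 0; $i -lt $Seconds; $i++) {
        $rate = (Get-Counter '\Network Interface(*)\Bytes Received/sec').CounterSamples |
                Measure-Object -Property CookedValue -Sum | Select-Object -ExpandProperty Sum
        if ($rate -gt $ThresholdBytesPerSec) {
            Write-Host ("{0:u}  inbound {1:N0} B/s" -f (Get-Date), $rate)
            Get-ConnectionOwners | Where-Object { $_.State -eq 'ESTABLISHED' } |
                Sort-Object Process | Format-Table Process, Remote, PID, Services -AutoSize
        }
    }
}
```

Dot-source the file, then call `Watch-InboundBurst` from the elevated prompt before plugging the network cable in; it will print a timestamped owner table each second the download is running.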
 



