Laptop D/L at night

Darian929 Member Posts: 197
Hello fellow techies. I work as a computer technician at my job, which is a Home for the Aged with over 500 users, and lately the internet has been super slow, so the network engineer here set up a Cisco switch outside the firewall for sniffing. In the past 2 weeks they have noticed that there is this laptop which is downloading megabytes and megabytes of stuff at night, over weekends and everything, and the person who uses it is not even there. The laptop does have GoToMyPC, but the services are stopped and everything. You take it off the network and put it back on, and within minutes it downloads 60+ megabytes.... so they gave me the laptop to check it out and see if there is anything uncommon like software trying to download stuff. It's unplugged from the network and everything, but I see no out-of-the-ordinary services. I am no network expert, so I was wondering if you guys could advise me on any software or anything. Thanks in advance.

Comments

  • [Deleted User] Senior Member Posts: 0
    Sounds like it is infected.
  • HeroPsycho Inactive Imported Users Posts: 1,940
  • Darian929 Member Posts: 197
    xmalachi, I've scanned the hard drive with our antivirus and found nothing. I will be trying that TCPView.
  • veritas_libertas Member Posts: 5,746
    Darian929 wrote: »
    xmalachi, I've scanned the hard drive with our antivirus and found nothing. I will be trying that TCPView.

    I swear by MBAM. Out of curiosity, what are you using for antivirus? We use Symantec Corporate and it leaves much to be desired.
  • Darian929 Member Posts: 197
    We have McAfee; I scanned it with that and Malwarebytes.
  • chrisone Member Posts: 2,278
    Scan for viruses and spyware. If this still does not fix the problem, back up critical data only, RELATED TO WORK ONLY, then re-image the laptop, end of story! ;)
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • Darian929 Member Posts: 197
    Yea, that's what I'm going to do next, just make her save her data and reformat the thing. :)
  • tiersten Member Posts: 4,505
    The network engineer didn't say what the laptop was downloading, or from where? If they had gone to the trouble of setting everything up, I'd have expected them to also work out what it was doing.

    Install Wireshark and do a log of the network traffic when it is downloading.
  • mikej412 Member Posts: 10,086
    Uh, exactly where is it putting all the stuff it's downloading?

    While you're probably going to nuke that laptop no matter what, you may want to find out what it's been doing in case you've been backing up someone's ***** pron site/collection somewhere on your network.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Darian929 Member Posts: 197
    The network engineer did track the IPs it was going to, and it was going to a company called Akamai... they are a company based on web applications and acceleration.. who knows... it wasn't actually downloading programs or anything.
  • tiersten Member Posts: 4,505
    Darian929 wrote: »
    The network engineer did track the IPs it was going to, and it was going to a company called Akamai... they are a company based on web applications and acceleration.. who knows... it wasn't actually downloading programs or anything.
    Akamai is a Content Delivery Network. You outsource storage/bandwidth from them so they can host all the large files for you so you don't need massive network capacity yourself. Apple and others use them to store things like video files and updates.

    So just saying it is using Akamai doesn't really narrow it down that much. It could be downloading anything including software or media files.
  • Darian929 Member Posts: 197
    Yea, I mean it's just going out to that site, and that's when it says it's downloading megabytes of bandwidth.. I'm no engineer myself..
  • MentholMoose Member Posts: 1,525
    If it's downloading from Akamai, it's unlikely to be an infection. The user is probably leaving their browser open on a site with video (e.g. myspace).
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • Darian929 Member Posts: 197
    What's happening is it's going and updating Adobe Reader for some reason. We reformatted the computer, and nothing for now. However, the PC for the HR director is now doing the same thing. So we got out of one and stumbled on another. The network engineer says it's Adobe Reader going out and updating Reader for 400+ MB...
  • tiersten Member Posts: 4,505
    Darian929 wrote: »
    What's happening is it's going and updating Adobe Reader for some reason. We reformatted the computer, and nothing for now. However, the PC for the HR director is now doing the same thing. So we got out of one and stumbled on another. The network engineer says it's Adobe Reader going out and updating Reader for 400+ MB...
    400+ MB though? It's either doing something else or the update program is badly broken and it's constantly updating the same component over and over. The updates I get are generally smaller than 40 MB and fairly infrequent.

    I wouldn't advise disabling the Adobe updater though. Adobe Reader exploits are one of the biggest avenues for attacks now so keeping it up to date is extremely important.
  • Darian929 Member Posts: 197
    Yea, it's like 470 MB. Here is a screenshot. I wanna help the engineer here, so any tips/advice would help. I will tell her that disabling it can cause some exploits. [screenshot: adobe2.jpg]
  • tiersten Member Posts: 4,505
    Ah. It isn't reader. That explains why it is so much larger.

    What is odd though is that the update is so huge. That looks like a full install version of Acrobat Standard and they do offer incremental updates.

    When it has actually downloaded the update, does it install properly and does it want to download again?
  • Darian929 Member Posts: 197
    I think it's trying to redownload, because it downloads 75 megs every 4 mins, and it's been happening for the past 3-4 days... So I mean it would have downloaded the whole 400 megs in 25-30 mins... and stopped, but it keeps peaking. I looked at Adobe's site for the update, and that update requires 335 MB of free HD space.. so it is large..
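Tiersten's suggestion earlier in the thread (log the traffic while the download is happening) and the pattern described in this post (about 75 MB to the same destination every four minutes, at night) are the two pieces a defender needs in order to find the culprit machine among 500 users. The script below is an added example, not code from the thread or from any tool it mentions. It assumes the switch-port or Wireshark capture has been reduced to one line per flow in a constructed text format (`date time host dest:port bytes`); the host names HR-PC and WS-12 and the TEST-NET addresses are constructed. It totals bytes per host and destination, separates off-hours volume, and flags any host that repeatedly fetches a large object from the same destination at short, regular intervals.

```python
"""Find repeating large downloads in a constructed per-flow log.

Added example, not code from the thread. Assumes the engineer's capture has
been reduced to one line per flow; the format, the host names HR-PC/WS-12 and
the TEST-NET addresses are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: "<date> <time> <host> <dest ip:port> <bytes received>".
# HR-PC mirrors the thread: ~75 MB to one destination every four minutes at night.
# WS-12 is an ordinary workstation for contrast.
SAMPLE_LOG = """\
2010-03-06 02:00:12 HR-PC 203.0.113.10:80 75000000
2010-03-06 02:04:09 HR-PC 203.0.113.10:80 75000000
2010-03-06 02:08:11 HR-PC 203.0.113.10:80 75000000
2010-03-06 02:12:07 HR-PC 203.0.113.10:80 75000000
2010-03-06 02:16:10 HR-PC 203.0.113.10:80 75000000
2010-03-06 09:15:00 WS-12 203.0.113.20:443 250000
2010-03-06 09:47:30 WS-12 203.0.113.21:443 1200000
2010-03-06 23:30:00 WS-12 203.0.113.20:443 400000
"""


def parse_log(text):
    """Parse flow lines into dicts; blank or malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            received = int(parts[4])
        except ValueError:
            continue
        records.append({"time": when, "host": parts[2], "dest": parts[3], "bytes": received})
    return records


def bytes_by_host_dest(records):
    """Total bytes received, keyed by (host, destination)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["host"], r["dest"])] += r["bytes"]
    return dict(totals)


def off_hours_bytes(records, night_start=20, night_end=6):
    """Bytes per host received outside working hours (night_start..night_end, wrapping midnight)."""
    totals = defaultdict(int)
    for r in records:
        hour = r["time"].hour
        if hour >= night_start or hour < night_end:
            totals[r["host"]] += r["bytes"]
    return dict(totals)


def find_repeating_downloads(records, min_bytes=50_000_000,
                             max_gap=timedelta(minutes=10), min_repeats=3):
    """Flag (host, dest) pairs that fetch >= min_bytes at least min_repeats times,
    with no more than max_gap between consecutive fetches (a stuck updater pattern)."""
    groups = defaultdict(list)
    for r in records:
        if r["bytes"] >= min_bytes:
            groups[(r["host"], r["dest"])].append(r)
    findings = []
    for (host, dest), rs in groups.items():
        if len(rs) < min_repeats:
            continue
        rs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(rs, rs[1:])]
        if max(gaps) > max_gap.total_seconds():
            continue  # large fetches, but spread out: not the repeating pattern
        findings.append({
            "host": host, "dest": dest, "count": len(rs),
            "total_bytes": sum(r["bytes"] for r in rs),
            "avg_gap_s": sum(gaps) / len(gaps),
        })
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (host, dest), total in sorted(bytes_by_host_dest(recs).items(), key=lambda kv: -kv[1]):
        print(f"{host:8} -> {dest:20} {total / 1e6:8.1f} MB")
    for host, total in off_hours_bytes(recs).items():
        print(f"off-hours {host:8} {total / 1e6:8.1f} MB")
    for f in find_repeating_downloads(recs):
        print(f"REPEAT: {f['host']} fetches ~{f['total_bytes'] / f['count'] / 1e6:.0f} MB "
              f"from {f['dest']} every ~{f['avg_gap_s'] / 60:.0f} min ({f['count']} times)")
```

This only narrows the problem to a host and a destination; as tiersten notes, the destination being a CDN says little by itself, so the next step is still on the machine: a capture or a per-process connection view while the fetch is happening, to see which program owns the connection.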
  • Darian929 Member Posts: 197
    Here is the link to the Adobe 9.3.1 release notes update.

    ADOBE READER AND ACROBAT 9.3.1 AND 8.2.1 RELEASE NOTES
  • TheShadow Member Posts: 1,057
    My guess would be to check the version of the updater. If you do not have the correct version, I have seen even small updates repeat. The big ones must reboot the system, and if they are just using suspend and not allowing a reboot, that could be a source. I really hate Adobe's update strategy; it seems they are always replacing the updater, and if that does not work the real updates just keep coming.
    Who knows what evil lurks in the heart of technology?... The Shadow DO
  • rage_hog Banned Posts: 42
    Akamai is using the box as an ad relay. Read their terms and see. That's my theory. Is this a Windows 7 box? Start here:

    Network Advertising Initiative
  • MentholMoose Member Posts: 1,525
    rage_hog wrote: »
    Akamai is using the box as an ad relay. Read their terms and see. That's my theory. Is this a Windows 7 box? Start here:

    Network Advertising Initiative
    Uh, read the rest of the thread. The traffic is caused by Adobe Updater.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV