A customer suspected he had a spyware infection, since his daily internet usage increased from around 10Mb per day to 100Mb per day.

I take a look and see he is running norton internet security… which should protect against most nasties.

But I install and run AVG antispyware anyway… and it finds nothing…

He points out that the NIS log has many entries for 127.0.0.1

But when I look at the actual transfer sizes, there doesn’t seem to be much…

He is sure that on most weekends, he hardly uses the PC, yet the ISP records that he has downloaded and uploaded large amounts of data…

I disable some unnecessary startup programs, but cannot pinpoint any obvious culprit.

I then find he uses a VOIP phone via a VOIP modem/router…

Now that could cause “difficult to detect” bandwidth usage (both download and upload… thats what normal telephone conversations would be like).

He’s sure the NIS log indicates something on his PC is “abusing” 127.0.0.1, and somehow causing larger than expected downloads.

I take a look at the norton firewall, and setup “monitor” on icmp and loopback traffic.

This seems to trigger NIS into displaying a never ending series of message windows in the bottom right-hand corner of the screen. And for some reason, I cannot make the popups stop.

In the end, I suggest a reinstall of NIS, and unplug the VOIP (he says he will revert to his original modem, so he can eliminate a modem fault).

If the bandwidth usage drops, then it must have been VOIP that caused it somehow.