Hi guys, I have a PC which is constantly downloading from the internet. I have no idea what it's downloading. I installed Bandwidth monitor to have a look and in a few minutes it had downloaded close to 5MB. I have no applications open. All I did was boot the PC and open up BandWidthMonitor to view the report.

I also installed ZoneAlarm to see if I could catch the program trying to access the internet but it didn't work. Even if I set ZoneAlarm to "Enable Internet Lock" it still continues downloading.

I ran TCPView to see what processes where accessing a remote address and there weren't that many and none that appeared obviously out of place.

I will get a HiJackThis log as soon as I can, but does anyone have any ideas?

You can try this and see if it comes up with anything

http://www.processlibrary.com/processscan/

Use Wireshark to capture the packets on your network interface and see where they are going to/coming from and what protocols are in use:

http://www.wireshark.org/

I used Wireshark to capture the packets and found it was constantly sending ARP requests. Below is an example of what I saw:

55 46.358739 Cisco_f3:74:54 Broadcast ARP Who has 220.237.155.96? Tell 220.237.155.1

It went on and on until I turned the modem off - I only had it capturing for less than a minute and it reached over 3000 ARP requests/broadcasts.

Any idea what would cause this? Also, where is the "Cisco" coming from? I have no Cisco gear attached.

How are you connected to the internet? Is it a router/modem combo unit or just a modem? What is the make/model? Are you using a cable modem?

Lacking the above info this is just my guess based on what you've told us:

You are on a cable modem (satellite maybe?) with the modem connected right to the computer, no router. In that case the packets are normal. When you are on a cable system your computer is effectively on a LAN with all of your neighbors that are on the same segment of the cable system (same spotbeam of the satellite system). ARP traffic is normal LAN communication and the Cisco equipment (the .1 address) is probably the cable company's gateway device that you and all the neighbors send traffic to/receive traffic from.

As I said, just a guess based on my understanding. I may be wrong on some of it. But in any case, unless the ARP traffic is taking down your connection it is probably benign.