What could my PC be downloading?

rapid (Limp Gawd; joined Aug 10, 2004; 178 messages)
I was browsing a few tech sites when I noticed my network monitoring program was showing I was downloading at a steady 15kb/s rate for no apparent reason.
I closed down all Firefox tabs and MSN and waited a few moments, but the downloading did not stop. I then rebooted and the downloading started up straight away, so I disconnected my router and reconnected (dynamic IP), and within a few minutes I was mysteriously downloading again.
I don't have XP or anything else set to update automatically, and I don't use any p2p programs, so at the moment I'm a bit frantic as to what it could possibly be. I've scanned with Ad-Aware, Spybot, HijackThis and AVG, but did not find anything malicious.

I ran netstat while the downloading was occurring, and 213.200.97.61:http came up each time, though I don't really know where/what this is. I also searched the hard drive for recently altered files, but I didn't spot anything that could be malicious.

I don't know what's going on, but my first guess was I had become a zombie network victim, so I'm a bit confused what to try now as I haven't come up against anything like this before. Anyone have any suggestions other than formatting the drive?
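The netstat step in the post is the right first move; what turns a single "213.200.97.61:http" line into something actionable is the PID column of `netstat -ano` and a quick filter that drops loopback, LAN and listening sockets so only outbound connections to routable hosts remain. The script below is an added example written for this thread, not something the poster or the thread contains; the netstat text it parses is constructed (the 213.200.97.61 address is the one quoted above, everything else is invented), and the `netstat -ano` column layout it assumes is the Windows XP one.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output on Windows XP (not captured from
# the poster's machine). 213.200.97.61 is the address named in the thread; the
# local addresses, ports and PIDs are invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1104
  TCP    192.168.1.5:3452       213.200.97.61:80       ESTABLISHED     1784
  TCP    192.168.1.5:3460       213.200.97.61:80       ESTABLISHED     1784
  TCP    192.168.1.5:3471       192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional TCP
# state (UDP rows have none), owning PID.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """'213.200.97.61:80' -> ('213.200.97.61', '80'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_external(host):
    """True for a routable remote address, i.e. not the netstat wildcard and
    not loopback, private, unspecified, link-local or multicast."""
    if host in ("*", ""):
        return False
    ip = ipaddress.ip_address(host)
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified
                or ip.is_link_local or ip.is_multicast)


def parse_netstat(text):
    """Parse netstat -ano text into a list of dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rhost, rport = split_endpoint(m.group("remote"))
        rows.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "remote_ip": rhost,
            "remote_port": rport,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def external_connections(text):
    """Rows whose foreign address is outside the local machine and the LAN."""
    return [r for r in parse_netstat(text) if is_external(r["remote_ip"])]


def summarize_by_remote(text):
    """Group external rows by remote IP: socket count, ports and owning PIDs.
    Several sockets to one host from one PID is the thing to chase next with
    tasklist /fi "PID eq <pid>" (or TCPView) to put a process name on it."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "pids": set()})
    for r in external_connections(text):
        entry = summary[r["remote_ip"]]
        entry["count"] += 1
        entry["ports"].add(r["remote_port"])
        entry["pids"].add(r["pid"])
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize_by_remote(SAMPLE_NETSTAT).items():
        print(f"{ip}: {info['count']} socket(s), ports {sorted(info['ports'])}, "
              f"PIDs {sorted(info['pids'])}")
```

On the real box you would pipe `netstat -ano` into a file and feed that file to `parse_netstat`; the `-n` flag matters because without it netstat shows `:http` instead of `:80` and resolves hostnames, which both slows the listing and changes the column contents.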
 
I3roknI3ottle said:
do you download using bittorrent?
He said he isn't using any p2p programs. Aside from a virus/trojan, I can't think of what else it could be. Use AVG Free to double check for viruses if you haven't already.
 
Is bittorrent considered P2P?

I always thought P2P was considered programs like Soulseek, Limewire, Kazaa, WinMX, etc.
 
I3roknI3ottle said:
Is bittorrent considered P2P?

I always thought P2P was considered programs like Soulseek, Limewire, Kazaa, WinMX, etc.
Yes, BT is considered a p2p app...

To the OP: I did a quick whois search on your mystery IP, and it's in Amsterdam (http://www.networksolutions.com/en_...R4U2CWMEAQSFFA?whoistoken=0&_requestid=385347)

I suggest using something like Kerio Personal Firewall and disallowing that IP address from contacting you; you could be able to do that with Windows Firewall, but I'd suggest going ahead and getting Kerio.

If you really haven't done anything "wrong" (pr0n included) maybe even contact your ISP and ask them wtf is up...

 
Thanks for the replies guys - will try that TCPView if it happens again.

Regarding how whatever it was got through, I use a router firewall and also the SP2 firewall, so if they're getting through those then am I correct in thinking they are connecting to something that's opening the ports on my PC?
Trouble is, I'm not the sort to randomly download programs. Although I do download images and small movie files from the web (not p2p) - is it possible to use those to execute code?
I noticed the IP I posted in my original post was using http; is this a usual protocol amongst malicious programs? I'd thought they'd use something else, but I'm just trying to think of every possibility right now.

And before I go and format the drive, does anyone know of a program which can search for all files that have been altered or created within a time period? Windows search by date doesn't really seem to find anything that I didn't do myself, but I really want to try and work out what I was downloading at 15kb a sec.
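The "what changed on disk in the last N hours" sweep the poster asks for is a few lines once you walk the tree with `os.walk` and compare each file's modification time against a cutoff. The script below is an added example, not a tool from the thread; the directory tree it sweeps is constructed inside a temp folder so it runs anywhere, and the folder-name exclusion (here the service-pack uninstall folder mentioned later in the thread) is an assumed convenience, not something the poster's tools did.

```python
import os
import tempfile
import time
from datetime import datetime


def recently_changed(root, hours, exclude_names=()):
    """Walk `root` and return (path, mtime, size) for every file whose
    modification time falls within the last `hours` hours, newest first.

    `exclude_names` are folder names (compared case-insensitively) that are
    skipped entirely, e.g. service-pack uninstall folders that are full of
    legitimately new files.  Modification times are trivially forgeable, so
    an empty result is evidence, not proof, that nothing was written.
    """
    cutoff = time.time() - hours * 3600
    excluded = {n.lower() for n in exclude_names}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into excluded folders.
        dirnames[:] = [d for d in dirnames if d.lower() not in excluded]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; skip instead of aborting the sweep
            if st.st_mtime >= cutoff:
                hits.append((path, st.st_mtime, st.st_size))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def format_report(hits):
    """Render hits as 'timestamp  size  path' lines for reading or saving."""
    return [
        f"{datetime.fromtimestamp(mtime):%Y-%m-%d %H:%M:%S}  {size:>10}  {path}"
        for path, mtime, size in hits
    ]


def build_demo_tree():
    """Create a constructed directory tree (not the poster's disk): one file
    written just now, one backdated a month, and one fresh file inside a
    folder we want to skip."""
    root = tempfile.mkdtemp(prefix="recent_demo_")
    old = os.path.join(root, "old.dll")
    new = os.path.join(root, "Program Files", "new.exe")
    skipped = os.path.join(root, "$NtServicePackUninstall$", "sxs.dll")
    for p in (old, new, skipped):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(b"constructed sample content")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))  # backdate atime and mtime
    return root


def demo(hours=24):
    """Sweep the constructed tree for files touched in the last `hours` hours."""
    root = build_demo_tree()
    return recently_changed(root, hours, exclude_names={"$NtServicePackUninstall$"})


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

For a real sweep, point `recently_changed` at `C:\` with the window covering the time the 15kb/s download was seen, save the report, and read it alongside the netstat output; a file that appeared during that window and is owned by the same process that held the sockets is what you are looking for.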
 
Do you have windows automatic updates on by any chance? Set to download updates in background?
 
rapid said:
Although I do download images and small movie files from the web (not p2p) - is it possible to use those to execute code?

I noticed the IP I posted in my original post was using http; is this a usual protocol amongst malicious programs?


1. GDI exploit
http://www.wilderssecurity.com/archive/index.php/t-48978.html

2. Yes, it's very common; port 80 (HTTP) is generally open both on your box and, say, in a hardware firewall.

Malware these days will generally both circumvent AV scanners and software firewalls to hide itself, and possibly even drop a rootkit hiding it from subsequent or remote scans. As to whether it was a GDI exploit, likely it's not the only infection vector you have.

http://hardforum.com/showthread.php?t=768776

I too recommend either TCPView or a software firewall that has TCP monitoring (like, say, Kerio).
 
Nothing strange has downloaded onto my HD so far today, although I deleted every graphical file from the past month or so. I don't know if that could prevent someone from accessing my PC or not, but it's done now.

I ran the gdiscan program and this list of DLLs came up. Vulnerable versions of the .dll files are listed in red, potential risks in yellow (although the FAQ page said to ignore files listed in 'uninstall' directories, which is the red entry below):

C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3501.0 <-- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2600.0 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180

While I don't know exactly what each one is, I can make these points:
- I don't have MS Office or 'OfficeXP' installed
- am running XP Pro SP2 and fully patched
- however, as I was reviewing the MS GDI exploit page I realised I didn't have the Visual Studio 03 GDI patch. Could this potentially be where the problem originated for one of the yellow DLLs above?

And also, where does Windows Update save the GDI detection tool? If I recall it ran once on install, but I can't find it anywhere on the HD now.
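Reading a gdiscan listing by hand is error-prone for exactly the reason the poster stumbles on: several copies of the same DLL live in different folders, some of them deliberate backups, and version strings such as 10.0.3501.0 and 5.1.2600.2180 cannot be compared as text. The script below is an added example, not part of the thread or of the gdiscan tool: it parses the listing posted above, skips the uninstall-folder copies the tool's FAQ says to ignore, and compares each remaining copy numerically against a baseline. That baseline is an assumption read off the listing itself (the lowest version of each DLL the tool left unflagged), not a vendor-published list.

```python
import re

# The listing posted above, embedded verbatim as the sample input.
GDISCAN_OUTPUT = r"""
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3501.0 <-- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2600.0 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180
"""

# Assumed baseline: the lowest version of each DLL that the tool left
# unflagged in the listing above.  Read off the posted scan, not taken from a
# vendor list, so treat it as an assumption.  MSO.DLL has no baseline here.
BASELINE = {
    "sxs.dll": "5.1.2600.2180",
    "vgx.dll": "6.0.2900.2180",
    "gdiplus.dll": "5.1.3102.2180",
}

PATH_RE = re.compile(r"^[A-Za-z]:\\")
VERSION_RE = re.compile(r"^Version:\s*(?P<ver>[\d.]+)(?:\s*<--\s*(?P<note>.*))?$")


def parse_version(s):
    """'10.0.3501.0' -> (10, 0, 3501, 0) so comparisons are numeric field by
    field; comparing the strings would rank 10.x below 5.x."""
    return tuple(int(part) for part in s.strip().split("."))


def parse_gdiscan(text):
    """Pair each path line with the 'Version: ...' line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = VERSION_RE.match(line)
        if m and pending:
            entries.append({
                "path": pending,
                "name": pending.rsplit("\\", 1)[-1].lower(),
                "version": parse_version(m.group("ver")),
                "note": (m.group("note") or "").strip(),
            })
            pending = None
    return entries


def is_uninstall_copy(path):
    """Per the tool's FAQ, files under uninstall folders are backups of the
    pre-patch versions and can be ignored."""
    return any("uninstall" in part.lower() for part in path.split("\\"))


def assess(entries, baseline=BASELINE):
    """Label each entry: ignored backup, no baseline, below baseline, or ok."""
    results = []
    for e in entries:
        if is_uninstall_copy(e["path"]):
            status = "ignored (uninstall backup)"
        elif e["name"] not in baseline:
            status = "no baseline"
        elif e["version"] < parse_version(baseline[e["name"]]):
            status = "below baseline"
        else:
            status = "ok"
        results.append((e["path"], status))
    return results


if __name__ == "__main__":
    for path, status in assess(parse_gdiscan(GDISCAN_OUTPUT)):
        print(f"{status:28} {path}")
```

Run against the listing, the only copy that ends up below baseline is the older side-by-side GdiPlus.dll (5.1.3097.0), which is the same entry the tool marked yellow; the two red/yellow entries under $NtServicePackUninstall$ are reported as ignored, matching the FAQ advice the poster quotes.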
 
Just to be safe I would reformat in this case; who knows, if someone is connecting to your computer, what they could be monitoring. What AV and what firewall do you have?

Panda ActiveScan

^^There's an online AV scanner; I would suggest doing a scan with this and your AV installed on your PC. Also, if you have any files that you think could be malicious, scan them here:

VirusTotal
 
Dude, is Windows auto-update on? Before you go around reformatting and all that bollocks, check it; even if you don't recall turning them on, SP2 does it by itself. Also, do you have anything else that might update itself? Virus scans and firewalls etc.?
 
Thanks for the links, am planning on formatting the drive anyway.
- I don't have Windows or anything set to auto update, but I double checked anyway and the settings were still the same. Still don't really know what happened.
 