Mystery download same time nightly

Name: gazzapee
Date: November 1, 2004 at 15:55:59 Pacific
OS: xp
CPU/Ram: Athlon 1800
Comment:

I have this download occurring at precisely 3:23am every morning. I am permanently connected to my ISP through an ADSL connection.

I don't know what it is. I have ZoneAlarm Pro working but that does not stop it - if it is a hacker.

Please can someone show me which process I should be checking to see what it may be. There is NOTHING in Task Scheduler that is set up and Windows automatic downloads is disabled.

The only way to combat this mystery download (which varies in size but is usually about 25 MB) is to pull the telephone line plug every night. That stops it. And it's using up my monthly allocation of paid-for data access.

Thanks



Response Number 1
Name: Jennifer SUMN
Date: November 1, 2004 at 16:37:35 Pacific
Reply:

How do you know your system is doing this? Is there a file created? Is your anti-virus perhaps set to update? It would help if you could provide a little more information.

One thing I find curious. You have a limit as to how much data you can download per month? Hmmmm I've never heard of that before...


Response Number 2
Name: murve
Date: November 1, 2004 at 18:31:26 Pacific
Reply:

Hi Gaz,
Let's try this to see if you are hacked.
Hit your Start button, go to the Run button and hit it, then type in command. In the MS-DOS prompt box where you see the flashing cursor, type in netstat -an (as you see it). You will now see the box with 4 columns:
proto, local address, foreign address, state.
If you see anything in foreign address with an address followed by a port number, take note of it. If it is followed in the state column with the word established, then you will know you have a new friend.
With the address and the port number taken, go to www.thepublicworks.com, security section, link to Tantalo Ports, put in the port number and do a search. If the results tell you that you have a trojan, note it down; then, while at the publicworks, link to Simovits Consulting and do a search on the trojan by name and read up on the info on the trojan.
Then, still at the publicworks, go to the payware section, link to Trojan Hunter anti-trojan, download the free 30-day trial, get the latest defs, and scan your machine in safe mode; delete all files it comes up with.
All the best,
murve


Response Number 3
Name: JohnO
Date: November 2, 2004 at 05:57:43 Pacific
Reply:

Murve, saw your post above, and ran your CMD since I'd never heard of it. Found 4 established foreign addresses at ports 1025 through 1028. I've run 3 trojan detection programs with negative results, and Shields Up shows my computer as completely stealthed. It should have been this way prior to me ever hooking to the internet. After checking the port numbers on Google, I would guess these findings in WWW.publicworks.com are either benign or false positives, is that correct? Thanks.


Response Number 4
Name:
Date: November 2, 2004 at 06:01:07 Pacific
Reply:

Around 3am? Could it be Windows Update?


Response Number 5
Name: murve
Date: November 2, 2004 at 06:44:36 Pacific
Reply:

Hi JohnO.
Netstat is a port monitor and it gives a true picture of what ports are opened on all computers. If it found that these ports are opened on your machine, and if you checked with Tantalo Ports and found that ports 1024 1025 udp NetSpy trojan, 1025 udp Maverick's Matrix trojan, and 1027 tcp ICQ trojan, then you may have those trojans in your computer hiding somewhere. The anti-trojan software may not be picking up those signatures.
You may want to try the trojan and port test at PC Flank to get another picture of what may or may not be on your computer; I think you can access it by going to www.thepublicworks.com, security section, in the security tests area.
All the best,
murve



Response Number 6
Name: JohnO
Date: November 2, 2004 at 10:34:00 Pacific
Reply:

Murve, thanks for reminding me of PC Flank. Well, I ran all of its tests, and it didn't find anything either. If I can't find it I can't clean it. My Zone Alarm Pro was installed and set up, along with my IE security and AV, before this thing was ever connected. I have d/l a few programs, but they're programs I've used for years. Well, can't worry about it, nothing is getting out that shouldn't.


Response Number 7
Name: gazzapee
Date: November 2, 2004 at 22:27:38 Pacific
Reply:

Murve - nothing spectacular found so far. NO, it is not a Windows download/update.

I omitted to tell you that these are two computers on a LAN and both have ZoneAlarm installed.

The remote computer had nothing open that I wouldn't expect - just LAN stuff on 193.

However, the gateway comp (this one) has a foreign address open (192.168.0.2:135) and in a "Time_Wait" state.

Is this significant?

Gazza


Response Number 8
Name: murve
Date: November 3, 2004 at 19:09:34 Pacific
Reply:

Hi Gaz,
How to read NETSTAT -AN results:

The address you mention is showing that the address and port are in a TIME_WAIT state, and this is not important.

TCP port 135 is the Microsoft DCOM/RPCSS. It's impossible to close in Windows NT/2000/XP Pro.
For Windows 9x/ME/XP Home:
Start REGEDIT.EXE, go to HKLM\Software\Microsoft\OLE and change both EnableDCOM and EnableRemoteConnect to 'N' and reboot.

Netstat is an old-school DOS program that displays all TCP connections on your Windows system.
The command line parameter -A adds all listening ports (both TCP and UDP) and any other TCP connections.
The -N parameter makes all ports and IP addresses numerical instead of named.

In lines saying 'ESTABLISHED', you need the remote port to identify what has connected to the remote site.
In lines saying 'LISTENING', you need the local port to identify what is listening there.
Each outbound TCP connection also causes a LISTENING entry on the same port.
Most UDP listening ports are duplicates from a listening TCP port.

TIME_WAIT entries are not important.

If it says 0.0.0.0 on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).
If it says 127.0.0.1 on the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. No danger there.
If it displays your online IP on the Local Address column, it means that port is ONLY listening for connections from the Internet.
If it displays your local network IP on the Local Address column, it means that port is ONLY listening for connections from the local network.

Hi JohnO,
You could be right, it may just be a false positive, but to be sure you may want to use HijackThis, just to make sure that you don't have any trojan servers hanging around.

All the best Gaz and JohnO,
murve

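The reading rules murve gives above (and the netstat -an check from Response 2) applied by a small parser, as an added example that is not from the thread: it takes a constructed Windows netstat -an listing and tags each line the way the post says to read it (TIME_WAIT ignored, remote port for ESTABLISHED, local port and bind address for LISTENING). The sample addresses, ports and the function names are my own assumptions, not anything from either poster's machine.

```python
import ipaddress
import re

# Constructed sample of Windows "netstat -an" output (not from either poster's machine);
# the addresses and ports are invented to exercise each rule in the post above.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.9:4896       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1200       203.0.113.5:4896       ESTABLISHED
  TCP    192.168.0.1:1693       192.168.0.2:135        TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_addr(addr):  # 'host:port' -> (host, port); '*' and placeholder port 0 become None
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() and port != "0" else None)

def classify(local, foreign, state):
    """Apply the post's reading rules to one socket line; returns (verdict, port)."""
    if state == "TIME_WAIT":
        return "ignore", None                # closing connection, not significant
    if state == "ESTABLISHED":
        return "established", split_addr(foreign)[1]   # the REMOTE port matters here
    host, port = split_addr(local)           # LISTENING, or UDP (no state column)
    if host == "127.0.0.1":
        return "loopback-only", port         # only reachable from this PC itself
    if host == "0.0.0.0":
        return "all-interfaces", port        # reachable from LAN and Internet alike
    if any(ipaddress.ip_address(host) in n for n in LAN_NETS):
        return "lan-only", port              # bound to the local network address
    return "online-ip", port                 # bound to the public (online) address

def parse_netstat(text):
    """One dict per socket line; banner and column-header lines are skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, local, foreign, state = m.groups()
        verdict, port = classify(local, foreign, state)
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "verdict": verdict, "port": port})
    return rows

def established_remote_ports(text):
    """The list the thread asks for: remote ports of ESTABLISHED connections."""
    return sorted(r["port"] for r in parse_netstat(text) if r["verdict"] == "established")
```

Run it against the real output of `netstat -an` saved to a file and the established remote ports are what you would look up next; the loopback-only entries can be skipped.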

Response Number 9
Name: gazzapee
Date: November 7, 2004 at 02:54:41 Pacific
Reply:

Thanks for all that info Murve. I don't pretend to know it all yet but I will print it out and study it.

In the meantime I did a scan a few nights ago and came up with these ports all established: 1693, 3094, 1551, 1552 and 1200.

Of these, the last is significant as that supposedly is the "NoBackO" trojan. I did a scan with ALL my various checkers and only one revealed its presence (Spybot tx). I deleted NBO but if I leave the computer plugged in all night it still does a download at precisely 3:23am. Yesterday morning (7th Nov) it was 46 MB and it uploaded about 5 MB.

Subsequent scans using 'command' have been mainly quiet, except just now there is a 192.168.0.197:4896 established.

gazza Sun, 7 Nov 2004 23:51:24
