Something is trying to access the internet..

December 20, 2009 at 22:33:11
Specs: Windows XP, 3G/1G
Hello,

I've noticed some unusual bandwidth usage on my computer recently, so I ran Ethereal sniffer to see what was going on.

It appears that some process is repeatedly trying to access the internet. Something keeps trying to connect to an IP (67.228.114.204) and then does the request:
GET /z178/dfj9.bin HTTP/1.1

Thankfully '404 Page not found' is being returned... However I would like to find out what process is doing this and put an end to it since I'm on limited bandwidth.

Does anyone know of a program I could use to figure out what process on my computer is making this internet request? I would be very grateful!



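Added example (not from the original poster): a small Python script that does, over captured HTTP requests, what the poster did by eye in Ethereal. It flags GET requests that go to a bare IP address rather than a hostname and ask for a binary-looking file, and counts how often each one repeats. The sample requests are constructed for the example; only the request line the poster quoted comes from the thread, the Host and User-Agent headers are assumed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of request streams as one might copy them out of
# Ethereal's "Follow TCP Stream" view. Only the first request line is
# from the thread; the headers and the other requests are made up here.
SAMPLE_REQUESTS = [
    "GET /z178/dfj9.bin HTTP/1.1\r\nHost: 67.228.114.204\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "GET /z178/dfj9.bin HTTP/1.1\r\nHost: 67.228.114.204\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "GET /z178/dfj9.bin HTTP/1.1\r\nHost: 67.228.114.204\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
# Extensions that suggest a downloaded payload rather than a web page.
PAYLOAD_EXT = (".bin", ".exe", ".dll", ".dat")


def parse_request(raw):
    """Split one raw HTTP request into method, path and Host header."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "path": m["path"], "host": headers.get("host", "")}


def is_bare_ip(host):
    """True when the Host header is a literal IP address (no DNS name)."""
    host = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_downloads(raw_requests, min_repeats=2):
    """Count GETs for payload-like files from bare IPs; keep the repeated ones."""
    hits = Counter()
    for raw in raw_requests:
        req = parse_request(raw)
        if req is None or req["method"] != "GET":
            continue
        if is_bare_ip(req["host"]) and req["path"].lower().endswith(PAYLOAD_EXT):
            hits[(req["host"], req["path"])] += 1
    return {key: n for key, n in hits.items() if n >= min_repeats}


if __name__ == "__main__":
    for (host, path), n in suspicious_downloads(SAMPLE_REQUESTS).items():
        print(f"{n}x GET http://{host}{path}")
```

The repeat count is the useful part: a browser fetching a file once is normal, the same request to the same raw IP every few minutes with nothing in front of it is what marks a beaconing process, and that pattern shows up whether or not the server still answers 404.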


#1
December 20, 2009 at 22:42:36
Not much info, but it looks like that IP seems to host a lot of sites.
http://www.robtex.com/ip/67.228.114...

EDIT: Sorry, but your post title is just awesome. 'Something is trying to access the internet..'.. OMG, is it an invasion? Jokes, lol. Sorry, couldn't help but comment :P

ArukkNet Homepage -- My.. Under Construction Currant Project.

Feel like helping? PM me.



#2
December 21, 2009 at 16:53:07
Haha, glad you liked it. I stumbled across that robtex website when I googled the IP, but didn't know what it meant. I don't recognize any of those hostnames though, so I'm guessing it's not good.

I downloaded TCPView last night and ran it hoping to find what process is making the connection. It turns out the connection is coming from an instance of SVCHost.exe (which by itself is safe.) But TCPView doesn't tell me what process is initiating SVCHost.exe. So I'm still stumped on how to eliminate the source of this...



#3
December 21, 2009 at 19:13:10
Lol, well generally that exe is safe, however as it is basically a 'Gateway' through the computer's security system (Older antivirus let that run, no matter how infected, because it is a very important system process). So maybe, if you ran a scan on your exe with a more modernised AV (May I recommend Avast? Or at least over AVG anyway, as AVG tends to detect non-existent viruses :P)
A link that might help would be http://www.ehow.com/how_5132341_rem...
Sorry, I probably should have left it to one of the security pros to answer but your post title was just too good to resist :P
All I really can tell you is whatever it is doing, it is trying to download the non-existent file (http://67.228.114.204/z178/dfj9.bin) over the HTTP protocol (I tried most of the commonly used ports but I couldn't imagine it being way too smart). The fact that a Windows file is automatically attempting to request an unauthorised file that seems to have been nonexistent for some time triggers warning bells in my head :P
I wouldn't be too worried about this, it seems very out-dated and somewhat safe, but I wish you luck in preventing it.

NOTE: Just did a trace of the IP. I believe the server is based in Texas, and they are owned by a company called yinghu. It seems to me that the IP originally hosted a spy-ware virus for one of those "This domain is for sale.." companies who buy a crapload of web addresses cheap and sell them off separately. I'm guessing the spy-ware was designed to see what domains people looked up that they could buy, not sure. I might not be right, but it's just my guess.

ArukkNet Homepage -- My.. Under Construction Currant Project.

Feel like helping? PM me.




#4
December 22, 2009 at 02:11:41
Thanks, I managed to find the source. It was a file, hidden from the Windows API, called twext.exe. It was running through the UserInit registry key and was invisible to the process list. Couldn't even see the bugger in its folder.

Apparently it's a fairly common Banking trojan called Zbot.. it logs keystrokes to get passwords to popular banks and sends them to that website. Scary thing is I just set up an online bank account a few weeks ago. Looks like I lucked out with that website being defunct for a while now. It's been lurking around on my computer since February and I never noticed! I'm usually pretty observant about these things but this one threw me for a loop by hiding itself out in places I don't usually check. I'd still like to know how I ended up with it though, whether it was something I downloaded, a website I went to or something else.


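Added example (not from the poster): a Python check for the persistence spot the poster found, the Userinit value under Winlogon. Windows runs every comma-separated entry in that value at logon, so anything beyond the stock userinit.exe is worth a look. The two sample values are constructed: the clean one is the Windows XP default, the tampered one assumes twext.exe was dropped into system32, which the thread does not say (it only names the file). Reading the live value only works on Windows; everywhere else the script falls back to the samples.

```python
import os

# The stock entry. %SystemRoot% is normally C:\WINDOWS on XP; the fallback
# is used when the script runs somewhere the variable is not set.
EXPECTED_USERINIT = (os.environ.get("SystemRoot", r"C:\WINDOWS")
                     + r"\system32\userinit.exe").lower()

# Constructed samples. The trailing comma is normal on XP.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
TAMPERED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"  # assumed path


def split_userinit(value):
    """Split the comma-separated Userinit value into its program entries."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def unexpected_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every entry that is not the stock userinit.exe."""
    return [entry for entry in split_userinit(value) if entry.lower() != expected]


def read_live_userinit():
    """Read HKLM\\...\\Winlogon\\Userinit on Windows; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    samples = {"live": live} if live is not None else {
        "clean sample": CLEAN_USERINIT, "tampered sample": TAMPERED_USERINIT}
    for label, value in samples.items():
        extra = unexpected_userinit_entries(value)
        print(f"{label}: {'OK' if not extra else 'extra entries: ' + ', '.join(extra)}")
```

The check reads the registry rather than the process list on purpose: as the poster saw, the running copy can be hidden from Task Manager and TCPView, but the value that launches it has to stay readable or it would not run at logon.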

