Constant Uploading From PC



Hi

For the past 2 weeks now I have noticed on my bandwidth monitor a constant upload. I checked processes but I can't see anything out of the ordinary.

I went on CMD and put "netstat" to see many many many connections connected to me from the same host name as my computer. Sometimes the windows XP dialog that pop ups when a program wants to connect to the internet says a program wants to connect to "www.starman.ee" or "www.if.ee".

I have run ad-ware scans and virus scans both in normal boot and safe mode and whatever they do find never seems to sort this problem out. I'm using Ad-aware and Zonelabs, both with up-to-date definition lists.

No P2P is running such as limewire or torrents on my system when these connections are present.

I did block the host however 2 were still able to connect and I couldn't use the web for anything else once blocked as I think I blocked myself.

Please help.

Need some urgent assistance, kind of worried what could be installed on my system.


There must be some sort of program installed on your PC which is doing this upload. Remove the programs which you don't need or are not sure about. Did you download any free programs from the net? Or did you click on the pop-ups which appear when you are browsing the net? Either way I think there must be a small program on your PC somewhere which is stealing your bandwidth.


Well, I went through add/remove programs in Control Panel and removed any program I wasn't using, and of the programs left I don't think any of them would be hogging my bandwidth.

Is there any way I can trace back to the exe?

Task manager looks fine.


Kill all unnecessary processes and see if it continues. If it does, run a rootkit scanner and pray that you haven't done any online banking or bill pay recently.


I had a similar problem in the past; the only thing I suggest is to do more digging on what you have installed, or do a clean format, get yourself a router and use that. NEVER download freebies.


I had a similar problem in the past; the only thing I suggest is to do more digging on what you have installed, or do a clean format, get yourself a router and use that. NEVER download freebies.

Why not? Firefox was a freebie.


The freebie programs I was referring to were not something like Firefox but something that expires after a certain period and is not from reliable sources. That's what I meant..


Those domains aren't owned
Um -- yeah ok..

starman.ee

--

Registrant:

Starman Kaabeltelevisiooni AS

Akadeemia tee 28, EE0026 Tallinn

TEL +372 6 779 955

FAX +372 6 779 907

Domain Name: starman.ee

Contacts:

Margus Paap

Record created on 19-Jun-1997

Record changed on 19-Jun-1997

--

if.ee

--

Registrant:

AS If Kinnisvarahaldus

Pronksi, 19, Tallinn, Harjumaa, 10124

TEL +3726671100

FAX +3726671101

Domain Name: if.ee

Contacts:

Erik Matt *********@kindlustus.ee

Record created on 06-Feb-2002

Record changed on 01-Apr-2005

--

Do you live in Estonia?? Not sure why your machine would try to contact these domains??

Could be that you're infected with some type of trojan that has your machine doing a DDOS attack against these sites? What port does netstat show they are connecting to?

As already stated, a netstat -o or -b will give you the PID or binary that is creating the connection.. Or you could download the FREE tool

http://www.microsoft.com/technet/sysintern...ng/TcpView.mspx

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.

But yeah, if your machine is making connections to any IP that you have not actually requested, or minor phone home type thing.. I.e. you're constantly showing upload bandwidth usage.. How much exactly???

You're infected with something.. You need to find exactly what process is creating the connection, and then correct it.

Estonia -- Really? ;) Not a country you hear of much.. Pretty kewl name though, and hey how could you not like the "kroon" -- too bad they are switching to the euro next year.. Tallinn is on my list of places to visit.. but you sure do not hear of this country much.. But you're infected with something talking to a machine somewhere there.. Kind of kewl if you think about it ;) hehehhe

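The `netstat -o` step suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that takes saved `netstat -ano` and `tasklist /fo csv /nh` output and ranks processes by how many active outbound connections they own. The sample output, the addresses and the process name `updater32.exe` are constructed for illustration, and it assumes `tasklist` is available on the machine.

```python
import csv
from collections import defaultdict

# Constructed `netstat -ano` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1832
  TCP    192.168.1.10:1046      203.0.113.7:80         ESTABLISHED     1832
  TCP    192.168.1.10:1047      203.0.113.9:80         SYN_SENT        1832
  TCP    192.168.1.10:1050      198.51.100.20:443      ESTABLISHED     2204
  TCP    127.0.0.1:1060         127.0.0.1:1061         ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output; updater32.exe is a made-up name.
SAMPLE_TASKLIST = '''\
"svchost.exe","948","Console","0","4,120 K"
"updater32.exe","1832","Console","0","2,904 K"
"firefox.exe","2204","Console","0","48,300 K"
'''

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) for every TCP row.
    TCP rows have five columns; UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return rows

def outbound_by_pid(rows):
    """Map PID -> remote endpoints of its active, non-loopback connections."""
    per_pid = defaultdict(list)
    for _proto, _local, remote, state, pid in rows:
        host = remote.rsplit(":", 1)[0]
        loopback = host.startswith("127.") or host == "[::1]"
        if state in ("ESTABLISHED", "SYN_SENT") and not loopback:
            per_pid[pid].append(remote)
    return per_pid

def report(netstat_text, tasklist_csv):
    """Rank processes by outbound connection count, busiest first."""
    names = {int(r[1]): r[0] for r in csv.reader(tasklist_csv.splitlines()) if len(r) > 1}
    hits = outbound_by_pid(parse_netstat(netstat_text))
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return [(names.get(p, "?"), p, len(r), sorted(set(r))) for p, r in ranked]
```

A process that tops this list while no browser or P2P client is open is the one to inspect first; a PID that shows as `?` had exited or was hidden from `tasklist` when the snapshot was taken.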

Using Zonelabs, Ad-aware and Spybot S&D. None of these even detected it.

To get rid of it I used prevx; well, it's not there anymore, hope it got rid.


Hmmm, had not heard of prevx until now.. Will have to give them a look see, next time I have to clean up some user's box..

Glad it worked out for ya, so did you buy prevx or did the free trial clean you up? You can lic it for 1 month for $4.95 -- kind of neat idea, so for $5 you should be able to clean up your machine..

So how much did it find -- just the one infection?


BudMan

Free key, found that one infection in the process, cleaned it (well I think it did) then restarted.

mezoko

Zonelabs security centre so firewall and anti-virus, program control all that stuff


Looks like you missed the correction I added.
No I saw this ---> "NVM. nslookup still finds them."? How does that give him any info to where his machine was going? That is not a correction.. that is a nevermind my post was meaningless spam anyway type statement ;)

mezoko

Zonelabs security centre so firewall and anti-virus, program control all that stuff

You may want to consider getting some better antivirus then :-/

