Lil' J (thread author), January 6, 2007:
Hi. For the past 2 weeks now I have noticed on my bandwidth monitor a constant upload. I checked processes but I can't see anything out of the ordinary. I went on CMD and put "netstat" to see many, many, many connections connected to me from the same host name as my computer. Sometimes the Windows XP dialog that pops up when a program wants to connect to the internet says a program wants to connect to "www.starman.ee" or "www.if.ee". I have run ad-ware scans and virus scans both in normal boot and safe mode, and whatever they do find never seems to sort this problem out. I'm using Ad-aware and Zonelabs, both with up-to-date definition lists. No P2P such as Limewire or torrents is running on my system when these connections are present. I did block the host; however, 2 were still able to connect and I couldn't use the web for anything else once blocked, as I think I blocked myself. Please help. Need some urgent assistance, kind of worried what could be installed on my system.
raskren, January 6, 2007 (edited):
Those domains aren't owned. NVM. nslookup still finds them.
Lil' J (thread author), January 6, 2007:
Sorry, I don't understand :s?
mkol, January 6, 2007:
There must be some sort of program installed on your PC which is doing this upload. Remove the programs which you don't need or are not sure about. Did you download any free programs from the net? Or did you click on the pop-ups which appear when you are browsing the net? Either way, I think there must be a small program on your PC somewhere which is stealing your bandwidth.
Lil' J (thread author), January 6, 2007 (edited):
Well, I went through Add/Remove Programs in Control Panel and removed any program I wasn't using, and of the programs left I don't think any of them would be hogging my bandwidth. Is there any way I can trace back to the exe? Task Manager looks fine.
raskren, January 6, 2007 (edited):
Kill all unnecessary processes and see if it continues. If it does, run a rootkit scanner and pray that you haven't done any online banking or bill pay recently.
mkol, January 6, 2007:
I had a similar problem in the past; the only thing I suggest is to do more digging on what you have installed, or do a clean format, get yourself a router and use that. NEVER download freebies.
raskren, January 6, 2007:
> I had a similar problem in the past; the only thing I suggest is to do more digging on what you have installed, or do a clean format, get yourself a router and use that. NEVER download freebies.

Why not? Firefox was a freebie.
mkol, January 6, 2007:
The freebie programs I was referring to were not something like Firefox, but something that expires after a certain period and is not from reliable sources. That's what I meant..
k22, January 6, 2007 (edited):
netstat -abo will tell you what process ID/executable name is making those connections. Post the output of that command here if you need more help from here.
+BudMan (MVC), January 7, 2007:
> Those domains aren't owned

Um -- yeah ok..

starman.ee --
Registrant: Starman Kaabeltelevisiooni AS, Akadeemia tee 28, EE0026 Tallinn, TEL +372 6 779 955, FAX +372 6 779 907
Domain Name: starman.ee
Contacts: Margus Paap
Record created on 19-Jun-1997
Record changed on 19-Jun-1997

if.ee --
Registrant: AS If Kinnisvarahaldus, Pronksi, 19, Tallinn, Harjumaa, 10124, TEL +3726671100, FAX +3726671101
Domain Name: if.ee
Contacts: Erik Matt *********@kindlustus.ee
Record created on 06-Feb-2002
Record changed on 01-Apr-2005

Do you live in Estonia?? Not sure why your machine would try to contact these domains?? Could be that you're infected with some type of trojan that has your machine doing a DDoS attack against these sites? What port does netstat show they are connecting to? As already stated, a netstat -o or -b will give you the PID or binary that is creating the connection.. Or you could download the FREE tool http://www.microsoft.com/technet/sysintern...ng/TcpView.mspx

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.

But yeah, if your machine is making connections to any IP that you have not actually requested, or a minor phone-home type thing.. I.e. you're constantly showing upload bandwidth usage.. How much exactly??? You're infected with something.. You need to find exactly what process is creating the connection, and then correct it.

Estonia -- Really? ;) Not a country you hear of much.. Pretty kewl name though, and hey, how could you not like the "kroon" -- too bad they are switching to the euro next year.. Tallinn is on my list of places to visit.. but you sure do not hear of this country much.. But you're infected with something talking to a machine somewhere there.. Kind of kewl if you think about it ;) hehehhe
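The netstat -o / -b step that k22 and BudMan both recommend leaves you reading a long table by eye. As an added example (not code from this thread or from any of its posters), the Python script below parses the tabular output of netstat -ano on Windows, counts established TCP connections per process and remote host while ignoring loopback and LAN peers, and flags any PID that holds several concurrent connections to the same outside host, which is the pattern the original poster describes. The netstat output, PIDs and IP addresses embedded in it are constructed for illustration and are not from the thread; on a real machine you would feed the script the saved output of netstat -ano and then look up the flagged PIDs with tasklist or netstat -b.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_netstat(text: str) -> list:
    """Parse the table printed by `netstat -ano` on Windows into Conn records.
    TCP rows carry a State column; UDP rows do not, so they have one token fewer."""
    conns = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue  # skips the banner, the header row and blank lines
        if tokens[0] == "TCP" and len(tokens) == 5:
            proto, local, remote, state, pid = tokens
        elif tokens[0] == "UDP" and len(tokens) == 4:
            proto, local, remote, pid = tokens
            state = ""
        else:
            continue  # malformed row: ignore rather than guess
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def remote_host(addr: str) -> str:
    """Strip the port from 'host:port' (rsplit also copes with '[::1]:80')."""
    return addr.rsplit(":", 1)[0]


# Loopback, RFC 1918 LAN ranges and wildcard listeners are not "outside" peers.
# (172.16/12 is not covered here; extend the tuple if your LAN uses it.)
LOCAL_PREFIXES = ("127.", "192.168.", "10.", "0.0.0.0", "*", "[::")


def is_local(host: str) -> bool:
    return host.startswith(LOCAL_PREFIXES)


def established_by_pid(conns) -> dict:
    """Map pid -> Counter of outside remote hosts with ESTABLISHED TCP connections."""
    counts = defaultdict(Counter)
    for c in conns:
        if c.proto == "TCP" and c.state == "ESTABLISHED":
            host = remote_host(c.remote)
            if not is_local(host):
                counts[c.pid][host] += 1
    return counts


def flag_processes(conns, threshold: int = 3) -> list:
    """Return (pid, remote_host, count) for each process holding `threshold` or
    more concurrent established connections to the same outside host."""
    flagged = []
    for pid, hosts in established_by_pid(conns).items():
        for host, n in hosts.most_common():
            if n >= threshold:
                flagged.append((pid, host, n))
    return flagged


# Constructed sample in the `netstat -ano` layout; PIDs and addresses are made up.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1054       192.168.1.5:1055       ESTABLISHED     1984
  TCP    192.168.1.5:1055       192.168.1.5:1054       ESTABLISHED     1984
  TCP    192.168.1.5:1060       203.0.113.10:6667      ESTABLISHED     1984
  TCP    192.168.1.5:1061       203.0.113.10:6667      ESTABLISHED     1984
  TCP    192.168.1.5:1062       203.0.113.10:6667      ESTABLISHED     1984
  TCP    192.168.1.5:1063       203.0.113.10:6667      ESTABLISHED     1984
  TCP    192.168.1.5:1070       198.51.100.7:80        ESTABLISHED     2240
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for pid, host, n in flag_processes(parse_netstat(SAMPLE)):
        print(f"PID {pid}: {n} established connections to {host}")
        print(f'  next: tasklist /fi "PID eq {pid}"  (or netstat -b to see the binary)')
```

The threshold is deliberately low because a single process keeping several simultaneous sessions open to one outside host is unusual for ordinary desktop software; a browser or mail client usually shows a handful of short-lived connections spread across hosts. The two connections the sample process holds to its own address are excluded from the count, matching the "connections from the same host name as my computer" noise in the first post, so the summary shows only the outside peer worth investigating.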
Lil' J (thread author), January 7, 2007:
Thanks for the help. Using it I have found what is on my PC: irdvxc.exe. I'm using this thread to try and remove it.
+BudMan (MVC), January 7, 2007:
Hmmm, a Google search states that exe is part of the sdbot family.. Here is a tool and instructions for removal: http://www.sophos.com/support/disinfection/sdbot.html What virus scanner are you using?? If it did not detect it, then it is clearly not very good ;)
Lil' J (thread author), January 7, 2007 (edited):
Using Zonelabs, Ad-aware and Spybot S&D. None of these even detected it. To get rid of it I used Prevx; well, it's not there anymore, hope it got rid of it.
+BudMan (MVC), January 7, 2007:
Hmmm, had not heard of Prevx until now.. Will have to give them a look-see next time I have to clean up some user's box.. Glad it worked out for ya, so did you buy Prevx or did the free trial clean you up? You can license it for 1 month for $4.95 -- kind of neat idea, so for $5 you should be able to clean up your machine.. So how much did it find -- just the one infection?
mezoko, January 7, 2007:
Are you using the Zonelabs virus scanner, or just the firewall?
raskren, January 7, 2007:
> Um -- yeah ok..

Looks like you missed the correction I added. I guess when you're that adamant to prove someone wrong it is easy to overlook.
Lil' J (thread author), January 7, 2007 (edited):
BudMan: Free key, found that one infection in the process, cleaned it (well, I think it did) then restarted.
mezoko: Zonelabs Security Centre, so firewall and anti-virus, program control, all that stuff.
+BudMan (MVC), January 7, 2007:
> Looks like you missed the correction I added.

No, I saw this ---> "NVM. nslookup still finds them." How does that give him any info as to where his machine was going? That is not a correction.. that is a "never mind, my post was meaningless spam anyway" type statement ;)
mezoko, January 7, 2007:
> mezoko: Zonelabs Security Centre, so firewall and anti-virus, program control, all that stuff.

You may want to consider getting some better antivirus then :-/
k22, January 7, 2007:
Do another netstat to verify that things are clean.