need help. My PC is sending HEAPS of data out.

Discussion in 'NZ Computing' started by cowboyz, Aug 1, 2006.

  1. cowboyz

    cowboyz Guest

    I noticed that my upload seemed really high. We are talking 100-150meg an
    hour out when the PC is sitting here doing nothing.

    So SmartSniff shows that I am sending mail out SMTP all the time. About 500
    per minute.

    I think Virus. AVG didn't see it. Zone Alarm is ignoring it. So I online
    scan at panda (tried house call first but it won't load??) Found a virus and
    killed it. Problem solved I thought. Nope.

    Now I have no virus/spyware or anything. System is completely clean. Apart
    from sending out heaps of mail


    How do I stop this? I tried blocking IP ranges in zone alarm but I pretty
    much have to block the entire internet to stop it.

    BTW. In the time it took me to type this out I have sent 14 meg out.


    Any ideas?


    this is about 2 seconds of smartsniff running

    1 TCP 203.109.206.243 141.222.1.4 2837 25 xp2100 smtp 1 97 Bytes 298 Bytes 8/1/2006 6:08:15 PM:453
    2 TCP 203.109.206.243 216.254.185.198 2858 25 xp2100 host-198-arido.dsl.primus.ca smtp 4 128 Bytes 427 Bytes 8/1/2006 6:08:15 PM:453
    3 UDP 203.109.206.243 203.0.178.191 2859 53 xp2100 dns.iinet.net.au domain 1 156 Bytes 368 Bytes 8/1/2006 6:08:15 PM:875
    4 TCP 203.109.206.243 203.84.195.1 2845 25 xp2100 mta-v2.mail.vip.tpe.yahoo.com smtp 3 46 Bytes 269 Bytes 8/1/2006 6:08:15 PM:937
    5 TCP 203.109.206.243 213.130.158.169 2842 25 xp2100 adsl213-130-158-169.as15444.net smtp 4 128 Bytes 460 Bytes 8/1/2006 6:08:15 PM:937
    6 UDP 203.109.206.243 203.0.178.191 2860 53 xp2100 dns.iinet.net.au domain 3 87 Bytes 228 Bytes 8/1/2006 6:08:16 PM:062
    7 TCP 203.109.206.243 211.49.224.58 2849 25 xp2100 r-smtp5.korea.com smtp 2 105 Bytes 266 Bytes 8/1/2006 6:08:16 PM:156
    8 TCP 203.109.206.243 203.252.3.229 2846 25 xp2100 smtp 2 93 Bytes 236 Bytes 8/1/2006 6:08:16 PM:265
    9 UDP 203.109.206.243 203.0.178.191 2861 53 xp2100 dns.iinet.net.au domain 2 202 Bytes 318 Bytes 8/1/2006 6:08:16 PM:296
    10 UDP 203.109.206.243 203.0.178.191 2862 53 xp2100 dns.iinet.net.au domain 2 197 Bytes 319 Bytes 8/1/2006 6:08:16 PM:453
    11 UDP 203.109.206.243 203.0.178.191 2863 53 xp2100 dns.iinet.net.au domain 2 137 Bytes 260 Bytes 8/1/2006 6:08:16 PM:531
    12 UDP 203.109.206.243 203.0.178.191 2866 53 xp2100 dns.iinet.net.au domain 2 190 Bytes 310 Bytes 8/1/2006 6:08:16 PM:734
    13 UDP 203.109.206.243 203.0.178.191 2865 53 xp2100 dns.iinet.net.au domain 1 124 Bytes 304 Bytes 8/1/2006 6:08:17 PM:078
    14 UDP 203.109.206.243 203.0.178.191 2868 53 xp2100 dns.iinet.net.au domain 2 220 Bytes 347 Bytes 8/1/2006 6:08:17 PM:093
    15 UDP 203.109.206.243 203.0.178.191 2870 53 xp2100 dns.iinet.net.au domain 1 124 Bytes 304 Bytes 8/1/2006 6:08:17 PM:296
    16 TCP 203.109.206.243 194.113.247.123 2864 25 xp2100 mail02.duesseldorf.de smtp 1 33 Bytes 146 Bytes 8/1/2006 6:08:18 PM:000
    17 TCP 203.109.206.243 194.113.247.123 2869 25 xp2100 mail02.duesseldorf.de smtp 1 33 Bytes 146 Bytes 8/1/2006 6:08:18 PM:000
     
    cowboyz, Aug 1, 2006
    #1
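
The capture in the post above shows the pattern worth alerting on: one local host opening TCP/25 to many unrelated mail servers, with DNS lookups interleaved. The following is an added example (not from the thread) that parses SmartSniff-style rows and flags that fan-out; the column meanings, the `min_destinations` threshold and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed rows in the column order assumed for the SmartSniff export above:
# index, protocol, local IP, remote IP, local port, remote port, local host,
# [remote host], service, packets, data size, total size, capture time.
# All addresses are RFC 5737 documentation ranges, not values from the thread.
SAMPLE = """\
1 TCP 192.0.2.10 198.51.100.4 2837 25 xp2100 smtp 1 97 Bytes 298 Bytes 8/1/2006 6:08:15 PM:453
2 TCP 192.0.2.10 198.51.100.77 2858 25 xp2100 mx1.example.net smtp 4 128 Bytes 427 Bytes 8/1/2006 6:08:15 PM:453
3 UDP 192.0.2.10 203.0.113.53 2859 53 xp2100 dns.example.org domain 1 156 Bytes 368 Bytes 8/1/2006 6:08:15 PM:875
4 TCP 192.0.2.10 198.51.100.130 2845 25 xp2100 mta.example.com smtp 3 46 Bytes 269 Bytes 8/1/2006 6:08:15 PM:937
5 TCP 192.0.2.10 198.51.100.201 2842 25 xp2100 smtp 4 128 Bytes 460 Bytes 8/1/2006 6:08:16 PM:156
6 UDP 192.0.2.10 203.0.113.53 2860 53 xp2100 dns.example.org domain 3 87 Bytes 228 Bytes 8/1/2006 6:08:16 PM:296
7 TCP 192.0.2.10 198.51.100.201 2869 25 xp2100 smtp 1 33 Bytes 146 Bytes 8/1/2006 6:08:17 PM:453
8 TCP 192.0.2.20 203.0.113.25 1044 25 laptop relay.example.org smtp 9 2048 Bytes 2400 Bytes 8/1/2006 6:08:16 PM:000
9 TCP 192.0.2.20 203.0.113.25 1045 25 laptop relay.example.org smtp 7 1024 Bytes 1300 Bytes 8/1/2006 6:08:17 PM:000
"""

ROW = re.compile(
    r"^\d+\s+(?P<proto>TCP|UDP)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\d+\s+(?P<dport>\d+)\s+"
    r".*?(?P<data>\d+) Bytes\s+\d+ Bytes\s+\S+\s+"
    r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) (?P<ampm>AM|PM):(?P<ms>\d+)\s*$"
)

def parse_rows(text):
    """Yield (proto, src, dst, dport, data_bytes, time_ms) for each parsable row."""
    for line in text.splitlines():
        hit = ROW.match(line.strip())
        if not hit:
            continue  # wrapped or truncated rows are skipped, not guessed at
        hour = int(hit["h"]) % 12 + (12 if hit["ampm"] == "PM" else 0)
        time_ms = ((hour * 60 + int(hit["m"])) * 60 + int(hit["s"])) * 1000 + int(hit["ms"])
        yield hit["proto"], hit["src"], hit["dst"], int(hit["dport"]), int(hit["data"]), time_ms

def smtp_fanout(text, min_destinations=3):
    """Report local hosts that open TCP/25 to at least min_destinations distinct servers."""
    hosts = defaultdict(lambda: {"dests": set(), "flows": 0, "dns": 0, "bytes": 0, "times": []})
    for proto, src, dst, dport, data, time_ms in parse_rows(text):
        entry = hosts[src]
        if proto == "TCP" and dport == 25:
            entry["dests"].add(dst)
            entry["flows"] += 1
            entry["bytes"] += data
            entry["times"].append(time_ms)
        elif proto == "UDP" and dport == 53:
            entry["dns"] += 1
    report = {}
    for src, entry in hosts.items():
        # A desktop mail client normally talks to one or two relays; many
        # distinct port-25 peers means the host is delivering mail directly.
        if len(entry["dests"]) < min_destinations:
            continue
        span_ms = max(entry["times"]) - min(entry["times"])  # same-day capture assumed
        report[src] = {
            "destinations": len(entry["dests"]),
            "flows": entry["flows"],
            "dns_lookups": entry["dns"],
            "data_bytes": entry["bytes"],
            "span_ms": span_ms,
            "flows_per_min": entry["flows"] * 60000 // span_ms if span_ms else None,
        }
    return report
```
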

  2. cowboyz

    Jo Guest

    "cowboyz" <> wrote in message
    news:eamr98$elk$...
    >I noticed that my upload seemed really high. We are talking 100-150meg an
    >hour out when the PC is sitting here doing nothing.
    >
    > So SmartSniff shows that I am sending mail out SMTP all the time. About
    > 500 per minute.
    >
    > I think Virus. AVG didn't see it. Zone Alarm is ignoring it. So I
    > online scan at panda (tried house call first but it won't load??) Found a
    > virus and killed it. Problem solved I thought. Nope.
    >
    > Now I have no virus/spyware or anything. System is completely clean.
    > Apart from sending out heaps of mail
    >
    >
    > How do I stop this? I tried blocking IP ranges in zone alarm but I pretty
    > much have to block the entire internet to stop it.
    >
    > BTW. In the time it took me to type this out I have sent 14 meg out.
    >
    >

    Firstly contact your isp let them know.

    Reboot. Check your processes, and look for unfamiliar ones

    Update your virus scanner asap

    I would also recommend setting zone alarm to stop smtp.

    Being a non technical person and not in front of your pc I suspect one of
    two things - virus type mailer or your machine has been zombied.
     
    Jo, Aug 1, 2006
    #2

  3. cowboyz

    cowboyz Guest

    "Jo" <> wrote in message news:44cef5a1$...
    >


    > Firstly contact your isp let them know.


    done that. they said too bad. And BTW. limited to 64k now.

    >
    > Reboot. Check your processes, and look for unfamiliar ones


    There is this starwindservice that I can't get rid of. going to be working
    on this angle.
    >
    > Update your virus scanner asap
    >

    always up to date and running. I don't know why it missed it in the first
    place.


    > I would also recommend setting zone alarm to stop smtp.


    good idea. done that.

    >
    > Being a non technical person and not in front of your pc I suspect one of
    > two things - virus type mailer or your machine has been zombied.
    >
    >

    this is my suspect too but I just can't find the damn thing.


    thanks for the advice.
     
    cowboyz, Aug 1, 2006
    #3
  4. cowboyz

    jay Guest

    In article <eamu08$jh2$>, says...
    >
    > "Jo" <> wrote in message news:44cef5a1$...
    > >

    >
    > > Firstly contact your isp let them know.

    >
    > done that. they said too bad. And BTW. limited to 64k now.
    >
    > >
    > > Reboot. Check your processes, and look for unfamiliar ones

    >
    > There is this starwindservice that I can't get rid of. going to be working
    > on this angle.
    > >
    > > Update your virus scanner asap
    > >

    > always up to date and running. I dont know why it missed it in the first
    > place.
    >
    >
    > > I would also recommend setting zone alarm to stop smtp.

    >
    > good idea. done that.
    >
    > >
    > > Being a non technical person and not in front of your pc I suspect one of
    > > two things - virus type mailer or your machine has been zombied.
    > >
    > >

    > this is my suspect too but I just cant find the damn thing.
    >
    >
    > thanks for the advice.
    >
    >


    Get

    http://www.sysinternals.com/Utilities/TcpView.html

    use it to identify which process is sending the stuff, double-click on
    a line to see pathname etc
     
    jay, Aug 1, 2006
    #4
  5. cowboyz

    Dogboy Guest

    cowboyz wrote:
    > I noticed that my upload seemed really high. We are talking 100-150meg an
    > hour out when the PC is sitting here doing nothing.
    >
    > So SmartSniff shows that I am sending mail out SMTP all the time. About 500
    > per minute.


    Most probably your PC has been "owned" and is now a spam zombie, by the
    sounds of it you may be rootkitted and therefore anything said by
    programs installed on your machine can be considered suspect.

    You could try to fluff around and get rid of the infection but I
    recommend you back up your important data on to CD or DVD and then format
    and reinstall Windows, then patch up to date. It's fairly drastic but it's
    about the only way you can be sure you're not infected again.
     
    Dogboy, Aug 1, 2006
    #5
  6. cowboyz

    thingy Guest

    cowboyz wrote:
    > "Jo" <> wrote in message news:44cef5a1$...
    >
    >
    >>Firstly contact your isp let them know.

    >
    >
    > done that. they said too bad. And BTW. limited to 64k now.
    >
    >
    >>Reboot. Check your processes, and look for unfamiliar ones

    >
    >
    > There is this starwindservice that I can't get rid of. going to be working
    > on this angle.
    >
    >>Update your virus scanner asap
    >>

    >
    > always up to date and running. I dont know why it missed it in the first
    > place.
    >
    >
    >
    >>I would also recommend setting zone alarm to stop smtp.

    >
    >
    > good idea. done that.
    >
    >
    >>Being a non technical person and not in front of your pc I suspect one of
    >>two things - virus type mailer or your machine has been zombied.
    >>
    >>

    >
    > this is my suspect too but I just cant find the damn thing.
    >
    >
    > thanks for the advice.
    >
    >


    Sounds like you have been zombied and seriously so, MS is especially
    weak on rootkit infections....forget the advice herein (zonealarm etc),
    if you cannot find it to be honest I don't think you ever will 100% be
    sure your machine is OK, so back up your stuff, low level format your hd
    and re-install. If you don't have an anti-virus checker get clamav, it's
    free and as it's non-main stream so more likely to work, also spybot and
    zone alarm...use thunderbird and firefox....patch every second wednesday
    in the month without fail....you might live a few a while.....IE,
    outlook are the biggest attack vectors don't use them, you will be dead
    in no time....

    regards

    Thing
     
    thingy, Aug 1, 2006
    #6
  7. cowboyz

    E. Scrooge Guest

    "cowboyz" <> wrote in message
    news:eamr98$elk$...
    >I noticed that my upload seemed really high. We are talking 100-150meg an
    >hour out when the PC is sitting here doing nothing.
    >
    > So SmartSniff shows that I am sending mail out SMTP all the time. About
    > 500 per minute.
    >
    > I think Virus. AVG didn't see it. Zone Alarm is ignoring it. So I
    > online scan at panda (tried house call first but it won't load??) Found a
    > virus and killed it. Problem solved I thought. Nope.
    >
    > Now I have no virus/spyware or anything. System is completely clean.
    > Apart from sending out heaps of mail
    >
    >
    > How do I stop this? I tried blocking IP ranges in zone alarm but I pretty
    > much have to block the entire internet to stop it.
    >
    > BTW. In the time it took me to type this out I have sent 14 meg out.
    >
    >
    > Any ideas?


    Hijack This and other programs to clean out anything suspicious. There's a
    malicious program with probably more than one file that will be doing it.
    There could be other things happening as well.

    Did you note the name of the virus? Info on Google might tell you all about
    the damage it does and how to fix it.

    E. Scrooge
     
    E. Scrooge, Aug 1, 2006
    #7
  8. cowboyz

    Mark C Guest

    jay <> wrote in
    news::

    > In article <eamu08$jh2$>,
    > says...
    >>
    >> "Jo" <> wrote in message
    >> news:44cef5a1$...
    >> >

    >>
    >> > Firstly contact your isp let them know.

    >>
    >> done that. they said too bad. And BTW. limited to 64k now.
    >>
    >> >
    >> > Reboot. Check your processes, and look for unfamiliar ones

    >>
    >> There is this starwindservice that I can't get rid of. going
    >> to be working on this angle.
    >> >
    >> > Update your virus scanner asap
    >> >

    >> always up to date and running. I dont know why it missed it in
    >> the first place.
    >>
    >>
    >> > I would also recommend setting zone alarm to stop smtp.

    >>
    >> good idea. done that.
    >>
    >> >
    >> > Being a non technical person and not in front of your pc I
    >> > suspect one of two things - virus type mailer or your machine
    >> > has been zombied.
    >> >
    >> >

    >> this is my suspect too but I just cant find the damn thing.
    >>
    >>
    >> thanks for the advice.
    >>
    >>

    >
    > Get
    >
    > http://www.sysinternals.com/Utilities/TcpView.html
    >
    > use it to identify which process is sending the stuff,
    > double-click on a line to see pathname etc


    Also, get EMSIsoft HiJackFree:
    http://www.emsisoft.com/en/
    http://www.hijackfree.com/en/

    Allegedly (I have not used it myself), it drills down into a process
    better than the free sysinternals TcpView.

    Also, Autoruns could be good for finding and stopping stuff
    (services, apps)
    http://www.sysinternals.com/Utilities/Autoruns.html

    (HiJackFree claims to do the same as Autoruns)

    Mark
     
    Mark C, Aug 1, 2006
    #8
  9. cowboyz

    cowboyz Guest

    "Mark C" <> wrote in message
    news:44cf06f4$0$1468$...
    > jay <> wrote in
    > news::
    >
    >> In article <eamu08$jh2$>,
    >> says...
    >>>
    >>> "Jo" <> wrote in message
    >>> news:44cef5a1$...
    >>> >
    >>>
    >>> > Firstly contact your isp let them know.
    >>>
    >>> done that. they said too bad. And BTW. limited to 64k now.
    >>>
    >>> >
    >>> > Reboot. Check your processes, and look for unfamiliar ones
    >>>
    >>> There is this starwindservice that I can't get rid of. going
    >>> to be working on this angle.
    >>> >
    >>> > Update your virus scanner asap
    >>> >
    >>> always up to date and running. I dont know why it missed it in
    >>> the first place.
    >>>
    >>>
    >>> > I would also recommend setting zone alarm to stop smtp.
    >>>
    >>> good idea. done that.
    >>>
    >>> >
    >>> > Being a non technical person and not in front of your pc I
    >>> > suspect one of two things - virus type mailer or your machine
    >>> > has been zombied.
    >>> >
    >>> >
    >>> this is my suspect too but I just cant find the damn thing.
    >>>
    >>>
    >>> thanks for the advice.
    >>>
    >>>

    >>
    >> Get
    >>
    >> http://www.sysinternals.com/Utilities/TcpView.html
    >>
    >> use it to identify which process is sending the stuff,
    >> double-click on a line to see pathname etc

    >
    > Also, get EMSIsoft HiJackFree:
    > http://www.emsisoft.com/en/
    > http://www.hijackfree.com/en/
    >
    > Allegedly (I have not used it myself), it drills down into a process
    > better than the free sysinternals TcpView.
    >
    > Also, Autoruns could be good for finding and stopping stuff
    > (services, apps)
    > http://www.sysinternals.com/Utilities/Autoruns.html
    >
    > (HiJackFree claims to do the same as Autoruns)
    >
    > Mark




    thanks for all the advice.


    I turned off printer spooler service and it has "fixed"/"masked" the
    problem. I will format when I get more time. Probably on the weekend. At
    least I can use my internet connection now.
     
    cowboyz, Aug 1, 2006
    #9
  10. cowboyz

    Dave Taylor Guest

    Dave Taylor, Aug 1, 2006
    #10
  11. cowboyz

    Brendan Guest

    On Tue, 1 Aug 2006 18:11:32 +1200, cowboyz wrote:

    > I noticed that my upload seemed really high. We are talking 100-150meg an
    > hour out when the PC is sitting here doing nothing.


    You have a 'rootkit', these are special virus type things that use new
    systems to hide from the OS. That is why virus killers etc will not find
    them - they delete their names from any file list the computer makes, at a
    very low level.

    You can remove them by booting from a live CD, like Bart's PE cd, with the
    appropriate virus killer stuff on that disk, and then scan for the root
    kit. This is very technical work though and may be beyond your skill
    levels.

    You could try some of the rootkit detectors out, they often work, try the
    sysinternals one.

    Other than that, it's backup your good files and format your drive,
    reinstall. The format is important because you may just inherit the rootkit
    if you don't.

    One thing is for sure: if you do not stop it spamming 50 million people a
    day, your account will be deleted by your ISP pretty fast.

    --

    .... Brendan

    Police arrested two kids yesterday, one was drinking battery
    acid, and the other was eating fireworks. They charged one and let the
    other one off.


    Note: All my comments are copyright 1/08/2006 7:53:07 p.m. and are opinion only where not otherwise stated and always "to the best of my recollection". www.computerman.orcon.net.nz.
     
    Brendan, Aug 1, 2006
    #11
  12. cowboyz

    MaHogany Guest

    On Tue, 01 Aug 2006 18:11:32 +1200, cowboyz wrote:

    > How do I stop this.


    Format c:

    Install a non-microsoft OS.


    Ma Hogany

    --
    Q: How do I make Windows(TM) go faster?
    A: Throw it harder...
     
    MaHogany, Aug 1, 2006
    #12
  13. cowboyz

    MaHogany Guest

    On Tue, 01 Aug 2006 18:57:56 +1200, cowboyz wrote:

    >> Update your virus scanner asap
    >>

    > always up to date and running. I dont know why it missed it in the first
    > place.


    The problem is that you're using M$ Windows, as MS Windows is extremely
    vulnerable to viruses that can bypass detection.

    The only real solution is to not use Microsoft software.


    Ma Hogany

    --
    Q: How do I make Windows(TM) go faster?
    A: Throw it harder...
     
    MaHogany, Aug 1, 2006
    #13
  14. cowboyz

    E. Scrooge Guest

    "MaHogany" <> wrote in message
    news:p...
    > On Tue, 01 Aug 2006 18:57:56 +1200, cowboyz wrote:
    >
    >>> Update your virus scanner asap
    >>>

    >> always up to date and running. I dont know why it missed it in the first
    >> place.

    >
    > The problem is that you're using M$ Windows, as MS Windows is extremely
    > vulnerable to viruses that can bypass detection.
    >
    > The only real solution is to not use Microsoft software.
    >
    >
    > Ma Hogany


    According to Bruce Simpson what you're trying to use as an OS is dead in the
    water.

    E. Scrooge
     
    E. Scrooge, Aug 1, 2006
    #14
  15. cowboyz

    XPD Guest

    cowboyz wrote:

    >
    >> Reboot. Check your processes, and look for unfamiliar ones

    >
    > There is this starwindservice that I can't get rid of. going to be working
    > on this angle.


    Starwind is a valid process, just can't remember exactly what runs
    it...some app I've got installed.... that's right, it's Alcohol 120% that
    uses it.
     
    XPD, Aug 2, 2006
    #15
  16. cowboyz

    Earl Grey Guest

    E. Scrooge wrote:

    >
    > According to Bruce Simpson what you're trying to use as an OS is dead in the
    > water.
    >
    > E. Scrooge
    >
    >


    Who he ?
     
    Earl Grey, Aug 2, 2006
    #16
  17. cowboyz

    E. Scrooge Guest

    "Earl Grey" <> wrote in message news:44d009fd$...
    > E. Scrooge wrote:
    >
    >>
    >> According to Bruce Simpson what you're trying to use as an OS is dead in
    >> the water.
    >>
    >> E. Scrooge

    >
    > Who he ?


    Native in jungle.

    E. Scrooge
     
    E. Scrooge, Aug 2, 2006
    #17
  18. cowboyz

    TomC Guest

    cowboyz wrote:
    > I noticed that my upload seemed really high. We are talking 100-150meg an
    > hour out when the PC is sitting here doing nothing.
    >
    > So SmartSniff shows that I am sending mail out SMTP all the time. About 500
    > per minute.
    >
    > I think Virus. AVG didn't see it. Zone Alarm is ignoring it. So I online
    > scan at panda (tried house call first but it won't load??) Found a virus and
    > killed it. Problem solved I thought. Nope.
    >
    > Now I have no virus/spyware or anything. System is completely clean. Apart
    > from sending out heaps of mail
    >
    >
    > How do I stop this? I tried blocking IP ranges in zone alarm but I pretty
    > much have to block the entire internet to stop it.
    >
    > BTW. In the time it took me to type this out I have sent 14 meg out.
    >
    >
    > Any ideas?
    >
    >

    Anyone who thinks they are safe using AVG Free needs to think
    again. We thank AVG Free for all the work that comes our way!

    If you can not afford Kaspersky, PC-cillin, AntiViren Kit or
    BitDefender then try AntiVir....

    http://www.free-av.com/

    cheers, Tom
     
    TomC, Aug 3, 2006
    #18
