Strange thing happened after my own video crashed.

Discussion in 'Windows 64bit' started by Skybuck Flying, Mar 20, 2010.

  1. Hello,

    I was watching my own video (locally on the pc)... and I shut it down and
    then it crashed... I can't remember if it was played with Windows Media
    Player or WinAmp.

    The following happened it said: "runtime error" (210 I think it was)

    Then I noticed my internet connection was active... it was sending about 4
    packets/sec.

    Then I looked with netstat -a -o -n

    Suddenly there were many connections being made to all kinds of addresses.

    Also I tried to terminate iexplore.exe and it wouldn't terminate... it would
    keep "respawning itself".

    There were no active internet explorers... it seemed like hidden internet
    explorers...

    It looked like a trojan in memory to me...

    I quickly disabled my internet connection to stop the reconnectings and to
    terminate iexplore.exe properly.

    I then did a reboot, went to windowsupdate to see if there were any security
    issues... none really except windows movie maker (installed that one
    afterwards).

    Something strange is going on with my system I think... when I start
    internet explorer 32 bit it actually starts two internet explorers ?!?

    Both say: iexplore.exe*32 in tasklist... I don't think it did that before
    (?)

    Anyway this whole incident has me spooked a little bit... so I thought I
    report it !

    I also have a little theory about what might be going on:

    Theory 1:

    WinAmp or Media Player has a trojan inside it which becomes active when a
    runtime error 210(?) occurs.

    Theory 2:

    The video was encoded with ffmpeg and mpeg2/4, since those are probably open
    source tool, there might be a hidden trojan inside that codec which could
    later become active or be exploited ?

    Theory 3:

    The crash occurred and at the same time I get hit by a trojan packet from the
    internet... seems unlikely to me.

    Theory 4:

    Might be a left over from browsing other websites...

    Theory 5:

    It was nothing and I am seeing ghosts.. or maybe windows media player or
    winamp was trying to download something... maybe a codec after it crashed ?
    which would seem weird... or maybe it was trying to send a crash report...
    but why would it open so many addresses ?!? Doesn't seem logical to me... No
    something weird definitely happened... since it got me spooked good ! ;) :)

    If I had to place my bets it's either 1 or 2, very maybe 3.

    Bye,
    Skybuck.
     
    Skybuck Flying, Mar 20, 2010
    #1

  2. "Skybuck Flying" <> wrote in message
    news:bebc4$4ba55a9b$d53371df$1.nb.home.nl...
    > Hello,
    >
    > I was watching my own video (locally on the pc)... and I shut it down and
    > then it crashed... I can't remember if it was played with Windows Media
    > Player or WinAmp.
    >
    > The following happened it said: "runtime error" (210 I think it was)
    >
    > Then I noticed my internet connection was active... it was sending about 4
    > packets/sec.
    >
    > Then I looked with netstat -a -o -n
    >
    > Suddenly there were many connections being made to all kinds of addresses.
    >
    > Also I tried to terminate iexplore.exe and it wouldn't terminate... it
    > would keep "respawning itself".
    >
    > There were no active internet explorers... it seemed like hidden internet
    > explorers...
    >
    > It looked like a trojan in memory to me...
    >
    > I quickly disabled my internet connection to stop the reconnectings and to
    > terminate iexplore.exe properly.
    >
    > I then did a reboot, went to windowsupdate to see if there were any
    > security issues... none really except windows movie maker (installed that
    > one afterwards).
    >
    > Something strange is going on with my system I think... when I start
    > internet explorer 32 bit it actually starts two internet explorers ?!?
    >
    > Both say: iexplore.exe*32 in tasklist... I don't think it did that before
    > (?)
    >
    > Anyway this whole incident has me spooked a little bit... so I thought I
    > report it !
    >
    > I also have a little theory about what might be going on:
    >
    > Theory 1:
    >
    > WinAmp or Media Player has a trojan inside it which becomes active when a
    > runtime error 210(?) occurs.
    >
    > Theory 2:
    >
    > The video was encoded with ffmpeg and mpeg2/4, since those are probably
    > open source tool, there might be a hidden trojan inside that codec which
    > could later become active or be exploited ?
    >
    > Theory 3:
    >
    > The crash occurred and at the same time I get hit by a trojan packet from
    > the internet... seems unlikely to me.
    >
    > Theory 4:
    >
    > Might be a left over from browsing other websites...
    >
    > Theory 5:
    >
    > It was nothing and I am seeing ghosts.. or maybe windows media player or
    > winamp was trying to download something... maybe a codec after it crashed
    > ? which would seem weird... or maybe it was trying to send a crash
    > report... but why would it open so many addresses ?!? Doesn't seem logical
    > to me... No something weird definitely happened... since it got me spooked
    > good ! ;) :)
    >
    > If I had to place my bets it's either 1 or 2, very maybe 3.


    Very maybe 5 I meant...

    >
    > Bye,
    > Skybuck.
    >
     
    Skybuck Flying, Mar 20, 2010
    #2

  3. Also in case you can't tell from the headers... this was XP x64 Pro
    edition... with IE8
    ... and old winamp version... and probably latest windows media player.

    Bye,
    Skybuck.
     
    Skybuck Flying, Mar 20, 2010
    #3
  4. "Skybuck Flying" <> wrote in message
    news:bebc4$4ba55a9b$d53371df$1.nb.home.nl...

    > Then I looked with netstat -a -o -n



    So, what did the -o show you? That's the PID on the right side of each
    line. In fact, it sometimes helps to use -b too.

    netstat -abnop TCP

    is what I usually use. But a simpler to use tool would be TCPView.


    >
    > Suddenly there were many connections being made to all kinds of addresses.



    Using which programs, to which ports?


    >
    > Also I tried to terminate iexplore.exe and it wouldn't terminate... it
    > would keep "respawning itself".
    >
    > There were no active internet explorers... it seemed like hidden internet
    > explorers...



    Use Process Explorer (ProcExp) instead of Task Manager to see if they are
    related to some other task.


    >
    > It looked like a trojan in memory to me...



    ProcExp can also show you what each task contains.


    >
    > I quickly disabled my internet connection to stop the reconnectings and to
    > terminate iexplore.exe properly.
    >
    > I then did a reboot, went to windowsupdate to see if there were any
    > security issues... none really except windows movie maker (installed that
    > one afterwards).
    >


    > Something strange is going on with my system I think... when I start
    > internet explorer 32 bit it actually starts two internet explorers ?!?
    >
    > Both say: iexplore.exe*32 in tasklist... I don't think it did that before
    > (?)



    That's normal for IE8. LCIE.


    >
    > Anyway this whole incident has me spooked a little bit... so I thought I
    > report it !
    >
    > I also have a little theory about what might be going on:


    <voice actor="Joe Friday">
    Just the facts,.... All we want are the facts.
    </voice>


    HTH

    Robert Aldwinckle
    ---
     
    Robert Aldwinckle, Mar 21, 2010
    #4
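
Added example (not part of any post in this thread): a small parser that answers the "which programs, to which ports?" question from saved `netstat -a -o -n` output by grouping outbound TCP connections by owning PID. The sample output, addresses, PIDs and the `min_remotes` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -a -o -n` output (documentation-range
# addresses and invented PIDs; not data from this thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.0.2.10:1061        198.51.100.7:80        ESTABLISHED     3120
  TCP    192.0.2.10:1062        198.51.100.8:80        ESTABLISHED     3120
  TCP    192.0.2.10:1063        203.0.113.21:443       SYN_SENT        3120
  TCP    192.0.2.10:1064        203.0.113.40:80        TIME_WAIT       0
  TCP    192.0.2.10:1070        198.51.100.7:80        ESTABLISHED     2456
  UDP    0.0.0.0:500            *:*                                    700
"""

# TCP rows: proto, local endpoint, foreign endpoint, state, owning PID (-o).
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def outbound_by_pid(text):
    """Map PID -> distinct remote hosts and remote ports it is talking to."""
    table = defaultdict(lambda: {"remotes": set(), "ports": set()})
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows (no state column)
        _local, foreign, state, pid = m.groups()
        # Listeners have no peer; TIME_WAIT rows are reported under PID 0
        # because the owning process has already closed the socket.
        if state in ("LISTENING", "TIME_WAIT"):
            continue
        host, _, port = foreign.rpartition(":")  # rpartition keeps IPv6 hosts whole
        table[int(pid)]["remotes"].add(host.strip("[]"))
        table[int(pid)]["ports"].add(int(port))
    return dict(table)

def noisy_pids(text, min_remotes=3):
    """PIDs with at least min_remotes distinct peers, busiest first."""
    rows = [(pid, len(v["remotes"]), sorted(v["ports"]))
            for pid, v in outbound_by_pid(text).items()
            if len(v["remotes"]) >= min_remotes]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for pid, count, ports in noisy_pids(SAMPLE):
        print(f"PID {pid}: {count} distinct remote hosts, ports {ports}")
```

Each reported PID can then be looked up in Process Explorer or TCPView, as suggested in the post above, to see which program and parent process own the connections.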
  5. My computer is very fast, so a trojan could do damage very fast... so I have
    no time to analyze what's going on... so I can't answer your questions.

    >> I quickly disabled my internet connection to stop the reconnectings and
    >> to
    >> terminate iexplore.exe properly.


    ^ Exactly ;)

    >> Something strange is going on with my system I think... when I start
    >> internet explorer 32 bit it actually starts two internet explorers ?!?
    >>
    >> Both say: iexplore.exe*32 in tasklist... I don't think it did that before
    >> (?)

    >
    >
    > That's normal for IE8. LCIE.


    Hmmm indeed, it seems to be something new since IE7 ?

    http://blogs.msdn.com/ie/archive/2008/03/11/ie8-and-loosely-coupled-ie-lcie.aspx
    (Apparently control-n opens new tab... could be handy tip ;) :))

    Ok, good to know that...

    However I think IE7 did:

    iexplore*32.exe and iexplore*64.exe

    Now IE8 does twice iexplore*32.exe

    >> Anyway this whole incident has me spooked a little bit... so I thought I
    >> report it !
    >>
    >> I also have a little theory about what might be going on:

    >
    > <voice actor="Joe Friday">
    > Just the facts,.... All we want are the facts.
    > </voice>


    :)

    Bye,
    Skybuck ;) :)
     
    Skybuck Flying, Mar 21, 2010
    #5
  6. However there is one thing I do remember seeing... two ip addresses both
    started with 74.*.*.*

    I have seen that before... maybe it was youtube ?

    After that many other ip addresses were being opened <- which was scary.

    Bye,
    Skybuck.
     
    Skybuck Flying, Mar 21, 2010
    #6