Question

Started by khyron, Oct 08, 2006, 01:37:53

khyron

I noticed since my speeds went down that my uploads have increased dramatically. I used to upload about 100 MB of data or so after a few days or a week, but now I am uploading almost 1 GB a day.

I have scanned my comp for viruses and they have been removed but this is most unusual.

Any insights?

MAnn

cavillas

Do you have P2P installed and running?
------
Alf :)

Toxteth_OGrady

Go to http://www.sysinternals.com/Utilities/TcpView.html and download TCPView.  You should be able to see which process and port is being used by the uploads.
604

khyron

No P2P running, only MSN Messenger, firewall enabled with ports open for World of Warcraft.

How do I make sense of the info I get from TCPView? I am a newbie, but from this I gather I have a virus that is sending mail out; ports are open to SMTP servers,
e.g.
SNOD326.EXE:224   TCP   mann.lan:2505   mta-v7.level3.mail.vip.mud.yahoo.com:smtp   FIN_WAIT1   

I have scanned my comp for viruses a few times with updated definitions.

So how do I get rid of this?
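
One way to read a saved TCPView listing like the row quoted in the post above, added here as an example (not code from the thread or from Sysinternals): it groups outbound SMTP connections by process and skips an allowlist of expected mail clients. The first sample row is the one from the post; the other rows, the allowlist and the name `smtp_talkers` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First row is the one quoted in the post; the rest are constructed samples
# in the same column layout: process:pid, protocol, local, remote, state.
SAMPLE = """\
SNOD326.EXE:224   TCP   mann.lan:2505   mta-v7.level3.mail.vip.mud.yahoo.com:smtp   FIN_WAIT1
SNOD326.EXE:224   TCP   mann.lan:2506   mx1.mail.example:smtp   SYN_SENT
SNOD326.EXE:224   TCP   mann.lan:2507   mx2.mail.example:25   ESTABLISHED
msnmsgr.exe:1180   TCP   mann.lan:2490   messenger.example:1863   ESTABLISHED
OUTLOOK.EXE:900   TCP   mann.lan:2600   smtp.isp.example:smtp   ESTABLISHED
svchost.exe:1020   TCP   mann.lan:epmap   mann.lan:0   LISTENING
"""

SMTP_PORTS = {"smtp", "25"}   # TCPView shows the service name or the number
# Assumption: programs on this machine that are expected to send mail.
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "thunderbird.exe"}


def smtp_talkers(listing, allowed=MAIL_CLIENTS):
    """Map (process, pid) -> sorted remote mail hosts for unexpected SMTP use."""
    hits = defaultdict(set)
    for line in listing.splitlines():
        # Columns are separated by tabs or runs of spaces.
        cols = re.split(r"\t+|\s{2,}", line.strip())
        if len(cols) != 5:
            continue                      # header, blank or UDP row
        proc, proto, _local, remote, state = cols
        name, _, pid = proc.rpartition(":")
        host, _, port = remote.rpartition(":")
        if not (name and pid.isdigit() and host):
            continue                      # not a process:pid / host:port row
        if proto != "TCP" or state == "LISTENING":
            continue                      # only outbound TCP connections
        if port.lower() in SMTP_PORTS and name.lower() not in allowed:
            hits[(name, int(pid))].add(host)
    return {key: sorted(hosts) for key, hosts in hits.items()}


if __name__ == "__main__":
    for (name, pid), hosts in smtp_talkers(SAMPLE).items():
        print(f"{name} (pid {pid}) -> {len(hosts)} mail server(s): {', '.join(hosts)}")
```

A process that is not a mail client yet holds connections to several different mail servers at once, as SNOD326.EXE does in this sample, is the one to look up and investigate first.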


khyron

I managed to end the processes and delete the file causing it, and voila, internet connection back to normal (for now). I got NetMeter and uploads are now zero.

What happened and how do I prevent it from happening?


Toxteth_OGrady

What was the name of the file you deleted?  Might help identify the virus.  Sounds like you have some kind of mass mailer worm infection.
604

cavillas

Your best bet would be to download an anti-spyware application.
A few suggestions are: Ewido, Microsoft Defender, Spybot.  All these are free.

Spybot http://www.spybot.info/en/index.html
MS Defender http://www.microsoft.com/athome/security/spyware/software/default.mspx
Ewido http://www.ewido.net/en/download/
Another good one is Adaware http://www.lavasoft.com/products/ad-aware_se_personal.php

If you try one of these, run a full scan with it.

------
Alf :)

maxping


mrapoc

CCleaner ftw!  ;D Used it for years - if you're lazy u can download Hitman Pro (www.hitmanpro.com, just click on download, dw it's in English) and it will download, install, maintain and run all these programs (and more) without u having to do a thing... it's safe, I've used it also for ages

khyron

I used 2 virus scanners, i.e. AVG and McAfee, used Lavasoft and Spybot destroyer, Trend anti-spyware.
All failed to pick up this one.

File name was SNOD326.exe

It caused a massive surge in uploads and of course my speeds suffered.

Scary coz I noticed this new file in my C: drive, and thanks to you guys I got TCPView to actually see which file was the culprit!

I am eternally grateful to Toxteth!!

mrapoc

 :o that file isn't even on Google  :-X

Toxteth_OGrady

Some virus infections generate randomly named executables to disguise themselves.  I'm worried that if OP has only deleted the file to his Recycle Bin that he won't have fully cleared the infection.  If it's still in the Bin it would also be a very good idea to upload it for analysis on one of the leading AV Vendor websites.
604

mrapoc

NOD32 would like it, I'm sure  :)

Toxteth_OGrady

Closest I can find from a description of the behaviour is the Lootseek Trojan.  Further details at http://www.symantec.com/security_response/writeup.jsp?docid=2006-050415-4335-99
604

mrapoc

sounds nasty - any ideas where u got it from? dodgy downloading  :laugh:

Toxteth_OGrady

Not me - never had a virus.
604