Unauthorised Downloading.

Hi, having checked my e-mail (only one short one received) I was contemplating what next when I noticed something was happening The little internet status window showed a download was on. 13 min later, a 6.4 MB download had taken place. It wasn't an e-mail or anything I had asked for. How do I figure out what it was?
I run W98 with Trend Micro Internet Security. I run Spybot once a week and Ad-Aware daily (NB Ad-Aware didn't like the RB-Killer).
Answer in plain English, please. Although I've learnt a lot from your site, I'm still basically beginner who is getting a bit nervous about what others can do to my PC.
Thanks,
/ H

 

Hello Hans 01

I don't use W98, but if you click "start" and use "search" (haven't got english version, so i don't know if it's the right word ) you should be able to find it, especially if you can remember the date (the size you have already)

You could also try a couple of online-scanners, Panda Activescan
F-secure

Hope this helps, if not , maybe someone smarter than me will jump in.

Regards

 

Hi Don,
Thanks for the tip, (it's called "Find" in my version). Unfortunately, it didn't give a reply that makes sense to me. It listed all my Outlook Express folders as updated, together with any other files I had worked during the day, even the ones I had deleted (and cleaned out with Ccleaner). But something was downloaded which I hadn't asked for and I still don't know what it might have been. Major worry, that. One thing's for sure - no more internet banking activities. Nobody can pilfer my account numbers and passwords if they aren't there in the first place.
Can anybody suggest something? EG, what about DOS, would it be something there and how would I find ..........?
Thanks in advance,
/ H

 

Just a guess, could it have been a Windows Update?

Cheers

 

Is any of your software configured to automatically download stuff form the internet?
Virusscanner (signatures or engine), Windowsupdate?

Can you run some kind of port explorer tool to find out what processes are listening behind open ports?

 

Hi, and thanks. If you are right, it means I'm getting something I haven't asked for and no alert / popup window to tell me what's being done to my PC "behind my back" as it were. Any way of telling if Microsoft have been at it?
Regards,
/ H

 

Hi Hans

I can certainly understand you feeling uneasy about this, i would too, and probably reformat my way out of it , you mentioned RB-killer(rapid-blaster?),it seems to be capable of autodownloading.
Here is a link to a slightly old thread on Tech support guy forums.
A site where you might find help removing malware Spywareinfo.

Regards

 

Hi all,
Thanks for your hints. Unfortunately, I'm still in the deep end.
Meener - I have no auto downloads of any kind (that I'm aware of). Certainly not from Microsoft (they have already hijacked my IE default page once - now fixed) and my virus scanner sends me warnings that a new virus is about. I then update manually. The port thing - I know I have ports, but what they are and how to scan is beyond my meagre knowledge. I have the Trend Micro Firewall but don't know how to change / verify it's port activities.
Don - the 1st time I ran ad-aware it listed 70 suspect items. I deleted the lot and found that my RB-killer and a heap of Kodak stuff were amongst them. I've since downloaded another copy of the RB-killer. I ran it and it said my PC was OK. The Kodak stuff was for my digital camera and I have gotten around the missing files by going to Windows Explorer and copying the images to another folder.
So - somebody is doing something to my PC and I'm buggered if I know what, but I'm quite pi##ed off about it. I would love to find out who, kick him/her out and warn others but can't do it on my own.
/ H

 

Hi Hans

I would download and install a trial of TDS-3 (trojan-scanner) from DiamondCS, they have their own forums right here on Wilders Security Forums, and they are very helpfull.You can download from Here, it is important that you update the signaturefiles (radius) Here , remember to check everything under "scancontrol" and "configuration",use "full system scan" found under "system testing" in controlpanel. It's a very slow (but thorough) scanner so be patient.
If you are unsure about your firewallsettings, go to the "other firewalls forum" here on wilders, i am sure somebody can help you.

 

Hi Don,
and thanks. I will do as you suggest and advise outcome.
Regards,
/ H

 

The download activity you describe could be any of the following:

1. Windows Update;
2. Other program updates;
3. P2P software (by default, it allows others to download from your system);
4. "Drive-by download" triggered by a web page exploiting an Internet Explorer vulnerability;
5. Malware/trojan update.

Since you have ruled out 1 and 2 and 3 is easily checked, options 4 and 5 seem to be the more likely at this stage.

For option 4, note that Internet Explorer (if you use it) is highly insecure by default to the point where it is almost impossible to keep your system clear of spyware/adware without significant configuration changes. In addition, vulnerabilities in IE can affect Windows itself and other components like Windows Media Player. In this case, it is quite possible that a web page has caused IE to download a file without your consent. It may still be in your Downloads folder - or alternatively use the Windows Search/Find feature to look for files created during the last day (or specify an appropriate time window) to get a list of suspects. Consider running AdAware to scan for common spyware or adware on your system.

See the FAQ thread Why did I get infected in the first place for detailed advice on securing IE - but also consider using an alternative browser like Firefox (free) or Opera (ad-supported but you can register to get rid of them). These have a better security record than IE and offer significant usability improvements also (tabbed browsing, mouse gestures, single-letter search engine access, etc).

The advice given by Don is the best if you suspect option 5.

The key advice I would add though is to get a firewall and use it. Not only can it limit what network activities occur (and Windows by default has a lot of open doors just waiting to be exploited) but it can also provide full details on programs' network activity (e.g. which sites they are connecting to) and the better ones provide extensive logs allowing you to review past activity.

For a beginner, ZoneAlarm is a good place to start. It is as simple as a firewall can get - but it does have a tendency to throw up lots of alerts, the logs are not the best (hence the large number of third party packages providing ZA log analysis) and can be a pig to remove if you wish to try something else. I would also suggest Outpost because it has excellent logging facilities (this applies to the Pro version, the Free is pretty limited here) allowing you to search, filter or sort entries by application, time, bandwidth, destination or several other criteria. If you want a free firewall, then consider Kerio.

 

I have Port Explorer (by DiamondCS, yep, I won a free 5000 wilderssecurity site membership license )Shows lots of info about open ports. Great stuff!
https://www.wilderssecurity.com/forumdisplay.php?f=12

 

Many thanks for your help.

Don Pelotas - I ran TDS-3 and it found 2 off TrojanClicker.Win32.Delf.r 1 off Adware.Blazefind.a (dll) - all now deleted of course.

Paranoid - can it be that I have autodownload from Microsoft after all? I know I haven't asked for it, but perhaps they have sneaked in anyhow. My suspicion is based on my IE default page now changing to Microsoft each time I go on-line (regardless where I go, it seems). At least I can re-set to "default : blank", but it annoys the hell out of me.
I have the Trend Micro firewall. I've found the settings and they are the default ones, ie medium. As soon as I understand the repercussions, I will try "high".

Meener - thanks for the tip. Will check it out.

To sum up - I still get unauthorised downloads and I don't know what they are. I found a whole lot of files update themselves somehow each time I go on-line. I'll see if I can figure out what they are for (Google search I guess).
EG "MS-DOS Batch File", "TTZ File", "DAT File", "SWP File" (large one), etc.

Is it normal for ALL Outlook Express "Local Folders" to update themselves each time I go to my ISP? I'm talking about Inbox, Outbox, Sent + all the ones I've opened up to separate various e-mail topics?

Regards,
/ H

 

Please check your Windows Update settings. On Win2K and WinXP systems they are set to download updates automatically but I'm not so sure about Win9x/ME (check in Start/Settings/Control Panel for an "Automatic Updates" icon, settings will be there if it is present on your system).

I've not used this - does it provide information about current network activity?

Exactly how are you deciding whether files have been updated? If you are just checking the Last Modified times in the file properties then you are wasting your time - scores of files are modified by Windows just during system startup (and that .SWP file is your swapfile which is used as virtual memory, it will be written to all the time).

If OE is set up to automatically check your email when you go online, then yes (this may be its default setting, but I don't use OE so maybe someone else can confirm this).

 

I can confirm that - you'll find it under OE > tools > options > general

Take out the checkmark in: When starting, go directly to my "Inbox" folder.

 

Thankyou all, I'm still no closer to understanding / stopping these downloads.
I've taken all recommended steps (except Firefox), to the point I can't get into my hotmail (guess I have to make it a "Trusted Zone"), but the unauthorised downloads continue. As I write this, the little internet status window says "bytes received " 6,435,782 AND still rolling over like greased lightening. At the same time, "bytes sent" is up to 403,566 and still going.
Surely this can't be normal ?
/ H

 

You can download a copy of Belarc here:

http://www.belarc.com/free_download.html

and then post the log. Just make sure you remove ALL personal info such as Win98 License etc

You could also run Hijack This and then post a log.

Cheers

 

Well, I tried to get more information on Trend's firewall and failed miserably, this page appears to be the closest they do to a firewall - is this what you are running Hans 01? If so, check to see if it gives any indication of what network connections are currently active (if it gives no indications or at least a log of blocked/allowed traffic, then I would strongly advise getting rid of it and switching to a firewall that does).

Hotmail requires cookies - ensure that Firefox and any privacy/cookie filters you use are configured to allow them for it.

Another option to find out what is happening is to open a DOS Box window and type netstat. This will list all current network connections and their destination - this should provide a good idea of which sites you are connecting to.

 

Blackspear & Paranoid, I thank you for your time and expertise.

Firstly, I'm beginning to suspect dear old Microsoft, because -
- my IE keeps on resetting to msn.com and I kept resetting to default "blank" (Tools, Internet Options).
- when I downloaded Adaware, it found 2 "Data Miners" which I then deleted. Next time on-line I noticed the big downloads.
- Adaware again found these 2 data miners and the cycle continued.
- Today, I didn't reset the IE default page and I didn't run Adaware. Guess what, no unauthorised downloads as yet.
- The 2 "Data Miners" were :
HKEY_CURRENT_USER.Software\Microsoft\Internet Explorer\Main "Start Page" ("about.blank") and
HKEY_USERS.Default\Software\Microsoft\Internet Explorer\Main "Start Page" ("about.blank").
Sure look suspicious to a novice like me.

The Trend Firewall doesn't show activity, but has a log of blocked attempts. This log shows several approaches PER MINUTE, with source IP address and port, etc, etc. In the last minute, some of the IP adresses in the log are :
144.138.11.219
144.139.163.95
202.160.20.30
144.139.173.244 and so on.
It's all hebrew to me, I'm afraid.

The DOS window showed only a few :
Today - 433.ge-4-0-0.er10b.sjc2.us.above.net:80.
Yesterday - 127.0.0.1:1456 and 209.133.117.7 available.above.net:80.

I also ran the Belarc thingy, with the following log (I hope I deleted the right personal bits)

Belarc Log 2004-08-17.

Operating System System Model
Windows 98 (build 4.10.199 MICRO-STAR INTERNATIONAL CO., LTD MS-6378
Processor a Main Circuit Board b
1.10 gigahertz AMD Duron Board: MICRO-STAR INTERNATIONAL CO., LTD MS-6378(VT8361)
Bus Clock: 100 megahertz
BIOS: Award Software International, Inc. 6.00 PG 10/04/2002
Drives Memory Modules c,d
6.44 Gigabytes Usable Hard Drive Capacity
4.61 Gigabytes Hard Drive Free Space

CD-S500/A [CD-ROM drive]
LITE-ON LTR-48246S [CD-ROM drive]
Generic floppy disk drive (3.5")

Generic IDE hard disk drive (6.44 GB) -- drive 0, No SMART Driver 248 Megabytes Installed Memory
Local Drive Volumes

c: (on drive 0) 6.44 GB 4.61 GB free

Network Drives
None detected
Users Printers
No details available Canon S520 on USBPRN01

Controllers Display
Standard Floppy Disk Controller
Primary IDE controller (dual fifo)
Secondary IDE controller (dual fifo)
VIA Bus Master PCI IDE Controller VIA Tech VT8361/VT8601 Graphics Controller [Display adapter]
(Unknown Monitor)
Bus Adapters Multimedia
VIA VT83C572/VT82C586 PCI to USB Universal Host Controller
VIA VT83C572/VT82C586 PCI to USB Universal Host Controller AW200/AS9200 External Midi (MPU401) Device
AW200/AS9200 Internal Midi (OPL3) Device
AW200/AS9200 Joystick Device
AW200/AS9200 PCI Audio Device
AW200/AS9200 Wave Audio Device
Wave Device for Voice Modem
Communications Other Devices
Lucent Win Modem CanoScan LiDE 20/N670U/N676U
Standard 101/102-Key or Microsoft Natural Keyboard
KODAKCAM
KODAKIFS
KODAKROUTER
Canon S520
USB Root Hub
USB Root Hub
Virus Protection
No details available
Installed Microsoft Hotfixes [Back to Top]
None detected


Software Versions [Back to Top]
Adobe Acrobat Reader Version 5.0.0.0 *
Ahead Software AG Karlsbad Germany Phone: ++49-7248-911-800 Fax: ++49-7248-911-888 e-mail: info@nero.com - LANGUAGE_English2 Version 5, 5, 9, 13 *
Ahead Software AG - InfoTool Application Version 1, 2, 0, 0 *
ahead software gmbh, karlsbad - Cover Designer Version 2, 2, 1, 6 *
Apple Computer, Inc. - QuickTime QuickTime 5.0.1 *
ArcSoft Inc. - PhotoBase Version 3.0.0.78 *
ArcSoft PhotoStudio Version 5,0,0,36 *
Belarc, Inc. - BelManage Client Version 6.1f *
blindman.exe *
Canon BJ Printer Driver Installer Version 4.3.0.950 *
Canon BJ Printer Driver Version 7.2.2.000 *
Canon BJ Raster Printer Driver Version 5.2.2.950 *
CANON INC. - CanoScan Toolbox Application Version 4.0.0.0 *
Company - CCleaner Version 1.11.0062 *
Copyright (C) ahead software gmbh and its licensors - InCD Version 3.39.0 *
Decoder Configuration *
Diamond Computer Systems Pty. Ltd. - Radius Update Version 1.00 *
Diamond Computer Systems Pty. Ltd. - TDS-3 Version 3.20 *
DiamondCS Port Explorer Version 1.800 *
DivX Player 2.1 *
Eastman Kodak Company - Kodak DC File System Driver (Win32) Version 3.2.0400.0 *
Eastman Kodak Company - Kodak EasyShare software Version 2, 1, 0, 55 *
Eastman Software, Inc., A Kodak Business - Imaging for Windows® Version 1.01.1311 *
Elite Practice Solutions Pty Ltd - etax2003 Version 6.0.1.00 *
EnDisService Application Version 1, 0, 0, 1 *
Erik Deppe - DriveSpeed Application Version 1, 5, 0, 0 *
Erik Deppe - Nero CD Speed Application Version 1, 1, 1, 0 *
Goodsol Development Inc. - Free Solitaire Version 4.01 *
Inno Setup Version 51.13.0.0 * javaw.exe *
Jordan Russell - Inno Setup Uninstaller Version 51.6.0.0 *
kpgreader.exe *
Lavasoft Ad-aware Plus Version 6.0.0.0 *
Microsoft (r) Windows Script Host Version 5.6.0.6626 *
Microsoft Clip Gallery Version 5.1.00.1221 *
Microsoft Corporation - DirectShow Version 6.4.07.1119 *
Microsoft Corporation - Internet Explorer Version 6.00.2600.0000 *
Microsoft Corporation - Windows Installer Version 2.0.2600.2 *
Microsoft imgstart Version 1, 0, 0, 1 *
Microsoft Office 2000 Version 9.0.2719 *
Microsoft Outlook Version 9.0.2416 *
Microsoft PowerPoint for Windows Version 9.0.2716 *
Microsoft Snapshot Viewer Application Version 9.0.0.2402 *
Microsoft(R) Windows Media Player Version 7.01.00.3055 *
Microsoft® Access Version 9.0.2719 *
Microsoft® FrontPage(TM) Version 2.0.2.1118 *
Microsoft® FrontPage® 2000 Version 4.0.2.2717 *
Microsoft® Internet Services Version 6.1.33.0 *
Microsoft® NetMeeting® Version 2.11 *
MindVision - Installer VISE 2.8.3 Version 2.8.3 *
MindVision Software - Installer VISE Version 3.1.1 *
PepiMK Software - SpyBot-S&D Version 1.2 *
ScanSoft, Inc - OmniPage SE Version 11.0 *
Trend Pc-cillin 11 Version 11.0.0 *
Trend Pc-cillin 11 Version 11.30.0 *
Virtos GmbH - WaveEdit DLL Version 1, 0, 4, 6 *
WinZip Version 8.1 SR-1 (5266) *

I'm not sure what it all tells me, eg what is "blindman.exe" good for?
I will definitely have a look at Firefox. Is Thunderbird an alternative to IE?
Apologies for the many basic questions, but I am a novice and have difficulty with most computer terms and functions.
/ H

 

Look here BTW i noticed you're running Spybot 1.2, Spybot 1.3 was released some time ago, and i don't think signatures has been available for 1.2, since 1.3 was released. There's also a new version of Ad-Aware.

 

These are quite likely false positives. "about:blank" gets flagged since there is a variant of the CoolWebSearch browser hijacker that uses this entry - if you actually had this you would (almost surely) be seeing a stack of porn sites added to your IE Favourites list.

You'll get incoming connection attempts all the time - mainly from other computers infected with worms. It is of little significance here except to confirm that your firewall is doing a basic job of protecting your system. I would suggest you consider an alternative firewall that gives you more information on what is going on though - or use Port Explorer (which you apparently have installed) to look at the details of these active connections (you should be able to view exactly what is being sent).

The :80 at the end suggests that your PC was connecting to web servers at those addresses but neither have websites registered (according to the whois entries for 433.ge-4-0-0.er10b.sjc2.us.above.net and 209.133.117.7) which makes them suspicious in my view. 127.0.0.1 is just your own PC and can be ignored. Unless you actually typed these addresses into Internet Explorer yourself or are running a file-sharing application, I would suspect that your PC may be being used as a web hosting proxy or relay.

At this point, I would suggest you check Task Manager to see what processes you have running (right-click on your taskbar at the bottom of the screen, Task Manager should be one of the options - select the Processes window and list the details or take a screenshot). Alternatively, download HijackThis! (from here), run it and post only the "Running Processes" section in your post (this forum no longer accepts full HijackThis! logs - posting them may result in this thread being closed).

Thunderbird is an email client, a replacement for Outlook Express.

 

Do also scan your system at grc's shield's up, to check for open ports on your system.
An sample of an open ports problem can be found in this topic

 

Hi, thanks for your patience,

.....These are quite likely false positives. "about:blank" gets flagged since there is a variant of the CoolWebSearch browser hijacker that uses this entry - if you actually had this you would (almost surely) be seeing a stack of porn sites added to your IE Favourites list.....

There are no porn sites in the IE Favourites list, I have never used that list anyway.

.....or use Port Explorer (which you apparently have installed) to look at the details of these active connections (you should be able to view exactly what is being sent).....

I did a portscan and got the answer below. I saved it in Notepad, but it doesn't look very clear. Does it make any sense to anybody?
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
---------------------------------------------------------------------------------------------------------------------------------------------------------
| msimn.exe | 22:39 21/08/2004 | -1812205 | UDP | 127.0.0.1 | 1025 | 127.0.0.1 | 1025 | LISTENING | 2/2 | 2/2 |
| iexplore.exe | 22:54 21/08/2004 | -1789233 | UDP | 127.0.0.1 | 1081 | 127.0.0.1 | 1081 | LISTENING | 173/173 | 172/172 |
| tmproxy.exe | 22:51 21/08/2004 | -1739473 | TCP | 127.0.0.1 | 6999 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1025 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 144.139.123.226 | 138 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 144.139.123.226 | 137 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 144.139.123.226 | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1081 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | UDP | 144.139.123.226 | 137 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 0 | UDP | 144.139.123.226 | 138 | *.*.*.* | * | LISTENING | --- | --- |

.....At this point, I would suggest you check Task Manager.....

I had to use 'start', 'settings' to find the taskbar. Lots of stuff there, Ad-Aware says 24 processes running. I tried to reduce 'em, but failed - they all ended up in the recycle bin so I had to restore to get 'em back.

.....download HijackThis! (from here), run it and post only the "Running Processes" section in your post.....

Did that, and chopped everything off, bar the "running processes", ie

Logfile of HijackThis v1.97.7
Scan saved at 9:35:23 AM, on 8/21/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\AOTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

I have now also updated to Spybot 1.3. Interestingly, each time I used the older version, I'd ask for updates - only to get "none available" in reply. It didn't advise that there was a new version of the program available.

I do apologise for taking up so much time. The mere thought that somebody might use my PC covertly is scary. I'm sure they are up to no good, and I don't want to be involved in any such activities.

Regards,
/H

 

Well, there's nothing obviously amiss with your system - what I was thinking of was that some spammers were using compromised PCs as relays to their websites (hiding their real address and making them harder to shut down by ISPs). In some cases, legitimate software like WinGate was being used, which would probably not be picked up by malware scanners but would show up in any task list.

In your case, I would suspect LOADQM to be the cause of the traffic - see the article LOADQM.EXE -- another Microsoft disastrous Jewel for details. Try disabling it as suggested and see if that solves the problem.

 

You do need to get Service pack 1 for IE 6...