My first virus, I think

Discussion in 'malware problems & news' started by Afallach, Feb 10, 2003.

Thread Status:
Not open for further replies.
  1. Afallach

    Afallach Registered Member

    Joined:
    Feb 10, 2003
    Posts:
    4
    When online, I started noticing that I seem to be sending a lot. Then I looked at the online status window and saw that I was sending CONSTANTLY. In fact, in this 5-hour session, having only done routine email and looked at a Web page or two, it appears I've received about 200KB but sent over 500 MEGABYTES.

    Now, I know that's more than I'm capable of sending with a dial-up connection in 5 hours, but still, something's wrong.

    I've quit all applications (especially Explorer and Outlook), then shut down any processes that looked active that weren't in system folders (not that that's a guarantee of anything). It's still going.

    Does this sound familiar? Is it a virus? Other thoughts?

    Many thanks.

    David
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Afallach,

    Have you tried scanning online to make sure?
    Look at our free services page for links.

    Regards,

    Pieter
     
  3. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Could be any number of things. o_O

    Might be a trojan horse, or more likely, a NIMDA-like worm eating up bandwidth. Do you have an up to date av installed?

    More details! Sounds exciting! :D ;)
     
  4. Afallach

    Afallach Registered Member

    Joined:
    Feb 10, 2003
    Posts:
    4
    > Do you have an up to date av installed?

    I don't (he admitted, blushing :oops: ). I've been downloading a trial version of Norton all afternoon, though.

    Meanwhile, I'm up to 599 megabytes. Not that I believe I'm really uploading at 25 KB/sec. Which is the other question.

    David
     
  5. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Several worms can cause the outgoing bandwidth to peg on the redline. I'm betting you're going to find our good friend NIMDA lurking on there somewhere--but again, until you scan with an up-to-date AV--you ain't gonna know for sure! :D

    Regardless, my advice is to get an up-to-date AV on there and pull the plug on your internet connection until you *make sure* you have the bugs out. Some of these worms broadcast information you don't want people to know. :doubt:

    Good luck!
     
  6. Afallach

    Afallach Registered Member

    Joined:
    Feb 10, 2003
    Posts:
    4
    Okay...I downloaded NAV, installed it, updated it and scanned--God!--70K files, and I appear to be clean.

    I'm now at 811 Mb and counting.

    What does *make sure* mean? That is to say, other than running something like Norton AV, I don't really know HOW to clean this up.

    Suggestions, anyone? (815)
    David
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    So, does this condition come back following a system reboot? (Has this problem just started, or has it been there a while - through multiple PC reboots?)

    Certainly, NAV should have found a virus, if that's what this is. Although, I'd suggest just running an online virus scanner at the page Pieter noted: Free Services. The Panda scanner is a good double check.

    Another thing to yield a lot more data for us to wade through would be to download a quick analysis tool, StartupList v1.51, from this site:

    http://www.lurkhere.com/~nicefiles/

    It's a zip file... You download it, unzip it, and run it - it gives you a long list of system configuration information which you can copy/paste into a post here. From that, people can advise you whether something looks suspicious or not.
     
  8. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    What is your OS?
    Can you download a free firewall like Outpost, Kerio, even ZA? A firewall is going to pick up on what's going out and allow you to ID it and block it hopefully.
    If you have 2k or xp you can go to Webattack.com and download Active Ports. It will show what programs are using the net.
    Personally, I recommend going to www.agnitum.com and downloading Outpost free. Install it and reboot.
    Start up in the rules wizard mode of Outpost and allow the default rules for your browser. If you have 2k you will get a prompt of Services.exe. Allow it out to remote port 53 and allow DHCP out. If you have XP it is SVCHOST.exe instead of services.exe.
    I can help you here or at the Outpost firewall forum at http://www.agnitum.com/forum/index.php?s= .
    That would be best for me.
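
Added example, not part of the original thread: a way to see which process owns outbound connections, as suggested above, by parsing `netstat -ano` output (Windows XP and later) and flagging any PID that contacts many distinct hosts on one remote port, the fan-out pattern a scanning worm produces. The sample output, addresses, PIDs and the `min_hosts` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output; addresses are documentation
# ranges and the PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.0.2.10:1045        198.51.100.7:110       ESTABLISHED     1432
  TCP    192.0.2.10:1101        203.0.113.5:80         SYN_SENT        2216
  TCP    192.0.2.10:1102        203.0.113.6:80         SYN_SENT        2216
  TCP    192.0.2.10:1103        203.0.113.7:80         SYN_SENT        2216
  TCP    192.0.2.10:1104        203.0.113.8:80         ESTABLISHED     2216
  UDP    0.0.0.0:500            *:*                                    672
"""

OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}


def outbound_by_pid(netstat_text):
    """Map PID -> {remote_port: set(remote_ips)} for outbound TCP rows."""
    table = defaultdict(lambda: defaultdict(set))
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 fields; headers and UDP rows (no state) are skipped.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _local, remote, state, pid = fields
        if state not in OUTBOUND_STATES:
            continue
        ip, _, port = remote.rpartition(":")
        if ip.startswith("127.") or ip in ("0.0.0.0", "[::1]"):
            continue  # loopback or unconnected, not traffic leaving the PC
        table[int(pid)][int(port)].add(ip)
    return table


def fan_out_suspects(netstat_text, min_hosts=3):
    """PIDs contacting >= min_hosts distinct hosts on one port, busiest first."""
    hits = []
    for pid, ports in outbound_by_pid(netstat_text).items():
        for port, hosts in ports.items():
            if len(hosts) >= min_hosts:
                hits.append((pid, port, len(hosts)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for pid, port, n in fan_out_suspects(SAMPLE):
        print(f"PID {pid}: {n} distinct hosts on remote port {port}")
```

A web browser also opens connections to many hosts on port 80, so a hit is a lead to check against the process name for that PID, not a verdict.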
     
  9. Afallach

    Afallach Registered Member

    Joined:
    Feb 10, 2003
    Posts:
    4
    Thanks to everyone for the desire you've shown to help me out. That's what I love about the online community.

    The problem has been showing up for several weeks. I've tried to narrow it down by shutting things down, but I'm now going to try to notice more carefully when it begins. At this point, after a reboot and being back online for 30 min., everything's normal. I'll keep an eye on whether starting any particular software up triggers the process again. Outlook and Explorer seem to be innocent.

    You've given me some tools to work with, and I'll follow up by downloading some of them, and return here when I have more info.
     
  10. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    The impression I get from your posts is that you did not have a lot of protection in place before this.
    I suggest you have as a minimum a good antivirus and a good antitrojan updated daily. Also a firewall is a must.
    You can read around the forums here to get ideas of what is recommended by people. Also at Wilders.org you will find recommended programs with ratings for you to consider.
    Please keep us informed of your progress. There are a lot of people here that can help get you properly protected. ;)
     
  11. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Great to hear that (fingers-crossed) everything is getting back to normal!

    Good luck! :)
     
  12. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    :eek: Did you view 'War and Peace' in html online o_O?? ;)
     