Detecting unauthorized upload

[PeaceHere]

I'm worried... Is there a virus trying to upload my data?

This is what happened - right after my connection with Internet is
established with Verizon Wireless network, the "sent packet" in "Local
Area Connection" kept on increasing, while I have my hands off the
Internet/email. I then disconnected and reconnected a few times, and
it happened each time. I restarted computer and reconnected, and the
"Send packet" didn't increase initially. But after a while, the above
scenario happened again.

I'm running the AVG antivirus program to check my hard disk. In the
meantime, I am trying to figure out where this unauthorized upload
comes from.

I examined the tasks in the task manager, and didn't see any
suspicious process.

Is there an utility that can tell me where these "send packet" are
being sent to, like the destination IP address? Even better, is there
a program that can tell me which program/process are initiating all the
sending of data?

My last question, is "sent packet" a reliable way to tell all upload
activity, ie, it cannot be circumvented easily?

Thank you so much for answering.

 

[Shadowman]

I'm worried... Is there a virus trying to upload my data?

This is what happened - right after my connection with Internet is
established with Verizon Wireless network, the "sent packet" in "Local
Area Connection" kept on increasing, while I have my hands off the
Internet/email. I then disconnected and reconnected a few times, and
it happened each time. I restarted computer and reconnected, and the
"Send packet" didn't increase initially. But after a while, the above
scenario happened again.

I'm running the AVG antivirus program to check my hard disk. In the
meantime, I am trying to figure out where this unauthorized upload
comes from.

I examined the tasks in the task manager, and didn't see any
suspicious process.

Is there an utility that can tell me where these "send packet" are
being sent to, like the destination IP address? Even better, is there
a program that can tell me which program/process are initiating all the
sending of data?

My last question, is "sent packet" a reliable way to tell all upload
activity, ie, it cannot be circumvented easily?

Thank you so much for answering.

As for a utility that can tell you which programs are sending data, try
installing a personal firewall -- get a free one like kerio or
zoneAlarm. One of their features is they do exactly what you're asking
-- allow and disallow specific programs access to the internet.

Most likely there's nothing to worry about, however. Quite a few
background processes send and receive info, application auto-updaters,
windows background tasks (I assume you're running windows). But at the
same time, using a personal firewall will help you determine exactly
what is doing what.

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm worried... Is there a virus trying to upload my data?

This is what happened - right after my connection with Internet is
established with Verizon Wireless network, the "sent packet" in "Local
Area Connection" kept on increasing, while I have my hands off the
Internet/email. I then disconnected and reconnected a few times, and
it happened each time. I restarted computer and reconnected, and the
"Send packet" didn't increase initially. But after a while, the above
scenario happened again.

<snip>

As well as what Shadowman has said, even when you or any programs aren't
doing anything, the computer will be "checking in" with the ISP regularly,
so this isn't something to worry about. If you are seeing a large amount of
traffic being transmitted, maybe it is worth investigating.

I'd advise a scan for spyware, refer to the links below. You could run the
"netstat" command to see what your computer is connected to:

Click Start->Run
Clear any text, type in: cmd (or command if using Windows 95/98/ME)
Press enter.
In the black "Command window", type in: netstat
Press enter. You will probably see connections on port 80 80 or :http in
foreign address) if you have a web site open or have visited one lately, as
well as port 25(pop3)/110(smtp) for email etc. P2P programs, radio or video
streams can use many connections at once, so you'll want to close them first.

Ad-Aware SE Personal Edition
Scanning and removal only
http://www.lavasoft.com/support/download/

Ad-Aware SE Plus:
Scanning, removal and prevention
http://www.lavasoft.com/software/adawareplus/

Safer Networking's Spybot Search & Destroy
Scanning, removal, prevention and warning of system changes
http://www.safer-networking.de/en/download/index.html

Microsoft's Anti-Spyware Beta (testing)
Scanning, removal, prevention and warning of system changes
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Javacool Software's SpywareBlaster
Prevention, does not need to be loaded to function
http://www.javacoolsoftware.com/spywareblaster.html

Spyware Warrior's "Rogue/Suspect Anti-Spyware Products and Web Sites" page
- - not sure if an anti-spyware program is legitimate? Check here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Is there an utility that can tell me where these "send packet" are being
sent to, like the destination IP address? Even better, is there a
program that can tell me which program/process are initiating all the
sending of data?

You can use the ethereal "packet sniffer" from http://www.ethereal.com to
see what's going on - be warned it is a little complicated but if you don't
get overwhelmed you should be able to get an idea of what's going on.


HTH
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDCbbC7uRVdtPsXDkRAsf1AJ9/PZEv690o197vLQ2fUJXmUJthBwCfRzuh
aEVhqGwnMjXn/JCbzYKdLgo=
=LodP
-----END PGP SIGNATURE-----

 

[David H. Lipman]

From: <[email protected]>

| I'm worried... Is there a virus trying to upload my data?
|
| This is what happened - right after my connection with Internet is
| established with Verizon Wireless network, the "sent packet" in "Local
| Area Connection" kept on increasing, while I have my hands off the
| Internet/email. I then disconnected and reconnected a few times, and
| it happened each time. I restarted computer and reconnected, and the
| "Send packet" didn't increase initially. But after a while, the above
| scenario happened again.
|
| I'm running the AVG antivirus program to check my hard disk. In the
| meantime, I am trying to figure out where this unauthorized upload
| comes from.
|
| I examined the tasks in the task manager, and didn't see any
| suspicious process.
|
| Is there an utility that can tell me where these "send packet" are
| being sent to, like the destination IP address? Even better, is there
| a program that can tell me which program/process are initiating all the
| sending of data?
|
| My last question, is "sent packet" a reliable way to tell all upload
| activity, ie, it cannot be circumvented easily?
|
| Thank you so much for answering.

Besides the anti spyware that Adam mentioned, use the following tool to make sure you are
not infected with a virus or Trojan that AVG might be missing...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove
viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

 

[Spacen Jasset]

I'm worried... Is there a virus trying to upload my data?

....
Try tcpview from sysinternals.com and sort by status and look for the
established tcp connections.

you can then see which process it transmitting data, to a tracert to the
desination, and a who is look up to see more about the destination.

 

[David H. Lipman]

From: "Spacen Jasset" <[email protected]>

| ...
| Try tcpview from sysinternals.com and sort by status and look for the
| established tcp connections.
|
| you can then see which process it transmitting data, to a tracert to the
| desination, and a who is look up to see more about the destination.

More importantly...

TCPVIEW will show you what is the fully qualified path of a file that is accessing the
Internet and what IP address (or alias) it is connected to and what TCP or UDP port it is
connecting through.

 

[Duane Arnold]

(e-mail address removed) wrote in @g44g2000cwa.googlegroups.com:

I'm worried... Is there a virus trying to upload my data?

This is what happened - right after my connection with Internet is
established with Verizon Wireless network, the "sent packet" in "Local
Area Connection" kept on increasing, while I have my hands off the
Internet/email. I then disconnected and reconnected a few times, and
it happened each time. I restarted computer and reconnected, and the
"Send packet" didn't increase initially. But after a while, the above
scenario happened again.

I'm running the AVG antivirus program to check my hard disk. In the
meantime, I am trying to figure out where this unauthorized upload
comes from.

I examined the tasks in the task manager, and didn't see any
suspicious process.

Is there an utility that can tell me where these "send packet" are
being sent to, like the destination IP address? Even better, is there
a program that can tell me which program/process are initiating all the
sending of data?

My last question, is "sent packet" a reliable way to tell all upload
activity, ie, it cannot be circumvented easily?

Thank you so much for answering.

Well, malware can circumvent and defeat the PFW solution and any malware
application designed to detect it. Those types of solutions are always a
dime late and a dollar short.

It's good that you looked to see what is running by using Task Manager. But
Task Manager only shows you the processes that are running and will not
show you the processes that are using the process while it's running. The
hidden processes can be running with a process, which malware can be piggy
backing off of it.

You can use Process Explorer to look at a running process and look inside
the process to see what's using it.

In the upper pane on PE, you can right-click any running process and go to
Properties. PE will tell you everything about the running process.

With the menu at the top of the PE screen, you can select View/Show Lower
Pane/Show all Dll(s) and PE will show every process that is running with a
process.

Long version

http://www.pcworld.com/downloads/file_description/0,fid,23780,RSS,RSS,00.as
p

Short version

http://tinyurl.com/99vur

I also like to use Active Ports too.

And if you want to know what packets are leaving the machine and what
remote IP they are going to, then you use a packet siffer like Ethereal
(free).

Long version

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_R
ootkit_Tools_in_a_Windows_Environment.html

Short version

http://tinyurl.com/klw1

If you have too, you can look for yourself and may be spot something.

Duane

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

...
Try tcpview from sysinternals.com and sort by status and look for the
established tcp connections.

you can then see which process it transmitting data, to a tracert to the
desination, and a who is look up to see more about the destination.

Why didn't I think of that?! Much easier for a user than netstat...d'oh!

- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDCdd/7uRVdtPsXDkRAiBLAJ4oiZ0t4jmGpfUc9bui9Tx0N4E+AgCcDIdU
q/+7tfjQMAe4A4f8k1c1Opw=
=R5jE
-----END PGP SIGNATURE-----

 

[electricpete]

Good advice given by many. I think a firewall is a good idea. I use the EZ
armour sweet provided 1 year for free by roadrunner and I think dsl. Also
I've heard good things about zonealarm.

One thing to consider is that you have some very sensitive data on your
computer. You may have done your taxes there and listed names, social
security number, address, occupation... would make it easy for someone to
steel your identity. Also programs can track your keystrokes to identify
passwords or credit card numbers that you type in.

So take it seriously.