vdub12
New Member
Reaction score: 2
I have a new one for y'all.
I got a call the other day from a customer on satellite internet who had gotten FAPed repeatedly over the last week because one of his computers had a constant stream of data.
Well, today was the appointment, and I showed up and started looking at the system. Right off the bat I could see that the network was solid with activity. I ran TCPView and noticed that it was coming from svchost to a strange IP address that wasn't MS. I think it was 69.147.148.x, occasionally changing but staying on that network. I whois'ed it and found it was an IP from another ISP; I can't remember which one. My first impression was adware, but I wanted to investigate further. I opened Process Explorer and checked the properties for the offending PID. I started killing services until the data stopped. It turned out it was BITS (Background Intelligent Transfer Service) causing the network traffic. So I thought I had solved it: must be Windows Update. So I restarted the computer and killed the update service, and noticed it was still transferring data from the same network. All of a sudden Norton LiveUpdate kicks in with the same destination network but a different address. I thought, well, that's a quintessence. So I uninstalled Norton using the Norton uninstaller, restarted the computer, and it was still transferring from the same network. By this time I had killed just about every non-MS process trying to narrow this thing down. I couldn't run Wireshark because for some reason it couldn't get packet information from the USB wireless card that the customer's using. I disabled BITS and the transferring stopped, but with BITS disabled you can't run Windows Update.
Finally the customer said that nothing on the computer was important and told me to just reload it. I did some paperwork and took the system back to my shop. Not wanting to admit defeat, I decided I was only going to charge the customer for what he wanted, a flat-fee reload, but I was going to figure this out. Now that I was in my zone I had a much better chance. I connected the computer to my network using Ethernet instead of the Wi-Fi and fired Wireshark up. At the same time I had my netbook right next to me watching my bandwidth on my router's DD-WRT GUI. To my surprise it was peaking at around 20 Mbps; no wonder he kept getting FAPed. I started looking at the packets in Wireshark and noticed that they were coming from port 1120, which is a port used by Battle.net. I started thinking that maybe it had some crazy rootkit game server on it. So I started Process Monitor and filtered out everything but the offending PID. I started seeing all these writes to the Application Data folder in All Users under Norton. So I went to the folder and found 3 GB of .tmp files labeled BITxx.tmp, with xx being a number/letter combo.
I tried everything to stop it. There was not one single process from Norton running, and all I can assume is that once BITS gets started it can't be stopped, or maybe it was a bug in BITS, because Norton had been gone for hours at this point. Once the download hit a little over 4 GB it just stopped. I deleted all the temp files and the network hasn't flickered since. I am updating the system to SP3 right now and I am going to install all the Windows updates after that, but I still don't know what was causing the download to continue after Norton was gone. The system is very clean: no adware, not even much data. Once Norton was gone it actually ran pretty well.
Anyway, now I have a new reason to hate Norton, or love it when you consider how much money it makes me, lol.
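The check the post is groping for is to look at the BITS job queue itself rather than at the processes. BITS stores its queue in the service's own state files, so a job keeps transferring after the program that created it has exited or been uninstalled; the job's owner account and remote URLs are what tie it back to that program. The script below is an added example and not code from the original post. It assumes Windows 7 or later with the BitsTransfer PowerShell module and an elevated prompt (`Get-BitsTransfer -AllUsers` needs administrator rights); the script name `Get-BitsJobs.ps1`, the `-SuspectHost` and `-Cancel` parameters and the helper function names are my own. On XP-era systems the same queue can be listed with `bitsadmin /list /allusers /verbose`.

```powershell
# Get-BitsJobs.ps1 (added example, not from the original post).
# Lists every BITS job on the machine for all users, shows who created it and
# which URLs it is pulling, and optionally cancels the jobs whose remote host
# matches a pattern. Requires an elevated prompt and the BitsTransfer module.
param(
    [string]$SuspectHost = '',   # substring to match on remote URL or resolved IP, e.g. '69.147.148.'
    [switch]$Cancel              # remove matching jobs; this also deletes their BIT*.tmp files
)

Import-Module BitsTransfer

# Resolve the host part of a URL to its current IP addresses so it can be
# compared with what TCPView or netstat shows; returns @() on DNS failure.
function Resolve-RemoteHost {
    param([string]$Url)
    try {
        $uri = [uri]$Url
        return @([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString })
    } catch {
        return @()
    }
}

# True when any file in the job points at the suspect host, by name or by IP.
function Test-SuspectJob {
    param($Job, [string]$Pattern)
    if (-not $Pattern) { return $false }
    foreach ($f in $Job.FileList) {
        if ($f.RemoteName -like "*$Pattern*") { return $true }
        foreach ($ip in (Resolve-RemoteHost $f.RemoteName)) {
            if ($ip -like "*$Pattern*") { return $true }
        }
    }
    return $false
}

# The queue belongs to the BITS service (qmgr*.dat under the Downloader folder),
# not to the process that created the job, so uninstalling that program does
# not cancel the job; OwnerAccount is the remaining trace of who queued it.
$jobs = @(Get-BitsTransfer -AllUsers)
if ($jobs.Count -eq 0) { Write-Host 'No BITS jobs queued.'; return }

foreach ($job in $jobs) {
    $done = [math]::Round($job.BytesTransferred / 1MB, 1)
    # BytesTotal reads as UInt64.MaxValue until the server has reported a size.
    $total = if ($job.BytesTotal -eq [uint64]::MaxValue) { '?' } else { [math]::Round($job.BytesTotal / 1MB, 1) }
    $flag = if (Test-SuspectJob $job $SuspectHost) { ' <== matches suspect host' } else { '' }

    Write-Host ("{0}  '{1}'  owner={2}  state={3}  {4}/{5} MB{6}" -f `
        $job.JobId, $job.DisplayName, $job.OwnerAccount, $job.JobState, $done, $total, $flag)
    foreach ($f in $job.FileList) {
        Write-Host ("    {0}`n      -> {1}" -f $f.RemoteName, $f.LocalName)
    }
    # A command run on completion is normal for updaters but is also a known
    # persistence trick, so it is always worth printing.
    if ($job.NotifyCmdLine) { Write-Host ("    runs on completion: {0}" -f $job.NotifyCmdLine) }

    if ($Cancel -and $flag) {
        # Cancelling removes the job from the queue and deletes its partial BIT*.tmp files.
        Remove-BitsTransfer -BitsJob $job -Confirm
    }
}
```

Run it as `.\Get-BitsJobs.ps1 -SuspectHost '69.147.148.'` to list the queue and mark jobs whose remote host matches the destination seen in TCPView, then add `-Cancel` to remove only those jobs. Cancelling the offending job is preferable to disabling the BITS service, which, as the post notes, also breaks Windows Update.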