Oh boy...am I infected?

Appleby

Well here is a strange request... a tech asking for help on his own computer. lol I think I basically just freaked out in this situation and panicked since it was my own computer and my own personal data at risk.

Here is the deal, my internet was super super slow at my office yesterday so I called my ISP after doing a power cycle on the modem and router. They claimed all was good on their end but I had an unusual amount of outgoing traffic. I reached over and switched off my wireless card and he said, ok it stopped. Uh-oh. I closed Firefox, Thunderbird and iTunes, reconnected to the router and he said the traffic going up was back. Weird. I have a little Windows 7 gadget to monitor network traffic on my desktop and I could see traffic both up and down and my hard drive access light was blinking non-stop. Weird. I panicked. I have a couple TrueCrypt containers on my system with a lot of personal banking info. My CC#'s, SS#'s, bank, stock info etc. I have a very good, very long passphrase but I immediately start thinking about that data.

I have KAV running and it's showing nothing. I update MBAM and SAS and run them both. Nothing shows up. I open a packet sniffer and it's going nuts with data transferring up and down. I close it in 100% freak out mode. In my haste (and I had other stuff I had to get done) I didn't even think to look at the outgoing IPs, it could have been nothing malicious, and I didn't even think to see how MUCH data was being uploaded. Duh. I know I'm an idiot but again, I was in a hurry.

I ran Kaspersky's TDSSKiller and it comes back clean. Process Explorer shows no unusual un-verified processes running. HijackThis had one gopher prefix which I removed.

I then went to my TrueCrypt files and renamed the files. I let everything finish up scanning, again, nothing was found at all, besides the one thing I mentioned in HijackThis. I looked at the network monitor and the data upload traffic had stopped. It would sporadically show a little random upload traffic but not much. Today it's just sitting there on 0 traffic up and down most of the time unless I'm obviously doing something. But my pessimistic mind keeps telling me that something was uploading data from my system and it only "happened" to stop after I renamed the TrueCrypt files.

Guys, just be honest with me and tell me if I'm an idiot. lol I normally never have a problem determining if a machine is infected or 2nd guess my results but for some reason I just started imagining all my personal info being uploaded and some crook having my passwords and opening up bank accounts in my name. lol It's not normally anything I even think twice about, since it's all TrueCrypt'ed but it just really panicked me yesterday.

Thoughts? Do you think I'm clean? Should I just forget about it or run more scans since everything has shown up ok?
I don't think you're an idiot.

If you are worried that even TrueCrypt can't keep your files safe, I would invest in some analog security - securely erase (I use Eraser) all the password & credit card files and keep them on your person.
 
I had a system in the shop a while back that the customer kept getting fapd on his satellite. Running wireshark I could see tons of data being downloaded but no source was downloading it. I manually checked for malicious files and startup entries and even ran MSE and the AVG boot CD and found nothing.

After a while I figured out what was going on. BITS or Background Intelligent Transfer Service in Windows was the cause. The customer had an old version of Norton on the system; when he went to try and renew it, the installer initiated BITS to download Norton 360. I never could stop the download even after removing Norton completely. There must have been a bug in BITS. After downloading almost 20 GB it just stopped. I left Wireshark running on the system for a day just to make sure and it never started back up again.

Normally BITS is used by Windows Update but I guess other companies have access to it, but if the code is not written correctly it can make the download unstoppable. Leave it to Symantec to F it all up, lol.
 
Have you tried sourcing the process hogging up traffic via Task Manager? Try a netstat -a and netstat -n and check those IP connections and processes in detail, look for rootkits using GMER, go to safe mode with networking and perform a netstat -a and -n, process of elimination. It might be a Windows Update process or a hijacked Windows system file, run sfc /scannow. Let me know what you find.
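A worked version of the netstat check above, together with the BITS check the earlier reply points at, as an added example rather than anything posted in the thread. It assumes Windows 7 with PowerShell 2.0 and an elevated prompt (the process lookup needs it for system processes); it parses netstat -ano because Get-NetTCPConnection only exists on Windows 8 and later.

```powershell
# Added example (not from the thread): tie each connection from "netstat -ano"
# to its owning process, rank remote hosts by session count, and list BITS jobs
# that could explain traffic no visible process accounts for.
# Assumes Windows 7, PowerShell 2.0+, run as administrator.

# 1. Parse netstat -ano. TCP rows have 5 fields (State present), UDP rows have 4.
$connections = netstat -ano |
    Where-Object { $_ -match '^\s*(TCP|UDP)\s+' } |
    ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = $f[4] }
        else                 { $state = '';    $owner = $f[3] }   # UDP has no state
        New-Object PSObject -Property @{
            Proto  = $f[0]
            Local  = $f[1]
            Remote = $f[2]
            State  = $state
            OwnerPid = [int]$owner
        }
    }

# 2. Map PID -> process name once, then label every established connection.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

$established = $connections |
    Where-Object { $_.State -eq 'ESTABLISHED' } |
    ForEach-Object {
        $name = $procs[$_.OwnerPid]
        if (-not $name) { $name = '<exited or hidden>' }   # PID gone, or not visible
        $_ | Add-Member -MemberType NoteProperty -Name Process -Value $name -PassThru
    }

"=== Established connections by process ==="
$established | Sort-Object Process | Format-Table Proto, Local, Remote, OwnerPid, Process -AutoSize

# 3. Remote hosts with the most sessions: strip the trailing :port (works for
#    IPv4 and for bracketed IPv6 such as [::1]:443).
"=== Sessions per remote host ==="
$established |
    Group-Object { $_.Remote -replace ':\d+$', '' } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Background downloads run inside svchost, not a process of their own, so a
#    stuck installer job (the Norton 360 case) only shows up here.
"=== BITS jobs (all users) ==="
bitsadmin /list /allusers /verbose
```

Repeat the first table with the wireless card on and off, as the ISP test did: whichever Process column entry appears only while the upload is happening is the one to verify (signature, image path) before deciding it is malicious.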
Have you tried sourcing the process hogging up traffic via Task Manager? Try a netstat -a and netstat -n and check those IP connections and processes in detail, look for rootkits using GMER, go to safe mode with networking and perform a netstat -a and -n, process of elimination. It might be a Windows Update process or a hijacked Windows system file, run sfc /scannow. Let me know what you find.

TCPView from Sysinternals works better than netstat I think?

To OP:
That is a weird situation though...I would be freaked out too.
 
Thanks so much for the help guys. I'm telling ya, not much bothers me and I have very little privacy concerns or fear of viruses etc. However, just the way this whole situation came about struck me as weird. Then when all the thoughts started racing through my mind about my TrueCrypt files (that was total unsubstantiated paranoia), I freaked a little. I was imagining a keylogger in place, having caught my passphrase and all my personal data was gone. lol Oh and then when I changed the name of the TrueCrypt files and soon after the data upload stopped, I was even more worried. lol

In truth, the data transfer was probably harmless and might have only been going on for a few minutes. But it was happening right then and I couldn't seem to quickly figure out where it was coming from or going. To top it off the ISP guy scared me because I told him the connection had been really slow off and on for weeks and he said, "Ya probably so with all this data going up that's coming from your system." LOL! Had I not been busy with other stuff and I had time to really slow down and look the situation over and figure it out, I wouldn't have gone into panic mode.

Thanks for the other suggestions guys. All seems to be good today. For safety's sake I switched off my wifi when I left the office for a few hours but I've been watching my network transfer widget all day and it's been normal. I downloaded a free version of ZoneAlarm (hoping it won't bog down my system much) just to see what's connecting and so far it's all normal. I didn't realize it was so hard to find a software firewall for a 64-bit ver. of Win7.

Again, thanks for all your comments and suggestions. I appreciate it.
 
Good to hear that everything is back to normal. This is why I set 3 accounts on my machine ("64 bit win 7 ultimate"). All accounts except admin run an all-inclusive software restriction policy (except LNK extensions), standard accounts/non-admin, selective DEP, and an active anti-virus. This combination makes for a pretty hardy system; if you need admin rights for something simply right click it and select run as administrator and enter the admin password.