eldon96, posted January 5, 2009

Hello,

I have an odd situation that I'd like some advice about.

My sister has been using uTorrent for several years now. About once a year she'd get a malware item for no apparent reason. She doesn't do general web browsing, just news etc. I always assumed she was doing something stupid and getting infected without realizing it. However...

I have just recently installed uTorrent and am ONLY downloading .AVI television shows from TVTorrents.com. I don't download any hijacked software, etc. I have been a computer tech for twenty years and own my own consulting company, so I know the dangers of spyware/malware. I am extremely safe with my web browsing, and if there is even a twinge of suspicion about a website I use FireFox to minimize my exposure. I have been using uTorrent for six months now without issue, but mostly for downloading. Within the last six weeks I have been doing more seeding than downloading, with the last two weeks being exclusively seeding. I leave it running 24/7 and only shut it down when I need to reclaim the bandwidth for work purposes.

Friday I sat down at my computer to do some work and FireFox as well as IE were redirecting all my Google searches to various advertisement sites. The search results of both Yahoo and Google were pointing to http://go.yahoo.com and http://go.google.com and would then push me to an ad. The PC was working fine when I left it the day before. I tracked it down to a TDSSserv.sys driver that was loaded in the hidden devices of my Device Manager (and had variations on the TDSSxxxx.dll in my system32 folder). I disabled the driver and cleaned the files and all is well. Some say that is closely linked to the WinAntiVirus 2009 infections, but I have no evidence of that on my system.

The above facts make me suspect that someone has found my open port and has remotely installed some malware. Or perhaps someone else connected to my torrents has somehow infected me? I'm not sure. The only thing I am 100% sure about is that this is not operator error.

I'm going to continue using my torrents as I had been, but was wondering if anyone else has had this kind of thing happen to them? How can one protect against someone exploiting the open port? Is there any danger of being infected from a leecher? What other security suggestions do you have?

Thank you
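A defender-side triage script, added here as an example and not part of the thread or of uTorrent: it lists running kernel drivers whose binary is missing from disk, is unsigned, or is signed by someone other than Microsoft, which is how a hidden driver like the TDSSserv.sys described above would stand out. The function names are my own; it assumes Windows PowerShell 3 or later run from an elevated prompt.

```powershell
# Added triage helper (not from the thread): enumerate running kernel drivers
# (the "hidden devices" of Device Manager) and flag the ones a rootkit
# component would typically match: no file on disk, no valid Authenticode
# signature, or a signer other than Microsoft.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Service image paths come in several shapes: "\??\C:\...", "\SystemRoot\...",
    # "system32\DRIVERS\x.sys", or a plain "C:\..." path. Normalise all of them.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDrivers {
    $drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path   = Resolve-DriverPath $d.PathName
        $reason = $null
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A loaded driver whose file cannot be found is a classic sign of a
            # hidden or half-cleaned rootkit component.
            $reason = 'binary not found on disk'
        } else {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                $reason = "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $reason = "third-party signer: $($sig.SignerCertificate.Subject)"
            }
        }
        if ($reason) {
            [pscustomobject]@{ Name = $d.Name; Path = $path; Reason = $reason }
        }
    }
}

Get-SuspiciousDrivers | Format-Table -AutoSize
```

Legitimate third-party drivers (graphics, antivirus, VPN) will appear in the third-party list, so treat the output as a review queue rather than a verdict; the "binary not found" and "NotSigned" rows are the ones worth checking first.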
Switeck, posted January 5, 2009

There are known vulnerabilities in older uTorrent versions. I've heard there are actual examples of exploit .torrent files in the wild. uTorrent v1.8 and later should be immune to the old vulnerabilities...
cremaster, posted January 6, 2009

I will put my two cents in on this one. Cliff note: check numerous times with numerous up-to-date rootkit detectors; if you have a kit you might be best off to format.

I had the same type of behavior when I was running a lot of torrent traffic. Everything was fine and then it was not. I was slightly unprotected (not having updated my virus and spy progs) at the time and I guess my computer condom broke. The behavior started with occasional redirects and then it increased over a period of days. What was strange was that any search for a virus site, help site, or even Microsoft was redirected to a fake results site. I was able to google several files in threads that I did not recognize in Task Manager. I found several suspect files, but any delete would cause the file to be reinstalled AND new junk to appear. It just kept getting worse and worse till I began to get blue screens with stupid messages on them. Then I got one that said "bla bla bla sysinternals.com bla bla bla"; I knew that that could not be true and googled the message and it was more malware. I think that it was a rootkit detector from sysinternals.com that ended up detecting my main problem. I ended up having to format; it was either that or nuke it from orbit to be sure. If you can identify your bug then you can find out what it will take to remove the infestation. You may want to consider running uTorrent and keeping all your uTorrent stuff on a separate disc or partition with its own OS. It is what I am doing now and have had no further problems.
eldon96 (author), posted January 6, 2009

Thank you for your input. I am using version 1.8.1.

I currently have the problems removed and the PC is working fine. I suppose I could make a second computer just for uTorrent with the torrents being stored on a drive separate from the OS and then make an image of the OS. Then if it gets hijacked I can just restore the image.

My virus scanner was current but I didn't have an active spyware scanner. I'm going to get uTorrent running again and try some configuration options to see if I can keep it more secure.

Any other comments are gladly welcomed.
Switeck, posted January 6, 2009

Process Explorer and HijackThis! are must-have tools as well. While you're at it, you might want to get other tools available from the same place as Process Explorer. 1st link in my signature (at very bottom) tells more.