dermag Posted September 5, 2009

Hi All,

Can anyone shed any light on something I've noticed? For all I know it may be just a feature of the prog.

If I have a few torrents just seeding, i.e. all have finished d/loading, say my global upload speed is 50. Using NetMeter to check my overall usage, I'm d/loading at roughly the same speed as I'm uploading. uT is reporting that there's nothing coming down, but roughly 50 going up, which is what I'd expect.

If I alter my global upload to say 75, NetMeter again reports that my d/load is at about 75, the same as the upload speed.

I've checked for any rogue TCP/IP connections but there's nothing. If I close uT altogether the reported d/load speed disappears as soon as uT is closed. It definitely seems to be a uT thing.

I'm aware that there is always going to be some residual d/load data while uploading is going on, but this seems a bit excessive. Can anyone shed light on this?

TIA
Ron
Switeck Posted September 5, 2009

Possible hostile man-in-the-middle style trojan on your computer -- it sees your upload as its download, then uploads it again out your internet connection. Such would be used to monitor private activities on the internet, such as username+passwords for stuff like... banking account login. After some time, it might even "phone home" any useful data it finds.

NetMeter is spotting that activity and reporting BOTH the download and upload nature of it. This would also explain why down+up traffic stops when uTorrent is stopped...

Do you have Zone Alarm on your computer?
dermag Posted September 5, 2009 (Author)

I don't use Zone Alarm these days. I did think it might be a trojan but using a program called TCPView I cannot see any suspect-looking connections. Everything I would expect to be showing is showing, and nothing more. I guess I need to do a bit more digging.

I'm using AVG 8 and Spybot S&D and I'm pretty stringent when it comes to running anything suspect.

Thanks for the help so fast.
Ron
Switeck Posted September 5, 2009

Does AVG 8 have a software firewall?
dermag Posted September 5, 2009 (Author)

AVG doesn't have a software firewall. I've relied on my hardware firewall (router) for ages now, but sadly that doesn't help if I accidentally load a trojan up from my side, which is what seems to be the case.

What I find odd is why the trojan would stop & start with uT. I've tested it many times and when uT is not running there is no suspicious activity at all. I would expect the trojan to be active as much as possible.

Ron
Switeck Posted September 6, 2009

So, where's the Process Explorer uTorrent DLL log? (1st link in my signature, very bottom...)
dermag Posted September 6, 2009 (Author)

Switeck,

Thanks for taking the time, really appreciate it. Here's the info you asked for.

Process PID CPU Description Company Name
System Idle Process 0 81.95
procexp.exe 2872 8.27 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
avgrsx.exe 232 2.26 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
uTorrent.exe 1748 1.50 µTorrent BitTorrent, Inc.
System 4 1.50
TeaTimer.exe 2280 0.75 System settings protector Safer-Networking Ltd.
NetMeter.exe 2404 0.75
Interrupts n/a 0.75 Hardware Interrupts
explorer.exe 1764 0.75 Windows Explorer Microsoft Corporation
DPCs n/a 0.75 Deferred Procedure Calls
csrss.exe 704 0.75 Client Server Runtime Process Microsoft Corporation
winlogon.exe 728 Windows NT Logon Application Microsoft Corporation
svchost.exe 2044 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1152 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 968 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1056 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1228 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1444 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1840 Spooler SubSystem App Microsoft Corporation
smss.exe 632 Windows NT Session Manager Microsoft Corporation
services.exe 772 Services and Controller app Microsoft Corporation
NMSAccessU.exe 348
lsass.exe 784 LSA Shell (Export Version) Microsoft Corporation
inetinfo.exe 264 Internet Information Services Microsoft Corporation
iexplore.exe 2460 Internet Explorer Microsoft Corporation
firefox.exe 2136 Firefox Mozilla Corporation
E_FATI9BE.EXE 2068 EPSON Status Monitor 3 SEIKO EPSON CORPORATION
ctfmon.exe 1168 CTF Loader Microsoft Corporation
BORGChat.exe 3276 BORGChat IOn
avgwdsvc.exe 1980 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgtray.exe 2132 AVG Tray Monitor AVG Technologies CZ, s.r.o.
ati2evxx.exe 952 ATI External Event Utility EXE Module ATI Technologies Inc.
ati2evxx.exe 1700 ATI External Event Utility EXE Module ATI Technologies Inc.
alg.exe 3628 Application Layer Gateway Service Microsoft Corporation

Process: uTorrent.exe Pid: 1748
Name Description Company Name Version
ACTIVEDS.dll ADs Router Layer DLL Microsoft Corporation 5.1.2600.5512
adsldpc.dll ADs LDAP Provider C DLL Microsoft Corporation 5.1.2600.5512
ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation 5.1.2600.5512
ATL.DLL ATL Module for Windows XP (Unicode) Microsoft Corporation 3.5.2284.1
CLBCATQ.DLL Microsoft Corporation 2001.12.4414.700
COMCTL32.dll User Experience Controls Library Microsoft Corporation 6.0.2900.5512
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.0.2900.5512
COMRes.dll Microsoft Corporation 2001.12.4414.700
credui.dll Credential Manager User Interface Microsoft Corporation 5.1.2600.5512
CRYPT32.dll Crypto API32 Microsoft Corporation 5.131.2600.5512
ctype.nls
DnsApi.dll DNS Client API DLL Microsoft Corporation 5.1.2600.5512
dot3api.dll 802.3 Autoconfiguration API Microsoft Corporation 5.1.2600.5512
dot3dlg.dll 802.3 UI Helper Microsoft Corporation 5.1.2600.5512
eappcfg.dll Eap Peer Config Microsoft Corporation 5.1.2600.5512
eappprxy.dll Microsoft EAPHost Peer Client DLL Microsoft Corporation 5.1.2600.5512
GDI32.dll GDI Client DLL Microsoft Corporation 5.1.2600.5512
hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.1.2600.5512
iertutil.dll Run time utility for Internet Explorer Microsoft Corporation 7.0.5730.13
IMM32.DLL Windows XP IMM32 API Client DLL Microsoft Corporation 5.1.2600.5512
Iphlpapi.dll IP Helper API Microsoft Corporation 5.1.2600.5512
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.1.2600.5512
locale.nls
MPRAPI.dll Windows NT MP Router Administration DLL Microsoft Corporation 5.1.2600.5512
MSASN1.dll ASN.1 Runtime APIs Microsoft Corporation 5.1.2600.5512
MSCTF.dll MSCTF Server DLL Microsoft Corporation 5.1.2600.5512
msctfime.ime Microsoft Text Frame Work Service IME Microsoft Corporation 5.1.2600.5512
MSVCP60.dll Microsoft ® C++ Runtime Library Microsoft Corporation 6.2.3104.0
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.0.2600.5512
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.1.2600.5512
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.1.2600.5694
netshell.dll Network Connections Shell Microsoft Corporation 5.1.2600.5512
Normaliz.dll Unicode Normalization DLL Microsoft Corporation 6.0.5441.0
ntdll.dll NT Layer DLL Microsoft Corporation 5.1.2600.5512
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.1.2600.5512
oleaut32.dll Microsoft Corporation 5.1.2600.5512
onerovom.dll
OneX.DLL IEEE 802.1X supplicant library Microsoft Corporation 5.1.2600.5512
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.1.2600.5512
RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation 5.1.2600.5512
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.1.2600.5507
rtutils.dll Routing Utilities Microsoft Corporation 5.1.2600.5512
SAMLIB.dll SAM Library DLL Microsoft Corporation 5.1.2600.5512
Secur32.dll Security Support Provider Interface Microsoft Corporation 5.1.2600.5512
SETUPAPI.dll Windows Setup API Microsoft Corporation 5.1.2600.5512
SHELL32.dll Windows Shell Common Dll Microsoft Corporation 6.0.2900.5512
shfolder.dll Shell Folder Service Microsoft Corporation 6.0.2900.5512
SHLWAPI.dll Shell Light-weight Utility Library Microsoft Corporation 6.0.2900.5512
sortkey.nls
sorttbls.nls
unicode.nls
USER32.dll Windows XP USER API Client DLL Microsoft Corporation 5.1.2600.5512
USERENV.dll Userenv Microsoft Corporation 5.1.2600.5512
uTorrent.exe µTorrent BitTorrent, Inc. 1.8.3.15772
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.0.2900.5512
VERSION.dll Version Checking and File Installation Libraries Microsoft Corporation 5.1.2600.5512
WININET.dll Internet Extensions for Win32 Microsoft Corporation 7.0.5730.13
WINSTA.dll Winstation Library Microsoft Corporation 5.1.2600.5512
WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.1.2600.5512
WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.1.2600.5512
WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.1.2600.5512
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.1.2600.5512
WTSAPI32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.1.2600.5512
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.1.2600.5512
Switeck Posted September 7, 2009

I don't know what "onerovom.dll" is... but it's in the DLL list under uTorrent.exe!
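What gave onerovom.dll away in the listing above is that it is the only code module with neither a Description nor a Company Name, while the locale data tables (.nls) legitimately have none. The script below is an added example, not the thread's own tooling: it parses a saved Process Explorer DLL view (assumed tab-separated, as the Save command writes it; the sample rows are constructed) and reports modules with that empty-metadata pattern, skipping .nls data files and not flagging modules like CLBCATQ.DLL that merely lack a description.

```python
"""Flag loaded modules that carry neither a Description nor a Company Name,
the pattern that singled out onerovom.dll above. Added example, not the
thread's own tooling; assumes the tab-separated layout of a saved Process
Explorer DLL view and uses constructed sample rows."""
import csv
import io
import os

# Constructed sample of a saved DLL view: a "Process:" line, a header, then
# one tab-separated row per module (empty cells where metadata is missing).
SAMPLE = "\n".join([
    "Process: uTorrent.exe Pid: 1748",
    "Name\tDescription\tCompany Name\tVersion",
    "ADVAPI32.dll\tAdvanced Windows 32 Base API\tMicrosoft Corporation\t5.1.2600.5512",
    "CLBCATQ.DLL\t\tMicrosoft Corporation\t2001.12.4414.700",
    "ctype.nls\t\t\t",
    "onerovom.dll\t\t\t",
    "OneX.DLL\tIEEE 802.1X supplicant library\tMicrosoft Corporation\t5.1.2600.5512",
    "uTorrent.exe\t\u00b5Torrent\tBitTorrent, Inc.\t1.8.3.15772",
])

# Locale/Unicode data tables are mapped into every process and never carry
# version resources, so their empty cells are expected rather than suspicious.
DATA_FILE_EXTENSIONS = {".nls"}


def parse_modules(text):
    """Return the module rows of a saved DLL view as dicts keyed by header name."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("Name\t"))
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])), delimiter="\t")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def flag_unattributed(rows):
    """Names of code modules whose Description and Company Name are both empty.
    A missing description alone (as with CLBCATQ.DLL) is common and not flagged."""
    suspects = []
    for row in rows:
        name = row["Name"]
        if os.path.splitext(name)[1].lower() in DATA_FILE_EXTENSIONS:
            continue
        if not row["Description"] and not row["Company Name"]:
            suspects.append(name)
    return suspects


if __name__ == "__main__":
    for name in flag_unattributed(parse_modules(SAMPLE)):
        print(f"unattributed module loaded: {name}")
```

An empty metadata pair is a triage hint, not proof; the next step is to check the file's digital signature and its path on disk before acting on it.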
dermag Posted September 7, 2009 (Author)

Yeah, I had that one marked as suspicious. Trying to get rid of it is another matter though. The rogue DLL (and a couple of other suspicious ones) are proving stubborn to delete.

Do you know of anything like DOS that can delete files without loading the op system?

Thanks for the help anyway.
Switeck Posted September 8, 2009

I've heard of unlocker programs that might allow that... You'll have to find what runs it in the system registry.
dermag Posted September 8, 2009 (Author)

I managed to delete the offender after a lot of hassle. It did the job as well; there is no d/l now while I'm seeding.

I kept getting the message that the file was in use by another program. In the end I got rid of it with CyberScrub, a secure file shredder. Getting rid of the registry entries is another matter altogether.

Thanks again.