
D/load b/width = upload b/width even when I'm only seeding.


dermag


Hi All,

Can anyone shed any light on something I've noticed?

For all I know it may be just a feature of the prog.

If I have a few torrents just seeding, i.e. all have finished d/loading. Say my global upload speed is 50.

Using NetMeter to check my overall usage, I'm d/loading at roughly the same speed as I'm uploading.

uT is reporting that there's nothing coming down, but roughly 50 going up. Which is what I'd expect.

If I alter my global upload to say 75, NetMeter again reports that my d/load is at about 75, the same as the upload speed.

I've checked for any rogue TCP/IP connections but there's nothing.

If I close uT altogether the reported d/load speed disappears as soon as uT is closed.

It definitely seems to be a uT thing. I'm aware that there is always going to be some residual d/load data while uploading is going on.

But this seems a bit excessive. Can anyone shed light on this?

TIA

Ron

Link to comment
Share on other sites

Possible hostile man-in-the-middle style trojan on your computer -- it sees your upload as its download, then uploads it again out your internet connection. Such would be used to monitor private activities on the internet, such as username+passwords for stuff like...banking account login. After some time, it might even "phone home" any useful data it finds.

NetMeter is spotting that activity and reporting BOTH the download and upload nature of it.

This would also explain why down+up traffic stops when uTorrent is stopped...

Do you have Zone Alarm on your computer?

Link to comment
Share on other sites

I don't use Zone Alarm these days.

I did think it might be a trojan but using a program called TCPView I cannot see any suspect-looking connections.

Everything I would expect to be showing, is showing. And nothing more.

I guess I need to do a bit more digging.

I'm using AVG 8 and Spybot S&D and I'm pretty stringent when it comes to running anything suspect.

Thanks for the help so fast.

Ron

Link to comment
Share on other sites

AVG doesn't have a software firewall.

I've relied on my hardware firewall (router) for ages now but sadly that doesn't help if I accidentally load a trojan up from my side.

Which is what seems to be the case.

What I find odd is why would the trojan stop & start with uT?

I've tested it many times and when uT is not running there is no suspicious activity at all.

I would expect the trojan to be active as much as possible.

Ron

Link to comment
Share on other sites

Switeck,

Thanks for taking the time, really appreciate it.

Here's the info you asked for.

Process PID CPU Description Company Name

System Idle Process 0 81.95

procexp.exe 2872 8.27 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

avgrsx.exe 232 2.26 AVG Resident Shield Service AVG Technologies CZ, s.r.o.

uTorrent.exe 1748 1.50 µTorrent BitTorrent, Inc.

System 4 1.50

TeaTimer.exe 2280 0.75 System settings protector Safer-Networking Ltd.

NetMeter.exe 2404 0.75

Interrupts n/a 0.75 Hardware Interrupts

explorer.exe 1764 0.75 Windows Explorer Microsoft Corporation

DPCs n/a 0.75 Deferred Procedure Calls

csrss.exe 704 0.75 Client Server Runtime Process Microsoft Corporation

winlogon.exe 728 Windows NT Logon Application Microsoft Corporation

svchost.exe 2044 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1152 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 968 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1056 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1228 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1444 Generic Host Process for Win32 Services Microsoft Corporation

spoolsv.exe 1840 Spooler SubSystem App Microsoft Corporation

smss.exe 632 Windows NT Session Manager Microsoft Corporation

services.exe 772 Services and Controller app Microsoft Corporation

NMSAccessU.exe 348

lsass.exe 784 LSA Shell (Export Version) Microsoft Corporation

inetinfo.exe 264 Internet Information Services Microsoft Corporation

iexplore.exe 2460 Internet Explorer Microsoft Corporation

firefox.exe 2136 Firefox Mozilla Corporation

E_FATI9BE.EXE 2068 EPSON Status Monitor 3 SEIKO EPSON CORPORATION

ctfmon.exe 1168 CTF Loader Microsoft Corporation

BORGChat.exe 3276 BORGChat IOn

avgwdsvc.exe 1980 AVG Watchdog Service AVG Technologies CZ, s.r.o.

avgtray.exe 2132 AVG Tray Monitor AVG Technologies CZ, s.r.o.

ati2evxx.exe 952 ATI External Event Utility EXE Module ATI Technologies Inc.

ati2evxx.exe 1700 ATI External Event Utility EXE Module ATI Technologies Inc.

alg.exe 3628 Application Layer Gateway Service Microsoft Corporation

Process: uTorrent.exe Pid: 1748

Name Description Company Name Version

ACTIVEDS.dll ADs Router Layer DLL Microsoft Corporation 5.1.2600.5512

adsldpc.dll ADs LDAP Provider C DLL Microsoft Corporation 5.1.2600.5512

ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation 5.1.2600.5512

ATL.DLL ATL Module for Windows XP (Unicode) Microsoft Corporation 3.5.2284.1

CLBCATQ.DLL Microsoft Corporation 2001.12.4414.700

COMCTL32.dll User Experience Controls Library Microsoft Corporation 6.0.2900.5512

comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.0.2900.5512

COMRes.dll Microsoft Corporation 2001.12.4414.700

credui.dll Credential Manager User Interface Microsoft Corporation 5.1.2600.5512

CRYPT32.dll Crypto API32 Microsoft Corporation 5.131.2600.5512

ctype.nls

DnsApi.dll DNS Client API DLL Microsoft Corporation 5.1.2600.5512

dot3api.dll 802.3 Autoconfiguration API Microsoft Corporation 5.1.2600.5512

dot3dlg.dll 802.3 UI Helper Microsoft Corporation 5.1.2600.5512

eappcfg.dll Eap Peer Config Microsoft Corporation 5.1.2600.5512

eappprxy.dll Microsoft EAPHost Peer Client DLL Microsoft Corporation 5.1.2600.5512

GDI32.dll GDI Client DLL Microsoft Corporation 5.1.2600.5512

hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.1.2600.5512

iertutil.dll Run time utility for Internet Explorer Microsoft Corporation 7.0.5730.13

IMM32.DLL Windows XP IMM32 API Client DLL Microsoft Corporation 5.1.2600.5512

Iphlpapi.dll IP Helper API Microsoft Corporation 5.1.2600.5512

kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.1.2600.5512

locale.nls

MPRAPI.dll Windows NT MP Router Administration DLL Microsoft Corporation 5.1.2600.5512

MSASN1.dll ASN.1 Runtime APIs Microsoft Corporation 5.1.2600.5512

MSCTF.dll MSCTF Server DLL Microsoft Corporation 5.1.2600.5512

msctfime.ime Microsoft Text Frame Work Service IME Microsoft Corporation 5.1.2600.5512

MSVCP60.dll Microsoft ® C++ Runtime Library Microsoft Corporation 6.2.3104.0

msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.0.2600.5512

mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.1.2600.5512

netapi32.dll Net Win32 API DLL Microsoft Corporation 5.1.2600.5694

netshell.dll Network Connections Shell Microsoft Corporation 5.1.2600.5512

Normaliz.dll Unicode Normalization DLL Microsoft Corporation 6.0.5441.0

ntdll.dll NT Layer DLL Microsoft Corporation 5.1.2600.5512

ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.1.2600.5512

oleaut32.dll Microsoft Corporation 5.1.2600.5512

onerovom.dll

OneX.DLL IEEE 802.1X supplicant library Microsoft Corporation 5.1.2600.5512

rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.1.2600.5512

RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation 5.1.2600.5512

rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.1.2600.5507

rtutils.dll Routing Utilities Microsoft Corporation 5.1.2600.5512

SAMLIB.dll SAM Library DLL Microsoft Corporation 5.1.2600.5512

Secur32.dll Security Support Provider Interface Microsoft Corporation 5.1.2600.5512

SETUPAPI.dll Windows Setup API Microsoft Corporation 5.1.2600.5512

SHELL32.dll Windows Shell Common Dll Microsoft Corporation 6.0.2900.5512

shfolder.dll Shell Folder Service Microsoft Corporation 6.0.2900.5512

SHLWAPI.dll Shell Light-weight Utility Library Microsoft Corporation 6.0.2900.5512

sortkey.nls

sorttbls.nls

unicode.nls

USER32.dll Windows XP USER API Client DLL Microsoft Corporation 5.1.2600.5512

USERENV.dll Userenv Microsoft Corporation 5.1.2600.5512

uTorrent.exe µTorrent BitTorrent, Inc. 1.8.3.15772

uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.0.2900.5512

VERSION.dll Version Checking and File Installation Libraries Microsoft Corporation 5.1.2600.5512

WININET.dll Internet Extensions for Win32 Microsoft Corporation 7.0.5730.13

WINSTA.dll Winstation Library Microsoft Corporation 5.1.2600.5512

WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.1.2600.5512

WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.1.2600.5512

WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.1.2600.5512

wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.1.2600.5512

WTSAPI32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.1.2600.5512

xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.1.2600.5512

Link to comment
Share on other sites

Yeah, I had that one marked as suspicious.

Trying to get rid of it is another matter though. The rogue dll (and a couple of other suspicious ones) are proving stubborn to delete.

Do you know of anything like DOS that can delete files without loading the op system?

Thanks for the help anyway.

Link to comment
Share on other sites

I managed to delete the offender after a lot of hassle.

It did the job as well, there is no d/l now while I'm seeding.

Kept getting the message that the file was in use by another program.

In the end I got rid of it with CyberScrub, a secure file shredder.

Getting rid of the registry entries is another matter altogether.

Thanks again.

Link to comment
Share on other sites
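A triage pass over a loaded-module listing like the one posted earlier in this thread, added here as an example and not written by any of the posters: it flags code modules whose row has no description, company or version. The function names, the extension list and the row-splitting heuristic are assumptions of this example, and the sample rows are copied from the uTorrent.exe listing above; the thread itself does not name the file that was removed.

```python
import re

# Extensions of modules that carry executable code (assumed list); .nls and
# similar data files normally have no version resource and are skipped.
CODE_EXTS = (".dll", ".exe", ".ime", ".ocx", ".cpl", ".sys")
VERSION_RE = re.compile(r"^\d+(?:\.\d+){2,3}$")
HEADER = "Name Description Company Name Version"

# Rows copied from the uTorrent.exe module listing in this thread.
SAMPLE = """\
Name Description Company Name Version
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.1.2600.5512
locale.nls
CLBCATQ.DLL Microsoft Corporation 2001.12.4414.700
onerovom.dll
uTorrent.exe µTorrent BitTorrent, Inc. 1.8.3.15772
sortkey.nls
"""

def parse_row(line):
    """Split one flattened row into (name, middle text, version or None)."""
    tokens = line.split()
    name, rest = tokens[0], tokens[1:]
    version = rest.pop() if rest and VERSION_RE.match(rest[-1]) else None
    return name, " ".join(rest), version

def unidentified_modules(listing):
    """Return code modules that have no description, company or version."""
    flagged = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line == HEADER:
            continue
        name, middle, version = parse_row(line)
        if not name.lower().endswith(CODE_EXTS):
            continue  # data file, not loadable code
        if not middle and version is None:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in unidentified_modules(SAMPLE):
        print(f"no version info, check path and signature: {name}")
```

A blank row is a prompt to check where the file lives and whether it is signed, since legitimate modules can also ship without version resources.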

Archived

This topic is now archived and is closed to further replies.
