My computer has decided to take over the world

KF

Well why else would it be doing what it is doing? I am guessing it is connected to networking.

Basically my computer has decided on its own to send a huge amount of data over the Internet. It has been doing this the last 4 times I dialed up. It appears that it will do this continuously forever if I don't shut it down.

This is as far as I have narrowed it down:

I boot the computer. 10 minutes after XP starts, it dials my ISP on its own. There is nothing anywhere still set to auto connect that I can find, although probably I don't know every possible place to check. No applications are running. There is nothing set to run in the scheduler that has run since April. The modem lights indicate it is sending data nearly continuously. The Networking Status box says I am sending data continuously and receiving very little. After about 45 minutes, it starts to receive data periodically while it is still sending. After about an hour, the computer has sent 36 megabytes (76% compressed, at 28,800).

I can stop the process by shutting down dllhost.exe in Processes with Taskmanager. This results in a red X error event in Event Viewer. "The WINS Client service terminated unexpectedly." The Component Services app says:

"WINS client

Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."

It doesn't sound like that should be a concern, although perhaps it is unneeded.

This started the first time after I reinstalled XP over itself to fix an unrelated problem (XP has quit playing music CDs.). The first time I noticed the continual uploading was when I clicked on a link to CDex, and could not get it to download. After that no web pages anywhere would load.

I shut down dllhost.exe about a half hour ago and now restarted it to see what would happen. It sends some data every few seconds, and gets a little back. This is much less intensive than when I leave it run, probably around half or third the data per hour.

Naturally I'm suspicious. Is there any way to find out what is being sent? Is there any way to find out where it is being sent? It seems like there should be. I don't like not knowing what is going on.

It would seem that there has to be some process doing this. And the computer was not doing this before. Is there some way to check that all the processes are legitimate and if they are what they seem to be?
 

JackMDS

LOL.

You achieved the goal of Dr. No, Goldfinger and many more.:Q

A computer that can take over the world. :cool:

Can I buy it???:D

==========================

Install a Software firewall (Not WinXP native Firewall). Let it do it again, and look at the Log book to see where it goes.

Look at WinXP services and see if there is a Service that is loaded Auto for the DialUp.
 

gunrunnerjohn

You either have a p2p program that you've forgotten loaded, or you have spyware/malware somewhere on the machine. Time for a complete virus scan, SpyBot scan, and perhaps an AdAware scan.
 

KF

Thanks for all the responses. I was thinking a virus or a spy would behave differently than this, but here is as far as I got....

Part 2

I got some free versions of virus scanners and I ran spybot and ad-aware.

As usual, there was a load of cookies and registry keys reported as being spies. Actually most of the references were to the free virus scanners. The Panda virus scanner said I had 16 virus files and 15 deactivated before it locked up. It locked up at the same spot when I ran it again, although it reported no viruses, so I guess it got rid of all 16. Because of that I don't know what the files were supposed to be that had viruses. What I actually wanted to know was what was doing this. I don't think I do things that should have put a virus on the computer.

Another virus scanner found viruses in files that I backed up to another partition (beyond where the other scanner locked up), so I figured the originals on C: must have been the ones that had the viruses, and I put them back. The files were in 4 subdirectories of Windows, named ddm1, ddm2, ddm3, and ddm4, which appear to be near duplicates. The file dates are all within a few minutes of each other. I wonder if this is some porno garbage I picked up at astalavista? (edit: yes it is. I started the executables and it takes me to a porno site. It doesn't start dllhost.exe. So this is not the take-over-the-world thing.)

I installed the ZoneAlarm firewall, rebooted XP and waited for it to dial on its own. But it didn't. I notice that dllhost.exe is not there in TaskManager and the service WINS Client is not in Component Services at all.

So I dialed on my own. Nothing is going out, although ZA says it is not blocking anything outgoing. ZoneAlarm gives me Alerts averaging 3 per minute, now totaling about 500. It says these are 'Pings' (ICMP Echo Request). They come from all sorts of IPs. ZA gives a source DNS, and I don't see any pattern. All the counts are 1. ZoneAlarm says I have nothing to worry about, because it is blocking them. But I wonder why all these people are pinging my IP?

gunrunnerjohn says I might have a p2p program running. Maybe I installed something like that at one time. But I don't see any sign of any program that seems like it might be one in the Programs list, and I don't see any uninstaller for one in "Add or Remove Programs."

I turned ZA blocking off for a while. But I only got a couple of brief flickers of the send light, so whatever is doing the sending does not appear to be active.


 

KF

Evidently I had the Welchia worm. It puts its own version of dllhost.exe and svchost.exe on the computer.

I believe reinstalling XP led to a cascade of problems, due to the fact that it took off those nice security patches I've been installing over the months, and may have reset some settings. It seems that the next time I connected to the Internet I got the Welchia worm. Getting the Welchia worm first may have protected me against the Blaster worm though. (Just lucky I guess.) Welchia deletes Blaster. Since I got the Zone Alarm firewall, that probably kept the Blaster from getting onboard when the anti-virus software eliminated Welchia, or partially eliminated it.

Unfortunately my ISP went out of business without any notice two days ago. So I couldn't get on the Internet, which led to another cascade of trouble.

To get Internet service, I decided to tag on as a second user of a relative's MSN account. I tried to set that up on my main XP installation. But MSN insisted that I had to be a second user of the free trial MSN account which I cancelled years ago, and refused to do that either, unless I gave it the password for that account, which I no longer remember, and in any case is invalid because the account is cancelled. Deleting MSN from the XP Windows components didn't help. Same thing when I put it back. Typical Microsoft bull.

So I used a second installation of XP on the same computer. That XP installation has never been connected to the Internet, and has no patches beyond sp1. Setting up MSN went OK. I had to set up as my relative first, then tag myself as another user. Unfortunately, I didn't think I needed any protection, since obviously I had no viruses or worms or malware. (I did have Windows XP though, which is just as dangerous.) So as I was completing the final MSN questions, the Blaster struck and I got the 60 second countdown till shutting down Windows. After rebooting, and dialing MSN I did the questionnaire faster and got done before the Blaster struck. Third time, I was downloading/installing the newer MSN messenger at the insistence of MSN (about an hour.) I didn't quite make it.

Fourth time, I had taskmanager running to see what was going on. When Blaster struck, a lot of tftp.exe and cmd.exe versions appeared at a rapid pace. I shut them down successfully for about ten minutes. Then msblaster.exe appeared. Then I got the 60 second countdown, etc.

Enough. I ran some of the anti-virus/worm software I had downloaded before and it removed msblaster.exe. OK. I had downloaded the ZoneAlarm firewall so I installed that before dialing. That did it.

So now I have been on the Internet for about 18 hours, and ZA has blocked 7432 intrusions, 251 high rated. All apparently from different IPs and single attempts. I really don't see any reason for all this pinging of my IP, or why people would legitimately be accessing my IP high-ratedly 251 times.

Why do I feel a sudden urge to switch to linux? I wonder how I would set up MSN on linux?

It has been educational. Unfortunately, the process by which worms are allowed to be put on my computer is not very clearly described in any web research I have seen. I'd like to know in sufficient detail to be able to write my own worms, like maybe XPblaster; and delete the XP source code at Microsoft. Sounds like fun! Just kidding. But it seems like it should be impossible to do what worms do so easily. Why isn't it? Firewalls have no problem. Why can't XP just do it right?
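
An added example, not part of the thread or written by any poster: one way to answer the earlier question of whether running processes "are what they seem to be" is to compare each process's image path against where Windows keeps the real binary, and to count rapid duplicates of tools such as tftp.exe and cmd.exe. The baseline directory, the burst limit, the `triage` helper and the sample listing (including `example_subdir`) are assumptions constructed for illustration.

```python
import ntpath
from collections import Counter

# Assumption: default XP layout; change SYSTEM_DIR for other installs.
SYSTEM_DIR = r"c:\windows\system32"
# System binaries named in the thread that should only run from SYSTEM_DIR.
BASELINE = {"dllhost.exe", "svchost.exe", "cmd.exe", "tftp.exe"}
# Assumption: more than BURST_LIMIT copies of these tools at once is unusual.
BURST_NAMES = {"cmd.exe", "tftp.exe"}
BURST_LIMIT = 3


def triage(processes):
    """processes: iterable of (pid, image_path). Returns a list of findings."""
    findings = []
    counts = Counter()
    for pid, image_path in processes:
        # Normalise case, slashes and ".." so path tricks do not hide a copy.
        norm = ntpath.normpath(image_path).lower()
        directory, name = ntpath.split(norm)
        counts[name] += 1
        if name in BASELINE and directory != SYSTEM_DIR:
            findings.append(("wrong-location", name, pid, norm))
    for name in sorted(BURST_NAMES):
        if counts[name] > BURST_LIMIT:
            findings.append(("burst", name, counts[name], None))
    return findings


# Constructed sample listing (pid, image path); not data from the thread.
SAMPLE = [
    (412, r"C:\WINDOWS\system32\svchost.exe"),
    (980, r"C:\WINDOWS\System32\dllhost.exe"),
    (1500, r"C:\WINDOWS\system32\example_subdir\dllhost.exe"),
    (1504, r"C:\WINDOWS\system32\example_subdir\..\example_subdir\svchost.exe"),
    (2000, r"C:\WINDOWS\system32\cmd.exe"),
    (2100, r"C:\WINDOWS\system32\tftp.exe"),
    (2101, r"C:\WINDOWS\system32\tftp.exe"),
    (2102, r"C:\WINDOWS\system32\tftp.exe"),
    (2103, r"C:\WINDOWS\system32\tftp.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A name match in the right directory is not proof the file is genuine; it only narrows which images deserve a signature or hash check next.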

 

StraightPipe

often you only have to be online, and not behind a firewall.

seems like you had some dialers on there too, my friend had a dialer that ran up a $260 bill in overseas calls! (he was able to get the phone company to waive it once, but they warned that they would not do it a second time, adaware found them all!)