From: Skybuck Flying on
Hello,

I was watching my own video (locally on the pc)... and I shut it down and
then it crashed... I can't remember if it was played with Windows Media
Player or WinAmp.

The following happened it said: "runtime error" (210 I think it was)

Then I noticed my internet connection was active... it was sending about 4
packets/sec.

Then I looked with netstat -a -o -n

Suddenly there were many connections being made to all kinds of addresses.

Also I tried to terminate iexplore.exe and it wouldn't terminate... it would
keep "respawning itself".

There were no active internet explorers... it seemed like hidden internet
explorers...

It looked like a trojan in memory to me...

I quickly disabled my internet connection to stop the reconnectings and to
terminate iexplore.exe properly.

I then did a reboot, went to windowsupdate to see if there were any security
issues... none really except windows movie maker (installed that one
afterwards).

Something strange is going on with my system I think... when I start
internet explorer 32 bit it actually starts two internet explorers ?!?

Both say: iexplore.exe*32 in tasklist... I don't think it did that before
(?)

Anyway this whole incident has me spooked a little bit... so I thought I
report it !

I also have a little theory about what might be going on:

Theory 1:

WinAmp or Media Player has a trojan inside it which becomes active when a
runtime error 210(?) occurs.

Theory 2:

The video was encoded with ffmpeg and mpeg2/4, since those are probably open
source tool, there might be a hidden trojan inside that codec which could
later become active or be exploited ?

Theory 3:

The crash occurred and at the same time I get hit by a trojan packet from the
internet... seems unlikely to me.

Theory 4:

Might be a left over from browsing other websites...

Theory 5:

It was nothing and I am seeing ghosts.. or maybe windows media player or
winamp was trying to download something... maybe a codec after it crashed ?
which would seem weird... or maybe it was trying to send a crash report...
but why would it open so many addresses ?!? Doesn't seem logical to me... No
something weird definitely happened... since it got me spooked good ! ;) :)

If I had to place my bets it's either 1 or 2, very maybe 3.

Bye,
Skybuck.


From: Skybuck Flying on

"Skybuck Flying" <IntoTheFuture(a)hotmail.com> wrote in message
news:bebc4$4ba55a9b$d53371df$29974(a)cache1.tilbu1.nb.home.nl...
> Hello,
>
> I was watching my own video (locally on the pc)... and I shut it down and
> then it crashed... I can't remember if it was played with Windows Media
> Player or WinAmp.
>
> The following happened it said: "runtime error" (210 I think it was)
>
> Then I noticed my internet connection was active... it was sending about 4
> packets/sec.
>
> Then I looked with netstat -a -o -n
>
> Suddenly there were many connections being made to all kinds of addresses.
>
> Also I tried to terminate iexplore.exe and it wouldn't terminate... it
> would keep "respawning itself".
>
> There were no active internet explorers... it seemed like hidden internet
> explorers...
>
> It looked like a trojan in memory to me...
>
> I quickly disabled my internet connection to stop the reconnectings and to
> terminate iexplore.exe properly.
>
> I then did a reboot, went to windowsupdate to see if there were any
> security issues... none really except windows movie maker (installed that
> one afterwards).
>
> Something strange is going on with my system I think... when I start
> internet explorer 32 bit it actually starts two internet explorers ?!?
>
> Both say: iexplore.exe*32 in tasklist... I don't think it did that before
> (?)
>
> Anyway this whole incident has me spooked a little bit... so I thought I
> report it !
>
> I also have a little theory about what might be going on:
>
> Theory 1:
>
> WinAmp or Media Player has a trojan inside it which becomes active when a
> runtime error 210(?) occurs.
>
> Theory 2:
>
> The video was encoded with ffmpeg and mpeg2/4, since those are probably
> open source tool, there might be a hidden trojan inside that codec which
> could later become active or be exploited ?
>
> Theory 3:
>
> The crash occurred and at the same time I get hit by a trojan packet from
> the internet... seems unlikely to me.
>
> Theory 4:
>
> Might be a left over from browsing other websites...
>
> Theory 5:
>
> It was nothing and I am seeing ghosts.. or maybe windows media player or
> winamp was trying to download something... maybe a codec after it crashed
> ? which would seem weird... or maybe it was trying to send a crash
> report... but why would it open so many addresses ?!? Doesn't seem logical
> to me... No something weird definitely happened... since it got me spooked
> good ! ;) :)
>
> If I had to place my bets it's either 1 or 2, very maybe 3.

Very maybe 5 I meant...

>
> Bye,
> Skybuck.
>


From: Skybuck Flying on
Also in case you can't tell from the headers... this was XP x64 Pro
edition... with IE8... and old winamp version... and probably latest windows
media player.

Bye,
Skybuck.


From: Robert Aldwinckle on

"Skybuck Flying" <IntoTheFuture(a)hotmail.com> wrote in message
news:bebc4$4ba55a9b$d53371df$29974(a)cache1.tilbu1.nb.home.nl...

> Then I looked with netstat -a -o -n


So, what did the -o show you? That's the PID on the right side of each
line. In fact, it sometimes helps to use -b too.

netstat -abnop TCP

is what I usually use. But a simpler to use tool would be TCPView.


>
> Suddenly there were many connections being made to all kinds of addresses.


Using which programs, to which ports?


>
> Also I tried to terminate iexplore.exe and it wouldn't terminate... it
> would keep "respawning itself".
>
> There were no active internet explorers... it seemed like hidden internet
> explorers...


Use Process Explorer (ProcExp) instead of Task Manager to see if they are
related to some other task.


>
> It looked like a trojan in memory to me...


ProcExp can also show you what each task contains.


>
> I quickly disabled my internet connection to stop the reconnectings and to
> terminate iexplore.exe properly.
>
> I then did a reboot, went to windowsupdate to see if there were any
> security issues... none really except windows movie maker (installed that
> one afterwards).
>

> Something strange is going on with my system I think... when I start
> internet explorer 32 bit it actually starts two internet explorers ?!?
>
> Both say: iexplore.exe*32 in tasklist... I don't think it did that before
> (?)


That's normal for IE8. LCIE.


>
> Anyway this whole incident has me spooked a little bit... so I thought I
> report it !
>
> I also have a little theory about what might be going on:

<voice actor="Joe Friday">
Just the facts,.... All we want are the facts.
</voice>


HTH

Robert Aldwinckle
---
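
The questions in the reply above ("what did the -o show you?", "using which programs, to which ports?") can be answered from saved `netstat -abnop TCP` output. The following is an added example, not part of the thread and not code from any poster; the sample output is constructed, and the function names `parse` and `summarize` are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -abnop TCP` output (not taken from the thread).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    192.0.2.10:49712       198.51.100.7:80        ESTABLISHED     3420
 [iexplore.exe]
  TCP    192.0.2.10:49713       203.0.113.20:80        SYN_SENT        3420
 [iexplore.exe]
  TCP    192.0.2.10:49714       203.0.113.99:443       ESTABLISHED     3420
 [iexplore.exe]
  TCP    192.0.2.10:49900       198.51.100.50:80       ESTABLISHED     2216
 Can not obtain ownership information
"""

CONN = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")  # the image name line that -b adds

def parse(text):
    """Return one dict per TCP line, with the owning image from -b if present."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            _local, remote, state, pid = m.groups()
            host, _, port = remote.rpartition(":")  # also handles [IPv6]:port
            conns.append({"pid": int(pid), "image": None, "state": state,
                          "remote": host, "port": int(port)})
        elif conns and conns[-1]["image"] is None and (o := OWNER.match(line)):
            conns[-1]["image"] = o.group(1)
    return conns

def summarize(conns):
    """Per (PID, image): the distinct remote hosts and ports it is talking to."""
    out = defaultdict(lambda: {"remotes": set(), "ports": set()})
    for c in conns:
        if c["state"] == "LISTENING":
            continue  # listeners have no remote peer
        key = (c["pid"], c["image"] or "unknown")
        out[key]["remotes"].add(c["remote"])
        out[key]["ports"].add(c["port"])
    return dict(out)

if __name__ == "__main__":
    for (pid, image), s in sorted(summarize(parse(SAMPLE)).items()):
        print(pid, image, sorted(s["remotes"]), sorted(s["ports"]))
```

A PID that shows up here with many distinct remote hosts is the one to look up in Process Explorer, as the reply suggests.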

From: Skybuck Flying on
My computer is very fast, so a trojan could do damage very fast... so I have
no time to analyze what's going on... so I can't answer your questions.

>> I quickly disabled my internet connection to stop the reconnectings and to
>> terminate iexplore.exe properly.

^ Exactly ;)

>> Something strange is going on with my system I think... when I start
>> internet explorer 32 bit it actually starts two internet explorers ?!?
>>
>> Both say: iexplore.exe*32 in tasklist... I don't think it did that before
>> (?)
>
>
> That's normal for IE8. LCIE.

Hmmm indeed, it seems to be something new since IE7 ?

http://blogs.msdn.com/ie/archive/2008/03/11/ie8-and-loosely-coupled-ie-lcie.aspx
(Apparently control-n opens new tab... could be handy tip ;) :))

Ok, good to know that...

However I think IE7 did:

iexplore*32.exe and iexplore*64.exe

Now IE8 does twice iexplore*32.exe

>> Anyway this whole incident has me spooked a little bit... so I thought I
>> report it !
>>
>> I also have a little theory about what might be going on:
>
> <voice actor="Joe Friday">
> Just the facts,.... All we want are the facts.
> </voice>

:)

Bye,
Skybuck ;) :)