Unknown app connecting to unknown server and Dling FAST

xera

Greetings,

I have a serious problem.

My computer (with Windows XP SP3) keeps on trying to connect to this strange server, and when it does (if my firewall doesn't stop it, or my firewall isn't running), then it downloads and downloads as fast as it can!!!

I ran netstat -b, and this is what I got:

Code:
C:\>netstat -b

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    supercomputer:1463     cds517.lon.llnw.net:http  ESTABLISHED     1608
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\WINHTTP.dll
  [svchost.exe]

Any ideas how I can fix this??! I have all auto updates disabled.
 
Sounds like a virus - your computer can't just connect without a program initiating such an activity. Check your background processes - I'm pretty sure you'll find a virus running.

Run HijackThis and put a screen shot here I think.
 
Pretty sure those two are not MS DLLs; I do not have them on any of my systems. Download Spybot, run it and see what it picks up. Do you have AV installed? You can also try downloading Autoruns from www.sysinternals.com, same site as mentioned above, and disable all unnecessary startup objects - but rather just run Spybot....

http://www.safer-networking.org/en/home/index.html
 
I'm pretty sure those are MS DLLs. The one is Winsock, which would be the one communicating with the net. But the question is what told it to dl?

I tried using TCPView, but it does not go green when svchost is downloading, only other apps (such as Firefox).

I ran Process Explorer (also by sysinternals) and checked the svchost for the process ID I got using netstat -b
These are the sub-processes that I saw:
suspicious_svchost.png
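
The lookup discussed above (take the PID from netstat -b, then find out which service inside that svchost.exe owns the connection), as an added example that is not part of the original posts: a parser for the netstat -b layout quoted in this thread. The names `parse_netstat_b`, `triage` and `SAMPLE` are made up for illustration; `tasklist /svc` is the stock Windows command that lists the services hosted in a PID.

```python
import ntpath
import re

# Constructed sample: the netstat -b output quoted in the first post.
SAMPLE = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    supercomputer:1463     cds517.lon.llnw.net:http  ESTABLISHED     1608
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\WINHTTP.dll
  [svchost.exe]
"""

# Connection row; UDP rows carry no State column, so that field is optional.
CONN = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")
# HTTP client libraries that can appear in the component list.
HTTP_APIS = {"winhttp.dll": "WinHTTP", "wininet.dll": "WinINet"}

def parse_netstat_b(text):
    """One dict per connection: endpoints, PID, component DLLs, owning image."""
    records, current = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            current = {"proto": m[1], "local": m[2], "remote": m[3],
                       "state": m[4], "pid": int(m[5]),
                       "components": [], "image": None}
            records.append(current)
        elif current is not None and line.strip():
            item = line.strip()
            if item.startswith("[") and item.endswith("]"):
                current["image"] = item[1:-1]  # executable that owns the socket
                current = None                 # this connection's block ends here
            else:
                current["components"].append(item)
    return records

def triage(records):
    """Name the HTTP API in use and the next lookup for shared svchost PIDs."""
    out = []
    for r in records:
        names = [ntpath.basename(c).lower() for c in r["components"]]
        api = next((HTTP_APIS[n] for n in names if n in HTTP_APIS), None)
        shared = (r["image"] or "").lower() == "svchost.exe"
        # svchost.exe hosts several services, so the PID alone is not an answer.
        step = 'tasklist /svc /fi "PID eq %d"' % r["pid"] if shared else None
        out.append({"pid": r["pid"], "remote": r["remote"],
                    "http_api": api, "next": step})
    return out
```

A component path under system32 only says where the file was loaded from; it does not prove the file is genuine, so the file's signature or hash still has to be checked separately.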
 
Well, Google shows this:

Registrant:
Limelight Networks Inc http://www.limelightnetworks.com/

They are a streaming content provider [Games / Movies / Radio etc ]
Major Customers

* Activision
* Apple Inc.
* Amazon Unbox
* BuyMusic
* Disney
* DreamWorks
* EA Sports
* Facebook
* Foxnews.com
* Harpo Productions
* ifilm
* ITV Play
* MSNBC
* MySpace
* NetFlix
* Nissan
* PlayStation Network
* Toyota
* Valve Corporation
* Xbox
* Windows Update

You don't have STEAM perhaps (this implies Counterstrike / Half Life etc etc) ?


EDIT also found this:

http://social.microsoft.com/Forums/en-US/whssoftware/thread/e1d94895-e088-4ae3-8e30-a49a24db896a
I have got a strange issue with my WHS server.

Additional software apart from WHS is SQL Express 2005 and WSUS 3.0.
I have noticed my monthly bandwidth allocation being used up when my main PC is switched off.
I have tracked the issue down to a process ID of 884, svchost.exe; using Process Explorer I cannot see anything that should not be there.
The process has an outgoing connection to "87.248.221.40:80" and/or "87.248.212.53:80"; this resolves to "cds472.lon.llnw.net", which I have no idea what it is for. All I know is it's using my bandwidth.
I have run a malware app but found nothing...

Has anyone else seen an issue like this before????
Cheers for your time

------------------------------------------------------------------

Hi, I have been doing some digging; I had installed Windows Software Update Services version 3.
Using Microsoft's Network Monitor 3.1 and the Sysinternals Filemon program I worked out that it was WSUS that was downloading stuff, even though I had set the sync schedule to download throughout the night.

Uninstalling WSUS stopped the connections to the ip addresses and the connection has not come back, yet. Will keep a close eye on this, but looks like issue resolved.

WSUS = Microsoft Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.


So it can be anything though, some say NERO also updates from there....
 
Great, thanks. I use my PC for dev mostly, don't have any games installed on it.. but I do have SQL Server Express.

Just need to figure out how to disable or uninstall this WSUS thingy... I can't seem to find it anywhere . .

I didn't see the Microsoft thread when I googled the strange host before.
Thanks for the help..
 
That is definitely a CDS (content delivery system) of some kind, do you have any IPTV software or plugins?
 
Ooops. Yeah those are MS files. I missed them twice, on two different machines :) Have you tried disabling the Automatic update service?? Also disabling the Background Intelligent Transfer Service (BITS), used to do the download should kill it....
 
IPTV? Not that I know of..

Disable firewall? I don't... but sometimes it doesn't start, because the MS startup is a bit glitchy or something; I have to ensure that the internet or LAN is disconnected before booting my PC, else sometimes the firewall doesn't start . . .

Auto updates are disabled... I disabled the service.

How can I get to the WSUS thingy to disable it, in case that helps??!
 
I think that may be the Background Intelligent Transfer service (haven't used a Windows system in a while, I think that's the name). It is Windows Update related.

I recommend you first try manually turning Windows Updates back on again and then back off.

Then I want you to try running services.msc and manually setting that service, as well as Automatic Updates, to disabled.

Reboot and see if it connects again.
 
Hi

Get spybot on downloads.com, probably malware/spyware on back loophole so when a service runs it activates to internet almost as if wants to update
 
Or he could go into the control panel - Administrative tools - services and disable windows updates.

I still think it's a virus running background processes though.
 
Or he could go to the Windows system32 directory and run services.msc from there lol.

Many ways to do the same thing. I mainly want him to follow my guide and disable Background Intelligent Transfer, though.
 