Windows 7 Mystery Downloads?!

Me__2001

Lately I've been up late quite a lot doing some design work, and I've noticed over the last few nights that something is being downloaded (I have a program called netmeter running in the task bar). Obviously I was automatically intrigued by this, as none of my browsers were open and I certainly wasn't downloading anything, so I investigated a bit using the resources monitor.

I pinned it down to a process called "svchost.exe (netsvcs)" accessing the following address "v-4-kp15-d2026-73.webazilla.com"

Webazilla appear to be a hosting company, so I'm going to contact them and find out WTF this domain/address is linked to. I have no idea what it is downloading, but it is not a small amount either; tonight it has done over 400MB!!

Anyone have any ideas as to what it could be downloading?
 
Hi Me__2001 - Not sure if this linky will help you a bit. Others certainly seem to be experiencing a similar thing to yourself and a couple of suggestions have been posted on there. :)
 
I take it you've done an "anti-trojan" scan or something? :)
 
Thanks for the link TC, I'd already read through that and I identified what the running process is supposedly for. See below.

I've done all the usual scans and even HJT, which were clear. The thing that I can't understand is that if it was a trojan or virus etc., surely it would be uploading a ton of data and not just downloading?
 

[Attachment: Untitled.webp]
 
Do you have automatic updates on for downloading but not installing? The linked forum indicates the update services. I would not put it past MS to put updates on a hosted server. I have yet to hear that the updates actually come from a hosted site, but who knows.

I would try to turn off updates and see if that clears up.
 
That was my initial thought, but I have it set to notify but not to download. I wouldn't be surprised if MS were installing updates in the background without the user's knowledge though.

They would have to be a lot of updates; I reckon it's downloaded a good 2GB over the last few days.
 
If you disconnect the network connection, do you get an error that the application cannot download? *edit* It may take some time to notify, especially if there is that much downloading.

Have you tried searching the registry for the webazilla entries?

*also edit* Try installing something like Wireshark. Maybe you can analyze the information and see where the data is actually going.
 
I've tried disabling the network adapter; it stops downloading, but there are no messages complaining about it.

I'll try Wireshark, looks like it may shed a bit more light on things.
 
:eek: Now that I was not expecting. Ok, so looking down that list, the sites are of questionable adult content attached to this host.

I don't know why I didn't do it earlier, but I've just done a whois and all it does is lead back to this mysterious webazilla hosting company that are based in the Netherlands.

Just had a bit of a brainwave: I tried blocking the address in my router, which didn't stop it, so I'm going to try the hosts file and see if that has a bit more luck with it.

Edit: I'm sure this host has more than just dodgy stuff on it, but I've put the IP ranges into the hosts file now, so I'll soon find out whether there are any legit sites hosted on there.
 
I am just interested in the play by play. It seems as if the situation is under control, kind of, and it's now just a "who is this and why are you doing it" thing.

Finding it helps prevent it in the future. Keep posting updates!
 
I feel the same, I just want to know what it is. If it's legit then I'll leave it be, but I somehow doubt it will be.

Had an early night last night so didn't get a chance to see if it still does it (only does it around 1am). I think the hosts file should have it dealt with though.
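
Added example, not written by any poster in this thread: "svchost.exe (netsvcs)" is a shared host process for many Windows services, so the process name shown in the resource monitor does not say which service owns the connection. The Python sketch below joins `netstat -ano` output with `tasklist /svc /fo csv` output to list the services inside the PID behind each established connection; both sample outputs, the service list and the function names are constructed for illustration.

```python
import csv
import io

# Constructed `netstat -ano` sample; addresses are documentation ranges.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    192.168.1.10:49231     203.0.113.73:80        ESTABLISHED     988
  TCP    192.168.1.10:49240     198.51.100.20:443      ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    988
"""

# Constructed `tasklist /svc /fo csv` sample; the service list is illustrative.
TASKLIST = """\
"Image Name","PID","Services"
"svchost.exe","712","RpcEptMapper,RpcSs"
"svchost.exe","988","BITS,wuauserv,Schedule,Winmgmt"
"firefox.exe","3120","N/A"
"""

def parse_tasklist(text):
    """Map PID -> (image name, [services]) from `tasklist /svc /fo csv`."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        names = row["Services"]
        services = [] if names == "N/A" else [s.strip() for s in names.split(",")]
        procs[int(row["PID"])] = (row["Image Name"], services)
    return procs

def established(text):
    """Yield (remote address, pid) for ESTABLISHED TCP rows of `netstat -ano`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "ESTABLISHED":
            yield fields[2], int(fields[4])

def attribute(netstat_text, tasklist_text):
    """Join each established connection to its process and hosted services."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for remote, pid in established(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        rows.append({"remote": remote, "pid": pid, "image": image, "services": services})
    return rows

if __name__ == "__main__":
    for row in attribute(NETSTAT, TASKLIST):
        print(row["remote"], row["pid"], row["image"], ",".join(row["services"]) or "-")
```

On a live machine the two inputs come from running `netstat -ano` and `tasklist /svc /fo csv` in a command prompt while the traffic is happening.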
 