How do I locate the app generating this network traffic?

I don't know what this process is doing on my computer. I run Windows 7 Professional with all its updates and a current non-free antivirus.

I only see it in Resource Monitor, where you can see the Network Service process connected to bitum.nnov.ru.

When my PC's network-traffic-generating apps are idle, this process uses the most network bandwidth of all the idle processes using the network.

Screenshot hosted here: http://sss.proinbox.com/bitum-nnov-ru.jpg

Does anyone recognize this?

The page source mentions a control port & a stream port:

Page Source for http://bitum.nnov.ru :

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>DVR WebViewer</title>
<meta http-equiv="Content-Type" content="text/html; charset=euc-kr">
</head>

<body topmargin="0" leftmargin="0">
<OBJECT
      classid="clsid:EE479A40-C128-40DD-93DA-000556AF9607"
      codebase="CtrWeb.cab#version=1,0,2,2"
      width=875
      height=585
      align=center
      hspace=0
      vspace=0
>  
<param name="CmdPort" value="5920">
<param name="StreamPort" value="5921">
</body>
</html>

When I google this page's title, I see a number of other domains that host the same page.

Whois:

domain:        NNOV.RU
nserver:       ns.kis.ru.
nserver:       ns.nnov.ru. 78.25.80.210
nserver:       ns1.kis.ru.
nserver:       ns2.kis.ru.
state:         REGISTERED, DELEGATED, VERIFIED
org:           "Agentstvo Delovoj Svjazi", Ltd
registrar:     RU-CENTER-REG-RIPN
admin-contact: https://www.nic.ru/whois
created:       1996.10.23
paid-till:     2012.11.01
free-date:     2012.12.02
source:        TCI

Last updated on 2012.06.16 04:20:46 MSK

Christopher Bartels

Posted 2012-06-16T00:53:52.803

Reputation: 15

If you open up your registry editor, and browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and see what is set to run on startup, what do you see? Also... HKCU\Software\Microsoft\Windows\CurrentVersion\Run for the current user. It's a DLL somewhere that is being accessed and run through SVCHOST.EXE... but you probably already surmised that. You can probably spot the call in one of those two registry locations. – Bon Gart – 2012-06-16T02:33:40.080

This looks rather suspicious; I would advise you to take a look at Computer is infected by a virus or a malware, what do I do now?

– Bob – 2012-06-16T02:53:54.073

Answers

I would advise using Wireshark to sniff the network traffic and see the nature of the traffic. You could upload a pcap file captured while your computer is idle here and we could take a look. From what I can see, that XHTML file references an ActiveX control for Internet Explorer. I tried it on a virtual machine (so if it is malicious I won't infect my main computer) and it shows an interface to connect to a DVR recorder (a webcam that has its own hard drive to store the captures).

Screenshot

Something very fishy is going on here in my opinion. The first thing that comes to my mind is that someone is using you as a proxy to connect to this website, but I don't know for sure.

sinnet3000

Posted 2012-06-16T00:53:52.803

Reputation: 16

Download a copy of TCPView from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx. It can show connected apps and their destinations.

uSlackr

Posted 2012-06-16T00:53:52.803

Reputation: 8 755
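The answers above point at TCPView and Wireshark; the part they leave to the reader is that "Network Service" in Resource Monitor is an account, not a program, and the process behind it is normally a shared svchost.exe hosting several services. The script below is an added example (not from the original question or either answer) that does the join by hand with tools present on Windows 7: it resolves the remote host, pulls the matching connections out of netstat -ano, looks up the owning process with tasklist /svc, and for each service hosted in that process prints the ServiceDll registered under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, so a DLL living outside %SystemRoot%\System32 stands out. The host name bitum.nnov.ru is taken from the question; the parameter name and the output field names are this example's own choices.

```powershell
# Added example: map an outbound connection to the svchost.exe instance and the
# services it hosts, using only netstat, tasklist and the registry (Windows 7 has no
# Get-NetTCPConnection). Run from an elevated PowerShell so PIDs are fully visible.
# Assumption: the remote host to look for is passed as -RemoteHost; the default is the
# host from the question.
param([string]$RemoteHost = 'bitum.nnov.ru')

# netstat shows IP addresses, so resolve the name first and match on every address.
$addrs = [System.Net.Dns]::GetHostAddresses($RemoteHost) |
    ForEach-Object { $_.IPAddressToString }

# netstat -ano: Proto, Local, Remote, [State], PID. UDP rows have no State column.
$conns = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)' } | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f[0] -eq 'TCP') {
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
    } else {
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = '';    PID = [int]$f[3] }
    }
}

# Keep connections whose remote address (":port" stripped; works for [v6]:port too)
# is one of the resolved addresses.
$hits = $conns | Where-Object { $addrs -contains ($_.Remote -replace ':\d+$', '') }

# tasklist /svc lists each process with the services it hosts ("Image Name","PID","Services").
# Joining on PID is what tells you WHICH service inside a shared svchost.exe owns the socket.
$procs = tasklist /svc /fo csv | ConvertFrom-Csv

foreach ($h in $hits) {
    $p = $procs | Where-Object { [int]$_.PID -eq $h.PID }
    $svcNames = if (-not $p -or $p.Services -eq 'N/A') { @() } else { $p.Services -split ',' }

    # For every hosted service, read the DLL it was registered with. A ServiceDll outside
    # %SystemRoot%\System32 (or a service name you do not recognise) is the thing to chase.
    $dlls = foreach ($s in $svcNames) {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$s\Parameters"
        if (Test-Path $k) {
            $dll = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { "$s=$dll" }
        }
    }

    [pscustomobject]@{
        Remote      = $h.Remote
        State       = $h.State
        PID         = $h.PID
        Image       = $p.'Image Name'
        Services    = ($svcNames -join ', ')
        ServiceDlls = ($dlls -join '; ')
    }
}
```

If the connection comes and goes, run the script in a loop while the machine is idle, or take the PID it reports and confirm with `tasklist /svc /fi "PID eq <pid>"` and `sc qc <service>`; if it reports a non-svchost image, the Run keys mentioned in the comments are the next place to look for how that image gets started.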