Please Help!

Hi Guys


I have a fixed monthly data bundle size internet connection and have been having problems. Apparently I have been uploading 9 times more data than I have been downloading!! Obviously this is not possible under normal use. The guy at my ISP said that I have some kind of malware or peer to peer software sending out this data. I am running Bitdefender Internet Security 2008, Ad-Aware and the Sunbelt Personal firewall. This is driving me up the wall as I can't find the source of the leak. Can somebody please help?


Thanks very much


Etienne

Comments

  • Hello Etienne,


    If you look in BitDefender -> Firewall -> Activity, can't you see the application that is connected and makes the traffic?


    What the guy at your ISP said is correct. If you don't have any peer-to-peer software, then it means you might have some kind of malware that's flooding the network.


    Post a HijackThis! log, maybe it can show something.


    Also, I assume you already made a DeepScan of your system, right? You could also try SUPERAntiSpyware to scan for spyware.


    I am running Bitdefender Internet Security 2008, Ad-Aware and the Sunbelt Personal firewall.


    I see you have two firewalls. Which one are you using? Did you disable the Windows Firewall?


    Running multiple firewalls might cause conflicts and, instead of more protection, you'll have less. My suggestion is to choose one of them, and uninstall (or, at least, disable) the other one(s).


    Cris.

  • Hi Cris


    Thanks very much for your reply. No, unfortunately there is no indication which application might be doing it when I check the Bitdefender firewall. How can I be sure that there is no peer-to-peer software installed?


    What is a "HijackThis!" log? Sorry for the basic question...


    Yes, I have done deep scans and do it on a regular basis.


    Hmmmm... You gave me an idea now... I went to the data usage panel of my ISP and saw that on one specific day my upload data was extraordinarily high. I went to the "Activity" - "Show log" setting and saw that there was no log for data usage on that day at all. I remember that I used my Mac on that day!!!! So, this does not seem to be a Bitdefender/Windows issue at all, but seems to be a Mac issue. Any thoughts on this?


    Thanks again, much appreciated


    Etienne

  • Download HijackThis!, install it and run a scan with it. Then copy the content of the log and paste it in a new post.


    About the Mac... I don't know. Maybe you are right. I never used a Mac and I don't know what problems it could have.


    On the other hand, you also have to consider that someone else might have stolen your IP and generated that traffic as you. If you can, check the times when there was too much traffic and think about whether you were connected or not.


    Cris.

  • Thanks Cris


    I'll let you know how it turns out.


    Take care


    Etienne

  • Hi Cris


    This is the result of the HijackThis! scan, any ideas?


    Thanks very much for your time, much appreciated.


    Etienne


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 09:57:34 PM, on 2007/12/16


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe


    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Executive Software\Diskeeper\DkService.exe


    C:\WINDOWS\System32\GEARSec.exe


    C:\Program Files\Norton Ghost\Agent\VProSvc.exe


    C:\WINDOWS\System32\nvsvc32.exe


    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe


    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe


    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe


    C:\Program Files\Canon\CAL\CALMAIN.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\QuickTime\qttask.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe


    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe


    C:\Program Files\Messenger\MSMSGS.EXE


    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe


    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe


    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe


    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe


    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe


    C:\PROGRA~1\MICROS~3\rapimgr.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe


    C:\Program Files\WinZip\WZQKPICK.EXE


    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe


    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe


    C:\PROGRA~1\Webshots\webshots.scr


    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe


    J:\PhoneConnectorVMC.exe


    J:\vmc.exe


    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe


    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Outlook Express\msimn.exe


    C:\Program Files\Internet Explorer\IEXPLORE.EXE


    C:\Program Files\FlashGet\flashget.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://reg.mywireless.sentech.co.za/regist...351152000008420


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll


    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll


    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"


    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"


    O4 - HKLM\..\Run: [sBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background


    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')


    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe


    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe


    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe


    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe


    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe


    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe


    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Handspring\Hotsync.exe


    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?


    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm


    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll


    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll


    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe


    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145115077628


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193927524484


    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab


    O17 - HKLM\System\CCS\Services\Tcpip\..\{1DBE14DF-D11C-4817-8461-3262BB23FAE1}: NameServer = 196.207.32.69 196.43.45.190


    O17 - HKLM\System\CCS\Services\Tcpip\..\{57E10273-BD1E-4029-BD2C-7E362525DD80}: NameServer = 196.25.255.34,196.25.255.3


    O17 - HKLM\System\CS1\Services\Tcpip\..\{1DBE14DF-D11C-4817-8461-3262BB23FAE1}: NameServer = 196.207.32.69 196.43.45.190


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe


    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe


    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe


    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe


    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe


    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe


    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe


    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe


    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe


    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe


    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe


    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe


    O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe


    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 12721 bytes
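    A log this long is easier to triage mechanically than by eye. The following Python is an added example, not part of this thread and not a HijackThis feature: it parses the scan-result lines of a HijackThis v2 log, separates the Windows services (O23) into name, vendor and binary path, collects every DNS resolver configured on any interface (O17), and flags entries containing keywords that matter when the question is "what is pushing data out?" (p2p, upnp, share, messenger, torrent, "(no file)"). The sample log is a constructed excerpt copied from the log posted above; the keyword list is the example author's own choice, and a hit is a prompt to look closer, not a verdict on the application.

```python
"""Parse a HijackThis v2 log and pull out the entries worth a second look.

Added example for the forum thread above; not HijackThis code. The sample
log is a constructed excerpt of the log posted in the thread, and the
keyword list is an assumption chosen for an outbound-traffic investigation.
"""
import re
from collections import defaultdict

# Constructed excerpt: the same line formats as the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DBE14DF-D11C-4817-8461-3262BB23FAE1}: NameServer = 196.207.32.69 196.43.45.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{57E10273-BD1E-4029-BD2C-7E362525DD80}: NameServer = 196.25.255.34,196.25.255.3
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
"""

# Keywords to flag (assumption: chosen by the example author, not by HijackThis).
FLAG_WORDS = ("p2p", "upnp", "share", "messenger", "torrent", "(no file)")

# "O23 - body" / "R1 - body": HijackThis result lines start with a section code.
ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# O23 body: "Service: <display name> - <vendor> - <binary path>"
O23_RE = re.compile(r"Service:\s+(?P<name>.+?)\s+-\s+(?P<vendor>.+?)\s+-\s+(?P<path>.+)$")
# O17 body ends in "NameServer = a.b.c.d e.f.g.h" (space or comma separated).
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")


def parse_log(text):
    """Return {section_code: [entry_body, ...]}; process-list lines are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries


def services(entries):
    """Split O23 entries into (display name, vendor, binary path) tuples."""
    out = []
    for body in entries.get("O23", []):
        m = O23_RE.match(body)
        if m:
            out.append((m.group("name"), m.group("vendor"), m.group("path")))
    return out


def dns_servers(entries):
    """Every resolver address configured on any interface (O17), de-duplicated."""
    found = set()
    for body in entries.get("O17", []):
        m = O17_RE.search(body)
        if m:
            found.update(re.split(r"[ ,]+", m.group("servers").strip()))
    return sorted(found)


def flagged(entries):
    """(section code, body) for every entry containing one of FLAG_WORDS."""
    hits = []
    for code, bodies in entries.items():
        for body in bodies:
            low = body.lower()
            if any(word in low for word in FLAG_WORDS):
                hits.append((code, body))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("Services:")
    for name, vendor, path in services(parsed):
        print(f"  {name} | {vendor} | {path}")
    print("DNS servers:", ", ".join(dns_servers(parsed)))
    print("Flagged entries:")
    for code, body in flagged(parsed):
        print(f"  {code} - {body}")
```

    On the excerpt this flags the toolbar entry with "(no file)", the service whose display name contains "P2P" (RoxLiveShare) and the UPnP media server; the DNS list is useful for checking that the resolvers really belong to the ISP. Run it on the full log by replacing SAMPLE_LOG with the text of hijackthis.log.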

  • The only thing I found suspicious in your log is this:


    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe


    Searching for this application on Google, all I could find is "State: Undetermined" or "Possible threat (trojan/worm/adware/etc.)". I didn't find any site that says that this is a legitimate application.


    If you know and trust this application, leave it as it is. Otherwise, I suggest that you select the above line in HijackThis! and hit Fix selected.


    Other ideas... I don't have any right now. If you get any other ideas, post here. Also, if I get other ideas, I'll post them too.


    Cris.