Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

When connected to internet, bandwidth consumed & eating disk space


  • Please log in to reply

#1
evisu28

evisu28

    New Member

  • Member
  • Pip
  • 1 posts
Hi Team,

Hope you guys are well and can help me out. I'm running on XP. Here are the symptoms/scenario:

-I think the culprit program maybe "Funshion" which I have since uninstalled.
-When connected to the internet via Ethernet cable, the packets received is very high. For example, just going to the home page within the first 2 seconds of connecting to the internet, the packets received is already at 220,742 packets received and 47,496 packets sent (photo attached). If I leave it on, the packets rec'd/sent would just increase exponentially. If I start downloading something, the packets go into the millions.
-While the packets received increases, my C: drive disk space decreases.
-I tried running Malwarebytes but the initial start up didn't work. I ran it again and I was able to perform a scan but they only found some false positives and removed them. The problem continues.
-I ran the Microsoft Malicious Software Remover tool (January 2011 version) and it came up with nothing. The problem continues.
-I ran Combofix but it appears to removed some things but the problem still exists. Please see attached combofix log provided below or in the TXT attachment.

Please let me know if you need anything else to diagnose the problem or perform a fix. Any advice provided is very much appreciated! Thank you.

Kind regards,
Dan

===================================================================================================


ComboFix 11-01-31.02 - Administrator 02/02/2011 19:14:46.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1345 [GMT -5:00]
Running from: G:\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2011-01-03 to 2011-02-03 )))))))))))))))))))))))))))))))
.

2011-02-01 04:09 . 2011-02-01 04:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-01 04:09 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 04:09 . 2011-02-01 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-01 04:08 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 04:08 . 2011-02-01 04:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-23 18:31 . 2011-02-01 04:05 -------- d-----w- c:\program files\Kuaiwan
2011-01-23 18:31 . 2011-02-01 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\KuaiWan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-19 20:06 . 2010-03-28 22:16 398744 ----a-r- c:\windows\system32\cpnprt2.cid
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . EEC9730F9CC03819111D90E6CAA2DCC9 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2004-08-15 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_02.26.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-03 00:12 . 2011-02-03 00:12 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
+ 2008-02-10 17:26 . 2011-01-04 22:20 37403080 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-10 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"QvodPlayer"="c:\program files\QvodPlayer\QvodTerminal.exe" [2011-01-22 562568]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2009-07-22 210312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-15 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-05 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-05 94208]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-17 16062464]
"SkyTel"="SkyTel.EXE" [2006-05-15 2879488]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-13 363008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-07 198160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\GVOD\\GVODS.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/12/2009 8:29 PM 717296]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/24/2008 7:13 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/7/2010 8:36 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 1:02 PM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 18:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-02-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-10 03:09]

2011-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:02]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pwkye1ou.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 19:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-706699826-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,d7,26,0b,ea,a5,c9,48,8c,79,dd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,d7,26,0b,ea,a5,c9,48,8c,79,dd,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2716)
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2011-02-02 19:19:13
ComboFix-quarantined-files.txt 2011-02-03 00:19
ComboFix2.txt 2011-02-02 02:29

Pre-Run: 116,268,343,296 bytes free
Post-Run: 116,246,941,696 bytes free

- - End Of File - - 106665DE7715A70EDB8A6D34E4CC0254

Attached Thumbnails

  • untitled.JPG

Attached Files

  • Attached File  log.txt   11.7KB   132 downloads

  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP