Unauthorised Downloading.

Discussion in 'privacy problems' started by Hans 01, Aug 9, 2004.

Thread Status:
Not open for further replies.
  1. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Hi, having checked my e-mail (only one short one received) I was contemplating what next when I noticed something was happening The little internet status window showed a download was on. 13 min later, a 6.4 MB download had taken place. It wasn't an e-mail or anything I had asked for. How do I figure out what it was?
    I run W98 with Trend Micro Internet Security. I run Spybot once a week and Ad-Aware daily (NB Ad-Aware didn't like the RB-Killer).
    Answer in plain English, please. Although I've learnt a lot from your site, I'm still basically beginner who is getting a bit nervous about what others can do to my PC.
    Thanks,
    / H
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hello Hans 01

    I don't use W98, but if you click "start" and use "search" (haven't got english version, so i don't know if it's the right word :p ) you should be able to find it, especially if you can remember the date (the size you have already) :)

    You could also try a couple of online-scanners, Panda Activescan
    F-secure

    Hope this helps, if not , maybe someone smarter than me will jump in. :D

    Regards
     
    Last edited: Aug 9, 2004
  3. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Hi Don,
    Thanks for the tip, (it's called "Find" in my version). Unfortunately, it didn't give a reply that makes sense to me. It listed all my Outlook Express folders as updated, together with any other files I had worked during the day, even the ones I had deleted (and cleaned out with Ccleaner). But something was downloaded which I hadn't asked for and I still don't know what it might have been. Major worry, that. One thing's for sure - no more internet banking activities. Nobody can pilfer my account numbers and passwords if they aren't there in the first place.
    Can anybody suggest something? EG, what about DOS, would it be something there and how would I find ..........?
    Thanks in advance,
    / H
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just a guess, could it have been a Windows Update?

    Cheers :D
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Is any of your software configured to automatically download stuff form the internet?
    Virusscanner (signatures or engine), Windowsupdate?

    Can you run some kind of port explorer tool to find out what processes are listening behind open ports?
     
  6. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Hi, and thanks. If you are right, it means I'm getting something I haven't asked for and no alert / popup window to tell me what's being done to my PC "behind my back" as it were. Any way of telling if Microsoft have been at it?
    Regards,
    / H
     
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Hans

    I can certainly understand you feeling uneasy about this, i would too, and probably reformat my way out of it ;), you mentioned RB-killer(rapid-blaster?),it seems to be capable of autodownloading.
    Here is a link to a slightly old thread on Tech support guy forums.
    A site where you might find help removing malware Spywareinfo. :)

    Regards
     
  8. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Hi all,
    Thanks for your hints. Unfortunately, I'm still in the deep end.
    Meener - I have no auto downloads of any kind (that I'm aware of). Certainly not from Microsoft (they have already hijacked my IE default page once - now fixed) and my virus scanner sends me warnings that a new virus is about. I then update manually. The port thing - I know I have ports, but what they are and how to scan is beyond my meagre knowledge. I have the Trend Micro Firewall but don't know how to change / verify it's port activities.
    Don - the 1st time I ran ad-aware it listed 70 suspect items. I deleted the lot and found that my RB-killer and a heap of Kodak stuff were amongst them. I've since downloaded another copy of the RB-killer. I ran it and it said my PC was OK. The Kodak stuff was for my digital camera and I have gotten around the missing files by going to Windows Explorer and copying the images to another folder.
    So - somebody is doing something to my PC and I'm buggered if I know what, but I'm quite pi##ed off about it. I would love to find out who, kick him/her out and warn others but can't do it on my own.
    / H
     
  9. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Hans

    I would download and install a trial of TDS-3 (trojan-scanner) from DiamondCS, they have their own forums right here on Wilders Security Forums, and they are very helpfull.You can download from Here, it is important that you update the signaturefiles (radius) Here , remember to check everything under "scancontrol" and "configuration",use "full system scan" found under "system testing" in controlpanel. It's a very slow (but thorough) scanner so be patient. :)
    If you are unsure about your firewallsettings, go to the "other firewalls forum" here on wilders, i am sure somebody can help you. :)
     
    Last edited: Aug 11, 2004
  10. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Hi Don,
    and thanks. I will do as you suggest and advise outcome.
    Regards,
    / H
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The download activity you describe could be any of the following:
    1. Windows Update;
    2. Other program updates;
    3. P2P software (by default, it allows others to download from your system);
    4. "Drive-by download" triggered by a web page exploiting an Internet Explorer vulnerability;
    5. Malware/trojan update.
    Since you have ruled out 1 and 2 and 3 is easily checked, options 4 and 5 seem to be the more likely at this stage.

    For option 4, note that Internet Explorer (if you use it) is highly insecure by default to the point where it is almost impossible to keep your system clear of spyware/adware without significant configuration changes. In addition, vulnerabilities in IE can affect Windows itself and other components like Windows Media Player. In this case, it is quite possible that a web page has caused IE to download a file without your consent. It may still be in your Downloads folder - or alternatively use the Windows Search/Find feature to look for files created during the last day (or specify an appropriate time window) to get a list of suspects. Consider running AdAware to scan for common spyware or adware on your system.

    See the FAQ thread Why did I get infected in the first place for detailed advice on securing IE - but also consider using an alternative browser like Firefox (free) or Opera (ad-supported but you can register to get rid of them). These have a better security record than IE and offer significant usability improvements also (tabbed browsing, mouse gestures, single-letter search engine access, etc).

    The advice given by Don is the best if you suspect option 5.

    The key advice I would add though is to get a firewall and use it. Not only can it limit what network activities occur (and Windows by default has a lot of open doors just waiting to be exploited) but it can also provide full details on programs' network activity (e.g. which sites they are connecting to) and the better ones provide extensive logs allowing you to review past activity.

    For a beginner, ZoneAlarm is a good place to start. It is as simple as a firewall can get - but it does have a tendency to throw up lots of alerts, the logs are not the best (hence the large number of third party packages providing ZA log analysis) and can be a pig to remove if you wish to try something else. I would also suggest Outpost because it has excellent logging facilities (this applies to the Pro version, the Free is pretty limited here) allowing you to search, filter or sort entries by application, time, bandwidth, destination or several other criteria. If you want a free firewall, then consider Kerio.
     
  12. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I have Port Explorer (by DiamondCS, yep, I won a free 5000 wilderssecurity site membership license :p)Shows lots of info about open ports. Great stuff!
    https://www.wilderssecurity.com/forumdisplay.php?f=12
     
  13. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Many thanks for your help.

    Don Pelotas - I ran TDS-3 and it found 2 off TrojanClicker.Win32.Delf.r 1 off Adware.Blazefind.a (dll) - all now deleted of course.

    Paranoid - can it be that I have autodownload from Microsoft after all? I know I haven't asked for it, but perhaps they have sneaked in anyhow. My suspicion is based on my IE default page now changing to Microsoft each time I go on-line (regardless where I go, it seems). At least I can re-set to "default : blank", but it annoys the hell out of me.
    I have the Trend Micro firewall. I've found the settings and they are the default ones, ie medium. As soon as I understand the repercussions, I will try "high".

    Meener - thanks for the tip. Will check it out.

    To sum up - I still get unauthorised downloads and I don't know what they are. I found a whole lot of files update themselves somehow each time I go on-line. I'll see if I can figure out what they are for (Google search I guess).
    EG "MS-DOS Batch File", "TTZ File", "DAT File", "SWP File" (large one), etc.

    Is it normal for ALL Outlook Express "Local Folders" to update themselves each time I go to my ISP? I'm talking about Inbox, Outbox, Sent + all the ones I've opened up to separate various e-mail topics?

    Regards,
    / H
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Please check your Windows Update settings. On Win2K and WinXP systems they are set to download updates automatically but I'm not so sure about Win9x/ME (check in Start/Settings/Control Panel for an "Automatic Updates" icon, settings will be there if it is present on your system).
    I've not used this - does it provide information about current network activity?
    Exactly how are you deciding whether files have been updated? If you are just checking the Last Modified times in the file properties then you are wasting your time - scores of files are modified by Windows just during system startup (and that .SWP file is your swapfile which is used as virtual memory, it will be written to all the time).
    If OE is set up to automatically check your email when you go online, then yes (this may be its default setting, but I don't use OE so maybe someone else can confirm this).
     
  15. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    I can confirm that - you'll find it under OE > tools > options > general

    Take out the checkmark in: When starting, go directly to my "Inbox" folder.
     
  16. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Thankyou all, I'm still no closer to understanding / stopping these downloads.
    I've taken all recommended steps (except Firefox), to the point I can't get into my hotmail (guess I have to make it a "Trusted Zone"), but the unauthorised downloads continue. As I write this, the little internet status window says "bytes received " 6,435,782 AND still rolling over like greased lightening. At the same time, "bytes sent" is up to 403,566 and still going.
    Surely this can't be normal o_O?
    / H
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You can download a copy of Belarc here:

    http://www.belarc.com/free_download.html

    and then post the log. Just make sure you remove ALL personal info such as Win98 License etc

    You could also run Hijack This and then post a log.

    Cheers :D
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Well, I tried to get more information on Trend's firewall and failed miserably, this page appears to be the closest they do to a firewall - is this what you are running Hans 01? If so, check to see if it gives any indication of what network connections are currently active (if it gives no indications or at least a log of blocked/allowed traffic, then I would strongly advise getting rid of it and switching to a firewall that does).

    Hotmail requires cookies - ensure that Firefox and any privacy/cookie filters you use are configured to allow them for it.

    Another option to find out what is happening is to open a DOS Box window and type netstat. This will list all current network connections and their destination - this should provide a good idea of which sites you are connecting to.
     
  19. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Blackspear & Paranoid, I thank you for your time and expertise.

    Firstly, I'm beginning to suspect dear old Microsoft, because -
    - my IE keeps on resetting to msn.com and I kept resetting to default "blank" (Tools, Internet Options).
    - when I downloaded Adaware, it found 2 "Data Miners" which I then deleted. Next time on-line I noticed the big downloads.
    - Adaware again found these 2 data miners and the cycle continued.
    - Today, I didn't reset the IE default page and I didn't run Adaware. Guess what, no unauthorised downloads as yet.
    - The 2 "Data Miners" were :
    HKEY_CURRENT_USER.Software\Microsoft\Internet Explorer\Main "Start Page" ("about.blank") and
    HKEY_USERS.Default\Software\Microsoft\Internet Explorer\Main "Start Page" ("about.blank").
    Sure look suspicious to a novice like me.

    The Trend Firewall doesn't show activity, but has a log of blocked attempts. This log shows several approaches PER MINUTE, with source IP address and port, etc, etc. In the last minute, some of the IP adresses in the log are :
    144.138.11.219
    144.139.163.95
    202.160.20.30
    144.139.173.244 and so on.
    It's all hebrew to me, I'm afraid.

    The DOS window showed only a few :
    Today - 433.ge-4-0-0.er10b.sjc2.us.above.net:80.
    Yesterday - 127.0.0.1:1456 and 209.133.117.7 available.above.net:80.

    I also ran the Belarc thingy, with the following log (I hope I deleted the right personal bits)

    Belarc Log 2004-08-17.

    Operating System System Model
    Windows 98 (build 4.10.199:cool: MICRO-STAR INTERNATIONAL CO., LTD MS-6378
    Processor a Main Circuit Board b
    1.10 gigahertz AMD Duron Board: MICRO-STAR INTERNATIONAL CO., LTD MS-6378(VT8361)
    Bus Clock: 100 megahertz
    BIOS: Award Software International, Inc. 6.00 PG 10/04/2002
    Drives Memory Modules c,d
    6.44 Gigabytes Usable Hard Drive Capacity
    4.61 Gigabytes Hard Drive Free Space

    CD-S500/A [CD-ROM drive]
    LITE-ON LTR-48246S [CD-ROM drive]
    Generic floppy disk drive (3.5")

    Generic IDE hard disk drive (6.44 GB) -- drive 0, No SMART Driver 248 Megabytes Installed Memory
    Local Drive Volumes

    c: (on drive 0) 6.44 GB 4.61 GB free

    Network Drives
    None detected
    Users Printers
    No details available Canon S520 on USBPRN01

    Controllers Display
    Standard Floppy Disk Controller
    Primary IDE controller (dual fifo)
    Secondary IDE controller (dual fifo)
    VIA Bus Master PCI IDE Controller VIA Tech VT8361/VT8601 Graphics Controller [Display adapter]
    (Unknown Monitor)
    Bus Adapters Multimedia
    VIA VT83C572/VT82C586 PCI to USB Universal Host Controller
    VIA VT83C572/VT82C586 PCI to USB Universal Host Controller AW200/AS9200 External Midi (MPU401) Device
    AW200/AS9200 Internal Midi (OPL3) Device
    AW200/AS9200 Joystick Device
    AW200/AS9200 PCI Audio Device
    AW200/AS9200 Wave Audio Device
    Wave Device for Voice Modem
    Communications Other Devices
    Lucent Win Modem CanoScan LiDE 20/N670U/N676U
    Standard 101/102-Key or Microsoft Natural Keyboard
    KODAKCAM
    KODAKIFS
    KODAKROUTER
    Canon S520
    USB Root Hub
    USB Root Hub
    Virus Protection
    No details available
    Installed Microsoft Hotfixes [Back to Top]
    None detected


    Software Versions [Back to Top]
    Adobe Acrobat Reader Version 5.0.0.0 *
    Ahead Software AG Karlsbad Germany Phone: ++49-7248-911-800 Fax: ++49-7248-911-888 e-mail: info@nero.com - LANGUAGE_English2 Version 5, 5, 9, 13 *
    Ahead Software AG - InfoTool Application Version 1, 2, 0, 0 *
    ahead software gmbh, karlsbad - Cover Designer Version 2, 2, 1, 6 *
    Apple Computer, Inc. - QuickTime QuickTime 5.0.1 *
    ArcSoft Inc. - PhotoBase Version 3.0.0.78 *
    ArcSoft PhotoStudio Version 5,0,0,36 *
    Belarc, Inc. - BelManage Client Version 6.1f *
    blindman.exe *
    Canon BJ Printer Driver Installer Version 4.3.0.950 *
    Canon BJ Printer Driver Version 7.2.2.000 *
    Canon BJ Raster Printer Driver Version 5.2.2.950 *
    CANON INC. - CanoScan Toolbox Application Version 4.0.0.0 *
    Company - CCleaner Version 1.11.0062 *
    Copyright (C) ahead software gmbh and its licensors - InCD Version 3.39.0 *
    Decoder Configuration *
    Diamond Computer Systems Pty. Ltd. - Radius Update Version 1.00 *
    Diamond Computer Systems Pty. Ltd. - TDS-3 Version 3.20 *
    DiamondCS Port Explorer Version 1.800 *
    DivX Player 2.1 *
    Eastman Kodak Company - Kodak DC File System Driver (Win32) Version 3.2.0400.0 *
    Eastman Kodak Company - Kodak EasyShare software Version 2, 1, 0, 55 *
    Eastman Software, Inc., A Kodak Business - Imaging for Windows® Version 1.01.1311 *
    Elite Practice Solutions Pty Ltd - etax2003 Version 6.0.1.00 *
    EnDisService Application Version 1, 0, 0, 1 *
    Erik Deppe - DriveSpeed Application Version 1, 5, 0, 0 *
    Erik Deppe - Nero CD Speed Application Version 1, 1, 1, 0 *
    Goodsol Development Inc. - Free Solitaire Version 4.01 *
    Inno Setup Version 51.13.0.0 * javaw.exe *
    Jordan Russell - Inno Setup Uninstaller Version 51.6.0.0 *
    kpgreader.exe *
    Lavasoft Ad-aware Plus Version 6.0.0.0 *
    Microsoft (r) Windows Script Host Version 5.6.0.6626 *
    Microsoft Clip Gallery Version 5.1.00.1221 *
    Microsoft Corporation - DirectShow Version 6.4.07.1119 *
    Microsoft Corporation - Internet Explorer Version 6.00.2600.0000 *
    Microsoft Corporation - Windows Installer Version 2.0.2600.2 *
    Microsoft imgstart Version 1, 0, 0, 1 *
    Microsoft Office 2000 Version 9.0.2719 *
    Microsoft Outlook Version 9.0.2416 *
    Microsoft PowerPoint for Windows Version 9.0.2716 *
    Microsoft Snapshot Viewer Application Version 9.0.0.2402 *
    Microsoft(R) Windows Media Player Version 7.01.00.3055 *
    Microsoft® Access Version 9.0.2719 *
    Microsoft® FrontPage(TM) Version 2.0.2.1118 *
    Microsoft® FrontPage® 2000 Version 4.0.2.2717 *
    Microsoft® Internet Services Version 6.1.33.0 *
    Microsoft® NetMeeting® Version 2.11 *
    MindVision - Installer VISE 2.8.3 Version 2.8.3 *
    MindVision Software - Installer VISE Version 3.1.1 *
    PepiMK Software - SpyBot-S&D Version 1.2 *
    ScanSoft, Inc - OmniPage SE Version 11.0 *
    Trend Pc-cillin 11 Version 11.0.0 *
    Trend Pc-cillin 11 Version 11.30.0 *
    Virtos GmbH - WaveEdit DLL Version 1, 0, 4, 6 *
    WinZip Version 8.1 SR-1 (5266) *

    I'm not sure what it all tells me, eg what is "blindman.exe" good for?
    I will definitely have a look at Firefox. Is Thunderbird an alternative to IE?
    Apologies for the many basic questions, but I am a novice and have difficulty with most computer terms and functions.
    / H
     
    Last edited: Aug 17, 2004
  20. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Look here BTW i noticed you're running Spybot 1.2, Spybot 1.3 was released some time ago, and i don't think signatures has been available for 1.2, since 1.3 was released. There's also a new version of Ad-Aware. :)
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    These are quite likely false positives. "about:blank" gets flagged since there is a variant of the CoolWebSearch browser hijacker that uses this entry - if you actually had this you would (almost surely) be seeing a stack of porn sites added to your IE Favourites list.
    You'll get incoming connection attempts all the time - mainly from other computers infected with worms. It is of little significance here except to confirm that your firewall is doing a basic job of protecting your system. I would suggest you consider an alternative firewall that gives you more information on what is going on though - or use Port Explorer (which you apparently have installed) to look at the details of these active connections (you should be able to view exactly what is being sent).
    The :80 at the end suggests that your PC was connecting to web servers at those addresses but neither have websites registered (according to the whois entries for 433.ge-4-0-0.er10b.sjc2.us.above.net and 209.133.117.7) which makes them suspicious in my view. 127.0.0.1 is just your own PC and can be ignored. Unless you actually typed these addresses into Internet Explorer yourself or are running a file-sharing application, I would suspect that your PC may be being used as a web hosting proxy or relay.

    At this point, I would suggest you check Task Manager to see what processes you have running (right-click on your taskbar at the bottom of the screen, Task Manager should be one of the options - select the Processes window and list the details or take a screenshot). Alternatively, download HijackThis! (from here), run it and post only the "Running Processes" section in your post (this forum no longer accepts full HijackThis! logs - posting them may result in this thread being closed).
    Thunderbird is an email client, a replacement for Outlook Express.
     
  22. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Do also scan your system at grc's shield's up, to check for open ports on your system.
    An sample of an open ports problem can be found in this topic
     
  23. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Hi, thanks for your patience,

    .....These are quite likely false positives. "about:blank" gets flagged since there is a variant of the CoolWebSearch browser hijacker that uses this entry - if you actually had this you would (almost surely) be seeing a stack of porn sites added to your IE Favourites list.....

    There are no porn sites in the IE Favourites list, I have never used that list anyway.

    .....or use Port Explorer (which you apparently have installed) to look at the details of these active connections (you should be able to view exactly what is being sent).....

    I did a portscan and got the answer below. I saved it in Notepad, but it doesn't look very clear. Does it make any sense to anybody?
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    ---------------------------------------------------------------------------------------------------------------------------------------------------------
    | msimn.exe | 22:39 21/08/2004 | -1812205 | UDP | 127.0.0.1 | 1025 | 127.0.0.1 | 1025 | LISTENING | 2/2 | 2/2 |
    | iexplore.exe | 22:54 21/08/2004 | -1789233 | UDP | 127.0.0.1 | 1081 | 127.0.0.1 | 1081 | LISTENING | 173/173 | 172/172 |
    | tmproxy.exe | 22:51 21/08/2004 | -1739473 | TCP | 127.0.0.1 | 6999 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1025 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 144.139.123.226 | 138 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 144.139.123.226 | 137 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 144.139.123.226 | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1081 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | UDP | 144.139.123.226 | 137 | *.*.*.* | * | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | UDP | 144.139.123.226 | 138 | *.*.*.* | * | LISTENING | --- | --- |

    .....At this point, I would suggest you check Task Manager.....

    I had to use 'start', 'settings' to find the taskbar. Lots of stuff there, Ad-Aware says 24 processes running. I tried to reduce 'em, but failed - they all ended up in the recycle bin so I had to restore to get 'em back.

    .....download HijackThis! (from here), run it and post only the "Running Processes" section in your post.....

    Did that, and chopped everything off, bar the "running processes", ie

    Logfile of HijackThis v1.97.7
    Scan saved at 9:35:23 AM, on 8/21/04
    Platform: Windows 98 Gold (Win9x 4.10.199:cool:
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\AOTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    I have now also updated to Spybot 1.3. Interestingly, each time I used the older version, I'd ask for updates - only to get "none available" in reply. It didn't advise that there was a new version of the program available.

    I do apologise for taking up so much time. The mere thought that somebody might use my PC covertly is scary. I'm sure they are up to no good, and I don't want to be involved in any such activities.

    Regards,
    /H
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Well, there's nothing obviously amiss with your system - what I was thinking of was that some spammers were using compromised PCs as relays to their websites (hiding their real address and making them harder to shut down by ISPs). In some cases, legitimate software like WinGate was being used, which would probably not be picked up by malware scanners but would show up in any task list.

    In your case, I would suspect LOADQM to be the cause of the traffic - see the article LOADQM.EXE -- another Microsoft disastrous Jewel for details. Try disabling it as suggested and see if that solves the problem.
     
  25. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    You do need to get Service pack 1 for IE 6...
     
Thread Status:
Not open for further replies.