win XP packets flying, Help

Discussion in 'other security issues & news' started by david, May 20, 2003.

Thread Status:
Not open for further replies.
  1. david

    david Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    20
    Hello Paul Fan J. And all. I have noticed my pc running strange lately ,kinda like Im not alone.I ran nod32 , The Cleaner also up to date norton anti virus. When I log on to the internet ,I have notice in 3 hours my computer is sending packets out like today 9,897,598,292 in 4 hours and packets recieved 217,913 and thats after going from website to email the usual. Paul you and fan helped before , I hope you can help now. Thank you David :eek:
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    David,

    do you have TDS-3 or Port Explorer installed? With the first you could look at the processes which are running in the background and with the second you could spy on the open ports and the packets being sent. Would be very helpful in your case! ;)

    Best regards,

    Patrice
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi david,

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'. An explanation on how it works can be found at the same page.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  4. david

    david Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    20
    Hello Pieter Here it tis.Logfile of HijackThis v1.94.0
    Scan saved at 10:15:05 AM, on 5/21/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.pbs.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.bestbuy.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.5\THGuard.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37731.643900463
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    I have been online for 23 minutes thank you Pieter, David
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi david,

    Fix the items below in HijackThis, close all IE, OE and explorer windows and click fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O15 - Trusted Zone:

    And a few I'm not so sure about:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.bestbuy.msn.com
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

    After doing so reboot and let me know how it goes then.

    Regards,

    Pieter
     
  6. david

    david Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    20
    Hello All, I have had my pc on tonight with out the cable modem connected to the internet. I hooked back in and it showed the pc on for 3 & half hours, connected or not it continues to send huge in the billions of packets. I have no programs except norton anti Virus enabled, What is going on ? I am stumped. Thank you David 9:38 pm Cya
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi David

    Do you have a firewall in place to monitor/control applications wanting access to the network/Internet?

    Have you tried something like Port Explorer mentioned above to see what is going on?

    Regards,

    CrazyM
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
Loading...
Thread Status:
Not open for further replies.