Jim wrote:
> A real challenge to all spyware and malware experts.
>
> Please excuse my bad manners in publishing this article in two
> newsgroups simultaneously. I am not sure which one is most likely to
> provide help in solving my problem.
>
> If there is another newsgroup in which I should post this article
> please let me know.
>
>
> The problem that I have is driving me mad!
>
>
> The problem is that my broadband traffic is at times extremely high
> for completely unexplained reasons.
>
> This is indicated by (1) the daily log kept by my ISP and (2) more
> visibly by the icon in the lower right-hand corner on my screen that
> consists of the two little monitor symbols. These symbols indicate
> broadband activity by lighting up in light blue - one for up traffic
> and the other for down traffic.
>
> The problem has been around on and off for three months now.
>
> Environment: Windows XP SP2, Symantec Norton 360, Namesco (ISP) and Ad-
> Aware SE Personal. The last of these I run only on demand - usually
> once a day.
>
> When the problem is occurring the daily ISP log shows 4 or 5 times
> normal megabytes per day and the monitor symbols are lit up all the
> time.
>
> Normally the log and the monitor symbols show low broadband activity.
> I have been a fairly light user of the internet. No movie downloads,
> etc. Just emails and web page accesses.
>
> The high activity problem has occurred in two episodes. During the
> first of these (a couple of weeks) the high traffic was more or less
> equally divided between uploading and downloading. But during the most
> recent episode (a couple of days) downloading has been very high while
> uploading was normal.
>
> My traffic has been so high that my ISP's monthly limit is 60% used
> while I am only 40% into the month. I will be charged for any excess.
> I have become so concerned that I am leaving my modem connection to my
> phone line unplugged except when I need to access the internet.
>
> Regarding the first episode: I tried PREVX. It found and removed some
> malware. It reported that it put the following items in "jail".
> zrmkxe.exe (4 KB)
> ykouzmp.exe (4 KB)
> ugstzfqp.exe (4 KB)
> tftp4904 (4 KB)
> shell64.dll (14 KB) (http://www.auditmypc.com/process/shell64.asp)
> rphekn.exe (4 KB)
> gpiawddx.exe (4 KB)
> avgmb.exe (4 KB)
>
> This cleared up the problem but PREVX and Norton 360 do not get along
> with each other - Norton 360 will not work properly unless PREVX is
> not present in the same system.
>
> I spent a considerable amount of time on the Symantec technical help
> line. Symantec finally apparently fixed the problem by activating the
> Norton 360 backup facility. Traffic dropped back down to its normal
> level for a while. I can't understand why this worked - what is the
> connection between backup and the high traffic problem?
>
> Broadband traffic went back to normal for a while but eventually the
> high traffic problem returned on several occasions. They were fixed by
> (1) installing PREVX, (2) doing a scan with it whereby it cleared out
> some malware, and (3) uninstalling PREVX - all of this while
> temporarily disabling Norton 360.
>
> As I said earlier, the second and last episode of the high traffic
> broadband problem began a few days ago. This seems to be different
> than the first episode because the high traffic is mainly downloading
> while uploading is normal.
>
> The big issue with all this is that I need to find out what spyware or
> malware is causing my high traffic. Can anyone tell me how to do this?
> Is there some diagnostic software that could be of use here?
>
> Below are some items that might help diagnose my problem. All of these
> were obtained when broadband traffic was very high as indicated by the
> monitor symbols being lit up constantly.
>
> The first item is a HijackThis log file. The last two are snapshots
> of the most active processes in the Windows Task Manager process
> display.
>
> Thanks in advance for your help.
(snip HJT log)
We ask that you not post HijackThis logs in the MS newsgroups. HJT logs
take a great deal of time and expertise to analyze and you will not get
the assistance you need here. Instead, please register at one of the
following specialty sites below where you will get guided help. Your
computer is heavily infected and should definitely be taken off the
Internet until it is clean. It is also probable that you have a rootkit
or similar malware that is running a hidden process. Cleaning this type
of malware is extremely difficult, if not impossible.
So you have some choices:
1. Do as suggested and post to one of the forums below. This will
require that you have another computer from which to work since you
should *not* have the infected machine on the Internet. You will need
time and patience as well. You may still need to wipe the machine and
start over.
In any case, back up your data *now* if you haven't done it.
2. Or take the machine to a professional computer repair shop (not your
local version of BigComputerStore/GeekSquad) for cleaning. Please be
aware that not all local shops are skilled at removing malware and even
if they are, your computer may be so infested that Windows will need to
be clean-installed. Have all your data backed up before you take the
machine into a shop.
3. Or do a clean install of Windows. Do not connect to the Internet
until you are protected by the Windows Firewall built into XP and Vista.
http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/...alling_Windows -
What you will need on-hand
HijackThis specialty forums:
http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/foru...howtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
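Jim asks how to find out which process is generating the traffic. One way to get a first answer offline, added here as an illustration (it is not part of either post and is not the guided help Malke recommends), is to capture `netstat -ano` and `tasklist` output from a command prompt while the monitor icons are lit and correlate the two by PID. The script below does that over constructed sample output: the image names, addresses and PIDs are made up for the example (one of the file names is borrowed from Jim's PREVX list purely as a label), and the ranking is by established connections. A PID that appears in `netstat` but has no `tasklist` entry is reported as such, since a process that owns sockets but is not listed is one symptom of the hidden process Malke mentions.

```python
"""Correlate `netstat -ano` and `tasklist` output by PID to see which
process owns the network connections. Added example, not from the thread;
the sample output below is constructed, not captured from Jim's machine."""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows XP/2003 style).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1034       203.0.113.10:80        ESTABLISHED     1588
  TCP    192.168.1.5:1041       198.51.100.7:6667      ESTABLISHED     2204
  TCP    192.168.1.5:1042       198.51.100.7:80        ESTABLISHED     2204
  TCP    192.168.1.5:1043       198.51.100.9:80        ESTABLISHED     2204
  UDP    0.0.0.0:69             *:*                                    2204
  UDP    192.168.1.5:1900       *:*                                    1036
"""

# Constructed sample of `tasklist` output taken at the same moment.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  912 Console                 0      4,812 K
svchost.exe                 1036 Console                 0      3,204 K
iexplore.exe                1588 Console                 0     18,500 K
ugstzfqp.exe                2204 Console                 0      1,012 K
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$')
# Image name (may contain spaces), PID, session name, session#, memory.
TASKLIST_RE = re.compile(r'^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$')


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({'proto': proto, 'local': local, 'remote': remote,
                         'state': state or '', 'pid': int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names


def summarize(netstat_text, tasklist_text):
    """Per PID: image name, established connection count, distinct remote
    hosts and listening ports, sorted so the busiest process comes first."""
    names = parse_tasklist(tasklist_text)
    per_pid = defaultdict(lambda: {'established': 0, 'remote_hosts': set(),
                                   'listening': set()})
    for c in parse_netstat(netstat_text):
        entry = per_pid[c['pid']]
        if c['state'] == 'ESTABLISHED':
            entry['established'] += 1
            entry['remote_hosts'].add(c['remote'].rsplit(':', 1)[0])
        elif c['state'] == 'LISTENING' or c['remote'] == '*:*':
            # Bound/listening sockets move no traffic by themselves but are
            # worth a look when the owning process is unfamiliar.
            entry['listening'].add(f"{c['proto']}/{c['local'].rsplit(':', 1)[1]}")
    report = []
    for pid, e in per_pid.items():
        report.append({'pid': pid,
                       # A socket owner missing from tasklist deserves attention.
                       'image': names.get(pid, '<not in tasklist>'),
                       'established': e['established'],
                       'remote_hosts': sorted(e['remote_hosts']),
                       'listening': sorted(e['listening'])})
    report.sort(key=lambda r: (-r['established'], r['pid']))
    return report


if __name__ == '__main__':
    for r in summarize(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{r['pid']:>6} {r['image']:<20} established={r['established']} "
              f"hosts={r['remote_hosts']} listening={r['listening']}")
```

On a real machine the two captures are taken with `netstat -ano > net.txt` and `tasklist > tasks.txt` from a command prompt while the traffic is high, then fed to `summarize()`; repeating the capture a few minutes apart shows whether the same PID keeps the most connections. Note that this only attributes sockets to the process that owns them, so a process injected into by something else, or one hidden from `tasklist` as Malke describes, still needs the fuller cleanup route the reply points to.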