On Oct 13, 9:49 am, Jim <koeh...@btinternet.com> wrote:
> A real challenge to all spyware and malware experts.
>
> Please excuse my bad manners in publishing this article in two
> newsgroups simultaneously. I am not sure which one is most likely to
> provide help in solving my problem.
>
> If there is another newsgroup in which I should post this article
> please let me know.
>
> The problem that I have is driving me mad!
>
> The problem is that my broadband traffic is at times extremely high
> for completely unexplained reasons.
>
> This is indicated by (1) the daily log kept by my ISP and (2) more
> visibly by the icon in the lower right-hand corner on my screen that
> consists of the two little monitor symbols. These symbols indicate
> broadband activity by lighting up in light blue - one for up traffic
> and the other for down traffic.
>
> The problem has been around on and off for three months now.
>
> Environment: Windows XP SP2, Symantec Norton 360, Namesco (ISP) and Ad-
> Aware SE Personal. The last of these I run only on demand - usually
> once a day.
>
> When the problem is occurring the daily ISP log shows 4 or 5 times
> normal megabytes per day and the monitor symbols are lit up all the
> time.
>
> Normally the log and the monitor symbols show low broadband activity.
> I have been a fairly light user of the internet. No movie downloads,
> etc. Just emails and web page accesses.
>
> The high activity problem has occurred in two episodes. During the
> first of these (a couple of weeks) the high traffic was more or less
> equally divided between uploading and downloading. But during the most
> recent episode (a couple of days) downloading has been very high while
> uploading was normal.
>
> My traffic has been so high that my ISP's monthly limit is 60% used
> while I am only 40% into the month. I will be charged for any excess.
> I have become so concerned that I am leaving my modem connection to my
> phone line unplugged except when I need to access the internet.
>
> Regarding the first episode: I tried PREVX. It found and removed some
> malware. It reported that it put the following items in "jail".
> zrmkxe.exe (4 KB)
> ykouzmp.exe (4 KB)
> ugstzfqp.exe (4 KB)
> tftp4904 (4 KB)
> shell64.dll (14 KB) (http://www.auditmypc.com/process/shell64.asp)
> rphekn.exe (4 KB)
> gpiawddx.exe (4 KB)
> avgmb.exe (4 KB)
>
> This cleared up the problem but PREVX and Norton 360 do not get along
> with each other - Norton 360 will not work properly unless PREVX is
> not present in the same system.
>
> I spent a considerable amount of time on the Symantec technical help
> line. Symantec finally apparently fixed the problem by activating the
> Norton 360 backup facility. Traffic dropped back down to its normal
> level for a while. I can't understand why this worked - what is the
> connection between backup and the high traffic problem?
>
> Broadband traffic went back to normal for a while but eventually the
> high traffic problem returned on several occasions. They were fixed by
> (1) installing PREVX, (2) doing a scan with it whereby it cleared out
> some malware, and (3) uninstalling PREVX - all of this while
> temporarily disabling Norton 360.
>
> As I said earlier, the second and last episode of the high traffic
> broadband problem began a few days ago. This seems to be different
> than the first episode because the high traffic is mainly downloading
> while uploading is normal.
>
> The big issue with all this is that I need to find out what spyware or
> malware is causing my high traffic. Can anyone tell me how to do this?
> Is there some diagnostic software that could be of use here?
>
> Below are some items that might help diagnose my problem. All of these
> were obtained when broadband traffic was very high as indicated by the
> monitor symbols being lit up constantly.
>
> The first item is a HijackThis log file. The last two are snapshots
> of the most active processes in the Windows Task Manager process
> display.
>
> Thanks in advance for your help.
>
> Jim
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Logfile of HijackThis v1.99.1
> Scan saved at 23:41:58, on 10/12/2007
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.6000.16544)
>
> Running processes:
> C:\WINNT\System32\smss.exe
> C:\WINNT\system32\winlogon.exe
> C:\WINNT\system32\services.exe
> C:\WINNT\system32\lsass.exe
> C:\WINNT\system32\Ati2evxx.exe
> C:\WINNT\system32\svchost.exe
> C:\WINNT\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
> C:\WINNT\system32\Ati2evxx.exe
> C:\WINNT\Explorer.EXE
> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> C:\WINNT\system32\spoolsv.exe
> C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
> C:\WINNT\system32\CTsvcCDA.exe
> C:\WINNT\system32\inetsrv\inetinfo.exe
> C:\Program Files\Kontiki\KService.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
> C:\WINNT\System32\PGPsdkServ.exe
> C:\WINNT\system32\dllhost.exe
> C:\WINNT\System32\vssvc.exe
> C:\Program Files\RealVNC\VNC4\WinVNC4.exe
> C:\WINNT\System32\MsPMSPSv.exe
> C:\WINNT\system32\fxssvc.exe
> C:\WINNT\system32\dllhost.exe
> C:\Program Files\Common Files\Real\Update_OB\realsched.exe
> C:\Program Files\QuickTime\QTTask.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\WINNT\system32\ctfmon.exe
> C:\Program Files\Intense Language Office\COMMON\Offman.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\Program Files\Eraser\eraser.exe
> C:\Program Files\Kontiki\KHost.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
> C:\WINNT\system32\taskmgr.exe
> C:\WINNT\system32\notepad.exe
> C:\Program Files\HJT\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =http://go.microsoft.com/fwlink/?LinkId=54896
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =http://go.microsoft.com/fwlink/?LinkId=69157
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
> O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
> O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
> O2 - BHO: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
> O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
> O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
> O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
> O3 - Toolbar: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
> O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
> O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\Jim.JIM-HOMEPC\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
> O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
> O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
> O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
> O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
> O9 - Extra button: (no name) - SolidConverterPDF - (no file)
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
> O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
> O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
> O11 - Options group: [INTERNATIONAL] International*
> O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
> O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
> O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff..cab
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client...
> O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
> O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) -http://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
> O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} ...
>
Check to see if this software helps because it saved my PC! www.eliteatm.biz
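Since the question above asks for diagnostic software: as an added example (not part of Jim's post, nor anything shipped with HijackThis), here is a short Python script that reads a HijackThis log and applies a few hygiene rules to the R/O entries. The rule names and thresholds are my own assumptions; the sample lines are copied from the log quoted above, with the lines the newsgroup wrapped rejoined onto single lines.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v1.99 format. The lines are taken from the
# log quoted in the post above; paths that the newsgroup wrapped are rejoined.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\Jim.JIM-HOMEPC\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

# "R1 - body", "O4 - body", ... ; anything else in the log is a header or a process list
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body layout: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# First program image on a command line, quoted or not (unquoted paths may contain spaces)
IMAGE_RE = re.compile(r'^"?(?P<image>.*?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    subject: str   # the autostart name, or the raw entry body
    rule: str      # which hygiene rule (my own naming) fired


def autostart_image(command: str) -> str:
    """Return the program path that an O4 command line launches."""
    m = IMAGE_RE.match(command.strip())
    if m:
        return m.group("image")
    return command.strip().split(" ", 1)[0].strip('"')


def has_full_path(image: str) -> bool:
    """True for a drive path, a UNC path or an expandable %var% prefix."""
    return bool(re.match(r"^(?:[A-Za-z]:\\|\\\\|%\w+%)", image))


def triage(log_text: str) -> List[Finding]:
    """Apply simple hygiene rules to every R/F/O entry of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        # Rule 1: a registered component whose file is gone. Harmless by itself,
        # but it is leftover from an uninstall or from a removed infection.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, body, "orphaned entry, file absent"))
            continue

        if section == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            name = o4.group("name")
            image = autostart_image(o4.group("command"))
            # Rule 2: something set to run at every logon out of a temp directory
            if "\\temp\\" in image.lower():
                findings.append(Finding(section, name, "autostart runs from a temporary directory"))
            # Rule 3: a bare file name, found through the PATH search at logon
            elif not has_full_path(image):
                findings.append(Finding(section, name, "autostart has no full path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.rule:<45}{f.subject}")
```

On the sample it reports the orphaned `mwsBar BHO` and `xpnetdiag.exe` entries, the IncrediMail installer that runs from `Local Settings\Temp` at every logon, and the `IntEdReg.exe` autostart that gives no path. These are cleanup candidates, not proof of where the traffic goes: a HijackThis log lists what is registered to load, not what is talking on the network. To tie the lit-up modem icon to a process, the matching step on XP SP2 is `netstat -b -n -o` (the `-b` switch names the executable behind each connection), run while the traffic is high and compared against the Task Manager snapshots mentioned in the post.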