Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Laptop clean, but still sending lots of packets?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Laptop clean, but still sending lots of packets?

Unread postby cixo » February 12th, 2006, 12:21 pm

New member here :)

Anyway I think I opened an infected file, upon which it started to install various stuff on my laptop. I had Counterspy installed, which managed to stop the program from making most of the unwanted changes. I restarted my computer in Safe Mode, and used Spybot and Ad-Aware to try and cleaned it out.

I also did a virus-scan, as well as using a-squared to scan for any trojans. It all came out clean, but I am still sending more packets than I am receiving, which is really puzzling. I am on a university network, but I am not sure whether that is the problem. So if anyone could help me, that would be most appreciated. Thanks in advance!!

Below is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:48 AM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\System32\urtclsvc.exe
C:\OfficeScan NT\ofcdog.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\OfficeScan NT\pccntmon.exe
C:\PROGRA~1\WINPAT~1\WinPatrol.exe
C:\Program Files\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\OfficeScan NT\pccntupd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 20
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = stu.nus.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\System32\urtclsvc.exe
cixo
Active Member
 
Posts: 5
Joined: February 12th, 2006, 10:09 am
Advertisement
Register to Remove

Unread postby Nellie2 » February 14th, 2006, 6:20 pm

Hello.. I'm sorry for the delay in replying to your question.

Your log looks ok to me... but you do seem to be running two anti-virus applicaitons. This isn't a good idea as it can cause conflicts. I suggest you disable one of them from real time scanning and use it for backup scanning purposes only.

CounterSpy is an excellent program however if you would like to try another scanner then you could try the Ewido trial.

Please download ewido security suite it is a free version of the program.

  1. Install ewido security suite
  2. When installing, under "Additional Options" uncheck..

    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.

    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Post the Ewido log here for review please
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby cixo » February 15th, 2006, 8:21 am

Thanks for the help! :)

Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:17:57 PM, 2/15/2006
+ Report-Checksum: C315CAF

+ Scan result:

:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.yik\cookiesnew.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.yik\cookiesnew.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20060208-010214-567.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup


::Report End
cixo
Active Member
 
Posts: 5
Joined: February 12th, 2006, 10:09 am

Unread postby Nellie2 » February 15th, 2006, 5:33 pm

That looks ok, there were just a few tracking cookies.. lets check for a rootkit

Download F-Secure's trial Blacklight program :
http://www.f-secure.com/blacklight/try.shtml

Print out the help page for guidance.
Ok the license.
Check scan through Windows Explorer
Click Scan
When animated graphics disappears, click Next
Note any files and their locations that appear in the output summary, and let me know in a reply what they are.
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby cixo » February 16th, 2006, 6:36 am

For some reason, I can't check to scan through Windows explorer - it simply isn't there!

Nevertheless, I ran a scan, and it didn't find anything suspicious.

Report below:

02/16/06 18:30:38 [Info]: BlackLight Engine 1.0.30 initialized
02/16/06 18:30:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/16/06 18:30:38 [Note]: 7019 4
02/16/06 18:30:38 [Note]: 7005 0
02/16/06 18:30:43 [Note]: 7006 0
02/16/06 18:30:43 [Note]: 7011 2572
02/16/06 18:30:43 [Note]: FSRAW library version 1.7.1014
02/16/06 18:32:40 [Note]: 7007 0
cixo
Active Member
 
Posts: 5
Joined: February 12th, 2006, 10:09 am

Unread postby Nellie2 » March 2nd, 2006, 5:06 pm

cixo

I'm sorry..I didn't get the email to tell me that you had replied to this post. I don't think your problems are malware related, it looks like Counterspy did it's job well and stopped whatever it was from installing.

How is your computer behaving now and has your network administrator managed to provide an explanation of any sort??
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby cixo » March 5th, 2006, 6:47 am

I haven't emailed my network administrators yet, but I will do that.

Thanks for all your help! :)
cixo
Active Member
 
Posts: 5
Joined: February 12th, 2006, 10:09 am

Unread postby Nellie2 » March 5th, 2006, 5:18 pm

If you have any more problems then you know where we are! Here are a few tips to help you keep your system secure;

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.

    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialise and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.

Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
Computer Safety On line - Anti-Virus

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
Computer Safety On line - Software Firewalls

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby cixo » March 10th, 2006, 4:16 am

Thanks Nellie2!!

Anyway the problem seems to be my network adaptor driver. Apparently the old driver had a problem where it reports the number of outgoing packets incorrectly. Once the driver was updated, everything turned out fine :)
cixo
Active Member
 
Posts: 5
Joined: February 12th, 2006, 10:09 am

Unread postby Nellie2 » March 10th, 2006, 5:23 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 29 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware