Solved: Unknown programs using most of my bandwidth

sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
21-Jun-2009, 04:34 PM #1
Solved: Unknown programs using most of my bandwidth
I have XP Home SP2.

I'm very confused. I recently upgraded my bandwidth from 5 to 20 meg and it was still going around 5. So I called my ISP and talked to a tech person and after looking at my network settings they said that I have 27 different connections using up my bandwidth - and that was in safe mode!

So if anyone can help me identify the culprit programs/services/? I'd REALLY appreciate it.

Now I don't think it's a virus or spyware because I'm super-meticulous about downloading and surfing. I use Firefox 3 with NoScript to automatically block unknown scripts for webpages and allow only sites I trust. I routinely scan my computer with Spybot and Avira AntiVir. But I'm not completely ruling malicious software out. I just think it's unlikely.

Last edited by sn4td; 22-Jun-2009 at 03:13 AM..
lunarlander's Avatar
Senior Member with 3,492 posts.
 
Join Date: Sep 2007
21-Jun-2009, 04:54 PM #2
You can use a web based Whois to find out who you are talking to. Available here:
http://cqcounter.com/whois/

I checked out the list you provided, and those connections were to Belkin, Verisign and Google. Nothing unusual.

Maybe you can run a HijackThis scan and let some of the Gold Shield members take a look to see if any strange programs are lurking.

http://www.trendsecure.com/portal/en...kthis/download

Use "Do a system scan and save a log file", and notepad will open with a log of what it finds, copy and paste the contents here. Don't ask it to fix anything.
sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
21-Jun-2009, 05:11 PM #3
Thank you.

But why would I be having those outgoing connections to the internet constantly? And why are they using 3/4 of my bandwidth?

FYI my other computer does not have this bandwidth problem.
Blackmirror's Avatar
Distinguished Member with 32,577 posts.
 
Join Date: Dec 2006
Location: uk
Experience: Away with the fairies :)
21-Jun-2009, 05:13 PM #4
What firewall are you using?
sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
21-Jun-2009, 05:19 PM #5
Sygate 5.6
sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
21-Jun-2009, 05:19 PM #6
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:39 PM, on 6/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKLM\..\Policies\Explorer\Run: [application] C:\Program Files\AKProg\AKProg.exe hs
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1235509196981
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/soft...01/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1235509186245
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/soft...5108/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{057B8255-F42F-4CB5-A609-B21C6523BFDE}: NameServer = 24.158.63.28,24.158.63.29
O17 - HKLM\System\CS2\Services\Tcpip\..\{057B8255-F42F-4CB5-A609-B21C6523BFDE}: NameServer = 24.158.63.28,24.158.63.29
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ImDisk Virtual Disk Driver Helper (ImDskSvc) - Olof Lagerkvist - C:\WINNT\system32\imdsksvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Tony\My Documents\My Pictures\s_5541b84e62a0cf146a5bf661c4e16237.gif

--
End of file - 5975 bytes
sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
21-Jun-2009, 05:41 PM #7
And I'm getting port scans from China (61.160.216.63, 61.139.105.163) all of a sudden. And I've never seen a port scan warning before.
perfume's Avatar
Account Disabled with 2,011 posts.
 
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
21-Jun-2009, 11:05 PM #8
Dear sn4td,
"IP Address. . . . . . . . . . . . : 75.143.169.188

Subnet Mask . . . . . . . . . . . : 255.255.240.0

IP Address. . . . . . . . . . . . : fe80::205:1bff:fe00:3c02%5

Default Gateway . . . . . . . . . : 75.143.160.1

DHCP Server . . . . . . . . . . . : 68.114.38.114

DNS Servers . . . . . . . . . . . : 24.158.63.28"
Your IP address is now known to the ones who "can" hack into your system. It's sort of posting your email address with the password. I suggest a change of firewall like Outpost (free) or better still, install Avira Antivir (free) "pronto". Website: http://www.free-av.com/en/trialpay_d...a_antivir_pers . If you want a complete suite for free, install Comodo Internet Security Suite. Website: http://www.comodo.com/

Are you behind a hardware firewall?
sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
22-Jun-2009, 01:50 AM #9
I don't think I am. How would I know?

Last edited by sn4td; 22-Jun-2009 at 03:13 AM..
perfume's Avatar
Account Disabled with 2,011 posts.
 
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
22-Jun-2009, 04:36 AM #10
Dear sn4td,
When you pull out the wallet, open it, take out those precious dollars or Euros and buy a "Router" if you are using the PC at home. To be frank I don't like the accuracy of the word "router" and prefer "NAT" (Regular Network Address Translation). A good example is Express EtherNetwork DI-604. This is sort of unfamiliar territory for me, but a real router generates many IP addresses and masks you that way, whereas a basic router gives you only a single external IP address. All said, you have to configure it and unless you do that it's as useless as an unconfigured software firewall! Best wishes.
Frank4d's Avatar
Distinguished Member with 8,718 posts.
 
Join Date: Sep 2006
Location: So. California
Experience: Since MS-Dos 3.0
22-Jun-2009, 09:54 AM #11
One of your startup items appears to be a keylogger, and another looks suspicious. A malware removal expert needs to help with this.
sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
23-Jun-2009, 01:06 AM #12
Where do I go for help with this?
sn4td's Avatar
Junior Member with 13 posts.
 
Join Date: Jun 2009
Experience: Intermediate
23-Jun-2009, 10:59 PM #13
I formatted the computer and reinstalled Windows. So if it was malware it's not a problem anymore.

As far as bandwidth, it's because my computer is old and I have USB 1 to connect to my modem.

Thanks for the help.
Frank4d's Avatar
Distinguished Member with 8,718 posts.
 
Join Date: Sep 2006
Location: So. California
Experience: Since MS-Dos 3.0
23-Jun-2009, 11:10 PM #14
Glad you got it sorted. As you are using your computer after reinstalling Windows and applications, check that these don't re-appear:
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O4 - HKLM\..\Policies\Explorer\Run: [application] C:\Program Files\AKProg\AKProg.exe hs
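
An added example, not part of Frank4d's post or the thread: one way to re-check a fresh HijackThis log for the two entries listed above. The sample log, the `helper` autorun in it, and the "related" heuristic (an O4 autorun using the same registry key or the same executable name as a watched O4 entry) are assumptions made for illustration.

```python
import re

# The two entries Frank4d listed in post #14, copied from the thread.
WATCHLIST = [
    r"F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [application] C:\Program Files\AKProg\AKProg.exe hs",
]
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # "O4 - <body>"
AUTORUN = re.compile(r"^([^:]+): \[([^\]]*)\]\s*(.*)$")  # "<key>: [<name>] <command>"
# Constructed sample log (not from the thread) for a post-reinstall re-check.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\policies\Explorer\Run: [application]  c:\program files\akprog\AKProg.exe hs
O4 - HKCU\..\Run: [helper] C:\Temp\AKProg.exe
"""

def normalize(text):
    """Collapse whitespace and case: Windows paths and registry keys ignore case."""
    return " ".join(text.split()).casefold()

def image_name(command):
    """First .exe file name in an autorun command line, lower-cased ('' if none)."""
    m = re.search(r'[^\\/"\s]+\.exe', command, re.I)
    return m.group(0).casefold() if m else ""

def entries(log_text):
    """Yield (code, body) per entry line; header and process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def recheck(log_text, watchlist=WATCHLIST):
    """Return [(kind, line)]: 'exact' for a watchlist line, 'related' for an O4
    autorun sharing a watched entry's registry key or executable name."""
    exact = {normalize(w) for w in watchlist}
    o4 = [AUTORUN.match(b) for c, b in entries("\n".join(watchlist)) if c == "O4"]
    keys = {normalize(m.group(1)) for m in o4 if m}
    images = {image_name(m.group(3)) for m in o4 if m} - {""}
    findings = []
    for code, body in entries(log_text):
        line = f"{code} - {body}"
        m = AUTORUN.match(body) if code == "O4" else None
        if normalize(line) in exact:
            findings.append(("exact", line))
        elif m and (normalize(m.group(1)) in keys or image_name(m.group(3)) in images):
            findings.append(("related", line))
    return findings
```

Calling `recheck(SAMPLE_LOG)` reports the `Policies\Explorer\Run` line as an exact hit despite the case and spacing differences, and the `helper` autorun as related because it launches an executable with the same file name.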