Problem with my internet

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

davef89

Thread Starter
Joined
Sep 16, 2004
Messages
27
Basically, whenever I connect to the net, it says that I am always uploading. There is always about 50Kbps - 100Kbps being transmitted and I don't know why. As a result, I am getting really poor connections on Xbox Live at the minute. This has only just started happening, and I would very much appreciate some help. I just don't know what is eating up my bandwidth. Is there any way to find out what is being uploaded and downloaded?
 

etaf

Wayne
Moderator
Joined
Oct 2, 2003
Messages
65,468
Hi, and welcome to the TSG forum :) (y)

I suspect you have spyware
Have you run a virus checker?
Have you run any spyware programs such as Ad-Aware / Spybot?

if not
do the following

FIRST:-

run a virus scan with your own scanner
If you have a Virus Scanner of your own - first make sure your scanner is fully up-to-date with the latest definitions
or
you can Run an online scan from here
http://housecall.antivirus.com/pc_housecall
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

see here http://forums.techguy.org/t110854.html for other online scanners

System Restore:-
Remember to turn off system restore in WinME and XP http://service1.symantec.com/SUPPOR...8825696500726d13?OpenDocument&src=bar_sch_nam

SAFEMODE:-
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam
http://support.microsoft.com/default.aspx?kbid=315222

If Not all clear - please post results before continuing

ONCE ALL CLEAR of virus from the above scans:

SECOND:-

SPYWARE - note the spyware tools websites often come under attack (hence more than 1 location)

CWShredder:
it would be worth running CWShredder first -
download from these sites
http://tinyurl.com/mn7e
http://www.majorgeeks.com/download4086.html
http://209.133.47.200/~merijn/downloads.html
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
http://www.thespykiller.co.uk/
http://downloads.subratam.org/CWShredder.exe

Run the program and let it do its thing. Make sure to click on "Fix" and not scan only.

Reboot:

Now RUN

AD-AWARE:
If required, a tutorial is here http://www.bleepingcomputer.com/forums/index.php?showtutorial=48


download, update and run ad-aware
http://www.lavasoftusa.com/
http://www.networkingfiles.com/Cookie/adaware.htm
http://www.lavasoftusa.com/support/download/

Before you scan with AdAware, check for updates of the reference file by clicking on "Check for updates now", connect.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click 'Use Custom Scanning Options' then click 'Customize' and have these options selected: Under Drives and Folders put a check by Scan Within Archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select: Unload recognized processes during scanning and under Cleaning Engine select: Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.


NOW RUN

SPYBOT:
If required, a tutorial is here http://www.bleepingcomputer.com/forums/index.php?showtutorial=43


Make sure it's Version 1.3, if you have been using 1.2 you can install right over it. If you downloaded and used 1.3 beta it is suggested you remove it and reboot prior to installing.

download, update and run spybot
http://spybot.safer-networking.de/
http://tomcoyote.org/SPYBOT
http://www.download.com/3000-8022-10122137.html
http://www.spybot.us/spybotsd13.exe
http://www.safer-networking.org/

Make sure to check for updates prior to running the scan.
Click on "Search For updates" when prompted.
Scan, click on fix problems.
Reboot:


then post what happened - how its going -

next we can run HijackThis and ask a security guru to view and advise
 

davef89

Thread Starter
Joined
Sep 16, 2004
Messages
27
Well, I was speaking to someone on Live today, and they thought that it was a trojan virus and that I should download this antivirus program from f-secure.com. I ran an in-depth scan, with all the settings that you told me to use, and it is picking up lots of infected files and registry keys. As soon as it has finished, I shall delete those bad files and then run Spybot and, hopefully, the virus or whatever it is shall be gone. Thanks a lot for your help, by the way. It is much appreciated.
 

etaf

Wayne
Moderator
Joined
Oct 2, 2003
Messages
65,468
when finished run a HijackThis log and a security expert here can check it's all clean

HIJACK THIS:


Download and copy HijackThis to its own folder; it makes backups, so keeping them separate and available can be useful.

Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

http://www.tomcoyote.org/hjt/
http://209.133.47.200/~merijn/downloads.html
http://www.thespykiller.co.uk/
http://www.majorgeeks.com/download3155.html
http://aumha.org/downloads/hijackthis.exe
http://www.thewhities.com/
http://www.sherrylynn.us/privacypolicy (this has an older version 1.97 - if you can not get to any of the above sites)

Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”.
Click on “Save Log” and then save it to NotePad.
Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.
DO NOT FIX ANYTHING. Wait for advice from one of the many security experts in this forum.

I currently do not have the skill/competence to advise and poor advice can be far more damaging to your PC with this software, and so I will be unable to add any advice on the log and so will no longer be replying to your post with regards to the HJT issue, so please have patience and wait for one of the security experts to provide further detailed advice
 

davef89

Thread Starter
Joined
Sep 16, 2004
Messages
27
I ran Hijack This and this is what it found:

Logfile of HijackThis v1.97.7
Scan saved at 16:58:11, on 21/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hjt[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-uk3.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C7C4BD-D5E4-46B7-BBC1-F7E80279357E}: NameServer = 212.74.114.129 212.74.114.193

So is there anything bad in there?
 

etaf

Wayne
Moderator
Joined
Oct 2, 2003
Messages
65,468
sorry davef89 can you post a log with version 1.98.2 - should be available from all the sites above - except as indicated
 

davef89

Thread Starter
Joined
Sep 16, 2004
Messages
27
Right, then, here it is:

Logfile of HijackThis v1.98.2
Scan saved at 17:44:34, on 23/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\F6CVNXKT\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C7C4BD-D5E4-46B7-BBC1-F7E80279357E}: NameServer = 212.74.114.129 212.74.114.193
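
The logs posted above list running processes first and then one entry per line, each prefixed with a section code such as O4 for autostart items. As an added example (not part of the thread and not HijackThis code), this Python parser reads that layout and lists O4 Run values whose command has no absolute path, pairing each with the running-process path when the log shows one. The sample is a constructed subset of the v1.98.2 log, and the function names and the "no absolute path" review criterion are assumptions made for illustration.

```python
import re
from ntpath import basename

# Constructed sample: a subset of lines copied from the v1.98.2 log above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\pctspk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C7C4BD-D5E4-46B7-BBC1-F7E80279357E}: NameServer = 212.74.114.129 212.74.114.193
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")               # "O4 - ..." entry lines
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")  # registry autostart detail
ABSOLUTE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')          # drive, UNC or %VAR% prefix

def parse_log(text):
    """Split a log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def unqualified_autoruns(text):
    """List O4 Run values whose command has no absolute path, with the
    matching running-process path if the log shows one (else None)."""
    processes, entries = parse_log(text)
    running = {basename(p).lower(): p for p in processes}
    found = []
    for code, detail in entries:
        m = RUN.match(detail) if code == "O4" else None
        if m and not ABSOLUTE.match(m.group(4)):
            exe = m.group(4).split()[0].lower()
            found.append((m.group(3), m.group(4), running.get(exe)))
    return found
```

An entry returned with `None` only means the log itself does not show where the file lives; the reviewer still has to locate and identify it.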
 