
Problem with my internet

Discussion in 'Web & Email' started by davef89, Sep 16, 2004.

Thread Status:
Not open for further replies.
  1. davef89

    davef89 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    27
    Basically, whenever I connect to the net, it says that I am always uploading. There is always about 50Kbps - 100Kbps being transmitted and I don't know why. As a result, I am getting really poor connections on Xbox Live at the minute. This has only just started happening, and I would very much appreciate some help. I just don't know what is eating up my bandwidth. Is there any way to find out what is being uploaded and downloaded?
     
  2. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
    Hi, and welcome to the TSG forum :) (y)

    I suspect you have spyware.
    Have you run a virus checker?
    Have you run any spyware programs such as Ad-Aware / Spybot?

    if not
    do the following

    FIRST:-

    run a virus scan with your own scanner
    If you have a virus scanner of your own - first make sure your scanner is fully up-to-date with the latest definitions
    or
    you can Run an online scan from here
    http://housecall.antivirus.com/pc_housecall
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    see here http://forums.techguy.org/t110854.html for other online scanners

    System Restore:-
    Remember to turn off system restore in WinME and XP http://service1.symantec.com/SUPPOR...8825696500726d13?OpenDocument&src=bar_sch_nam

    SAFEMODE:-
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam
    http://support.microsoft.com/default.aspx?kbid=315222

    If Not all clear - please post results before continuing

    ONCE ALL CLEAR of virus from the above scans:

    SECOND:-

    SPYWARE - note the spyware tools websites often come under attack (hence more than 1 location)

    CWShredder:
    It would be worth running CWShredder first -
    download from these sites
    http://tinyurl.com/mn7e
    http://www.majorgeeks.com/download4086.html
    http://209.133.47.200/~merijn/downloads.html
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip
    http://www.thespykiller.co.uk/
    http://downloads.subratam.org/CWShredder.exe

    Run the program and let it do its thing. Make sure to click on "Fix" and not scan only.

    Reboot:

    Now RUN

    AD-AWARE:
    If required, a tutorial is here: http://www.bleepingcomputer.com/forums/index.php?showtutorial=48


    download, update and run ad-aware
    http://www.lavasoftusa.com/
    http://www.networkingfiles.com/Cookie/adaware.htm
    http://www.lavasoftusa.com/support/download/

    Before you scan with AdAware, check for updates of the reference file by clicking on "Check for updates now", connect.

    Make sure the following settings are made and on -------ON=GREEN

    From main window :Click Start then Activate in-depth scan (recommended)

    Click "Use Custom Scanning Options", then click "Customize" and have these options selected: Under Drives and Folders put a check by Scan Within Archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select: Unload recognized processes during scanning and under Cleaning Engine select: Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.


    NOW RUN

    SPYBOT:
    If required, a tutorial is here: http://www.bleepingcomputer.com/forums/index.php?showtutorial=43


    Make sure it's Version 1.3; if you have been using 1.2 you can install right over it. If you downloaded and used 1.3 beta it is suggested you remove it and reboot prior to installing.

    download, update and run spybot
    http://spybot.safer-networking.de/
    http://tomcoyote.org/SPYBOT
    http://www.download.com/3000-8022-10122137.html
    http://www.spybot.us/spybotsd13.exe
    http://www.safer-networking.org/

    Make sure to check for updates prior to running the scan.
    Click on "Search For updates" when prompted.
    Scan, click on fix problems.
    Reboot:


    Then post what happened - how it's going -

    Next we can run HijackThis and ask a security guru to view and advise
     
  3. davef89

    davef89 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    27
    Well, I was speaking to someone on Live today, and they thought that it was a trojan virus and that I should download this antivirus program from f-secure.com. I ran an in-depth scan, with all the settings that you told me to use, and it is picking up lots of infected files and registry keys. As soon as it has finished, I shall delete those bad files and then run Spybot and, hopefully, the virus or whatever it is shall be gone. Thanks a lot for your help, by the way. It is much appreciated.
     
  4. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
    When finished, run a HijackThis log and a security expert here can check it's all clean

    HIJACK THIS:


    Download and copy HijackThis to its own folder; it makes backups, so keeping them separate and available can be useful.

    Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

    http://www.tomcoyote.org/hjt/
    http://209.133.47.200/~merijn/downloads.html
    http://www.thespykiller.co.uk/
    http://www.majorgeeks.com/download3155.html
    http://aumha.org/downloads/hijackthis.exe
    http://www.thewhities.com/
    http://www.sherrylynn.us/privacypolicy (this has an older version 1.97 - if you can not get to any of the above sites)

    Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”.
    Click on “Save Log” and then save it to NotePad.
    Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.
    DO NOT FIX ANYTHING - wait for advice from one of the many security experts in this forum.

    I currently do not have the skill/competence to advise and poor advice can be far more damaging to your PC with this software, and so I will be unable to add any advice on the log and so will no longer be replying to your post with regards to the HJT issue, so please have patience and wait for one of the security experts to provide further detailed advice
     
  5. davef89

    davef89 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    27
    I ran Hijack This and this is what it found:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:58:11, on 21/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hjt[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-uk3.hpwis.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O9 - Extra button: Researcher (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C7C4BD-D5E4-46B7-BBC1-F7E80279357E}: NameServer = 212.74.114.129 212.74.114.193

    So is there anything bad in there?
     
  6. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
    Sorry davef89, can you post a log with version 1.98.2 - should be available from all the sites above - except as indicated
     
  7. davef89

    davef89 Thread Starter

    Joined:
    Sep 16, 2004
    Messages:
    27
    Right, then, here it is:

    Logfile of HijackThis v1.98.2
    Scan saved at 17:44:34, on 23/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\F6CVNXKT\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-uk3.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-uk3.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C7C4BD-D5E4-46B7-BBC1-F7E80279357E}: NameServer = 212.74.114.129 212.74.114.193
     

Short URL to this thread: https://techguy.org/274788
