TechSpot

Inexplicable net activity

By ravisunny2
Mar 4, 2007
  1. Howard,

    I had a strange experience.

    Even though I wasn't downloading anything & IE was not opening any page,
    there was a slow but steady trickle (approx. 0.7 KB/s) for ten minutes.

    Since I couldn't figure out what was going on, I disconnected from the net.

    And, yes, Google had given me a message that there was a virus or spyware in my pc.

    AVG Free & Ad-Aware didn't pick up anything.

    Can you please have a look at the HJT log?
     

    Attached Files:

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    wucrtupd.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\SYSTEM\wucrtupd.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having any problems.

    Regards Howard :)

    This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Thanks

    Thank you, Howard.

    But what were those creatures, anyway ?

    And, my broadband has started crawling like a dialup.

    Could be a problem with the ISP.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    See HERE for info on the wucrtupd.exe file.

    The O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file) was just a BHO (browser helper object) that was unknown and had its file missing.

    Your problem may be caused by your ISP. I suggest contacting them and seeing what they say. They should be able to run some tests that will help to determine if there's a problem at either their end or your end.

    Go HERE and follow the instructions for the AVG Antispyware programme.

    Post the AVG Antispyware log as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
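    The two checks Howard applies by eye in this thread (a BHO registered with "(no file)", and a Run entry launching something from the Windows system directory) are easy to automate over a HijackThis log. The following is an added example written for this page, not HijackThis code and not something the poster ran. The log text is constructed: it mixes the entries quoted in the thread with two benign lines for contrast, and the allowlist is a hypothetical analyst-maintained list rather than an authoritative one.

```python
"""Parse HijackThis-style log lines and apply the two checks this thread does by hand.

Added example, not HijackThis code. The log below is constructed: it mixes the
entries quoted in the thread with two benign lines for contrast. The allowlist is
a hypothetical analyst-maintained list, not an authoritative one.
"""
import re

SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bysoft.com/stayalivelinkfirst.html
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# Hypothetical allowlist of autostart binaries an analyst has already vetted on this machine.
SAMPLE_ALLOWLIST = ["scanregw.exe", "systray.exe"]

# Windows 9x keeps OS binaries in \WINDOWS\SYSTEM; NT-based Windows in \WINDOWS\SYSTEM32.
SYSTEM_DIRS = ("c:\\windows\\system\\", "c:\\windows\\system32\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
R1_RE = re.compile(r"^R1 - (?P<key>.*?),(?P<value>\w+) = (?P<data>.*)$")
# A Run value is "<exe> <args>"; the exe is either quoted or an unquoted path ending in .exe.
EXE_RE = re.compile(r'^(?P<exe>"[^"]+"|.*?\.exe)(?P<args>.*)$', re.IGNORECASE)


def split_command(cmd):
    """Split a Run value into (executable path, argument string)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("exe").strip('"'), m.group("args").strip()


def parse_hjt(text):
    """Turn log lines into dicts; unrecognised lines keep only their type prefix and raw text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({"type": "O2", "name": m.group("name"), "clsid": m.group("clsid").upper(),
                            "file": m.group("file").strip(), "raw": line})
            continue
        m = O4_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            entries.append({"type": "O4", "hive": m.group("hive"), "key": m.group("key"),
                            "label": m.group("label"), "exe": exe, "args": args, "raw": line})
            continue
        m = R1_RE.match(line)
        if m:
            entries.append({"type": "R1", "key": m.group("key"), "value": m.group("value"),
                            "data": m.group("data").strip(), "raw": line})
            continue
        entries.append({"type": line.split(" ", 1)[0], "raw": line})
    return entries


def flag_entries(entries, allowlist):
    """Return (finding, raw line) pairs for entries worth a second look, in log order."""
    allow = {name.lower() for name in allowlist}
    findings = []
    for e in entries:
        if e["type"] == "R1" and e["data"].lower().startswith(("http://", "https://")):
            # An Internet Connection Wizard value pointing at a web page: review where it leads.
            findings.append(("r1-url-review", e["raw"]))
        elif e["type"] == "O2" and e["file"].lower() == "(no file)":
            # A registered BHO whose DLL is gone: dead weight, and a leftover of something.
            findings.append(("orphaned-bho", e["raw"]))
        elif e["type"] == "O4":
            exe = e["exe"].lower()
            basename = exe.rsplit("\\", 1)[-1]
            if exe.startswith(SYSTEM_DIRS) and basename not in allow:
                # Third-party software rarely autostarts from the OS directory; malware often does.
                findings.append(("unlisted-system-autorun", e["raw"]))
    return findings


if __name__ == "__main__":
    for kind, raw in flag_entries(parse_hjt(SAMPLE_HJT_LOG), SAMPLE_ALLOWLIST):
        print(f"{kind:25} {raw}")
```

    Run as a script, it prints the three lines a helper would ask to have fixed and stays quiet about the Example Toolbar BHO (its DLL is present) and scanregw.exe (not in the system directory). The allowlist is the part that needs care: a name alone is not proof of legitimacy, so a hit on the system directory rule should be followed by checking the file's properties and hash, not just its name.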
     
  5. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Thank you, Howard.

    My broadband is back to normal speed, so that must have been a problem at the ISP site.

    I guess I have to move to Win XP, as most of the utilities (particularly the free ones) won't run on the Win 98 platform.

    I was unable to install the trial version of AVG, so I can't post a meaningful HJT log.

    I am planning to change the motherboard. Till then I'm stuck with Win 98.

    Regards,

    Ravi Banthia
     
  6. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Some extra net activity again

    There seems to be extraneous net activity once again.
    Can you please have a look at the HJT log ?

    Thanks,

    Ravi
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It looks like your system is infected with malware.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Okay Howard, Thanks.

    But most of the tools aren't available on win98.

    Will use whatever tools I can.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, just do what you can and post whatever logfiles you can from those requested.

    Regards Howard :)

    This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    The latest

    Tool1 : won't work on 98SE
    Tool2 : won't work on 98SE
    Tool3 : Vundofix -> no infected files found

    combofix : gives the error msg

    C:\Windows\Command.com
    The program issued a command but the command length is incorrect.

    AVG Antirootkit & Antispyware don't work on 98SE

    AVG Free , Spybot & Ad-Aware found nothing.

    Killed this entry in HJT log : O2 - BHO: (no name) .... (no file)

    The only thing I can provide is the HJT log.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Nothing nasty there.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Regards Howard :)
     
  12. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    The Autoruns log

    Howard, here is the autoruns log.

    Thanks.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The only thing I can see in your Autoruns log that may be cause for concern, is the sulfnbk.exe file. This file is a Microsoft file, but can also be infected with malware. The file is not system critical and is used for restoring long filenames.

    Navigate to c:\windows\command\sulfnbk.exe and zip the file up into an archive, then delete the sulfnbk.exe file. That way, should you have cause to suddenly need the sulfnbk.exe file, you have it readily available in the zip archive. Even if the file is infected, it can't do any harm as long as it's zipped up.

    As for your unexplained net activity, all I can suggest is that you open your task manager and see if you can spot a process that coincides with the activity.

    Regards Howard :)

    This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Okay, thanks Howard.
     
  15. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    eTrust PestPatrol (trial) says I've got Trojan.Win32.Dialer.hc

    Ad-aware & Spybot were unable to pick it up.

    Any suggestions how to double check and get rid of it ?

    BTW, I've got Win98SE, so most of the free anti-spy s/w won't work.

    Thank you.
     
  16. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Could you run HijackThis and ComboFix then? Those two logs will help a lot.


    Regards,
    Your friendly momok =)

    This thread is for the use of ravisunny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. jobeard

    jobeard TS Ambassador Posts: 9,348   +622

    THIS IS A FALSE POSITIVE condition. Pest Patrol is known to do this :(
    see this blog
     
  18. jobeard

    jobeard TS Ambassador Posts: 9,348   +622

    Comodo firewall has a page that shows which connections are R/W to the net :)

    Cports will display all connections. Clicking the column heading Remote address,
    you get the remote addresses on top and the locals on the bottom.
    The Process Path will show the program that is operating the connection.
     
  19. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Thanks, jobeard.

    I wonder if comodo firewall works on Win98SE.

    The last time I used a firewall, I had a terrible experience. There was more extraneous net activity after installing it, and I had to uninstall it.
     
  20. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Latest status

    Thanks, momok.

    Combofix gave the error msg : Cannot find cmd.exe (or one of its components).

    HJT log is attached

    In addition to Sygate, Fileseclab & Jetico (which I downloaded today), I have a few month old copy of avg75afwt_433a904 (antivir plus firewall).

    Which do you recommend?

    Should the firewall be installed while online ?

    Regards,

    Ravi
     
  21. jobeard

    jobeard TS Ambassador Posts: 9,348   +622

    Yeah, Comodo will not run on Win98SE. I recommended it ONLY as a means to
    view the actual byte counts being R/W.

    Cports will run:
    This utility works perfectly under Windows NT, Windows 2000, Windows XP, Windows Server 2003, And Windows Vista. If you want to use this utility on Windows NT, you should install psapi.dll in your system32 directory.
    You can also use this utility on older versions of Windows (Windows 98/ME), but in these versions of Windows, the process information for each port won't be displayed.
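    Howard's advice to watch Task Manager for a process that coincides with the traffic, and jobeard's description of Cports sorting connections by remote address with the owning process path, amount to one join: socket table against process table. The following is an added example for this page, not CurrPorts or Comodo code and not something posted in the thread. It assumes the text output of "netstat -ano" and "tasklist /fo csv", which exist on Windows XP and later (Windows 98's netstat has no PID column, which is exactly why Cports cannot name the process there, as the quoted NirSoft note says). Both samples below are constructed, using RFC 5737 documentation addresses and hypothetical process names.

```python
"""Join netstat and tasklist output so each remote endpoint is listed with the
process behind it, sorted by remote address the way the thread describes Cports doing.

Added example, not CurrPorts or Comodo code. Both samples are constructed (RFC 5737
documentation addresses, hypothetical process names). It assumes "netstat -ano" and
"tasklist /fo csv" output, available on Windows XP and later; Windows 98 netstat has
no PID column, so the process cannot be named there.
"""
import csv
import io

# Constructed "netstat -ano" output: one listener, a browser session, a dead TIME_WAIT
# socket with no owner, a hypothetical updsvc.exe talking to port 8080, and a NetBIOS UDP socket.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    192.0.2.10:1043        198.51.100.7:80        ESTABLISHED     1208
  TCP    192.0.2.10:1044        198.51.100.7:80        TIME_WAIT       0
  TCP    192.0.2.10:1051        203.0.113.9:8080       ESTABLISHED     1460
  UDP    192.0.2.10:137         *:*                                    4
"""

# Constructed "tasklist /fo csv" output for the same PIDs.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","744","Console","0","4,120 K"
"iexplore.exe","1208","Console","0","25,300 K"
"updsvc.exe","1460","Console","0","1,812 K"
"""

# Remote endpoints that mean "nobody": unconnected TCP listeners and unbound UDP sockets.
WILDCARD_REMOTES = {"0.0.0.0:0", "*:*", "[::]:0"}


def parse_netstat(text):
    """Parse netstat -ano lines into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def remote_endpoints(conns, procs):
    """Rows for every socket that actually has a peer, sorted by remote address then PID."""
    rows = []
    for c in conns:
        if c["state"] == "LISTENING" or c["remote"] in WILDCARD_REMOTES:
            continue
        rows.append({"remote": c["remote"], "process": procs.get(c["pid"], "<none>"),
                     "pid": c["pid"], "local": c["local"], "state": c["state"] or c["proto"]})
    rows.sort(key=lambda r: (r["remote"], r["pid"]))
    return rows


def unexpected_talkers(rows, expected):
    """Image names holding an ESTABLISHED connection that are not on the expected list."""
    exp = {e.lower() for e in expected}
    return sorted({r["process"] for r in rows
                   if r["state"] == "ESTABLISHED" and r["process"].lower() not in exp})


if __name__ == "__main__":
    table = remote_endpoints(parse_netstat(SAMPLE_NETSTAT), parse_tasklist(SAMPLE_TASKLIST))
    for r in table:
        print(f"{r['remote']:22} {r['state']:12} {r['pid']:>5}  {r['process']}")
    print("unexpected:", unexpected_talkers(table, ["iexplore.exe"]))
```

    Two practical notes. A PID of 0 on a TIME_WAIT socket is normal: the owning process has already closed it, so "<none>" there is not a sign of hiding. And a process name is only a label; the check that matters is the one the thread keeps circling back to, which is whether the on-disk file behind that name is the one you expect, so take the path from the process table and inspect the file before deciding anything.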
     
  22. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Fellow Techspot members. I would appreciate your input regarding which firewall to use.

    Please keep in mind that I am a total rookie in the Security area.

    The only thing I had installed, before joining Techspot, was eTrust antivirus.

    Thanks in advance.

    Ravi
     
  23. momok

    momok TS Rookie Posts: 2,265

    Hi,

    See my reply to your PM for the firewall.

    Have HijackThis fix this:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bysoft.com/stayalivelinkfirst.html

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Search for all instances of "cmd" on your system and let me know the result. (The full filepaths of each entry)


    Regards,
    Your friendly momok =)

    This thread is for the use of ravisunny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. ravisunny2

    ravisunny2 TS Ambassador Topic Starter Posts: 1,980   +11

    Latest status

    1) I have attached the autoruns log.

    2) There is no file by the name of cmd.exe (or cmd.*) on my PC

    These files are probably irrelevant, but I'm still listing them

    Cmdl32.exe C:\WINDOWS\SYSTEM
    Cmdl32.exe C:\win_bakup\SYSTEM
    Cmds.exe C:\WINDOWS\All Users\Application Data\Symantec\Ghost\template\common

    NeroCmd .exe C:\Program Files\Ahead\Nero
    Pltcmdln.arx C:\Program Files\AutoCAD 2002
    Nircmd.exe C:\Program Files\%systemdrive%\ComboFix
    Cmd_ex.bas C:\Aaaa\QBASIC\ADVR_EX
    Tcmdr700.exe C:\Aaaa\Aa_lastx\TotalCommander
    SmitfraudFix.cmd C:\Aaaa\Aa_lastx\Aa_Support\SmitfraudFix
     
  25. momok

    momok TS Rookie Posts: 2,265

    Hi,

    That log looks clean to me too. I do notice that you have AVG installed. Try running a full scan in safe mode to see if anything is detected. It seems more likely now that your concerns with the eTrust warnings are centred around false positives as jobeard mentioned.


    Regards,
    Your friendly momok =)

    This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     