[Solved] Unknown Internet traffic


tonylukac

The antispyware program Ad-Aware by Lavasoft appears to be spyware of its own. Just recently it started wildly sending data across the internet while scanning, old and new versions alike. Here's a nice reason for open source. In my conspiracy theories, it is from Sweden and that's where the pirate bay was from, so perhaps they have some kind of agreement with some government to list your files to see if your computer contains illegal downloads. Perhaps it is simply taking control of your computer when it scans. Either way, avoid it.

================================
EDIT: The subject of this thread has been changed. The previous subject has not been documented and may be misleading to members. Member has been advised of change.
================================
 
You will have to be more specific to make an accusation like this.

Just recently it started wildly sending data across the internet while scanning

What are you basing this on?
Does this happen on your computer? Explain exactly why and what you think is spyware.
Explain what this "data" is that you think is being transmitted.
 
On the two Vista partitions it is installed on (it happened in 2 places), large amounts of data are being sent to the internet during the scan, like files being listed, because the modem and router lights flash to beat the band. Ending the scan ends the router/modem flashing. Just thought you should know.
 
Sorry, I don't consider this adequate to damn AdAware for spyware! How do you know that AdAware is sending this data? What kind of 'data' are you referring to?

Routers blink constantly.
 
We shall try an experiment and I'll get back to you. Not totally reproducible. Routers connected to cable modems flash a lot, but my dsl connection is quite steady and never blinks unless in use. I just recently went thru such an argument with someone who has cable.
 
I am still hard pressed as to how you can attribute this to AdAware 'spying.' Are you just seeing the light flash on the router? I have a router and a cable modem and both of them flash all the time! If you're going to accuse a company of putting out spyware with their security program, then you need to have a lot more than just a flashing light!

It would be interesting to run your system through malware cleaning, don't you think?

Follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .

Please do not use any other cleaning programs or scans. Do not use a Registry cleaner or make any changes in the Registry.
 
I shall do it when I get there. It happened on 2 systems, one rarely used and just recently installed, so I don't think this will bear fruit. On the one "gaming" partition Kaspersky routinely flags something caused I think by Need For Speed's secure rom copy protection, but I don't have this game installed on the other partition and it has the flashing router lights also. Remember, I have dsl and you have cable; a different setup.
 
So the subject and substance of your first post are misleading. I'm going to change the subject to:

Unknown Internet Traffic

If you find any particular cause and think people need to be warned, then it would be more appropriate.

Changing subject of thread as stated. Subject is not documented and can be misleading.
 
Thank you for all your time. First, IE8 would not allow me to download anything due to Need For Speed's Secure Rom. I downloaded it with Firefox. Second, GMER gave a BSOD but worked when I unchecked "Devices". Sorry, in trying to copy and paste I got the message to Please shorten text to 20000 characters, so I attached the files instead. I don't think you'll find anything as mine is a clean machine. Thank you for your time and expertise.
 

Attachments

  • mbam-log-2010-08-04 (05-41-56).txt (893 bytes)
  • gmer.log (68.4 KB)
  • DDS.txt (10.3 KB)
  • Attach.txt (2.8 KB)
Message from Bobbye:

Due to family matters that require my time and efforts, I am unable to continue helping with malware cleaning at this time. If and when these matters are resolved, I will return to the board.

Since the only other helper in the Virus and Malware forum is Broni, I will ask him to pickup the open threads I have going, if and when he can.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Combofix deleted my autorun.inf. Did that have a virus? I undeleted it, but it turns out I didn't need it anyway. It was from the old drive.
 

Attachments

  • ComboFix.txt (10.1 KB)
Our instructions clearly say not to do anything other than what we ask for.
Please obey the rules :)

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
I don't see much so far....

What are the current issues?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
You cannot copy and paste these logs, even individually. Together they comprise over 50000 characters exceeding the 20000 character posting limit. I attached them instead. The problem was that some program was generating a lot of internet traffic, thought to be Ad-Aware. Then, it was thought that some spyware was generating it. I didn't think the machine had much spyware on it since it is rarely used.
 

Attachments

  • OTL.Txt (75.3 KB)
  • Extras.Txt (22.4 KB)
Ad-aware is rather a tool of the past. You can safely uninstall it and rely on Malwarebytes, the best antimalware tool you can get for free. I see you also have Superantispyware, which is another excellent program.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring" =-
    "" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
 
Sorry, the first time I did it I copied and pasted from the email which had one line split into 2. It got stuck at "Processing Registry data Center\Monitoring\KasperskyAntiVIrus]..."
The second time I ran it I used the post and it worked. Here is the log:

All processes killed
========== OTL ==========
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\\DisableMonitoring deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\\ deleted successfully.
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Tony
->Temp folder emptied: 469068 bytes
->Temporary Internet Files folder emptied: 6313718 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 32638538 bytes
->Flash cache emptied: 1154 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50351 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 38.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Tony
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08082010_072250

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Good :)

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
How about trying Spybot Search and Destroy? It rids the computer of botnets which can generate undue internet traffic. Below is the result of the Security Check scanner. TFC was already run, but I ran it again anyway. It didn't produce a log since it rebooted and there was no log. ESET found no threats thus didn't produce a log either.

Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Kaspersky Internet Security 2010
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
Mozilla Firefox (4.0b2.) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Windows Defender MSASCui.exe
Kaspersky Lab Kaspersky Internet Security 2010 avp.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
Spybot is rather a tool of the past and I don't recommend it anymore.

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

========================================================================

Your computer is clean


1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI). The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
 
You're very welcome


Good luck and stay safe :)

I assume your computer is behaving properly?
 
Looks like I was having the same problem after all that, but Jobeard gave me a remote connections ip tracing program to see what ip the connection was going to. It was going to an ip address in Washington, DC. But all it was was a Kaspersky virus definition update. Nice website to trace ip addresses too.
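The post above resolves the thread's question by tracing which remote address the traffic went to. As an added example (not from the thread or any of its participants), the PowerShell below does the same attribution on the affected machine itself: it lists every established TCP connection together with the process that owns it, groups them by process, and reverse-resolves the remote hosts. It assumes Windows Vista or later with PowerShell 2.0 and netstat.exe, and should be run from an elevated prompt so that service processes resolve; the netstat column layout it parses is the standard one shown in the comment.

```powershell
# Added example, not from the thread or its participants. Attributes each
# established TCP connection to the process that owns it, so a burst of
# "unknown" traffic (router lights flashing during a scan) can be named.
# Assumes Windows Vista or later with PowerShell 2.0 and netstat.exe; run
# from an elevated prompt so PIDs of service processes resolve.

function Get-ConnectionOwner {
    # Snapshot PID -> process name once, rather than per connection.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_.ProcessName }

    # netstat -ano: -a all sockets, -n numeric addresses, -o owning PID.
    # Example line:  TCP    192.168.1.5:49210    93.184.216.34:443    ESTABLISHED    1234
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'ESTABLISHED') {
            $id = [int]$f[4]
            $name = $byPid[$id]
            if (-not $name) { $name = '<exited or inaccessible>' }
            New-Object PSObject -Property @{
                Process = $name
                PID     = $id
                Local   = $f[1]
                Remote  = $f[2]
            }
        }
    }
}

function Resolve-RemoteHost {
    # Reverse-resolve an "ip:port" endpoint (IPv4 or [IPv6]); returns the
    # bare IP unchanged when there is no PTR record or the lookup fails.
    param([string]$Endpoint)
    $ip = $Endpoint.Substring(0, $Endpoint.LastIndexOf(':')).Trim('[', ']')
    try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $ip }
}

# Usage: group live connections by owning process, busiest first, then name
# the remote hosts. Run it while the suspect scan is in progress.
Get-ConnectionOwner |
    Group-Object Process |
    Sort-Object Count -Descending |
    ForEach-Object {
        "{0} ({1} connection(s))" -f $_.Name, $_.Count
        $_.Group | ForEach-Object {
            "    -> {0}  [{1}]" -f $_.Remote, (Resolve-RemoteHost $_.Remote)
        }
    }
```

A single snapshot misses short-lived connections, so repeat the call in a loop with Start-Sleep while the scan runs if nothing shows up. When only the executable name is wanted, an elevated `netstat -b` prints it directly; the script version is useful because it yields objects that can be sorted, grouped, and exported for comparison against a later run.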
 
Another problem has come up. It seems that Windows is no longer monitoring Kaspersky's firewall nor the antivirus. In security center, it says the firewall is turned off and it says it can't find an antivirus program. Any ideas? I know you can get rid of the error messages in the systray by not having Windows monitor for this, but this is not Windows full capability. Any registry changes I could put back, if there were any? I uninstalled and reinstalled Kaspersky using another of the 3 licenses, to no avail. Did GMER or OTL do something?
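The question above is left unanswered in the thread. As an added check (not from the thread or its participants), the PowerShell below asks Security Center directly, through WMI, which antivirus, firewall and antispyware products it currently has registered, and lists the vendor subkeys under the Security Center Monitoring key, which is the key whose KasperskyAntiVirus values the earlier OTL fix removed (see the OTL log above). It assumes Windows Vista or 7, where the namespace is root\SecurityCenter2 (XP uses root\SecurityCenter), and PowerShell 2.0. The productState decoding is the community-documented interpretation of an undocumented bit layout and is an assumption, so read it as a hint rather than an authoritative answer; a product that does not appear at all is the more telling result.

```powershell
# Added example, not from the thread or its participants. Shows what Windows
# Security Center knows about installed security products, which is the
# information behind the "firewall off" / "no antivirus found" messages.
# Assumes Vista/7 (root\SecurityCenter2) and PowerShell 2.0.

function Get-SecurityCenterStatus {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
        if (-not $products) {
            # Nothing registered: Security Center will report the category as missing/off.
            New-Object PSObject -Property @{
                Class = $class; Product = '<none registered>'; State = $null; Enabled = $null; UpToDate = $null
            }
            continue
        }
        foreach ($p in $products) {
            # productState is a 32-bit value; the community reading of its hex form
            # (assumption, not documented by Microsoft): middle byte 0x10 = enabled,
            # low byte 0x00 = signatures current.
            $hex = '{0:X6}' -f $p.productState
            New-Object PSObject -Property @{
                Class    = $class
                Product  = $p.displayName
                State    = "0x$hex"
                Enabled  = ($hex.Substring(2, 2) -eq '10')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
    }
}

function Get-SecurityCenterMonitoringKeys {
    # Vendor subkeys under the Monitoring key; a DisableMonitoring value of 1
    # tells Security Center to stop tracking that vendor's product.
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    Get-ChildItem $key -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Vendor            = $_.PSChildName
            DisableMonitoring = $props.DisableMonitoring
        }
    }
}

# Usage: compare what WMI reports with what the Monitoring key contains.
Get-SecurityCenterStatus | Format-Table Class, Product, State, Enabled, UpToDate -AutoSize
Get-SecurityCenterMonitoringKeys | Format-Table Vendor, DisableMonitoring -AutoSize
```

If the product's vendor is absent from both outputs after a reinstall, the product has not re-registered with Security Center; the vendor's support channel or its repair option is the right place to fix that, rather than hand-editing the registry.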
 