Inexplicable net activity

Status
Not open for further replies.

ravisunny2

Posts: 1,053   +11
Howard,

I had a strange experience.

Even though I wasn't downloading anything & IE was not opening any page,
there was a slow but steady trickle (approx. 0.7 KB/s) for ten minutes.

Since I couldn't figure out what was going on, I disconnected from the net.

And, yes, Google had given me a message that there was a virus or spyware in my PC.

AVG free & Ad-Aware didn't pick up anything.

Can you please have a look at the HJT log?
 

Attachment: hijackthis.txt (4.5 KB)
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for (if there):

wucrtupd.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\SYSTEM\wucrtupd.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having any problems.

Regards Howard :)

This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks

Thank you, Howard.

But what were those creatures, anyway?

And, my broadband has started crawling like a dialup.

Could be a problem with the ISP.
 
See HERE for info on the wucrtupd.exe file.

The O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file) was just a BHO(browser helper object), that was unknown and had a file missing.

Your problem may be caused by your ISP. I suggest contacting them and seeing what they say. They should be able to run some tests that will help to determine if there's a problem at either their end or your end.

Go HERE and follow the instructions for the AVG Antispyware programme.

Post the AVG Antispyware log as well as a fresh HJT log.

Regards Howard :)

This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
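The two posts above walk through fixing an O2 BHO entry with "(no file)" and an O4 Run entry that launches wucrtupd.exe; later in the thread an R1 ShellNext entry gets the same treatment. As an added illustration, not code from the thread or from HijackThis itself, here is a small Python parser for those three HJT entry types: it marks an O2 entry whose file is missing as orphaned, pulls the executable out of an O4 Run entry so it can be matched against Task Manager, and extracts the host from an R1 ShellNext URL. The sample lines are the ones quoted in this thread; the regexes are my own assumption about HJT's line layout.

```python
import re
from urllib.parse import urlparse

# Sample input: the three HijackThis entries quoted in this thread (copied, not constructed).
SAMPLE_HJT_LINES = [
    "O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)",
    r"O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "
    "http://www.bysoft.com/stayalivelinkfirst.html",
]

# Layout assumptions for the three entry types (my reading of HJT's output, not its spec).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
R1_RE = re.compile(r"^R1 - (?P<key>.+?) = (?P<url>\S+)$")
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?$", re.IGNORECASE)

def parse_hjt_line(line):
    """Return the fields of an O2/O4/R1 entry as a dict, or None for other lines."""
    for section, pattern in (("O2", O2_RE), ("O4", O4_RE), ("R1", R1_RE)):
        m = pattern.match(line.strip())
        if m:
            break
    else:
        return None
    entry = {"section": section, **m.groupdict()}
    if section == "O2":
        # HJT prints "(no file)" when the CLSID is registered but its DLL is gone.
        entry["orphaned"] = entry["file"] == "(no file)"
    elif section == "O4":
        e = EXE_RE.match(entry["cmd"])
        entry["exe"] = e.group("exe") if e else entry["cmd"]
        entry["exe_name"] = entry["exe"].rsplit("\\", 1)[-1].lower()
    else:
        entry["host"] = urlparse(entry["url"]).hostname
    return entry

def review_hjt(lines):
    """Turn HJT lines into reviewer notes, one per recognised entry, in input order."""
    notes = []
    for entry in filter(None, map(parse_hjt_line, lines)):
        if entry["section"] == "O2" and entry["orphaned"]:
            notes.append(f"O2 orphaned BHO {entry['clsid']}: registered but no file on disk")
        elif entry["section"] == "O4":
            notes.append(f"O4 startup [{entry['label']}] runs {entry['exe']}; "
                         f"look for {entry['exe_name']} in Task Manager")
        elif entry["section"] == "R1":
            notes.append(f"R1 {entry['key'].rsplit(',', 1)[-1]} points at host {entry['host']}")
    return notes
```

The notes only surface what each line says; deciding whether wucrtupd.exe or the ShellNext host is legitimate still needs the kind of lookup Howard points to.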
 
Thank you, Howard.

My broadband is back to normal speed, so that must have been a problem at the ISP site.

I guess I have to move to Win XP, as most of the utilities (particularly the free ones) won't run on the Win 98 platform.

I was unable to install the trial version of AVG, so I can't post a meaningful HJT log.

I am planning to change the motherboard. Till then I'm stuck with Win 98.

Regards,

Ravi Banthia
 
Some extra net activity again

There seems to be extraneous net activity once again.
Can you please have a look at the HJT log?

Thanks,

Ravi
 
It looks like your system is infected with malware.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Okay Howard, Thanks.

But most of the tools aren't available on Win98.

Will use whatever tools I can.
 
Yes, just do what you can and post whatever logfiles you can from those requested.

Regards Howard :)

This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
The latest

Tool1 : won't work on 98SE
Tool2 : won't work on 98SE
Tool3 : Vundofix -> no infected files found

combofix : gives the error msg

C:\Windows\Command.com
The program issued a command but the command length is incorrect.

AVG Antirootkit & Antispyware don't work on 98SE

AVG Free, Spybot & Ad-Aware found nothing.

Killed this entry in HJT log : O2 - BHO: (no name) .... (no file)

The only thing I can provide is the HJT log.
 
Nothing nasty there.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

Regards Howard :)
 
The only thing I can see in your Autoruns log that may be cause for concern, is the sulfnbk.exe file. This file is a Microsoft file, but can also be infected with malware. The file is not system critical and is used for restoring long filenames.

Navigate to c:\windows\command\sulfnbk.exe and zip the file up into an archive, then delete the sulfnbk.exe file. That way, should you have cause to suddenly need the sulfnbk.exe file, you have it readily available in the zip archive. Even if the file is infected, it can't do any harm as long as it's zipped up.

As for your unexplainable net activity, all I can suggest is you open your task manager and see if you can spot a process that coincides with the activity.

Regards Howard :)

This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
eTrust PestPatrol (trial) says I've got Trojan.Win32.Dialer.hc

Ad-aware & Spybot were unable to pick it up.

Any suggestions how to double check and get rid of it?

BTW, I've got Win98SE, so most of the free anti-spy s/w won't work.

Thank you.
 
Hi,

Could you run HijackThis and ComboFix then? Those two logs will help a lot.


Regards,
Your friendly momok =)

This thread is for the use of ravisunny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
THIS IS A FALSE POSITIVE condition. Pest Patrol is known to do this :(
That's a FP. I have Pest Patrol and got that same FP. It's a false positive due to IESpyad. Try to disable IESpyad's protection and scan again and you'll see PP won't detect it anymore.

see this blog
 
Comodo firewall has a page that shows which connections are R/W to the net :)

Cports will display all connections. By clicking the column heading Remote address, you get the remote addresses on top and the locals on the bottom.
The Process Path will show the program that is operating the connection.
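The pivot jobeard describes (every connection, sorted by remote address, tied back to the owning process) is also what Howard's "spot a process that coincides with the activity" needs. As an added example of my own, not part of the thread, here is Python that builds that view from constructed `netstat -ano` output. It assumes the Windows XP-and-later column layout with a PID column; Windows 98's netstat has no -o switch, so there, much like Cports on 98, you get addresses but no process.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output; addresses are from documentation ranges.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1054      203.0.113.7:80         ESTABLISHED     1720
  TCP    192.168.1.10:1061      198.51.100.23:6667     ESTABLISHED     2212
  TCP    192.168.1.10:1062      203.0.113.7:443        ESTABLISHED     1720
  UDP    0.0.0.0:137            *:*                                    4
"""

# One socket line: proto, local, remote, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows

def remote_connections(rows):
    """Drop listeners, wildcard peers and loopback; what is left talks to real hosts."""
    return [r for r in rows
            if not r["remote"].startswith(("0.0.0.0:", "*:", "127."))]

def sort_key(addr):
    """Order 'ip:port' (IPv4) numerically, like clicking Cports' Remote Address heading."""
    ip, _, port = addr.rpartition(":")
    return tuple(int(o) for o in ip.split(".")), int(port)

def by_remote(rows):
    """Remote connections ordered by remote address, each with its owning PID."""
    return [(r["remote"], r["pid"])
            for r in sorted(remote_connections(rows), key=lambda r: sort_key(r["remote"]))]

def by_pid(rows):
    """Remote addresses grouped by owning PID: the process to look up in Task Manager."""
    groups = defaultdict(list)
    for r in remote_connections(rows):
        groups[r["pid"]].append(r["remote"])
    return dict(groups)
```

A PID that keeps a connection open while nothing visible is downloading is the one to match against Task Manager's process list, which is the check the thread is after.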
 
THIS IS A FALSE POSITIVE condition. Pest Patrol is known to do this

Thanks, jobeard.

I wonder if comodo firewall works on Win98SE.

The last time I used a firewall, I had a terrible experience. There was more extraneous net activity after installing it, and I had to uninstall it.
 
Latest status

Thanks, momok.

Combofix gave the error message: Cannot find cmd.exe (or one of its components).

HJT log is attached

In addition to Sygate, Fileseclab & Jetico (which I downloaded today), I have a few-month-old copy of avg75afwt_433a904 (antivir plus firewall).

Which do you recommend?

Should the firewall be installed while online ?

Regards,

Ravi
 
Yea, comodo will not run on win98se. I recommended it ONLY as a means to
view the actual byte counts being R/W.

Cports will run:
This utility works perfectly under Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. If you want to use this utility on Windows NT, you should install psapi.dll in your system32 directory.
You can also use this utility on older versions of Windows (Windows 98/ME), but in these versions of Windows, the process information for each port won't be displayed.
 
In addition to Sygate, Fileseclab & Jetico (which I downloaded today), I have a few-month-old copy of avg75afwt_433a904 (antivir plus firewall).

Which do you recommend?

Fellow Techspot members. I would appreciate your input regarding which firewall to use.

Please keep in mind that I am a total rookie in the Security area.

The only thing I had installed, before joining Techspot, was eTrust antivirus.

Thanks in advance.

Ravi
 
Hi,

See my reply to your PM for the firewall.

Have HijackThis fix this:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bysoft.com/stayalivelinkfirst.html

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

Search for all instances of "cmd" on your system and let me know the result. (The full filepaths of each entry)


Regards,
Your friendly momok =)

This thread is for the use of ravisunny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Latest status

1) I have attached the autoruns log.

2) There is no file by the name of cmd.exe (or cmd.*) on my PC.

These files are probably irrelevant, but I'm still listing them:

Cmdl32.exe C:\WINDOWS\SYSTEM
Cmdl32.exe C:\win_bakup\SYSTEM
Cmds.exe C:\WINDOWS\All Users\ApplicationData\Symantec\ Ghost\template\common

NeroCmd .exe C:\Program Files\Ahead\Nero
Pltcmdln.arx C:\Program Files\AutoCAD 2002
Nircmd.exe C:\Program Files\%systemdrive%\ComboFix
Cmd_ex.bas C:\Aaaa\QBASIC\ADVR_EX
Tcmdr700.exe C:\Aaaa\Aa_lastx\TotalCommander
SmitfraudFix.cmd C:\Aaaa\Aa_lastx\Aa_Support\SmitfraudFix
 
Hi,

That log looks clean to me too. I do notice that you have AVG installed. Try running a full scan in safe mode to see if anything is detected. It seems more likely now that your concerns with the eTrust warnings are centred around false positives as jobeard mentioned.


Regards,
Your friendly momok =)

This thread is for the use of ravisunny2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 