Malware causing large download transfers



#1 PhilT


Posted 18 June 2011 - 09:10 AM

I've been working on a Vista Home Basic PC that was downloading at full broadband speed 24/7 in normal mode, but not in safe mode.

The responsible agent was either hiding itself as one of several svchost.exe processes or had modified one of them. I have actually stopped it by running Combofix, as I needed it back in action, so my main purpose in posting is to understand what it was and help others who may encounter the same problem.

Symptoms were a continuous download of data from IP addresses that were often Akamai, Microsoft or similar "legit" sites but several other IP addresses not associated with public facing servers. The download was enough to use up a 2 GB allowance on a 0.5M broadband service in a few days.

PC had Norton Antivirus up to date, Windows up to date etc. Malwarebytes Anti-Malware did not find the problem, nor did PrevX CSi or Spybot S&D. Combofix quarantined the following:


2011-06-18 10:24:53 . 2011-06-18 10:24:53 95,911 ----a-w- C:\Qoobox\Quarantine\C\Windows\Temp\952ba960-743a-4847-9689-d6d9a726a04e\CliSecureRT.dll.vir
2011-06-18 10:20:20 . 2011-06-18 10:20:20 8,104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-18 10:09:49 . 2011-06-18 10:13:14 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
2006-11-02 13:01:44 . 2011-06-18 09:50:12 4,194,304 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Network\Downloader\qmgr1.dat.vir
2006-11-02 13:01:43 . 2011-06-18 09:49:57 4,194,304 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Network\Downloader\qmgr0.dat.vir


and also reported:

----- BITS: Possible infected sites -----
.
hxxp://buy-download.norton.com

Can anyone advise how to define what the problem was?
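The quarantined qmgr0.dat and qmgr1.dat under ProgramData\Microsoft\Network\Downloader are the BITS job database, and the "BITS: Possible infected sites" line is Combofix reading the remote URLs out of that queue, which is why a download that survives reboots and runs inside an svchost.exe host process (the BITS service) matches the symptoms described. The script below is an added example, not part of the post or of Combofix; it enumerates every BITS job on the machine and reports the ones a defender would want to examine before cleaning. It assumes the BitsTransfer PowerShell module (Windows 7 / PowerShell 2.0 and later; on Vista the equivalent data comes from `bitsadmin /list /allusers /verbose`), an elevated prompt for `-AllUsers`, and an expected-host list that is a placeholder to be tuned per environment.

```powershell
# Added example: triage BITS jobs on a Windows host. Not code from the forum post.
# Run from an elevated PowerShell prompt; -AllUsers needs administrator rights.
Import-Module BitsTransfer

# Hosts this machine is expected to fetch from. Placeholder list for illustration;
# anything not matching is reported, which is the point of the check.
$expectedHosts = @('windowsupdate.com', 'microsoft.com', 'norton.com')

function Test-ExpectedHost {
    param([string]$Url)
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($h in $expectedHosts) {
        if ($hostName -eq $h -or $hostName.EndsWith(".$h")) { return $true }
    }
    return $false
}

$findings = @()
foreach ($job in (Get-BitsTransfer -AllUsers)) {
    $reasons = @()

    foreach ($file in $job.FileList) {
        # Remote side of the transfer: the host the data actually comes from.
        if (-not (Test-ExpectedHost $file.RemoteName)) {
            $reasons += "remote host not expected: $($file.RemoteName)"
        }
        # Local side: downloads landing in Temp, ProgramData or AppData deserve a look.
        if ($file.LocalName -match '\\(Temp|ProgramData|AppData)\\') {
            $reasons += "writes to $($file.LocalName)"
        }
    }

    # A job still moving data a day after it was created is the pattern in the post:
    # constant download in normal mode, gone in Safe Mode where BITS does not start.
    if ($job.JobState -eq 'Transferring' -and $job.CreationTime -lt (Get-Date).AddDays(-1)) {
        $reasons += "transferring since $($job.CreationTime)"
    }

    # A command registered to run when the transfer completes is a persistence hook.
    if ($job.NotifyCmdLine) {
        $reasons += "notify command: $($job.NotifyCmdLine -join ' ')"
    }

    if ($reasons.Count -gt 0) {
        # New-Object form keeps this working on PowerShell 2.0.
        $findings += New-Object PSObject -Property @{
            JobId       = $job.JobId
            DisplayName = $job.DisplayName
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            Type        = $job.TransferType
            Transferred = $job.BytesTransferred
            Total       = $job.BytesTotal
            Reasons     = ($reasons -join '; ')
        }
    }
}

if ($findings.Count -eq 0) {
    'No BITS jobs matched the triage rules.'
} else {
    $findings | Format-List JobId, DisplayName, Owner, State, Type, Transferred, Total, Reasons
}
```

Record the output before removing anything: the JobId, owner account and remote URLs are what identify the job once the queue files are gone, and a suspicious job can be stopped with `Remove-BitsTransfer` (or `bitsadmin /cancel`) by that JobId rather than by deleting qmgr*.dat, which BITS simply recreates.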
