Posted 18 June 2011 - 09:10 AM
I've been working on a Vista Home Basic PC that was downloading at full broadband speed 24/7 in normal mode, but not in safe mode.
The responsible agent was either hiding itself as one of several svchost.exe processes or had modified one of them. I have actually stopped it by running Combofix, as I needed the PC back in action, so my main purpose in posting is to understand what it was and help others who may encounter the same problem.
Symptoms were a continuous download of data from IP addresses that were often Akamai, Microsoft or similar "legit" sites, but also several other IP addresses not associated with public-facing servers. The download was enough to use up a 2 GB allowance on a 0.5M broadband service in a few days.
The PC had Norton Antivirus up to date, Windows up to date, etc. Malwarebytes Anti-Malware did not find the problem, nor did Prevx CSI or Spybot S&D. Combofix quarantined the following:
2011-06-18 10:24:53 . 2011-06-18 10:24:53 95,911 ----a-w- C:\Qoobox\Quarantine\C\Windows\Temp\952ba960-743a-4847-9689-d6d9a726a04e\CliSecureRT.dll.vir
2011-06-18 10:20:20 . 2011-06-18 10:20:20 8,104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-18 10:09:49 . 2011-06-18 10:13:14 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
2006-11-02 13:01:44 . 2011-06-18 09:50:12 4,194,304 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Network\Downloader\qmgr1.dat.vir
2006-11-02 13:01:43 . 2011-06-18 09:49:57 4,194,304 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Network\Downloader\qmgr0.dat.vir
and also reported:
----- BITS: Possible infected sites -----
Can anyone advise how to work out what the problem was?
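The two things the post points at (BITS jobs queued under qmgr*.dat and a possibly impostor svchost.exe) can be checked without a full scan. The script below is an added example, not from the original post or from Combofix; it assumes Windows 7 or later with PowerShell 3.0+ and the BitsTransfer module, run from an elevated prompt (on Vista, `bitsadmin /list /allusers /verbose` lists the same job details). The allow-list of expected hosts is an assumption to adjust for your environment.

```powershell
# Added defender-side check (not from the original post): list every BITS job on the
# machine and flag any whose download source is not on an allow-list of expected hosts.
# Assumes Windows 7+ with PowerShell 3.0+ and the BitsTransfer module; run elevated so
# -AllUsers can see jobs owned by other accounts (the post's jobs ran as a service).
Import-Module BitsTransfer

# Assumed allow-list: Windows Update and its Akamai CDN are the usual legitimate
# sources. Anything else is reported for manual review, never deleted automatically.
$expectedHosts = @('*.windowsupdate.com', '*.microsoft.com', '*.akamai.net')

function Test-ExpectedHost {
    param([string]$Url)
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($pattern in $expectedHosts) {
        if ($hostName -like $pattern) { return $true }
    }
    return $false
}

# One row per file in each job: who owns it, where it pulls from, where it writes to.
Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    foreach ($file in $job.FileList) {
        [PSCustomObject]@{
            Flag   = if (Test-ExpectedHost $file.RemoteName) { 'ok' } else { 'REVIEW' }
            Owner  = $job.OwnerAccount
            Job    = $job.DisplayName
            State  = $job.JobState
            Source = $file.RemoteName
            Target = $file.LocalName
            Bytes  = $job.BytesTransferred
        }
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize

# Second symptom from the post: an svchost.exe that is not the real one. The genuine
# binary lives only under System32 (and SysWOW64 on 64-bit Windows) and is started by
# services.exe; any svchost loaded from another path is worth a closer look.
$sysRoot = $env:SystemRoot
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath -notlike "$sysRoot\System32\*" -and
        $_.ExecutablePath -notlike "$sysRoot\SysWOW64\*"
    } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
```

A job whose Source is flagged REVIEW and whose Target is a writable temp or ProgramData path is the pattern to investigate first; `Get-BitsTransfer -AllUsers | Remove-BitsTransfer` cancels jobs once you have recorded the details.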