
A Lot Of Internet Activity Without Browsing



#1 fftempest


Posted 11 May 2007 - 10:55 PM

I noticed a lot of internet activity (sending and receiving packets) without browsing the internet. Upon further investigation - scans with AVG, SPYBOT S&D, AdawareSE Personal (all latest versions and up to date) - each found a couple of items and removed them. Now scans with each of them produce clean results. BUT - when I do a 'netstat' from the command prompt I get something similar to the following...
C:\Documents and Settings\King1>netstat

Active Connections

Proto Local Address Foreign Address State
TCP king:4401 c-68-52-96-18.hsd1.tn.comcast.net:4093 ESTABLISHED
TCP king:4402 adsl-76-214-176-130.dsl.ipltin.sbcglobal.net:6529 TIME_WAIT
TCP king:4404 bd04b993.sts.virtua.com.br:8819 TIME_WAIT
TCP king:4410 cpe-66-68-16-83.austin.res.rr.com:4076 ESTABLISHED
TCP king:4412 cpe-76-49-246-196.buffalo.res.rr.com:15150 TIME_WAIT
TCP king:4414 74-137-166-25.dhcp.insightbb.com:14970 TIME_WAIT
TCP king:4418 cpe-74-76-18-173.nycap.res.rr.com:30101 TIME_WAIT
TCP king:4419 ip68-109-184-200.ph.ph.cox.net:28647 TIME_WAIT
TCP king:4420 modemcable185.182-83-70.mc.videotron.ca:15613 TIME_WAIT
TCP king:4421 gsmtp167-2.google.com:smtp TIME_WAIT
TCP king:4427 mail.citb.co.uk:smtp TIME_WAIT
TCP king:4432 mx3.as8607.net:smtp SYN_SENT
TCP king:4436 mx2.netbenefit.co.uk:smtp ESTABLISHED
TCP king:4437 smtp1.gxn.net:smtp ESTABLISHED
TCP king:4439 host217-46-164-1.in-addr.btopenworld.com:smtp ESTABLISHED
TCP king:4440 62-244-178-176.cust-62.exponential-e.net:smtp LAST_ACK
TCP king:4441 mta-v1.bt.level3.mail.ukl.yahoo.com:smtp LAST_ACK
TCP king:4442 mx5.uk.tiscali.com:smtp ESTABLISHED
TCP king:4443 smtpin.ispmail.ntl.com:smtp ESTABLISHED
TCP king:4444 mail.algeos.com:smtp ESTABLISHED
TCP king:4445 mail.ringway.co.uk:smtp ESTABLISHED
TCP king:4446 mail139.messagelabs.com:smtp SYN_SENT
TCP king:4447 mx.onetel.net.uk:smtp SYN_SENT

Below is the HijackThis log...
Logfile of HijackThis v1.99.1
Scan saved at 11:04:46 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dumprep.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\dwwin.exe
C:\CWS\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

If I boot into safe mode my 'netstat' looks like this...
Proto Local Address Foreign Address State
TCP king:epmap king:0 LISTENING
TCP king:microsoft-ds king:0 LISTENING
TCP king:netbios-ssn king:0 LISTENING
UDP king:microsoft-ds *:*
UDP king:1026 *:*
UDP king:netbios-ns *:*
UDP king:netbios-dgm *:*

Even in safe mode the packets (sent and received) increment every few seconds. I think I got infected around May 8th and I've deleted all files in the system32 directory that had a date of May 1st or greater. I've looked at task manager and I'm only running around 18 processes so I can't figure out what's going on.
Any help would be greatly appreciated.


 


#2 fftempest


Posted 12 May 2007 - 11:38 AM

I noticed nobody replied to my post, which is ok because after reading many posts yesterday and today I ran a free online scan from Bitdefender which found the infected file c:\windows\system32\windev-52a-71b3.sys (it was infected with trojan.peed.ni) and was deleted. Now my system is running fine again.
I am only disappointed that my AVG anti-virus did not find the infection.

Thank you bleeping computer and bitdefender.

Edited by fftempest, 12 May 2007 - 11:39 AM.
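
The netstat output in the first post shows one desktop holding simultaneous connections to the smtp port of many different mail servers, which a normal mail client does not do. The script below is an added example, not part of the original thread: it parses `netstat` text and flags that pattern. The sample hostnames are constructed placeholders, and the function names and the `max_servers` threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows `netstat` output.
# Hostnames are placeholders, not values from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address   Foreign Address              State
  TCP    desk:4401       peer1.isp.example:4093       ESTABLISHED
  TCP    desk:4421       mx1.mail-a.example:smtp      TIME_WAIT
  TCP    desk:4427       mail.corp-b.example:smtp     TIME_WAIT
  TCP    desk:4432       mx3.host-c.example:25        SYN_SENT
  TCP    desk:4436       mx2.host-d.example:smtp      ESTABLISHED
  TCP    desk:4437       smtp1.host-e.example:smtp    ESTABLISHED
  TCP    desk:4440       192.0.2.17:25                LAST_ACK
  TCP    desk:135        desk:0                       LISTENING
  UDP    desk:1026       *:*
"""

# netstat prints the service name unless run with -n, so accept both forms.
SMTP_PORTS = {"smtp", "25"}
ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def outbound_smtp(netstat_text):
    """Return (remote_host, state) for each TCP row whose remote port is SMTP."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _lhost, _lport, rhost, rport, state = m.groups()
        if rport.lower() in SMTP_PORTS and state != "LISTENING":
            hits.append((rhost.lower(), state))
    return hits

def assess(netstat_text, max_servers=2):
    """Summarise SMTP activity; max_servers is an assumed desktop baseline."""
    hits = outbound_smtp(netstat_text)
    servers = {host for host, _ in hits}
    return {
        "smtp_connections": len(hits),
        "distinct_servers": len(servers),
        "states": dict(Counter(state for _, state in hits)),
        "suspicious": len(servers) > max_servers,
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On a live system, `netstat -ano` adds the owning process ID to each row, which ties a flagged connection to a process; a kernel-mode driver such as the `.sys` file found here may still not appear in Task Manager's process list.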




