Unexplained high broadband traffic

Discussion in 'Security Software' started by Jim, Oct 13, 2007.

  1. Jim

    Jim Guest

    A real challenge to all spyware and malware experts.

    Please excuse my bad manners in publishing this article in two
    newsgroups simultaneously. I am not sure which one is most likely to
    provide help in solving my problem.

    If there is another newsgroup in which I should post this article,
    please let me know.

    The problem that I have is driving me mad!

    The problem is that my broadband traffic is at times extremely high
    for completely unexplained reasons.

    This is indicated by (1) the daily log kept by my ISP and (2) more
    visibly by the icon in the lower right-hand corner on my screen that
    consists of the two little monitor symbols. These symbols indicate
    broadband activity by lighting up in light blue - one for up traffic
    and the other for down traffic.

    The problem has been around on and off for three months now.

    Environment: Windows XP SP2, Symantec Norton 360, Namesco (ISP) and Ad-
    Aware SE Personal. The last of these I run only on demand - usually
    once a day.

    When the problem is occurring the daily ISP log shows 4 or 5 times
    normal megabytes per day and the monitor symbols are lit up all the

    Normally the log and the monitor symbols show low broadband activity.
    I have been a fairly light user of the internet. No movie downloads,
    etc. Just emails and web page accesses.

    The high activity problem has occurred in two episodes. During the
    first of these (a couple of weeks) the high traffic was more or less
    equally divided between uploading and downloading. But during the most
    recent episode (a couple of days) downloading has been very high while
    uploading was normal.

    My traffic has been so high that my ISP's monthly limit is 60% used
    while I am only 40% into the month. I will be charged for any excess.
    I have become so concerned that I am leaving my modem connection to my
    phone line unplugged except when I need to access the internet.

    Regarding the first episode: I tried PREVX. It found and removed some
    malware. It reported that it put the following items in "jail".
    zrmkxe.exe (4 KB)
    ykouzmp.exe (4 KB)
    ugstzfqp.exe (4 KB)
    tftp4904 (4 KB)
    shell64.dll (14 KB) (http://www.auditmypc.com/process/shell64.asp)
    rphekn.exe (4 KB)
    gpiawddx.exe (4 KB)
    avgmb.exe (4 KB)

    This cleared up the problem but PREVX and Norton 360 do not get along
    with each other - Norton 360 will not work properly unless PREVX is
    not present in the same system.

    I spent a considerable amount of time on the Symantec technical help
    line. Symantec finally apparently fixed the problem by activating the
    Norton 360 backup facility. Traffic dropped back down to its normal
    level for a while. I can't understand why this worked - what is the
    connection between backup and the high traffic problem?

    Broadband traffic went back to normal for a while but eventually the
    high traffic problem returned on several occasions. They were fixed by
    (1) installing PREVX, (2) doing a scan with it whereby it cleared out
    some malware, and (3) uninstalling PREVX - all of this while
    temporarily disabling Norton 360.

    As I said earlier, the second and last episode of the high traffic
    broadband problem began a few days ago. This seems to be different
    than the first episode because the high traffic is mainly downloading
    while uploading is normal.

    The big issue with all this is that I need to find out what spyware
    malware is causing my high traffic. Can anyone tell me how to do this?
    Is there some diagnostic software that could be of use here?

    Below are some items that might help diagnose my problem. All of these
    were obtained when broadband traffic was very high as indicated by the
    monitor symbols being lit up constantly.

    The first item is a HijackThis log file. The last two are snapshots
    of the most active processes in the Windows Task Manager process

    Thanks in advance for your help.


    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Logfile of HijackThis v1.99.1
    Scan saved at 23:41:58, on 10/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Intense Language Office\COMMON\Offman.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:
    \Program Files\Common Files\Symantec Shared\coShared\Browser
    O2 - BHO: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C}
    - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-
    FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:
    O3 - Toolbar: SolidConverter PDF - {259F616C-A300-44F5-B04A-
    ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-
    FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real
    \Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
    \QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and
    Settings\Jim.JIM-HOMEPC\Local Settings\Temp\ImInstaller\IncrediMail
    \incredimail_install[1].exe -startup -product IncrediMail
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
    O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O9 - Extra button: (no name) - SolidConverterPDF - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583}
    - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-
    d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic
    \xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
    - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-
    BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
    scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
    - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156704428640
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
    Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload
    Manager Class) - http://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) -
    O16 - DPF: {94908617-0D0A-470E-977F-7BAB6920D184}
    (CustomToolbar.Setup) - http://www.infocrawler.com/toolbar/Customtoolbar.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -
    O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
    - C:\WINNT\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files
    \Common Files\Apple\Mobile Device Support\bin
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:
    \Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
    (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner -
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h
    ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) -
    Unknown owner - C:\Program Files\Common Files\Symantec Shared
    \ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program
    Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology
    Ltd - C:\WINNT\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin
    O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINNT
    O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT
    O23 - Service: PMounter - Unknown owner - C:\WINNT
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental)
    (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f
    "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
    Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:
    \Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Two snapshots of the most active processes as displayed in the Windows
    Task Manager:

    System Idle Process
    LuCallbackProxy.exe

    System Idle Process
    LuCallbackProxy.exe
    LuCallbackProxy.exe
    LuCallbackProxy.exe
    LuCallbackProxy.exe
    Jim, Oct 13, 2007
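The two symptoms in the post above, daily totals several times the norm and an up/down split that differs between the two episodes, are exactly what a small script can pull out of an ISP usage log before anything else is touched on the machine. The following is an added example written for this thread, not code from the poster or from any tool named here; the three-column log format, the 4x-baseline threshold, the monthly allowance and the sample lines are all constructed assumptions.

```python
"""Flag abnormal days and episodes in a daily ISP usage log.

Added example; not code from the thread. The log format (date, MB uploaded,
MB downloaded, one line per day) is an assumption, and the sample lines are
constructed to resemble the two episodes described in the post.
"""
from statistics import median

SAMPLE_LOG = """\
# date        up_MB  down_MB   (constructed sample)
2007-09-20    11.8    58.2
2007-09-21    12.4    61.0
2007-09-22    10.9    55.7
2007-09-23    13.1    63.4
2007-09-24    12.0    59.9
2007-09-25    11.5    57.3
2007-09-26    12.2    60.8
2007-09-27   150.0   260.0
2007-09-28   148.0   255.0
2007-09-29    12.3    60.1
2007-09-30    11.7    58.8
2007-10-01    13.0   310.0
2007-10-02    12.1   295.0
"""


def parse_log(text):
    """Return [(date, up_mb, down_mb)] from the assumed three-column format."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, up, down = line.split()
        rows.append((date, float(up), float(down)))
    return rows


def baseline(rows, days=7):
    """Median up/down over the first `days` rows; one odd day cannot skew it."""
    head = rows[:days]
    return median(r[1] for r in head), median(r[2] for r in head)


def classify_day(up, down, base_up, base_down, factor=4.0):
    """'normal' unless a direction is at least `factor` times its baseline."""
    up_hi = up >= factor * base_up
    down_hi = down >= factor * base_down
    if up_hi and down_hi:
        return "balanced"
    if down_hi:
        return "download-heavy"
    if up_hi:
        return "upload-heavy"
    return "normal"


def find_episodes(rows, factor=4.0, baseline_days=7):
    """Group consecutive abnormal days into episodes with a direction label."""
    base_up, base_down = baseline(rows, baseline_days)
    episodes, current = [], None
    for date, up, down in rows:
        kind = classify_day(up, down, base_up, base_down, factor)
        if kind == "normal":
            if current:
                episodes.append(current)
                current = None
            continue
        if current is None:
            current = {"start": date, "end": date, "days": 1,
                       "kind": kind, "mb": up + down}
        else:
            current["end"] = date
            current["days"] += 1
            current["mb"] += up + down
            if current["kind"] != kind:
                current["kind"] = "mixed"
    if current:
        episodes.append(current)
    return episodes


def quota_status(rows, month_prefix, limit_mb, days_in_month):
    """Fraction of the monthly allowance used vs. fraction of the month elapsed."""
    month = [r for r in rows if r[0].startswith(month_prefix)]
    used = sum(up + down for _, up, down in month)
    elapsed_days = int(month[-1][0][-2:]) if month else 0
    return {"used_mb": used,
            "used_fraction": used / limit_mb,
            "elapsed_fraction": elapsed_days / days_in_month}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for ep in find_episodes(rows):
        print(ep)
    # assumed 1000 MB allowance for October, purely for illustration
    print(quota_status(rows, "2007-10", limit_mb=1000, days_in_month=31))
```

On the constructed sample the first episode comes out "balanced" and the second "download-heavy", mirroring the post; a used fraction that outruns the elapsed fraction of the month is the early warning that the allowance will be exceeded. The episode dates are what you then line up against the machine's own records (scan times, installs, scheduled tasks) when looking for the process responsible.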

  2. Jim

    Malke Guest

    (snip HJT log)

    We ask that you not post HijackThis logs in the MS newsgroups. HJT logs
    take a great deal of time and expertise to analyze and you will not get
    the assistance you need here. Instead, please register at one of the
    following specialty sites below where you will get guided help. Your
    computer is heavily infected and should definitely be taken off the
    Internet until it is clean. It is also probable that you have a rootkit
    or similar malware that is running a hidden process. Cleaning this type
    of malware is extremely difficult, if not impossible.

    So you have some choices:

    1. Do as suggested and post to one of the forums below. This will
    require that you have another computer from which to work since you
    should *not* have the infected machine on the Internet. You will need
    time and patience as well. You may still need to wipe the machine and
    start over.

    In any case, back up your data *now* if you haven't done it.

    2. Or take the machine to a professional computer repair shop (not your
    local version of BigComputerStore/GeekSquad) for cleaning. Please be
    aware that not all local shops are skilled at removing malware and even
    if they are, your computer may be so infested that Windows will need to
    be clean-installed. Have all your data backed up before you take the
    machine into a shop.

    3. Or do a clean install of Windows. Do not connect to the Internet
    until you are protected by the Windows Firewall built into XP and Vista.

    http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
    http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows -
    What you will need on-hand

    HijackThis specialty forums:

    http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
    another tutorial
    http://aumha.net/ - Click on the HijackThis forum. Read the announcement
    and the stickies *first*.

    Malke, Oct 13, 2007

  3. Jim

    pcbutts1 Guest

    Go to my website http://www.pcbutts1.com/downloads use the email link at the
    bottom, put "Running Now" in the subject line and email me. I will send you
    my more extensive diagnostic tool, it works better than HJT, with
    instructions on how to use it.


    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
    pcbutts1, Oct 14, 2007
  4. Jim

    wng_z3r0 Guest

    Regardless of the nature of pcbutts, which I won't get into here, I strongly
    advise you NEVER to download code from an unknown entity on the internet in
    a scenario that pcbutts is proposing. Not only do you not have any
    information about pcbutts, but you could not even look at reviews from a
    'trusted authority' such as perhaps CNET as for all you know, you could be
    receiving a unique malware file that is emailed to you. Just a suggestion on
    safe(r) internet habits.

    Anyways, specifically concerning your network traffic, try installing
    wireshark, and running a packet trace when the internet connection spikes:

    As it appears you have a malware infestation on your computer, there is a
    possibility that this malware is leeching private information in the
    computer (such as passwords etc) back to a remote server, or perhaps the
    computer is used as a 'bot'. In either case, you really should disconnect
    the computer from the internet until the computer is cleaned. Not doing so
    puts your computer at more risk and most likely others as well.

    To begin cleaning your computer, can you please tell me what version of
    windows you are running?

    wng_z3r0, Oct 14, 2007
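What the packet trace suggested above actually gives you is a per-remote-host breakdown of bytes in and out during the spike (Wireshark shows this under its conversation statistics). The script below is an added example, not code from the thread or from Wireshark: it reproduces that arithmetic over a constructed list of packet records so the idea can be run offline. The record shape (time, source, destination, remote port, length), the local address and the remote addresses from the documentation ranges are all assumptions.

```python
"""Summarise packet records into per-remote-host conversations.

Added example, not from the thread. A constructed stand-in for an exported
capture is built inline; the local address and all remote addresses are
assumptions (documentation ranges), and nothing here reads a real capture.
"""

LOCAL_HOST = "192.168.1.10"  # assumed address of the machine being traced


def _build_sample():
    """Constructed records: (time_s, src, dst, remote_port, length_bytes)."""
    pkts = []
    t = 0.0
    # ordinary web browsing: small request out, full-size segment back
    for _ in range(5):
        pkts.append((t, LOCAL_HOST, "203.0.113.5", 80, 60)); t += 0.05
        pkts.append((t, "203.0.113.5", LOCAL_HOST, 80, 1460)); t += 0.05
    # one mail check
    pkts.append((t, LOCAL_HOST, "203.0.113.20", 110, 200)); t += 0.05
    pkts.append((t, "203.0.113.20", LOCAL_HOST, 110, 3000)); t += 0.05
    # the spike: one remote host streams full-size segments in, tiny ACKs out
    for _ in range(200):
        pkts.append((t, "198.51.100.77", LOCAL_HOST, 7777, 1460)); t += 0.01
        pkts.append((t, LOCAL_HOST, "198.51.100.77", 7777, 60)); t += 0.01
    return pkts


PACKETS = _build_sample()


def conversations(packets, local=LOCAL_HOST):
    """Aggregate bytes in/out, packet count, time span and ports per remote host."""
    convs = {}
    for ts, src, dst, rport, length in packets:
        if src == local:
            remote, key = dst, "out"
        elif dst == local:
            remote, key = src, "in"
        else:
            continue  # not this host's traffic (e.g. other LAN chatter)
        c = convs.setdefault(remote, {"in": 0, "out": 0, "pkts": 0,
                                      "first": ts, "last": ts, "ports": set()})
        c[key] += length
        c["pkts"] += 1
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
        c["ports"].add(rport)
    return convs


def direction(stats, ratio=3.0):
    """Label a conversation by which direction dominates by `ratio` or more."""
    if stats["in"] > ratio * stats["out"]:
        return "download-heavy"
    if stats["out"] > ratio * stats["in"]:
        return "upload-heavy"
    return "balanced"


def top_talkers(packets, local=LOCAL_HOST, n=3):
    """Remote hosts ranked by total bytes exchanged, largest first."""
    convs = conversations(packets, local)
    return sorted(convs.items(),
                  key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)[:n]


def share_of_total(packets, remote, local=LOCAL_HOST):
    """Fraction of all of this host's bytes that one remote host accounts for."""
    convs = conversations(packets, local)
    total = sum(c["in"] + c["out"] for c in convs.values())
    c = convs.get(remote)
    return (c["in"] + c["out"]) / total if c and total else 0.0


def report(packets, local=LOCAL_HOST, n=3):
    """Human-readable summary of the top conversations."""
    lines = []
    for remote, c in top_talkers(packets, local, n):
        lines.append("%-15s in=%-7d out=%-6d pkts=%-4d ports=%s %s (%.0f%% of bytes)"
                     % (remote, c["in"], c["out"], c["pkts"],
                        sorted(c["ports"]), direction(c),
                        100 * share_of_total(packets, remote, local)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PACKETS))
```

Note that ordinary browsing also comes out "download-heavy", so the ratio alone identifies nothing; it is the combination of a dominant share of bytes, a sustained time span and a port you cannot account for that singles out a conversation worth tracing back to a process.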
  5. Jim

    Heather Guest

    If you value your computer, totally ignore this idiot. He knows nothing
    other than how to steal programs from the rightful authors. That and he
    has an obsession with porn......as more than one person on these news
    groups can prove to you.

    Heather, Oct 14, 2007
  6. Jim, ignore this troll.

    Frank Saunders, MS-MVP IE, Oct 14, 2007
  7. Jim

    pcbutts1 Guest

    Well okay now! Seems like I woke up the sleeping giants. How about answering
    his question Mr. MVP or is it because you can't? If you are not smart enough
    to help this guy fix his computer then stay out of this thread. Idiot.


    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
    pcbutts1, Oct 14, 2007
  8. Jim

    pcbutts1 Guest

    Why are you replying to me? If you read the question it states what OS he is
    using. BTW I am a contributor to Wireshark so you trying to be an AHole


    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
    pcbutts1, Oct 14, 2007

  9. Because Malke already did.
    Frank Saunders, MS-MVP IE, Oct 14, 2007
  10. Jim

    pcbutts1 Guest

    No she did not. She referred him to a computer store and asked him to post
    his question in another group. How does that fix his computer? That's the
    kind of answer you give somebody when you don't know the answer (no
    disrespect intended Malke). She did much more than you. All you did was
    start a flame war for no reason. Do you really want to get into it with me?


    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
    pcbutts1, Oct 14, 2007
  11. Jim

    wng_z3r0 Guest

    Well then congratulations for contributing to such a wonderful open source
    project. I can't seem to find your handle or email anywhere in the source,
    but that's ok; I'm sure you have a valid reason. Anyways, you seem to have
    missed the point that I was making. See, the OP could easily check the
    validity of wireshark by googling it, looking at reviews etc etc before
    actually downloading the program. Also the fact that the program is open
    source on SourceForge also helps to signify that wireshark is not malicious.
    Compare that with your distribution system.

    wng_z3r0, Oct 14, 2007
  12. Jim

    Far Canal Guest

    Nothing you can't fix by formatting your hd.
    Far Canal, Oct 14, 2007
  13. "pcbutts1" after much thought, came up with this jewel:
    can I play too?

    Want to know what PCBUTTS1 is really about?
    Here are some thoughts from real people.

    What's in a Name?, Oct 14, 2007
  14. Jim

    pcbutts1 Guest

    Everything I put out is well documented and explained on my website.
    Everything is safe and tested. Because I choose not to share those links in
    these NG's is by choice. If I am as bad as everybody says I am then why no
    complaints from users of my files? Why is my site still up, why has it always
    been up. If I am a thief then why did I beat two DMCA complaints? The
    easiest way to take down any website is to file a DMCA yet my site is still
    up. Get your facts straight.


    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
    pcbutts1, Oct 14, 2007
  15. Jim

    wng_z3r0 Guest

    Don't try to change the argument. I have not once mentioned anything about
    stealing code. That is irrelevant to this discussion.
    Who cares if you have documented everything on your website or have
    'reviews' on your website? Look at any of the smitfraud variant websites,
    you will see EXACTLY the same thing (remember winfixer.com ? ). Any
    'guarantees' from an author's website are essentially useless from a trust
    perspective, as you are trying to gauge the trust of that website in the
    first place.

    You have not presented one valid counter claim to my supposition that
    receiving private executables from unknown people on the internet is a 'bad
    thing'. Unless you wish to discuss this point or the OP replies to this
    thread, I will not waste any more of my time on this topic.

    wng_z3r0, Oct 14, 2007
  16. Jim

    pcbutts1 Guest

    I wrote a malware removal program called Spyerase. Everybody said I stole it
    from someone else. I sold Spyerase last year and made a pretty penny for it
    too. I sold it to a major Anti-malware Anti-virus company who found me in
    these NG's and in my forums. I am not unknown. If I can write something that
    works then people have the right to use it. You can try to back out of this
    thread if you want but I know exactly what your intentions were in your
    first post.


    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
    pcbutts1, Oct 14, 2007
  17. Jim

    ---Fitz--- Guest

    You sold it...yeah, right. You're right about not being unknown
    ---Fitz---, Oct 14, 2007
  18. Jim

    spears list Guest

    Check to see if this software helps because it saved my pc! www.eliteatm.biz
    spears list, Oct 16, 2007
