5 Posts
0
Unauthorised internet traffic on default connection
Logfile of HijackThis v1.99.1
Scan saved at 3:03:14 PM, on 19/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\HJT\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
RKinner
5.9K Posts
0
July 19th, 2005 18:00
Botrytis
5 Posts
0
July 20th, 2005 02:00
My computer was not connected to the internet at the time I made this log. I will try another log with the internet connection up and running.
The problems with my machine are:
when I connect to the default cable internet connection, I get downloads at the rate of 1 MByte per second. My cable ISP records these downloads and charges me for them. Uploads are much less, perhaps 10kB/s.
If I make my dial-up connection the default connection then the same thing happens on that connection, but the cable connection behaves normally.
When I changed the default connection from cable to dial-up all my settings, preferences, address book and so on were wiped.
ipconfig program has been interfered with. When the problem first appeared ipconfig worked normally, although I am not that familiar with it. It showed a normal connection and a connection involving a 'teredo tunneling virtual interface'. When I try to run ipconfig now, all that happens is that a black screen appears for a second and disappears again.
I also had some problems with booting from diskette since the keyboard was disabled during bootup. I made a few changes and that problem has gone for the moment.
I have formatted my C:/ system disk and reloaded Windows XP 3 times. I have not formatted my D:/ disc where I keep only data and zipped files. I have taken the battery out and replaced it. The problem persists.
I have run up-to-date Norton AntiVirus, Adaware, Registry Mechanic, an Internet analyser and Task Manager and have not found any suspicious activity. I have Zone Alarm firewall up-to-date and on.
I am puzzled where the hijacker could be lurking. Should I try reinstalling the BIOS?
Cheers
Botrytis
5 Posts
0
July 20th, 2005 09:00
Hi
Here are my logs from HijackThis and Ewido. The HijackThis scan was made while the internet connection was active and downloading illegally. The rate of download is 1 kByte/s, not 1 MByte/s as I said in the previous message.
I could not find the item "F2 - REG:system.ini:Shell=Explorer.exe C:\Windows\Nail.exe" in the HijackThis log nor fix it as described in the Nail.exe FAQ entry.
Cheers
Logfile of HijackThis v1.99.1
Scan saved at 7:40:20 PM, on 20/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wpabaln.exe
C:\HijackThis.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 5:54:25 PM, 20/07/2005
+ Report-Checksum: 489DA04A
+ Scan result:
No infected objects found.
::Report End
RKinner
5.9K Posts
0
July 20th, 2005 13:00
I wonder if what you are seeing might just be XP's automatic updates? HijackThis says you are way behind in your patches so if Automatic Updates is turned on it will try to download SP2. Also there are several services in XP that if allowed to run will try to contact other Windows systems to map your network neighborhood. Depending on your PC there may also be several services added by the manufacturer that talk a lot. Compaq is notorious for this and HP once made a keyboard that continually pinged the internet to see if you were connected. That's why I suggested ZoneAlarm. It will not let anything out without permission and identifies the process so you would know what is trying to access the internet. Alternatively, an unpatched system is vulnerable to many attacks and it could be that as soon as you go online you get reinfected. You need to make sure that when you go online that you either have the XP firewall turned on (in pre-SP2 it has a few holes) or run Zone Alarm.
If you do Start, Run, cmd, OK to bring up the black cmd window then type:
netstat -a
or
netstat -an
you should get a display of all IP connections. The first one gives the information by URL/port names and the other one by IP address/port numbers. That will tell you who you are talking to and what port. If you capture that information:
netstat -an >C:\junk.txt
and post the file in a reply I can tell you more about what is going on.
There is also a better program that does something similar but gives you more info. It is tcpview which is a free download from:
http://www.sysinternals.com/Utilities/TcpView.html
I have no idea what happened to msconfig unless your login does not have admin priv. You can download the program again at:
http://downloads.thetechguide.com/msconfig.zip and see if that helps.
Some of the programs at:
http://www.sysinternals.com/ProcessesAndThreadsUtilities.html
may help if you are an experienced user.
Ron
Botrytis
5 Posts
0
July 21st, 2005 00:00
Hi
The 'illegal activity' started while my system was fully up-to-date with all patches etc. I am now operating with the old system from my Windows XP CD. I am about to do my 4th reinstallation of the system so I don't want the hassle of patching the system over the 56kb dial-up connection I am using now.
Here are some logs from TCPView:
The first was taken while connected to the cable and unauthorised traffic was going on:
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:1032 *:*
msmsgs.exe:1924 TCP 169.254.148.119:7025 bob-e5o0wvx7ygp:0 LISTENING
msmsgs.exe:1924 UDP 169.254.148.119:12513 *:*
msmsgs.exe:1924 UDP 169.254.148.119:49748 *:*
NAVAPW32.EXE:1660 TCP bob-e5o0wvx7ygp:1027 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:768 TCP bob-e5o0wvx7ygp:epmap bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:768 UDP bob-e5o0wvx7ygp:epmap *:*
svchost.exe:792 TCP bob-e5o0wvx7ygp:1025 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:792 UDP bob-e5o0wvx7ygp:1026 *:*
svchost.exe:792 UDP bob-e5o0wvx7ygp:ntp *:*
svchost.exe:792 UDP 169.254.148.119:ntp *:*
svchost.exe:864 UDP bob-e5o0wvx7ygp:1079 *:*
svchost.exe:908 TCP bob-e5o0wvx7ygp:5000 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:908 UDP bob-e5o0wvx7ygp:1900 *:*
svchost.exe:908 UDP 169.254.148.119:1900 *:*
System:4 TCP bob-e5o0wvx7ygp:microsoft-ds bob-e5o0wvx7ygp:0 LISTENING
System:4 TCP bob-e5o0wvx7ygp:1029 bob-e5o0wvx7ygp:0 LISTENING
System:4 UDP bob-e5o0wvx7ygp:microsoft-ds *:*
System:4 TCP 169.254.148.119:netbios-ssn bob-e5o0wvx7ygp:0 LISTENING
System:4 UDP 169.254.148.119:netbios-ns *:*
System:4 UDP 169.254.148.119:netbios-dgm *:*
vsmon.exe:1532 TCP bob-e5o0wvx7ygp:1028 bob-e5o0wvx7ygp:0 LISTENING
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:1032 *:*
msmsgs.exe:1924 TCP 169.254.148.119:7025 bob-e5o0wvx7ygp:0 LISTENING
msmsgs.exe:1924 UDP 169.254.148.119:12513 *:*
msmsgs.exe:1924 UDP 169.254.148.119:20204 *:*
msmsgs.exe:1924 UDP 169.254.148.119:47401 *:*
NAVAPW32.EXE:1660 TCP bob-e5o0wvx7ygp:1027 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:768 TCP bob-e5o0wvx7ygp:epmap bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:768 UDP bob-e5o0wvx7ygp:epmap *:*
svchost.exe:792 TCP bob-e5o0wvx7ygp:1025 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:792 UDP bob-e5o0wvx7ygp:1026 *:*
svchost.exe:792 UDP bob-e5o0wvx7ygp:ntp *:*
svchost.exe:792 UDP 169.254.148.119:ntp *:*
svchost.exe:864 UDP bob-e5o0wvx7ygp:1079 *:*
svchost.exe:908 TCP bob-e5o0wvx7ygp:5000 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:908 UDP bob-e5o0wvx7ygp:1900 *:*
svchost.exe:908 UDP 169.254.148.119:1900 *:*
System:4 TCP bob-e5o0wvx7ygp:microsoft-ds bob-e5o0wvx7ygp:0 LISTENING
System:4 TCP bob-e5o0wvx7ygp:1029 bob-e5o0wvx7ygp:0 LISTENING
System:4 UDP bob-e5o0wvx7ygp:microsoft-ds *:*
System:4 TCP 169.254.148.119:netbios-ssn bob-e5o0wvx7ygp:0 LISTENING
System:4 UDP 169.254.148.119:netbios-ns *:*
System:4 UDP 169.254.148.119:netbios-dgm *:*
vsmon.exe:1532 TCP bob-e5o0wvx7ygp:1028 bob-e5o0wvx7ygp:0 LISTENING
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:1032 *:*
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:14003 *:*
NAVAPW32.EXE:1660 TCP bob-e5o0wvx7ygp:1027 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:768 TCP bob-e5o0wvx7ygp:epmap bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:768 UDP bob-e5o0wvx7ygp:epmap *:*
svchost.exe:792 TCP bob-e5o0wvx7ygp:1025 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:792 UDP bob-e5o0wvx7ygp:1026 *:*
svchost.exe:792 UDP bob-e5o0wvx7ygp:ntp *:*
svchost.exe:792 UDP bob-e5o0wvx7ygp:1128 *:*
svchost.exe:864 UDP bob-e5o0wvx7ygp:1079 *:*
svchost.exe:908 TCP bob-e5o0wvx7ygp:5000 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:908 UDP bob-e5o0wvx7ygp:1900 *:*
System:4 TCP bob-e5o0wvx7ygp:microsoft-ds bob-e5o0wvx7ygp:0 LISTENING
System:4 TCP bob-e5o0wvx7ygp:1029 bob-e5o0wvx7ygp:0 LISTENING
System:4 UDP bob-e5o0wvx7ygp:microsoft-ds *:*
vsmon.exe:1532 TCP bob-e5o0wvx7ygp:1028 bob-e5o0wvx7ygp:0 LISTENING
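RKinner's netstat suggestion earlier in the thread and the TCPView snapshots posted above both produce a socket table, and the question a defender wants answered from such a table is the same in both cases: which process currently has an established connection to a peer outside the LAN, as opposed to merely listening. The script below is an added example, not code from this thread or from the TCPView/netstat tools; it parses both line formats (TCPView's "process:pid PROTO local remote [STATE]" rows and netstat -an's "PROTO local remote [STATE]" rows), classifies each socket, and flags link-local 169.254.x.x addresses, which Windows assigns when an adapter gets no DHCP lease. The sample input is constructed: the TCPView rows are copied from the first snapshot in this post, the two netstat-style rows and the addresses in them (192.0.2.10, 198.51.100.7) are made up for illustration, and the hostname bob-e5o0wvx7ygp is taken from the posted logs.

```python
import ipaddress
from collections import defaultdict

# Hostname that TCPView printed for the local machine in the posted snapshots.
LOCAL_HOSTNAME = "bob-e5o0wvx7ygp"

# Constructed sample: first five rows copied from the TCPView snapshot in the
# post, last two rows written in netstat -an style with documentation-range
# addresses (192.0.2.10, 198.51.100.7) that stand in for a real peer.
SAMPLE = """\
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*
msmsgs.exe:1924 TCP 169.254.148.119:7025 bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:768 TCP bob-e5o0wvx7ygp:epmap bob-e5o0wvx7ygp:0 LISTENING
svchost.exe:792 UDP 169.254.148.119:ntp *:*
System:4 TCP 169.254.148.119:netbios-ssn bob-e5o0wvx7ygp:0 LISTENING
  TCP    192.0.2.10:1033        198.51.100.7:80        ESTABLISHED
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; ports may be names (ntp, epmap)."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_line(line):
    """Return a socket dict for a TCPView or netstat -an row, else None."""
    parts = line.split()
    if not parts:
        return None
    if parts[0].upper() in ("TCP", "UDP"):                 # netstat -an row: no process column
        proc, proto, local, remote = "?", parts[0].upper(), parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
    elif len(parts) >= 4 and parts[1].upper() in ("TCP", "UDP"):  # TCPView row: process:pid first
        proc, proto, local, remote = parts[0], parts[1].upper(), parts[2], parts[3]
        state = parts[4] if len(parts) > 4 else ""
    else:
        return None                                        # header or blank line
    return {"proc": proc, "proto": proto, "local": local, "remote": remote, "state": state}


def address_note(host):
    """Say what kind of address a host field is; hostnames are left as-is."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_unspecified:
        return "any"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (169.254/16: adapter got no DHCP lease)"
    if any(ip in net for net in RFC1918):
        return "private LAN"
    return "outside LAN"


def classify(sock, local_hostname=LOCAL_HOSTNAME):
    """'established' = talking to a peer; 'listening' = bound only (UDP has no peer)."""
    rhost, _ = split_endpoint(sock["remote"])
    if sock["state"] == "ESTABLISHED":
        return "established"
    if sock["state"] == "LISTENING" or rhost in ("*", "0.0.0.0", local_hostname):
        return "listening"
    return "other"


def summarize(text, local_hostname=LOCAL_HOSTNAME):
    """Per-process socket counts, established peers, and any link-local local addresses."""
    socks = [s for s in map(parse_line, text.splitlines()) if s]
    per_proc = defaultdict(lambda: {"listening": 0, "established": 0, "other": 0})
    peers, link_local = [], set()
    for s in socks:
        kind = classify(s, local_hostname)
        per_proc[s["proc"]][kind] += 1
        lhost, _ = split_endpoint(s["local"])
        if address_note(lhost).startswith("link-local"):
            link_local.add(lhost)
        if kind == "established":
            rhost, rport = split_endpoint(s["remote"])
            peers.append((s["proc"], s["proto"], rhost, rport, address_note(rhost)))
    return {"sockets": len(socks), "per_process": dict(per_proc),
            "peers": peers, "link_local": sorted(link_local)}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['sockets']} sockets parsed")
    for proc, counts in report["per_process"].items():
        print(f"  {proc:<20} {counts}")
    for proc, proto, host, port, note in report["peers"]:
        print(f"ESTABLISHED {proto} {proc} -> {host}:{port} ({note})")
    if report["link_local"]:
        print("link-local local addresses:", ", ".join(report["link_local"]))
```

Run against the snapshots actually posted (without the two constructed netstat rows) the report contains no established sockets at all: every TCP entry is LISTENING and every UDP entry shows "*:*", so a single snapshot like this cannot show where a 1 kByte/s download is coming from. Catching it needs either repeated snapshots while the traffic is flowing or a tool that logs connection events, as RKinner's ZoneAlarm suggestion does. The 169.254.148.119 address the script flags is a link-local auto-configuration address, which fits the later report that the interface showed 0.0.0.0 with only Plug and Play and RPC running.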
RKinner
5.9K Posts
0
July 21st, 2005 14:00
Botrytis
5 Posts
0
July 28th, 2005 03:00
The problem is still there but I am working around it by connecting to the cable modem through the USB rather than the ethernet card.
The problem persisted even when the only services I had running were 'Plug and Play' and 'Remote Procedure Call'. Under these conditions the IP address was 0.0.0.0. As far as I can make out my ISP did not bill me for downloads to this address. I downloaded and installed a new copy of the driver for the ethernet card, but this did not get rid of the problem.
Thanks for your help.
Cheers