839

July 19th, 2005 04:00

Unauthorised internet traffic on default connection

Logfile of HijackThis v1.99.1
Scan saved at 3:03:14 PM, on 19/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\HJT\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
 

5.9K Posts

July 19th, 2005 18:00

I don't see anything in your log other than IE running. Did you start it or are you using something like Active Desktop?

Do you have a lot of stuff in the Ignore List? Could you take it out and let me see a full log in normal (not SAFE) mode?

Do you know where the traffic is heading and to what port?

You might just put the free version of Zone Alarm on and see what it catches trying to get out.

Ron

5 Posts

July 20th, 2005 02:00

My computer was not connected to the internet at the time I made this log. I will try another log with the internet connection up and running.

The problems with my machine are:

when I connect to the default cable internet connection, I get downloads at the rate of 1 MByte per second.  My cable ISP records these downloads and charges me for them.  Uploads are much less, perhaps 10kB/s.

If I make my dial-up connection the default connection then the same thing happens on that connection, but the cable connection behaves normally.

When I changed the default connection from cable to dial-up all my settings, preferences, address book and so on were wiped.

ipconfig program has been interfered with. When the problem first appeared ipconfig worked normally, although I am not that familiar with it. It showed a normal connection and a connection involving a 'teredo tunneling virtual interface'. When I try to run ipconfig now, all that happens is that a black screen appears for a second and disappears again.

I also had some problems with booting from diskette since the keyboard was disabled during bootup. I made a few changes and that problem has gone for the moment.

I have formatted my C:/ system disk and reloaded Windows XP 3 times. I have not formatted my D:/ disc where I keep only data and zipped files. I have taken the battery out and replaced it. The problem persists.

I have run uptodate Norton AntiVirus, Adaware, Registry Mechanic, an Internet analyser and Task Manager and have not found any suspicious activity.  I have Zone Alarm firewall up-to-date and on.

I am puzzled where the hijacker could be lurking. Should I try reinstalling the BIOS?

Cheers

5 Posts

July 20th, 2005 09:00

Hi

Here are my logs from HijackThis and Ewido.  The HijackThis scan was made while the internet connection was active and downloading illegally.  The rate of download is 1 kByte/s, not 1 MByte/s as I said in the previous message.

I could not find the item "F@ -REG:system.ini:Shell=Explorer.exe C:\Windows\Nail.exe" in the HijackThis log nor fix it as described in the Nail.exe FAQ entry.

Cheers

Logfile of HijackThis v1.99.1
Scan saved at 7:40:20 PM, on 20/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wpabaln.exe
C:\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:   5:54:25 PM, 20/07/2005
 + Report-Checksum:  489DA04A

 + Scan result:

 No infected objects found.


::Report End

5.9K Posts

July 20th, 2005 13:00

I wonder if what you are seeing might just be XP's automatic updates? HijackThis says you are way behind in your patches so if Automatic Updates is turned on it will try to download SP2. Also there are several services in XP that if allowed to run will try to contact other Windows systems to map your network neighborhood. Depending on your PC there may also be several services added by the manufacturer that talk a lot. Compaq is notorious for this and HP once made a keyboard that continually pinged the internet to see if you were connected.

That's why I suggested ZoneAlarm. It will not let anything out without permission and identifies the process so you would know what is trying to access the internet.

Alternatively, an unpatched system is vulnerable to many attacks and it could be that as soon as you go online you get reinfected. You need to make sure that when you go online you either have the XP firewall turned on (in pre-SP2 it has a few holes) or run Zone Alarm.

 

If you do Start, Run, cmd, OK to bring up the black cmd window then type:

netstat -a

or

netstat -an

you should get a display of all IP connections. The first one gives the information by URL/port names and the other one by IP address/port numbers. That will tell you who you are talking to and what port. If you capture that information:

netstat -an >C:\junk.txt

and post the file in a reply I can tell you more about what is going on.


There is also a better program that does something similar but gives you more info. It is tcpview which is a free download from:

http://www.sysinternals.com/Utilities/TcpView.html

I have no idea what happened to msconfig unless your login does not have admin priv. You can download the program again at:

http://downloads.thetechguide.com/msconfig.zip and see if that helps.

Some of the programs at:

http://www.sysinternals.com/ProcessesAndThreadsUtilities.html

may help if you are an experienced user.

Ron


5 Posts

July 21st, 2005 00:00

Hi

The 'illegal activity' started while my system was fully up-to-date with all patches etc.   I am now operating with the old system from my Windows XP CD.  I am about to do my 4th reinstallation of the system so I don't want the hassle of patching the system over the 56kb dial-up connection I am using now.

Here are some logs from TCPView:

The first was taken while connected to the cable and unauthorised traffic was going on:

IEXPLORE.EXE:2896 UDP bob-e5o0wvx7ygp:1083 *:*  
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*  
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:1032 *:*  
msmsgs.exe:1924 TCP 169.254.148.119:7025 bob-e5o0wvx7ygp:0 LISTENING 
msmsgs.exe:1924 UDP 169.254.148.119:12513 *:*  
msmsgs.exe:1924 UDP 169.254.148.119:49748 *:*  
NAVAPW32.EXE:1660 TCP bob-e5o0wvx7ygp:1027 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:768 TCP bob-e5o0wvx7ygp:epmap bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:768 UDP bob-e5o0wvx7ygp:epmap *:*  
svchost.exe:792 TCP bob-e5o0wvx7ygp:1025 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:792 UDP bob-e5o0wvx7ygp:1026 *:*  
svchost.exe:792 UDP bob-e5o0wvx7ygp:ntp *:*  
svchost.exe:792 UDP 169.254.148.119:ntp *:*  
svchost.exe:864 UDP bob-e5o0wvx7ygp:1079 *:*  
svchost.exe:908 TCP bob-e5o0wvx7ygp:5000 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:908 UDP bob-e5o0wvx7ygp:1900 *:*  
svchost.exe:908 UDP 169.254.148.119:1900 *:*  
System:4 TCP bob-e5o0wvx7ygp:microsoft-ds bob-e5o0wvx7ygp:0 LISTENING 
System:4 TCP bob-e5o0wvx7ygp:1029 bob-e5o0wvx7ygp:0 LISTENING 
System:4 UDP bob-e5o0wvx7ygp:microsoft-ds *:*  
System:4 TCP 169.254.148.119:netbios-ssn bob-e5o0wvx7ygp:0 LISTENING 
System:4 UDP 169.254.148.119:netbios-ns *:*  
System:4 UDP 169.254.148.119:netbios-dgm *:*  
vsmon.exe:1532 TCP bob-e5o0wvx7ygp:1028 bob-e5o0wvx7ygp:0 LISTENING 

The second was taken during a short burst of activity:

IEXPLORE.EXE:2896 UDP bob-e5o0wvx7ygp:1083 *:*  
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*  
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:1032 *:*  
msmsgs.exe:1924 TCP 169.254.148.119:7025 bob-e5o0wvx7ygp:0 LISTENING 
msmsgs.exe:1924 UDP 169.254.148.119:12513 *:*  
msmsgs.exe:1924 UDP 169.254.148.119:20204 *:*  
msmsgs.exe:1924 UDP 169.254.148.119:47401 *:*  
NAVAPW32.EXE:1660 TCP bob-e5o0wvx7ygp:1027 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:768 TCP bob-e5o0wvx7ygp:epmap bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:768 UDP bob-e5o0wvx7ygp:epmap *:*  
svchost.exe:792 TCP bob-e5o0wvx7ygp:1025 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:792 UDP bob-e5o0wvx7ygp:1026 *:*  
svchost.exe:792 UDP bob-e5o0wvx7ygp:ntp *:*  
svchost.exe:792 UDP 169.254.148.119:ntp *:*  
svchost.exe:864 UDP bob-e5o0wvx7ygp:1079 *:*  
svchost.exe:908 TCP bob-e5o0wvx7ygp:5000 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:908 UDP bob-e5o0wvx7ygp:1900 *:*  
svchost.exe:908 UDP 169.254.148.119:1900 *:*  
System:4 TCP bob-e5o0wvx7ygp:microsoft-ds bob-e5o0wvx7ygp:0 LISTENING 
System:4 TCP bob-e5o0wvx7ygp:1029 bob-e5o0wvx7ygp:0 LISTENING 
System:4 UDP bob-e5o0wvx7ygp:microsoft-ds *:*  
System:4 TCP 169.254.148.119:netbios-ssn bob-e5o0wvx7ygp:0 LISTENING 
System:4 UDP 169.254.148.119:netbios-ns *:*  
System:4 UDP 169.254.148.119:netbios-dgm *:*  
vsmon.exe:1532 TCP bob-e5o0wvx7ygp:1028 bob-e5o0wvx7ygp:0 LISTENING 

The third was taken after I disconnected the cable:

IEXPLORE.EXE:2896 UDP bob-e5o0wvx7ygp:1083 *:*  
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*  
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:1032 *:*  
msmsgs.exe:1924 UDP bob-e5o0wvx7ygp:14003 *:*  
NAVAPW32.EXE:1660 TCP bob-e5o0wvx7ygp:1027 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:768 TCP bob-e5o0wvx7ygp:epmap bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:768 UDP bob-e5o0wvx7ygp:epmap *:*  
svchost.exe:792 TCP bob-e5o0wvx7ygp:1025 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:792 UDP bob-e5o0wvx7ygp:1026 *:*  
svchost.exe:792 UDP bob-e5o0wvx7ygp:ntp *:*  
svchost.exe:792 UDP bob-e5o0wvx7ygp:1128 *:*  
svchost.exe:864 UDP bob-e5o0wvx7ygp:1079 *:*  
svchost.exe:908 TCP bob-e5o0wvx7ygp:5000 bob-e5o0wvx7ygp:0 LISTENING 
svchost.exe:908 UDP bob-e5o0wvx7ygp:1900 *:*  
System:4 TCP bob-e5o0wvx7ygp:microsoft-ds bob-e5o0wvx7ygp:0 LISTENING 
System:4 TCP bob-e5o0wvx7ygp:1029 bob-e5o0wvx7ygp:0 LISTENING 
System:4 UDP bob-e5o0wvx7ygp:microsoft-ds *:*  
vsmon.exe:1532 TCP bob-e5o0wvx7ygp:1028 bob-e5o0wvx7ygp:0 LISTENING 

I hope this shows something.

Thank you for all your help. I have learned a lot from this exchange.

5.9K Posts

July 21st, 2005 14:00

Something odd here. Your HijackThis log said nothing about msmsgs.exe running but it seems to be talking to another computer on your local network (or it might be talking to itself, can't tell). The address used is one of those that Windows makes up if it can't get a response from a valid DHCP server. msmsgs is normally Microsoft's instant messenger but there are several viruses that use the same name.
 
Your computer also appears to be running ntp which may attempt to contact some other computer to get a time update.  (check Services, Windows Time and see if turning it off will stop the ntp stuff)
 
There are also a few of the standard Microsoft protocols. Usually controlled with Services: Computer Browser, Server, Workstation.
 
Internet Explorer is also running for some reason (Active Desktop?).  Do you get the same surge when it is not running?
 
You can use msconfig to turn things off and see if any of the programs it controls are responsible.
 
 
Ron
 
 
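Ron's two replies above amount to a manual procedure: capture the endpoint table with netstat or TCPView, then cross-check the owning processes against the HijackThis "Running processes" list and look at the addresses involved (he spots msmsgs.exe, absent from the HijackThis log, bound to a 169.254.x.x address that Windows self-assigns when DHCP fails). The script below is an added example of that cross-check, not code from the thread, from TCPView or from HijackThis. It assumes the whitespace-separated TCPView row layout quoted in the thread (`image:pid proto local remote [state]`); the sample rows and the HijackThis path list are constructed from excerpts of the logs posted above, and the function names are the example's own.

```python
"""Cross-check a TCPView endpoint listing against the process list from a
HijackThis log.  Added example; not code from the thread or from either tool.

Assumed input format (TCPView 'Save' output as quoted in the thread):
    <image>:<pid> <TCP|UDP> <local-host>:<local-port> <remote-host>:<remote-port> [<state>]
Lines that do not fit (headers, netstat -an rows without a process column)
are skipped.
"""
import ipaddress
from collections import namedtuple

Endpoint = namedtuple(
    "Endpoint", "process pid proto local_host local_port remote state")

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when DHCP fails

# Constructed sample modelled on the TCPView excerpts posted in the thread.
SAMPLE_TCPVIEW = """\
IEXPLORE.EXE:2896 UDP bob-e5o0wvx7ygp:1083 *:*
lsass.exe:600 UDP bob-e5o0wvx7ygp:isakmp *:*
msmsgs.exe:1924 TCP 169.254.148.119:7025 bob-e5o0wvx7ygp:0 LISTENING
msmsgs.exe:1924 UDP 169.254.148.119:12513 *:*
svchost.exe:792 UDP bob-e5o0wvx7ygp:ntp *:*
svchost.exe:908 TCP bob-e5o0wvx7ygp:5000 bob-e5o0wvx7ygp:0 LISTENING
System:4 TCP bob-e5o0wvx7ygp:microsoft-ds bob-e5o0wvx7ygp:0 LISTENING
vsmon.exe:1532 TCP bob-e5o0wvx7ygp:1028 bob-e5o0wvx7ygp:0 LISTENING
"""

# Constructed: a subset of the 'Running processes' paths from the second
# HijackThis log in the thread.
SAMPLE_HJT_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\PROGRA~1\NORTON~1\navapw32.exe",
    r"C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]


def _split_hostport(token):
    """'169.254.148.119:7025' -> ('169.254.148.119', '7025'); '*:*' -> ('*', '*')."""
    host, _, port = token.rpartition(":")
    return host, port


def parse_tcpview(text):
    """Parse TCPView rows into Endpoint tuples, skipping anything else."""
    endpoints = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        image, sep, pid = fields[0].rpartition(":")
        if not sep or not pid.isdigit():
            continue  # no '<image>:<pid>' column, e.g. a netstat -an row
        local_host, local_port = _split_hostport(fields[2])
        state = fields[4] if len(fields) > 4 else ""
        endpoints.append(Endpoint(image, int(pid), fields[1].upper(),
                                  local_host, local_port, fields[3], state))
    return endpoints


def is_apipa(host):
    """True for a 169.254.0.0/16 literal; False for names, port names and '*'."""
    try:
        return ipaddress.ip_address(host) in APIPA_NET
    except ValueError:
        return False


def review(endpoints, hjt_process_paths, builtin=("system",)):
    """Flag endpoint owners absent from the HijackThis process list, APIPA
    addresses, and TCP listeners.  'System' (PID 4) never appears in the
    HijackThis list, so it is treated as known by default."""
    known = {p.replace("\\", "/").rsplit("/", 1)[-1].lower()
             for p in hjt_process_paths}
    known.update(builtin)
    unknown = sorted({e.process for e in endpoints
                      if e.process.lower() not in known})
    apipa = sorted({e.local_host for e in endpoints if is_apipa(e.local_host)})
    listeners = sorted({(e.process, e.local_port) for e in endpoints
                        if e.proto == "TCP" and e.state == "LISTENING"})
    return {"unknown_processes": unknown,
            "apipa_hosts": apipa,
            "tcp_listeners": listeners}


if __name__ == "__main__":
    findings = review(parse_tcpview(SAMPLE_TCPVIEW), SAMPLE_HJT_PROCESSES)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports msmsgs.exe as the one endpoint owner missing from the HijackThis list and 169.254.148.119 as the only APIPA address, which is exactly the pair of observations Ron made by eye. The TCP listener list is the part to compare across the three captures: a listener that appears only while the cable is plugged in is the first thing to investigate.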

5 Posts

July 28th, 2005 03:00

I believe that my problem with 'illegal downloads' comes from a fault in my ethernet card. This doesn't explain all the things that went wrong with my computer.

The problem is still there but I am working around it by connecting to the cable modem through the USB rather than the ethernet card.

The problem persisted even when the only services I had running were 'Plug and Play' and 'Remote Procedure Call'. Under these conditions the IP address was 0.0.0.0. As far as I can make out my ISP did not bill me for downloads to this address. I downloaded and installed a new copy of the driver for the ethernet card, but this did not get rid of the problem.

Thanks for your help.

Cheers