
Something is downloading from net by itself
#1
Posted 31 May 2008 - 11:56 PM
#2
Posted 01 June 2008 - 02:54 AM
The connection is for Akamai Technologies, a content distribution service. Having servers all over the world, they "help" speed up connection to some sites. But not all Akamai are good, tracking cookies can be a large part of their "services". Even MS updates and many Anti-virus updates rely on them.
Advice(s) :
Download and install MVPS Host File
This will block the services you do not need from Akamai, and keep those you need.
http://www.mvps.org/...p2002/hosts.htm
And here, some info and help with the installation of the MVPS Host File
http://www.mvps.org/...2002/hosts2.htm
In addition, you may wanna get rid of the existing tracking Cookies.
Download both these programs, update and then run full scans.
MBAM (MalwareBytes Anti-Malware) Free version available.
SuperAntispyware Free version available.
Hope this will solve your problem. If not, you may want to check if you have more installed than just Tracking Cookies.
Regards Abydos
Abydos
Asking for Technical Help
Preventing Malware Slow PC? Recovery Console!
"I am not young enough to know everything" - Oscar Wilde
#3
Posted 01 June 2008 - 06:50 AM
"I spoke to my ISP who said to disable my Antivirus software for a few days to see if it is causing the downloads. I’m not happy to do that"
A few days???? You were wise to question that. It only takes a few minutes (seconds) to see if the AV is the problem.
I agree with Abydos' recommended course of action - that is, make sure your system is free of spyware. You did not specify your version of Windows, or what AV you are using. In any event, make sure your system is fully updated with the latest patches and updates. You might also do some supplemental AV scanning with one, two or all three (in turn) of these free on-line virus scanners as a double or even triple check. Some very malicious malware have been known to disable PC based anti-virus (AV) scanners. These on-line scanners help compensate for that. Temporarily (not for days!

- Kaspersky Online Scanner (Items found and not removed will be listed in report.)
or - Trend Micro HouseCall
or - PandaSoft ActiveScan
As for devsvc.exe, it is not clear that is legitimate - at least most sites I found report that it is still under review. Some report that some malware disguises itself with that file name. In any event, the legitimate version is apparently for InterVideo and is not needed for normal computing use. I would disable it.
Have you looked in msconfig to see what loads at startup?

Freedom is NOT Free!

Heat is the bane of all electronics!
─────────────────────
#4
Posted 01 June 2008 - 09:51 PM
#5
Posted 02 June 2008 - 06:59 AM
"I only use the built-in Windows Firewall at the moment - I'm guessing people are going to tell me that I need to get another one?"
Well, normally, Windows Firewall is just fine, despite what others may tell you. I have it (with MS Windows Defender) running on two test systems here just fine. The problem with Windows Firewall (in XP) is that it does not block any unauthorized outgoing access attempts. So, if some malicious code manages to get by all your other security defenses (not easy with a disciplined user and updated PC), it will be free to "phone home" with your personal data, use your system to propagate itself, as a spamming machine, or as a zombie in a DDoS attack.
So, if you were to move to another firewall, such as Sunbelt Kerio Personal Firewall or Comodo Firewall Pro (Free), the advantage for you now, during these times is that you could block all (incoming and outgoing) access with just a couple clicks. Of course, unplugging the connection cable will do the same thing.
Now that it is a new month, are you still over your limit?
95 tracking cookies seem like a lot, considering you just ran ATF, but note that most tracking cookies are good - they allow you to reenter sites without having to reenter your username and password. And tracking cookies by themselves are harmless as they only collect information - some other code must be able to access the data, then exploit it somehow.
How sure are you that this excess traffic is coming from this machine? How do you connect to the Internet? Do you have a router? Is that the only computer that uses that connection? Are you using wireless? If wireless, do you have neighbors in close proximity? Are you the only user of that computer?
Here's a pretty good little tutorial for netstat, Working with the NETSTAT command.
Just for clarification, in your opening post, you said you were having excessive levels of Internet use (implying up and downloads), but then a couple lines down, you said your ISP recommended disabling your AV to see if that was causing the excess downloads. That's a significant difference. If you have excess downloads, eventually you will run out of disk space.
I have seen bad NICs (network interface cards) take down entire networks and simply disconnecting the Ethernet cable restored the network. Swapping out the $10 card fixed the problem. You might at least try uninstalling your network card drivers, powering down AND UNPLUGGING the PC from the wall for about 30 seconds (to remove the +5Vsb ATX standby voltages from the PCI bus - or flip the Master Power Switch for 30 seconds on the back of your power supply if your supply is so equipped - most are not) then bring it back up and see what happens.
Did you look in MSCONFIG > Startup to see what is loaded up at startup?
Do you have any BHOs (browser helper objects)? These "add-ons" may be added toolbars, or something else that uses IE, supposedly to make your life easier. Some do, but not all. If, for example, you have the Yahoo Toolbar and the Google Toolbar, get rid of one. You can go to Tools > Manage Add-ons to see what is running and consider disabling anything that is not from MS.
Or, start over - that is, "reset" IE by going to Tools > Internet Options > Advanced and hit the Reset button.
Okay, I know that is a lot, and to be truthful, at this point, I am just tossing out ideas. Considering you seem to be a disciplined user, you use anti-malware tools, your HJT log is clean, there just is nothing blaring that stands out.
─────────────────────
#6
Posted 02 June 2008 - 10:52 PM

#7
Posted 03 June 2008 - 08:06 AM
You should definitely start by disabling Windows Messenger (and yes, that is how it normally looks) - it is a not-needed, often exploited service there primarily for corporate networks and not for home PCs. The best way is to disable the service completely so it does not even start. This is done through Control Panel > Administrative Tools > Services. Scroll down and right click on Messenger and click the Stop button. Then in the Startup Type, change the value to Disabled and Ok your way back out. (Ref: MS Article, Disabling Messenger Service). Also a good read is Shoot The Messenger. This alone might be your problem.
I do think you should download and install a different firewall - unfortunately, those files are big. The one with the smallest download that I can find is Kerio, at 6.48Mb. Besides the advantage of being a 2 way-firewall, it will yell at you every time it sees a new program trying to access the Internet. This is important because stuff is not being downloaded to your machine on its own. Something on your machine is going out and requesting those downloads. So when you first fire up the new firewall, you will be blasted with all kinds of prompts, asking what to do - Allow once, Allow always, Block once, Block always. Only Always allow those items you know are legitimate that need regular access. These include your browser, email, and AV. None of your media players and viewers (Realtek, Macromedia/Macrovision, iTunes, Intervideo, uvpl, QuickTime, AdobeUpdateManager) need full time access. If a program seeks access without any prompt from you (for example, you did not start a program and suddenly your FW is alerting you to some activity), be suspicious and at most, only grant one-time access until you are sure it is okay.
I allow NOTHING to automatically check, or download updates except for my anti-virus (AVG) and my anti-spyware (SUPERAntispyware - Paid version with realtime protection). Everything else I have set to manual - Even Windows Update I have set to only check, then notify me. So I suggest you go through all your programs and verify settings.
All the things in your MSCONFIG (and in Task Manager) can be verified by simply plugging the file name in Google and going to the Process Information sites that come up. The main sites I use to verify the validity of any entries are:
Uniblue Process Library
Bleeping Computer Startup Programs Database
CastleCops Startup List
You can use those sites to determine if it is safe to disable, or completely remove the service. You can also uncheck items in MSCONFIG and then reboot. However, care must be taken so you don't uncheck a critical item so do your homework first. When Windows comes up again, MSCONFIG will prompt to run and you can say no to proceed (otherwise MSCONFIG starts again).
Then I think you should refer to the What TheTech HijackThis Log Procedures for complete instructions on running HijackThis, then post a log where instructed. Hopefully the HJT analysts will see something. Please refer to this post so they can catch up, then post back here with a status when done.
─────────────────────
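One way to answer the question raised in posts #5 and #7 (which program on the machine is going out and requesting the traffic), as an added example that is not part of the original thread: it joins `netstat -ano` output with `tasklist /fo csv /nh` output by PID and keeps only established connections that leave the local network. The sample output and the process name updater.exe are constructed, and tasklist is assumed to be available on the machine.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1045      203.0.113.25:80        ESTABLISHED     1480
  TCP    192.168.1.10:1046      203.0.113.25:80        ESTABLISHED     1480
  TCP    192.168.1.10:1050      198.51.100.7:443       ESTABLISHED     2204
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     2204
  TCP    192.168.1.10:1060      192.168.1.1:80         ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed sample of `tasklist /fo csv /nh`; updater.exe is a hypothetical name.
TASKLIST = '''\
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,120 K"
"updater.exe","1480","Console","0","3,004 K"
"iexplore.exe","2204","Console","0","41,332 K"
'''
# Loopback and RFC 1918 ranges: traffic that never reaches the ISP link.
LOCAL = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pid_names(tasklist_csv):
    """Map PID -> image name from CSV-formatted tasklist output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def internet_connections(netstat_text, tasklist_csv):
    """Return {(image name, PID): sorted remote endpoints} for established
    TCP connections whose remote address is outside the local ranges."""
    names = pid_names(tasklist_csv)
    found = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue  # header, UDP, listening or closing sockets
        host = f[2].rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # unparseable remote address
        if any(ip in net for net in LOCAL):
            continue
        pid = int(f[4])
        found[(names.get(pid, "<unknown>"), pid)].add(f[2])
    return {k: sorted(v) for k, v in found.items()}
```

A process name that shows up here without you having started the program is the one to look up in the process databases mentioned in post #7.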
#8
Posted 03 June 2008 - 09:15 PM
#9
Posted 03 June 2008 - 09:24 PM
─────────────────────
#10
Posted 04 June 2008 - 03:35 AM
#11
Posted 04 June 2008 - 06:44 AM
I was following up with my ISP - told them I would have to disconnect my service if I could not get this fixed



What made it worse was there was no way to disable their spam blocker, or change how it behaved. Fortunately, I am in a position to make some noise and I did! We were able to make them re-write the code so now we have the option to have suspected spam tagged as spam, but remain in our inboxes for our own email programs and spam blockers to access and process. But like you, it took threats to move to the competition to get action - and they got quite a few.
What helped to persuade them was when their spam blocker continually tagged their own newsletters as spam! lol
Back to NetLimiter - it is a useful tool but it too is quite intrusive, as you may have noticed - for example, it is pretty insistent about loading at start, whether you want, or need it to or not. I would recommend you remove (uninstall) it once you are sure your problem is resolved for good.
Anyway I assume your fix is holding and you are still happy. Thanks again for the followup.
─────────────────────
#12
Posted 05 June 2008 - 03:55 PM
Rich
Die with memories, not dreams. – Unknown
#13
Posted 06 June 2008 - 01:23 AM
Here is the info from the Kaspersky scan:
C:\Documents and Settings\Owner\Local Settings\Temp\stdmemio.sys Infected: Rootkit.Win32.Small.b
I did a Google search on "stdmemio.sys" and found only one site in English that mentions it. http://www.spywarete...tkitSmallb.html. They say that it is a "medium, unclassified" threat.
Have you heard of or used Spywareterminator? Would you recommend using that or something else (I haven't checked the download size yet)?
Thanks again for the post, without it I probably would have just thought everything was good.
Digerati, you're right about NetLimiter - don't know why it wants to come up on StartUp - also noticed that it comes up a lot in the Kaspersky scan as having "locked" files. Wonder why? Anyway, I'm still happy to have it for the moment, but I will remove it once this issue is finally sorted out.
Lisa
#14
Posted 06 June 2008 - 06:37 AM
"(Well done Digerati - I would've found the problem using your advice)."
Thanks, but Rich is right - I should have picked up on that earlier and elevated the sense of urgency for you to complete the scans - in particular, the HJT scan recommended earlier. Rootkits can be tricky, and sometimes impossible to remove. So I still recommend you have a HJT log analyzed as mentioned above. Note in my canned text, Cleaning Out Malware the Warning about fake and malicious anti-spyware programs. You will see that Spywareterminator is not the same program as Spyware Terminator by Crawler - the latter is valid, the other is not. Your link goes to the good (or "not bad", since I have no experience with the legitimate one) program.
─────────────────────
#15
Posted 06 June 2008 - 01:11 PM
Have tested it in the past, and found it adequate. It doesn't find / eliminate the really tough malware programs. So don't expect a whole lot for nothing.
Spyware Terminator can be a little intrusive upon installation and some time ahead, till it learns your habits / starting executing programs.
It also comes bundled with the Crawler Toolbar, which you have to de-select upon installation, along with the Web Security Guard (a site-advisor).
I also found that their support is really slow to respond to emails. Not recommended when you talk about something as important as security! I value support response time a lot, but if you can wait 2-3 extra days before getting answered, don't let that hold you back.
Start-up times are medium for such a program. It doesn't hog resources except during scans. Scanning is neither fast nor slow, but false positives can and will appear frequently. That doesn't have to be all negative tho, it's just flagging any suspicious files it finds, legit or not.
The program also comes with a history that hasn't promoted its use. The makers behind Spyware Terminator used to "sleep" with some of the bad guys that manufactured spyware!! And back in those days, it was considered a Rogue program. But all that is history, but thought I should still mention it.
Recommending it is another matter.
For instance, I would rather have Windows Defender along with SpywareBlaster (also free of charge) than Spyware Terminator, but if you have no other programs employing HIPS, it could be a consideration worth installing Spyware Terminator.
In addition, the two programs I linked to earlier in my first post (MBAM and SuperAntispyware) are much better programs than Spyware Terminator could ever hope to be. So use them as on-demand scanners. SuperAntispyware Pro is also relatively cheap for a life-long license.
If you need more specific answers, I'll need to find my notes about Spyware Terminator. Haven't had it for some long time now. Things might have changed for the better (or worse). But it's free to try, and if you don't like it, just uninstall.
Regards Abydos