Unable to identify net usage

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tathagata, Apr 27, 2010.

  1. Tathagata

    Tathagata Private E-2

    Hi,

    Currently I have 3 computers in a remote location that access the WAN via a Cisco router.
    Trend Micro is used as anti virus suite with malwarebytes used whenever there is a possibility of infection.

    There has been an unusual amount of activity from these three computers over the last week. Going from no more than about 150Mb a day up to nearly 3Gb per day in the last week. The average download usage seems to be about 1.5Gb to 2Gb a day at present.

    I am ensuring the computers are turned off at night, this has stopped all usage during the evening. I am checking the standard ports including standard peer to peer ports on the router, with nothing unusual logged yet.
    I have run through many malware scans, I had removed some malware early on but in the scans I have done following your tutorials nothing has come up.

    I don't think the issues here extend to unspecified access points being brought into the LAN. At this point about the only thing I am sure of is that it seems to be affecting all 3 computers and it is definitely only on the computers (as it stops when they are off and immediately begins when they are on).

    Logs from your walk through are attached. I would really appreciate any help to figure out what is going on here.

    Thank you!
     

    Attached Files:

  2. Tathagata

    Tathagata Private E-2

    and the last one :)
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are all clean. I would ask what the below is used for and is it secured?

    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.exe

    If you believe that you still have disk space being used up and if you think it is coming from the network/internet, perhaps you should install a packet sniffer tool like the one below to see if you can trace it out:

    Wireshark
     
  4. Tathagata

    Tathagata Private E-2

    Thank you Chaslang.
    I believe I have the problem sorted. I'll detail it just in case this helps anyone else in a similar circumstance.

    Before I do that...Dameware is a remote desktop application that allows me to log into a remote machine and control it, without booting off the user at the other end.

    Ok, so the computers at the remote site use Trend Micro Worry Free Security. This product uses a server to control the application and the clients (on the remote machines) talk to the server to download updates, etc.

    In this case 2 of the clients had somehow become glitched and were constantly trying to update their virus definitions. This would happen at half-hourly intervals.
    Completely removing the clients from the machines and then reinstalling them with the latest client seems to have corrected the problem.

    I had set up an access list on the router that I was monitoring, but this didn't really help much. I was at the point of installing Wireshark when I noticed the constant regular activity in my ISP's logs and put 2 and 2 together.

    Thank you very much for your excellent tutorial on Malware removal, I will certainly be using that again in the future.
     
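As an added illustration (not code from the thread or from any of the tools named in it), this is the kind of check that would have surfaced the half-hourly update traffic from the router or ISP logs before reaching for Wireshark: group flow-log lines per LAN host, compare each host's total against the roughly 150MB-a-day baseline, and flag hosts whose connections recur at a regular interval. The log format, host addresses and byte counts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of router/ISP-style per-connection log lines (not from the
# thread): timestamp, LAN source host, remote destination, bytes transferred.
SAMPLE_LOG = """\
2010-04-20 09:00:05 src=192.0.2.11 dst=203.0.113.5 bytes=41000000
2010-04-20 09:30:02 src=192.0.2.11 dst=203.0.113.5 bytes=42000000
2010-04-20 10:00:09 src=192.0.2.11 dst=203.0.113.5 bytes=40500000
2010-04-20 10:30:04 src=192.0.2.11 dst=203.0.113.5 bytes=41800000
2010-04-20 09:12:44 src=192.0.2.12 dst=198.51.100.7 bytes=2100000
2010-04-20 11:47:10 src=192.0.2.12 dst=198.51.100.9 bytes=3400000
2010-04-20 15:03:55 src=192.0.2.12 dst=198.51.100.7 bytes=900000
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=\S+ bytes=(\d+)$")


def parse_log(text):
    """Group (timestamp, bytes) records per source host, sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a flow record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        flows[m.group(2)].append((ts, int(m.group(3))))
    for host in flows:
        flows[host].sort()
    return flows


def analyze(text, baseline_mb=150.0, min_gaps=3, max_cv=0.1):
    """Per host: total MB, whether it exceeds the baseline, and whether the
    connections recur at a regular interval (spread of the gaps between
    connections small relative to their mean), which is what a stuck
    updater polling every half hour looks like."""
    report = {}
    for host, recs in parse_log(text).items():
        total_mb = sum(b for _, b in recs) / 1e6
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        periodic, period_min = False, None
        if len(gaps) >= min_gaps:  # too few connections to judge regularity
            avg = mean(gaps)
            periodic = avg > 0 and pstdev(gaps) / avg < max_cv
            period_min = round(avg / 60) if periodic else None
        report[host] = {"total_mb": total_mb, "over_baseline": total_mb > baseline_mb,
                        "periodic": periodic, "period_min": period_min}
    return report
```

Run against a real export, the hosts reported as both over the baseline and periodic are the ones worth looking at first.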
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I'm happy to hear you have it all sorted out.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work thru the below link:
     
