unknown program running in background using up my internet allowance

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bestspirit35, Sep 7, 2012.

  1. bestspirit35

    bestspirit35 Private E-2

    Someone is using my internet connection to upload and download data. I usually use perhaps 10 GB of internet usage per month on average, but for the last couple of months my connection has been racking up 40-plus GB, and I have to pay extra for it. I've disabled every program I can detect that isn't necessary, and I've run both SUPERAntiSpyware and Malwarebytes Anti-Malware as well as my own BitDefender Anti-Virus program in deep, full-system scans to try to detect the cause, but they all come up with a clean report. I am attaching a HijackThis log from a scan I took yesterday for your perusal and also an "Activity scan" I completed from advice on another source. This is driving me nuts! Sure hope someone can help me get to the bottom of it.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you use a router? Perhaps you have not secured it correctly. (Not a topic for this forum, but you could discuss it further in the software forum.)

    To completely check for any malware, we ask that you do slightly more than you have done: READ & RUN ME FIRST. Malware Removal Guide
     
  3. bestspirit35

    bestspirit35 Private E-2

    Many, many thanks for your help and your suggestions. I followed them all, and correctly for the most part. However, with Hitman, I didn't read far enough down on the screen soon enough and missed the opportunity to save a log showing the discovery of two trojans, "nb-driver" and "perfect installer", which Hitman quarantined. After I realized my error, I took a screenshot of Hitman showing the discoveries, and then ran it again, saving the log this time, which of course showed no problems. You will find both the screenshot and the log attached. This used up the five attachments I am allowed. I hope this is satisfactory.

    Since Hitman found two trojans, and quarantined them, I'm assuming, (for the time being) that my problem has been solved. I will monitor the situation for a few days to determine if that is true, and if not, will be contacting you again.

    I want to express my sincere thanks to Major Geeks and especially to Kestrel13, for all your help in this matter. Without you guys, I, and probably many many others would be sunk. You have my deepest gratitude.

    Bestspirit35
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there. :) Do you have the Mglogs.zip from running MGTools.exe?
     
  5. bestspirit35

    bestspirit35 Private E-2

    Duhhhhhh! Yes....lol, I forgot to attach it. Probably because I had used up the 5 places to attach files, still no excuse. I'm attaching it to this reply.

    Btw, I had already checked the router security and actually changed all passwords twice before I contacted Major Geeks, so I'm fairly sure that is not an issue.

    Many thanks again
    Bestspirit35
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there. The only thing I would question is this file here.

    C:\Windows\90C7D912BE2316.sys Do you know what it is?

    Also, click start > type in services.msc and click ENTER scroll down to the Background Intelligent Transfer Service and let me know its start up type and status please.
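    The two checks asked for above (the BITS service's start type and status, and what the unknown .sys file is) can be done from one elevated PowerShell prompt. This is an added example and not part of the thread or the MajorGeeks tools; it assumes PowerShell 3.0 or later and the BitsTransfer module that ships with Windows 7, and the only specific it takes from the thread is the file path. It goes a step further than services.msc: it also lists any BITS transfer jobs queued for any user (a known way for unwanted software to download in the background) and scans every service and driver entry in the registry for one that loads the unknown file.

```powershell
# Added example (not from the thread): inspect the BITS service, list queued BITS jobs,
# and find which service/driver entry (if any) loads an unknown .sys.
# Run from an elevated PowerShell prompt. Assumes PowerShell 3.0+ and the BitsTransfer module.
# $unknownDriver is the path named in the thread; no specific malware is assumed.

$unknownDriver = 'C:\Windows\90C7D912BE2316.sys'

# 1. BITS service: what services.msc shows, plus the registry values behind it.
$svc = Get-Service -Name BITS
"BITS status: $($svc.Status)"
$bitsKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
# Start: 2 = Automatic, 3 = Manual, 4 = Disabled
"BITS start type (registry): $($bitsKey.Start)"
"BITS ImagePath:             $($bitsKey.ImagePath)"
"BITS depends on:            $($bitsKey.DependOnService -join ', ')"
# A stock BITS entry runs inside svchost: %SystemRoot%\System32\svchost.exe -k netsvcs
# Anything else in ImagePath is worth a second look.

# 2. BITS jobs queued for any account. Each job lists the remote URLs it pulls from.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, OwnerAccount,
    BytesTransferred, BytesTotal,
    @{ n = 'Remote'; e = { ($_.FileList | ForEach-Object { $_.RemoteName }) -join '; ' } }

# 3. Which service or driver entry references the unknown .sys? Scan every ImagePath.
#    Type 1 = kernel driver, Type 16/32 = Win32 service.
$leaf = Split-Path $unknownDriver -Leaf
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -and $p.ImagePath -like "*$leaf*") {
        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = $p.Start
            Type      = $p.Type
            ImagePath = $p.ImagePath
        }
    }
}

# 4. Signature and timestamps of the file itself. An unsigned driver sitting directly
#    in C:\Windows (rather than System32\drivers) is unusual for legitimate software.
if (Test-Path $unknownDriver) {
    Get-AuthenticodeSignature $unknownDriver | Select-Object Status, SignerCertificate
    Get-Item $unknownDriver | Select-Object Length, CreationTime, LastWriteTime
}
```

    Step 3 is the useful part when a scanner has already quarantined or deleted the file: the service entry that points at it usually survives, and its name, start type and creation time are what tie the driver to whatever installed it. Run step 2 again after any cleanup, since a queued job will simply resume downloading once BITS is restored.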
     
  7. bestspirit35

    bestspirit35 Private E-2

    I have no idea at all what that file in C:\Windows\ * is. Total mystery to me. I used Google to look for it, and the only real reference I found was from the Malwarebytes forum, where someone was infected and getting help from a support person there. After a number of different scans were run and logs saved, the support person advised the infected writer to kill several files, one of them being "C:\Windows\90C7D912BE2316.sys". He didn't give any info about it, just instructed the person to "kill" it, which the person did. So, it would seem that it was considered a rogue file. After all scans were done, the person reported that everything was now OK, and the computer was running well with no problems. What do you think? Should I delete that file from my computer too?

    As for BITS, its startup type is "manual", and its status is blank. Nothing is written in there at all. Other lines are either blank like that, or "started".

    Again...thanks so much for your time and effort in helping me. I truly appreciate it very much.

    Bestspirit35
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. :)

    Yes, then reboot, and check it's still gone.

    Now download this file to your desktop.

    BITS.reg



    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BITS.reg file saved to your Desktop and double click it. Allow it to be added to the registry.

    Reboot!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  9. bestspirit35

    bestspirit35 Private E-2

    Hi, I tried to import the BITS file, but was unable to. I got the message: "Not all data was written to the registry. Some keys are open by the system or other processes." I am attaching the MGlogs.zip file. Will wait to hear from you for further instructions.
    BestSpirit35
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    BITS is back in place beautifully, is everything running nicely? Ready for final steps? :)
     
  11. bestspirit35

    bestspirit35 Private E-2

    Indeed I am, ready, willing and able. :-D
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    :-D OK then... here we go.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your disk emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  13. bestspirit35

    bestspirit35 Private E-2

    Oops.... I hate to report this but it looks like I spoke too soon! Upon checking my internet usage this morning, I find that it is still much higher than it should be, in both uploads and downloads, despite my not being personally active on the computer, though I have been leaving the computer on 24 hours a day in order to monitor usage. :( Are there any other scans that we can run to try to uncover whatever is responsible for this usage?

    BestSpirit35
     
    Last edited by a moderator: Sep 12, 2012
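    Once the malware scanners report clean but the usage is still high, the next question is which process owns the connections while the machine is idle. The snapshot below is an added example, not from the thread or any MajorGeeks tool: it parses the output of netstat -ano (present on XP, Vista and 7 with no extra modules) and maps each endpoint to its owning executable. It assumes PowerShell 3.0 or later and an elevated prompt; no particular program or malware is assumed.

```powershell
# Added example (not from the thread): list every TCP/UDP endpoint together with the
# process that owns it, so traffic seen on an idle machine can be tied to a program.
# Assumes PowerShell 3.0+ and an elevated prompt. No specific malware is assumed.

function Get-ConnectionOwner {
    # netstat -ano lines look like:
    #   TCP    192.168.1.5:49152    93.184.216.34:443    ESTABLISHED    1234
    #   UDP    0.0.0.0:5355         *:*                                 1100
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            $ownerId = [int]$Matches[5]
            $proc    = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Proto   = $Matches[1]
                Local   = $Matches[2]
                Remote  = $Matches[3]
                State   = $Matches[4]
                OwnerId = $ownerId
                Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path    = if ($proc) { $proc.Path } else { $null }
            }
        }
    }
}

# Drop loopback, wildcard and listening sockets; what remains actually talks to the outside.
$snap = Get-ConnectionOwner | Where-Object {
    $_.Remote -notmatch '^(127\.|\[::1\]|0\.0\.0\.0:|\*:)' -and $_.State -ne 'LISTENING'
}

$snap | Sort-Object Process, Remote |
    Format-Table Process, OwnerId, Proto, Local, Remote, State -AutoSize

# Connections per executable. An unfamiliar path, or anything outside C:\Windows and
# C:\Program Files, holding outbound connections on an idle box is the first thing to check.
$snap | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Path'; e = { $_.Name } }

# svchost.exe hosts many services (BITS among them); resolve which services live in
# each svchost process that showed up above.
$snap | Where-Object { $_.Process -eq 'svchost' } |
    Select-Object -ExpandProperty OwnerId -Unique |
    ForEach-Object { tasklist /svc /FI "PID eq $_" }
```

    A single snapshot shows who is connected, not how much is moving. Take it several times over an idle hour and compare; a process that is always present with active connections is the candidate. For per-process bytes per second on Vista and 7, open Resource Monitor (resmon.exe) and sort the Network tab by Send/Receive while the machine is otherwise idle. If every process looks legitimate and usage stays high, the consumption may be another device on the same connection, which is why the router question came up at the start of the thread.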
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I think you should ask about it in the networking forum. :)
     
