Issue that is costing me money monthly

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Scwolf, Sep 22, 2011.

  1. Scwolf

    Scwolf Private E-2

    I seem to have a whole bunch of active connections going on my computer, which are apparently using up my bandwidth like crazy. I'm in Canada, and using Rogers as a service provider. I have 100 GB of monthly usage, and because of this spyware I'm apparently using 11+ gigs a day. This is costing us a fortune, and I seriously need some help.

    I have tried using Malwarebytes full version, doing a full scan, and Super anti-spyware. I also do full system scans, defrag, and clean my computer's registry, temp files, and broken shortcuts about 3 times a week. This is a brand new computer, and runs flawlessly, I just have this spyware issue that is costing me a ton on my internet bill. Please help me, I'm trying my best to figure things out on my own, but I've finally decided to ask for help, and I wanted help from the best.

    This is what I see when I check my active connections in CMD:

    http://i115.photobucket.com/albums/n289/SCWolf/Sigs%20And%20Graphics/this.png
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to the Malware Removal Forum.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. Scwolf

    Scwolf Private E-2

    Ok so I did what you told me to and it has literally made no difference; it has really only made me have more problems with running programs. My issue is that because of what I get in my "netstat" my incoming bandwidth rises at ridiculous amounts. It goes up by about 100 MB every 15 minutes. Yesterday I did nothing on my computer but let it run and according to my Day-To-Day usage meter, I used 700+ MB yesterday.

    I ran everything that I could possibly run, which is what you told me to run and it picked up nothing. PLEASE give me some help here, I don't have the money to keep paying for this.

    Sorry if any of this comes off as rude, I'm just insanely frustrated :\
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    While I can understand that you are frustrated, it does come off as rude. We are all volunteers here and some patience is required.

    How was Kestrel13! supposed to help you without any logs to analyze?? You just now followed the directions and attached logs for analysis. You have to be patient as you are not the only person waiting to be helped.

    If you want a quick solution -- reformat and reload Windows.
     
  5. Scwolf

    Scwolf Private E-2

    I may end up doing that :/
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What are you currently using for antivirus?

    Java(TM) 6 Update 26 <--- uninstall outdated Java.

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Windows\„ør
    Folder::
    C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
    DirLook::
    C:\Users\Chris\AppData\Local\{054C8DD6-9B72-4D5C-B94C-52B0DB58BEBC}
    C:\Users\Chris\AppData\Local\{06F02B49-1173-4032-AD62-3594791E78BB}
    C:\Users\Chris\AppData\Local\{09479246-131C-4A01-94D5-C0D6E50AAE1B}
    C:\Users\Chris\AppData\Local\{0CB69E4F-A1A2-49F9-8B4F-2BCA07911C4A}
    C:\Users\Chris\AppData\Local\{0DEBABA5-CDEE-49B1-8EC9-BAAC95FA80EF}
    C:\Users\Chris\AppData\Local\{11BC1E4A-CC69-4776-AFCA-A60E2BB97105}
    C:\Users\Chris\AppData\Local\{134AD1E5-5F83-4194-AABA-306E6B1A856F}
    C:\Users\Chris\AppData\Local\{144312C8-AB89-4225-BF1E-A2E46F7AACE4}
    C:\Users\Chris\AppData\Local\{1514A083-0AED-43CF-A345-08E218943753}
    C:\Users\Chris\AppData\Local\{1727C015-774A-46FB-A2F0-C5BF6E5A33F8}
    C:\Users\Chris\AppData\Local\{1B80FAA7-C86F-46B9-91B9-D9B356230179}
    C:\Users\Chris\AppData\Local\{1C3206D8-8D4F-443D-A914-2F800D861C07}
    C:\Users\Chris\AppData\Local\{214B74D5-EE7B-4FFF-9DB2-EA3C1037FE49}
    C:\Users\Chris\AppData\Local\{234D5787-A3E6-47A5-A4D1-F0A94655D82C}
    C:\Users\Chris\AppData\Local\{2796D392-3752-4E05-87BB-2701C84D219C}
    C:\Users\Chris\AppData\Local\{27FF78C3-9BAD-48C8-B28B-5D83BDAC4233}
    C:\Users\Chris\AppData\Local\{28DCAAAC-0F8E-4766-AEC2-F164AF263E8B}
    C:\Users\Chris\AppData\Local\{28E34C53-5139-4525-B373-EED575DF82DB}
    C:\Users\Chris\AppData\Local\{2A0C0B12-0F51-4A15-BD56-BB4FB0B50660}
    C:\Users\Chris\AppData\Local\{311C2F65-7301-4E20-893B-CA99F4130BC7}
    C:\Users\Chris\AppData\Local\{3783768B-64FA-4D2E-9ECE-F9633E3E8CA4}
    C:\Users\Chris\AppData\Local\{3B929DC0-68C8-4477-A77E-1C949FEB9733}
    C:\Users\Chris\AppData\Local\{45DFA0BC-265D-4301-BD43-D01B3C154969}
    C:\Users\Chris\AppData\Local\{47ABB10A-992E-4C3B-81D1-C939F33CB393}
    C:\Users\Chris\AppData\Local\{4A4BDDB3-08B4-43A2-A797-D185A48C2DFE}
    C:\Users\Chris\AppData\Local\{4D79B72D-170E-4D39-8EB9-0828D5ED2B3B}
    C:\Users\Chris\AppData\Local\{4D7CAAD6-B4C4-4384-8DC9-F348ACFCEFA0}
    C:\Users\Chris\AppData\Local\{52B0956A-0BB1-47D1-B41B-987D6496F9C2}
    C:\Users\Chris\AppData\Local\{52B7B22E-A451-43B3-B29A-22585B295C26}
    C:\Users\Chris\AppData\Local\{56496158-BD49-459B-B49E-C8AF4BF10872}
    C:\Users\Chris\AppData\Local\{567E2616-A940-4260-ACD9-6916C449E93A}
    C:\Users\Chris\AppData\Local\{56D2E263-EF25-4FF2-9D03-6FE5A5A1E59D}
    C:\Users\Chris\AppData\Local\{56D7073C-A129-46EB-92A5-2331C5582D4E}
    C:\Users\Chris\AppData\Local\{571866CC-12A5-48C3-91D1-2518A3D717B6}
    C:\Users\Chris\AppData\Local\{5841B65E-DA18-4B3A-8234-0B4EDE4028F0}
    C:\Users\Chris\AppData\Local\{58ECBE86-EDB4-40DF-BA9F-FB35CF6CFA32}
    C:\Users\Chris\AppData\Local\{5C6BA455-054D-401F-8262-B8082526BDE9}
    C:\Users\Chris\AppData\Local\{63831B23-876F-40D8-B77B-6046CEED6F44}
    C:\Users\Chris\AppData\Local\{65C41D57-93F7-4149-AA42-DAF5CA58F1DC}
    C:\Users\Chris\AppData\Local\{6955E084-5063-477F-8A77-B2717219D771}
    C:\Users\Chris\AppData\Local\{6C6F1CED-D079-46D3-B062-E9EB05831EBB}
    C:\Users\Chris\AppData\Local\{768B5BC2-2BB7-4E1C-A8D8-5FBBFF08F4CD}
    C:\Users\Chris\AppData\Local\{7B759F78-9112-4FAA-B32A-3952E64602C4}
    C:\Users\Chris\AppData\Local\{86AAEBA8-82B5-468C-B211-FEB115FB0DFE}
    C:\Users\Chris\AppData\Local\{8CEB07A1-3486-43F2-9D5D-9C119AAEA1AC}
    C:\Users\Chris\AppData\Local\{8F4850D1-803E-4176-BA43-4C132CF77A94}
    C:\Users\Chris\AppData\Local\{905F904E-8E97-43F2-B521-C06174A93922}
    C:\Users\Chris\AppData\Local\{9209EBFC-F2B0-43A7-8399-0FFD0710F1C4}
    C:\Users\Chris\AppData\Local\{962A7261-7956-4234-9E7D-D1F1BC1D7CF1}
    C:\Users\Chris\AppData\Local\{96F2B7B3-12D4-4394-A056-89DAB7BCB185}
    C:\Users\Chris\AppData\Local\{998FD983-1E52-4D9F-8EE7-E2D08E08E368}
    C:\Users\Chris\AppData\Local\{9DB2A4CF-9CAB-4CBA-8C7D-3F2ADE1087C6}
    C:\Users\Chris\AppData\Local\{9EF391D8-9619-4337-A307-B09173524F11}
    C:\Users\Chris\AppData\Local\{A24942CC-E318-4A54-B9A8-002D681104BE}
    C:\Users\Chris\AppData\Local\{A6E3968B-BB81-4BCE-B4ED-11C5E1EA874D}
    C:\Users\Chris\AppData\Local\{ABF24BF0-8F20-416F-A8D5-68D844E398DC}
    C:\Users\Chris\AppData\Local\{ACEBAFA0-D523-4DAA-B752-497CDD74D60C}
    C:\Users\Chris\AppData\Local\{B36CB876-D79B-4B23-9016-01651FD6BAFE}
    C:\Users\Chris\AppData\Local\{B80DA41C-CB27-41E4-B436-5B18CFB197D1} 
    C:\Users\Chris\AppData\Local\{BD2E2F24-8962-4C6B-8E00-6CC56121529B}
    C:\Users\Chris\AppData\Local\{BD8A67FD-2091-4A21-B4F5-F154AD1D5D4E}
    C:\Users\Chris\AppData\Local\{BF7BB36C-7308-4700-AD2D-AAA1D9107D85}
    C:\Users\Chris\AppData\Local\{C5FD7917-D7B8-465F-85AF-88D8A0050490}
    C:\Users\Chris\AppData\Local\{CA37ADCE-7255-4EBA-BD74-3BA6697BDA94}
    C:\Users\Chris\AppData\Local\{CBD4A445-CC23-41A8-B7D5-2497D37804F1}
    C:\Users\Chris\AppData\Local\{EBC87EF9-1BD1-4D53-9655-8977889DB73A}
    C:\Users\Chris\AppData\Local\{ED0CA1FE-73F4-4A62-9270-5C067216CC73}
    C:\Users\Chris\AppData\Local\{ED10037A-C02B-4730-96E8-42BCB68C631E}
    C:\Users\Chris\AppData\Local\{F1513793-9D76-474E-A968-91459FC64856}
    C:\Users\Chris\AppData\Local\{F49199B3-FC80-4DA7-8B68-4FE684BF06EE}
    C:\Users\Chris\AppData\Local\{F58817E1-4661-406A-9F0A-9B7F72C6BF57}
    C:\Users\Chris\AppData\Local\{FB4CDB4E-BBAD-4621-93DB-A1AC4F74A481}
    C:\Users\Chris\AppData\Local\{FC76BBF1-9B57-4A43-864C-5F5CB374B56B}
    C:\Users\Chris\AppData\Local\{FCC51616-8057-44A7-820A-57995A6F39BC}
    C:\Users\Chris\AppData\Local\{FDD3BF81-BA09-4396-9037-7CC3036A18DD}
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.



    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    It may be that I send you off to the networking forum to seek advice.
     
  7. Scwolf

    Scwolf Private E-2

    Alright I am definitely going to do all of this when I get home from work today. I'm sorry about before and I greatly appreciate the help you're giving me. Working in a Rogers PLUS retail outlet, I should know not to get so frustrated because it doesn't help in any way. Yesterday I did do an online support chat with a technician and my problem completely stumped him. He even took remote control of my computer and still could not figure out what was going on.

    Here are some more netstat's that he asked me to do for him. It might give you some idea on what I'm dealing with. And I am 100% going to do everything you told me to do once I'm home from work tonight, this is just to give you more of an idea on what I'm dealing with if nothing works out tonight.

    http://i115.photobucket.com/albums/n289/SCWolf/netstat-b.png
    This first picture is with Google Chrome running. This is a netstat -b

    http://i115.photobucket.com/albums/n289/SCWolf/thisshit.png
    This second is without Chrome running. Also a netstat -b

    http://i115.photobucket.com/albums/n289/SCWolf/whateven.png
    This is also without Chrome running. Just a normal netstat.

    PS: I use AVG Internet Security Paid version. Not that I really use it, I don't usually ever get viruses. This is really the first issue I've ever run into like this. Also not that I won't try again later, but I did have the up-to-date version of SUPERAnti-Spyware, and I got the same results. I will try again after work though.
     
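The screenshots above come from `netstat -b`, which prints the owning image in brackets under each connection. As an added example (not code from the thread or from MajorGeeks), the following script parses that text form of `netstat -b -n -o` output and groups ESTABLISHED sessions by owning process and PID, so the process holding the most remote peers stands out; the sample output, PIDs, addresses and the image name unknownproc.exe are constructed for illustration.

```python
import re

# Constructed 'netstat -b -n -o' sample: PIDs, addresses and unknownproc.exe are invented.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  RpcSs
 [svchost.exe]
  TCP    192.168.0.10:49170     203.0.113.5:443        ESTABLISHED     2812
 [chrome.exe]
  TCP    192.168.0.10:49300     198.51.100.20:6881     ESTABLISHED     3104
 [unknownproc.exe]
  TCP    192.168.0.10:49301     198.51.100.21:6881     ESTABLISHED     3104
 [unknownproc.exe]
  TCP    192.168.0.10:49302     198.51.100.22:6881     ESTABLISHED     3104
 [unknownproc.exe]
  UDP    0.0.0.0:500            *:*                                    1100
 Can not obtain ownership information
"""

# One connection row: proto, local, foreign, optional state (absent for UDP), PID.
CONN_RE = re.compile(r"^\s+(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return connection dicts; a following '[image.exe]' line names the row's owner."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid), "owner": "unknown"})
        elif conns and (exe := re.match(r"^\s*\[(.+)\]\s*$", line)):
            conns[-1]["owner"] = exe.group(1)  # service names such as 'RpcSs' are skipped
    return conns

def established_by_owner(conns):
    """Map (image, PID) -> set of distinct remote hosts with ESTABLISHED TCP sessions."""
    hosts = {}
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED":
            hosts.setdefault((c["owner"], c["pid"]), set()).add(c["remote"].rsplit(":", 1)[0])
    return hosts

def busiest_owners(conns, min_hosts=3):
    """(image, PID, host count) for owners with at least min_hosts remote peers, busiest first."""
    items = [(o, p, len(h)) for (o, p), h in established_by_owner(conns).items()]
    return sorted((t for t in items if t[2] >= min_hosts), key=lambda t: -t[2])
```

On a live machine, run `netstat -b -n -o` from an elevated prompt, save the output to a file and feed its contents to `parse_netstat`; an image you do not recognise at the top of `busiest_owners` is the one whose file location and signer to check next.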
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes attach the logs and I will have a look, then we will decide whether or not you should instead be asking about your problem in the Networking forum.
     
