Something is constantly uploading

Discussion in 'Computer Security' started by Bookman, Mar 4, 2014.

  1. Bookman (New Member)

    Gentlemen,

    Can anyone find anything wrong with this HijackThis logfile? Something is constantly uploading and eating into my expensive prepaid broadband.

    Thank you


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 01:25:23, on 5/03/2014
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v11.0 (11.00.9600.16518)
    Boot mode: Normal

    Running processes:
    C:\ProgramData\DatacardService\DCSHelper.exe
    C:\Program Files (x86)\Norton Zone\Engine\1.2.0.4\NZ.exe
    C:\Program Files (x86)\Second Copy 8\SecCopy.exe
    C:\Program Files (x86)\ClipMate7\ClipMate.exe
    C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    C:\Program Files (x86)\Windows Sidebar\sidebar.exe
    C:\Users\me\AppData\Roaming\1823\WmiPrv\WmiPrvSE.exe
    C:\Windows\SysWOW64\C2MP\UpdateChecker.exe
    C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
    C:\Program Files (x86)\TurboLaunch\TurboLaunch.exe
    C:\Program Files (x86)\DFX\DFX.exe
    C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
    C:\Program Files (x86)\DFX\Universal\Apps\DfxSharedApp32.exe
    C:\Program Files (x86)\DFX\Universal\Apps\dfxItunesSong.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Notepad++\notepad++.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files (x86)\Virgin Mobile Broadband\Virgin Mobile Broadband.exe
    C:\Program Files (x86)\XYplorer\XYplorer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/redirects/se...pvid=20.3.1.22
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:9050
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
    O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\coIEPlg.dll
    O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\IPS\IPSBHO.DLL
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\coIEPlg.dll
    O4 - HKLM\..\Run: [DFX] C:\Program Files (x86)\DFX\DFX.exe -startup
    O4 - HKCU\..\Run: [Second Copy] "C:\Program Files (x86)\Second Copy 8\SecCopy.exe"
    O4 - HKCU\..\Run: [Multi Reminders] "C:\Program Files (x86)\Multi Reminders\reminder.exe" -c
    O4 - HKCU\..\Run: [ClipMate7] C:\Program Files (x86)\ClipMate7\ClipMate.exe
    O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: TurboLaunch.lnk = C:\Program Files (x86)\TurboLaunch\TurboLaunch.exe
    O4 - Global Startup: Hard Disk Sentinel.lnk = C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
    O8 - Extra context menu item: &Download All using 4shared Desktop - res://C:\Program Files (x86)\4shared Desktop\Desktop.32/D_ALL_LINK
    O8 - Extra context menu item: &Download using 4shared Desktop - res://C:\Program Files (x86)\4shared Desktop\Desktop.32/D_ONE_LINK
    O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O15 - Trusted Zone: http://novastor.cleverreach.com
    O15 - Trusted Zone: http://*.google-analytics.com
    O15 - Trusted Zone: *.incrediblecharts.com
    O15 - Trusted Zone: http://*.novastor.com
    O15 - Trusted Zone: *.incrediblecharts.com (HKLM)
    O15 - ESC Trusted Zone: *.incrediblecharts.com
    O15 - ESC Trusted Zone: *.incrediblecharts.com (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pu...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{120E9387-83BB-471B-9E92-15F0DFAED111}: NameServer =
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5CA37E37-1FC6-4547-90C7-DB692BA422C8}: NameServer = 123.200.191.17 123.200.191.18
    O17 - HKLM\System\CS1\Services\Tcpip\..\{120E9387-83BB-471B-9E92-15F0DFAED111}: NameServer =
    O17 - HKLM\System\CS2\Services\Tcpip\..\{120E9387-83BB-471B-9E92-15F0DFAED111}: NameServer =
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: Dragon Service (DragonSvc) - Nuance Communications, Inc. - C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Remote Connections Service (FlexService) - Unknown owner - C:\Program Files (x86)\RapidBIT\cisvc.exe (file missing)
    O23 - Service: FSDcSvc - FarStone Inc. - C:\Program Files (x86)\FarStone DriveClone\Files\FsSvcExe.exe
    O23 - Service: Genie Timeline Service (GenieTimelineService) - Genie9 - C:\Program Files\Genie9\Genie Timeline\GenieTimelineService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: HideMyIpSRV - Hide My IP - C:\Program Files (x86)\Hide My IP\HideMyIpSrv.exe
    O23 - Service: HWDeviceService64.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService64.exe
    O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
    O23 - Service: MediaFire NTFS Monitor (MF NTFS Monitor) - Unknown owner - C:\Users\me\AppData\Local\MEDIAF~1\MFUSNM~1.EXE
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV32.EXE
    O23 - Service: NovaStor NovaBACKUP Backup/Copy Engine (nsService) - NovaStor - C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe
    O23 - Service: Norton Zone (NZ) - Symantec Corporation - C:\Program Files (x86)\Norton Zone\Engine\1.2.0.4\NZ.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Sandboxie Service (SbieSvc) - Sandboxie Holdings, LLC - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: Second Copy VSS Service x64 (ScVssService64) - Centered Systems - C:\Program Files (x86)\Second Copy 8\ScVssService64.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: Virgin Mobile Broadband. OUC (Virgin Mobile Broadband. RunOuc) - Unknown owner - C:\Program Files (x86)\Virgin Mobile Broadband\UpdateDog\ouc.exe
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: Wireless Broadband. OUC (Wireless Broadband. RunOuc) - Unknown owner - C:\Program Files (x86)\Internode Wireless Broadband\UpdateDog\ouc.exe
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 11827 bytes
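Added example (editor's addition; not code from the thread above or from HijackThis): a small Python script that parses a HijackThis 2.x log offline, splitting it into the "Running processes" block and the R/F/O-section entries, and then applies the generic checks a forum helper performs by eye: a process that carries the name of a Windows system binary but runs outside System32/SysWOW64, a process started from a user-writable path, a browser ProxyServer value, an O10 LSP that HijackThis could not identify, and an O23 service with no publisher whose binary is present. The sample input is an excerpt of the log posted above with the line-wrap spaces removed; the heuristic names and the list of borrowed system-binary names are assumptions of this example. Every finding is a lead for manual review, not a verdict: for instance, 127.0.0.1:9050 is the default SOCKS port of Tor and the log also shows a "Hide My IP" service and LSP, so a local proxy is not by itself evidence of compromise, and the many "(file missing)" services are the usual artifact of the 32-bit HijackThis build not seeing the 64-bit System32 through file-system redirection, so the script deliberately skips them.

```python
"""Offline triage of a Trend Micro HijackThis 2.x log.

Added example, not part of the thread above nor of HijackThis itself.
Parses the "Running processes:" block and the R/F/O-section entries, then
applies a few generic checks a forum helper does by eye. Every finding is a
lead for manual review, never a verdict.
"""
import re
from collections import defaultdict

# Excerpt of the log posted above (wrap spaces in paths removed).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
C:\Users\me\AppData\Roaming\1823\WmiPrv\WmiPrvSE.exe
C:\Windows\SysWOW64\C2MP\UpdateChecker.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:9050
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
"""

# Windows system binary names that malware often borrows (assumed list).
# One of these running outside System32/SysWOW64 deserves a look.
SYSTEM_NAMES = {"wmiprvse.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                "explorer.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+$", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def parse(log):
    """Split a log into (running processes, {section code: [entry bodies]})."""
    processes, entries = [], defaultdict(list)
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:            # the block ends at the first blank line
                in_procs = False
        else:
            m = ENTRY.match(line)
            if m:
                entries[m.group("sec")].append(m.group("body"))
    return processes, entries


def triage(log):
    """Return an ordered, de-duplicated list of (reason, line) findings."""
    processes, entries = parse(log)
    findings = []
    for p in processes:
        name = p.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not SYSTEM_DIR.match(p):
            findings.append(("system binary name outside System32", p))
        elif USER_WRITABLE.search(p):
            findings.append(("process running from a user-writable path", p))
    # R0/R1: a ProxyServer value routes browser traffic through something else.
    for body in entries["R0"] + entries["R1"]:
        key, _, value = body.partition("=")
        if key.rstrip().endswith("ProxyServer") and value.strip():
            findings.append(("browser proxy configured", body))
    # O10: an LSP is loaded into every Winsock application; HJT could not name it.
    for body in entries["O10"]:
        findings.append(("Winsock LSP HijackThis could not identify", body))
    # O23: services with no publisher whose binary is present. "(file missing)"
    # on 64-bit Windows is usually the 32-bit HJT build failing to see System32
    # through file-system redirection, so those entries are skipped here.
    for body in entries["O23"]:
        if "Unknown owner" in body and "(file missing)" not in body:
            findings.append(("service with no publisher and binary present", body))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run it on the full log saved to a file by replacing SAMPLE_LOG with the file's contents; the point of the script is to turn a 150-line log into a handful of lines worth checking by hand (publisher, hash, creation time), which is also where a log-only approach stops: as the later reply in this thread notes, persistence that HijackThis never enumerates will not appear in any of these sections.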
     
  2. johnb35 (Administrator, Staff Member)

    I'm at work right now, but read the first sticky in the security section, run the programs suggested and post the logs. Then we will go from there.
     
  3. voyagerfan99 (The Chicken Master, Staff Member)

    I've moved this into the security section. Follow what John said (I have posted the instructions here as well).

    1.

    Please download AdwCleaner by Xplode onto your Desktop.



    •Please close all open programs and internet browsers.
    •Double click on adwcleaner.exe to run the tool.
    •Click on Scan.
    •After the scan you will need to click on clean for it to delete the adware.
    •Your computer will be rebooted automatically. A text file will open after the restart.
    •Please post the content of that logfile in your reply.
    •You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

    2.

    Please download Junkware Removal Tool to your desktop.

    •Shutdown your antivirus to avoid any conflicts.
    •Very important that you run the tool in this manner:
    Right-mouse click JRT.exe and select Run as administrator
    Do NOT just double-click it.
    •The tool will open and start scanning your system.
    •Please be patient as this can take a while to complete.
    •On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    •Post the contents of JRT.txt in your next message.

    3.

    Please download Malwarebytes' Anti-Malware and save it to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

    If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.

    EXPLORER.EXE
    IEXPLORE.EXE
    USERINIT.EXE
    WINLOGON.EXE

    But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying rkill is infected, keep trying to run rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.

    Please post the log that Malwarebytes displays on your screen.

    4.

    Download OTL to your Desktop


    •Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    •Click on Minimal Output at the top
    •Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    ◦When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Just post the OTL.txt file in your reply.

    So in your original thread asking for help, please give us a short description of what the problem is and then post the logs from the following 4 programs.

    1. Adwcleaner
    2. Junkware removal tool
    3. Malwarebytes
    4. OTL
     
  4. Bookman (New Member)

    Gentlemen,

    Thank you for your response.

    Alas, I had already used System Restore to fix the problem, taking the above HijackThis snapshot first so as to ensure I did not reinstall whatever caused the bleed. I simply hoped someone, in examination of the HijackThis report, would be able to point to the culprit.

    Thank you for your efforts.
     
  5. johnb35 (Administrator, Staff Member)

    There is so much malware out there right now that will not show up in a HijackThis log. HijackThis is outdated and really no longer used in malware removal forums.
     