Something is constantly uploading

Bookman

New Member
Gentlemen,

Can anyone find anything wrong with this HijackThis logfile? Something is constantly uploading and eating into my expensive prepaid broadband.

Thank you


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:25:23, on 5/03/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.16518)
Boot mode: Normal

Running processes:
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files (x86)\Norton Zone\Engine\1.2.0.4\NZ.exe
C:\Program Files (x86)\Second Copy 8\SecCopy.exe
C:\Program Files (x86)\ClipMate7\ClipMate.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Users\me\AppData\Roaming\1823\WmiPrv\WmiPrvSE.exe
C:\Windows\SysWOW64\C2MP\UpdateChecker.exe
C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files (x86)\TurboLaunch\TurboLaunch.exe
C:\Program Files (x86)\DFX\DFX.exe
C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
C:\Program Files (x86)\DFX\Universal\Apps\DfxSharedApp32.exe
C:\Program Files (x86)\DFX\Universal\Apps\dfxItunesSong.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\me\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files (x86)\Virgin Mobile Broadband\Virgin Mobile Broadband.exe
C:\Program Files (x86)\XYplorer\XYplorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/redirects/se...pvid=20.3.1.22
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:9050
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\IPS\IPSBHO.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\coIEPlg.dll
O4 - HKLM\..\Run: [DFX] C:\Program Files (x86)\DFX\DFX.exe -startup
O4 - HKCU\..\Run: [Second Copy] "C:\Program Files (x86)\Second Copy 8\SecCopy.exe"
O4 - HKCU\..\Run: [Multi Reminders] "C:\Program Files (x86)\Multi Reminders\reminder.exe" -c
O4 - HKCU\..\Run: [ClipMate7] C:\Program Files (x86)\ClipMate7\ClipMate.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: TurboLaunch.lnk = C:\Program Files (x86)\TurboLaunch\TurboLaunch.exe
O4 - Global Startup: Hard Disk Sentinel.lnk = C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
O8 - Extra context menu item: &Download All using 4shared Desktop - res://C:\Program Files (x86)\4shared Desktop\Desktop.32/D_ALL_LINK
O8 - Extra context menu item: &Download using 4shared Desktop - res://C:\Program Files (x86)\4shared Desktop\Desktop.32/D_ONE_LINK
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://novastor.cleverreach.com
O15 - Trusted Zone: http://*.google-analytics.com
O15 - Trusted Zone: *.incrediblecharts.com
O15 - Trusted Zone: http://*.novastor.com
O15 - Trusted Zone: *.incrediblecharts.com (HKLM)
O15 - ESC Trusted Zone: *.incrediblecharts.com
O15 - ESC Trusted Zone: *.incrediblecharts.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pu...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{120E9387-83BB-471B-9E92-15F0DFAED111}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CA37E37-1FC6-4547-90C7-DB692BA422C8}: NameServer = 123.200.191.17 123.200.191.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{120E9387-83BB-471B-9E92-15F0DFAED111}: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{120E9387-83BB-471B-9E92-15F0DFAED111}: NameServer =
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Service (DragonSvc) - Nuance Communications, Inc. - C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Remote Connections Service (FlexService) - Unknown owner - C:\Program Files (x86)\RapidBIT\cisvc.exe (file missing)
O23 - Service: FSDcSvc - FarStone Inc. - C:\Program Files (x86)\FarStone DriveClone\Files\FsSvcExe.exe
O23 - Service: Genie Timeline Service (GenieTimelineService) - Genie9 - C:\Program Files\Genie9\Genie Timeline\GenieTimelineService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HideMyIpSRV - Hide My IP - C:\Program Files (x86)\Hide My IP\HideMyIpSrv.exe
O23 - Service: HWDeviceService64.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService64.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MediaFire NTFS Monitor (MF NTFS Monitor) - Unknown owner - C:\Users\me\AppData\Local\MEDIAF~1\MFUSNM~1.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV32.EXE
O23 - Service: NovaStor NovaBACKUP Backup/Copy Engine (nsService) - NovaStor - C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe
O23 - Service: Norton Zone (NZ) - Symantec Corporation - C:\Program Files (x86)\Norton Zone\Engine\1.2.0.4\NZ.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - Sandboxie Holdings, LLC - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Second Copy VSS Service x64 (ScVssService64) - Centered Systems - C:\Program Files (x86)\Second Copy 8\ScVssService64.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Virgin Mobile Broadband. OUC (Virgin Mobile Broadband. RunOuc) - Unknown owner - C:\Program Files (x86)\Virgin Mobile Broadband\UpdateDog\ouc.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Wireless Broadband. OUC (Wireless Broadband. RunOuc) - Unknown owner - C:\Program Files (x86)\Internode Wireless Broadband\UpdateDog\ouc.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11827 bytes
 

johnb35

Administrator
Staff member
I'm at work right now but read the first sticky in the security section and run the programs suggested and post the logs. Then we will go from there.
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
I've moved this into the security section. Follow what John said (instructions of which I have posted here as well).

1.

Please download AdwCleaner by Xplode onto your Desktop.

• Please close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
• Click on Scan.
• After the scan you will need to click on clean for it to delete the adware.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

2.

Please download Junkware Removal Tool to your desktop.

• Shut down your antivirus to avoid any conflicts.
• Very important that you run the tool in this manner:
  Right-mouse click JRT.exe and select Run as administrator
  Do NOT just double-click it.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt in your next message.

3.

Please download Malwarebytes' Anti-Malware and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.

Please post the log that Malwarebytes displays on your screen.

4.

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• Click on Minimal Output at the top
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  ◦ When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Just post the OTL.txt file in your reply.

So in your original thread asking for help, please give us a short description of what the problem is and then post the logs from the following 4 programs.

1. Adwcleaner
2. Junkware removal tool
3. Malwarebytes
4. OTL
 

Bookman

New Member
Gentlemen,

Thank you for your response.

Alas I had already used System Restore to fix the problem, taking the above HijackThis snapshot first so as to ensure I did not reinstall whatever caused the bleed. I simply hoped someone, in examination of the HijackThis report, would be able to point to the culprit.

Thank you for your efforts.
 

johnb35

Administrator
Staff member
There is so much malware out there right now that will not show up in a HijackThis log. HijackThis is outdated and really no longer used in malware removal forums.
 