Jump to content


Photo

Unknown Upload


  • Please log in to reply
3 replies to this topic

#1 Xyper

Xyper

    Member

  • New Member
  • Pip
  • 2 posts

Posted 12 June 2004 - 01:57 AM

Hi, I need some help. I've got a dial-up connection which has been uploading for no reason. There has been a continous data upload to somewhere. I've tried ad-aware and spybot and using netlimiter to stop uploading but none of these worked. From the dial up properties it seems that the upload speed is around 1 to 2 Kbps.

Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 2:52:54 PM, on 12/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\TrayIcon.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\WINDOWS\htpatch.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
D:\WINDOWS\System32\msconfg.exe
D:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
D:\WINDOWS\System32\lcslpf.exe
D:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\hNCPlus\hNCPlus.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Justin Tan\Local Settings\Temp\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DisplayTrayIcon] D:\WINDOWS\System32\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HTpatch] D:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dsdrvshchid] D:\WINDOWS\System32\lcslpf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O10 - Unknown file in Winsock LSP: d:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\idmmbc.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8142.8112847222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEB3662F-25B4-4F34-8292-88E9807B0B5E}: NameServer = 203.12.160.35 203.12.160.36

#2 discogail

discogail

    "All you need is a gorilla and a dream"

  • Emeritus
  • Pip
  • 86 posts

Posted 12 June 2004 - 08:16 AM

First.....create a new folder.......place HijackThis in it.............then, w/ all other browser windows closed...and only HijackThis running.....check off:

O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [dsdrvshchid] D:\WINDOWS\System32\lcslpf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe


"Fix Checked"........Reboot to SAFE mode
How to start the computer in Safe mode

Show hidden files and folders-->
Show hidden files & folders

go to:
D:\WINDOWS\System32 & delete lcslpf.exe...msconfg.exe *NOTE the spelling........do not touch msconf.exe...that's legit

reboot normally.....check yourself out......if no joy..rescan & post a new log into your next reply.
BTW..do you currently have an Antivirus installed?

#3 Xyper

Xyper

    Member

  • New Member
  • Pip
  • 2 posts

Posted 12 June 2004 - 09:47 AM

yup, got it.
Its not uploading anymore. What was it anyway? Some trojan? And I had avast! antivirus install but I deleted it a few days ago.

#4 discogail

discogail

    "All you need is a gorilla and a dream"

  • Emeritus
  • Pip
  • 86 posts

Posted 12 June 2004 - 10:01 AM

Yup...most likely an IRC/SdBot trojan...........running w/ out an antivirus is not recommended.............
another free one is AVG-->
http://www.grisoft.c...s_dwnl_free.php




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button