Argh! Virus/botnet?


MercFanUk

Hi all, having some issues on the PC...

Network traffic is through the roof, causing massive headaches. Tried all manner of scanners etc., to no avail (including the RUBotted tool).

HijackThis shows nothing untoward either. Spybot S&D finds nothing but a couple of cookies. Tried Ad-Aware, nothing found. Same for Kaspersky's rootkit buster and Windows Defender.

Here's an example of what CommView sees (below). Always a different host, so can't just block the IP :(

If anyone has any ideas, I'd love to hear them :D I have booted up in safe mode (with networking), and the scumbag doesn't run. Scans still don't find anything though :(
 

Attachments: ss1.jpg, ss2.jpg
If you feel up to it, check in the following registry locations

Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

That is where the little buggers hide. Google/print-screen and post here anything you are unsure of before you delete it. Make sure you are 100% positive it's a virus, THIS CAN EASILY TRASH YOUR MACHINE!
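One way to go through those four keys without hand-checking each entry, as an added example that is not from this thread: the script lists every value, resolves the command line to its executable (quoted and unquoted forms both appear in Run keys), and reports whether the file exists and what its Authenticode signature says. It assumes Windows PowerShell 5.1 or later with rights to read HKLM; unsigned or missing files are the ones to look up before touching anything.

```powershell
# Added example, not the thread's own code. Enumerates the Run/RunOnce keys
# listed above and reports the signature status of each autorun executable.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunExePath {
    param([string]$Command)
    # Quoted form:   "C:\Program Files\Foo\foo.exe" -arg
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\Program Files\Foo\foo.exe /arg  (path may contain spaces)
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName etc.; those are not registry values.
            if ($prop.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-AutorunExePath $prop.Value))
            if (Test-Path -LiteralPath $exe) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $exe
                $status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            } else {
                $status = 'FileMissing'        # value points at a file that no longer exists
                $signer = ''
            }
            [PSCustomObject]@{
                Key = $key; Name = $prop.Name; Exe = $exe; Status = $status; Signer = $signer
            }
        }
    }
}

# Anything that is not 'Valid' from a vendor you recognise deserves a closer look.
Get-AutorunReport | Sort-Object Status | Format-Table -AutoSize -Wrap
```

The per-user hives of other accounts (the HKUS\S-1-5-19 and S-1-5-20 lines HijackThis shows) are not covered; load them under HKU: and add the paths to $autorunKeys if you want those too.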
 
Hijack this reports these as being there:

Code:
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Live Update 5] C:\Program Files\MSI\Live Update 5\LU5.exe /reminder
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

I'll quickly do a manual check now though too - edit, checked myself, all looks as above :(
 
Looks odd. I'd suspect a DoS attack on some Israeli site, looking at the IP addr.

Anything odd running?
 
Nothing whatsoever - that site is just one, it'll change with every new burst. Always a different IP/server/country.
 
I've installed the free version of Zone Alarm, and so far no more traffic :D Although unusually, it never popped up anything unusual that was requesting access... I'll keep an eye on the inbound traffic though in case something is still trying to come in to initiate the program...
 
Update: Getting lots of inbound probes to my httpd service from one particular IP (I have a local apache server for testing), I'm guessing that I have a version that's exploitable. I'll have to update it and see how things go :D
 
While Zonealarm may well be stopping the nasties accessing the outside world, it's still probable the infection is still on your PC. Download and run Malwarebytes to see what it can find.
 
I'd already tried that, found nada :(

So far I think it's a hole in my apache server. Going to test thoroughly tomorrow though, and for now enjoy some internet that works :D
 
If you're running Win7, try the Resource Monitor

Start>All Programs>Accessories>System Tools>Resource Monitor

Click on the Network tab and it will list all processes accessing the network. Or at least those that are allowed to announce their presence ;)
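The same view from the command line, as an added example that is not from this thread: it groups the established TCP connections by owning process and lists the remote endpoints per process, which is what you want when the traffic keeps changing destination. It assumes Windows 8 or later (Get-NetTCPConnection is not on Win7, where netstat -ano gives the same PID column) and an elevated prompt so the process paths are readable.

```powershell
# Added example, not the thread's own code. Maps live outbound connections
# to the process that owns them, most connections first.
function Get-RemoteEndpointsByProcess {
    $local = @('127.0.0.1', '::1', '0.0.0.0', '::')
    Get-NetTCPConnection -State Established, SynSent |
        Where-Object { $_.RemoteAddress -notin $local } |
        Group-Object OwningProcess |
        ForEach-Object {
            # Group name is the PID as a string; the process may have exited already.
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            $remotes = $_.Group |
                ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
                Sort-Object -Unique
            [PSCustomObject]@{
                PID         = [int]$_.Name
                Process     = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Path        = if ($proc) { $proc.Path } else { '' }
                Connections = $_.Count
                Remotes     = $remotes -join ', '
            }
        } |
        Sort-Object Connections -Descending
}

Get-RemoteEndpointsByProcess | Format-Table -AutoSize -Wrap
```

Like Resource Monitor, this reads the kernel's connection table, so it shows the same set of processes; comparing its remote addresses against what CommView captures on the wire is how you notice traffic that no listed process admits to.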
 
Worth running the MS Malicious software removal tool as well, just to be sure.
 
