Unexplained high broadband traffic


Jim

A real challenge to all spyware and malware experts.

Please excuse my bad manners in publishing this article in two
newsgroups simultaneously. I am not sure which one is most likely to
provide help in solving my problem.

If there is another newsgroup in which I should post this article
please let me know.


The problem that I have is driving me mad!


The problem is that my broadband traffic is at times extremely high
for completely unexplained reasons.

This is indicated by (1) the daily log kept by my ISP and (2) more
visibly by the icon in the lower right-hand corner on my screen that
consists of the two little monitor symbols. These symbols indicate
broadband activity by lighting up in light blue - one for up traffic
and the other for down traffic.

The problem has been around on and off for three months now.

Environment: Windows XP SP2, Symantec Norton 360, Namesco (ISP) and Ad-
Aware SE Personal. The last of these I run only on demand - usually
once a day.

When the problem is occurring the daily ISP log shows 4 or 5 times
normal megabytes per day and the monitor symbols are lit up all the
time.

Normally the log and the monitor symbols show low broadband activity.
I have been a fairly light user of the internet. No movie downloads,
etc. Just emails and web page accesses.

The high activity problem has occurred in two episodes. During the
first of these (a couple of weeks) the high traffic was more or less
equally divided between uploading and downloading. But during the most
recent episode (a couple of days) downloading has been very high while
uploading was normal.

My traffic has been so high that my ISP's monthly limit is 60% used
while I am only 40% into the month. I will be charged for any excess.
I have become so concerned that I am leaving my modem connection to my
phone line unplugged except when I need to access the internet.

Regarding the first episode: I tried PREVX. It found and removed some
malware. It reported that it put the following items in "jail".
zrmkxe.exe (4 KB)
ykouzmp.exe (4 KB)
ugstzfqp.exe (4 KB)
tftp4904 (4 KB)
shell64.dll (14 KB) (http://www.auditmypc.com/process/shell64.asp)
rphekn.exe (4 KB)
gpiawddx.exe (4 KB)
avgmb.exe (4 KB)

This cleared up the problem but PREVX and Norton 360 do not get along
with each other - Norton 360 will not work properly unless PREVX is
not present in the same system.

I spent a considerable amount of time on the Symantec technical help
line. Symantec finally apparently fixed the problem by activating the
Norton 360 backup facility. Traffic dropped back down to its normal
level for a while. I can't understand why this worked - what is the
connection between backup and the high traffic problem?

Broadband traffic went back to normal for a while but eventually the
high traffic problem returned on several occasions. They were fixed by
(1) installing PREVX, (2) doing a scan with it whereby it cleared out
some malware, and (3) uninstalling PREVX - all of this while
temporarily disabling Norton 360.

As I said earlier, the second and last episode of the high traffic
broadband problem began a few days ago. This seems to be different
than the first episode because the high traffic is mainly downloading
while uploading is normal.

The big issue with all this is that I need to find out what spyware
malware is causing my high traffic. Can anyone tell me how to do this?
Is there some diagnostic software that could be of use here?

Below are some items that might help diagnose my problem. All of these
were obtained when broadband traffic was very high as indicated by the
monitor symbols being lit up constantly.

The first item is a HijackThis log file. The last two are snapshots
of the most active processes in the Windows Task Manager process
display.

Thanks in advance for your help.

Jim

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Logfile of HijackThis v1.99.1
Scan saved at 23:41:58, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\System32\vssvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\fxssvc.exe
C:\WINNT\system32\dllhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\Jim.JIM-HOMEPC\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O9 - Extra button: (no name) - SolidConverterPDF - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156704428640
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {94908617-0D0A-470E-977F-7BAB6920D184} (CustomToolbar.Setup) - http://www.infocrawler.com/toolbar/Customtoolbar.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\System32\PGPsdkServ.exe
O23 - Service: PMounter - Unknown owner - C:\WINNT\system32\PMounter.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Two snapshots of the most active processes as displayed in the Windows
Task Manager:

psp.exe
System Idle Process
ccSvcHst.exe
LUCOMS~1.EXE
taskmgr.exe
eraser.exe
svchost.exe
LuCallbackProxy.exe

psp.exe
System Idle Process
LuCallbackProxy.exe
taskmgr.exe
explorer.exe
KService.exe
eraser.exe
svchost.exe
LUALL.EXE
LuCallbackProxy.exe
LuCallbackProxy.exe
LuCallbackProxy.exe
msdtc.exe
 

Malke

Jim wrote:
> A real challenge to all spyware and malware experts.
>
> (snip)

(snip HJT log)

We ask that you not post HijackThis logs in the MS newsgroups. HJT logs
take a great deal of time and expertise to analyze and you will not get
the assistance you need here. Instead, please register at one of the
following specialty sites below where you will get guided help. Your
computer is heavily infected and should definitely be taken off the
Internet until it is clean. It is also probable that you have a rootkit
or similar malware that is running a hidden process. Cleaning this type
of malware is extremely difficult, if not impossible.

So you have some choices:

1. Do as suggested and post to one of the forums below. This will
require that you have another computer from which to work since you
should *not* have the infected machine on the Internet. You will need
time and patience as well. You may still need to wipe the machine and
start over.

In any case, back up your data *now* if you haven't done it.

2. Or take the machine to a professional computer repair shop (not your
local version of BigComputerStore/GeekSquad) for cleaning. Please be
aware that not all local shops are skilled at removing malware and even
if they are, your computer may be so infested that Windows will need to
be clean-installed. Have all your data backed up before you take the
machine into a shop.

3. Or do a clean install of Windows. Do not connect to the Internet
until you are protected by the Windows Firewall built into XP and Vista.

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows -
What you will need on-hand

HijackThis specialty forums:

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 

pcbutts1

Go to my website http://www.pcbutts1.com/downloads use the email link at the
bottom, put "Running Now" in the subject line and email me. I will send you
my more extensive diagnostic tool, it works better than HJT, with
instructions on how to use it.


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"Jim" <koehler@btinternet.com> wrote in message
news:1192286950.230976.246240@i38g2000prf.googlegroups.com...
>A real challenge to all spyware and malware experts.
>
> (snip)
 

wng_z3r0

Regardless of the nature of pcbutts, which I won't get into here, I strongly
advise you NEVER to download code from an unknown entity on the internet in
a scenario that pcbutts is proposing. Not only do you not have any
information about pcbutts, but you could not even look at reviews from a
'trusted authority' such as perhaps CNET as for all you know, you could be
receiving a unique malware file that is emailed to you. Just a suggestion on
safe(r) internet habits.

Anyways, specifically concerning your network traffic, try installing
wireshark, and running a packet trace when the internet connection spikes:
http://www.wireshark.org/

As it appears you have a malware infestation on your computer, there is a
possibility that this malware is leeching private information in the
computer (such as passwords etc) back to a remote server, or perhaps the
computer is used as a 'bot'. In either case, you really should disconnect
the computer from the internet until the computer is cleaned. Not doing so
puts your computer at more risk and most likely others as well.

To begin cleaning your computer, can you please tell me what version of
windows you are running?

wng


"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fes0ee$phg$1@blackhelicopter.databasix.com...
> Go to my website http://www.pcbutts1.com/downloads use the email link at
> the bottom, put "Running Now" in the subject line and email me. I will
> send you my more extensive diagnostic tool, it works better than HJT, with
> instructions on how to use it.
>
> (snip)
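The packet-trace advice above stops at "run Wireshark when the spike happens". The next step, which Wireshark's Statistics > Conversations view also gives you, is to reduce the trace to a per-peer summary so that a single remote host moving data for minutes at a time stands out from ordinary browsing. The script below is an added example written for this thread, not code from any of the posters or from the Wireshark project. It assumes the capture has been exported as comma-separated rows of `time,src,dst,bytes` (the `tshark -T fields` command in the docstring is the assumed way of producing them), that the caller supplies the machine's own address, and it runs on a constructed sample built from documentation address ranges rather than a real capture.

```python
"""Summarise a packet trace by remote peer and direction.

Added example for this thread, not code from the original posts or from
Wireshark. Input rows are assumed to come from an export such as
    tshark -r capture.pcap -T fields -E separator=, \
        -e frame.time_epoch -e ip.src -e ip.dst -e frame.len
i.e. "time,src,dst,bytes". The local address is supplied by the caller.
"""
import csv
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample (documentation address ranges, not real hosts): a short
# web fetch, one peer sending to the host for ~30 s, one upload burst,
# an ARP frame with empty IP fields, and a corrupt row.
SAMPLE = [
    "1192286950.000,192.168.1.10,198.51.100.7,74",
    "1192286950.050,198.51.100.7,192.168.1.10,1400",
    "1192286950.100,198.51.100.7,192.168.1.10,1400",
    "1192286951.000,192.168.1.10,203.0.113.5,60",
    "1192286951.200,203.0.113.5,192.168.1.10,1514",
    "1192286961.200,203.0.113.5,192.168.1.10,1514",
    "1192286971.200,203.0.113.5,192.168.1.10,1514",
    "1192286981.200,203.0.113.5,192.168.1.10,1514",
    "1192286990.000,192.168.1.10,192.0.2.9,1514",
    "1192286990.100,192.168.1.10,192.0.2.9,1514",
    "1192286990.200,192.0.2.9,192.168.1.10,60",
    "1192286992.000,,,60",
    "not,a,row",
]
LOCAL_IP = "192.168.1.10"  # assumed address of the machine being examined


class Packet(NamedTuple):
    ts: float
    src: str
    dst: str
    length: int


def parse_tshark_csv(lines: Iterable[str]) -> List[Packet]:
    """Parse 'time,src,dst,bytes' rows; skip non-IP frames and malformed rows."""
    packets: List[Packet] = []
    for row in csv.reader(line for line in lines if line.strip()):
        if len(row) != 4 or not row[1] or not row[2]:
            continue
        try:
            packets.append(Packet(float(row[0]), row[1], row[2], int(row[3])))
        except ValueError:
            continue
    return packets


class PeerStats:
    """Byte counts per direction plus the time span a peer was active."""

    def __init__(self) -> None:
        self.up = 0      # bytes sent from the local host to the peer
        self.down = 0    # bytes received from the peer
        self.packets = 0
        self.first: Optional[float] = None
        self.last: Optional[float] = None

    def add(self, pkt: Packet, outbound: bool) -> None:
        if outbound:
            self.up += pkt.length
        else:
            self.down += pkt.length
        self.packets += 1
        self.first = pkt.ts if self.first is None else min(self.first, pkt.ts)
        self.last = pkt.ts if self.last is None else max(self.last, pkt.ts)

    def total(self) -> int:
        return self.up + self.down

    def duration(self) -> float:
        return (self.last or 0.0) - (self.first or 0.0)


def summarize(packets: Iterable[Packet], local_ip: str) -> Dict[str, PeerStats]:
    """Group traffic by remote peer; frames not involving local_ip are ignored."""
    stats: Dict[str, PeerStats] = defaultdict(PeerStats)
    for p in packets:
        if p.src == local_ip:
            stats[p.dst].add(p, outbound=True)
        elif p.dst == local_ip:
            stats[p.src].add(p, outbound=False)
    return dict(stats)


def top_talkers(stats: Dict[str, PeerStats], n: int = 3) -> List[str]:
    """Peers ordered by total bytes, largest first."""
    return sorted(stats, key=lambda ip: stats[ip].total(), reverse=True)[:n]


def direction_totals(stats: Dict[str, PeerStats]) -> Tuple[int, int]:
    """(upload bytes, download bytes) across all peers, the split Jim reports."""
    return (sum(s.up for s in stats.values()), sum(s.down for s in stats.values()))


def sustained_peers(stats: Dict[str, PeerStats], min_seconds: float) -> List[str]:
    """Peers active for at least min_seconds: background transfers rather
    than the short bursts of ordinary browsing and mail."""
    return sorted(ip for ip, s in stats.items() if s.duration() >= min_seconds)


if __name__ == "__main__":
    stats = summarize(parse_tshark_csv(SAMPLE), LOCAL_IP)
    up, down = direction_totals(stats)
    print(f"upload {up} B, download {down} B")
    for ip in top_talkers(stats):
        s = stats[ip]
        print(f"{ip:16} up={s.up:6} down={s.down:6} pkts={s.packets:3} active={s.duration():.1f}s")
    print("sustained peers:", sustained_peers(stats, 20))
```

On the sample, the download-heavy peer that stays active for half a minute is the one to look at first; on a real trace you would then match that peer's port and timing against the process list from Task Manager, which is a far narrower question than "which of these forty processes is it".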
 

Heather

If you value your computer, totally ignore this idiot. He knows nothing
other than how to steal programs from the rightful authors. That and he
has an obsession with porn......as more than one person on these news
groups can prove to you.

Heather

"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fes0ee$phg$1@blackhelicopter.databasix.com...
> Go to my website http://www.pcbutts1.com/downloads use the email link
> at the bottom, put "Running Now" in the subject line and email me. I
> will send you my more extensive diagnostic tool, it works better than
> HJT, with instructions on how to use it.
>
> (snip)
 

Frank Saunders, MS-MVP IE

Jim, Ignore this troll.

"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fes0ee$phg$1@blackhelicopter.databasix.com...
> Crap

pcbutts1

Well okay now! Seems like I woke up the sleeping giants. How about answering
his question Mr. MVP or is it because you can't? If you are not smart enough
to help this guy fix his computer then stay out of this thread. Idiot.

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fes0ee$phg$1@blackhelicopter.databasix.com...
> Go to my website http://www.pcbutts1.com/downloads use the email link at
> the bottom, put "Running Now" in the subject line and email me. I will
> send you my more extensive diagnostic tool, it works better than HJT, with
> instructions on how to use it.

pcbutts1

Why are you replying to me? If you read the question it states what OS he is
using. BTW I am a contributor to Wireshark so you trying to be an AHole
backfired.

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"wng_z3r0" <wng_z3r0@newsgroups.nospam> wrote in message
news:8EF12E32-AA6C-4A5B-A7D0-CBEA958CF402@microsoft.com...
> Regardless of the nature of pcbutts, which I won't get into here, I
> strongly advise you NEVER to download code from an unknown entity on the
> internet in a scenario that pcbutts is proposing. Not only do you not have
> any information about pcbutts, but you could not even look at reviews from
> a 'trusted authority' such as perhaps CNET as for all you know, you could
> be receiving a unique malware file that is emailed to you. Just a
> suggestion on safe(r) internet habits.
>
> Anyways, specifically concerning your network traffic, try installing
> wireshark, and running a packet trace when the internet connection spikes:
> http://www.wireshark.org/
>
> As it appears you have a malware infestation on your computer, there is a
> possibility that this malware is leeching private information in the
> computer (such as passwords etc) back to a remote server, or perhaps the
> computer is used as a 'bot'. In either case, you really should disconnect
> the computer from the internet until the computer is cleaned. Not doing so
> puts your computer at more risk and most likely others as well.
>
> To begin cleaning your computer, can you please tell me what version of
> windows you are running?
>
> wng
>
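The packet trace wng_z3r0 recommends above is only useful once the capture is reduced to who the PC was talking to and how many bytes flowed each way. The script below is an added example, not code from anyone in this thread: it reads a tshark field export (frame.time_epoch, ip.src, ip.dst, frame.len, comma separated) taken during a spike, totals download and upload bytes per remote host, names the top talkers, labels the profile download-heavy or mixed in the sense of the OP's two episodes, and projects the observed rate to MB/day for comparison with the ISP's daily log. The PC address 192.168.1.10, the LAN range 192.168.1.0/24 and the sample rows are constructed assumptions.

```python
"""Summarise a tshark field export of a traffic spike by remote host.

Added example, not code from this thread. It assumes the capture taken while
the modem lights were on solid was exported with these (real) tshark options:
    tshark -r spike.pcap -T fields -E separator=,
           -e frame.time_epoch -e ip.src -e ip.dst -e frame.len
and that the PC's address and LAN range below are known (both constructed).
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

LOCAL_IP = "192.168.1.10"                         # assumed address of the PC
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN, skipped

# Constructed rows: one host pushing full-size frames for the whole window, a
# brief exchange with a second host, a non-IP frame and a LAN-only frame.
SAMPLE_EXPORT = """\
1700000000.000,192.168.1.10,203.0.113.7,74
1700000000.010,203.0.113.7,192.168.1.10,1514
1700000000.020,203.0.113.7,192.168.1.10,1514
1700000000.030,203.0.113.7,192.168.1.10,1514
1700000000.040,192.168.1.10,203.0.113.7,54
1700000001.000,192.168.1.10,198.51.100.22,60
1700000001.050,198.51.100.22,192.168.1.10,120
1700000002.000,203.0.113.7,192.168.1.10,1514
1700000002.010,203.0.113.7,192.168.1.10,1514
1700000003.000,,,60
1700000004.000,192.168.1.23,192.168.1.10,98
1700000004.500,203.0.113.7,192.168.1.10,1514
"""


@dataclass
class HostStats:
    bytes_down: int = 0          # remote -> PC
    bytes_up: int = 0            # PC -> remote
    packets: int = 0
    first_seen: float = float("inf")
    last_seen: float = float("-inf")

    @property
    def total(self):
        return self.bytes_down + self.bytes_up


def parse_export(text, local_ip=LOCAL_IP, lan_net=LAN_NET):
    """Return {remote_ip: HostStats} for traffic between the PC and the WAN."""
    stats = defaultdict(HostStats)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or not row[1] or not row[2]:
            continue                              # non-IP frame (ARP etc.)
        ts, src, dst, length = float(row[0]), row[1], row[2], int(row[3])
        if src == local_ip:
            remote, up, down = dst, length, 0
        elif dst == local_ip:
            remote, up, down = src, 0, length
        else:
            continue                              # frame not involving the PC
        if ipaddress.ip_address(remote) in lan_net:
            continue                              # LAN peer, never on the modem
        h = stats[remote]
        h.bytes_up += up
        h.bytes_down += down
        h.packets += 1
        h.first_seen = min(h.first_seen, ts)
        h.last_seen = max(h.last_seen, ts)
    return dict(stats)


def top_talkers(stats, n=3):
    """Remote hosts ordered by total bytes, largest first."""
    return sorted(stats.items(), key=lambda kv: kv[1].total, reverse=True)[:n]


def direction_profile(stats):
    """'download-heavy', 'upload-heavy' or 'mixed' (cf. the OP's two episodes)."""
    total = sum(h.total for h in stats.values())
    if total == 0:
        return "idle"
    share = sum(h.bytes_down for h in stats.values()) / total
    if share >= 0.8:
        return "download-heavy"
    if share <= 0.2:
        return "upload-heavy"
    return "mixed"


def projected_mb_per_day(stats):
    """Extrapolate the captured rate to a full day, to set against the ISP's
    daily log and monthly cap."""
    start = min(h.first_seen for h in stats.values())
    end = max(h.last_seen for h in stats.values())
    total = sum(h.total for h in stats.values())
    return total / (end - start) * 86400 / 1e6


if __name__ == "__main__":
    stats = parse_export(SAMPLE_EXPORT)
    print("profile:", direction_profile(stats),
          "| projected %.0f MB/day" % projected_mb_per_day(stats))
    for ip, h in top_talkers(stats):
        print("%-15s down=%6d up=%4d pkts=%3d"
              % (ip, h.bytes_down, h.bytes_up, h.packets))
```

Run it against a real export and the host at the top of the list is the one to check next in the Task Manager snapshots, since a single remote address pulling full-size frames for the whole window matches the "downloading high, uploading normal" episode far better than ordinary browsing.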
 

Frank Saunders, MS-MVP IE

"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fes5je$78s$1@blackhelicopter.databasix.com...
> Well okay now! Seems like I woke up the sleeping giants. How about
> answering his question Mr. MVP or is it because you can't? If you are not
> smart enough to help this guy fix his computer then stay out of this
> thread. Idiot.



Because Malke already did.

--
Frank Saunders, MS-MVP IE, OE/WM
I won't answer email.
 

pcbutts1

No she did not. She referred him to a computer store and asked him to post
his question in another group. How does that fix his computer? That's the
kind of answer you give somebody when you don't know the answer (no
disrespect intended, Malke). She did much more than you. All you did was
start a flame war for no reason. Do you really want to get into it with me?

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"Frank Saunders, MS-MVP IE" <franksaunders@mvps.org> wrote in message
news:20879171-6449-4002-A2B7-A38A1E053265@microsoft.com...
> "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
> news:fes5je$78s$1@blackhelicopter.databasix.com...
>> Well okay now! Seems like I woke up the sleeping giants. How about
>> answering his question Mr. MVP or is it because you can't? If you are not
>> smart enough to help this guy fix his computer then stay out of this
>> thread. Idiot.

>
>
> Because Malke already did.
>
> --
> Frank Saunders, MS-MVP IE, OE/WM
> I won't answer email.
 

wng_z3r0

Well then congratulations for contributing to such a wonderful open source
project. I can't seem to find your handle or email anywhere in the source,
but that's ok I'm sure you have a valid reason. Anyways, you seem to have
missed the point that I was making. See, the OP could easily check the
validity of wireshark by googling it, looking at reviews etc etc before
actually downloading the program. Also the fact that the program is open
source on SourceForge helps to signify that wireshark is not malicious.
Compare that with your distribution system.

wng


"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fes6df$8ug$1@blackhelicopter.databasix.com...
> Why are you replying to me? If you read the question it states what OS he
> is using. BTW I am a contributor to Wireshark so you trying to be an AHole
> backfired.
 
F

Far Canal

In article <1192286950.230976.246240@i38g2000prf.googlegroups.com>,
koehler@btinternet.com says...
> A real challenge to all spyware and malware experts.
>
> Please excuse my bad manners in publishing this article in two
> newsgroups simultaneously. I am not sure which one is most likely to
> provide help in solving my problem.
>
> If there is another newsgroup in which I should post this article
> please let me know.
>
>
> The problem that I have is driving me mad!
>



Nothing you can't fix by formatting your hd.
 

What's in a Name?

"pcbutts1" after much thought,came up with this jewel:

> No she did not. She referred him to a computer store and asked him
> to post his question in another group. How does that fix his
> computer? That's the kind of answer you give somebody when you
> don't know the answer (no disrespect intended, Malke). She did
> much more than you. All you did was start a flame war for no
> reason. Do you really want to get into it with me?
>

can I play too?

Want to know what PCBUTTS1 is really about?
Here are some thoughts from real people.
http://www.besttechie.net/2006/09/07/pcbutts1-back-at-it/
http://www.atribune.org/Blog/?p=16
http://www.viruslist.com/en/weblog?weblogid=197597102
http://www.bleepingcomputer.com/securityblog/2006/09/07/pcbutts1what-a-royal-pain-in-the-butt/
http://msmvps.com/blogs/spywaresucks/archive/2006/09/08/I-do-believe-PCBUTTS1-has-finally-lost-the-plot.aspx
http://www.digg.com/security/PCButts1_Under_Attack
http://www.siteadvisor.com/sites/pcbutts1.com
http://bughunter.it-mate.co.uk/PCBUTTS.TXT

max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply.
 

pcbutts1

Everything I put out is well documented and explained on my website.
Everything is safe and tested. That I choose not to share those links in
these NG's is by choice. If I am as bad as everybody says I am then why no
complaints from users of my files? Why is my site still up, why has it always
been up? If I am a thief then why did I beat two DMCA complaints? The
easiest way to take down any website is to file a DMCA yet my site is still
up. Get your facts straight.

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"wng_z3r0" <wng_z3r0@newsgroups.nospam> wrote in message
news:8EF12E32-AA6C-4A5B-A7D0-CBEA958CF402@microsoft.com...
> Regardless of the nature of pcbutts, which I won't get into here, I
> strongly advise you NEVER to download code from an unknown entity on the
> internet in a scenario that pcbutts is proposing. Not only do you not have
> any information about pcbutts, but you could not even look at reviews from
> a 'trusted authority' such as perhaps CNET as for all you know, you could
> be receiving a unique malware file that is emailed to you. Just a
> suggestion on safe(r) internet habits.
>
> Anyways, specifically concerning your network traffic, try installing
> wireshark, and running a packet trace when the internet connection spikes:
> http://www.wireshark.org/
>
> As it appears you have a malware infestation on your computer, there is a
> possibility that this malware is leeching private information in the
> computer (such as passwords etc) back to a remote server, or perhaps the
> computer is used as a 'bot'. In either case, you really should disconnect
> the computer from the internet until the computer is cleaned. Not doing so
> puts your computer at more risk and most likely others as well.
>
> To begin cleaning your computer, can you please tell me what version of
> windows you are running?
>
> wng
 

wng_z3r0

Don't try to change the argument. I have not once mentioned anything about
stealing code. That is irrelevant to this discussion.
Who cares if you have documented everything on your website or have
'reviews' on your website? Look at any of the smitfraud variant websites,
you will see EXACTLY the same thing (remember winfixer.com ? ). Any
'guarantees' from an author's website are essentially useless from a trust
perspective, as you are trying to gauge the trust of that website in the
first place.

You have not presented one valid counter claim to my supposition that
receiving private executables from unknown people on the internet is a 'bad
thing'. Unless you wish to discuss this point or the OP replies to this
thread, I will not waste any more of my time on this topic.

wng
"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fetkvv$kkj$1@blackhelicopter.databasix.com...
> Everything I put out is well documented and explained on my website.
> Everything is safe and tested. That I choose not to share those links
> in these NG's is by choice. If I am as bad as everybody says I am then why
> no complaints from users of my files? Why is my site still up, why has it
> always been up? If I am a thief then why did I beat two DMCA complaints?
> The easiest way to take down any website is to file a DMCA yet my site is
> still up. Get your facts straight.
>
> --
>
> Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
> The list grows. Leythos the stalker http://www.leythosthestalker.com,
> David H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
> Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
>
>
>
> "wng_z3r0" <wng_z3r0@newsgroups.nospam> wrote in message
> news:8EF12E32-AA6C-4A5B-A7D0-CBEA958CF402@microsoft.com...
>> Regardless of the nature of pcbutts, which I won't get into here, I
>> strongly advise you NEVER to download code from an unknown entity on the
>> internet in a scenario that pcbutts is proposing. Not only do you not
>> have any information about pcbutts, but you could not even look at
>> reviews from a 'trusted authority' such as perhaps CNET as for all you
>> know, you could be receiving a unique malware file that is emailed to
>> you. Just a suggestion on safe(r) internet habits.
>>
>> Anyways, specifically concerning your network traffic, try installing
>> wireshark, and running a packet trace when the internet connection
>> spikes:
>> http://www.wireshark.org/
>>
>> As it appears you have a malware infestation on your computer, there is a
>> possibility that this malware is leeching private information in the
>> computer (such as passwords etc) back to a remote server, or perhaps the
>> computer is used as a 'bot'. In either case, you really should disconnect
>> the computer from the internet until the computer is cleaned. Not doing
>> so puts your computer at more risk and most likely others as well.
>>
>> To begin cleaning your computer, can you please tell me what version of
>> windows you are running?
>>
>> wng
>>
>>
>> "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
>> news:fes0ee$phg$1@blackhelicopter.databasix.com...
>>> Go to my website http://www.pcbutts1.com/downloads and use the email link at
>>> the bottom, put "Running Now" in the subject line and email me. I will
>>> send you my more extensive diagnostic tool, which works better than HJT,
>>> with instructions on how to use it.
>>>
>>>
>>> --
>>>
>>> Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
>>> The list grows. Leythos the stalker http://www.leythosthestalker.com,
>>> David H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
>>> Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
>>>
>>>
>>>
>>> "Jim" <koehler@btinternet.com> wrote in message
>>> news:1192286950.230976.246240@i38g2000prf.googlegroups.com...
>>>>A real challenge to all spyware and malware experts.
>>>>
>>>> Please excuse my bad manners in publishing this article in two
>>>> newsgroups simultaneously. I am not sure which one is most likely to
>>>> provide help in solving my problem.
>>>>
>>>> If there is another newsgroup in which I should post this article
>>>> please let me know.
>>>>
>>>>
>>>> The problem that I have is driving me mad!
>>>>
>>>>
>>>> The problem is that my broadband traffic is at times extremely high
>>>> for completely unexplained reasons.
>>>>
>>>> This is indicated by (1) the daily log kept by my ISP and (2) more
>>>> visibly by the icon in the lower right-hand corner on my screen that
>>>> consists of the two little monitor symbols. These symbols indicate
>>>> broadband activity by lighting up in light blue - one for up traffic
>>>> and the other for down traffic.
>>>>
>>>> The problem has been around on and off for three months now.
>>>>
>>>> Environment: Windows XP SP2, Symantec Norton 360, Namesco (ISP) and
>>>> Ad-Aware SE Personal. The last of these I run only on demand - usually
>>>> once a day.
>>>>
>>>> When the problem is occurring the daily ISP log shows 4 or 5 times
>>>> normal megabytes per day and the monitor symbols are lit up all the
>>>> time.
>>>>
>>>> Normally the log and the monitor symbols show low broadband activity.
>>>> I have been a fairly light user of the internet. No movie downloads,
>>>> etc. Just emails and web page accesses.
>>>>
>>>> The high activity problem has occurred in two episodes. During the
>>>> first of these (a couple of weeks) the high traffic was more or less
>>>> equally divided between uploading and downloading. But during the most
>>>> recent episode (a couple of days) downloading has been very high while
>>>> uploading was normal.
>>>>
>>>> My traffic has been so high that my ISP's monthly limit is 60% used
>>>> while I am only 40% into the month. I will be charged for any excess.
>>>> I have become so concerned that I am leaving my modem connection to my
>>>> phone line unplugged except when I need to access the internet.
>>>>
>>>> Regarding the first episode: I tried PREVX. It found and removed some
>>>> malware. It reported that it put the following items in "jail".
>>>> zrmkxe.exe (4 KB)
>>>> ykouzmp.exe (4 KB)
>>>> ugstzfqp.exe (4 KB)
>>>> tftp4904 (4 KB)
>>>> shell64.dll (14 KB) (http://www.auditmypc.com/process/shell64.asp)
>>>> rphekn.exe (4 KB)
>>>> gpiawddx.exe (4 KB)
>>>> avgmb.exe (4 KB)
>>>>
>>>> This cleared up the problem but PREVX and Norton 360 do not get along
>>>> with each other - Norton 360 will not work properly unless PREVX is
>>>> not present in the same system.
>>>>
>>>> I spent a considerable amount of time on the Symantec technical help
>>>> line. Symantec finally apparently fixed the problem by activating the
>>>> Norton 360 backup facility. Traffic dropped back down to its normal
>>>> level for a while. I can't understand why this worked - what is the
>>>> connection between backup and the high traffic problem?
>>>>
>>>> Broadband traffic went back to normal for a while but eventually the
>>>> high traffic problem returned on several occasions. They were fixed by
>>>> (1) installing PREVX, (2) doing a scan with it whereby it cleared out
>>>> some malware, and (3) uninstalling PREVX - all of this while
>>>> temporarily disabling Norton 360.
>>>>
>>>> As I said earlier, the second and last episode of the high traffic
>>>> broadband problem began a few days ago. This seems to be different
>>>> than the first episode because the high traffic is mainly downloading
>>>> while uploading is normal.
>>>>
>>>> The big issue with all this is that I need to find out what spyware
>>>> malware is causing my high traffic. Can anyone tell me how to do this?
>>>> Is there some diagnostic software that could be of use here?
>>>>
>>>> Below are some items that might help diagnose my problem. All of these
>>>> were obtained when broadband traffic was very high as indicated by the
>>>> monitor symbols being lit up constantly.
>>>>
>>>> The first item is a HijackThis log file. The last two are snapshots
>>>> of the most active processes in the Windows Task Manager process
>>>> display.
>>>>
>>>> Thanks in advance for your help.
>>>>
>>>> Jim
>>>>
>>>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>>> -
>>>>
>>>
>>>
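The packet trace wng_z3r0 recommends above is only useful once the capture is reduced to something readable. As an added example (not code from anyone in this thread), the Python below summarises a Wireshark CSV packet export into per-remote-host upload and download byte counts, so the remote end responsible for a download-heavy episode like the one Jim describes stands out; the sample capture, the local address 192.168.1.10 and the remote hosts are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of Wireshark's default CSV packet export
# (No., Time, Source, Destination, Protocol, Length, Info). Addresses are from
# the RFC 5737 documentation ranges; 192.168.1.10 stands in for the affected PC.
# The last two rows exercise the edge cases: a frame that does not involve the
# local host at all, and a row whose Length column is unusable.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.10","203.0.113.5","TCP","74","49152 > 80 [SYN]"
"2","0.041000","203.0.113.5","192.168.1.10","TCP","74","80 > 49152 [SYN, ACK]"
"3","0.041200","192.168.1.10","203.0.113.5","TCP","66","49152 > 80 [ACK]"
"4","0.090000","203.0.113.5","192.168.1.10","TCP","1514","80 > 49152 [ACK]"
"5","0.090400","203.0.113.5","192.168.1.10","TCP","1514","80 > 49152 [ACK]"
"6","0.090800","203.0.113.5","192.168.1.10","TCP","1514","80 > 49152 [ACK]"
"7","0.091000","192.168.1.10","203.0.113.5","TCP","66","49152 > 80 [ACK]"
"8","0.200000","192.168.1.10","198.51.100.7","DNS","78","Standard query A example.net"
"9","0.240000","198.51.100.7","192.168.1.10","DNS","142","Standard query response"
"10","0.300000","192.168.1.10","192.0.2.20","TCP","1514","49153 > 443 [ACK]"
"11","0.300400","192.168.1.10","192.0.2.20","TCP","1514","49153 > 443 [ACK]"
"12","0.340000","192.0.2.20","192.168.1.10","TCP","66","443 > 49153 [ACK]"
"13","0.500000","192.168.1.12","224.0.0.251","MDNS","86","Standard query"
"14","0.900000","192.168.1.10","203.0.113.5","TCP","N/A","truncated frame"
"""


def parse_capture(csv_text):
    """Return one dict per well-formed row; rows without an integer Length are dropped."""
    packets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            length = int(row["Length"])
        except (KeyError, ValueError):
            continue
        packets.append({"src": row["Source"], "dst": row["Destination"],
                        "proto": row["Protocol"], "length": length})
    return packets


def summarise(packets, local_ip):
    """Per remote host: bytes received ('down'), bytes sent ('up') and frame count.

    Frames where the local host is neither source nor destination (other
    machines' broadcasts, multicast chatter) are not attributed to anyone.
    """
    stats = defaultdict(lambda: {"down": 0, "up": 0, "packets": 0})
    for p in packets:
        if p["dst"] == local_ip:
            remote, direction = p["src"], "down"
        elif p["src"] == local_ip:
            remote, direction = p["dst"], "up"
        else:
            continue
        stats[remote][direction] += p["length"]
        stats[remote]["packets"] += 1
    return dict(stats)


def top_talkers(stats, n=3):
    """Remote hosts ordered by total bytes exchanged, largest first."""
    return sorted(stats.items(),
                  key=lambda kv: kv[1]["down"] + kv[1]["up"], reverse=True)[:n]


def direction_split(stats):
    """Total (down, up) bytes: distinguishes a download-heavy episode from a balanced one."""
    down = sum(s["down"] for s in stats.values())
    up = sum(s["up"] for s in stats.values())
    return down, up


def report(csv_text, local_ip):
    """Human-readable summary: overall direction split, then the busiest remote hosts."""
    stats = summarise(parse_capture(csv_text), local_ip)
    down, up = direction_split(stats)
    lines = [f"total down {down} B, up {up} B"]
    for host, s in top_talkers(stats):
        lines.append(f"{host:>15}  down {s['down']:>6} B  up {s['up']:>6} B"
                     f"  frames {s['packets']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV, "192.168.1.10"))
```

Run it against a real export by reading the CSV file into `report()` with the PC's own address; the top host of a download-heavy episode is the one to resolve and look up before trusting any process that talks to it.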

pcbutts1

I wrote a malware removal program called Spyerase. Everybody said I stole it
from someone else. I sold Spyerase last year and made a pretty penny for it
too. I sold it to a major Anti-malware Anti-virus company who found me in
these NG's and in my forums. I am not unknown. If I can write something that
works then people have the right to use it. You can try to back out of this
thread if you want but I know exactly what your intentions were in your
first post.


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"wng_z3r0" <wng_z3r0@newsgroups.nospam> wrote in message
news:CD640A2D-0757-4146-A3A6-FA240FDA2599@microsoft.com...
> Don't try to change the argument. I have not once mentioned anything about
> stealing code. That is irrelevant to this discussion.
> Who cares if you have documented everything on your website or have
> 'reviews' on your website? Look at any of the smitfraud variant websites,
> you will see EXACTLY the same thing (remember winfixer.com ? ). Any
> 'guarantees' from an author's website are essentially useless from a trust
> perspective, as you are trying to gauge the trust of that website in the
> first place.
>
> You have not presented one valid counter claim to my supposition that
> receiving private executables from unknown people on the internet is a
> 'bad thing'. Unless you wish to discuss this point or the OP replies to
> this thread, I will not waste any more of my time on this topic.
>
> wng
> "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
> news:fetkvv$kkj$1@blackhelicopter.databasix.com...
>> Everything I put out is well documented and explained on my website.
>> Everything is safe and tested. That I choose not to share those links
>> in these NG's is by choice. If I am as bad as everybody says I am then
>> why no complaints from users of my files? Why is my site still up, why has
>> it always been up? If I am a thief then why did I beat two DMCA
>> complaints? The easiest way to take down any website is to file a DMCA
>> yet my site is still up. Get your facts straight.
>>
>> --
>>
>> Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
>> The list grows. Leythos the stalker http://www.leythosthestalker.com,
>> David H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
>> Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
>>
>>
>>
>> "wng_z3r0" <wng_z3r0@newsgroups.nospam> wrote in message
>> news:8EF12E32-AA6C-4A5B-A7D0-CBEA958CF402@microsoft.com...
>>> Regardless of the nature of pcbutts, which I won't get into here, I
>>> strongly advise you NEVER to download code from an unknown entity on the
>>> internet in a scenario that pcbutts is proposing. Not only do you not
>>> have any information about pcbutts, but you could not even look at
>>> reviews from a 'trusted authority' such as perhaps CNET as for all you
>>> know, you could be receiving a unique malware file that is emailed to
>>> you. Just a suggestion on safe(r) internet habits.
>>>
>>> Anyways, specifically concerning your network traffic, try installing
>>> wireshark, and running a packet trace when the internet connection
>>> spikes:
>>> http://www.wireshark.org/
>>>
>>> As it appears you have a malware infestation on your computer, there is
>>> a possibility that this malware is leeching private information in the
>>> computer (such as passwords etc) back to a remote server, or perhaps the
>>> computer is used as a 'bot'. In either case, you really should
>>> disconnect the computer from the internet until the computer is cleaned.
>>> Not doing so puts your computer at more risk and most likely others as
>>> well.
>>>
>>> To begin cleaning your computer, can you please tell me what version of
>>> windows you are running?
>>>
>>> wng
>>>
>>>
>>> "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
>>> news:fes0ee$phg$1@blackhelicopter.databasix.com...
>>>> Go to my website http://www.pcbutts1.com/downloads and use the email link
>>>> at the bottom, put "Running Now" in the subject line and email me. I
>>>> will send you my more extensive diagnostic tool, which works better than
>>>> HJT, with instructions on how to use it.
>>>>
>>>>
>>>> --
>>>>
>>>> Newsgroup Trolls. Read about mine here
>>>> http://www.pcbutts1.com/downloads
>>>> The list grows. Leythos the stalker http://www.leythosthestalker.com,
>>>> David H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
>>>> Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
>>>>
>>>>
>>>>
>>>> "Jim" <koehler@btinternet.com> wrote in message
>>>> news:1192286950.230976.246240@i38g2000prf.googlegroups.com...
>>>>>A real challenge to all spyware and malware experts.
>>>>>
>>>>> Please excuse my bad manners in publishing this article in two
>>>>> newsgroups simultaneously. I am not sure which one is most likely to
>>>>> provide help in solving my problem.
>>>>>
>>>>> If there is another newsgroup in which I should post this article
>>>>> please let me know.
>>>>>
>>>>>
>>>>> The problem that I have is driving me mad!
>>>>>
>>>>>
>>>>> The problem is that my broadband traffic is at times extremely high
>>>>> for completely unexplained reasons.
>>>>>
>>>>> This is indicated by (1) the daily log kept by my ISP and (2) more
>>>>> visibly by the icon in the lower right-hand corner on my screen that
>>>>> consists of the two little monitor symbols. These symbols indicate
>>>>> broadband activity by lighting up in light blue - one for up traffic
>>>>> and the other for down traffic.
>>>>>
>>>>> The problem has been around on and off for three months now.
>>>>>
>>>>> Environment: Windows XP SP2, Symantec Norton 360, Namesco (ISP) and
>>>>> Ad-Aware SE Personal. The last of these I run only on demand - usually
>>>>> once a day.
>>>>>
>>>>> When the problem is occurring the daily ISP log shows 4 or 5 times
>>>>> normal megabytes per day and the monitor symbols are lit up all the
>>>>> time.
>>>>>
>>>>> Normally the log and the monitor symbols show low broadband activity.
>>>>> I have been a fairly light user of the internet. No movie downloads,
>>>>> etc. Just emails and web page accesses.
>>>>>
>>>>> The high activity problem has occurred in two episodes. During the
>>>>> first of these (a couple of weeks) the high traffic was more or less
>>>>> equally divided between uploading and downloading. But during the most
>>>>> recent episode (a couple of days) downloading has been very high while
>>>>> uploading was normal.
>>>>>
>>>>> My traffic has been so high that my ISP's monthly limit is 60% used
>>>>> while I am only 40% into the month. I will be charged for any excess.
>>>>> I have become so concerned that I am leaving my modem connection to my
>>>>> phone line unplugged except when I need to access the internet.
>>>>>
>>>>> Regarding the first episode: I tried PREVX. It found and removed some
>>>>> malware. It reported that it put the following items in "jail".
>>>>> zrmkxe.exe (4 KB)
>>>>> ykouzmp.exe (4 KB)
>>>>> ugstzfqp.exe (4 KB)
>>>>> tftp4904 (4 KB)
>>>>> shell64.dll (14 KB) (http://www.auditmypc.com/process/shell64.asp)
>>>>> rphekn.exe (4 KB)
>>>>> gpiawddx.exe (4 KB)
>>>>> avgmb.exe (4 KB)
>>>>>
>>>>> This cleared up the problem but PREVX and Norton 360 do not get along
>>>>> with each other - Norton 360 will not work properly unless PREVX is
>>>>> not present in the same system.
>>>>>
>>>>> I spent a considerable amount of time on the Symantec technical help
>>>>> line. Symantec finally apparently fixed the problem by activating the
>>>>> Norton 360 backup facility. Traffic dropped back down to its normal
>>>>> level for a while. I can't understand why this worked - what is the
>>>>> connection between backup and the high traffic problem?
>>>>>
>>>>> Broadband traffic went back to normal for a while but eventually the
>>>>> high traffic problem returned on several occasions. They were fixed by
>>>>> (1) installing PREVX, (2) doing a scan with it whereby it cleared out
>>>>> some malware, and (3) uninstalling PREVX - all of this while
>>>>> temporarily disabling Norton 360.
>>>>>
>>>>> As I said earlier, the second and last episode of the high traffic
>>>>> broadband problem began a few days ago. This seems to be different
>>>>> than the first episode because the high traffic is mainly downloading
>>>>> while uploading is normal.
>>>>>
>>>>> The big issue with all this is that I need to find out what spyware
>>>>> malware is causing my high traffic. Can anyone tell me how to do this?
>>>>> Is there some diagnostic software that could be of use here?
>>>>>
>>>>> Below are some items that might help diagnose my problem. All of these
>>>>> were obtained when broadband traffic was very high as indicated by the
>>>>> monitor symbols being lit up constantly.
>>>>>
>>>>> The first item is a HijackThis log file. The last two are snapshots
>>>>> of the most active processes in the Windows Task Manager process
>>>>> display.
>>>>>
>>>>> Thanks in advance for your help.
>>>>>
>>>>> Jim
>>>>>
>>>>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>>>> -
>>>>>
>>>>
>>>>
>>>

---Fitz---

"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
news:fetooc$slr$1@blackhelicopter.databasix.com...
>I wrote a malware removal program called Spyerase. Everybody said I stole
>it from someone else. I sold Spyerase last year and made a pretty penny for
>it too. I sold it to a major Anti-malware Anti-virus company who found me
>in these NG's and in my forums. I am not unknown.


You sold it...yeah, right. You're right about not being unknown
though...Chris.
 
spears list

On Oct 13, 9:49 am, Jim <koeh...@btinternet.com> wrote:
> A real challenge to all spyware and malware experts.
>
> Please excuse my bad manners in publishing this article in two
> newsgroups simultaneously. I am not sure which one is most likely to
> provide help in solving my problem.
>
> If there is another newsgroup in which I should post this article
> please let me know.
>
> The problem that I have is driving me mad!
>
> The problem is that my broadband traffic is at times extremely high
> for completely unexplained reasons.
>
> This is indicated by (1) the daily log kept by my ISP and (2) more
> visibly by the icon in the lower right-hand corner on my screen that
> consists of the two little monitor symbols. These symbols indicate
> broadband activity by lighting up in light blue - one for up traffic
> and the other for down traffic.
>
> The problem has been around on and off for three months now.
>
> Environment: Windows XP SP2, Symantec Norton 360, Namesco (ISP) and
> Ad-Aware SE Personal. The last of these I run only on demand - usually
> once a day.
>
> When the problem is occurring the daily ISP log shows 4 or 5 times
> normal megabytes per day and the monitor symbols are lit up all the
> time.
>
> Normally the log and the monitor symbols show low broadband activity.
> I have been a fairly light user of the internet. No movie downloads,
> etc. Just emails and web page accesses.
>
> The high activity problem has occurred in two episodes. During the
> first of these (a couple of weeks) the high traffic was more or less
> equally divided between uploading and downloading. But during the most
> recent episode (a couple of days) downloading has been very high while
> uploading was normal.
>
> My traffic has been so high that my ISP's monthly limit is 60% used
> while I am only 40% into the month. I will be charged for any excess.
> I have become so concerned that I am leaving my modem connection to my
> phone line unplugged except when I need to access the internet.
>
> Regarding the first episode: I tried PREVX. It found and removed some
> malware. It reported that it put the following items in "jail".
> zrmkxe.exe (4 KB)
> ykouzmp.exe (4 KB)
> ugstzfqp.exe (4 KB)
> tftp4904 (4 KB)
> shell64.dll (14 KB) (http://www.auditmypc.com/process/shell64.asp)
> rphekn.exe (4 KB)
> gpiawddx.exe (4 KB)
> avgmb.exe (4 KB)
>
> This cleared up the problem but PREVX and Norton 360 do not get along
> with each other - Norton 360 will not work properly unless PREVX is
> not present in the same system.
>
> I spent a considerable amount of time on the Symantec technical help
> line. Symantec finally apparently fixed the problem by activating the
> Norton 360 backup facility. Traffic dropped back down to its normal
> level for a while. I can't understand why this worked - what is the
> connection between backup and the high traffic problem?
>
> Broadband traffic went back to normal for a while but eventually the
> high traffic problem returned on several occasions. They were fixed by
> (1) installing PREVX, (2) doing a scan with it whereby it cleared out
> some malware, and (3) uninstalling PREVX - all of this while
> temporarily disabling Norton 360.
>
> As I said earlier, the second and last episode of the high traffic
> broadband problem began a few days ago. This seems to be different
> than the first episode because the high traffic is mainly downloading
> while uploading is normal.
>
> The big issue with all this is that I need to find out what spyware
> malware is causing my high traffic. Can anyone tell me how to do this?
> Is there some diagnostic software that could be of use here?
>
> Below are some items that might help diagnose my problem. All of these
> were obtained when broadband traffic was very high as indicated by the
> monitor symbols being lit up constantly.
>
> The first item is a HijackThis log file. The last two are snapshots
> of the most active processes in the Windows Task Manager process
> display.
>
> Thanks in advance for your help.
>
> Jim
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> -
>
> Logfile of HijackThis v1.99.1
> Scan saved at 23:41:58, on 10/12/2007
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.6000.16544)
>
> Running processes:
> C:\WINNT\System32\smss.exe
> C:\WINNT\system32\winlogon.exe
> C:\WINNT\system32\services.exe
> C:\WINNT\system32\lsass.exe
> C:\WINNT\system32\Ati2evxx.exe
> C:\WINNT\system32\svchost.exe
> C:\WINNT\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
> C:\WINNT\system32\Ati2evxx.exe
> C:\WINNT\Explorer.EXE
> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> C:\WINNT\system32\spoolsv.exe
> C:\Program Files\Common Files\Apple\Mobile Device Support\bin
> \AppleMobileDeviceService.exe
> C:\WINNT\system32\CTsvcCDA.exe
> C:\WINNT\system32\inetsrv\inetinfo.exe
> C:\Program Files\Kontiki\KService.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
> C:\WINNT\System32\PGPsdkServ.exe
> C:\WINNT\system32\dllhost.exe
> C:\WINNT\System32\vssvc.exe
> C:\Program Files\RealVNC\VNC4\WinVNC4.exe
> C:\WINNT\System32\MsPMSPSv.exe
> C:\WINNT\system32\fxssvc.exe
> C:\WINNT\system32\dllhost.exe
> C:\Program Files\Common Files\Real\Update_OB\realsched.exe
> C:\Program Files\QuickTime\QTTask.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\WINNT\system32\ctfmon.exe
> C:\Program Files\Intense Language Office\COMMON\Offman.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\Program Files\Eraser\eraser.exe
> C:\Program Files\Kontiki\KHost.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
> C:\WINNT\system32\taskmgr.exe
> C:\WINNT\system32\notepad.exe
> C:\Program Files\HJT\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
> =http://go.microsoft.com/fwlink/?LinkId=54896
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =http://go.microsoft.com/fwlink/?LinkId=69157
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
> =
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
> =
> O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no
> file)
> O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:
> \Program Files\Common Files\Symantec Shared\coShared\Browser
> \1.7\NppBho.dll
> O2 - BHO: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C}
> - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
> O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:
> \PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
> O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-
> FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro
> \wsbho2k0.dll
> O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:
> \PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
> O3 - Toolbar: SolidConverter PDF - {259F616C-A300-44F5-B04A-
> ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF
> \ExploreExtPDF.dll
> O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-
> FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared
> \Browser\1.7\UIBHO.dll
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real
> \Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
> \QTTask.exe" -atboottime
> O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and
> Settings\Jim.JIM-HOMEPC\Local Settings\Temp\ImInstaller\IncrediMail
> \incredimail_install[1].exe -startup -product IncrediMail
> O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
> \iTunesHelper.exe"
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
> Shared\ccApp.exe"
> O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /
> background
> O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
> O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
> O9 - Extra button: (no name) - SolidConverterPDF - (no file)
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
> C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
> O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583}
> - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
> O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-
> d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic
> \xpnetdiag.exe (file missing)
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
> - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-
> BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
> O11 - Options group: [INTERNATIONAL] International*
> O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
> O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
> O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
> scanner) -http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff..cab
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
> -http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client...
> O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
> Utility Class) -http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
> O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload
> Manager Class) -http://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
> O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} ...
>


Check to see if this software helps because it saved my pc! www.eliteatm.biz
 