All PCs in network lose internet access after I log on to a specific user account

Hello
I have a problem.
I have a wired network with 3 PCs (Win7) and 1 Mac. After I log on to my standard user account on a Win7 PC (not the admin account) my computer starts CONTINUOUSLY SENDING DATA to the internet and after one or two minutes ALL the PCs on the network (I think the Mac also) LOSE INTERNET ACCESS. If I unplug that particular PC from the router the other PCs immediately regain access to the internet and continue working normally. If I log off the “infected user account” and log on to the admin account everything works normally. I ran MBAM (full scan) and found 1 infected file (I don’t think this is the problem because I have never run this file); anyway I cleaned the file and restarted the PC as suggested by MBAM BUT THE PROBLEM REPEATED. I have Avast antivirus; I ran a full system scan but didn’t find anything.

I would really appreciate if you can help me with this.
Below are the requested files … I ran the programs from the admin account.

Thank you in advance.
Vasilis

I forgot the last log
Thanks again

Uhh,

Hi.

Drive X: | 232.88 Gb Total Space | 232.75 Gb Free Space | 99.95% Space Free | Partition Type: NTFS
Drive Y: | 465.76 Gb Total Space | 269.01 Gb Free Space | 57.76% Space Free | Partition Type: NTFS

Are those network drives? Or shared between a Virtual Machine?

Also, a quick look through your OTL scan shows you’re using P2P programs (Peer-2-Peer). These are dangerous and could likely be your issue.

I’ve asked a malware remover to help you. Sit tight and disconnect the infected PC from the internet and all access to other computers. (So, USB, CD, DVD etc.)

Both drives are normal hard drives inside the “infected” PC. Neither of them is shared with virtual machines. But to tell you the truth I “feel” that the problems started when I installed a Win7 ISO in a new virtual machine (no shares) or when I installed Genymotion (Android emulator). I installed both of them in the same period.

Could you run the OTL scan on the affected account please, rather than the admin account

I ran the OTL program from the “infected” account. It asked me for admin credentials so I entered the admin account credentials. After the scan I could not find the EXTRA.txt file. I don’t know why.
Below is the OTL.Txt file
Thank you.

OK, a few questions first :slight_smile: Are you aware of the following two programmes on the system:

http://www.fieldstonsoftware.com/software/gsyncit3/ this one synchronises all e-mail/calendar/contacts on start
http://render.otoy.com/ this does graphics rendering in the cloud

Also uTorrent is installed, I do not know whether or not it is used as a node though

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following


:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..extensions.enabledAddons: gmailthis%40lazyrussian.com:2.3.0

:Files
C:\Users\Bill_U\AppData\Local\temp\_MEI59642

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN
Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now

Hello again
I know about gsyncit. I use it.
About render.otoy.com, I uninstalled it some time ago. It shouldn’t be there (if you saw it anywhere).
I use uTorrent sometimes but something is happening with the latest installation. I don’t understand what … I installed it but every time I run it, it seems like it installs itself again.

After I ran the programs the infected account seemed OK until I ran Firefox. Then after 30 sec it started sending data to the internet again. In the Avast statistics screen I saw that my PC communicates with “http://gtssl-ocsp.geotrust.com” and then starts sending data to the internet. I remember that my PC used to continuously bring up a dialog box from Java (or something like that) asking me to accept a certificate that references GeoTrust. My other PC is still asking for this approval. I don’t remember if on my PC I accepted the offer by mistake after the many times it asked me.

Below are the log files

Thank you

OK, a little investigation shows that GeoTrust issues certificates for browsers; the initial connection downloads a very small file which I am unable to interpret. However, it has full permissions
http://www.geotrust.com/

I would like to use a separate programme to look at Firefox; unfortunately none of my programmes cover all areas

Meanwhile could you start Firefox in safe mode https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode#w_how-to-start-firefox-in-safe-mode and let me know if the transmissions continue


Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

The data transmission takes place even without a browser running. And the bad thing is that now I think this is happening on the admin account also

Please help

Below is the log file

Maybe I was in a hurry to say that data transmission happens on the admin account also. After 2 min of sending data it now stops. At least it looks like it

Sorry

Could you temporarily disable googledrivesync via msconfig, reboot and see if the transmissions stop

Press the Windows and R key together and type in msconfig
Go to the startup section and remove the tick from googledrivesync and reboot
Does the traffic start again ?
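Before disabling a startup item on suspicion alone, it helps to confirm which process actually owns the outbound traffic. The following PowerShell script is an added example and not part of the thread: it maps the ESTABLISHED connections reported by netstat to their owning processes and then looks the top talker up among the startup entries that msconfig shows. It uses only netstat and WMI so it also works on Windows 7; the process-name pattern for the Google Drive client is an assumption taken from the name used in the thread.

```powershell
# Added example (not from the thread): find the process behind continuous outbound
# traffic and check whether it is a startup item. Run from an elevated PowerShell prompt.

function Get-ConnectionsByProcess {
    # "netstat -ano" rows look like: TCP  10.0.0.5:49213  74.125.x.x:443  ESTABLISHED  1234
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -ge 5 -and $f[3] -eq 'ESTABLISHED') {
            New-Object PSObject -Property @{ Foreign = $f[2]; OwnerPid = [int]$f[4] }
        }
    }
    # One summary row per process, most connections first
    $rows | Group-Object OwnerPid | ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $remotes = ($_.Group | ForEach-Object { $_.Foreign } | Sort-Object -Unique) -join ', '
        New-Object PSObject -Property @{
            OwnerPid    = [int]$_.Name
            Process     = $name
            Connections = $_.Count
            Remotes     = $remotes
        }
    } | Sort-Object Connections -Descending
}

function Get-StartupEntry {
    param([string]$NamePattern)
    # Win32_StartupCommand covers the Run keys and Startup folders, i.e. what msconfig's Startup tab lists
    Get-WmiObject Win32_StartupCommand |
        Where-Object { $_.Name -match $NamePattern -or $_.Command -match $NamePattern } |
        Select-Object Name, Command, Location, User
}

# Snapshot the current top talkers; run it a few times to see which process persists
Get-ConnectionsByProcess | Select-Object -First 10 |
    Format-Table OwnerPid, Process, Connections, Remotes -AutoSize

# Is the suspect registered to start with the user's session? (pattern assumed for the Google Drive client)
Get-StartupEntry -NamePattern 'googledrivesync'
```

If the same process tops the list across several snapshots and appears in the startup entries, disabling it in msconfig and rebooting, as suggested above, is a controlled way to confirm it is the source.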

The traffic seems to have stopped. I tried to upload some files to Google Drive but for some reason it got blocked and after some minutes disconnected itself (gray icon). I thought I would solve the problem later. Do you think Google Drive is the problem?

I tried to upload some files some days ago … :). (I read the post and it looks like I am trying to upload some files now)

Yes, as no malware is apparent… My thoughts are that you are trying to upload a file and for some reason it is getting stuck in a loop. If disabling Google sync stops the network traffic then that would be the logical cause. This can be confirmed if you run msconfig again and place a tick alongside googledrivesync, if after the reboot the network problems re-appear then we could have the cause

I will try it. I will observe for some time and I will inform you.
Thank you.

Makes a change to have something non-malware related :slight_smile:

Hello again

I used the PC today and all seems to work normally. I had to uninstall GDrive and install it again and everything seems to work OK.

Thank you for your help. I appreciate it.

Thanks again
Vasilis

Glad it is resolved :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right click Disk Cleanup and select Run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave: