Anyone help with this one please?

I have avast installed on 3 comps. One of them is continually uploading large amounts of data to an IP address in Canada, Shaw Communications in Hamilton, Ontario. The IP addy sometimes changes, but the destination is always the same. What it's uploading I have no idea. The only way I can stop this happening is to disable BITS. What the hell is going on here avast ??? See attachment txt for destination info.

Shaw is a trusted communication provider.

What do you mean with BITS?

If you want to have a thorough check:
http://forum.avast.com/index.php?topic=53253.0

(BITS) Background Intelligent Transfer Service. As soon as I start it up again, avast starts transmitting data to Shaw Communications. If I want to send stuff to Shaw Comms I'll send them an e-mail. I don't expect my anti virus to do it of its own accord. Also, I run regular scans with Malwarebytes, Spybot, Windows Defender and avast. They find nothing. When looking on the internet I find that lots of avast users are having exactly the same issue. Again, what the hell is going on avast ???

It certainly is not avast that is sending the data.
If it was, the data would still be sent when BITS is disabled.
I suspect a Windows component (update service, defender) or something like that.

Never run (or even think about enabling) Defender when you have avast installed.
They don’t work together very well.

If you want to have a closer look at what is doing what, I can recommend the SysInternal tools.

If you want us to look if it isn’t malware, please follow the instructions:
http://forum.avast.com/index.php?topic=53253.0

In case others want to have a little reading :smiley:

Background Intelligent Transfer Service (BITS) is a component of Microsoft Windows XP and later operating systems that facilitates prioritized, throttled, and asynchronous transfer of files between machines using idle network bandwidth. It is most commonly used by recent versions of Windows Update, Microsoft Update, Windows Server Update Services, and Systems Management Server to deliver software updates to clients, Microsoft's anti-virus scanner Microsoft Security Essentials (later merged to and renamed to Windows Defender) to fetch signature updates, and is also used by Microsoft's instant messaging products to transfer files.
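Rather than disabling the service outright, the jobs BITS is actually running can be listed and the upload ones picked out. This is an added example, not code from the thread; it assumes Windows Vista or later with the BitsTransfer module and an elevated prompt.

```powershell
# Added example (not from the thread): enumerate every BITS job on the machine and
# flag uploads, so the transfer can be inspected instead of the whole service disabled.
# Assumes Windows Vista or later with the BitsTransfer module; run from an elevated prompt.
Import-Module BitsTransfer

$jobs = Get-BitsTransfer -AllUsers
if (-not $jobs) { Write-Host "No BITS jobs queued for any user."; return }

foreach ($job in $jobs) {
    # TransferType is Download, Upload or UploadReply; the thread's concern is outbound data
    $flag = if ($job.TransferType -ne 'Download') { '  <-- UPLOAD' } else { '' }
    Write-Host ("Job      : {0} ({1}){2}" -f $job.DisplayName, $job.JobId, $flag)
    Write-Host ("Owner    : {0}" -f $job.OwnerAccount)
    Write-Host ("State    : {0}  Type: {1}" -f $job.JobState, $job.TransferType)
    foreach ($f in $job.FileList) {
        # RemoteName is the URL the job talks to; its host is what to resolve and
        # compare with the unexplained destination address from the firewall log.
        $uri = [Uri]$f.RemoteName
        Write-Host ("  Remote : {0}  (host {1})" -f $f.RemoteName, $uri.Host)
        Write-Host ("  Local  : {0}  {1}/{2} bytes" -f $f.LocalName, $f.BytesTransferred, $f.BytesTotal)
    }
    Write-Host ''
}
```

On Windows XP, where the module is not available, `bitsadmin /list /allusers /verbose` prints the same job list, including owner and remote URL per file.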
  1. Uninstall SpyBot S&D it’s worthless. Use MalwareBytes instead.
  2. Disable Windows Defender, it could create a possible conflict.

If you desire to keep SpyBot disable the tea-timer. The tea-timer is known to cause issues with avast.
MalwareBytes is a much better product.

To download MalwareBytes use this link.

Read this about SpyBot S&D.

Have you disabled Windows Defender, installed Malwarebytes, fully updated both it and Avast and run full computer scans with both? As suggested above, you may well wish to post in the appropriate section for a full computer review to see if you are infected with something :frowning:

OK. Done all that was asked. The problem has now shown up on one of my other comps. Log files attached.

Here are the other two logs asked for.

May I politely request that you do not attach the logs but instead copy and paste the log reports into the forum so they can be easily read by everyone …thanks !!

Sorry, but no. Attaching them is the right way to do it.

What version of Avast are you running, i.e. 2014 or V8?

Using the latest version 2014.9.0.2013

OK, let's look deeper, as BITS should not be sending

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

OK, ran ComboFix on the suspect comp as requested. Also ran it on another comp that was showing the same behaviour. Have attached both logs. The one you are interested in is Comp 3 ComboFix Log. Whatever ComboFix did, it would appear that it has cured the problem. Any idea as to what was causing this behaviour? Oh yes, and thank you very much for taking the time to help, I'm much obliged to you.

They both had the winlogon altered in some way; comp 1 was repaired but we need to do comp 3 manually.

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy:: c:\windows\ServicePackFiles\i386\winlogon.exe|c:\windows\system32\winlogon.exe

File::
c:\windows\TEMP\TMP000000425B372EC79428EBDB

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
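Before and after the script above runs, it is worth seeing whether the live winlogon.exe really differs from the service-pack copy the FCopy line restores from, and whether the temp file it deletes is still there. This is an added, read-only check, not part of the thread or of ComboFix; the three paths are the ones in the script, and the hashing is done through .NET so it also runs on PowerShell 2.

```powershell
# Added example (not from the thread): compare the live winlogon.exe against the
# service-pack backup the CFScript restores from, and report the temp file it removes.
# Read-only; changes nothing. Paths are the ones used in the script above.
$live   = 'C:\Windows\System32\winlogon.exe'
$backup = 'C:\Windows\ServicePackFiles\i386\winlogon.exe'   # XP path, as in the script
$temp   = 'C:\Windows\TEMP\TMP000000425B372EC79428EBDB'      # file the script deletes

function Get-Sha256 ([string]$Path) {
    # .NET hashing so this also works on PowerShell 2 (no Get-FileHash there)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

foreach ($p in @($live, $backup)) {
    if (-not (Test-Path $p)) { Write-Host "$p : missing"; continue }
    $sig  = Get-AuthenticodeSignature $p
    $item = Get-Item $p
    Write-Host "$p"
    Write-Host ("  size {0} bytes, SHA-256 {1}" -f $item.Length, (Get-Sha256 $p))
    Write-Host ("  version {0}" -f $item.VersionInfo.FileVersion)
    # Many Windows system binaries are catalog-signed rather than embedded-signed, and
    # older PowerShell only checks embedded signatures, so NotSigned alone is not proof
    # of tampering; the hash comparison below is the stronger check on XP.
    Write-Host ("  signature {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
}

if ((Test-Path $live) -and (Test-Path $backup)) {
    if ((Get-Sha256 $live) -eq (Get-Sha256 $backup)) {
        Write-Host 'winlogon.exe matches the service-pack copy.'
    } else {
        Write-Host 'winlogon.exe DIFFERS from the service-pack copy (a later hotfix, or tampering).'
    }
}
Write-Host ("Temp file {0}: {1}" -f $temp, $(if (Test-Path $temp) { 'present' } else { 'absent' }))
```

A hash mismatch is only suspicious if no post-service-pack hotfix replaced winlogon.exe; the file version line helps tell the two apart.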

Ok. Comp 1 is still transmitting data to an IP in Canada, so it's not fixed. The only way to stop it is to disable Background Intelligent Transfer Service. Tried running ComboFix on comp 3 and it has BSOD'd with the following:
STOP: c000021a (Fatal System Error)
The Windows Logon Process system process has been terminated unexpectedly with a status of 0x00000000 (0x00000000 0x00000000)
The System has Been Shut down.

Download and run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Scanned as requested and log file attached. This is for comp 3, mentioned above in the BSOD post.

Could you also run it on comp one please, as that checks out the path and files of the BITS system.

Could you retry the ComboFix script on comp 3 please?

Ran FSS on comp 1 as requested, log file attached. Ran ComboFix on comp 3 as requested, log file attached.