unknown outbound traffic

Hello,

On my local LAN I have unknown continuous outbound traffic on several of my boxes now since I switched my satellite ISP to hughesnet. I’m running W2K SP2, all updates, zonealarm pro and
avast 4.8 home with all the latest updates. I’ve never seen this behavior before, and every check I’ve run shows up OK. I did detect some trojans but avast removed them all (renamed/moved). I can’t figure out what could still be causing this problem Everything scans clean but on a few boxes I still get immediate outbound packet traffic (viewing the status window for the NIC) that doesn’t ever stop! (with no other applications, ie. boinc clients are the only thing running - trying to send or receive data) Here is a copy of hijack’s log from one box with
the problem:

Logfile of HijackThis v1.99.1
Scan saved at 5:53:48 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\U-ABIT\uGuru\uGuru.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\rosetta_beta_5.98_windows_intelx86.exe
C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\rosetta_beta_5.98_windows_intelx86.exe
C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\minirosetta_1.32_windows_intelx86.exe
C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\rosetta_beta_5.98_windows_intelx86.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/webplayerdemo/en?rcv=1&dist=divxdotcom
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\uGuru\uGuru.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I have most of the zonealarm and avast security settings pretty much maxed out for tightest
security, and my local lan is all static ip’s in a fixed range, everything outside the range is blocked by zonealarm. I’ve also ran the avast rootkit detector software and nothing turns up. I’ve scheduled boot time scans with avast, again no luck on anything funny.

I don’t get it. Any help greatly appreciated.

/amgthis


You are using an old version of HJT.

Please download HijackThis from the link below.

http://filehippo.com/download_hijackthis/


Right
delete HJT from your desktop if that is where it is and create a new folder C:\HJT
when you download HJT to your new folder rename it AMGthisHJT.exe
be sure and close all browser windows

Did you say Windows 2000? why not SP4?

is your spyware doctor up to date and a version which provides real time protection?
spyware doctor scan shows nothing?

you might want to run a spyware doctor scan and if you have time A MalwareBytes AntiMalware scan and/or SAS scan then your new HJT
quarantine do not remove/delete (except MBAM which says remove when it means quarantine and remove :slight_smile:

which trojans were found? are they in the Chest?
With the Avast providers Standard, e-mail, internet set to HIGH
that should prevent you from being a spambot

what does your task panel show as far as tasks running?

Thanks for the replies, I downloaded the new HJT and I’ll follow your instructions and see
what turns up. I’m running Windows XP SP2 and I was putting found trojans into the chest
but I started ‘moving and renaming’ them - and now I just delete them.

I never saw any named unusual processes running in the Task Manager, and even
‘netstat /a’ in a command window never really showed anything I could put my fingers
on as the culprit. I’ll follow your advices and see what I can turn up.

In the meantime I’ve locked down my local lan very tight, I had all the local boxes
in the ‘internet zone’ in ZA which meant no more file sharing. I’ve started just
disabling the NIC on each box unless there was something I needed to transfer at the
moment, while I could attend to it.

Running distributed computing projects means the boxes could get hungry for more work
almost anytime, so that’s not a real good solution. Most of the boxes are ‘quiet’ now
when the NIC is enabled to the LAN, but there are still a couple that exhibit the constant
flow of packets out, and scans with Avast and spyware doctor turn nothing up. I’ll
see what the new HJT can do.

Thanks again, I’ll get back with more info when I can. I’d really like to sort this out.

/amgthis