Urgent Help Required - Sudden high Web/File/Network Traffic

Hi there,

I have been leaving my computer on for countless months now. Earlier today, I received a message from my ISP that I had exceeded my bandwidth, by a lot. When I finally got home and reviewed the logs, I found that I had used 15 GB of data in less than 24 hours. To give you a rough gauge of how much data this computer actually sees, my last month’s usage was 1.07 GB.

I checked avast! Web, File System, and Network Shields. While none of them detected any malicious activity, all three saw a HUGE spike in activity from approximately 9 PM yesterday until the time I got someone in my household (I wasn’t home the entire day) to pull the plug on my computer (in hindsight, I should have rushed home to see what was running).

I understand that avast! is unable to, as far as I know, show logs of what it had scanned if they were not “Infected”, since it doesn’t log non-infected files.

What I did was to do a custom search of my entire C: drive (datemodified:13/4/2012, datemodified: 14/4/2012). This showed that roughly around 9:43 PM, consistent with the spike in avast!'s logs, the folder "C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\FQCVEGH9" was accessed throughout the night all the way until the plug was pulled. Several folders were created, and one was consistent throughout all these folders (file names are websites that look considerably malicious, I’ve never seen them before though), and edited/accessed multiple times, “ltas.swf”, which contains 8 files, all of which have the “.sol” extension. These files were constantly downloaded/replaced, which appears to have caused the network spike.

Now that the computer is restarted, the problem seems to have ceased and I am no longer seeing any activity in that particular folder, or any other activity for that matter.

I would like to know if anyone has any clue what happened, or how I can check and see how the files got accessed, etc. I have already run a virus-scan in avast! as well as a scan in MalwareBytes, both of which turned up fine.

Sorry for the long post, and thanks for taking time to read through this.
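The manual check in the post above (search the drive for files modified on 13/4 and 14/4/2012, notice that they all sit under the Flash Player #SharedObjects folder) can be scripted so that it also answers the question the poster is left with: which site folder each .sol belongs to, and whether each file really is a Flash Local Shared Object. The script below is an added example and is not the poster's code or anything from the thread. It assumes only two documented facts: the #SharedObjects layout (a random-id folder, then one folder per site, then the SWF name, then the .sol files) and the LSO header format (00 BF, a 4-byte length, the "TCSO" signature, the object name, and the AMF version). The directory tree and file contents it builds in `make_sample_tree()` are constructed for the example; the site names, the ID folder and the non-LSO file with a .sol extension are hypothetical and are there to show the header check catching something that merely carries the extension.

```python
"""Triage Flash Local Shared Objects (.sol files) written in a time window.

Added example, not part of the original post. It scripts the check the poster
did by hand (search for files modified on 13-14/4/2012 under the Flash Player
#SharedObjects folder) and adds what the poster asked for: which site folder
each .sol belongs to and whether the file really is an LSO. The directory tree
and file contents built in make_sample_tree() are constructed for the example;
the #SharedObjects layout (<random id>\\<site>\\...\\<swf>\\<name>.sol) and the
LSO header format are the only facts assumed.
"""
import os
import struct
import tempfile
from datetime import datetime
from pathlib import Path

SOL_MAGIC = b"\x00\xbf"                          # first two bytes of every .sol
SOL_SIGNATURE = b"TCSO\x00\x04\x00\x00\x00\x00"  # follows the 4-byte length field


def parse_sol_header(data: bytes):
    """Return (object name, AMF version, body length) or None if not an LSO.

    Layout: 00 BF | u32 length of the rest of the file | 'TCSO' 00 04 00 00 00 00
            | u16 name length | name | u32 AMF version (0 or 3) | AMF body
    """
    if len(data) < 18 or data[:2] != SOL_MAGIC:
        return None
    (rest_len,) = struct.unpack(">I", data[2:6])
    if rest_len != len(data) - 6 or data[6:16] != SOL_SIGNATURE:
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    pos = 18 + name_len
    if len(data) < pos + 4:
        return None
    name = data[18:pos].decode("utf-8", "replace")
    (version,) = struct.unpack(">I", data[pos:pos + 4])
    if version not in (0, 3):
        return None
    return name, version, len(data) - pos - 4


def build_sol(name: str, body: bytes, version: int = 0) -> bytes:
    """Serialise a minimal LSO; used only to construct the sample files."""
    raw = name.encode("utf-8")
    rest = SOL_SIGNATURE + struct.pack(">H", len(raw)) + raw + struct.pack(">I", version) + body
    return SOL_MAGIC + struct.pack(">I", len(rest)) + rest


def triage(shared_objects_root, start: datetime, end: datetime):
    """Timeline of .sol files modified in [start, end] under #SharedObjects.

    Returns [(site folder, swf folder, object name or None, mtime)] sorted by
    mtime; None marks a file that carries the .sol name but is not an LSO.
    """
    hits = []
    for profile_dir in Path(shared_objects_root).iterdir():  # random-id folder(s)
        for sol in profile_dir.rglob("*.sol"):
            mtime = datetime.fromtimestamp(sol.stat().st_mtime)
            if not (start <= mtime <= end):
                continue
            rel = sol.relative_to(profile_dir)
            site = rel.parts[0]
            swf = rel.parts[-2] if len(rel.parts) >= 2 else ""
            hdr = parse_sol_header(sol.read_bytes())
            hits.append((site, swf, hdr[0] if hdr else None, mtime))
    return sorted(hits, key=lambda h: h[3])


def make_sample_tree(base) -> Path:
    """Constructed #SharedObjects tree (hypothetical names): one site written
    during the spike, one written weeks earlier, and a non-LSO file that only
    carries the .sol extension."""
    root = Path(base) / "#SharedObjects"
    files = {
        ("ID0000AA", "news.example.invalid", "ltas.swf", "cfg.sol"):
            (build_sol("cfg", b"\x00"), datetime(2012, 4, 13, 21, 45)),
        ("ID0000AA", "news.example.invalid", "ltas.swf", "q.sol"):
            (build_sol("q", b"\x01" * 8, 3), datetime(2012, 4, 14, 3, 10)),
        ("ID0000AA", "news.example.invalid", "ltas.swf", "junk.sol"):
            (b"MZ\x90\x00", datetime(2012, 4, 14, 4, 0)),
        ("ID0000AA", "video.example.invalid", "player.swf", "volume.sol"):
            (build_sol("volume", b"\x00"), datetime(2012, 3, 2, 12, 0)),
    }
    for parts, (content, mtime) in files.items():
        path = root.joinpath(*parts)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return root


def demo():
    """Run the triage over the constructed tree for the night of the spike."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_sample_tree(tmp)
        return triage(root, datetime(2012, 4, 13, 21, 0), datetime(2012, 4, 14, 23, 59))


if __name__ == "__main__":
    for site, swf, name, mtime in demo():
        print(f"{mtime:%Y-%m-%d %H:%M}  {site}/{swf}  {name or '<not an LSO>'}")
```

On a real machine, point `triage()` at the `#SharedObjects` folder under the affected profile (here that would be the systemprofile path quoted in the post) with the window taken from the avast! shield spike. The site-folder column is the first thing to read: Flash keys LSOs by the domain that served the SWF, so it tells you which host the SYSTEM-context Flash instance was talking to, and a None in the name column means something other than the Flash player wrote that file.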

Follow the guide here and attach logs from malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

Then one of the malware removal experts will have a look and see if they spot something suspicious.

It probably could’ve been a Trojan downloader. Do a registry scan with a registry cleaner to make sure your computer is free of malicious software.

-GuitarLord

Maybe one of those Fileless Bots?

See: http://www.securelist.com/en/blog/687/A_unique_fileless_bot_attacks_news_site_visitors

Explains how it works and why no current infection may be seen. But just revisiting the site will re-infect if the site is still infected. Rebooting will clear the infection as per the article as it resides in RAM but can return as above.

Registry cleaners are not recommended, and in any case, ineffective against this strategy.

Maybe this, maybe that… Speculative ideas do not help.

The only thing that works is to attach the logs and have them checked by removal specialists.

"C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\FQCVEGH9\" was accessed throughout the night all the way until the plug was pulled. Several folders were created, and one was consistent throughout all these folders (file names are websites that look considerably malicious, I've never seen them before though), and edited/accessed multiple times, "ltas.swf", which contains 8 files, all of which have the ".sol" extension. These files were constantly downloaded/replaced, which appears to have caused the network spike.
@Pondus,

You are right, this does look like malicious activity.

+1

Thanks all. Attached are the MBAM, OTL, and aswMBR logs.

The way it was happening at a specific time leads me to suspect the tasks on your system.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKU\S-1-5-21-2354993341-2317176385-3448678489-1000\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-2354993341-2317176385-3448678489-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-2354993341-2317176385-3448678489-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe File not found
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
[2012/04/15 05:32:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/15 01:46:10 | 000,000,020 | ---- | M] () -- C:\Windows\°öœ
[2012/04/14 21:08:38 | 000,214,141 | ---- | M] () -- C:\Windows\System\viewed.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
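The fix above goes after scheduled tasks (note the `.job` file under C:\Windows\tasks in the file list) because the activity started at a fixed time of day. Two facts worth making explicit for anyone reading the O3/O4 lines: HKU\S-1-5-18 is the Local System account's registry hive, and Local System's profile directory is C:\Windows\System32\config\systemprofile, which is exactly where the poster found the .sol files being rewritten. Flash content that writes LSOs under that profile is therefore running as SYSTEM, not inside the logged-in user's browser, which is consistent with (though not proof of) a scheduled task or service launching it. The script below is an added example, not OTL's logic and not from the thread: it reads the verbose CSV that `schtasks /query /fo CSV /v` prints on Windows XP/7 and lists the tasks whose last run fell inside the spike window, optionally only those running as SYSTEM. The rows in `SAMPLE_SCHTASKS_CSV` are constructed (the task names, paths and times are invented); only the column names match real schtasks output, and the sample keeps just the columns the check uses. The time format assumed is the en-US short format.

```python
"""Pick out scheduled tasks that ran inside the window of the traffic spike.

Added example, not part of the original thread and not OTL's logic. It reads
the verbose CSV from `schtasks /query /fo CSV /v` and lists every task whose
last run fell in the window, with the account it runs as. The sample rows are
constructed (hypothetical task names, paths and times); only the column names
match real schtasks output, trimmed to the columns this check uses.
"""
import csv
import io
from datetime import datetime

# Constructed sample. The hourly SYSTEM task that first fired at 9:43 PM on
# 4/13 is the one the check should surface; the feed-sync task also ran in the
# window but as the interactive user, so it cannot have written files under
# System32\\config\\systemprofile. schtasks repeats the header row per task
# folder, which the sample reproduces so the parser has to cope with it.
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Status","Last Run Time","Last Result","Author","Task To Run","Schedule Type","Run As User"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","4/11/2012 1:00:00 AM","0","Microsoft Corporation","%windir%\\system32\\defrag.exe -c","Weekly","SYSTEM"
"PC1","\\ExampleVendor Update","Ready","4/14/2012 4:43:00 PM","0","PC1\\user","C:\\ProgramData\\ExampleVendor\\upd.exe /silent","Hourly","SYSTEM"
"HostName","TaskName","Status","Last Run Time","Last Result","Author","Task To Run","Schedule Type","Run As User"
"PC1","\\FeedSync","Ready","4/14/2012 7:12:33 AM","0","PC1\\user","C:\\Windows\\system32\\msfeedssync.exe sync","Daily","PC1\\user"
"PC1","\\NeverRan","Ready","N/A","1","PC1\\user","C:\\tools\\x.exe","On demand","PC1\\user"
"""

# The interval the poster reconstructed from the avast! shield logs.
SPIKE_START = datetime(2012, 4, 13, 21, 0)
SPIKE_END = datetime(2012, 4, 14, 23, 59)


def parse_schtasks_time(value: str):
    """schtasks prints times in the locale's short format; en-US is assumed.
    "N/A" (and the 1999 placeholder some versions print) means never ran."""
    try:
        ts = datetime.strptime(value.strip(), "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None
    return None if ts.year < 2000 else ts


def runs_as_system(run_as: str) -> bool:
    """schtasks shows Local System as "SYSTEM" or "NT AUTHORITY\\SYSTEM"."""
    return run_as.strip().upper().endswith("SYSTEM")


def tasks_in_window(csv_text: str, start: datetime, end: datetime,
                    system_only: bool = False):
    """Return [(task name, last run, run-as user, command)] for tasks whose
    last run lies in [start, end], oldest first. With system_only=True keep
    only SYSTEM tasks, the ones whose per-user files land under
    System32\\config\\systemprofile."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":   # repeated header row, skip it
            continue
        last = parse_schtasks_time(row["Last Run Time"])
        if last is None or not (start <= last <= end):
            continue
        if system_only and not runs_as_system(row["Run As User"]):
            continue
        hits.append((row["TaskName"], last, row["Run As User"], row["Task To Run"]))
    return sorted(hits, key=lambda h: h[1])


def demo(system_only: bool = True):
    """Run the check over the constructed sample for the spike window."""
    return tasks_in_window(SAMPLE_SCHTASKS_CSV, SPIKE_START, SPIKE_END, system_only)


if __name__ == "__main__":
    for name, last, user, cmd in demo(system_only=False):
        flag = "SYSTEM " if runs_as_system(user) else "user   "
        print(f"{last:%Y-%m-%d %H:%M}  {flag} {name}  ->  {cmd}")
```

On the live machine, save the real listing with `schtasks /query /fo CSV /v > tasks.csv` and feed that text to `tasks_in_window()`. Only the last run time is recorded, so a task that fired repeatedly through the night shows its final run; the "Schedule Type" column (Hourly, At startup, and so on) is what tells you it kept going. A task that runs as SYSTEM and whose command lives somewhere a normal user can write to is the combination to look at first.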

The Malwarebytes log you posted shows that you are running an old and not updated version.

Update to latest version, then update to latest signature and run a new quick scan

Question, I think I’m going to reformat this particular computer and re-purpose it for other use.

That being said, I don’t think I’ll need a fix for this issue. I’m just curious as to what caused the issue. If anyone knows of a way to find out what CAUSED the issue, then I’d love to hear it. If not, I think I’ll simply reformat the computer.

Thanks.

Ran Malwarebytes with latest engine/definitions, nothing found. It’s either long gone or something else, I guess.

Are you up to date with Adobe and Java? Latest versions?

Did you follow the steps in reply #7, where you should also post a new OTL log?