Hi there,
I have been leaving my computer on for countless months now. Earlier today, I received a message from my ISP that I had exceeded my bandwidth, by a lot. When I finally got home and reviewed the logs, I found that I had used 15 GB of data in less than 24 hours. To give you a rough gauge of how much data this computer actually sees, my last month’s usage was 1.07 GB.
I checked avast! Web, File System, and Network Shields. While none of them detected any malicious activity, all three saw a HUGE spike in activity from approximately 9 PM yesterday until the time I got someone in my household (I wasn’t home the entire day) to pull the plug on my computer (in hindsight, I should have rushed home to see what was running).
I understand that avast! is unable to, as far as I know, show logs of what it had scanned if they were not “Infected”, since it doesn’t log non-infected files.
What I did was to do a custom search of my entire C: drive (datemodified:13/4/2012, datemodified: 14/4/2012). This showed that roughly around 9:43 PM, consistent with the spike in avast!'s logs, the folder "C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\FQCVEGH9" was accessed throughout the night all the way until the plug was pulled. Several folders were created, and one was consistent throughout all these folders (file names are websites that look considerably malicious, I’ve never seen them before though), and edited/accessed multiple times, “ltas.swf”, which contains 8 files, all of which have the “.sol” extension. These files were constantly downloaded/replaced, which appears to have caused the network spike.
Now that the computer is restarted, the problem seems to have ceased and I am no longer seeing any activity in that particular folder, or any other activity for that matter.
I would like to know if anyone has any clue what happened, or how I can check and see how the files got accessed, etc. I have already run a virus-scan in avast! as well as a scan in MalwareBytes, both of which turned up fine.
Sorry for the long post, and thanks for taking time to read through this.
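
One way to triage a folder like the one described, as an added example that is not part of the original post: it groups the `.sol` files modified inside a time window by the site-named folder they sit under, with counts, sizes and first/last write times. The site and file names in the sample are constructed, and the layout (first folder level named after the site) is an assumption taken from the description above.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path


def summarize_lsos(root, start, end):
    """Group .sol files last written in [start, end] by their top-level folder.

    Returns {origin: {"files": n, "bytes": b, "first": dt, "last": dt}}.
    """
    root = Path(root)
    summary = {}
    for sol in root.rglob("*.sol"):
        st = sol.stat()
        mtime = datetime.fromtimestamp(st.st_mtime)  # local time, like Explorer
        if not (start <= mtime <= end):
            continue
        origin = sol.relative_to(root).parts[0]  # assumed: folder named after the site
        entry = summary.setdefault(
            origin, {"files": 0, "bytes": 0, "first": mtime, "last": mtime})
        entry["files"] += 1
        entry["bytes"] += st.st_size
        entry["first"] = min(entry["first"], mtime)
        entry["last"] = max(entry["last"], mtime)
    return summary


def demo():
    """Build a constructed sample tree and summarize the 13-14 April window."""
    samples = [  # (relative path, size in bytes, modified time), all constructed
        ("site-a.example/ltas.swf/a.sol", 120, datetime(2012, 4, 13, 21, 43)),
        ("site-a.example/ltas.swf/b.sol", 80, datetime(2012, 4, 14, 3, 10)),
        ("site-b.example/ltas.swf/c.sol", 50, datetime(2012, 4, 14, 9, 0)),
        ("old.example/player.swf/d.sol", 40, datetime(2012, 3, 1, 12, 0)),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, size, when in samples:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"\0" * size)
            os.utime(path, (when.timestamp(), when.timestamp()))
        return summarize_lsos(root, datetime(2012, 4, 13),
                              datetime(2012, 4, 14, 23, 59, 59))


if __name__ == "__main__":
    for origin, info in sorted(demo().items()):
        print(origin, info["files"], info["bytes"], info["first"], info["last"])
```

On the affected machine, pass the profile folder (the FQCVEGH9 folder above) as `root`; the result reflects last-write times per site, not which process wrote the files.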