Is this a virus?


Sirius

Computer connects to internet OK and then connection gets slower and slower
till nothing is coming in but data continues to go out. At best the
connection is very slow. Shut down takes ages. Startup is normal.

Netstat shows 10 to 12 TCP connections (all from different ports and mostly
where the foreign address appears to be the computer itself) and also 10 to
12 UDP connections mostly to *.* (*.* I don't understand)

There was only one normal connection listed and that was to 193.86.103.11
which I think was valid as I was trying to get an AVG antivirus update.
(Whois suggests this is valid) No other foreign addresses were given in the
list of 22 or so connections, data continued to flow out and yet the AVG
update KB counter had halted and did not move again. I think it has the
built in firewall on.

Computer is a 1½-year-old Dell, Windows XP Home, and I think it's had the
Dell restore disk used on it. I'm 100 miles away now, but I'm hoping I can
help my uncle sort it out remotely.

On my own computer netstat shows only a handful of entries, not the 22 or so
I saw on his. Malware is likely as he would not have been updating his
antivirus, but would it still be there after the Dell restore process?

Does this sound like hardware, malware or configuration? I did try
reinstalling the modem. (Yes, I know he should be updating defs and running a
decent firewall. I told him that too.)
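Reading netstat output like the one described in the post above, as an added example that is not from the thread: a Python parser over constructed `netstat -ano`-style rows (assumed columns Proto, Local Address, Foreign Address, State, PID) that separates loopback-only pairs, UDP sockets shown as `*:*`, and genuine remote peers, and groups the remote peers by owning PID. The sample rows and the own-IP set `{"192.168.1.5"}` are made up; only 193.86.103.11 comes from the post.

```python
import re
from collections import Counter

# Constructed sample in the column layout of Windows `netstat -ano`
# (Proto, Local Address, Foreign Address, State, PID); not from the thread.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1120
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED     1120
  TCP    192.168.1.5:1040       193.86.103.11:80       ESTABLISHED     1384
  TCP    192.168.1.5:1051       198.51.100.7:8080      SYN_SENT        1604
  TCP    192.168.1.5:1052       198.51.100.9:8080      SYN_SENT        1604
  UDP    0.0.0.0:1027           *:*                                    1120
  UDP    192.168.1.5:137        *:*                                    4
"""

# State is absent on UDP rows, so that group is optional.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """One dict per socket row; header, blank and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def classify(row, own_ips):
    """Label a row the way the poster was trying to read them by eye."""
    host = row["foreign"].rsplit(":", 1)[0]
    if row["proto"] == "UDP" and row["foreign"] == "*:*":
        return "udp-bound"      # unconnected UDP socket: '*:*' means no peer, not traffic
    if host.startswith("127.") or host in own_ips:
        return "local-only"     # both ends are this machine: inter-process chatter
    return "external"           # a real remote peer: check whois and the owning PID


def summarize(text, own_ips):
    """Counts per label plus the external peers grouped by PID for follow-up."""
    rows = parse_netstat(text)
    labels = Counter(classify(r, own_ips) for r in rows)
    external_by_pid = {}
    for r in rows:
        if classify(r, own_ips) == "external":
            external_by_pid.setdefault(r["pid"], []).append(r["foreign"])
    return dict(labels), external_by_pid
```

Paste real `netstat -ano` output in place of SAMPLE and pass the machine's own address(es); the PIDs in the external group are the ones to match against the process list in Task Manager or HijackThis.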
 
In Message-ID:<[email protected]> posted on
> Computer connects to internet OK and then connection gets slower and slower
> till nothing is coming in but data continues to go out. At best the
> connection is very slow. Shut down takes ages. Startup is normal.
>
> Netstat shows 10 to 12 TCP connections (all from different ports and mostly
> where the foreign address appears to be the computer itself) and also 10 to
> 12 UDP connections mostly to *.* (*.* I don't understand)
>
> There was only one normal connection listed and that was to 193.86.103.11
> which I think was valid as I was trying to get an AVG antivirus update.
> (Whois suggests this is valid) No other foreign addresses were given in the
> list of 22 or so connections, data continued to flow out and yet the AVG
> update KB counter had halted and did not move again. I think it has the
> built in firewall on.
>
> Computer is a 1½-year-old Dell, Windows XP Home, and I think it's had the
> Dell restore disk used on it. I'm 100 miles away now, but I'm hoping I can
> help my uncle sort it out remotely.
>
> On my own computer netstat shows only a handful of entries, not the 22 or so
> I saw on his. Malware is likely as he would not have been updating his
> antivirus, but would it still be there after the Dell restore process?
>
> Does this sound like hardware, malware or configuration? I did try
> reinstalling the modem. (Yes, I know he should be updating defs and running a
> decent firewall. I told him that too.)

Maybe Debbie could elaborate, but I'm guessing you might have become
someone's zombie box in a DDoS event. Can you access any of the online
scans, or better yet, get HijackThis, and see what all is playing in
there?
HijackThis:
http://mjc1.com/mirror/hjt/
or another good one is Process Viewer:
http://www.teamcti.com/pview/
 

I reckon you have one of the latest trojans.
Details on all the latest viruses from Sophos are linked from my site, as is a
lot more.
--
My main website is at
http://tinyurl.com/t7tg
More images; more pages; more music;
more information + XP help - more
to browse.
There's 13.4 Mb of data onsite with
links to many more megabytes on other
sites.
 
Dr Halonfire$ (L'Girl) said:
> I reckon you have one of the latest trojans.

So we have 2 votes for malware. Thanks. I've sent him the latest AVG defs on
CD. Hope that will come up with the answer.
 
Bart Bailey said:
In Message-ID:<[email protected]> posted on
> Maybe Debbie could elaborate, but I'm guessing you might have become
> someone's zombie box in a DDoS event. Can you access any of the online
> scans, or better yet, get HijackThis, and see what all is playing in
> there?
> HijackThis:
> http://mjc1.com/mirror/hjt/
> or another good one is Process Viewer:
> http://www.teamcti.com/pview/

Hmm, I've had a quick try with the first one. (The second one didn't
download properly, so I need to try again.) HijackThis certainly shows up a
lot of processes but I don't know that I'd be able to identify the offending
one - even if I do get down to access the computer again. I don't think I
could have accessed an online scan. I've used some before and there is quite
a download first which it doesn't seem able to do. If the malware can
disable the AVG perhaps I'll need to look into trying a DOS scan from CD.
Dunno if that would work with NTFS though.
 