| Windows XP Discuss the Microsoft Windows XP Operating System |
Virus vs Port Scan Help

I think I got a virus that causes excessive port scans.

Last week a web page wanted to install an ActiveX feature and I allowed it, to my regret. A few minutes later, I noticed excessive network activity on my DSL modem. Closing my browser and all open applications, the activity continued to run wild.

A list of my attempts to find/fix the problem...

1- Updated to Vcom System Suite 7 Pro and ran a full scan.
2- Ran AVG Anti-Spyware Free Edition.
3- Ran McAfee Stinger
4- Ran Spybot Search & Destroy
5- Ran Symantec FixBlast.exe
6- Ran Symantec FixWelch.exe
7- Ran Trend Sysclean
8- Ran Windows Defender
9- Ran Symantec online anti-virus scanner

These I've run in normal AND safe mode. Some have found some problems and cleaned them up but my problem persists.

Watching my network traffic, \system32\services.exe & \system32\svchost.exe seem to be rapidly trying to reach the internet. If I try to manually block services & svchost from internet access via Vcom Firewall I'll see that both will start up multiple instances (many) in the Vcom Net Defense Firewall list of applications trying to access the internet. Vcom will see a lot of this as high risk port scans and will block much of it.

When this gets going, my CPU usage will vary from 10%-40% and my bandwidth gets all eaten up, making it hard to even browse a web page.

The weird thing is that much of the traffic is between the LAN IP of my PC and my DSL modem, but then I begin to see IP addresses I don't recognize and can't seem to backtrace them. Involved port numbers are all over the place, but seem to start off with port 80.

I'm beginning to wonder if services.exe and/or svchost.exe have been compromised in some way. Anybody got a clue what's going on here?

Thanks for any help!
(let me know if there is a better place to post my question)

Richard in VA.
+++++++++++++++++++++

Re: Virus vs Port Scan Help

Open IE... Tools... Manage add-ons... Enable or disable add-ons

find the culprit and shut it down

peter

--
DISCLAIMER: If you find a posting or message from me offensive, inappropriate, or disruptive, please ignore it. If you don't know how to ignore a posting, complain to me and I will be only too happy to demonstrate... ;-)

Re: Virus vs Port Scan Help

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use. It will help you to both identify and remove any hijackware/spyware with assistance from an expert. **Post your log to http://forums.spybot.info/forumdisplay.php?f=22, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Re: Virus vs Port Scan Help

Would a system restore help?

Re: Virus vs Port Scan Help

Thanks PA Bear for all the great links, a lot to sift through here!

Nope, I've already disabled system restore.

Tonight, I'll try HijackThis and RootKitRevealer and continue from there.... Also I'll shut down some browser add-ons....

I did try to run Ad-aware, but that scanner shuts down the PC and then reboots for some reason???

If I don't see any resolution soon, I guess I'll go buy a new hard drive and reinstall and start all over, hate to havta go through all that tho...!

Richard in VA (at work on a safe PC)
+++++++++++++++++++++++++++++++++

Re: Virus vs Port Scan Help

btw, the culprit... whatever it is, starts up before any user logs on.

In case this helps any in identifying it...

Richard in VA.
++++++++++++++++++

Re: Virus vs Port Scan Help

"Richard In Va." <Reply-none@aol.com> wrote in news:#ij38oPZIHA.484@TK2MSFTNGP06.phx.gbl:

> btw, the culprit... whatever it is, starts up before any user logs on.
>
> In case this helps any in identifying it...

Richard, if one of the possible culprits is an instance of svchost.exe..

Are you sure it's svchost.exe and not some similarly named file.....svchosts.exe, scvhost.exe, etc.?

To start off troubleshooting this, you can D/L the SysInternals Process Explorer utility from MS to see which services each svchost.exe is hosting. Process Explorer is a task manager replacement, and far better than Task Manager.

D/L, unzip (no install necessary) and start Process Explorer. Move the cursor over the offending svchost.exe to see what services it hosts.

You can then disable the services one by one to eliminate whichever one may be the offending culprit.

It's a start.

Regards,

DanS

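DanS's first check above (is it really svchost.exe, or a similarly named file such as svchosts.exe or scvhost.exe?) can be automated over a process listing. The following is an added example, not part of any post in the thread; the CSV listing is constructed sample data, and its column names, the C:\WINDOWS install path and all function names are assumptions.

```python
import csv
import io
import ntpath

# Names worth protecting and the one folder they should run from.
# Assumption: default install under C:\WINDOWS.
PROTECTED = ("services.exe", "svchost.exe")
SYSTEM_DIR = r"c:\windows\system32"

# Constructed sample listing (not from the thread); column names are assumed.
SAMPLE = r"""Node,ExecutablePath,Name,ProcessId
PC1,C:\WINDOWS\system32\services.exe,services.exe,680
PC1,C:\WINDOWS\system32\svchost.exe,svchost.exe,856
PC1,C:\WINDOWS\system32\svchost.exe,svchost.exe,1012
PC1,C:\WINDOWS\system32\scvhost.exe,scvhost.exe,1544
PC1,C:\WINDOWS\svchost.exe,svchost.exe,1688
PC1,C:\Program Files\Internet Explorer\iexplore.exe,iexplore.exe,2040
"""


def osa_distance(a, b):
    """Edit distance that also counts an adjacent swap as one edit,
    so 'scvhost' is distance 1 from 'svchost'."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition: "cv" <-> "vc"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(name, path):
    """Return a verdict for one process image name and its full path."""
    name_l = name.lower()
    if name_l in PROTECTED:
        if not path:
            # Path can be missing when the listing tool lacks access.
            return "path-unknown"
        folder = ntpath.dirname(path).lower()
        return "ok" if folder == SYSTEM_DIR else "wrong-location"
    for real in PROTECTED:
        # Close to a system name but not equal to it: likely an imitation.
        if 0 < osa_distance(name_l, real) <= 2:
            return "lookalike-name"
    return "ignore"


def audit(listing_csv):
    """Return (pid, name, verdict) for every process that needs a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(listing_csv.strip())):
        verdict = classify(row["Name"], row["ExecutablePath"])
        if verdict not in ("ok", "ignore"):
            findings.append((int(row["ProcessId"]), row["Name"], verdict))
    return findings


if __name__ == "__main__":
    for pid, name, verdict in audit(SAMPLE):
        print(f"PID {pid:>5}  {name:<14} {verdict}")
```

A process that passes both checks can still be hosting an unwanted service, which is what the Process Explorer step in the post is for.
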