MalwareCrypt
Topic: On four or five occasions this past week
Mr Bean (Newbie)
« Reply #15 on: December 08, 2009, 09:05:23 PM »

Jintan (Administrator, Hero Member)
« Reply #16 on: December 08, 2009, 10:15:44 PM »

Not really sure that one file removed by ComboFix is malware, and still no malware settings/functions showing in the scan logs. Those usage spikes get known by you after the fact, yes? Do you actually experience periods where such heavy activity is reflected by terrible slowness there? I am thinking if using something like Process Explorer (here) would help pinpoint a culprit.

Mr Bean (Newbie)
« Reply #17 on: December 08, 2009, 10:32:28 PM »

My logs show EXTREME activity for one-hour periods, up to about 20 GB. I managed to find a possible IP address to somewhere in NJ.

If that helps, I'm all ears.

Mr Bean (Newbie)
« Reply #18 on: December 08, 2009, 10:34:32 PM »

On the contrary, there is absolutely no activity on my network which shows anything which should cause me grief.

Jintan (Administrator, Hero Member)
« Reply #19 on: December 08, 2009, 10:48:13 PM »

As I know you are capable of figuring it out, go here and download Wireshark and install that. Also allow it to install WinPCap should it ask. Then run Wireshark.

Under Capture select Options, then use the drop down at the top to select your current connection. Also make sure this is checked:

Automatic scrolling in live capture

Then click Start. If you see no activity in the log, you have selected the wrong Interface (net connection device). The activity of interest will be highlighted green.

Watch for large groupings of similar net activity that might suggest these spurts you are mentioning. You'll have to tweak with Wireshark a little to get the hang of it.

If you see a "TCP segment", right click that and select "Follow TCP stream". This will tie together/reassemble the segmented packets into the entire packet, which may provide info as to what is being sent, and for what reasons.
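Added example, not code from this thread or from Jintan: a small standard-library Python script that does by hand what the Wireshark steps above do in the GUI. It ranks conversations by payload bytes (the "large groupings of similar net activity" the post says to watch for, which Wireshark also shows under Statistics > Conversations) and then "follows" one TCP stream by reassembling its segments in sequence order, including the case where a segment arrives out of order or is retransmitted. It assumes a classic little-endian pcap file with Ethernet framing and looks only at IPv4/TCP; checksums are neither computed nor verified, overlapping segments are not handled, and only one direction of the stream is reassembled. The capture it analyses is constructed inline (documentation-range addresses, arbitrary ports) so it runs offline.

```python
import struct
from collections import defaultdict

# Added example, not code from the MalwareCrypt thread. Assumes classic
# little-endian pcap (magic 0xA1B2C3D4), Ethernet framing, IPv4 and TCP;
# checksums are neither computed nor verified.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, sport, dst, dport, seq, payload, ts=0):
    """Constructed Ethernet/IPv4/TCP frame with its pcap record header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    frame = bytes(12) + b"\x08\x00" + ip          # zeroed MACs, EtherType IPv4
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def parse_pcap(data):
    """Return (src, sport, dst, dport, seq, payload) for each IPv4/TCP packet."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == PCAP_MAGIC, "only little-endian classic pcap is handled"
    linktype, = struct.unpack("<I", data[20:24])
    assert linktype == LINKTYPE_ETHERNET, "only Ethernet captures are handled"
    packets, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                               # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        doff = (tcp[12] >> 4) * 4
        packets.append((src, sport, dst, dport, seq, tcp[doff:]))
    return packets


def top_conversations(packets, n=3):
    """Payload bytes per (src, sport, dst, dport), heaviest first. The
    'large groupings of similar activity' show up as the top entries."""
    totals = defaultdict(int)
    for src, sport, dst, dport, _, payload in packets:
        totals[(src, sport, dst, dport)] += len(payload)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def follow_tcp_stream(packets, key):
    """One direction of Wireshark's Follow TCP Stream: keep the segments of
    the selected conversation, drop retransmitted duplicates, order them by
    sequence number and concatenate. Overlapping segments are not handled."""
    segments = {}
    for src, sport, dst, dport, seq, payload in packets:
        if (src, sport, dst, dport) == key and payload:
            segments.setdefault(seq, payload)        # first copy wins
    return b"".join(segments[s] for s in sorted(segments))


# Constructed capture (not real traffic): one bulk upload to a single peer,
# delivered out of order and with one retransmission, next to two small
# web requests. Addresses are documentation ranges, ports are arbitrary.
HEAVY = ("192.168.1.10", 51234, "203.0.113.7", 6881)
CAPTURE = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
CAPTURE += build_packet("192.168.1.10", 40001, "198.51.100.1", 443, 1,
                        b"GET / HTTP/1.1\r\n")
CAPTURE += build_packet(*HEAVY, 2400, b"B" * 1400)
CAPTURE += build_packet(*HEAVY, 1000, b"A" * 1400)
CAPTURE += build_packet(*HEAVY, 1000, b"A" * 1400)   # retransmission
CAPTURE += build_packet("192.168.1.10", 40002, "198.51.100.2", 80, 1,
                        b"GET /x HTTP/1.1\r\n")
CAPTURE += build_packet(*HEAVY, 3800, b"C" * 200)


def summarize(data=CAPTURE):
    """Heaviest conversation in the capture and its reassembled payload length."""
    pkts = parse_pcap(data)
    key, total = top_conversations(pkts, 1)[0]
    return key, total, len(follow_tcp_stream(pkts, key))


if __name__ == "__main__":
    for key, total in top_conversations(parse_pcap(CAPTURE)):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {total} bytes")
    print(summarize())
```

To run it against a real capture saved from Wireshark, pass `open("capture.pcap", "rb").read()` to `summarize` (File > Save As in the classic pcap format, not pcapng). Note that the byte ranking counts the retransmitted segment twice while the reassembly counts it once, which is why the two totals in `summarize` differ. For peer-to-peer traffic, which is spread over many short connections to many hosts, aggregating on the remote address alone rather than the full four-tuple makes the pattern stand out more clearly.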

Mr Bean (Newbie)
« Reply #20 on: December 09, 2009, 05:32:50 AM »

All the ones I checked seemed to head towards Gmail.

Jintan (Administrator, Hero Member)
« Reply #21 on: December 09, 2009, 02:55:14 PM »

Your PM of course indicates you have figured things out, and located the source.

Mr Bean (Newbie)
« Reply #22 on: December 09, 2009, 04:40:23 PM »

Thanks mate.

Jintan (Administrator, Hero Member)
« Reply #23 on: December 09, 2009, 07:35:22 PM »

Is there a plan underway to share with our MalwareCrypt viewing audience the source of these spikes?

Mr Bean (Newbie)
« Reply #24 on: December 09, 2009, 07:40:31 PM »

Absolutely.  

I have turned off my uTorrent software and it's stopped. I am obviously stupid enough to use this kind of thing so all I can expect is to be taken advantage of. It's taken a while to be compromised but it's happened. All I can do now is go in for a format and stop using it. Unfortunately for me it's the only way I can watch rugby of any calibre these days so it looks like that'll have to stop. I fly to Wales tomorrow for three weeks so I'll take care of it when I get back.

Jintan (Administrator, Hero Member)
« Reply #25 on: December 09, 2009, 07:45:01 PM »

The airport in Wales is also open on weekdays now?

Mr Bean (Newbie)
« Reply #26 on: December 09, 2009, 07:58:12 PM »

LOL no, but London Gatwick is. Don't worry, I'll jump straight in the Afon Llywd when I get there to rid myself of the acrid stench of the Saes.

Jintan (Administrator, Hero Member)
« Reply #27 on: December 09, 2009, 08:20:04 PM »

I'll post a smiley and pretend like I know what an "SAES" is.

As you and I have done these types of repairs in other forums, I know you know the procedures now to remove what our brief bit of work added there. None of the tools, except HijackThis itself, installed, so just deleting their folders and files will remove them.

Mr Bean (Newbie)
« Reply #28 on: December 09, 2009, 08:28:03 PM »

Thank you for your time. We can carry this on in private at our leisure.