dayin
2010-08-25, 01:35
(Reposted with DDS logs attached.)
Alright, I know when I'm beat. . .
For a couple of months there has been a low hum of network traffic on one of my new machines when inactive. It never exceeded 6kb/s though, so I wasn't worried about it, until my ISP brought to my attention that it was accessing hundreds of ports at a time, and told me to fix it.
Using NetLimiter Monitor I was able to confirm that services.exe and svchost.exe are the culprits, both of them frequently accessing dozens or hundreds of different ports, usually connecting to foreign IPs.
Repeated virus scans in both normal and safe mode from Malwarebytes, Spybot S&D, and Windows Defender have yielded no results.
As a temporary measure while I figured this out, I downloaded Comodo and told it to restrict all traffic to svchost.exe and services.exe, but that seems to have disabled my internet, as now I get either no, or very slow intermittent, connection in IE or Firefox.
Running Microsoft Vista, SP1, 32 bit.
Included below are my DDS log and a tasklist /svc scan. (In my research, I've seen it mentioned that that can be relevant to this sort of problem.) Please let me know if there's anything you see that could indicate a problem, as well as any other scans or measures I should do to help diagnose or repair. Thanks in advance for any help you can provide.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Jon at 15:27:21.71 on Tue 08/24/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3326.2448 [GMT -7:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\PdaNet for Android\PdaNetPC.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
E:\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\users\jon\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\jon\appdata\roaming\micros~1\windows\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
StartupFolder: c:\users\jon\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\users\jon\appdata\roaming\mozilla\firefox\profiles\op7qy7g8.default\
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\jon\appdata\roaming\mozilla\firefox\profiles\op7qy7g8.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 224240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 30112]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2010-3-25 82360]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-6-29 38976]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-6-14 9472]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-11-11 269824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2010-08-24 03:14:03 0 d-----w- c:\programdata\COMODO
2010-08-24 03:09:48 0 d-----w- c:\program files\COMODO
2010-08-24 03:03:00 0 d-----w- c:\programdata\Comodo Downloader
2010-08-11 13:20:58 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-11 13:20:58 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-11 13:06:24 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 13:06:22 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-11 13:04:32 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-11 13:04:27 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 13:03:39 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 13:03:39 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 04:10:42 0 d-----w- c:\program files\Trend Micro
2010-08-11 03:53:26 74261 ----a-w- c:\programdata\nvModes.dat
2010-08-11 03:53:24 0 d-----w- c:\users\jon\appdata\roaming\Locktime
2010-08-11 03:50:20 0 d-----w- c:\programdata\Locktime
2010-08-11 03:50:18 0 d-----w- c:\program files\NetLimiter 2 Monitor
2010-08-11 03:37:18 0 d-----w- c:\programdata\NVIDIA Corporation
2010-08-11 03:36:54 0 d-----w- c:\program files\NVIDIA Corporation
2010-07-28 01:27:06 0 d-----w- c:\program files\StarCraft II
==================== Find3M ====================
2010-08-24 22:27:31 823808 ----a-w- c:\windows\system32\drivers\wxhotx.sys
2010-08-24 03:10:32 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-24 03:10:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-08-24 03:10:25 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-09 23:37:10 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-07-09 23:37:10 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 23:37:10 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 23:37:10 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 23:37:10 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 20:46:46 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-06-29 19:35:05 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2010-06-28 16:17:26 833024 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-11 15:31:42 274432 ----a-w- c:\windows\system32\schannel.dll
2010-06-02 02:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2010-05-27 19:16:09 81920 ----a-w- c:\windows\system32\iccvid.dll
2008-11-15 14:50:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 15:29:00.55 ===============
C:\Users\Jon>tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 472 N/A
csrss.exe 540 N/A
wininit.exe 600 N/A
csrss.exe 608 N/A
services.exe 648 N/A
winlogon.exe 672 N/A
lsass.exe 696 SamSs
lsm.exe 704 N/A
svchost.exe 860 DcomLaunch, PlugPlay
nvvsvc.exe 904 nvsvc
svchost.exe 932 RpcSs
cmdagent.exe 996 cmdAgent
svchost.exe 1080 CryptSvc, Dnscache, NlaSvc, TapiSrv,
TermService
svchost.exe 1096 WinDefend
svchost.exe 1216 Audiosrv, Dhcp, Eventlog, lmhosts
svchost.exe 1244 AudioEndpointBuilder, EMDMgmt, hidserv,
Netman, PcaSvc, SysMain,
TabletInputService, TrkWks, UxSms,
WdiSystemHost, WPDBusEnum, wudfsvc
svchost.exe 1256 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
RasMan, Schedule, seclogon, SENS,
ShellHWDetection, Themes, Winmgmt
audiodg.exe 1320 N/A
SLsvc.exe 1364 slsvc
svchost.exe 1424 EventSystem, fdPHost, FDResPub,
LanmanWorkstation, netprofm, nsi, SSDPSRV,
SstpSvc, upnphost, W32Time, WebClient
nvvsvc.exe 1472 N/A
spoolsv.exe 1768 Spooler
svchost.exe 1800 BFE, DPS, MpsSvc
taskeng.exe 304 N/A
taskeng.exe 1308 N/A
dwm.exe 1352 N/A
explorer.exe 1896 N/A
MSASCui.exe 2064 N/A
VDeck.exe 2072 N/A
jusched.exe 2116 N/A
reader_sl.exe 2124 N/A
AdobeARM.exe 2132 N/A
networx.exe 2140 N/A
cfp.exe 2168 N/A
sidebar.exe 2184 N/A
TeaTimer.exe 2204 N/A
ONENOTEM.EXE 2248 N/A
PdaNetPC.exe 2260 N/A
SPUVolumeWatcher.exe 2276 N/A
nlsvc.exe 3028 N/A
NLClient.exe 3304 N/A
PnkBstrA.exe 3736 PnkBstrA
svchost.exe 3752 PolicyAgent
nvSCPAPISvr.exe 3772 Stereo Service
svchost.exe 3820 stisvc
svchost.exe 3852 WerSvc
SearchIndexer.exe 3916 WSearch
WUDFHost.exe 4012 N/A
cmd.exe 3288 N/A
tasklist.exe 3692 N/A
WmiPrvSE.exe 3700 N/A
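The tasklist /svc listing above is what lets a shared svchost.exe connection be narrowed down to the service group it hosts. As an added example that is not part of the post, the following Python script parses `tasklist /svc` output (including the wrapped continuation lines seen in the listing) and joins it with `netstat -ano` output by PID, flagging connections whose remote endpoint is outside loopback, link-local and RFC 1918 space. The tasklist excerpt is taken from the post's own listing; the netstat lines, the addresses in them and the `<unknown>` placeholder for PIDs missing from the excerpt are constructed for the example.

```python
"""Attribute network connections to the Windows services that own them.

Joins `tasklist /svc` (PID -> hosted services) with `netstat -ano`
(connection -> PID), so that traffic from a generic svchost.exe can be
tied to the specific service group running inside that instance.
"""
import ipaddress
import re
from collections import defaultdict

# Excerpt of the post's `tasklist /svc` output (constructed sample, in the
# original column layout). Long service lists wrap onto continuation lines
# that begin with whitespace, which is the parsing edge case handled below.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   648 N/A
svchost.exe                   1080 CryptSvc, Dnscache, NlaSvc, TapiSrv,
                                   TermService
svchost.exe                   1256 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt
svchost.exe                   1800 BFE, DPS, MpsSvc
"""

# Constructed `netstat -ano` sample; addresses are documentation ranges.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49153     203.0.113.77:80        ESTABLISHED     1256
  TCP    192.168.1.10:49160     198.51.100.5:443       ESTABLISHED     1080
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       3028
  UDP    0.0.0.0:68             *:*                                    1216
"""

_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])} from `tasklist /svc` output."""
    entries, current = {}, None
    skip = re.compile(r"^(Image Name|=+)")
    for raw in text.splitlines():
        if not raw.strip() or skip.match(raw):
            continue
        if raw[0].isspace() and current is not None:
            # Wrapped continuation of the previous process's service list.
            entries[current][1].extend(s.strip() for s in raw.split(",") if s.strip())
            continue
        # Image names may contain spaces, so anchor the split on the PID column.
        m = re.match(r"^(.*?)\s+(\d+)\s+(.*)$", raw)
        if not m:
            continue
        image, pid, services = m.group(1), int(m.group(2)), m.group(3).strip()
        svcs = [] if services == "N/A" else [s.strip() for s in services.split(",") if s.strip()]
        entries[pid] = (image, svcs)
        current = pid
    return entries


def parse_netstat_ano(text):
    """Return a list of connection dicts from `netstat -ano` output."""
    conns = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows carry no State column, so the PID is always the last field.
        state = parts[3] if parts[0] == "TCP" else ""
        conns.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                      "state": state, "pid": int(parts[-1])})
    return conns


def is_external(addr):
    """True when the remote endpoint is neither loopback, link-local,
    multicast, unspecified nor in an RFC 1918 range. Wildcards/hostnames
    cannot be classified and count as not external."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
        return False
    return not any(ip in net for net in _LOCAL_NETS)


def attribute_connections(tasklist_text, netstat_text):
    """Join each connection to its owning image and hosted services."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for c in parse_netstat_ano(netstat_text):
        image, services = procs.get(c["pid"], ("<unknown>", []))
        rows.append({**c, "image": image, "services": services,
                     "external": is_external(c["remote"])})
    return sorted(rows, key=lambda r: r["pid"])


def external_by_service_group(tasklist_text, netstat_text):
    """Count external connections per service group (or per image when the
    process hosts no services). This narrows a shared svchost.exe to the set
    of services inside that instance; it cannot isolate a single service."""
    counts = defaultdict(int)
    for r in attribute_connections(tasklist_text, netstat_text):
        if r["external"]:
            counts[tuple(r["services"]) or (r["image"],)] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in attribute_connections(TASKLIST_SAMPLE, NETSTAT_SAMPLE):
        flag = "EXTERNAL" if r["external"] else "local"
        print(f"{r['proto']:<4} {r['local']:<22} -> {r['remote']:<18} {r['state']:<12} "
              f"pid={r['pid']:<5} {r['image']:<14} [{flag}] {', '.join(r['services']) or '-'}")
```

On the real machine the inputs come from `tasklist /svc > tl.txt` and `netstat -ano > ns.txt`; the join only narrows the suspect set to a service group, so the usual next step is to look at that group's services one by one.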
2010-08-11 03:50:20 0 d-----w- c:\programdata\Locktime
2010-08-11 03:50:18 0 d-----w- c:\program files\NetLimiter 2 Monitor
2010-08-11 03:37:18 0 d-----w- c:\programdata\NVIDIA Corporation
2010-08-11 03:36:54 0 d-----w- c:\program files\NVIDIA Corporation
2010-07-28 01:27:06 0 d-----w- c:\program files\StarCraft II
==================== Find3M ====================
2010-08-24 22:27:31 823808 ----a-w- c:\windows\system32\drivers\wxhotx.sys
2010-08-24 03:10:32 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-24 03:10:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-08-24 03:10:25 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-09 23:37:10 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-07-09 23:37:10 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 23:37:10 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 23:37:10 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 23:37:10 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 20:46:46 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-06-29 19:35:05 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2010-06-28 16:17:26 833024 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-11 15:31:42 274432 ----a-w- c:\windows\system32\schannel.dll
2010-06-02 02:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2010-05-27 19:16:09 81920 ----a-w- c:\windows\system32\iccvid.dll
2008-11-15 14:50:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 15:29:00.55 ===============
C:\Users\Jon>tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 472 N/A
csrss.exe 540 N/A
wininit.exe 600 N/A
csrss.exe 608 N/A
services.exe 648 N/A
winlogon.exe 672 N/A
lsass.exe 696 SamSs
lsm.exe 704 N/A
svchost.exe 860 DcomLaunch, PlugPlay
nvvsvc.exe 904 nvsvc
svchost.exe 932 RpcSs
cmdagent.exe 996 cmdAgent
svchost.exe 1080 CryptSvc, Dnscache, NlaSvc, TapiSrv,
TermService
svchost.exe 1096 WinDefend
svchost.exe 1216 Audiosrv, Dhcp, Eventlog, lmhosts
svchost.exe 1244 AudioEndpointBuilder, EMDMgmt, hidserv,
Netman, PcaSvc, SysMain,
TabletInputService, TrkWks, UxSms,
WdiSystemHost, WPDBusEnum, wudfsvc
svchost.exe 1256 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
RasMan, Schedule, seclogon, SENS,
ShellHWDetection, Themes, Winmgmt
audiodg.exe 1320 N/A
SLsvc.exe 1364 slsvc
svchost.exe 1424 EventSystem, fdPHost, FDResPub,
LanmanWorkstation, netprofm, nsi, SSDPSRV,
SstpSvc, upnphost, W32Time, WebClient
nvvsvc.exe 1472 N/A
spoolsv.exe 1768 Spooler
svchost.exe 1800 BFE, DPS, MpsSvc
taskeng.exe 304 N/A
taskeng.exe 1308 N/A
dwm.exe 1352 N/A
explorer.exe 1896 N/A
MSASCui.exe 2064 N/A
VDeck.exe 2072 N/A
jusched.exe 2116 N/A
reader_sl.exe 2124 N/A
AdobeARM.exe 2132 N/A
networx.exe 2140 N/A
cfp.exe 2168 N/A
sidebar.exe 2184 N/A
TeaTimer.exe 2204 N/A
ONENOTEM.EXE 2248 N/A
PdaNetPC.exe 2260 N/A
SPUVolumeWatcher.exe 2276 N/A
nlsvc.exe 3028 N/A
NLClient.exe 3304 N/A
PnkBstrA.exe 3736 PnkBstrA
svchost.exe 3752 PolicyAgent
nvSCPAPISvr.exe 3772 Stereo Service
svchost.exe 3820 stisvc
svchost.exe 3852 WerSvc
SearchIndexer.exe 3916 WSearch
WUDFHost.exe 4012 N/A
cmd.exe 3288 N/A
tasklist.exe 3692 N/A
WmiPrvSE.exe 3700 N/A