videobruce, posted October 16, 2003

After a few minutes without a browser running, using DU Meter as an in/out monitor, I'm getting a massive (for an analog connection) upload of unknown data to an unknown destination by an unknown process.

I have:
- Done a virus scan (though not up to date definitions)
- Used AdAware V6 and SpyBot V1.2
- Checked processes running

I am running 2k w/sp3. The laptop was upgraded with Idiot Exploiter 6 from M$'s site (this isn't my laptop BTW). Before, the dialer was starting by itself; now it seems ok, but not sure yet. The laptop freezes where only a reboot solves the condition (no browser running the last time). The IE update was the last upgrade/change AFAIK.

It is almost as if this machine was doing a DOS attack to another site by uploading massive amounts of data somewhere.

Sampson, posted October 16, 2003

It sounds a lot like the Opaserv virus. Check to see if there are any of these files: ALEVIR.EXE, BRASIL.EXE, BRASIL.PIF, SCRSVR.EXE or MARCO!.SCR on the hard drive.

There is also another Trojan called Q-Hosts. See if the hosts file occurs more than once.

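A scripted form of the check suggested in the post above, added here as an example and not posted by anyone in the thread. The function names `scan_tree` and `report` and the default scan root are assumptions; matching is by file name only, using the names given in the post.

```python
import os
import sys

# File names listed in the post above. Compared in lower case because
# Windows file systems do not distinguish case.
SUSPECT_NAMES = {"alevir.exe", "brasil.exe", "brasil.pif", "scrsvr.exe", "marco!.scr"}


def scan_tree(root):
    """Walk root; return (suspect file paths, paths of every file named 'hosts')."""
    suspects, hosts_files = [], []

    def on_error(err):
        # Report unreadable directories instead of skipping them silently.
        print(f"skipped {err.filename}: {err.strerror}", file=sys.stderr)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            lowered = name.lower()
            full = os.path.join(dirpath, name)
            if lowered in SUSPECT_NAMES:
                suspects.append(full)
            elif lowered == "hosts":
                hosts_files.append(full)
    return sorted(suspects), sorted(hosts_files)


def report(root):
    """Return printable findings: every suspect file, plus hosts files if more than one."""
    suspects, hosts_files = scan_tree(root)
    lines = [f"suspect file: {p}" for p in suspects]
    if len(hosts_files) > 1:
        lines.append(f"{len(hosts_files)} hosts files found:")
        lines += [f"  {p}" for p in hosts_files]
    return lines


if __name__ == "__main__":
    # Assumed default root; pass another path as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for line in report(root) or ["nothing matched"]:
        print(line)
```

A name match is only a lead to look at the file; a copy under a different name will not be listed.
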
videobruce, posted October 16, 2003

All came up negative. Tried to install Zone Alarm, but I get a KMODE exception when I try to run it. I guess there are problems with display drivers and this is a laptop with no updated driver. I even turned the acceleration down all the way and I still get a BSOD.

Sampson, posted October 17, 2003

There was a virus that did this same kind of thing called the Backdoor.NTHack virus. Norton's explains it here: http://www.symantec.com/avcenter/venc/data/backdoor.nthack.html

videobruce, posted October 17, 2003

To make a short story long, it appears to be a worm: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.A

Problem is I can't install that M$ patch because the install I did is a slipstreamed SP3 burned CD, and on top of that I also do a 'LittleWhiteDog NTOSKRNL mod' using Resource Hacker to change that damn M$ splash screen. I get an error when I try to install that patch stating I need something newer than SP2. I already have SP3 installed.

Not to stop there, since I didn't know what was doing this and thought it was the dialup adapter, I connected the laptop to my network so I could d/l an updated virus package from TrendMicro (which I did). After running the updated virus definitions, that NACHI.A worm showed up. I had my main box on also and that got affected also! NACHI.A just did my machine.

I did a manual remove on both machines and it seems to be gone. Too early to tell yet. I don't know where he got it from.

jmmijo, posted October 19, 2003

Quote: {snip} I did a manual remove on both machines and it seems to be gone. Too early to tell yet. I don't know where he got it from.

Is there any P2P app installed on the machine, or some extra .SCR files, say from a news group?!?

As for the slipstream install CD, you can update it to SP4 the same way: just create a new slipstreamed CD with SP4 instead, then add the hack back afterwards, unless of course the hack doesn't work with SP4.