A weird one

]SK[

One of Freddy's beloved
Joined
Dec 22, 2003
Messages
302
One of our customers' PCs is causing their Internet connection to be VERY active. I went round yesterday and performed an online virus scan in safe mode. It picked up 20 infected files, a total of 8 different viruses. Some were cleaned, others were deleted. I went away leaving the machine working. He's rung up this morning to tell me it's started again. I left him doing a scan again for it to finish finding nothing.
The problem is only doing it when he boots up normally. I'm convinced it's a virus. I've tried telnetting to port 25 to make sure he's got no mail server running and it's not that being spammed. I will look later to see what program is trying to access the network. Other than this, is there anything else I can do to see what is happening?
 

]SK[

One of Freddy's beloved
Joined
Dec 22, 2003
Messages
302
I use a program called aports.exe (Active Ports). It tells me what program is running on which port. I'll most likely close each program down one at a time and see if traffic calms down when doing so.
 

]SK[

One of Freddy's beloved
Joined
Dec 22, 2003
Messages
302
Right, I've been using this painfully slow machine and monitoring its activity. At first it wasn't too bad, so I installed some Windows updates. Since then it started being really, really slow and my router has been flashing constantly. So bad I couldn't browse at all on my other PCs. Task Manager shows one process (netclna.exe) to be running at 99%. After closing this the internet was once again usable. After messing about I found this file to be a service. The service is one I've never heard of before and isn't on my XP install. I've disabled it for now and the PC runs a lot better. Ideas on what this is at all? Do you have it?

service.JPG


Description reads:

Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

I've disabled it and the PC doesn't fall over or anything.
 

phlash

Fledgling Freddie
Joined
Dec 24, 2003
Messages
195
Hmm. Is it part of a non-Microsoft network client (Novell?). Does the offending file have any version info?
 

]SK[

One of Freddy's beloved
Joined
Dec 22, 2003
Messages
302
Nope, and neither have a fair few others who have looked. It doesn't exist. No AV scanners think it's dodgy either.
 

sibanac

Fledgling Freddie
Joined
Dec 19, 2003
Messages
824
You might wanna try and do a sniff, to see where it's connecting to and what its destination port is.
 

]SK[

One of Freddy's beloved
Joined
Dec 22, 2003
Messages
302
I found the offending file and just disabled it. I was happy just to fix it rather than investigate further. Blame work for making every job seem as dull as the next.
 

]SK[

One of Freddy's beloved
Joined
Dec 22, 2003
Messages
302
I do not think this is a spyware problem;
C:\WINDOWS\system32\netclna.exe refers to a backdoor virus I recently detected on a laptop of one of our employees. Though we run a real-time virus check, it was not detected. It's very similar to the BOXED virus as reported in the encyclopedia of Symantec and/or TrendMicro. It constantly checks up IP addresses reversively and builds up null sessions like crazy if not blocked by a firewall. It results in a saturated line, which is experienced as not having access to the Internet.
I disabled the automatic system integrity check so that XP does not auto-restore the file. Then delete the file and the registry entry that points to it.
Let's see whether you'll regain access again, and good luck.

Taken from another forum.
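
The behaviour described in the quoted post (one process opening null sessions to many addresses until the line saturates) shows up in `netstat -ano` as a single PID with connections to many distinct hosts on the NetBIOS/SMB ports. The following is an added example, not part of the thread: the sample output, the PIDs and the threshold of 5 hosts are constructed assumptions.

```python
from collections import defaultdict

# Constructed `netstat -ano` output; addresses are documentation ranges and
# the PIDs are made up. PID 1664 stands in for the runaway service.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED     1180
  TCP    192.0.2.10:1043        192.0.2.20:445         ESTABLISHED     4
  TCP    192.0.2.10:1050        203.0.113.1:445        SYN_SENT        1664
  TCP    192.0.2.10:1051        203.0.113.2:445        SYN_SENT        1664
  TCP    192.0.2.10:1052        203.0.113.3:445        SYN_SENT        1664
  TCP    192.0.2.10:1053        203.0.113.4:139        SYN_SENT        1664
  TCP    192.0.2.10:1054        203.0.113.5:445        ESTABLISHED     1664
  TCP    192.0.2.10:1055        203.0.113.6:445        SYN_SENT        1664
  UDP    0.0.0.0:445            *:*                                    4
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP


def smb_fanout(netstat_text):
    """Return {pid: set of distinct remote hosts contacted on SMB ports}."""
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; headers and UDP rows (no State) do not.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _, remote, state, pid = fields
        if state == "LISTENING":
            continue
        host, _, port = remote.rpartition(":")
        if port.isdigit() and int(port) in SMB_PORTS:
            targets[int(pid)].add(host)
    return dict(targets)


def suspects(netstat_text, threshold=5):
    """PIDs talking SMB to at least `threshold` distinct hosts (assumed cut-off)."""
    fanout = smb_fanout(netstat_text)
    return sorted(pid for pid, hosts in fanout.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    print(suspects(SAMPLE))
```

A flagged PID can then be matched to its image name in Task Manager, which is how netclna.exe was singled out earlier in the thread.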
 