Author Topic: All PCs in network lose internet access after I log on to a specific user account  (Read 4491 times)


bill_dwnld

  • Guest
Hello
I have a problem.
I have a wired network with 3 PCs (Win7) and 1 Mac. After I log on to my standard user account on a Win7 PC (not the admin account) my computer starts CONTINUOUSLY SENDING DATA to the internet, and after one or two minutes ALL the PCs on the network (I think the Mac also) LOSE INTERNET ACCESS. If I unplug that particular PC from the router the other PCs immediately get internet access back and continue working normally. If I log off the "infected user account" and log on to the admin account everything works normally. I ran MBAM (full scan) and it found 1 infected file (I don't think this is the problem because I never ran this file); anyway I cleaned the file and restarted the PC as suggested by MBAM, BUT THE PROBLEM REPEATED. I have Avast antivirus; I ran a full system scan but didn't find anything.

I would really appreciate it if you could help me with this.
Below are the requested files ... I ran the programs from the admin account.

Thank you in advance.
Vasilis

bill_dwnld

  • Guest
I forgot the last log
Thanks again

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Uhh,

Hi.

Drive X: | 232.88 Gb Total Space | 232.75 Gb Free Space | 99.95% Space Free | Partition Type: NTFS
Drive Y: | 465.76 Gb Total Space | 269.01 Gb Free Space | 57.76% Space Free | Partition Type: NTFS

Are those network drives? Or shared between a Virtual Machine?

Also, a quick look through your OTL scan shows you're using P2P (peer-to-peer) programs. These are dangerous and could likely be your issue.

I've asked a malware remover to help you. Sit tight and disconnect the infected PC from the internet and from all access to other computers (so USB, CD, DVD etc.).
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

bill_dwnld

  • Guest
Both drives are normal hard drives inside the "infected" PC. Neither of them is shared with virtual machines. But to tell you the truth I "feel" that the problems started when I installed a Win7 ISO in a new virtual machine (no shares) or when I installed Genymotion (Android emulator). I installed both of them in the same period.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Could you run the OTL scan on the affected account please, rather than the admin account?

bill_dwnld

  • Guest
I ran the OTL program from the "infected" account. It asked me for admin credentials, so I entered the admin account credentials. After the scan I could not find the EXTRA.txt file. I don't know why.
Below is the OTL.Txt file.
Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
OK, a few questions first :) Are you aware of the following two programmes on the system:

http://www.fieldstonsoftware.com/software/gsyncit3/  this one synchronises all e-mail/calendar/contacts on start
http://render.otoy.com/  this does graphics rendering in the cloud

Also, uTorrent is installed; I do not know whether or not it is used as a node though.


Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..extensions.enabledAddons: gmailthis%40lazyrussian.com:2.3.0

:Files
C:\Users\Bill_U\AppData\Local\temp\_MEI59642

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.


bill_dwnld

  • Guest
Hello again
I know about gsyncit. I use it.
About render.otoy.com, I uninstalled it some time ago. It shouldn't be there (if you saw it anywhere).
I use uTorrent sometimes, but something is happening with the latest installation. I don't understand what ... I installed it, but every time I run it, it seems like it installs itself again.

After I ran the programs the infected account seemed OK until I ran Firefox. Then after 30 sec it started sending data to the internet again. In the Avast statistics screen I saw that my PC communicates with "http://gtssl-ocsp.geotrust.com" and then starts sending data to the internet. I remember that my PC used to continuously bring up a dialog box from Java (or something like that) asking me to accept a certificate that referenced GeoTrust. My other PC is still asking for this approval. I don't remember if on my PC I accepted the offer by mistake after the many times it asked me.

Below are the log files

Thank you

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
OK, a little investigation shows that GeoTrust issues certificates for browsers; the initial connection downloads a very small file which I am unable to interpret. However, it has full permissions.
http://www.geotrust.com/

I would like to use a separate programme to look at Firefox; unfortunately none of my programmes cover all areas.

Meanwhile, could you start Firefox in safe mode https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode#w_how-to-start-firefox-in-safe-mode and let me know if the transmissions continue.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

bill_dwnld

  • Guest
The data transmission takes place even without the browser running. And the bad thing is that now I think this is happening on the admin account also.

Please help

Below is the log file

bill_dwnld

  • Guest
Maybe I was in a hurry to say that the data transmission happens on the admin account also. After 2 min of sending data it now stops. At least it looks like it.

Sorry

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Could you temporarily disable googledrivesync via msconfig, reboot and see if the transmissions stop?

Press the Windows and R keys together and type in msconfig.
Go to the Startup section, remove the tick from googledrivesync and reboot.
Does the traffic start again?

bill_dwnld

  • Guest
The traffic seems to have stopped. I tried to upload some files to Google Drive but for some reason it got blocked and after some minutes disconnected itself (gray icon). I thought I would solve that problem later. Do you think Google Drive is the problem?

bill_dwnld

  • Guest
I tried to upload those files some days ago .... :) (I read my post and it looks like I am saying I tried to upload some files just now.)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Yes, as no malware is apparent. My thoughts are that you are trying to upload a file and for some reason it is getting stuck in a loop. If disabling Google sync stops the network traffic then that would be the logical cause. This can be confirmed if you run msconfig again and place a tick alongside googledrivesync; if after the reboot the network problems reappear then we have the cause.
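The msconfig test above (disable the startup item, reboot, watch the traffic, re-enable it to confirm) can be backed up with an elevated PowerShell session on the affected account. The script below is an added example, not something posted in this thread: it lists autostart entries that apply only to the logged-on account (HKCU) versus every account (HKLM), which is why a per-user entry such as a sync client can make one account misbehave while the admin account looks clean, and then maps established TCP connections to their owning processes using `netstat -ano`, which exists on Windows 7 (Get-NetTCPConnection does not). It assumes Windows 7 or later and administrator rights so that process paths can be resolved.

```powershell
# Added diagnostic (not from the thread): per-user vs machine-wide autostart
# entries, then established TCP connections counted per owning process.
# Assumes an elevated PowerShell session on the affected account.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',  # this account only
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'   # every account
)
foreach ($key in $runKeys) {
    Write-Host "`n== $key =="
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath, PSDrive etc.
            ForEach-Object { Write-Host ("{0,-24} {1}" -f $_.Name, $_.Value) }
    }
}

# Count ESTABLISHED TCP connections per PID from netstat -ano output.
# Expected row shape: "TCP  <local>  <remote>  ESTABLISHED  <pid>"
$byPid = @{}
netstat -ano |
    Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+\s+ESTABLISHED\s+\d+\s*$' } |
    ForEach-Object {
        $ownerPid = [int](($_.Trim() -split '\s+')[-1])
        if ($byPid.ContainsKey($ownerPid)) { $byPid[$ownerPid]++ }
        else { $byPid[$ownerPid] = 1 }
    }

Write-Host "`n== Established TCP connections per process (most first) =="
foreach ($entry in ($byPid.GetEnumerator() | Sort-Object Value -Descending)) {
    $proc  = Get-Process -Id $entry.Key -ErrorAction SilentlyContinue
    $image = '<exited or protected process>'
    if ($proc) {
        # Path is null for some system processes even when elevated; fall back to the name.
        $image = if ($proc.Path) { $proc.Path } else { $proc.ProcessName }
    }
    Write-Host ("{0,5}  PID {1,-6} {2}" -f $entry.Value, $entry.Key, $image)
}
```

Run it once while the traffic is flowing and once after disabling the suspected startup entry; the process that disappears from the connection table is the one to investigate.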