Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Slow internet but no obvious virus/trojan signs


  • This topic is locked This topic is locked
32 replies to this topic

#1 IrishStevo

IrishStevo

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 11 January 2009 - 10:23 AM

Hey folks,

One of two computers I have connected to the internet via a router has been suffering from slow internet access for the last couple of months. I've got a 1MB connection, which should give me download speeds of about 120KB/s but on this computer it rarely gets above 30-40KB/s. For example, if I'm downloading a file on this computer at 30-40KB/s and switch to my other computer and download the same file it downloads at 120KB/s.

Over the last couple of weeks I have also replaced the router I use and the same problem exists, so I'm convinced it's something specific to this one computer. Not long before this started happening I did pick up a virus/trojan, so I'm starting to think it's related to that. However, I've done virus checks with my AV (AVG Free) and various spyware scans (Ad-Aware and Spybot) and cleaned it all up, and also installed XP SP3 to make sure Windows is up to date but the problem still persists.

It happens in both IE7 and Firefox 3, so doesn't seem to be browser specific. Also, I have Sygate Personal Firewall installed that allows me to see internet activity and there is no other traffic slowing it down. It just seems to be capping my download speeds at 30-40KB/s. Other than this problem the rest of my computer seems fine - Windows isn't slow and boots up quickly, I don't have any popups or anything else that signifies a virus/trojan.

Any help in either finding or ruling out a virus/trojan would be much appreciated. Below is my DDS log.

Cheers,

Steve

-----------------------------------

DDS (Ver_09-01-07.01) - NTFSx86
Run by Steve at 15:06:40.40 on 11/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1380 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\WinVNC.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DivX\DivX Connected\Bin\DivX Connected\DivXConnected.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DivX\DivX Connected\Bin\DivX Connected\DivXConnectedMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/Steve/My%20Documents/links.html
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DivX Connected] "c:\program files\divx\divx connected\bin\divx connected\DivXConnected.exe" /tray
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] nwiz.exe /install
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {437F7F6F-FFCC-47e1-8A4B-C992493CF6C3} - c:\microgaming\poker\32redmpp\MPPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\lzluekuq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Steve/My%20Documents/links.html
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\lzluekuq.default\extensions\{ca8b7b3d-b6e6-438f-b935-601b3de48d66}\platform\winnt_x86-msvc\components\FFThrottle.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-31 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-19 26824]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-31 76040]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 cmuda2;C-Media USB Audio Interface;c:\windows\system32\drivers\cmuda2.sys --> c:\windows\system32\drivers\cmuda2.sys [?]
S4 gupdate1c8c36ede6e9821;Google Update Service (gupdate1c8c36ede6e9821);c:\program files\google\update\GoogleUpdate.exe [2008-12-18 133104]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-12-2 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-12-2 51840]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-01-11 14:27 2,213,033 a------- c:\temp\AuctioneerSuite-5.1.3715.zip
2009-01-11 13:17 <DIR> --d----- c:\windows\system32\scripting
2009-01-11 13:17 <DIR> --d----- c:\windows\l2schemas
2009-01-11 13:17 <DIR> --d----- c:\windows\system32\en
2009-01-11 13:17 <DIR> --d----- c:\windows\system32\bits
2009-01-11 13:14 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-11 13:02 368,922 a------- c:\temp\dds.scr
2009-01-11 12:04 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-11 12:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-11 11:42 <DIR> --d----- c:\program files\Trend Micro
2009-01-11 11:41 15,083,520 a------- c:\temp\spybotsd160.exe
2009-01-11 11:40 812,344 a------- c:\temp\HJTInstall.exe
2009-01-11 11:34 201,030 a------- c:\temp\lspfix.zip
2009-01-07 17:32 <DIR> --d----- c:\temp\fishping
2009-01-04 17:38 14,568 a------- c:\windows\system32\drivers\wg6n.sys
2009-01-04 17:38 14,568 a------- c:\windows\system32\drivers\wg5n.sys
2009-01-04 17:38 14,568 a------- c:\windows\system32\drivers\wg4n.sys
2009-01-04 17:38 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-01-04 17:38 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-01-04 17:38 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-01-04 17:38 83,096 a------- c:\windows\system32\SSSensor.dll
2009-01-04 17:38 <DIR> --d----- c:\program files\Sygate
2009-01-04 12:28 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-04 12:27 <DIR> --d----- c:\windows\Internet Logs
2009-01-04 12:10 267,152 a------- c:\temp\zaSetup_en.exe
2008-12-18 13:13 <DIR> --d----- c:\windows\pss
2008-12-17 21:08 <DIR> --d----- c:\program files\CCleaner
2008-12-17 21:08 2,934,168 a------- c:\temp\ccsetup212.exe
2008-12-12 20:20 <DIR> --d----- c:\temp\netstat
2008-12-12 20:18 57,843 a------- c:\temp\fport.zip

==================== Find3M ====================

2009-01-11 13:20 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-28 22:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2007-12-26 21:27 22,328 a------- c:\docume~1\steve\applic~1\PnkBstrK.sys
2008-10-02 00:04 163 a--sh--- c:\windows\system32\2628468996.dat

============= FINISH: 15:07:11.56 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:13 PM

Posted 25 January 2009 - 03:11 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. I appologize for the delay in getting you help.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform FULL Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

It has been a while since you posted your log, if you still want help could you please post a new one?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#3 IrishStevo

IrishStevo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 26 January 2009 - 02:29 PM

Hey Hoov,

Thanks for helping me out! :-)

*Tell me everything that you have done, if anything, to try and fix this problem.

I have tried full scans with my virus checker, AVG Free, and spyware scans with both Ad-Aware and Spybot. As far as I can see my system appears to be free of viruses and trojans.


Malwarebytes Anti-Malware found a bad registry setting and a suspicious file. Both were removed successfully but the problem persists, even after a reboot.

Below are the logs from Malwarebytes Anti-Malware and DDS. I have attached the attach file from DDS as well.

Cheers,

Steve

---------------

Malwarebytes' Anti-Malware 1.33
Database version: 1696
Windows 5.1.2600 Service Pack 3

26/01/2009 19:11:17
mbam-log-2009-01-26 (19-11-17).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|)
Objects scanned: 234147
Time elapsed: 1 hour(s), 22 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Temp\services.htm (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

---------------


DDS (Ver_09-01-07.01) - NTFSx86
Run by Steve at 19:18:32.64 on 26/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1376 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\WinVNC.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DivX\DivX Connected\Bin\DivX Connected\DivXConnected.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DivX\DivX Connected\Bin\DivX Connected\DivXConnectedMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/Steve/My%20Documents/links.html
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DivX Connected] "c:\program files\divx\divx connected\bin\divx connected\DivXConnected.exe" /tray
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] nwiz.exe /install
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {437F7F6F-FFCC-47e1-8A4B-C992493CF6C3} - c:\microgaming\poker\32redmpp\MPPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\lzluekuq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Steve/My%20Documents/links.html
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-31 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-19 26824]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-31 76040]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 cmuda2;C-Media USB Audio Interface;c:\windows\system32\drivers\cmuda2.sys --> c:\windows\system32\drivers\cmuda2.sys [?]
S4 gupdate1c8c36ede6e9821;Google Update Service (gupdate1c8c36ede6e9821);c:\program files\google\update\GoogleUpdate.exe [2008-12-18 133104]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-12-2 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-12-2 51840]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-11 13:20 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-28 22:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 a------- c:\windows\system32\DivX.dll
2007-12-26 21:27 22,328 a------- c:\docume~1\steve\applic~1\PnkBstrK.sys
2008-10-02 00:04 163 a--sh--- c:\windows\system32\2628468996.dat

============= FINISH: 19:19:37.20 ===============

Attached Files



#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:13 PM

Posted 26 January 2009 - 05:37 PM

Question, is the TightVNC installed by you? It could be eating up some of your pipe if you let it run even when not in use.

That said, lets try the easy fix first.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 IrishStevo

IrishStevo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 26 January 2009 - 06:23 PM

Question, is the TightVNC installed by you? It could be eating up some of your pipe if you let it run even when not in use.

I don't think it's TightVNC causing the problem. It's not using any bandwidth according to Sygate Personal Firewall that I have installed. I also have it installed on my other PC and it doesn't seem to affect that. However, I'd be glad to uninstall it if that helps the diagnosis.

I've installed CCleaner, run it as described and rebooted but it hasn't helped.

By the way, I'm on GMT time so will be logging for the night soon. I'll pick this up again tomorrow.

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:13 PM

Posted 26 January 2009 - 09:26 PM

on both computers right click on the network icon in the system tray and select properties, and tell me what the connection speed is of the good computer and of the problem child.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#7 IrishStevo

IrishStevo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 January 2009 - 05:19 AM

On the good computer it's: 100.0 Mbps
On the bad computer it's also: 100.0 Mbps

#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:13 PM

Posted 27 January 2009 - 05:26 AM

OK. I am not familiar with the Sygate firewall but you mention being able to tell how much bandwidth is being used with it. When its sitting static, hoe much bandwidth is being used?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#9 IrishStevo

IrishStevo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 January 2009 - 05:43 AM

When I'm not doing anything on the computer it's reporting zero bandwidth usage, either up or down. When I'm browsing the maximum it ever reaches is about 30-40KB/s. On the good computer it's also zero bandwidth when I'm not doing anything but easily reaches 120KB/s when I'm browsing.

#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:13 PM

Posted 27 January 2009 - 10:53 AM

Question, did the computer crash or freeze just before this started?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#11 IrishStevo

IrishStevo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 January 2009 - 11:09 AM

To be honest I'm not sure. I don't think so. I can't remember it crashing or freezing in a very long time but that could just be my memory failing me :thumbsup:

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:13 PM

Posted 27 January 2009 - 11:26 AM

Try running winsockXPfix It resets the Winsock settings. You said the problem happened after removing a virus, and sometimes the removal can break things. Run it, and at the first popup click fix, then the second windows click yes, and when that's done it will ask about a reboot, click the reboot button. Once it has rebooted, try out the connection and see if it has improved at all.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#13 IrishStevo

IrishStevo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 January 2009 - 11:43 AM

I really thought that might be it but unfortunately nope. It hasn't made any difference.

#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:13 PM

Posted 27 January 2009 - 11:57 AM

OK, try going to http://www.dslreports.com/tweaks and running the test, it's a java applet. (don't do anything while the test is running) and then click results. Answer the couple questions there. Then when the results popup down at the bottom of the page you will get a URL pointing to the results. Post that URL up so I can get a look at the results.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#15 IrishStevo

IrishStevo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 27 January 2009 - 12:36 PM

I wasn't able to get it to finish at all on the bad computer. At first it was timing out when it tried to start to download the file. I had to uninstall Sygate Personal Firewall to stop it timing out. However, now it seems to start the download (I can see packets being sent and received in the LAN connection status window) but after a few seconds it just stops completely.

I thought it might be the firewall on my router causing the problem but I tried it on my good computer and it worked fine.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users