
DSL tests ok, cpu speed ok, very slow page loads - all websites. [Moved]


24 replies to this topic

#1 junkcpu

  • Members
  • 11 posts

Posted 15 June 2009 - 09:50 PM

I just posted this in the Windows 2000/ME section by accident.....

From the beginning:

I visited a website that gave me a virus that was picked up by my Avast & Malwarebytes. Both programs deleted the bad files. The next time I started the computer, my internet connection became almost unusable due to its slowness. Scans of the system turned up nothing.

I unplugged the Cat-5 cable from my DSL modem, connected a USB cable to the usb port on the modem, & restarted. My connection was back to normal for a few days, until my wife had some issue & she restarted the computer. After that, I'm back to maddening slowness!

Also, when I do a search on Google, I get redirected when I click on any results to "results.google.com". I also cannot download ANYTHING from Microsoft -- when I try it says "not available on this server"

This has all the makings of a virus, but it's not showing up on anything. I visited Pc Pitstop & paid $30 for Optimizer 3, which did nothing. I just completed a 2+ hour scan in safe mode with Avast, which again turned up nothing. All DSL performance scans turn up normal.

I called Verizon & they used gotoassist to check out my computer. They said my connection is actually quicker than what I am paying for, but you wouldn't know that after counting to 10 slowly before seeing any websites -- including this one.

I downloaded & ran Combofix at the recommendation of someone on another forum, but I had to shut the computer down & lost the results -- I can run again if need be.

Also, after a recent restart, I lost my POP3 settings for Outlook Express mysteriously & was unable to send/receive mail until I re-entered all that information that has been there for years. Now I have lost all my shortcuts next to the start button on the lower toolbar.

Thanks in advance to anyone who can help!

This post has been edited by junkcpu: Today, 10:40 PM


#2 fairjoeblue

  • Members
  • 1,594 posts

Posted 15 June 2009 - 10:27 PM

You may have acquired a "rootkit".
Some are very hard to detect & remove.

Go here,

http://www.pchell.com/support/rootkitremovaltools.shtml

You should be able to find something there to find out if a rootkit is the problem.
OCZ StealthXstream 700W,Gigabyte GA-EP45-UD3R , E8500, Arctic Freezer Pro 7, 3GB G.Skill PC8500,Gigabyte Radeon HD 4850 OC [1GB ], Seagate 250GB SATA II X2 in RAID 0, Samsung SATA DVD burner.

#3 junkcpu

  • Topic Starter
  • Members
  • 11 posts

Posted 16 June 2009 - 11:14 AM

Just ran GMER & it found a few things -- not sure what to do with this info:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 12:13:17
Windows 5.1.2600 Service Pack 3


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\USB_RNDIS_XP \Device\{FD5730A6-B8E6-4875-B5B0-6F27CB13925A} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xADA786B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xADA78574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xADA78A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xADA7814C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xADA7864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xADA7808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xADA780F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xADA7876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xADA7872E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xADA788AE]

---- EOF - GMER 1.0.15 ----

#4 Alex_Computer

  • Banned
  • 107 posts

Posted 17 June 2009 - 08:00 PM

Some things might show up in the GMER scan even if there are not rootkits present. Please try running the Kaspersky Online Scanner, as Kaspersky products have excellent detection ratings. Here is how:

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


1. Open the Kaspersky WebScanner page. http://www.kaspersky.com/virusscanner
2. Click on the button on the main page.
3. The program will launch and fill in the Information section on the left.
4. Read the "Requirements and Limitations" then press the accept button.
5. The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
6. Once the files have been downloaded, click on the settings button.
7. In the scan settings make sure the following are selected:
  • Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
  • Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
8. By default the above items should already be checked.
9. Click the Save button, if you made any changes.
10. Now under the Scan section on the left: Select My Computer
11. The program will now start and scan your system. This will run for a while, be patient and let it finish.
12. Once the scan is complete, click on View scan report
13. Now, click on the Save Report as button.
14. Save the file to your desktop.
15. Copy and paste that information in your next post.

Refer to this animation: http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif if needed

Edited by Alex_Computer, 17 June 2009 - 08:03 PM.


#5 junkcpu

  • Topic Starter
  • Members
  • 11 posts

Posted 18 June 2009 - 09:17 AM

Looks like I've got a pretty smart virus -- I tried to run that, but it kept failing to update.

Out of desperation, I just wasted $100 at Plumchoice online repair -- they couldn't do a thing. Guy was telling me it's my connection -- WHAT A WASTE OF MONEY!! I'd have been better off stuffing $100 in my disc drive & setting the unit on fire!

This is looking hopeless. Might have to cut my losses & wipe the disks... :thumbsup:

#6 hamluis

  • Moderator
  • 55,248 posts

Posted 18 June 2009 - 09:50 AM

I guess that I have to ask the obvious...why didn't you try BleepingComputer.com - Am I infected What do I do - http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/ , rather than the XP Forum?

Since it seems...from your initial post...that all your problems began with what was interpreted as malware?

Just idle curiosity, does not require an answer.

Louis

#7 Alex_Computer

  • Banned
  • 107 posts

Posted 18 June 2009 - 10:11 AM

1. Try the Conficker check here: http://www.confickerworkinggroup.org/infec...cfeyechart.html. Then let me know what that result is.

Then

2. Run the Kaspersky Virus Removal Tool. This is the offline version of the scanner so it does not require updating. Here is the direct link to it. Please download and run: http://downloads5.kaspersky-labs.com/devbu....2009_08-52.exe.

You can get help on running it here: http://www.myantispyware.com/2009/03/26/ho...s-removal-tool/.

Let us know of the results of both of those steps!

#8 junkcpu

  • Topic Starter
  • Members
  • 11 posts

Posted 18 June 2009 - 10:31 AM

On the eyechart, the top middle pic was blank for 10 seconds, then appeared. I closed the window, then went back & all 6 were there & visible.

I just clicked that direct link to the Kaspersky, & after almost 1 solid minute, it says "The connection to the server was reset while the page was loading". Can't get there.

Then I clicked on your last link, which worked -- but when I clicked on the Cyber defender anti-spyware download at top of page, I got a re-direct to hxxp://results.googleadservices.com/

Edited by Orange Blossom, 11 February 2013 - 05:22 AM.
Deactivated link. ~ OB


#9 Alex_Computer

  • Banned
  • 107 posts

Posted 18 June 2009 - 10:39 AM

Ok, please give me a few minutes while I am making an alternative download site for the Kaspersky file. I will post back when it's up.

#10 Alex_Computer

  • Banned
  • 107 posts

Posted 18 June 2009 - 11:28 AM

Ok, it's up. Please download from here: http://cid-d99d8881313b6ab3.skydrive.live....oval%20Tool.exe.

Please let me know of the results.

#11 junkcpu

  • Topic Starter
  • Members
  • 11 posts

Posted 18 June 2009 - 11:56 AM

When I tried to download it, this is what I got: "Firefox can't establish a connection to the server at xrsbqa.bay.livefilestore.com."


I need to take a breather before I get the torch & gasoline out ...........


Thanks for the help. I appreciate your efforts.

#12 Alex_Computer

  • Banned
  • 107 posts

Posted 18 June 2009 - 12:01 PM

I understand your frustration. Make sure you update Malwarebytes, run a quick scan, and post a fresh log. Thanks

#13 junkcpu

  • Topic Starter
  • Members
  • 11 posts

Posted 18 June 2009 - 03:20 PM

Ok, just did a Malwarebytes scan & it turned up 2 trojans! I was unable to update Malwarebytes too.

Here's the log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/18/2009 4:07:25 PM
mbam-log-2009-06-18 (16-07-25).txt

Scan type: Quick Scan
Objects scanned: 83652
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ee4bd774-d051-4286-8d95-2bdba4059d4c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.59 85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee4bd774-d051-4286-8d95-2bdba4059d4c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.59 85.255.112.120 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 Alex_Computer

  • Banned
  • 107 posts

Posted 18 June 2009 - 03:25 PM

Now please run a Malwarebytes full scan. Try to update once more, but if it doesn't update, just run the full scan anyway.

#15 junkcpu

  • Topic Starter
  • Members
  • 11 posts

Posted 18 June 2009 - 04:51 PM

Still unable to update -- getting "error 732(0,0)".

Every time I scan, it's finding these trojans........and the second I hit "fix selected items", my computer shuts down & restarts without any prompts or warnings.

Here's the full scan:



Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/18/2009 5:40:56 PM
mbam-log-2009-06-18 (17-40-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 161500
Time elapsed: 50 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee4bd774-d051-4286-8d95-2bdba4059d4c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.59 85.255.112.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ee4bd774-d051-4286-8d95-2bdba4059d4c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.59 85.255.112.120 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
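
The two logs above list the same NameServer data again after the earlier scan reported it as removed. As an added example (not part of the thread and not Malwarebytes code), this Python code parses such lines from successive scan logs and returns the values that came back after a reported removal; the sample logs, interface GUID and addresses are constructed placeholders.

```python
import re

# Constructed sample logs in the line layout shown in the thread. The GUID is
# a placeholder and the addresses are documentation-range (RFC 5737) values.
SCAN_1 = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}\NameServer (Trojan.DNSChanger) -> Data: 192.0.2.59 192.0.2.120 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}\NameServer (Trojan.DNSChanger) -> Data: 192.0.2.59 192.0.2.120 -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}\NameServer (Trojan.DNSChanger) -> Data: 192.0.2.59 192.0.2.120 -> Quarantined and deleted successfully.
"""

FINDING = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cset>[^\\]+)\\Services\\Tcpip\\Parameters"
    r"\\Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\})\\NameServer"
    r" \((?P<label>[^)]+)\) -> Data: (?P<data>.*?) -> (?P<action>.+)$"
)

def parse_findings(log_text):
    """Return one dict per per-interface NameServer finding in a scan log."""
    findings = []
    for line in log_text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            findings.append({
                "control_set": m["cset"],
                "interface": m["iface"].lower(),
                # NameServer data may be space- or comma-separated
                "servers": tuple(re.split(r"[,\s]+", m["data"].strip())),
                "removed": "deleted successfully" in m["action"],
            })
    return findings

def recurring(scans):
    """Values a scan reported as removed that a later scan found again.

    scans: log texts in chronological order. CurrentControlSet is an alias
    for one of the numbered control sets, so findings are keyed on
    (interface, servers) and the control set name is ignored.
    """
    removed, back = set(), set()
    for log_text in scans:
        found = parse_findings(log_text)
        back |= {(f["interface"], f["servers"]) for f in found} & removed
        removed |= {(f["interface"], f["servers"]) for f in found if f["removed"]}
    return sorted(back)

if __name__ == "__main__":
    print(recurring([SCAN_1, SCAN_2]))
```

A value that comes back after a reported removal indicates that something is still rewriting the setting, which deleting the registry value alone does not address.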



