Internet VERY slow


This topic is locked.
23 replies to this topic

#1 honda2nr (Members, 115 posts)

Posted 12 June 2004 - 12:48 PM

I had a few viruses earlier that you guys were able to clear up for me and I appreciate that. However, now my internet from page to page is extremely slow. Seems like I'm back to 56k slow. I'm running cable and it has NEVER gone this slow before. If you could help in any way I appreciate it. I'm not sure this is needed but I will post a HijackThis log anyway.



Logfile of HijackThis v1.97.7
Scan saved at 1:48:35 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\recover.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\mscmgr.exe
O4 - HKLM\..\Run: [mmsys] C:\recover.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


#2 Papakid, Guru at being a Newbie (Malware Response Team, 6,649 posts)

Posted 12 June 2004 - 05:19 PM

Hello honda2nr,
Based on your other thread, found here:
http://www.bleepingcomputer.com/forums/ind...owtopic=401&hl=
I want to try something. We may have missed this before.

Step 1. Download DLLFix from one of the following links. Save it to a folder on your root drive, which is C:\ for most people:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix, open the folder and double-click on start.bat

Step 5. Run Option 1 by pressing 1 on the keyboard, then Enter. The program will now start searching.

Step 6. Once the search is complete a text file should open with the name Output.txt. Copy and Paste the contents of this text file to your next reply to this post.

The thing about people

is they change

when they walk away.--Mipso


#3 honda2nr, Topic Starter (Members, 115 posts)

Posted 12 June 2004 - 09:52 PM

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sat 06/12/2004
10:50 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HP_PAVILION" (6C44:B700) - FS:NTFS clusters:4k
Total: 114 054 631 424 [106G] - Free: 82 683 662 336 [77G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q837009;Q832894;Q831167;



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.


Scanning for main Hijacker:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{63B95211-7D77-11D2-9F80-00104B107C96}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

#4 Papakid, Guru at being a Newbie (Malware Response Team, 6,649 posts)

Posted 13 June 2004 - 11:03 AM

OK, good, the about:blank business isn't there.

You have a file I can't find any information on:
C:\recover.exe

Navigate to the root folder in Safe Mode by double-clicking your hard drive icon in My Computer. Find recover.exe, right-click and choose Properties. Post back any information that's there, especially the creation date. If this is a file that you know what it does and it has been there for a while, ignore any following instructions regarding it.

Now please do this:
First, you need to move HijackThis into its own permanent folder. This is important.
Please follow THESE INSTRUCTIONS.
At the very least you want to make a folder on your desktop and move HT into it so the backups it makes won't be scattered all over your wallpaper.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows


Scan again with HijackThis. Close all other windows, put a checkmark by these entries, double-checking to be sure that only these entries are checked & then click the "Fix checked" button.


O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [mmsys] C:\recover.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe


Not sure what these two are, but you can safely fix them since they will be downloaded again the next time you visit that webpage. If it's something you use, leave it.

O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab


Reboot your computer into Safe Mode and delete this file if it exists:

C:\Program Files\Q330994.exe

Then go to Control Panel and Open Internet Options>General tab>Settings>View Objects. Look for a file that corresponds to this:
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

Right-click on it, choose Properties and check the CLSID number. Then close Properties, right-click the file again and choose Remove.

Now right-click the Task Bar and choose Task Manager. Find recover.exe in the Processes tab, highlight it, then choose End Task. Then navigate to C:\ and right-click on the file and select "Send To" and "Compressed (zipped) Folder". Right-click on the zipped file and select "Explore". In "File" select "Add a Password". Type in "infected" and confirm the password.

Reboot into normal mode, scan again with HijackThis and post another log, please.



#5 honda2nr, Topic Starter (Members, 115 posts)

Posted 13 June 2004 - 02:05 PM

Did as you asked. When I zipped the recover file, am I supposed to delete the original or no? I have the zipped recover and then recover with the little program screen thing. Thanks for the help, here's the new log. Still running slow.

Logfile of HijackThis v1.97.7
Scan saved at 3:03:37 PM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\mscmgr.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

#6 Papakid, Guru at being a Newbie (Malware Response Team, 6,649 posts)

Posted 13 June 2004 - 02:56 PM

Yeah, go ahead and delete that file. Leave it in the Recycle Bin for now and if you suffer any ill effects from its deletion you can restore it.

Send the zipped file as an attachment to papakid at myway.com if you would. In the email message copy the url of this thread from the address bar and paste it in and write that the password is "infected" or the exact spelling that you used.

There are a couple of other things in your log that I need to check on. I'll get back with you later on this evening.



#7 Papakid, Guru at being a Newbie (Malware Response Team, 6,649 posts)

Posted 13 June 2004 - 10:05 PM

Thanks for sending the file honda2nr. It's definitely a baddie.

There's only one other item in your HT log that needs to be fixed:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

The presence of the underscore ( _ ) will not allow HijackThis to fix it, so we'll need to use a regfile to correct that. Copy the contents of the following quotebox and paste it into Notepad. In the "File Name:" field type Remove.reg and in the "Save As Type:" field select All Files. Click Save and select your desktop for now. Double-click Remove.reg and when it asks if you're sure you want to do this, click Yes, then reboot.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

I'm not sure if this will fix your slowness issue, probably not, but let me know if it does. If not we'll look into why some more.


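The entries Papakid singles out in posts #4 and #7 (toolbar and hook entries marked "(no file)", an autorun pointing at an executable dropped straight into C:\, an O16 Downloaded Program File served from a local file:// path, and the underscore-prefixed URLSearchHook that HijackThis cannot fix) can be picked out of a log mechanically. The Python below is an added example, not code from HijackThis or from anyone in this thread: the triage rules are this example's own reading of those two posts, the sample lines are a subset of the log above, and the .reg text it emits is the one from post #7 with the CLSID taken from the flagged R3 line.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason hjt_fixable")

# Constructed sample: a subset of the HijackThis v1.97.7 log posted in this
# thread. The rules below are this example's own, not HijackThis logic.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [mmsys] C:\recover.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
"""

R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<clsid>_?\{[^}]+\}) - ")
O4_RE = re.compile(r"^O4 - .*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
# An executable sitting directly in the root of a drive, e.g. C:\recover.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def _exe_path(cmd):
    """First token of a Run value, honouring a quoted path that contains spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage(log_text):
    """Return the log lines worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R3_RE.match(line)
        if m and m.group("clsid").startswith("_"):
            findings.append(Finding(line,
                "URLSearchHook CLSID is prefixed with '_': HijackThis cannot "
                "fix it, remove it with a .reg file instead", False))
            continue
        if "(no file)" in line:
            findings.append(Finding(line,
                "orphan entry, the referenced file is gone; safe to fix", True))
            continue
        m = O4_RE.match(line)
        if m and ROOT_EXE_RE.match(_exe_path(m.group("cmd"))):
            findings.append(Finding(line,
                "autorun of an executable dropped straight into the drive root; "
                "check its properties and creation date before trusting it", True))
            continue
        m = O16_RE.match(line)
        if m and m.group("url").lower().startswith("file:"):
            findings.append(Finding(line,
                "Downloaded Program File served from a local file:// path "
                "instead of a web site; fix it and delete the file", True))
    return findings


def urlsearchhook_reg(clsid):
    """REGEDIT4 text in the form used in post #7: delete the whole
    URLSearchHooks key and recreate it with only the given CLSID
    (a leading '_' copied from the log line is stripped)."""
    key = "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks"
    clsid = clsid.lstrip("_")
    return 'REGEDIT4\n\n[-%s]\n\n[%s]\n"%s"=""\n' % (key, key, clsid)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("HJT-fixable" if f.hjt_fixable else "manual fix ", f.reason)
        print("    ", f.line)
    print(urlsearchhook_reg("_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"))
```

Entries the script marks as HJT-fixable correspond to the "Fix checked" step in post #4; the one marked for manual fix is the hook whose underscore defeats HijackThis, and the generated .reg file is what post #7 has the user run instead.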

#8 honda2nr, Topic Starter (Members, 115 posts)

Posted 14 June 2004 - 12:30 PM

Did as you said and it was able to be deleted. And NO, the speed is still slow. I don't understand this and it's very annoying. I appreciate all your help again. Hopefully there is a way that you can make it faster.

#9 Grinler, Lawrence Abrams (Admin, 43,665 posts, Location: USA)

Posted 14 June 2004 - 03:03 PM

Sorry to jump in here, but I'm curious to see something:

Please download this:

http://www.bleepingcomputer.com/files/forensics/Fport.exe

and save it to the directory c:\forensics

Then click on start, then run and type cmd.exe and press ok.

At the command prompt type cd \forensics and then type:

fport > fport.txt and press enter

Then type:

notepad fport.txt and press enter

Then paste the contents of the notepad to a reply to this post

#10 honda2nr, Topic Starter (Members, 115 posts)

Posted 15 June 2004 - 12:15 AM

Tried doing as you say and it just says bad command. Can you be a little more clear with your directions? I'm sure I did just as you say. Thanks.

#11 Grinler, Lawrence Abrams (Admin, 43,665 posts, Location: USA)

Posted 15 June 2004 - 10:39 AM

Create a directory on your computer in the c: drive called forensics.

Download this:

http://www.bleepingcomputer.com/files/forensics/Fport.exe

and save it to the directory in the c: drive called forensics that we had just made.

Then click on the start button, then click on run and type cmd.exe and press the OK button.

You will now be presented with a black screen.

Type cd \forensics and press enter.

Then type fport > fport.txt and press enter

Then type:

notepad fport.txt and press enter

Then paste the contents of the notepad to a reply to this post

#12 Papakid, Guru at being a Newbie (Malware Response Team, 6,649 posts)

Posted 15 June 2004 - 12:55 PM

Just to clarify a bit more: it's important that commands are typed in exactly (check your spelling), and where the spacebar is hit can often trip you up. Here's how it should look if you substitute the $ symbol for where the spaces should be.

cd$\forensics
fport$>$fport.txt
notepad$fport.txt



#13 Papakid, Guru at being a Newbie (Malware Response Team, 6,649 posts)

Posted 15 June 2004 - 02:20 PM

honda2nr, Grinler is going to help you with what may be causing the slowness as it relates to possibly having a hidden file still active. There are some other things that can cause slowness and I'll make a few suggestions in that area that you can do at your convenience.

The main thing to look at is basic maintenance. In your first log you had quite a bit of junk removed and it's always good to do basic maintenance after cleaning up. Even if you already know this I want to go over it anyway; I'm not trying to insult anyone's intelligence.

Basic maintenance consists of three programs native to Windows.
1. Disk Cleanup.
2. Scandisk or Checkdisk (XP is Checkdisk and also known as Error Checking).
3. Defragmentation.

They should be run in that order. In XP all three of these utilities can be accessed thru your hard drive's properties (My Computer>right click Local Disk C:\>Properties). Disk Cleanup is located under the General tab and Error Checking and Defrag under the Tools tab.

Disk Cleanup could have a tutorial of its own, but it is generally desired to have it delete all Temp and Temporary Internet Files (TIFs).

One thing Disk Cleanup won't do is clear index.dat files. TIFs, Cookies and some other folders contain these files, which are basically an index of what is contained in that folder and are supposed to speed up browsing, but the index is not cleared when the files are deleted. So index.dat files continue to grow in size, and when they get large they may cause corruption of IE's cache and problems with browsing. Index.dat files are also part of the shell of NT-based systems (XP, 2000), so they are not easy to delete. I've found it is much easier to use a third-party utility as a substitute for Disk Cleanup that will also delete index.dat files. Until recently there have been very few freeware utilities that will do that. What I use is System Security Suite (3S), which has other functions as well. Once installed, everything that is checked by default under the Items To Clear tab is safe to delete.

Something else that can cause slowness over time and after programs have been uninstalled is a messy registry. The easiest way to correct this is to run a registry cleaner. They should be used with caution, however, since they are making educated guesses as to what needs to go. The most conservative and therefore safest registry cleaner (according to my sources) is EasyCleaner by Toni Arts. You can still get it as freeware here:
http://www.majorgeeks.com/download414.html

I'll get into managing startups later. Let me know what you've done in this area. If your slowness started suddenly, then what Grinler is helping you with is what you should concentrate on.



#14 honda2nr, Topic Starter (Members, 115 posts)

Posted 16 June 2004 - 01:22 AM

FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
916 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
1016 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
4 System -> 1030 TCP
3040 BackWeb-137903 -> 1033 TCP C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
3676 aim -> 1035 TCP C:\Program Files\AIM\aim.exe
3676 aim -> 1045 TCP C:\Program Files\AIM\aim.exe
1320 -> 5000 TCP
3676 aim -> 5180 TCP C:\Program Files\AIM\aim.exe
3756 msmsgs -> 14316 TCP C:\Program Files\Messenger\msmsgs.exe

4 System -> 123 UDP
3676 aim -> 123 UDP C:\Program Files\AIM\aim.exe
3676 aim -> 137 UDP C:\Program Files\AIM\aim.exe
3676 aim -> 138 UDP C:\Program Files\AIM\aim.exe
916 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
4 System -> 500 UDP
1016 svchost -> 1026 UDP C:\WINDOWS\System32\svchost.exe
4 System -> 1031 UDP
3676 aim -> 1037 UDP C:\Program Files\AIM\aim.exe
1320 -> 1065 UDP
3676 aim -> 1900 UDP C:\Program Files\AIM\aim.exe
3756 msmsgs -> 1900 UDP C:\Program Files\Messenger\msmsgs.exe
3040 BackWeb-137903 -> 9370 UDP C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
0 System -> 13802 UDP
0 System -> 28367 UDP

#15 Grinler, Lawrence Abrams (Admin, 43,665 posts, Location: USA)

Posted 16 June 2004 - 01:02 PM

That looks clean. I do not see anything that would be causing your computer to be running slow anymore.
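Grinler's "that looks clean" is the result of reading the Fport table by eye: every listening port is tied to a known process in a normal location. As an added example (not Foundstone's code and not anything posted in the thread), the Python below parses that table, groups open ports per process, and flags the two things a reviewer checks before signing off: rows Fport could not map to an image (the PID 1320 rows above, which need identifying by PID in Task Manager), and binaries listening from outside the usual program directories, which is where a file dropped into the drive root like the recover.exe from earlier in this thread would show up. The sample is a subset of the output posted above, the extra "recover" line is hypothetical and added only to show what a hit looks like, and the trusted-directory list is an assumption for this example.

```python
import re
from collections import defaultdict, namedtuple

Listener = namedtuple("Listener", "pid process port proto path")

# Constructed sample: a subset of the Fport v2.0 output posted in this thread,
# fields single-space separated as in the post. Added example, not Foundstone code.
FPORT_OUTPUT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid Process Port Proto Path
916 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
1016 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
4 System -> 1030 TCP
3040 BackWeb-137903 -> 1033 TCP C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
3676 aim -> 1035 TCP C:\Program Files\AIM\aim.exe
3676 aim -> 1045 TCP C:\Program Files\AIM\aim.exe
1320 -> 5000 TCP
3676 aim -> 5180 TCP C:\Program Files\AIM\aim.exe
3756 msmsgs -> 14316 TCP C:\Program Files\Messenger\msmsgs.exe

4 System -> 123 UDP
3676 aim -> 123 UDP C:\Program Files\AIM\aim.exe
916 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
1320 -> 1065 UDP
3040 BackWeb-137903 -> 9370 UDP C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
0 System -> 13802 UDP
"""

# Hypothetical row, NOT in the thread's output, to show what a hit looks like.
HYPOTHETICAL_HIT = r"1234 recover -> 6667 TCP C:\recover.exe"

# pid, optional process name (never the '->' arrow itself), port, proto, optional path
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?:(?P<proc>(?!->)\S+)\s+)?->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)(?:\s+(?P<path>\S.*))?$")

KERNEL_PIDS = {0, 4}  # System Idle / System on XP: no image path is expected
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")  # assumption for this example


def parse_fport(text):
    """Turn Fport's text table into Listener records; banner and header lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rows.append(Listener(int(m["pid"]), m["proc"] or "", int(m["port"]),
                                 m["proto"], (m["path"] or "").strip()))
    return rows


def unresolved(listeners):
    """Non-kernel rows Fport could not map to an image: identify the PID by hand
    (Task Manager) before calling the machine clean."""
    return [l for l in listeners if not l.path and l.pid not in KERNEL_PIDS]


def unexpected_location(listeners):
    """Rows whose binary lives outside the normal program directories, for instance
    a file dropped straight into the root of the drive."""
    return [l for l in listeners
            if l.path and not l.path.lower().startswith(TRUSTED_DIRS)]


def ports_by_process(listeners):
    """Group open ports per (pid, name) so each process can be checked at a glance."""
    table = defaultdict(list)
    for l in listeners:
        table[(l.pid, l.process or "?")].append("%d/%s" % (l.port, l.proto))
    return dict(table)


if __name__ == "__main__":
    rows = parse_fport(FPORT_OUTPUT)
    for key, ports in ports_by_process(rows).items():
        print(key, ", ".join(ports))
    for l in unresolved(rows):
        print("unresolved image for PID %d on %d/%s" % (l.pid, l.port, l.proto))
    for l in unexpected_location(rows + parse_fport(HYPOTHETICAL_HIT)):
        print("unexpected location:", l)
```

On the real output above the only thing the script raises is PID 1320, which Fport prints without a name or path; a reviewer would match that PID against Task Manager before agreeing with "clean". The hypothetical recover.exe row is there to show that a listener started from C:\ would not be missed even when its name looks innocuous.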



