#1
Posted 03 May 2008 - 03:27 PM
About once a day my Internet speed slows right down to 0 and I cannot access my Internet Connection settings. When I shut down, I get a msg that says 'connections tray not responding'. When the pc eventually shuts down and I restart, everything is back to normal. I have run my antivirus as well as Spybot and Ad-aware and I've defragmented. I already have RR pro which I ran and the report came out clean. Someone suggested disabling all unnecessary items at Startup, which I have also done to no avail. Is it a new bug that has fallen in love with me? Thank you.
#2
Posted 03 May 2008 - 03:36 PM
Hi Maketa, let's get some logs to see what might be going on. Please follow the instructions here http://www.malwareby...?showtopic=2936 .
#3
Posted 05 May 2008 - 06:38 AM
Thank you so much for responding to my plea for help. I seem to have solved the problem by running a program called 'winsockxpfix' that did some work in the registry and things have been ok for two days now. If the problem recurs, I will follow your instructions. Thank you for always being prompt and courteous on this site.
#4
Posted 05 May 2008 - 07:00 AM
#5
Posted 05 May 2008 - 07:16 AM
I have updated Spybot and immunized but I cannot find any info in the tutorial about disabling Tea Timer.
#6
Posted 05 May 2008 - 09:10 AM
OK. I ran Spybot but nothing was detected. I then ran MBAM and here's the scan report:
Malwarebytes' Anti-Malware 1.11
Database version: 717
Scan type: Full Scan (C:\|)
Objects scanned: 62077
Time elapsed: 49 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\tata\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.
I'll run the other two scans asap. Thanks again for your help.
#7
Posted 05 May 2008 - 04:59 PM
Open SB S&D
Make sure you are in Advanced Mode.
Click on the Tools section and then Resident.
You will see two items.
1. Resident "SD helper" (Internet Explorer bad download blocker.) active
2. Resident "Tea Timer" (Protection of over-all system settings.) active.
Uncheck 2. Leave 1 checked always.
You can enable Tea Timer again if you wish once all special fixes have been done.
I do believe it. I see it all the time.
#8
Posted 06 May 2008 - 05:42 AM
Hi again. Here's a fresh mbam scan report after having disabled Tea Timer in Spybot. Seems to be clean:
Malwarebytes' Anti-Malware 1.11
Database version: 717
Scan type: Full Scan (C:\|)
Objects scanned: 62183
Time elapsed: 50 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#9
Posted 06 May 2008 - 09:28 AM
And here are the Panda active scan results:
;*******************************************************************************
ANALYSIS: 2008-05-06 12:24:40
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Eset NOD32 antivirus system 2.51 2.51 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
01010532 Adware/Gator Adware No 0 Yes No C:\Local Disk (D)\From Disc C\My Downloads\AGSetup0608.exe
02899326 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\bann.exe[■%%\gzmrt.dll]
02901019 Adware/VapSup Adware No 0 No No C:\Documents and Settings\tata\Local Settings\Temp\tmp40A.tmp.exe[■%%\iebrowserc.dll]
02904726 Adware/AdRotator Adware No 0 Yes No C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\bann.exe
02904732 Adware/AdRotator Adware No 0 Yes No C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe
02904747 Adware/AdRotator Adware No 0 No No C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe[²ÜÇ\nsBrowserOpt.dll]
02905994 Adware/BHO Adware No 0 No No C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe[²ªÇ]
02919505 Trj/Downloader.MDW Virus/Trojan No 1 No No C:\Documents and Settings\tata\Local Settings\Temp\tmp3E6.tmp.exe[²òÇ\adssite_sidebar.dll]
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================
#10
Posted 06 May 2008 - 09:36 AM
... and here's the log from Hijack this: Incidentally I MUST apologise, I've only just noticed that you had already given me instructions on how to disable Tea Timer in your first post.
Now the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:13 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1183359875125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 3739 bytes
#11
Posted 06 May 2008 - 06:22 PM
How are you running now?
Run HJT again and put a check next to this item and then click fix.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Please upload all of these files to here: http://uploads.malwarebytes.org/ . Put them in a zip file, no larger than 2MB each.
C:\Local Disk (D)\From Disc C\My Downloads\AGSetup0608.exe
C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\bann.exe[■%%\gzmrt.dll]
C:\Documents and Settings\tata\Local Settings\Temp\tmp40A.tmp.exe[■%%\iebrowserc.dll]
C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\bann.exe
C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe
C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe[²ÜÇ\nsBrowserOpt.dll]
C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe[²ªÇ]
C:\Documents and Settings\tata\Local Settings\Temp\tmp3E6.tmp.exe[²òÇ\adssite_sidebar.dll]
Then get this and run it; uncheck the clean registry box and remove everything else it finds as crap. http://www.ccleaner.com/download
Edited by JeanInMontana, 06 May 2008 - 07:45 PM.
to add instructions
#12
Posted 07 May 2008 - 07:34 AM
Hello again. I have had no problems since my last post.
I ran HJT and fixed the item you mentioned. However that put msn as my home page. I didn't want to have a home page so I clicked 'use blank'. That's ok, isn't it?
The rest of the stuff sounds very complicated so if you don't mind, I'll wait until the problem occurs again and I 'panic' before I attempt to do them.
You know there's something that perhaps I should have mentioned from the start but just didn't occur to me at the time. The reason I notice that my speed slows down until it reaches 0 is because I'm using a p2p program called Shareaza. After Shareaza becomes completely idle, I cannot access the internet at all and I have the problem as I described it in my first post. Do you think this might have something to do with it?
Thanks again for your time and trouble.
#13
Posted 07 May 2008 - 02:31 PM
It's OK to have no homepage, but when you do have one and it changes you have an immediate notice something is wrong. The whole idea is to prevent this stuff from happening again. You don't have to be infected ever if you follow good surfing habits and use proper prevention and protection methods.
The reason I would like you to upload those files is to help MBAM protect and remove them in the future. It is really not that hard to do. Just go to the file location, right click on the file and choose send to zipped folder. Then upload the zipped folder to the location http://uploads.malwarebytes.org/ . If you can't do that, then you should run CCleaner and get rid of them. They are malware.
Shareaza and all P2P programs are a huge security risk and often engaged in illegal activities. My advice is to uninstall it. I'm sure it's why your performance is not good and most likely why you got infected.
Are you using the Windows firewall only? This is not sufficient.
We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.
Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.
Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.
A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.
Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
SpywareBlaster from Javacool Software
WinPatrol by BillPStudios
SiteHound by FireTrust
RogueRemover
hpHosts
The Windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free.
Also the full protection of MBAM is offered at a very low price.
#14
Posted 12 May 2008 - 09:04 AM
Hello again.
1. I have uninstalled Shareaza.
2. I've chosen the easy way and downloaded Ccleaner but I can't find the 'clean registry' box so that I can uncheck it. There is a box called 'registry' beneath the brush that says 'cleaner' on the left panel. Do I click on that and uncheck everything that opens up on the right?
3. I turned Windows Automatic Updates on. So far I've been doing it manually as some items didn't seem to relate to my configuration. Anyway now it's on.
4. Yes, Windows Firewall is the only one I'm using. I'll try your suggestion about an additional firewall. But isn't that going to overload my pc? I have Nod32, Spybot, Adaware, Windows Firewall, RRpro running continuously already. Won't it slow down my pc if I add another item?
5. My homepage has always been blank even when the connections tray was hanging. It has never changed.
6. Concerning the creation of a clean Restore point I guess you mean after I've run ccleaner, yes?
Thank you.
#15
Posted 12 May 2008 - 05:50 PM
The registry section is under the cube icon, click it and you will see a list of things all checked, if you just uncheck the very first one all of them will be unchecked.
You will turn off the Windows firewall and no it is not too much security. You can set the updates to only install after you approve them, so you can choose not to get the ones that you don't need. I do this also, no need to get a bunch of stuff you never use. Now SP3 is out and you can get it.
Yes run CCleaner and then set the restore point.
#16
Posted 14 May 2008 - 02:38 PM
Thanks very much for your help.
p.s. You did say 'turn off Windows Firewall, yes?'
#17
Posted 14 May 2008 - 03:01 PM
Turn off the Windows firewall once you have the other one installed. You never want to run two firewalls or two active antivirus programs. You're welcome, hope you never have trouble again but if you do we are here for you.
#18
Posted 14 May 2008 - 03:21 PM
Boy you are fast! I was just getting ready to edit my previous post just to let you know that I am now using Online Armor and should I turn off WF? But you beat me to it!
Thanks again. Take care.
#19
Posted 14 May 2008 - 03:52 PM
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.