TechSpot

Need help removing darksma and "internet speed monitor"

By makenzie71
Dec 1, 2008
Topic Status:
Not open for further replies.
  1. First please let me apologize for posting in the manner I'm about to do. It's a requirement that I have 5 posts to have a link and my HJT log is full of links...which means I can't get help without having five posts and if I've got to ***** up five posts I may as well not trash another person's thread with either misguided advice or nonsense. Please stay tuned.

    ...plus probably half a dozen other things. It seems like I have WAY too many things running at one time and I can't figure out why. For kicks here's a screen shot of my process manager...

    [​IMG]

    I don't know what half that crap is...of course it's an old computer and lots can happen over 6 years but still.

    Anyway...CA detects both the darksma and internet speed monitor (ISM from here on because that's irritating to write) and says it's removed them, but they come right back on the next scan. Adaware doesn't even detect them...much less remove them. I've tried running all my programs in safe mode and no change.

    I did some searching here and found references to this same bug but when it came to deleting/repairing files the ones listed in the forum weren't found on my PC. I ran HJT but, as said, the files listed weren't found on my PC. Here's the log file cut-n-paste:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13:03 PM, on 11/30/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ftp://www.photoartclub.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_5_7_0.dll
    O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [a4b0434f] rundll32.exe "C:\WINDOWS\system32\jdmwqfgu.dll",b
    O4 - HKCU\..\Run: [GetModule30] C:\Program Files\GetModule\GetModule30.exe
    O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O20 - AppInit_DLLs: tfrkqk.dll
    O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
    O23 - Service: hpdj - HP - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

    --
    End of file - 5914 bytes


    Any help is much appreciated!

    Thanks!
    Duncan

    P.S. Please, again, accept my apologies for the following four pointless posts. I don't know how else to get my log file to display. Thank you for your patience!
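A first-pass way to read a log like the one in the opening post, as an added example that is not part of the thread: it parses HijackThis entry lines by section code and flags three patterns that generally merit a closer look. The three heuristics are assumptions of this example, not findings posted by the helpers here, and a flag means "review", not "malicious".

```python
import re

# Excerpt of entry lines from the HijackThis log in the post above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ftp://www.photoartclub.net/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [a4b0434f] rundll32.exe "C:\WINDOWS\system32\jdmwqfgu.dll",b
O20 - AppInit_DLLs: tfrkqk.dll
O23 - Service: hpdj - HP - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
"""

# HijackThis entry lines look like "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+?)\s*$")


def parse(log):
    """Return (section_code, body) for every entry line; headers are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]


def triage(log):
    """Return (code, reason, body) for entries matching a review heuristic."""
    findings = []
    for code, body in parse(log):
        if code == "O4" and re.search(r"\brundll32(\.exe)?\b", body, re.I):
            # Autostart entry that loads a DLL through rundll32 at logon.
            findings.append((code, "autostart runs a DLL via rundll32", body))
        elif code == "O20" and body.startswith("AppInit_DLLs:") \
                and body.partition(":")[2].strip():
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append((code, "AppInit_DLLs is not empty", body))
        elif code == "O23" and re.search(r"\\te?mp\\", body, re.I):
            # A service whose executable lives in a Temp directory.
            findings.append((code, "service image is in a Temp folder", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```
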
  2. makenzie71

    makenzie71 TS Rookie Topic Starter

    again, my sincerest apologies.
  3. makenzie71

    makenzie71 TS Rookie Topic Starter

    I really am sorry.
  4. makenzie71

    makenzie71 TS Rookie Topic Starter

    just one more...
  5. makenzie71

    makenzie71 TS Rookie Topic Starter

    I would like to add that I do not use Internet Explorer for anything other than uploading files to my website.
  6. Kazi

    Kazi TS Enthusiast Posts: 121

    Follow this : http://www.techspot.com/vb/topic58138.html

    Post back the three logs IN AN ATTACHMENT.
    To know how to attach, go to this link: http://www.techspot.com/vb/topic19133.html

    I recommend to uninstall CA and install any one of these, (only install 1) (you don't have to uninstall by the way)

    AVG free http://free.avg.com/download-avg-anti-virus-free-edition
    Avira Free http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    Avast Free http://www.avast.com/eng/avast_4_home.html

    Cleaning of the Hijackthis log will be after the 8 steps
  7. makenzie71

    makenzie71 TS Rookie Topic Starter

    Thanks Kazi...I was working on getting the logs. The log time is crap...says it took 14 hours to scan my computer but it took well over 24...bleh...

    Anyway, here are the two logs I could get:

    http://photoartclub.net/viruslogs/ccleanerlog1.txt
    http://photoartclub.net/viruslogs/malwarelog1.txt

    I've tried to get the antivir log but it takes three to four hours for the thing to scan my computer and the instant it hits 100% I get an error message and the program closes.

    I'm also having issues getting ZoneAlarm to work...I don't know why, though, because I've had it before. Avira's firewall thing uses too much memory. My poor old PC can't handle it and running WOW at the same time.

    Oh and I can attach the files if absolutely necessary, but I don't like doing that when I have a perfectly good host that I don't use near enough available.
  8. makenzie71

    makenzie71 TS Rookie Topic Starter

    http://photoartclub.net/viruslogs/hijackthislog.txt

    I ran all the "quick" scanners again, including CA's little dinky thing, and darksma and internet speed monitor are both gone and I no longer have a plague of pop-ups, but now this is popping up:

    ImIServer IEPlugin

    The computer is still a bit slower than she should be, and there's lag when changing windows/tabs and still a lot when opening new ones.
  9. Kazi

    Kazi TS Enthusiast Posts: 121

    UMM you still shouldn't be feeling right
    sorry for the late post

    In your Malwarebytes log you did not remove anything at all; it says no action taken.
    Run a scan with Malwarebytes again and tell me if anything comes out.

    If something comes out, do these.
    You have not run SUPERAntiSpyware, it seems. You don't need to attach a log for CCleaner.




    ? Avira free doesn't have a firewall.
    currently your computer is SLOW it seems
    you could always try the lightning fast antivirus everyone loves
    HOWEVER if you wish to keep CA, you can

    NOD32 www.eset.com/beta
    Smart security 4 is going beta and is free until 3/2/09

    Tell me the error of the ZoneAlarm firewall

    I cannot access your hijackthis log


  10. makenzie71

    makenzie71 TS Rookie Topic Starter

    http://photoartclub.net/viruslogs/hijackthis.log

    Sorry I screwed up the extension.

    I'll remove everything malwarebytes comes up with next time...I thought I was supposed to wait for further instruction before removing all that stuff.

    I missed the superantispyware thing...when I tried to d/l it the other night it never started the process but it's going now. I'll post anything it comes up with when I get off work this afternoon.

    When I open zonealarm it immediately has a program error message and no attached details. Just won't start up. I haven't had time to uninstall and try again yet
  11. mflynn

    mflynn TS Rookie Posts: 2,793

    makenzie71

    Do exactly this The TechSpot 8 Steps

    Do step by step skip no steps and attach the logs.

    Do this right and we can make short work of this.

    Mike
     
  12. Kazi

    Kazi TS Enthusiast Posts: 121

    When done attach the logs
  13. makenzie71

    makenzie71 TS Rookie Topic Starter

    Superantispyware says no errors found.

    CCleaner finds no issues.

    Malwarebytes finds no issues.

    AntiVir won't be done scanning until tomorrow afternoon...bleh...

    CA still pulls up the same IMIserver IEPlugin thing, though, and the PC still isn't as quick as she should be.

    New HJT log: http://photoartclub.net/viruslogs/hijackthis1.log
  14. Kazi

    Kazi TS Enthusiast Posts: 121

    I don't think you should be using 2 anti viruses at the same time

    Anyways remove these from HJT
    close all other stuff besides HJT before removing
    Run a kaspersky online scan as i said in earlier post




    I think that will be all i can do, as i'm kinda bad in the combofix and sd-fix parts
  15. makenzie71

    makenzie71 TS Rookie Topic Starter

    Kazi, any help is great help and I really appreciate it! I'm running the Kaspersky thing but it's going to be Monday before it's done scanning apparently.
  16. Kazi

    Kazi TS Enthusiast Posts: 121

  17. mflynn

    mflynn TS Rookie Posts: 2,793

    Good advice on Comodo!

    The below is not as complex as it looks one step at a time. It is your choice if you do it or not.

    But ZA is sticky and hard to remove, like Norton. Even after (just the Add/Remove ZA uninstall) it can cause obvious and undetermined issues and slowdowns.

    This may be an eye opening experience as you see what a poor uninstall leaves behind.

    The below is my full ZA removal process but you have already done a standard uninstall and the Add/remove entry is now gone so Revo will not detect ZA. So begin at the point after that.

    Removing and cleaning ZoneAlarm
    Uncheck all to turn off and or disable ZA then reboot

    Uninstall with Revo http://www.revouninstaller.com/ Use Advanced and remove leftover Registry and Disk files.

    Download Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    Make sure hidden files and folders are shown. Open Windows Explorer. Depending on your OS click Tools or View and then Folder Options > View.

    Choose Show hidden files and folders, uncheck Hide protected operating system files and click OK.

    Then:

    Left Drag mouse to highlight and copy all text in the box below.
    Code:
    Zonelabs; "zone labs"; "Internet logs"; vsconfig.xml; vsdata.dll; vsdata95.vxd; vsdatant.sys; vsmon.*; vsmonapi.dll; vsnetutils.dll;vspubapi.dll; zaplus.*; zapro.*; zllictbl.dat; zlparser.dll; zonealarm.exe; zoneband.dll; vsutil.dll; zlclient.*
    Next:
    Start-Search-Files and Folders. In location set to search your Local Hard Drive (usually C:\ ) or All Local Drives.

    Select Advanced Search Options and set to search subfolders and hidden files.

    Now paste the copied lines from above into the search box and click Search Now.

    Delete all it finds! Empty Recycle bin.


    Next:
    To remove all ZoneLabs keys left in the Windows registry.

    Highlight and copy for pasting, the below (between the lines)
    ----------------------------------------------------------------------
    Code:
    REGEDIT4
    [-HKEY_CLASSES_ROOT\ZAMailSafe]
    [-HKEY_CURRENT_USER\Software\Zone Labs]
    [-HKEY_LOCAL_MACHINE\Software\Zone Labs]
    [-HKEY_USERS\.DEFAULT\Software\Zone Labs]
    ----------------------------------------------------------------------

    Paste the lines into Notepad.
    Save as (All Files) removeza.reg.
    Once saved double click removeza.reg and allow - accept the prompts for changes to be made.

    Now REBOOT.

    left drag mouse and select all in the box below for pasting.
    Code:
    @echo off
    :: Cleanup ZA after install
    
    cd\
    
    rd /s /q "C:\Program Files\Zone Labs"
    rd /s /q "C:\WINDOWS\Start Menu\Programs\Zone Labs"
    
    attrib -h -s -r ZAMailSa*.* /s
    attrib -h -s -r "zonealarm pro"*.* /s
    attrib -h -s -r Zonelabs*.* /s
    attrib -h -s -r "zone labs*.*" /s
    attrib -h -s -r "Internet logs"*.* /s
    attrib -h -s -r vsconfig.xml /s
    attrib -h -s -r vsdata.dll /s
    attrib -h -s -r vsdata95.vxd /s
    attrib -h -s -r vsdatant.sys /s
    attrib -h -s -r vsmon.* /s
    attrib -h -s -r vsmonapi.dll /s
    attrib -h -s -r vsnetutils.dll /s
    attrib -h -s -r vspubapi.dll /s
    attrib -h -s -r zaplus.* /s
    attrib -h -s -r zapro.* /s
    attrib -h -s -r zllictbl.dat /s
    attrib -h -s -r zlparser.dll /s
    attrib -h -s -r zonealarm.exe /s
    attrib -h -s -r zoneband.dll /s
    attrib -h -s -r vsutil.dll /s
    attrib -h -s -r zlclient.* /s
    attrib -h -s -r Zonelabs*.* /s
    
    
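    :: Note: attrib above recurses with /s; the del commands below have no /s
    :: and act only on the current directory (the drive root after cd\)
    del ZAMailSa*.* /f /q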
    del "zonealarm pro"*.* /f /q
    del Zonelabs*.* /f /q
    del "zone labs*.*" /f /q
    del "Internet logs*.*" /f /q
    del vsconfig.xml /f /q
    del vsdata.dll /f /q
    del vsdata95.vxd /f /q
    del vsdatant.sys /f /q
    del vsmon.* /f /q
    del vsmonapi.dll /f /q
    del vsnetutils.dll /f /q
    del vspubapi.dll /f /q
    del zaplus.* /f /q
    del zapro.* /f /q
    del zllictbl.dat /f /q
    del zlparser.dll /f /q
    del zonealarm.exe /f /q
    del zoneband.dll /f /q
    del vsutil.dll /f /q
    del zlclient.* /f /q
    del Zonelabs*.* /f /q
    del Zonelabs*.* /f /q
    
    
    del "C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm Pro.lnk" /f /q
    del C:\WINDOWS\SYSTEM\vsdata.dll /f /q
    del C:\WINDOWS\SYSTEM\Vsdata95.vxd /f /q
    del C:\WINDOWS\SYSTEM\vsdatant.sys /f /q 
    del C:\WINDOWS\SYSTEM\vsmonapi.dll /f /q 
    del C:\WINDOWS\SYSTEM\vspubapi.dll /f /q 
    del C:\WINDOWS\SYSTEM\vsutil.dll /f /q 
    del C:\WINDOWS\SYSTEM\zllictbl.dat /f /q 
    del C:\WINDOWS\SYSTEM\zlparser.dll /f /q 
    del C:\WINDOWS\SYSTEM\ZoneLabs\Migrate.dll /f /q 
    del C:\WINDOWS\SYSTEM\ZoneLabs\vsdb.dll /f /q 
    del C:\WINDOWS\SYSTEM\ZoneLabs\vsmon.exe /f /q 
    del C:\WINDOWS\SYSTEM\ZoneLabs\vsruledb.dll /f /q 
    del C:\WINDOWS\SYSTEM\ZoneLabs\minilog.exe /f /q 
    del "C:\WINDOWS\Internet Logs\IAMDB.RDB" /f /q
    del "C:\WINDOWS\Internet Logs\W98-DHIGHT.ldb" /f /q 
    del C:\WINDOWS\SYSTEM\ZoneLabs\html.tdr /f /q
    
    :: Key paths containing spaces must be quoted; /f deletes without a
    :: confirmation prompt (a prompt would swallow the next pasted line)
    reg delete "HKEY_CLASSES_ROOT\ZAMailSafe" /f
    reg delete "HKEY_CURRENT_USER\Software\Zone Labs" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Zone Labs" /f
    reg delete "HKEY_USERS\.DEFAULT\Software\Zone Labs" /f
    reg delete HKLM\System\ControlSet001\enum\Root\LEGACY_VSMON /f
    reg delete HKLM\System\ControlSet001\enum\Root\LEGACY_VSDATANT /f
    reg delete HKLM\System\ControlSet002\enum\Root\LEGACY_VSMON /f
    reg delete HKLM\System\ControlSet002\enum\Root\LEGACY_VSDATANT /f
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VSDATA9 /f
    
    exit
    Once the above is selected, then open a cmd prompt and paste to the black screen.

    Run AutoRuns click the Everything Tab look down the column Publisher for anything not Microsoft delete any line referencing Zone alarm or Zonelabs.
    ----------------------------------------------------------------------------------------------------------------------------------
    If you are paranoid do the following also.

    D/L Regseeker http://www.hoverdesk.net/freeware.htm

    Run it and select "Find in Registry" the following 1 at a time.
    zonelabs
    zone labs
    zonealarm
    zoneband
    zlclient
    zaplus
    zapro
    zamailsafe
    zllictbl
    zlparser
    Internet logs
    vsconfig
    vsdata
    vsmon
    vsnetutils
    vspubapi
    vsutil

    Then in Regseeker select Clean Registry and do a general Reg clean before rebooting.

    And finally you will be clean of ZA.

    Mike
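A read-only inventory to run before the delete steps in the post above, as an added example that is not part of the thread: it walks a directory tree and lists every file or folder whose name matches the search terms from that post, so the list can be reviewed before anything is removed. Treating the bare terms (Zonelabs, "zone labs", "Internet logs") as substring matches is an assumption of this example; the directory tree in `demo()` is constructed.

```python
import fnmatch
import os
import tempfile

# Name patterns from the search string in the post above. Bare terms are
# treated as substring matches (assumption); the rest are used as written.
PATTERNS = [
    "*zonelabs*", "*zone labs*", "*internet logs*", "vsconfig.xml",
    "vsdata.dll", "vsdata95.vxd", "vsdatant.sys", "vsmon.*", "vsmonapi.dll",
    "vsnetutils.dll", "vspubapi.dll", "zaplus.*", "zapro.*", "zllictbl.dat",
    "zlparser.dll", "zonealarm.exe", "zoneband.dll", "vsutil.dll", "zlclient.*",
]


def is_leftover(name):
    """Case-insensitive match of one file or folder name against PATTERNS."""
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, p) for p in PATTERNS)


def find_leftovers(root):
    """List matching files and folders under root; nothing is deleted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if is_leftover(d):
                hits.append(os.path.join(dirpath, d))
                dirnames.remove(d)  # report the folder once, do not descend
        hits += [os.path.join(dirpath, f) for f in filenames if is_leftover(f)]
    return sorted(os.path.relpath(h, root).replace(os.sep, "/") for h in hits)


def demo():
    """Build a constructed tree in a temp directory and inventory it."""
    sample = [
        "WINDOWS/system32/vsdatant.sys",
        "WINDOWS/system32/VSMON.EXE",         # upper case still matches
        "WINDOWS/system32/vsmonitor.txt",     # not matched by vsmon.*
        "WINDOWS/Internet Logs/IAMDB.RDB",    # folder reported as a whole
        "Program Files/Zone Labs/zlclient.exe",
        "Program Files/Other/readme.txt",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_leftovers(root)


if __name__ == "__main__":
    for path in demo():
        print(path)
```
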