PC painfully slow please help

By wolfblitz
Jul 7, 2008
Topic Status:
Not open for further replies.
  1. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    hi xxdanielxx thanks for your reply
    I removed the items you highlighted and couldn't connect to the internet, so I restored them one by one. It turns out that
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51

    are something to do with the internet connection. Does this seem right? The other two items I left removed and everything seems OK. I can post a new HJT log if you want to see it.

    Cheers

    -----------------------------------------------------

    Hi tragicallyhip thanks for your reply
    F-Secure is a free service provided by my bank's internet service and I always thought it was OK software and easy to use. I didn't realise it was so bad. I bought Norton when I first got a PC but quickly discarded it for being too slow and complicated.
    What would you or anyone else recommend as a good anti virus software.

    You highlighted kontiki and Kservice as being dangerous I knew they were connected to 4OD and BBCiplayer but take a look at this I found some things I didn't know

    http://mou.me.uk/2007/05/09/kserviceexe-channel-4-and-the-stolen-bandwith/
  2. Rage_3K_Moiz

    Rage_3K_Moiz Sith Lord Posts: 7,280   +23

    Yes those entries are related to your ISP. As for an antivirus, for a paid one I recommend NOD32, while Avast and Avira are the best free ones.
  3. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Many thanks Rage for all your help and advice pc running much much better than before
  4. tragicallyhip

    tragicallyhip TechSpot Enthusiast Posts: 106   +9

    I don't have a software firewall at all. I use a hardware firewall called AlphaShield, and I immunize myself from trojans, keyloggers et al. with Spybot S&D and never surf with anything but Firefox 3.0. To prevent other infections I never open junk mail in Outlook, only mail from people I know and sites I trust. Never had a problem. You can unsubscribe from F-Secure with your ip provider, which leaves you without a firewall. My personal choice for an excellent FREE program would be Online Armour, which can be downloaded directly from their site or from Download.com.
    Good luck and keep posting
  5. Rage_3K_Moiz

    Rage_3K_Moiz Sith Lord Posts: 7,280   +23

    hey tragicallyhip, I'm asking you this since you seem to be very knowledgeable about this stuff. I'm planning to create a hardware firewall using my old PC and IP Cop for my home LAN. Do you think I should buy an AlphaShield product instead?

    @wolfblitz, don't thank me mate. It's xxdanielxx who deserves the credit.
  6. tragicallyhip

    tragicallyhip TechSpot Enthusiast Posts: 106   +9

    Creating a hardware firewall from another PC is something I have only heard about and never thought about attempting. In theory it sounds like an effective way to go as a solution. I tend to overthink a problem and over-apply the solution, so I limit myself to the KISS method (Keep It Simple Stupid) and I find I'm much better off for it.
    So my answer to you would be to acquire AlphaShield or surf to yoggie.com and look at another similar device for your security needs.
    good luck and keep posting
  7. xxdanielxx

    xxdanielxx Newcomer, in training Posts: 1,214

    Go to this location and change HijackThis.exe to crusty, then post a fresh log

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  8. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Hi tragicallyhip, thanks for your reply and all your help, much appreciated
    Cheers
    ---------------------------------------------

    Hi xxdanielxx thanks for your reply what did the change do
    here's the log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:48:32, on 11/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\crusty.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 5952 bytes
  9. xxdanielxx

    xxdanielxx Newcomer, in training Posts: 1,214

    I don't see any type of malware. Make sure to update Java, as it is an easy way to get infected if it is not up to date. How is your computer running? Is it still slow?
  10. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Hi xxdanielxx
    Thanks for all your help and advice. I have updated Java as suggested.
    My PC is running much quicker than it was; it's usable again. Startup is incredibly quicker without having to wait for all the progs to load up: 2-3 minutes instead of 15-20.

    Thanks again to you and all who helped with this problem

    wolfblitz
  11. xxdanielxx

    xxdanielxx Newcomer, in training Posts: 1,214

    Can you do one more thing: download Malwarebytes from my sig (it is the one in blue text). Make sure to install and update it, then run a full system scan in safe mode.
     
  12. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Hi xxdanielxx, thanks for your reply

    did what you asked here's the log

    Malwarebytes' Anti-Malware 1.20
    Database version: 944
    Windows 5.1.2600 Service Pack 2

    13:29:52 13/07/2008
    mbam-log-7-13-2008 (13-29-52).txt

    Scan type: Full Scan (A:\|C:\|D:\|E:\|)
    Objects scanned: 117794
    Time elapsed: 1 hour(s), 4 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdmzj.exe -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{1E4D328E-23F6-4240-93F0-A8FCE0113E10}\RP13\A0009177.exe (Rogue.Installer) -> Quarantined and deleted successfully.
  13. xxdanielxx

    xxdanielxx Newcomer, in training Posts: 1,214

    Hey it looks like you had a Rootkit.DNSChanger & Rogue.Installer

    first disable system restore and leave it off for the time being until I ask you to turn it back on now go to the link below and follow the guide then post a link to the new thread along with the 3 logs.

    Combofix
    Hijackthis
    MBAM

    http://www.techspot.com/vb/topic58138.html
  14. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Hi xxdanielxx
    thanks for your reply
    logs posted in two separate posts because of length

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:13:26, on 15/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\crusty.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 6191 bytes

    Malwarebytes' Anti-Malware 1.20
    Database version: 957
    Windows 5.1.2600 Service Pack 2

    06:05:01 16/07/2008
    mbam-log-7-16-2008 (06-04-35).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 85013
    Time elapsed: 38 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdmzj.exe -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  15. xxdanielxx

    xxdanielxx Newcomer, in training Posts: 1,214

    SmitfraudFix

    • Download SmitFraudFix to your desktop
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt (Attach the log to your next reply)

    ComboFix

    • Download ComboFix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  16. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Hi xxdanielxx
    Have run combofix but the log will not post as it is too long

    SmitFraudFix v2.329

    Scan done at 18:15:14.53, 16/07/2008
    Run from C:\Documents and Settings\Geoff\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer=62.24.218.50,62.24.218.51
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B2E9AACE-488D-441C-8A60-95C5BB138019}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer=62.24.218.50,62.24.218.51
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{B2E9AACE-488D-441C-8A60-95C5BB138019}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer=62.24.218.50,62.24.218.51
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{B2E9AACE-488D-441C-8A60-95C5BB138019}: DhcpNameServer=208.67.220.220,208.67.222.222


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
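
Added example, not part of the original thread and not code from any of the tools quoted in it: a Python triage of the three log formats posted above (HijackThis O17 lines, the SmitFraudFix DNS and Winlogon.System sections, and the Malwarebytes registry line). It lists every NameServer/DhcpNameServer address that is not on an analyst-supplied allowlist and any non-empty Winlogon `System` value. The allowlist, the `203.0.113.7` address and the all-zero interface GUID are assumptions constructed for the sample.

```python
import ipaddress
import re

# Assumption: resolvers the analyst accepts for this machine. Here: the pair the
# thread accepts as ISP-related plus the OpenDNS pair from the SmitFraudFix log.
TRUSTED_RESOLVERS = {
    "62.24.218.50", "62.24.218.51",
    "208.67.220.220", "208.67.222.222",
}

# Matches both "O17 - HKLM\System\CCS\...: NameServer = a,b" (HijackThis)
# and "HKLM\SYSTEM\CCS\...: DhcpNameServer=a,b" (SmitFraudFix DNS section).
DNS_RE = re.compile(
    r"HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<where>[^:\r\n]+):\s*"
    r"(?P<name>(?:Dhcp)?NameServer)\s*=\s*(?P<servers>.*)",
    re.IGNORECASE,
)
# Malwarebytes "Registry Data Items Infected" line for the Winlogon System value.
MBAM_RE = re.compile(
    r"\\Winlogon\\System\s+\((?P<label>[^)]+)\)\s*->\s*Data:\s*(?P<data>.*?)\s*->",
    re.IGNORECASE,
)
# .reg-style dump as printed in the SmitFraudFix Winlogon.System section.
REG_HEADER_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"system"\s*=\s*"(?P<data>.*)"$', re.IGNORECASE)


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return a list of finding tuples, in the order they appear in the log."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DNS_RE.search(line)
        if m:
            # Values may be comma- or space-separated.
            for token in filter(None, re.split(r"[,\s]+", m["servers"])):
                try:
                    ip = str(ipaddress.ip_address(token))
                except ValueError:
                    findings.append(("dns-unparsable", m["cs"].upper(), m["name"], token))
                    continue
                if ip not in trusted:
                    findings.append(("dns-untrusted", m["cs"].upper(), m["name"], ip))
            continue
        m = MBAM_RE.search(line)
        if m and m["data"]:
            findings.append(("winlogon-system", "mbam", m["label"], m["data"]))
            continue
        m = REG_HEADER_RE.match(line)
        if m:
            section = m["key"].lower()
            continue
        m = REG_VALUE_RE.match(line)
        # Assumption: an empty value is the baseline, as in the cleaned state
        # shown in the SmitFraudFix log ("system"="").
        if m and section.endswith("\\winlogon") and m["data"]:
            findings.append(("winlogon-system", "reg", "", m["data"]))
    return findings


# Constructed sample: lines in the formats quoted in the thread, plus one
# constructed O17 entry (all-zero GUID, documentation-range address).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B2E9AACE-488D-441C-8A60-95C5BB138019}: DhcpNameServer=208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.7 62.24.218.50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdmzj.exe -> No action taken.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
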
  17. xxdanielxx

    xxdanielxx Newcomer, in training Posts: 1,214

    attach the combofix log
  18. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    The text you have entered is too long please(91135)please shorten it to 10000



    this is the error message I get when I try to post the combofix log
    please advise
  19. Rage_3K_Moiz

    Rage_3K_Moiz Sith Lord Posts: 7,280   +23

    Don't copy-paste it, attach it as a .txt file to your post using the attachments button in Advanced Mode.
  20. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks Rage never thought of that
  21. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

  22. Rage_3K_Moiz

    Rage_3K_Moiz Sith Lord Posts: 7,280   +23

    Yeah, they're both about the same, so either will do ok. Make sure it's the same frequency supported by the board though.
  23. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Hi Rage, thanks for your reply. Take a look at this: am I right in thinking the numbers after DDR are the frequencies the board can use? If not, how can I find out what frequencies the board uses?

    [​IMG]
  24. Rage_3K_Moiz

    Rage_3K_Moiz Sith Lord Posts: 7,280   +23

    Yes, you are right. The board will support that RAM then. Looks like you're good to go. :)
  25. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Hey Rage thanks for your advice much appreciated
    Cheers