Internet sending far more packets than receiving

Status
Not open for further replies.

tlwash123

Hi, for about the past month my laptop's internet has been going very very slow. I checked the connection status and after being connected to the internet for 2 minutes I have sent 208,000 packets and only received 2,000. It has been taking me from 2-10 minutes to load one page. I did the 8 step process thing and I am only able to actually use the internet when I'm in safe mode with networking.

If anyone could help me plz and thx



Attachments: 46628, 46629, hijackthis.log
 
I would guess that it's the Vundo kids calling home! And their cousins are around also. You have a lot of malware on that system. Rather than remove the HijackThis entries now, Please do the following:

Please download VundoFix.exe HERE and save it to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the ‘Fix Vundo’ button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download SDFix HERE and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here

When finished, rescan with HijackThis and post log and reports from Vundo Fix and SDFix.
 
hijackthis SDFix.txt is the HiJackThis log.

SDFix.txt is SDFix log.

hijackthis Vundo.txt is another HJ...where is the Vundo report?
 
Safe mode with network support
Run it again in Normal Mode! You are full of Vundo and a few other things!

O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\winlogqn.exe
O4 - HKCU\..\Run: [nhqsinkg38i5ag] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\cb2ehoceq2r.exe
O4 - HKCU\..\Run: [s8x2lbm9eg0d44v0unu3dog85pi0yh2at20m2ewn] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\gaji8f1xwre.exe
O4 - HKCU\..\Run: [vk9y0uyaqm6lrj9wsewah3zktyg6bnaibgqd] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\a5gzgb6gq.exe
O4 - HKCU\..\Run: [ormm54ctu5oy14qm3siou9gujrlq6shq0rg86327hkw4e] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\nojmi3agib.exe
O4 - HKCU\..\Run: [pmln6enrwbvo1296bzuab] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\qslksmwb0wm.exe
O4 - HKCU\..\Run: [v3vao1yp04z2847cxemmfige6] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\oizb5p8t.exe
O4 - HKCU\..\Run: [i9vv8twvchjmy] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\yyq3lh74psbtx.exe
O4 - HKCU\..\Run: [w8xwj7iwr7mdmbmgjtld0dny1e6mm29oyqiq] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\zcguejv.exe
O4 - HKCU\..\Run: [doiu9qdcdj5norin] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\v891u1.exe
O4 - HKCU\..\Run: [kxcvuk0wh18h] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\wmi9nmhy.exe
O4 - HKCU\..\Run: [gpahrwe7mkl62113jetri7oiqlejp0q1lx] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\vacp889k.exe
O4 - HKCU\..\Run: [tyhozz38iihcmz9ymjnhm5j] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\xf7e9ahg79n.exe
O4 - HKCU\..\Run: [z1bw1841lrd44qoe7urqk13ujimc6nx87] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\e80kmlc0wkgsc.exe
O4 - HKCU\..\Run: [ipzj428bwkugrfipmhd70] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\ukq99w.exe
O4 - HKCU\..\Run: [lvsotpcmu3dki5lwv65apfkgslc8i11fti7h7qn3z7p8] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\xw8wgv.exe
O4 - HKCU\..\Run: [r7roy5o8cbz1gj0qaessxm9ekq47t2k1q6p8n9cz18s21s] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\nry43n1.exe
O4 - HKCU\..\Run: [c66mhqg2veph3fxbvr8c7saqxqo0p2okg] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\xq0h1bik.exe
O4 - HKCU\..\Run: [nugb5z7sn9w86wzsxohv4gs6acwh1mm] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\xqpyss.exe
O4 - HKCU\..\Run: [uo1k6idtrufutw7hxwsafxktoycr7h5a7] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\ax385z3o.exe
O4 - HKCU\..\Run: [dd4lsumgt7m3subvz1jm7pptohm6zz] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\tyl4d4bs.exe
O4 - HKCU\..\Run: [f5jhda7fg7rewq] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\j8ega1jho8f2.exe
O4 - HKCU\..\Run: [mpq3k7etoslw5s5jfuusrpqrlb2d0va87ugu30tb187m7tz] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\vadu9cqk.exe
O4 - HKCU\..\Run: [jy3dekj0t0vk7lfcq1j3uu7gel] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\um7fk9102jok.exe
O4 - HKCU\..\Run: [cty0ofulcxcbd3m8x9ku6sj27qfeodwlumsehayi] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\smnawa6.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [kesimodupe] Rundll32.exe "C:\WINDOWS\system32\semasowa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kesimodupe] Rundll32.exe "C:\WINDOWS\system32\semasowa.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\WINDOWS\TEMP\winlogqn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\WINDOWS\TEMP\winlogqn.exe (User 'Default user')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\duweweba.dll kjojmc.dll c:\windows\system32\huhevita.dll peschz.dll c:\windows\system32\tamuyiko.dll c:\windows\system32\biboyudi.dll jtsfvm.dll c:\windows\system32\jaritumo.dll
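A way to triage entries like the ones listed above mechanically, as an added example that is not code from this thread or from HijackThis: a small Python script that parses O4 (Run key) and O20 (AppInit_DLLs) lines and flags the patterns the helper is pointing at: autostart targets sitting in a Temp directory, Run values under the service-account hives (S-1-5-18/19/20), machine-generated-looking value names, rundll32 loaders, and AppInit_DLLs outside the Program Files tree. The sample log is constructed from a few lines quoted in the thread plus one benign Run entry invented for contrast (SynTPEnh); the "looks random" heuristic and the vendor-path rule are assumptions made here, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of O4/O20 lines quoted in the thread plus one
# benign Run entry (SynTPEnh, invented here) so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\winlogqn.exe
O4 - HKCU\..\Run: [nhqsinkg38i5ag] C:\DOCUME~1\Vanessa\LOCALS~1\Temp\cb2ehoceq2r.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKUS\S-1-5-19\..\Run: [kesimodupe] Rundll32.exe "C:\WINDOWS\system32\semasowa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\WINDOWS\TEMP\winlogqn.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\duweweba.dll kjojmc.dll
"""

# HijackThis O4 line: "O4 - <hive>: [<value name>] <command> (User '<account>')"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Well-known SIDs of the built-in service accounts; none of them logs on interactively.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# Assumption: vendor DLLs in AppInit_DLLs live under Program Files (8.3 or long form).
VENDOR_PREFIXES = ("C:\\PROGRA~1\\", "C:\\PROGRAM FILES\\")


@dataclass
class Finding:
    line: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    # Heuristic (assumption): long, all-lowercase alphanumeric value names with no
    # capitals, spaces or punctuation rarely come from a human or a vendor installer.
    return len(name) >= 10 and name.isalnum() and name.islower()


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    m = O4_LINE.match(line)
    if m:
        hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        reasons = []
        if TEMP_DIR.search(cmd):
            reasons.append("autostart target lives in a Temp directory")
        sid = hive.split("\\")[1] if hive.startswith("HKUS\\") else ""
        if sid in SERVICE_SIDS:
            reasons.append(f"Run value under the {SERVICE_SIDS[sid]} hive ({sid}), "
                           "an account with no interactive logon")
        if looks_random(name):
            reasons.append("machine-generated-looking value name")
        if "rundll32" in cmd.lower():
            reasons.append("loads a DLL through rundll32")
        if not reasons:
            return None
        return Finding(line, "high" if len(reasons) >= 2 else "medium", reasons)
    m = O20_LINE.match(line)
    if m:
        # Split on whitespace: safe for the 8.3 short names used in this log,
        # but a long path containing spaces would need quoting first.
        dlls = list(dict.fromkeys(m.group("dlls").split()))
        odd = [d for d in dlls if not d.upper().startswith(VENDOR_PREFIXES)]
        if not odd:
            return None
        return Finding(line, "high", [
            "AppInit_DLLs is loaded into every process that uses user32.dll; "
            f"entries outside the vendor tree: {', '.join(odd)}"])
    return None


def triage_log(text: str) -> List[Finding]:
    """Return one Finding per suspicious O4/O20 line, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample it reports five high-severity lines and passes over the two legitimate Run entries; on a real log, treat "medium" hits as items to look up, not to delete, since a single heuristic like a lowercase name also matches some legitimate software.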
 
Please download ATF Cleaner by Atribune HERE & save it to your desktop.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* Click Exit on the Main menu to close the program.

Using Safe Mode:
Right click on Start> Explore> Windows System 32 on the right screen, find and right click> delete any of the following if found:
semasowa.dll
duweweba.dll
kjojmc.dll
huhevita.dll
peschz.dll
tamuyiko.dll
biboyudi.dll
jtsfvm.dll
jaritumo.dll

Now see if you can boot into Normal Mode.
UPDATE and scan with Malwarebytes again, in Normal Mode, follow with new scan using HijackThis.

Please attach both logs.
 
Mbam shows No Action Taken: this means that the malware was found and nothing was done. You need to do this when running it:
* Make sure that everything is checked, and click Remove Selected.

Since there was no progress, let's do this:
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

[Images: CF_download_FF.gif, CF_download_rename.gif]

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
 
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.
Boot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK ALL of the Symantec processes (looks like about 4)> Apply> OK

While still in Safe Mode:
Start> Run> services.msc> double-click on each of the following and change their Startup type to Disabled:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

When finished reboot into Normal Mode. Ignore the nag message and close after checking 'don't show message again.' Stay in Selective Startup.

With your internet connection disabled, run Combofix again and post new report.

You have many unnecessary processes starting on boot. Those will run in the background. Some will be contacting the internet, looking for 'updates'. For instance:
Zune, QuickTime, Real Player, DVD Launcher, HP Updater, ITunes Helper>> NONE need to start on boot.

The following processes set on Global Startup will start when ANY user logs on. NONE need to be on Startup. NONE should be on Global Startup.
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

Once we remove the malware, you are still going to see more packets transmitting: every update you see running is going to call home.

You also have processes running for GoToAssist Express Customer. But you are here on TechSpot asking for help. So why start this program on boot and run it in the background? One day, if you need to use it, you can start it manually.
 
The AV was still on. Running a program here and there over a 6 week period isn't going to be effective.

Please describe exactly what problems you are having now.

It would be in your best interest to run the 3 preliminary cleaning steps again. UPDATE and scan with Malwarebytes. UPDATE and scan with SUPERAntiSpyware. Follow with a new HijackThis scan. Attach all three logs.

Are you still using Symantec security? Please run a full system scan with it. If ANY malware is found, include that log in your next reply.

I am having you start this process over. 6 weeks is too long to try and use the logs.
 