Malware that Randomly Affects Internet Connection Throughput

By glitterbomb ยท 11 replies
Sep 16, 2010
  1. Hi,

    I have some sort of malware or worm that seems to have a sense of humor. It randomly slows or speeds up my broadband connection. Lately, I get download speeds averaging 6 kbps on a cable broadband connection. This will vary at other times. I have run every malware and antivirus program I can find, and nothing helps. At one point in time I install Google Chrome and it seemed immune to the malware of worm, but this changed in time. It affect FTP and any other type of connection as well. This malware also affects the loading speed of html and similar files that are stored on my hard drive. These files should load immediately, but something is sitting between either messing with dns, packets or something so as to slow things down.

    It is well-hidden and deliberately irritating, almost as if it has a personality of its own.

    Please help me overcome this problem. I have attached the logs requested in the 8 Steps guide.


    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Welcome aboard [​IMG]

    Download SUPERAntiSpyware Free for Home Users:

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here:
    * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):

    • Close browsers before scanning.
      Scan for tracking cookies.
      Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.

    • Click Preferences, then click the Statistics/Logs tab.
      Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.


    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.


    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %PROGRAMFILES%\Common Files\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %USERPROFILE%\Favorites\*.url /x
    %ALLUSERSPROFILE%\*.dat /x
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %systemroot%\pchealth\helpctr\System\*.exe /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  3. glitterbomb

    glitterbomb TS Rookie Topic Starter

    Logs and Thanks!

    I really appreciate your help, Broni. I apologize, but I had to attach (instead of pasting here) the requested logs due to a character limit error. My 396,365 characters wouldn't fit in the space of the 20,000 allowed characters. I guess that says something about my computer usage (or maybe not). Anyway, it looks like I have a faked boot record to fix, two now-defunct trojans, and a horde of deleted cookies. My hosts file is rather long as I customize it to sequester ads and other garbage. If, for some reason, you need the entire file, please let me know. I hope there's not too much to look over here. I tend to be on the extreme end of usage, I think.

    I'm a little ashamed that I haven't beaten this beast. I usually manage to figure them out if the scanners don't fix them. This one is beyond me.

    I will provide anything else you need. Just let me know.

    Again, I am grateful!


    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    What is drive T?
  5. glitterbomb

    glitterbomb TS Rookie Topic Starter

    Drive T

    It's an external USB drive (two drives spanned to be exact).. It has nothing on it that isn't on another drive on the machine (at least nothing deliberately placed on the drive). All the files are copies for the purposes of backing up, and it is powered off much of the time.
  6. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Update your Java version here:

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
      O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files (x86)\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
      O4:[b]64bit:[/b] - HKLM..\Run: [COMODO Firewall Pro] C:\Program Files\Comodo\Firewall\cfp.exe File not found
      O4:[b]64bit:[/b] - HKLM..\Run: [DeltTray] C:\Windows\SysWOW64\DeltTray.exe File not found
      O4 - HKCU..\Run: [AdobeBridge]  File not found
      O4 - HKCU..\Run: [doubleTwist] C:\Program Files (x86)\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe File not found
      O4 - HKCU..\Run: [sdasetup] C:\Users\shan\Desktop\sdasetup.exe File not found
      O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
      O9 - Extra Button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll File not found
      O9 - Extra 'Tools' menuitem : Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll File not found
      O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
      O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
      O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (Reg Error: Value error.)
      O18:[b]64bit:[/b] - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O28 - HKLM ShellExecuteHooks: {16664848-0E00-11D2-8059-000000000000} - Reg Error: Key error. File not found
      O33 - MountPoints2\{1c16c912-3a25-11df-80d6-0009dd100a8d}\Shell\AutoRun\command - "" = p3vwxx.exe
      O33 - MountPoints2\{1c16c912-3a25-11df-80d6-0009dd100a8d}\Shell\open\Command - "" = p3vwxx.exe
      [2010/09/14 06:18:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\STOPzilla!
      [2010/09/14 06:18:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\iS3
      [2010/09/14 06:18:06 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
      [2008/11/22 01:21:06 | 000,262,144 | ---- | C] ( -- C:\Program Files (x86)\Uninstall Ask Toolbar.dll
      [2 C:\Users\shan\AppData\Roaming\*.tmp files -> C:\Users\shan\AppData\Roaming\*.tmp -> ]
      @Alternate Data Stream - 4 bytes -> C:\Windows\win.ini:s1
      @Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      @Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:C8B8CEBD
      C:\Program Files (x86)\STOPzilla!
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  7. glitterbomb

    glitterbomb TS Rookie Topic Starter

    After running OTL as per your instructions, my Internet connectivity is no longer. When I view the status, everything looks fine. I'm getting a valid IP address from DHCP, the DNS info is correct. There's no indication whatsoever that there's a problem with the connection. But, when I open a browser and request a URL, I get the browser's error page.

    So, it appears as though we've located the issue, so to speak, but by eradicating it we may have taken out my ability to make external requests.

    I also had issues with the loading of the updated Java. I receive an error right after the downloading of the update completes. I can send you the exact error info, if you need that.

    Should I go ahead and run the temp cleaner?
  8. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Hold on there....
    Let's see, if you do have connection, or not....

    1. Click Start>Run (Start>"Start search" in Vista).

    2. Type in (or copy and paste):

    cmd /c ping>%temp%\$.$&notepad %temp%\$.$

    and press Enter.

    3. Notepad will open.

    4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.
  9. glitterbomb

    glitterbomb TS Rookie Topic Starter

    Ping Reply

    Here is the ping reply you requested:

    Pinging [] with 32 bytes of data:
    Reply from bytes=32 time=49ms TTL=50
    Reply from bytes=32 time=62ms TTL=50
    Reply from bytes=32 time=47ms TTL=50
    Reply from bytes=32 time=47ms TTL=50

    Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 47ms, Maximum = 62ms, Average = 51ms

    It might also be worth mentioning that when I try to execute Putty, it get an error stating that it couldn't initilise winsock. So, I attempted to reset winsock, and that did nothing to get my programs connected again. I think that there may be a problem with the LSPs being removed with the winsock reset.
  10. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Your connection is perfectly fine.

    What browser?
    Did you try different browser?
  11. glitterbomb

    glitterbomb TS Rookie Topic Starter


    I did try several browsers, and none of them would connect.
    It wasn't until I ran LSPfix that I could connect through a browser.
    However, my problem is not solved unfortunately, as the same issues are still present after getting my connection back.
  12. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Can you give me some more details?
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...