Inactive Malware that Randomly Affects Internet Connection Throughput

Status
Not open for further replies.

glitterbomb

Posts: 6   +0
Hi,

I have some sort of malware or worm that seems to have a sense of humor. It randomly slows or speeds up my broadband connection. Lately, I get download speeds averaging 6 kbps on a cable broadband connection. This will vary at other times. I have run every malware and antivirus program I can find, and nothing helps. At one point in time I installed Google Chrome and it seemed immune to the malware or worm, but this changed in time. It affects FTP and any other type of connection as well. This malware also affects the loading speed of html and similar files that are stored on my hard drive. These files should load immediately, but something is sitting between either messing with dns, packets or something so as to slow things down.

It is well-hidden and deliberately irritating, almost as if it has a personality of its own.

Please help me overcome this problem. I have attached the logs requested in the 8 Steps guide.

Thanks!!!
 

Attachments

  • DDS.txt
    26.9 KB · Views: 4
  • Attach.txt
    10.2 KB · Views: 0
  • mbam-log-2010-09-16 (06-30-57).txt
    1.1 KB · Views: 3
Welcome aboard


Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.

  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

=======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=======================================================================

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Logs and Thanks!

I really appreciate your help, Broni. I apologize, but I had to attach (instead of pasting here) the requested logs due to a character limit error. My 396,365 characters wouldn't fit in the space of the 20,000 allowed characters. I guess that says something about my computer usage (or maybe not). Anyway, it looks like I have a faked boot record to fix, two now-defunct trojans, and a horde of deleted cookies. My hosts file is rather long as I customize it to sequester ads and other garbage. If, for some reason, you need the entire file, please let me know. I hope there's not too much to look over here. I tend to be on the extreme end of usage, I think.

I'm a little ashamed that I haven't beaten this beast. I usually manage to figure them out if the scanners don't fix them. This one is beyond me.

I will provide anything else you need. Just let me know.

Again, I am grateful!

-Eric
 

Attachments

  • MBRCheck_09.17.10_19.03.54.txt
    14.3 KB · Views: 2
  • SUPERAntiSpyware Scan Log - 09-17-2010 - 09-20-26.log
    199.9 KB · Views: 2
  • OTL.Txt
    196.3 KB · Views: 1
  • Extras.Txt
    95.6 KB · Views: 1
Drive T

It's an external USB drive (two drives spanned to be exact). It has nothing on it that isn't on another drive on the machine (at least nothing deliberately placed on the drive). All the files are copies for the purposes of backing up, and it is powered off much of the time.
 
Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files (x86)\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
    O4:64bit: - HKLM..\Run: [COMODO Firewall Pro] C:\Program Files\Comodo\Firewall\cfp.exe File not found
    O4:64bit: - HKLM..\Run: [DeltTray] C:\Windows\SysWOW64\DeltTray.exe File not found
    O4 - HKCU..\Run: [AdobeBridge]  File not found
    O4 - HKCU..\Run: [doubleTwist] C:\Program Files (x86)\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe File not found
    O4 - HKCU..\Run: [sdasetup] C:\Users\shan\Desktop\sdasetup.exe File not found
    O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O9 - Extra Button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll File not found
    O9 - Extra 'Tools' menuitem : Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll File not found
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O28 - HKLM ShellExecuteHooks: {16664848-0E00-11D2-8059-000000000000} - Reg Error: Key error. File not found
    O33 - MountPoints2\{1c16c912-3a25-11df-80d6-0009dd100a8d}\Shell\AutoRun\command - "" = p3vwxx.exe
    O33 - MountPoints2\{1c16c912-3a25-11df-80d6-0009dd100a8d}\Shell\open\Command - "" = p3vwxx.exe
    [2010/09/14 06:18:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\STOPzilla!
    [2010/09/14 06:18:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\iS3
    [2010/09/14 06:18:06 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
    [2008/11/22 01:21:06 | 000,262,144 | ---- | C] (Ask.com) -- C:\Program Files (x86)\Uninstall Ask Toolbar.dll
    [2 C:\Users\shan\AppData\Roaming\*.tmp files -> C:\Users\shan\AppData\Roaming\*.tmp -> ]
    @Alternate Data Stream - 4 bytes -> C:\Windows\win.ini:s1
    @Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:C8B8CEBD
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files (x86)\STOPzilla!
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=======================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
After running OTL as per your instructions, my Internet connectivity is no longer working. When I view the status, everything looks fine. I'm getting a valid IP address from DHCP, the DNS info is correct. There's no indication whatsoever that there's a problem with the connection. But, when I open a browser and request a URL, I get the browser's error page.

So, it appears as though we've located the issue, so to speak, but by eradicating it we may have taken out my ability to make external requests.

I also had issues with the loading of the updated Java. I receive an error right after the downloading of the update completes. I can send you the exact error info, if you need that.

Should I go ahead and run the temp cleaner?
 
Hold on there....
Let's see, if you do have connection, or not....

1. Click Start>Run (Start>"Start search" in Vista).

2. Type in (or copy and paste):

cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

and press Enter.

3. Notepad will open.

4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.
 
Ping Reply

Here is the ping reply you requested:

Pinging google.com [74.125.95.147] with 32 bytes of data:
Reply from 74.125.95.147: bytes=32 time=49ms TTL=50
Reply from 74.125.95.147: bytes=32 time=62ms TTL=50
Reply from 74.125.95.147: bytes=32 time=47ms TTL=50
Reply from 74.125.95.147: bytes=32 time=47ms TTL=50

Ping statistics for 74.125.95.147:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 62ms, Average = 51ms

It might also be worth mentioning that when I try to execute PuTTY, I get an error stating that it couldn't initialise winsock. So, I attempted to reset winsock, and that did nothing to get my programs connected again. I think that there may be a problem with the LSPs being removed with the winsock reset.
 
Your connection is perfectly fine.

when I open a browser and request a URL, I get the browser's error page
What browser?
Did you try different browser?
 
Connection

I did try several browsers, and none of them would connect.
It wasn't until I ran LSPfix that I could connect through a browser.
However, my problem is not solved unfortunately, as the same issues are still present after getting my connection back.
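Two of the registry locations this thread touches, worked through as an added example (not from the thread, and not OTL's or LSPfix's code): the Winsock NameSpace_Catalog5 entries behind the O10 fix lines and the later "couldn't initialise winsock" error, and the MountPoints2 keys behind the O33 lines. It assumes input in the shape of `reg query <key> /s` output. Both samples are constructed: the first GUID and p3vwxx.exe are the thread's own O33 values and the Bonjour path is the thread's O10 value, while the {deadbeef-...} volume, the 0x3 entry count and the SAMPLE_ENV / PRESENT_DLLS stand-ins are made up so the script runs offline without a Windows registry. Python:

```python
"""Two registry checks behind the thread above (added example, not the thread's own code).
Input is text in the shape of `reg query <key> /s` output: name / type / data separated by
runs of spaces or a tab, as Windows prints it. Samples are constructed so this runs offline."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 /s`.
# Entry 000000000008 mirrors the O10 line in the thread (Bonjour's mdnsNSP.dll, file gone).
# Num_Catalog_Entries=0x3 with only two entries present simulates a catalog left inconsistent
# after one subkey was deleted by hand (the value is made up for the example).
SAMPLE_NSP_CATALOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
    Num_Catalog_Entries    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
    LibraryPath    REG_EXPAND_SZ    %SystemRoot%\System32\mswsock.dll
    DisplayString    REG_SZ    Tcpip
    Enabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008
    LibraryPath    REG_EXPAND_SZ    C:\Program Files (x86)\Bonjour\mdnsNSP.dll
    DisplayString    REG_SZ    Bonjour
    Enabled    REG_DWORD    0x1
"""

# Constructed `reg query HKCU\...\Explorer\MountPoints2 /s`, reduced to the command keys.
# The first GUID and p3vwxx.exe are the O33 lines from the thread; the {deadbeef-...} volume
# is made up to show a command that is not a bare executable name.
SAMPLE_MOUNTPOINTS = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1c16c912-3a25-11df-80d6-0009dd100a8d}\Shell\AutoRun\command
    (Default)    REG_SZ    p3vwxx.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1c16c912-3a25-11df-80d6-0009dd100a8d}\Shell\open\Command
    (Default)    REG_SZ    p3vwxx.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deadbeef-0000-0000-0000-000000000000}\Shell\AutoRun\command
    (Default)    REG_SZ    %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Setup.exe
"""

SAMPLE_ENV = {"systemroot": r"C:\Windows"}            # stands in for the machine's environment
PRESENT_DLLS = {r"c:\windows\system32\mswsock.dll"}   # stands in for os.path.exists() on that machine

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*?)\s*$")
VALUE_RE = re.compile(r"^\s+(.+?)(?:\s{2,}|\t)(REG_[A-Z_]+)(?:\s{2,}|\t)(.*?)\s*$")
AUTORUN_KEY_RE = re.compile(r"\\MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\(?:AutoRun\\command|open\\Command)$", re.I)


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map key path -> {value name: (REG_type, raw data)} from `reg query /s` text."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, rtype, data = value.groups()
            keys[current][name] = (rtype, data)
    return keys


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% as Windows does for REG_EXPAND_SZ data (names are case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def audit_namespace_catalog(reg_text: str, env: Dict[str, str],
                            exists: Callable[[str], bool]) -> dict:
    """Report NameSpace_Catalog5 entries whose provider DLL is missing, and compare the number
    of Catalog_Entries subkeys with Num_Catalog_Entries. Both are the kind of catalog damage
    that `netsh winsock reset` (or LSPfix) repairs by rebuilding the catalog."""
    keys = parse_reg_query(reg_text)
    entries = {k: v for k, v in keys.items() if "\\Catalog_Entries\\" in k}
    dangling: List[Tuple[str, str, str]] = []
    for key, values in sorted(entries.items()):
        if "LibraryPath" not in values:
            continue
        dll = expand_env(values["LibraryPath"][1], env)
        if not exists(dll):
            dangling.append((key.rsplit("\\", 1)[1], values.get("DisplayString", ("", "?"))[1], dll))
    declared = None
    for key, values in keys.items():
        if key.endswith("\\NameSpace_Catalog5") and "Num_Catalog_Entries" in values:
            declared = int(values["Num_Catalog_Entries"][1], 16)   # reg query prints DWORDs as hex
    return {"dangling": dangling, "declared": declared, "actual": len(entries)}


def mountpoints_autorun_commands(reg_text: str) -> List[Tuple[str, str, bool]]:
    """(volume GUID, command, is_bare_exe) for every cached autorun command under MountPoints2.
    Explorer caches a removable drive's autorun.inf here, so the entries outlive the drive; a
    command that is just an .exe name to be found on the drive root is the usual USB-worm footprint."""
    hits = []
    for key, values in parse_reg_query(reg_text).items():
        m = AUTORUN_KEY_RE.search(key)
        if not m:
            continue
        cmd = values.get("(Default)", ("", ""))[1]
        bare = "\\" not in cmd and "/" not in cmd and cmd.lower().endswith(".exe")
        hits.append((m.group(1), cmd, bare))
    return hits


if __name__ == "__main__":
    report = audit_namespace_catalog(SAMPLE_NSP_CATALOG, SAMPLE_ENV, lambda p: p.lower() in PRESENT_DLLS)
    for entry, name, dll in report["dangling"]:
        print(f"dangling NSP entry {entry} ({name}): {dll}")
    if report["declared"] != report["actual"]:
        print(f"Num_Catalog_Entries says {report['declared']}, found {report['actual']}")
    for guid, cmd, bare in mountpoints_autorun_commands(SAMPLE_MOUNTPOINTS):
        print(f"{'SUSPICIOUS' if bare else 'review'} {guid} -> {cmd}")
```

On a real machine, feed it the actual `reg query ... /s` output and swap the PRESENT_DLLS lambda for os.path.exists. The O10 and O10:64bit lines in the fix above show that the 32-bit and 64-bit provider catalogs are registered separately on x64 Windows, so audit both views, and note that a clean MountPoints2 entry only says the cached command looks sane, not that the drive it came from is.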
 