Bytes sent more then bytes received, hjt log provided

evenflow_669 · #1 (**permalink**) 01-05-2006, 06:24 AM

Hi,

The bytes sent seem to be at least triple or more than the bytes received. I've run adaware, spybot, my version of VET, and a program called cleansweeper. Adaware and spybot picked up some stuff but it's still running slow. I've also run these in safe mode.
Below is my hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 6:40:28 AM, on 1/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\isafe.exe
C:\WINDOWS\System32\hffsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Andy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - C:\search\search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: XP-Google - {aad080d5-9287-40ed-bdec-2cbed012baaa} - http://groups.google.com/groups?hl=e...blic.windowsxp (file missing)
O9 - Extra 'Tools' menuitem: XP-Google - {aad080d5-9287-40ed-bdec-2cbed012baaa} - http://groups.google.com/groups?hl=e...blic.windowsxp (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110285343099
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E84D7C8D-D1CC-4D57-A333-90F6599433AD}: NameServer = 203.23.237.66 203.23.236.66
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - C:\WINDOWS\system32\licjgeoa.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - c:\program files\isafe.exe
O23 - Service: Hide Files and Folders (HideFilesAndFolders_S) - Unknown owner - C:\WINDOWS\System32\hffsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - c:\program files\VetMsg.exe

This has happened before but I seemed to fix it last time. I also used cwshredder last time. Any help would be greatly appreciated.

Kind Regards,

Andy.

VopThis · #2 (**permalink**) 01-05-2006, 12:58 PM

You are not running HijackThis (HJT) from a desired location. You really need to setup a dedicated folder for HJT items – to avoid horrible clutter and/or potential lost backup issues.

It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.

Create a new folder in your C: Drive.
Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and move the HijackThis.exe file into it.
Run HJT from there (and revise your shortcut accordingly).

Read over the following directions. Ask if anything appears unclear to you.

Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat

We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - C:\WINDOWS\system32\licjgeoa.dll (file missing)

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).

Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:

Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files

Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

C:\WINDOWS\VirtualDNS.dll

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

evenflow_669 · #3 (**permalink**) 02-05-2006, 12:30 PM

Hi vopthis,

Thank you for replying to my thread and helping me.

I did exactly what you said and here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:26:30 PM, on 2/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\isafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\hffsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - C:\search\search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: XP-Google - {aad080d5-9287-40ed-bdec-2cbed012baaa} - http://groups.google.com/groups?hl=e...blic.windowsxp (file missing)
O9 - Extra 'Tools' menuitem: XP-Google - {aad080d5-9287-40ed-bdec-2cbed012baaa} - http://groups.google.com/groups?hl=e...blic.windowsxp (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110285343099
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - c:\program files\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hide Files and Folders (HideFilesAndFolders_S) - Unknown owner - C:\WINDOWS\System32\hffsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - c:\program files\VetMsg.exe

I noticed a few lines have disappeared such as the O6 and the 021 lines but my bytes are still more than my bytes received, thus causing a very slow internet connection. Oh, and C:\WINDOWS\VirtualDNS.dll was not present to delete.

Kind Regards,

Andy.

VopThis · #4 (**permalink**) 02-05-2006, 02:04 PM

Please do an online scan (scan only tool) with Kaspersky WebScanner

[Internet Explorer required]
Go to Kaspersky website: www.kaspersky.com/virusscanner and click on the Kaspersky Online Scanner BUTTON/BOX.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

You might also want to run this scan as an added check:

[Internet Explorer required]
Place a shortcut to Panda ActiveScan on your desktop (FREE Version is mostly a scan only tool) .

Run the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post a Panda log back here, if anything is reported.

evenflow_669 · #5 (**permalink**) 04-05-2006, 02:41 PM

Hi Vopthis,

I ran bother Kaspersky and Panda ActiveScan. Both picked up malicious objects etc. I haven't cleaned anything up yet. Waiting for you to look at the reports which I have attached.

Thanks alot mate,

Andy.

VopThis · #6 (**permalink**) 04-05-2006, 04:40 PM

1) Please download the Killbox.
Unzip it to the desktop and run it.

2) Select "Delete on Reboot".
3) Then Click the "All Files" button.

4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Andy\Desktop\AVICodecPackPlus21.exe
C:\Documents and Settings\Andy\My Documents\Downloads\Programs\BSINSTALL.exe
C:\HJT\ccsetup128.exe
C:\My Documents\burn4free_setup.exe
C:\My Documents\mirc616.exe
C:\Program Files\BearShare\Installer\BSINSTALL.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\anj714og.ini
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\__delete_on_reboot__taskdir.dl l
c:\windows\system32taskdir.exe
c:\windows\uniq
c:\program files\common files\WhenU
c:\program files\TrustIn Bar
C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\mfi492gq.default\coo kies.txt
C:\Documents and Settings\Andy\Cookies\andy@ad.sensismediasmart.com[1].txt
C:\Documents and Settings\Andy\Desktop\AVICodecPackPlus21.exe
C:\Documents and Settings\Linda\Cookies\linda@ad.sensismediasmart.c om[1].txt
C:\Documents and Settings\Linda\Cookies\linda@belnk[1].txt
C:\Documents and Settings\Linda\Cookies\linda@dist.belnk[2].txt
C:\Documents and Settings\Linda\Cookies\linda@go[1].txt
C:\Documents and Settings\Linda\Cookies\linda@www.advnt01[2].txt
C:\Program Files\MyEmoticons\uninstall.exe

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next.

The items sitting in this FOLDER can be removed as a final step later on in the fix process:
C:\System Volume Information\_restore

Meanwhile, please ensure that you have run SpyBot and Ad-Aware as per these READ FIRST Procedures found here:

Read This First - IMPORTANT Instructions

Please re-run Kaspersky and Panda to identify what items may still be remaining, if any. Let us know what remaining issues you may still have.