
Internet Connection Problem. Possibly caused by malware? [RESOLVED]



#16
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you tell SUPERAntiSpyware to remove all the entries it found?

That's not normal. Restart the computer again and make sure it's not taking that long this time.

You can run the spyware scan again to see if it finds anything. I see something suspicious from the SUPERAntiSpyware scan though.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.
  • 0



#17
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
Did you tell SUPERAntiSpyware to remove all the entries it found?

Yes, I did.

That's not normal. Restart the computer again and make sure it's not taking that long this time.

It actually occurs sometimes. But usually only if I've done something that required me to reboot the system.

You can run the spyware scan again to see if it finds anything. I see something suspicious from the SUPERAntiSpyware scan though.

:) What is it? Should I run both? Or just my original? Should I do this before running SmitfraudFix?

EDIT: SUPERAntiSpyware didn't find any "threats" this time. Now running my original Anti-Spyware.

Edited by AccidentalClick, 19 July 2008 - 09:35 PM.

  • 0

#18
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Just run the original scanner that caught it initially. You may run it first and then run SmitfraudFix, which I hope will detect something if there is anything else remaining.
  • 0

#19
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
Hm... The original still seems to detect Grokster. Perhaps I should uninstall my current P2P program and see if it helps?

In any case, I'll run SmitfraudFix now.
  • 0

#20
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
Er... Problem.

At first, it says "Access is denied". But then, one of those "Windows needs your permission to continue" messages appears. I press continue and it works. I press 1 and enter. However, I get more Access is denied messages and then it closes, with nothing happening.

Running it as Administrator doesn't work, as it states a process.exe file is missing. (I can find a Process.exe one)


EDIT: Upon reading up on Grokster again...

"Grokster can severely degrade network performance and consume vast amounts of storage."

Could this mean it could actually cause connection problems and internet speed? Because even with my new modem, my internet connection has cut off twice without notice.

Edited by AccidentalClick, 19 July 2008 - 10:48 PM.

  • 0

#21
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Get rid of all your file sharing programs. We don't recommend using them as they can contribute to malware infection and other problems. See if that will remove Grokster after you run another scan.

For SmitfraudFix, try running it in Safe Mode.
  • 0

#22
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
OK, I've uninstalled a few programs (my P2P program is one of them), and I'm re-running my scan. It's odd though. Why does one identify it as spyware, yet the other doesn't?

As for SmitfraudFix, how do I run it in Safe Mode?
  • 0

#23
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Not all programs were created with the same detections. One may detect it as spyware, while another may not.

Disregard SmitfraudFix for now. Let's use another tool instead.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Restart your computer and boot into Safe Mode. If you don't know how, go to http://www.bleepingc...tutorial61.html

Run the smitRem.exe tool you downloaded earlier. There should be a folder called smitrem created on your desktop. Open it and double-click on the RunThis.bat file. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Post that log in your next reply.
  • 0

#24
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
OK, should I delete SmitfraudFix for now?

Here's the report from my Anti-Spyware. Grokster's still there, and it thinks some of SmitfraudFix is spyware.

Grokster Registry hkey_classes_root \magnet Quarantine
ProcKill Application C:\Users\Game Master\AppData\Local\Mozilla\Firefox\Profiles\4ptvsmxv.default\Cache\633285D9d01|SmitfraudFix\Process.exe Quarantine
ProcKill Application C:\Users\Game Master\Desktop\SmitfraudFix\Process.exe Quarantine
ProcKill Application C:\Users\Game Master\Documents\SmitfraudFix.zip|SmitfraudFix\Process.exe Quarantine

Just wondering, what does hkey_classes_root \magnet mean anyways?

Downloading smitRem now.

Also, what are ehtray.exe and ehmsas.exe?

Edited by AccidentalClick, 20 July 2008 - 02:20 PM.

  • 0

#25
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
smitRem © log file
version 3.2

by noahdfear


Microsoft Windows [Version 6.0.6001]
"IE"="7.0000"
The current date is: 20/07/2008
The current time is: 16:38:02.74

Running from
C:\Users\Game Master\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001
"IconServiceLib"="IconCodecService.dll"
"DdeSendTimeout"=dword:00000000
"DesktopHeapLogging"=dword:00000001
"GDIProcessHandleQuota"=dword:00002710
"ShutdownWarningDialogTimeout"=dword:ffffffff
"USERPostMessageLimit"=dword:00002710
"USERProcessHandleQuota"=dword:00002710
@="mnmsrvc"
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"TransmissionRetryTimeout"="90"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1188 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :)
  • 0
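An added example, not part of the original thread and not smitRem's own code: a small parser for the registry sections a log like the one above contains, flagging SharedTaskScheduler entries whose InProcServer32 DLL lies outside %SystemRoot%\system32 and any non-empty AppInit_DLLs value. The function names, the second CLSID in the sample and the "outside system32" rule are assumptions made for illustration; a flagged line is a prompt for manual review, not a verdict.

```python
import re

# Constructed sample in the same pseudo-.reg layout as the smitRem log above;
# the second CLSID and its DLL path are made up for illustration.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{11111111-2222-3333-4444-555555555555}"="constructed example entry"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\Users\Public\example.dll"
[Windows]
"AppInit_DLLs"=""
'''

SECTION = re.compile(r'^\[(.+)\]$')          # [key path]
VALUE = re.compile(r'^(@|"[^"]*")=(.*)$')    # "name"=data or @=data
CLSID_ROOT = r'hkey_local_machine\software\classes\clsid'

def parse_sections(text):
    """Return {section name: {value name: data}} for .reg-style text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:   # ignore values outside any section
            current[m.group(1).strip('"')] = m.group(2).strip('"')
    return sections

def triage(text):
    """List entries that deserve a manual look; an empty list means none flagged."""
    sections, findings = parse_sections(text), []
    lower = {name.lower(): values for name, values in sections.items()}
    for name, values in sections.items():
        if name.lower().endswith(r'\explorer\sharedtaskscheduler'):
            for clsid in values:
                key = '\\'.join([CLSID_ROOT, clsid.lower(), 'inprocserver32'])
                dll = lower.get(key, {}).get('@', '<no InProcServer32 in log>')
                # Heuristic (assumption): shell components normally load from system32.
                if not dll.lower().startswith(r'%systemroot%\system32' + '\\'):
                    findings.append(f'SharedTaskScheduler {clsid} -> {dll}')
        if values.get('AppInit_DLLs'):
            findings.append(f"AppInit_DLLs loads: {values['AppInit_DLLs']}")
    return findings
```

Run over the registry sections actually posted in the log above, `triage` returns an empty list, which matches the tool's own "CLEAN!" result.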



#26
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, you may remove SmitfraudFix.

Can you manually go into the registry and verify if that entry exists?
hkey_classes_root\magnet

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Go to hkey_classes_root and delete magnet.

That entry is a piece of malware installed by Limewire.
  • 0

#27
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
Limewire? Never used that before...

Anyways, I see ".magnet" and "Magnet". Which one should be deleted?

And one thing bothers me... After running smitRem, I keep on getting this message telling me to press Control + Alt + Delete in order to log in. Know why this happens and how to prevent it?
  • 0

#28
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Are they both directly under hkey_classes_root? Remove both of them.

For magnet (without the period in front), right click on it and choose export. Save it on your desktop and then attach that file here. Do the same thing for the .magnet.
  • 0

#29
AccidentalClick

    Member

  • Topic Starter
  • Member
  • 132 posts
OK, then.

Firstly, can I delete/uninstall smitRem and SUPERAntiSpyware?

Secondly, should I delete all quarantined items (including Grokster)?

Thirdly, what can cause a connection to be cut suddenly? My ISP says the problem isn't the wall jack or phone line, and was most likely caused by the modem. However, with my new modem, it still cuts off.

Um... A problem though. Exporting them has them saved as ".reg" files, and they can't be attached or uploaded here.
  • 0

#30
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You may remove smitRem....it's ok to keep SUPERAntiSpyware as it can be used as your spyware scanner.

Yes, delete all the quarantined items.

The internet connection issue can be malware or hardware related. Since they replaced the modem and it's still having problems, we will see if we can find something wrong in Windows. Do you use a router also? If so, can you try connecting directly to the modem to see if it still disconnects?

For the .reg files, rename them to .txt and you should be able to upload them here. Otherwise, right click on them and choose Edit. Copy and paste the contents of those files here.

OK, for the internet, if you want, try running the below to see if it fixes the issue:

Download WinsockFix at http://www.greyknigh.../WinsockFix.zip and unzip it. Then double-click on WinsockFix.exe to run it. Click on the Fix button. Keep in mind that this will reset your internet connection settings. If there was any manual configuration you needed to make in Windows, you might need to redo them again. Otherwise, it should just reset the settings back to the default.
  • 0





