[riz92]

Hi Jimmy2012,

This is the log from the notepad OTMoveIT3:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\kybrd_1.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Arj.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Avp1.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\AvpMgr.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\CAB.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FSSync.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FsDrvPlg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HCCMP.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HashCont.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HashMD5.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\IWGen.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Inflate.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\L_llio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\MDMAP.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\MKavIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\MailMsg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\MemModSc.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\MemScan.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\NTFSstrm.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\PrUtil.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Quantum.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\ScanningProcess.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\TempFile.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\UnLZX.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\UnStored.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\UniArc.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\WDiskIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\avlib.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\btimages.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\dmap.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\dtreg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\iChkSA.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\ichk2.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kave.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\lha.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\mdb.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\minizip.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\msoe.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\nfio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prKernel.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prLoader.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prseqio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\rar.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\sfdb.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\thpimpl.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kosglue-7.0.25.0.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF9AD7.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\fla279.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_d04.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_n97eipGOWC2woaD0fD6O scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_398.dat scheduled to be deleted on reboot.
Windows Temp folder emptied

At the moment I am monitoring the performance of my computer. Will let you know tomorrow the outcome.

Appreciate your help.
Thank You

[Advertisements]

Hello riz92,

At the moment I am monitoring the performance of my computer. Will let you know tomorrow the outcome.

Ok

[Jimmy2012]

Hello riz92,

At the moment I am monitoring the performance of my computer. Will let you know tomorrow the outcome.

Ok

[riz92]

Hi Jimmy2012,

So far after one day of monitoring my computer I do not see the problem. My computer now is running smoothly.
Thank your for your help with all the instructions given through out the troubleshooting process.

[riz92]

Spoke too soon. Internet connection slowing down considerably after noon. This is latest netstat log report
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP sri:epmap sri:0 LISTENING
TCP sri:microsoft-ds sri:0 LISTENING
TCP sri:2804 sri:0 LISTENING
TCP sri:netbios-ssn sri:0 LISTENING
TCP sri:1209 84.53.178.74:http CLOSE_WAIT
TCP sri:1763 ntdd2519.fm.netbenefit.co.uk:http ESTABLISHED
TCP sri:1764 ntdd2519.fm.netbenefit.co.uk:http ESTABLISHED
TCP sri:3190 sanmarcos.ezoshosting.com:http CLOSE_WAIT
TCP sri:3192 sanmarcos.ezoshosting.com:http CLOSE_WAIT
TCP sri:3196 sanmarcos.ezoshosting.com:http CLOSE_WAIT
TCP sri:3232 ew-in-f127.google.com:http CLOSE_WAIT
TCP sri:3236 216.89.80.21:http TIME_WAIT
TCP sri:3249 sanmarcos.ezoshosting.com:http ESTABLISHED
TCP sri:3251 216.89.80.21:http ESTABLISHED
TCP sri:3253 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3255 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3257 a88-221-114-181.deploy.akamaitechnologies.com:http CLOSE_WAIT
TCP sri:3259 a88-221-114-181.deploy.akamaitechnologies.com:http CLOSE_WAIT
TCP sri:3261 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3263 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3265 *.112.2o7.net:http ESTABLISHED
TCP sri:3268 ey-in-f147.google.com:http CLOSE_WAIT
TCP sri:3270 *.112.2o7.net:http ESTABLISHED
TCP sri:3274 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3276 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3281 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3282 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3283 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3300 ey-in-f147.google.com:http CLOSE_WAIT
TCP sri:3302 ey-in-f147.google.com:http CLOSE_WAIT
TCP sri:3312 193.38.108.198:https ESTABLISHED
TCP sri:3313 193.38.108.198:https ESTABLISHED
TCP sri:3314 193.38.108.198:https ESTABLISHED
TCP sri:3315 193.38.108.198:https ESTABLISHED
TCP sri:3316 ssl.vip.scd.yahoo.com:https ESTABLISHED
TCP sri:3317 ssl.vip.scd.yahoo.com:https ESTABLISHED
TCP sri:3321 sanmarcos.ezoshosting.com:http ESTABLISHED
TCP sri:3325 mg1b.mail.vip.mud.yahoo.com:http ESTABLISHED
TCP sri:3329 sanmarcos.ezoshosting.com:http ESTABLISHED
TCP sri:1030 sri:0 LISTENING
TCP sri:1072 localhost:1073 ESTABLISHED
TCP sri:1073 localhost:1072 ESTABLISHED
TCP sri:1075 localhost:1076 ESTABLISHED
TCP sri:1076 localhost:1075 ESTABLISHED
TCP sri:3188 localhost:10350 ESTABLISHED
TCP sri:3191 localhost:10350 ESTABLISHED
TCP sri:3195 localhost:10350 ESTABLISHED
TCP sri:3231 localhost:10350 ESTABLISHED
TCP sri:3233 localhost:10350 ESTABLISHED
TCP sri:3240 localhost:10350 ESTABLISHED
TCP sri:3248 localhost:10350 ESTABLISHED
TCP sri:3252 localhost:10350 FIN_WAIT_2
TCP sri:3254 localhost:10350 FIN_WAIT_2
TCP sri:3256 localhost:10350 FIN_WAIT_2
TCP sri:3258 localhost:10350 FIN_WAIT_2
TCP sri:3260 localhost:10350 ESTABLISHED
TCP sri:3262 localhost:10350 ESTABLISHED
TCP sri:3264 localhost:10350 FIN_WAIT_2
TCP sri:3267 localhost:10350 ESTABLISHED
TCP sri:3269 localhost:10350 ESTABLISHED
TCP sri:3273 localhost:10350 TIME_WAIT
TCP sri:3275 localhost:10350 TIME_WAIT
TCP sri:3277 localhost:10350 TIME_WAIT
TCP sri:3278 localhost:10350 CLOSE_WAIT
TCP sri:3279 localhost:10350 TIME_WAIT
TCP sri:3280 localhost:10350 TIME_WAIT
TCP sri:3284 localhost:10350 ESTABLISHED
TCP sri:3287 localhost:10350 ESTABLISHED
TCP sri:3288 localhost:10350 ESTABLISHED
TCP sri:3292 localhost:10350 ESTABLISHED
TCP sri:3299 localhost:10350 ESTABLISHED
TCP sri:3301 localhost:10350 ESTABLISHED
TCP sri:3307 localhost:10350 TIME_WAIT
TCP sri:3320 localhost:10350 ESTABLISHED
TCP sri:3324 localhost:10350 ESTABLISHED
TCP sri:3328 localhost:10350 ESTABLISHED
TCP sri:5152 sri:0 LISTENING
TCP sri:5152 localhost:1380 CLOSE_WAIT
TCP sri:10350 sri:0 LISTENING
TCP sri:10350 localhost:3187 TIME_WAIT
TCP sri:10350 localhost:3188 ESTABLISHED
TCP sri:10350 localhost:3191 ESTABLISHED
TCP sri:10350 localhost:3193 TIME_WAIT
TCP sri:10350 localhost:3195 ESTABLISHED
TCP sri:10350 localhost:3197 TIME_WAIT
TCP sri:10350 localhost:3231 ESTABLISHED
TCP sri:10350 localhost:3233 ESTABLISHED
TCP sri:10350 localhost:3240 ESTABLISHED
TCP sri:10350 localhost:3246 TIME_WAIT
TCP sri:10350 localhost:3248 ESTABLISHED
TCP sri:10350 localhost:3252 CLOSE_WAIT
TCP sri:10350 localhost:3254 CLOSE_WAIT
TCP sri:10350 localhost:3256 CLOSE_WAIT
TCP sri:10350 localhost:3258 CLOSE_WAIT
TCP sri:10350 localhost:3260 ESTABLISHED
TCP sri:10350 localhost:3262 ESTABLISHED
TCP sri:10350 localhost:3264 CLOSE_WAIT
TCP sri:10350 localhost:3267 ESTABLISHED
TCP sri:10350 localhost:3269 ESTABLISHED
TCP sri:10350 localhost:3271 TIME_WAIT
TCP sri:10350 localhost:3284 ESTABLISHED
TCP sri:10350 localhost:3287 ESTABLISHED
TCP sri:10350 localhost:3288 ESTABLISHED
TCP sri:10350 localhost:3292 ESTABLISHED
TCP sri:10350 localhost:3299 ESTABLISHED
TCP sri:10350 localhost:3301 ESTABLISHED
TCP sri:10350 localhost:3303 TIME_WAIT
TCP sri:10350 localhost:3304 TIME_WAIT
TCP sri:10350 localhost:3309 TIME_WAIT
TCP sri:10350 localhost:3320 ESTABLISHED
TCP sri:10350 localhost:3324 ESTABLISHED
TCP sri:10350 localhost:3328 ESTABLISHED
TCP sri:10351 sri:0 LISTENING
TCP sri:10352 sri:0 LISTENING
TCP sri:10353 sri:0 LISTENING
TCP sri:10354 sri:0 LISTENING
UDP sri:microsoft-ds *:*
UDP sri:isakmp *:*
UDP sri:4500 *:*
UDP sri:9999 *:*
UDP sri:ntp *:*
UDP sri:netbios-ns *:*
UDP sri:netbios-dgm *:*
UDP sri:1900 *:*
UDP sri:ntp *:*
UDP sri:1900 *:*
UDP sri:3270 *:*

C:\Documents and Settings\Owner>

High number of local host TCP. Is that causing the problem? Thanks in advance..

[Jimmy2012]

Hello riz92,

Is that causing the problem?

I am not really sure why your internet is slowing down like that, it does not look like it has anything to do with malware since your logs coming back look clean. Once we are done here, if you would like you can post a new topic over in the XP forum and see if one of the techs over there can help out with that.




Other then your internet problem, how is your computer, any other problems that you know of?

[riz92]

Hi Jimmy2012,

Beside internet problem I do not see any other problem. If that is the case I will open a new topic in the
XP forum. Thank you for all the help and guidance.

[Jimmy2012]

Hello riz92,
Your logs look clean.
Just a few more things to do.




Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

You are using a old version of Adobe Acrobat Reader, please update it here.








Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

Please download OTCleanIt and save it to your Desktop.

• Double-click OTCleanIt.exe
  
• Click the CleanUp! button to begin removing tools used to clean your computer
  
• If you are prompted to Reboot during the cleanup, please select Yes

Please remove any leftover tools used to clean your computer.










The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spywareguard: Is realtime protection from spyware.

2. Spywareblaster: Helps protect against any bad ActiveX from installing on your computer.

3. SuperAntiSpyware: Use this program to help remove any spyware that may have gotten on your computer.

4. FireFox: This is a great alternate browser over Internet Explorer. Firefox is much more secure then Internet Explorer and also has a bulilt in pop up blocker.

5. ATF Cleaner: This program cleans out your temporary files. This is a great tool that can help speed your computer up.

6. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

[riz92]

Hi Jimmy2012,

Have done all steps in your last post. Appreciate your help.
THANKS AGAIN

[Jimmy2012]

Your welcome


Hope you get your internet problem sorted out soon.

[Jimmy2012]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.