Thread: Internet Slowdown & Possible Hijacking

  1. #1
    Join Date
    May 2007
    Posts
    9

    Internet Slowdown & Possible Hijacking

    Sorry if this is a long post. I finally finished the initial cleaning process. The HijackThis log, posted below, showed some disturbing results. But first, system and problem information:

    System:
    Windows XP running on emachines desktop

    512mb ram
    80GB hard drive, partitioned as follows:
    C= 70.9GB (11GB used, 59.8GB free)
    D= 3.52GB (1.85GB used, 1.66GB free)

    56k dialup internet connection with Netzero

    Security:
    McAfee Security Suite, includes Anti-Virus, Anti-Spyware, SpamKiller
    ZoneAlarm Firewall, Ad-Aware SE, Spybot S&D
    I also now have Windows Defender, AVG Anti-Spyware v7.5, ATF-Cleaner, Windows Malicious Software Removal Tool, and HijackThis

    Problems:
    CPU usage jumps to 100% and stays there as soon as I get online.
    In Internet Explorer 7, windows open very slowly, sometimes getting “stuck” for up to a full minute before opening completely. Explorer becomes unresponsive, freezing for a while, then becoming active again. Overall, Explorer is very, very slow.
    This all began about 3 weeks ago.

    Results of initial cleaning:
    Add/Remove Programs: I didn’t find any suspicious programs
    Windows Malicious Software Removal Tool: using Extended Scan, it scanned 465,000+ files and found 0 infected files.

    Panda ActiveScan: Online scan found the following:

    (see ActivescanNP.txt)

    I took no action from this scan.

    AVG Anti-Spyware scan results:

    (see logfile.txt)

    AVG eliminated the cookies found by the Panda ActiveScan.

    Microsoft Windows Defender results:
    Found and removed: PowerRegScheduler

    HijackThis log: After running the HijackThis scan, I noticed all the hosts (Kazza, edonkey, etc). I think these are hijacking my computer. Also, I noticed that an installation for Incredimail is still in my computer, even though I thought I had removed it months ago.

    (see HTJLog.txt)

    My computer is still experiencing the same problems mentioned above. Thanks for any assistance you can offer.

    Wayne

  2. #2
    Join Date
    Jan 2007
    Location
    Edmonton,Alberta,Canada
    Posts
    78
    Judy will be the best one to look at this and give you a definitive answer. As you have already said, Kazaa and edonkey are terrible programs known to put numerous malware on your system. Also, did these problems start after you installed IE7? If so, there may be some that will suggest that you go back to IE6, but let's have Judy look at your logs and decide where to go before you start deleting things.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I have several questions here...are you also using AOL?
    Is the McAfee Security Suite from AOL or is it actually from McAfee?

    When you say EXPLORER is slow do you mean Internet Explorer?

    You have a rogue program on the computer called Spywarebot. You MUST remove this via Add/Remove.

    Did you run AVG Anti-spy in safe mode? The log is not a usual AVG log.
    Did you run the ATF-Cleaner in safe mode?

    Run HJT again and place checkmarks next to the following entries;
    O1 - Hosts: 66.38.215.115 kazza.com
    O1 - Hosts: 66.38.215.115 www.kazza.com
    O1 - Hosts: 66.38.215.115 kaza.com
    O1 - Hosts: 66.38.215.115 www.kaza.com
    O1 - Hosts: 66.38.215.115 kaaza.com
    O1 - Hosts: 66.38.215.115 www.kaaza.com
    O1 - Hosts: 66.38.215.115 kahza.com
    O1 - Hosts: 66.38.215.115 www.kahza.com
    O1 - Hosts: 66.38.215.115 edonkey.com
    O1 - Hosts: 66.38.215.115 www.edonkey.com
    O1 - Hosts: 66.38.215.115 emule.com
    O1 - Hosts: 66.38.215.115 www.emule.com
    O1 - Hosts: 66.38.215.115 suprnova.com
    O1 - Hosts: 66.38.215.115 www.suprnova.com
    O1 - Hosts: 64.124.166.37 klite.com
    O1 - Hosts: 64.124.166.37 www.klite.com
    O1 - Hosts: 64.124.166.37 k-lite.com
    O1 - Hosts: 64.124.166.37 www.k-lite.com
    O1 - Hosts: 64.124.166.37 kazaalite.com
    O1 - Hosts: 64.124.166.37 www.kazzalite.com
    O1 - Hosts: 64.124.166.37 kazalite.com
    O1 - Hosts: 64.124.166.37 www.kazalite.com
    O1 - Hosts: 64.124.166.37 kaazalite.com
    O1 - Hosts: 64.124.166.37 www.kaazalite.com

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    Once you have placed the checkmarks then click the FIX button.
    Exit HJT.
    Reboot and run a new HJT scan and post the log here.

  4. #4
    Join Date
    May 2007
    Posts
    9
    Answers to your questions:

    I do not use AOL. All the AOL programs & features came pre-loaded on the computer. I have never used them.

    My McAfee Security Suite is from McAfee. I downloaded and installed it from the McAfee website.

    Yes, I mean Internet Explorer 7 operates slowly when online.

    I ran AVG Anti-Spy in safe mode, but I might have had some trouble saving the log file. If needed, I suppose I can try that part of the process again.

    I also ran the ATF-Cleaner in safe mode as instructed.

    I'll follow your posted instructions and post my new HJT scan log as soon as I can.

    Thanks so much for your help.

    Wayne

  5. #5
    Join Date
    May 2007
    Posts
    9
    I did as you asked and removed Spywarebot using the Add/Remove feature in Control Panels. I thought this was Spybot S&D, that is why I didn't remove it earlier.

    I also followed your instructions and ran another HJT scan, checked what you told me to and clicked the fix button.

    I rebooted and ran another HJT scan. Here is the log:

    (see HJTLog052207 attached)

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    The reason I asked about AOL and also the McAfee is this...you DO have some AOL entries showing in your log that you need to get rid of...
    I asked about McAfee because the AOL Security Center is McAfee based so I wanted to be certain it was just "plain" McAfee and not the AOL version because one of the programs set to run at Start is AOL Spyware Protection.

    You need to go to Add/Remove and look for anything AOL and remove it. Then you need to go to Start, Search, Files and Folders, "C" drive and search for AOL. Delete any files you find.

    Then WITH all Browsers CLOSED run HJT again and place checkmarks next to the following items;
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\Owner\LOCALS~1\Temp\ImInstaller\Incred iMail\incredimail_install.exe -startup -product IncrediMail
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    Once you have placed the checkmarks click the FIX button.
    Exit HJT.
    Reboot in SAFE MODE;
    Go to C:\documents and settings\owner\local settings\temp and once in the folder click Edit> Select All. Then hit the delete key to get rid of the entire contents of the folder. Leave the folder itself intact though.
    Reboot to normal mode and run a new HJT scan, save the log and post back here and I will have a few clean up steps for you.
    Judy
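
Added example (not part of any post in this thread, and not HijackThis's own code): a small triage script for the kinds of entries flagged in posts #3 and #6, namely hosts-file redirects to non-local addresses, a BHO whose file is missing, and autostart entries that launch from a Temp folder. The sample log is constructed in HijackThis line format, and the function and pattern names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log; the O1/O2 lines mirror entry shapes quoted in the thread,
# the localhost line and the O4 Temp path are made up for the example.
SAMPLE_LOG = r"""
O1 - Hosts: 66.38.215.115 kazza.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [Setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\setup_example.exe -startup
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # section code, then the entry body
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")  # "Hosts: <ip> <hostname>"
LOCAL_OR_SINK = {"127.0.0.1", "::1", "0.0.0.0"}   # normal or blocking entries, not redirects
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # any path component named Temp


def triage(log_text):
    """Return (redirects, findings).

    redirects: {ip: [hostnames]} for hosts-file entries pointing off-box.
    findings:  [(label, entry_body)] for orphaned BHOs and Temp-folder autostarts.
    """
    redirects = defaultdict(list)
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group(1) not in LOCAL_OR_SINK:
                redirects[h.group(1)].append(h.group(2))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO", body))
        elif section == "O4" and TEMP_RE.search(body):
            findings.append(("autostart from Temp", body))
    return dict(redirects), findings


if __name__ == "__main__":
    redirects, findings = triage(SAMPLE_LOG)
    for ip, names in redirects.items():
        print(f"{ip}: {len(names)} redirected hostname(s): {', '.join(names)}")
    for label, body in findings:
        print(f"{label}: {body}")
```

Grouping by IP makes it obvious when many unrelated hostnames resolve to one or two addresses, which is the pattern in the O1 list above.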

  7. #7
    Join Date
    May 2007
    Posts
    9
    While following your instructions, I encountered a problem uninstalling AOL. I was able to remove all of the AOL programs in the Add/Remove utility, but the "main" AOL program took forever! I sat there, watching a screen, blank except for the AOL logo and the word "Uninstalling..." for an hour and a half before I gave up. I hit Ctrl-Alt-Delete and stopped the uninstall process, only to find after rebooting my computer, that it had been deleted.

    I did discover, when I searched for AOL components, that I was able to delete everything except for:
    AOL Companion (in Program Files) and waol (also in program files)

    I ran an HJT scan, but the following entries were not in the list:

    O3 - Toolbar: AOL Toolbar
    O4 - HKLM\..\Run: [AOL Spyware Protection]
    O23 - Service: AOL Connectivity Service (AOL ACS)

    I checked all the other items you indicated and clicked the FIX button.
    Then I rebooted to SAFE MODE and emptied the contents of the following folder:
    C:\documents and settings\owner\local settings\temp
    I left the folder intact as instructed.

    Then I rebooted to normal mode and ran a new HJT scan. The scan is attached below:

    (see: HJTLog052407.txt)

    Note: during this entire process, my CPU was running at 100%, even though I was not connected to the internet (I had unplugged the telephone line).
    Wayne

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Wayne, I don't see much in the log that I feel would be causing your problems...you say this all began 3 weeks ago, can you think of something you did, installed, uninstalled, updated, etc., three weeks ago?
    By the way, turn off the Spybot S & D Tea Timer.
