
Posted

Hi everyone.

I had an earlier thread that was closed over issues that have been resolved, but the problem remains. I began after I had to reinstall everything with a rescue disc that completely wiped the hard drive and reinstalled XP. I then added all critical updates.

My problem is simple but finding the cause is not. I am using IE7 on XP. Getting pages to open in even a reasonable time is impossible. For example, it takes 15 seconds to open basic Google as a home page and almost 45 seconds to get from there to here as a fully loaded page. I can navigate through here and most sites pretty quickly once there, but if I click on a link or even go to a different bookmarked page I get the same slow browser speed. A lot of the time seems to be used searching for the page. In all other respects the PC, actually a 3-year-old Toshiba laptop, is working fine.

In order to save time I am going to list what I know not to be the problem or solution.

  • There is no malware or virus based upon 3 different malware scans (2 suggested here) and at various times 4 different virus scans.
  • I tried both Firefox and Safari and got the same results. I have uninstalled both.
  • It acts the same way in safe mode
  • I have reset IE7
  • I have played with startup programs and applications per various suggestions with no improvement but probably missed something important that I just didn’t understand.
  • I can download a program at very acceptable speed. For example, the ATF Cleaner downloaded quickly once I actually got to the download page.

Fixing this has now become a crusade and I am far too old for crusades. Any suggestions will be gratefully received. Thanks.

PS: current HijackThis log below.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.254/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6987 bytes

"Familiarity breeds contempt - and children."

Mark Twain
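A log like the one above is read by section prefix: R entries are IE registry settings, O2/O3 are helper objects and toolbars loaded into the browser, O4 is startup items, O9 extra buttons, O16 ActiveX controls IE has downloaded from a URL, O20 DLLs injected into every process, O23 services. As an added illustration (not a tool from this thread or from HijackThis itself), the Python below runs a first triage pass over lines in that format: it separates dead entries whose file is gone, entries that load code into many processes or pull code from the network, and the rest. The sample lines are copied from the log posted above; the severity names and the rule set are my own categories, not anything HijackThis defines.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in HijackThis log format. The lines are copied from the
# log posted in this thread so the triage runs on realistic input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Apoint] ...".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")

# Sections that load code into the browser or into every process, or fetch
# code from the network. These deserve a look in any log (my categories).
REVIEW_SECTIONS = {
    "O2": "browser helper object loaded into IE",
    "O3": "IE toolbar",
    "O16": "ActiveX control downloaded from a URL (DPF)",
    "O20": "DLL injected into every process (AppInit_DLLs / Winlogon Notify)",
}


def parse_line(line):
    """Turn one log line into a dict with a severity label, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "body": body, "severity": "info", "reason": ""}
    if body.endswith("(file missing)"):
        # The registry still points at a file that is no longer on disk: a dead
        # entry left behind by an uninstall. It cannot run, so it is safe to fix.
        entry["severity"] = "orphan"
        entry["reason"] = "registry points at a file that no longer exists"
    elif section in REVIEW_SECTIONS:
        entry["severity"] = "review"
        entry["reason"] = REVIEW_SECTIONS[section]
    elif section == "R1" and "ProxyOverride" in body:
        # A proxy bypass list is not suspicious by itself; the point is to check
        # that it matches the proxy settings the machine is supposed to have.
        entry["severity"] = "review"
        entry["reason"] = "proxy bypass list; compare with the expected proxy settings"
    return entry


def triage(log_text):
    """Parse a whole log, dropping lines that are not HijackThis entries."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def summarize(entries):
    """Count entries per severity label."""
    return dict(Counter(e["severity"] for e in entries))


def dpf_hosts(entries):
    """Hosts from which IE has been told to download ActiveX code (O16 entries)."""
    hosts = []
    for e in entries:
        if e["section"] != "O16":
            continue
        m = URL_RE.search(e["body"])
        if m:
            hosts.append(urlparse(m.group(0)).hostname)
    return hosts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{e['severity']:7} {e['section']:4} {e['reason']}")
    print(summarize(found))
    print("DPF download hosts:", dpf_hosts(found))
```

On the sample this reports one orphan (the PartyPoker button pointing at a removed RunApp.exe), five entries to review, and one external host that has been allowed to supply an ActiveX control. A "review" label here means "confirm you know what this is", not "malicious": in the sample every reviewed item belongs to AVG, SUPERAntiSpyware, Adobe or HP.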

 

 


Guest Wolfeymole
Posted

What I can't understand Barry is that you formatted then filled the machine full of junk again like party poker, spybot and other stuff.

 

Did you look at our recommendations for security software?

Posted
Yes and no, Bob. The answer is I had no reason to; when I loaded them they worked fine for a long time (although PP did just do a big update). I did not even know this site existed before and had no reason to look. If I knew that my car was going to die after I started it I would call a mechanic. Before my prior disaster I had a perfectly (from my point of view) operating laptop. Spybot was a program that seemed to be ok. It is not running now and Party Poker has been uninstalled. Believe me, had I known this was going to happen I would have found you sooner.


Posted

It seems that you are still infected or your internet connection is being leeched. Many poker programs are known to do this. They use your computer to act as a server. P2P and torrents will also leech a connection.

 

I suggest formatting and re-installing again. At this point everything should work great. Then install those types of programs again one by one. The culprit will surely rear its ugly head.

 

Then you will understand the second half of our position on these types of programs.

 

I also see that you have next to nothing for security programs. All I see is AVG which is not good enough. Where is your spyware protection? Are you running a firewall? It's really hard to tell since I expected to see much more in the HJT log.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.

Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

Posted
Sorry, I am running the normal Windows firewall and a router firewall (Netopia) set at medium, as anything higher will block internet traffic and limit it to the local network. I was using Spybot with TeaTimer but disabled it. Probably should uninstall? I have kept the SUPERAntiSpyware but it has found nothing.


Posted
Why is there a proxy override on this computer?


Posted

OK, I ran everything again and did get a result, but I may have blown it. The malware scan found nothing but a few cookies (5); the ESET scan found 3 trojans. Apparently it removed 1 and reported an error in deleting the other 2. In trying to copy and paste I inadvertently lost the information. However they all related to something called Recyclers C:/Windows/RECYCLERS ???

 

I ran the same scan again and nothing came up. I have restarted but don't see any change.

 

Regarding Randy's question, I have no idea why there is a proxy override or even what it does.

 

Also I had a to-do list when I re-formatted etc. After reinstalling my broadband service I updated Windows and probably installed IE7 at that time. The disc must have had IE6.

 

I just get the feeling that whatever happened happened then, or when I was downloading this #$%& AVG.

 

As for leeching, I tried looking for unaccounted-for network activity while I was doing nothing and all I could find was a minimal amount of activity on the little icon. I opened the network connection status and the task manager and noticed that it was very minimal. I opened the connection to my router (through IE7 I guess) and noticed that each time there was a little activity the page refreshed.

 

I really want to get rid of AVG. What I do not know is whether I should keep it running while I either redownload Avast or get Avira. Or should I just wait until this is all sorted?


Posted

I generally do not condone the use of internet optimizers but seeing that your problem is limited to browsing the internet, I think you must give it a try.

 

Download TCP Optimizer from here. The program is quite basic but if you still need help using it, then you can use the FAQ available here. Perform the required changes and reboot the computer when prompted. Try again and see if there is any difference or not.

 

"I really want to get rid of AVG what I do not know is whether I should keep it running while I either redownload Avast or get Avira. Or should I just wait until this is all sorted?"

Download the latest version of Avira from here and install it over AVG. After you have installed it, reboot the computer and remove AVG. Next, run a full system scan with Avira, after updating it with the latest virus definition files, and post back the results.

 

Hope that helps. :)

 

-- Goku

Posted

Hi Goku

Tried optimizer. Nothing happened.

 

3 questions:

1. Could Randy's reference to a proxy override have anything to do with this?? If so, how should I change it?

2. Where are these RECYCLER files? I could not find anything using Internet Explorer and search came up with nothing.

3. Is there any point in uninstalling IE7 considering that Firefox etc. were no better when installed?

 

Thanks


Posted

I will try my best to answer your questions:

 

1. I am a complete novice at networking and do not understand the terms Randy talks of. Therefore, I don't think I am the right person to ask advice from regarding this question.

 

2. The Recycler folder is usually the folder which contains copies of the files deleted from the hard drive. Some copies may still remain even if the Recycle Bin is emptied. This information might come in handy if you are to check the traces of the files deleted on the system and the user who authorized the action.

 

3. No, there is no point in uninstalling Internet Explorer 7 if you are using it to browse the internet. However, it does seem sensible to install Firefox or any other browser of your choice if you prefer it over Internet Explorer or just want better security.

 

I will review your problem and get back to you as soon as possible. Hope that helps. :)

 

-- Goku

Posted

This is a long shot, but run HijackThis and choose Scan Only. Now put a check on these two items:

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

 

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab

 

Now click "Fix Checked" and restart the computer when complete.

 

If that doesn't help, then I would take Randy's suggestion to format and reinstall XP again. When complete, don't install AVG, but rather Avira. Once that's done, don't install anything else, but rather report back with how the internet is performing.

Need help with your computer problems? Then why not join Free PC Help. Register here

 

If Free PC Help has helped you then please consider a donation. Click here

Posted

OK, AVG is gone and Avira is in. I scanned and it found what may be DR/MediaBack.D, found in System Volume Information, A0002924.exe, and quarantined it.

 

Also warned that 3 files could not be opened.

 

This is a paste of what seems relevant to me:

 

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{95C8BA23-7DEC-40CD-A7C2-1ABB11423E47}\RP8\A0002924.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{95C8BA23-7DEC-40CD-A7C2-1ABB11423E47}\RP8\A0002924.exe
[DETECTION] Contains recognition pattern of the DR/MediaBack.D dropper
[NOTE] The file was moved to '4920ae0f.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

 

It seems to me that the problem relates to actually finding the website. Once it is found the page seems to open fairly quickly, with more complicated sites a bit slower to add pics etc. Even this page, which is bookmarked and obviously used often, takes forever to find.

 

I can go through this site pretty quickly once I am here.

 

I keep looking at all those registry entries relating to IE and wonder if they are fighting each other. Does any of that make sense??

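Three things in that Avira paste are worth separating, and a scanner report in this shape is easy to parse. hiberfil.sys and pagefile.sys are held open by Windows itself for as long as it runs, so "could not be opened" on those two is expected on every scan. sptd.sys is the driver installed by DAEMON Tools (which is in the startup list earlier in the thread) and it is well known for refusing to let other software open it, so that warning is expected too, though it also means the scanner could not inspect it. The one real detection sits inside a System Restore point (the _restore{...}\RP8 folder), which is not an active file, but a restore to that point would bring it back; quarantine plus clearing old restore points closes that door. The following Python, added here as an illustration and not a tool from this thread or from Avira, parses the report format and applies exactly those rules. The report text is copied from the paste above; the classification labels are mine.

```python
import re

# Constructed sample in the format of the Avira report pasted in this thread
# (paths, detection name and quarantine file name copied from it).
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{95C8BA23-7DEC-40CD-A7C2-1ABB11423E47}\RP8\A0002924.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{95C8BA23-7DEC-40CD-A7C2-1ABB11423E47}\RP8\A0002924.exe
[DETECTION] Contains recognition pattern of the DR/MediaBack.D dropper
[NOTE] The file was moved to '4920ae0f.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
"""

# Files Windows keeps open while it runs; no scanner can read them live.
ALWAYS_LOCKED = {"hiberfil.sys", "pagefile.sys"}
# Driver installed by DAEMON Tools; it blocks other programs from opening it.
SELF_PROTECTING = {"sptd.sys"}
QUA_RE = re.compile(r"moved to '([^']+)'")


def parse_report(text):
    """Group the report into one record per scanned path with its bracketed events."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Begin scan"):
            continue
        if line.startswith("[") or line.startswith("-->"):
            # "[WARNING] ...", "[DETECTION] ...", "[NOTE] ..." or "--> <member>"
            # all describe the path on the most recent path line.
            if records:
                tag = line[1:line.index("]")] if line.startswith("[") else "TARGET"
                records[-1]["events"].append((tag, line))
        else:
            records.append({"path": line, "events": []})
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(rec):
    """Label a record: real detection, detection in a restore point, or an expected read failure."""
    name = basename(rec["path"]).lower()
    tags = {t for t, _ in rec["events"]}
    if "DETECTION" in tags:
        if "\\system volume information\\_restore" in rec["path"].lower():
            # Inside a System Restore snapshot: inactive, but a restore would
            # bring it back, so clear old restore points after quarantine.
            return "detection-in-restore-point"
        return "detection-active"
    if "WARNING" in tags:
        if name in ALWAYS_LOCKED:
            return "unopenable-os-locked"
        if name in SELF_PROTECTING:
            return "unopenable-self-protecting-driver"
        # Anything else the scanner could not read needs a manual look.
        return "unopenable-check-manually"
    return "clean"


def summarize(text):
    """(file name, label) for every scanned path in the report."""
    return [(basename(r["path"]), classify(r)) for r in parse_report(text)]


def quarantined(records):
    """Quarantine file names taken from the [NOTE] lines."""
    names = []
    for r in records:
        for tag, line in r["events"]:
            m = QUA_RE.search(line) if tag == "NOTE" else None
            if m:
                names.append(m.group(1))
    return names


if __name__ == "__main__":
    for name, label in summarize(SAMPLE_REPORT):
        print(f"{label:36} {name}")
    print("quarantined:", quarantined(parse_report(SAMPLE_REPORT)))
```

Run on the paste it reports two OS-locked files, one self-protecting driver and one detection inside a restore point, with '4920ae0f.qua' as the quarantine file, which matches the reading that the only live question left is the DAEMON Tools driver the scanner could not read.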

Posted
I just left you a post.


Posted

Well, you said it was a long shot. Maybe a slight difference, but maybe I'm just counting faster. Before I start all over again (and I'm sick of this today so not now) I know that it will install the same older version of Norton. I updated it and used it briefly, but if I was going to pay for an AV program it wouldn't be that one. Are there basic instructions for getting rid of all that without messing up? Obviously other than uninstall. Maybe by deleting related files I messed things up.

 

Also I assume that it had IE6 installed. I know I downloaded 7 plus service packs etc. Are we all sure that uninstalling IE7 won't help??

 

I would imagine I should scan the portable hard drive with Avira before I reinstall any documents or email files.

 

I feel like a little kid about to throw a temper tantrum because I really do not want to do this.

 

oh well!!


Guest Wolfeymole
Posted

Barry

 

We are getting nowhere fast because you are not doing what we are asking of you.

 

Please do as Randy suggested.

Posted

Good Morning

Clearly you were right.

 

I have reformatted, reinstalled etc. I have also installed Avira and did a scan with the bundled Norton disabled. I then removed Norton using the above tool. I have done nothing else. Reinstalled my router of course or I would not be here.

 

I am now using IE6. I have not done any critical updates as yet. To the extent that the poor Irish broadband allows, I am having no problems at all.

 

 

The following are things that I must do and safely.

1. Reinstall Office direct from original discs.

2. Put the bulk of my documents back into the Computer. They are now on portable hard drive.

3. Set up Outlook express and import old email from portable HD.

 

There are no malware programs installed. I have the .exe files on the portable drive but don't know whether I should use them or download fresh, if at all.

 

Should I allow updates which I assume will include IE7 and SP3?


Posted

Hello Bee. I think you should install updates as they cannot definitely wreak more harm than the malware itself. Now that you are up and running you might want to create your own custom recovery disks, as it can be an awful amount of work to go through again if you have to reinstall sometime. If you need help regarding that, then the other techs will be more than glad to help you.

 

The *.exe files are safe or unsafe depending on what program they belong to. We cannot guess what is safe or not unless you give us the name of the applications. I would only recommend that you use your common sense and install only that which is necessary. Anything other than that can be installed when the need arises.

 

Glad you got it resolved. :)

 

-- Goku

Posted

MANY THANKS!!!

 

:):):):):) etc.

 

Thank you all!! I would like to create a recovery disc(s) and would be grateful if you can direct me where to look or who to ask.

 

I have decided to stay away from any .exe files on portable and just use Wolfey's security recommendations and download from scratch.

 

I would like to go back to Party Poker with the following observations.

1. I am not a gambler and you are not encouraging me to become one. Just harmless fun at what they call micro tables.

2. I know there are many disreputable sites out there but I am convinced this one isn't.

3. I just need to know if there is a safe way to do this. Right now I am just leaving it alone until I know I am safe and until I get recovery discs made.

 

Again thanks for your help and for putting up with me.

 

Barry :D


Posted

The instructions for making recovery disks differ from manufacturer to manufacturer. First of all, we need to know what is the make and model number of your PC? That will help us obtain the precise instructions required for making the restore discs on your system.

 

I don't know much about poker but, as I said before, there might be safer alternatives out there. A brief search on one of my trusted game creators brought out these results. Just choose whichever game suits you best and hopefully you will like it.

 

Hope that helps.

 

-- Goku

Posted

Thanks Goku.

 

I have a Toshiba Laptop Equium M40X - 189

 

I am putting poker on the long finger until I have every safety advantage I can get.


Posted

I seem to have found the appropriate instructions. Here you go.

 

How to Create a Toshiba Product Recovery CD/DVD

 

If you plan to install the version of Party Poker you previously had, then I would advise strongly against it. No amount of security software can protect you if you are bent on infecting yourself, and installing Party Poker seems like a sure-shot way to achieve this. Again, do not install the version of Party Poker you previously had, as it might lead all your efforts to nothing.

 

-- Goku
