Hey everyone...

I'm connected to a LAN network through my apartment complex (T1 speed) and my 3 roommates and I all have a ethernet hub which we share between our 4 computers. About a month ago my internet started getting really slow (Kazaa, AIM, and Internet Explorer). I had never had any problems with it before. Now it takes a very long time for me to load up any web pages (around 2-3 minutes), even simple ones like Yahoo. The speed time varies throughout the day, for example, in the morning hours it is much faster than any other time of the day. I also get numerous time outs. None of my roommates' computers are affected at all. We've tried switching ethernet cords, but its only my internet that is slow. I've ran Norton Anti-Virus and deleted the viruses that it found. I've also had the network supervisor from my apartment complex come in and try to solve the problem. He changed some configurations in the firewall, and said that my IP address was taking a different route (run script?) than my roommates'. Supposedly he changed it and it was supposed to be faster, but I haven't noticed any improvements with the speed. Any suggestions for how I can figure out what's wrong? Please help, I'm dying over here! Thanks in advance!

Hi Kalenz16 - welcome to CTH. KaZaA huh..well then, it would be a good idea if we had a look at your startups.

Go here (http://www.spywareinfo.com/files/startuplist.zip) and download and run Startup List. It will generate a log file. Copy the log and paste it back into this thread

Here it is. Thanks for your help!


StartupList report, 2/13/2003, 6:14:29 AM
StartupList version: 1.51
Started from : C:\Documents and Settings\Kalen M. Ridenour\Local Settings\Temp\StartupList.EXE
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\wjview.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Kalen M. Ridenour\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Kalen M. Ridenour\Start Menu\Programs\Startup]
Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NeroCheck = C:\WINNT\system32\NeroCheck.exe
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
IDesktop.2.5 = C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDes ktop.exe 1
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
EbatesMoeMoneyMaker = wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
Windows Explorer = C:\WINNT\System32\explorer.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
WinMX = C:\Program Files\WinMX\WinMX.exe -m
MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
Weather = C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
ctfmon.exe = ctfmon.exe
Mozilla Quick Launch = "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[RdxIE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/23f8098c984fd2f6b623/netzip/RdxIE6.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37661.9763425926

[{AD08A333-609E-11D3-950C-008098601567}]
CODEBASE = http://wordreference.com/Install/Spanish%20to%20English.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 6,035 bytes
Report generated in 1.051 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Hi Kalenz16., You have a virus:

C:\WINNT\SYSTEM32\DNTUS26.EXE

Windows Explorer = C:\WINNT\System32\explorer.exe


It looks like W32.Aplore, but to make sure, Go here and run an online scan:

http://housecall.antivirus.com/

Let me know what Housecall finds.

OK, I just ran Housecall and it couldn't find anything. I also downloaded Norton anti-virus updates which I found on the page for the virus you named. Norton couldn't detect the virus, either.

Hi Kalenz16. I don't know why both scans are not showing anything.
This is definitely a virus:
Windows Explorer = C:\WINNT\System32\explorer.exe


A valid Windows explorer.exe is located in C:\WINNT\ which you have: C:\WINNT\Explorer.EXE

Do this,
Click Start > Run > type regedit and click OK
Click the + next to the following keys

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion

Scroll down and click on the Run folder.
In the right hand window look for:
Windows Explorer = C:\WINNT\System32\explorer.exe
Right click on this entry and click delete.

Collapse the registry tree, close regedit and reboot.

Navigate to C:\WINNT\System32\ and delete explorer.exe

****Make sure you do not delete the explorer.exe located in C:\WINNT\

This file: C:\WINNT\SYSTEM32\DNTUS26.EXE may be valid if
you installed a program that allows you to remotely access this machine.. Have you?

Hey tb525,

OK...I did everything you told me to. When I rebooted I went to search for C:/WINNT/system32/explorer, and I can't find it, which would make sense, since I deleted it, right?

I absolutely DID NOT load any program to remotely access my computer. So is the virus gone now? Could that have been what is causing the slowness of Internet Explorer? I haven't noticed any changes in the speed yet...

Thanks for finding the virus for me, btw!

When you looked for explorer.exe, were you able to view hidden files?

Let's get rid of this also: C:\WINNT\SYSTEM32\DNTUS26.EXE

Click Start > Run > type services.msc and click OK
Scroll through the list and locate DNTUS26.EXE.
Double click on it and first stop it and then disable it.
Boot into safe mode and delete it.

Then go to Add/Remove programs and uninstall EbatesMoeMoneyMaker

After that, Download and run Spybot-S&D

Download Spybot - Search & Destroy

http://beam.to/spybotsd


After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets,and uncheck System Internals, Usage Tracking and Tracks.uti. These settings are not needed at the moment and you can always consult the "Help" files if you want to experiment later on.

Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds. (If the scan has found something, the list will show it.)

There are three basic kinds of results:

Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is preselected to be fixed.

Black entries are system internals. If you do not know what they mean, I would suggest that you leave these alone and visit the support forum for more information.

Green entries indicate usage tracks. It can do no harm to remove these.

NOTE: SSD will sometimes not be able to remove all active components in the first 'run'. In that case you will get a dialog asking you to run SSD at next start. Click yes and reboot.
SSD will activate before the system puts these components 'in use', and it will then be able to 'fix' the rest.

OK...

I don't remember being able to look for hidden files when I went to delete explorer.exe. I could have missed them though.

I went to services.msc but I couldn't find the DNTUS26.EXE file listed in the tree, so I couldn't delete it.

I downloaded spybot and ran all the updates, and then did a check for problems. It found a bunch of red listings, and I fixed them all.

I can't tell yet if my internet connection has been affected. Even if it hasn't I appreciate all the nasty stuff you helped me find on my comp and get rid of. Is there more I need to do?? I'll let you know if anything changes. Thanks!

Hi Kalenz16, Did you try to delete DNTUS26.EXE from safe mode?

Also make sure you search for C:\WINNT\System32\explorer.exe
again, looking in hidden files and folders.

*Open any folder and click Tools > Folder Options > View tab.
Place a check in 'Show hidden files and folders'. OK.

This problem seemed to apply to me also. I ran spybot. What is C-Dilla. The program seemed to indicate it might not be best to remove it without an update?