NEED HELP COMPUTER RUNNING SLOOOOOOOOOOW

Question

IM RUNNING A ROUTER AND I D/L AN ANTI VIRUS PROGRAM AND EVER SINCE MY COMPUTER IS RUNNING LIKE I HAVE DIAL UP WHEN IM ONLINE I HAVE CABLE HOOK UP.ONE OF THE COMPUTER TECHS AT WIFES WORK SAID THIS IS COMMON THAT WHEN I D/L THE ANTI VIRUS PROGRAM IT WROTE SOMETHING IN MY COMPUTER THAT IS CAUSING THIS AND THE SELL PROGRAMS THAT WILL GO IN AND GET RID OF THIS BUT I DONT KNOW WHAT TO GET CAN ANYONE HELP

Midnight Star · Answer

pullinghair,

Let's start with this...

bigdreinla,

Download mwav.exe from MicroWorld, then:

1. Double-click the mwav.exe icon to run it ( it'll self extract).
2. Click " Scan".
3. When it completes, post back the results from the 'Virus log information' pane.

Let's see what's running on that system; post up a HiJackThis log for analysis.

Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:

1. Click " Scan"
2. Click " Save log"

Notepad will pop-up with a copy of your system long, then:

1. " Edit | Select all"
2. " Edit | Copy"

Next, let's " Reply" back to this post, then:

1. Right-click on the message body.
2. Select " Paste"

Then just " Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).

Mike.

Starness · Answer

Hi :) I hope you don't mind, I took your advice and I ran the hijackthis scan, Can you please check it and tell me what I need to get rid of? thanks very much!! this 'C:\winnt\system32\KzQhEzm.exe' has been a big problem, if I try to close in manually in task manager it clones itself over and over until my computer has to be shut down :/   Logfile of HijackThis v1.99.0 Scan saved at 1:32:14 AM, on 2/12/2005 Platform: Windows XP  (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINNT\system32\cisvc.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\WINNT\System32\svchost.exe C:\WINNT\wanmpsvc.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\Program Files\DELL\AccessDirect\dadapp.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\WINNT\System32\RUNDLL32.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\WINNT\System32\vmss\vmss.exe C:\winnt\system32\KzQhEzm.exe C:\WINNT\System32undll32.exe C:\Program Files\America Online 8.0\aol.exe C:\Program Files\America Online 8.0\waol.exe C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINNT\explorer.exe C:\Program Files\Adware Away\AdAway.exe C:\unzipped\hijackthis\HijackThis.exe C:\winnt\system32\KzQhEzm.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32/left.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {3DAC420C-BC46-4ABB-8756-64550DF12948} - C:\WINNT\System32\ywnlc.dll (file missing) O2 - BHO: (no name) - {9CA19F24-7D98-1565-B328-2917236D2199} - C:\WINNT\System32\qzizvyt.dll O2 - BHO: (no name) - {A98CAF24-50AB-2051-9E18-193A135D0CA9} - C:\WINNT\System32\qzizvyt.dll O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file) O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [34F9Q@A3SCCKQN] C:\WINNT\SYSTEM32\QXNR9U0Y.EXE O4 - HKLM\..\Run: [AOL Desktop Plus] C:\Program Files\Desktop Plus\Desktop Plus.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [cotnkzgowwcx] C:\WINNT\System32\hkbusg.exe O4 - HKLM\..\Run: [ab5d9bc11892] C:\WINNT\System32\deskmon2.exe O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [rgloh] C:\WINNTgloh.exe O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QBRSR] C:\WINNT\QuickBrowser.exe O4 - HKLM\..\Run: [vsgih] C:\WINNT\irwuftj.exe O4 - HKLM\..\Run: [Ehqwd] C:\WINNT\Qzyeaz.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [AutoLoaderpz5q1JPSaJIX] 'C:\WINNT\System32
cxhts.exe' /HideUninstall /PC='AM.WILD' O4 - HKLM\..\Run: [XtTb.exe] C:\WINNT\XtTb.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [ssqb.exe] C:\WINNT\ssqb.exe O4 - HKLM\..\Run: [VSOCheckTask] 'c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe' /checktask O4 - HKLM\..\Run: [VirusScan Online] 'c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe' O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe O4 - HKLM\..\Run: [BPT] 'C:\Program Files\Bpt\bpt.exe' O4 - HKLM\..\Run: [p4mW37S] chamoprp.exe O4 - HKLM\..\Run: [KzQhEzm.exe] c:\winnt\system32\KzQhEzm.exe O4 - HKLM\..\Run: [2yK3tAD] C:\winnt\system32\2yK3tAD.exe O4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe' O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe O4 - HKLM\..\RunOnce: [AAW] 'C:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE' '+b1' O4 - HKCU\..\Run: [Y356RXe6l] capsam.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS
ppdf32.dll O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://downloads.aaa1screensavers.com/download/rist-aug-acx21.exe O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{4F646CB6-1988-45D9-9C99-D732FC5D7D6C}: NameServer = 205.188.146.145 O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

100mph · Answer

WOW! How do you start your computer with 40 (!) applications running in background? Fantastic!

Midnight Star · Answer

Starness,   Let's see what we can do...   starness, If you haven't ran HouseCall lately, let's go back to www.trendmicro.com, download the latest definitions, and run it.   Download, unzip to your desktop CWShredder and run it, then:   1.  Click ' Check For Update'       ( If an update isn't available, skip to step #4.)   2.  Click ' Click here to Download the upate'. 3.  When the new version has been downloaded, click ' Save'. 4.  Click ' Fix ->'   Go to Add/Remove programs and remove(uninstall) the following, if present:       SEP     Viewpoint Manager   The above could appear anywhere within the entry. Be careful not to remove any personal or system software.   Run HiJackThis then:   1.  Click ' Config...' 2.  Click ' Misc Tools' 3.  Click ' Open Process manager'   -   Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:       C:\WINNT\System32\vmss\vmss.exe     C:\winnt\system32\KzQhEzm.exe   Now double-check and make sure that only those item(s) above are highlighted, then click ' Kill process'. Now, click ' Refresh', check again, and repeat this step if any remain.   Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:   regsvr32  /u  qzizvyt.dll regsvr32  /u  sep.dll regsvr32  /u  esyn.dll   It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing. Run HiJackThis and click ' Scan', then check(tick) the following, if present:   R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32/left.html   O2 - BHO: (no name) - {3DAC420C-BC46-4ABB-8756-64550DF12948} - C:\WINNT\System32\ywnlc.dll (file missing) O2 - BHO: (no name) - {9CA19F24-7D98-1565-B328-2917236D2199} - C:\WINNT\System32\qzizvyt.dll O2 - BHO: (no name) - {A98CAF24-50AB-2051-9E18-193A135D0CA9} - C:\WINNT\System32\qzizvyt.dll O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll   O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)   O4 - HKLM\..\Run: [34F9Q@A3SCCKQN> C:\WINNT\SYSTEM32\QXNR9U0Y.EXE O4 - HKLM\..\Run: [cotnkzgowwcx> C:\WINNT\System32\hkbusg.exe O4 - HKLM\..\Run: [ab5d9bc11892> C:\WINNT\System32\deskmon2.exe O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB> rundll32.exe E6F1873B.DLL,D9EBC318C O4 - HKLM\..\Run: [98D0CE0C16B1> rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [rgloh> C:\WINNTgloh.exe O4 - HKLM\..\Run: [vsgih> C:\WINNT\irwuftj.exe O4 - HKLM\..\Run: [Ehqwd> C:\WINNT\Qzyeaz.exe O4 - HKLM\..\Run: [AutoLoaderpz5q1JPSaJIX> 'C:\WINNT\System32
cxhts.exe' /HideUninstall /PC='AM.WILD'  O4 - HKLM\..\Run: [XtTb.exe> C:\WINNT\XtTb.exe O4 - HKLM\..\Run: [ssqb.exe> C:\WINNT\ssqb.exe O4 - HKLM\..\Run: [vmss> C:\WINNT\System32\vmss\vmss.exe O4 - HKLM\..\Run: [p4mW37S> chamoprp.exe O4 - HKLM\..\Run: [KzQhEzm.exe> c:\winnt\system32\KzQhEzm.exe O4 - HKLM\..\Run: [2yK3tAD> C:\winnt\system32\2yK3tAD.exe O4 - HKCU\..\Run: [Y356RXe6l> capsam.exe   O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/cab/installer_EMARKETMKR.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab   Now, with all windows closed except HiJackThis, click ' Fix checked'.   Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:   folders...       C:\WINNT\System32\vmss     C:\Program Files\SEP     C:\Program Files\eSyndicate     files...       C:\winnt\system32\KzQhEzm.exe     C:\WINNT\System32\qzizvyt.dll     C:\WINNT\SYSTEM32\QXNR9U0Y.EXE     C:\WINNT\System32\hkbusg.exe     C:\WINNT\System32\deskmon2.exe     C:\WINNTgloh.exe     C:\WINNT\irwuftj.exe     C:\WINNT\Qzyeaz.exe     C:\WINNT\System32
cxhts.exe     C:\WINNT\XtTb.exe     C:\WINNT\ssqb.exe     C:\winnt\system32\2yK3tAD.exe   -   Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from ' Safe Mode'.   Post back a new log, and let me know how everything goes.   -   Mike.

Starness · Answer

Mike, I did everything you said except for the part about 'locating and deleting the following files' Im not sure where or how I should locate them, I've run about 3 scans in the past 2 days with different prgrams and it seems everytime I run a scan theres the same amount of spyware and what not, Will it just keep coming back so fast? Thanks so much I really appreciate your help! :D   Logfile of HijackThis v1.99.0Scan saved at 6:20:56 PM, on 2/12/2005Platform: Windows XP  (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exec:\PROGRA~1\mcafee.com\vso\mcvsrte.exeC:\WINNT\System32\svchost.exeC:\WINNT\wanmpsvc.exec:\PROGRA~1\mcafee.com\vso\mcshield.exeC:\WINNT\Explorer.EXEC:\Program Files\DELL\AccessDirect\dadapp.exeC:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exeC:\WINNT\System32\ezSP_Px.exeC:\WINNT\System32\deskmon2.exeC:\WINNT\System32undll32.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Java\j2re1.4.2_06\bin\jusched.exeC:\PROGRA~1\mcafee.com\vso\mcvsshld.exeC:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\Bpt\bpt.exeC:\WINNT\System32\chamoprp.exec:\progra~1\mcafee.com\vso\mcvsescn.exeC:\Program Files\Microsoft AntiSpyware\gcasServ.exeC:\WINNT\System32\capsam.exeC:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXEC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\Program Files\America Online 8.0\aol.exeC:\Program Files\America Online 8.0\waol.exec:\Program Files\interMute\SpySubtract\SpySub.exeC:\Documents and Settings\Steve P. Ballaro\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dllO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initializeO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exeO4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -bootO4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXEO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exeO4 - HKLM\..\Run: [AOL Desktop Plus] C:\Program Files\Desktop Plus\Desktop Plus.exeO4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exeO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [cotnkzgowwcx] C:\WINNT\System32\hkbusg.exeO4 - HKLM\..\Run: [ab5d9bc11892] C:\WINNT\System32\deskmon2.exeO4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exeO4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exeO4 - HKLM\..\Run: [AutoLoaderpz5q1JPSaJIX] 'C:\WINNT\System32
cxhts.exe' /HideUninstall /PC='AM.WILD'O4 - HKLM\..\Run: [VSOCheckTask] 'c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe' /checktaskO4 - HKLM\..\Run: [VirusScan Online] 'c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe'O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exeO4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exeO4 - HKLM\..\Run: [BPT] 'C:\Program Files\Bpt\bpt.exe'O4 - HKLM\..\Run: [p4mW37S] chamoprp.exeO4 - HKLM\..\Run: [gcasServ] 'C:\Program Files\Microsoft AntiSpyware\gcasServ.exe'O4 - HKCU\..\Run: [PopUpStopperFreeEdition] 'C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE'O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dllO12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS
ppdf32.dllO16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{4F646CB6-1988-45D9-9C99-D732FC5D7D6C}: NameServer = 205.188.146.145O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeO23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exeO23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exeO23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exeO23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exeO23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exeO23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Midnight Star · Answer

Starness, How many systems do you have at that location? Mike.

Starness · Answer

What do you mean by systems?

Midnight Star · Answer

Starness,   If you have more than one computer where your posting from - we could leave the one we're trying to fix in 'Safe Mode', and see if we can clean it up that way, then post anything back that i'd need to see with another computer. Then, when we're done, try rebooting the infected system back into normal mode.   My first guess is we'll need to go in and manually edit those problems out of the registry.   -   Mike.

Starness · Answer

Mike, I do have another computer, The thing is, it is very unstable (basically I have to tape the ac adapter extremely tight to the machine or it shuts off, other than that its a perfect pretty new lap top :/) but thats a different story, It may shut off a few times but it's internet ready, So yes that would work fine. :D   Thanks!

PULLINGHAIR · Answer

Logfile of HijackThis v1.99.0
Scan saved at 1:44:55 AM, on 2/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\FIREWALL\PAVFIRES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\MY EBOOKS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"
O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

WELL MIDNIGHT STAR I HOPE THIS HELPS YOU IN TELLING WHATS WRONG WITH THIS D*** COMPUTER

Midnight Star · Answer

Starness,   Then it must be running windows ... :smileyvery-happy:  It's been a few days, so post back a fresh hjt log and let me see what we've got to work with.   -   Mike.

Midnight Star · Answer

pullinghair,   We need to get a new thread started for you, to keep this getting too confusing. Have you tried defragging and optimizing your harddrive lately?   Mike.

PULLINGHAIR · Answer

YES SURE HAVE DID ON BOTH COMPUTERS I DELETED SOME THINGS ON THAT LIST I POSTED TO YOU AND IT WORKED A LITTLE BIT BUT ITS STILL SLOW SO WHATS THE NEXT STEP WITH STARTING A NEW THREAD...  CHRIS

Virus & Spyware

NEED HELP COMPUTER RUNNING SLOOOOOOOOOOW

Was this post helpful?