4.8K Posts

January 27th, 2005 23:00

jbfowler,

For starters, let's try this...



Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.



Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:

1. Click "Scan"
2. Click "Save log"

Notepad will pop up with a copy of your system log, then:

1. "Edit | Select all"
2. "Edit | Copy"

Next, let's "Reply" back to this post, then:

1. Right-click on the message body.
2. Select "Paste"

Then just "Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).



Mike.

4 Posts

January 28th, 2005 00:00

Thanks for trying to help me!! The trendmicro scan would not work on my comp....but I did get the hijackthis to work and this is what I received!! Thanks

Logfile of HijackThis v1.99.0
Scan saved at 8:50:24 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\winfirewall.exe
C:\WINDOWS\System32\scvhostingg.exe
C:\crash.exe
C:\WINDOWS\System32\lssrv.exe
C:\windows\system32\gjeqef.exe
C:\WINDOWS\System32\windowsmedia.exe
C:\WINDOWS\System32\aol.exe
C:\WINDOWS\System32\mslsass.exe
C:\WINDOWS\System32\aolmsgr.exe
C:\WINDOWS\System32\svlsass.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\windows\system32\calc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msmsgv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\aol.exe
C:\Documents and Settings\Justin\Local Settings\Temp\Temporary Directory 10 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [lameshit] C:\crash.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [gjeqef] c:\windows\system32\gjeqef.exe
O4 - HKLM\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\Run: [WinSYs startup] windowsmedia.exe
O4 - HKLM\..\Run: [starter] scvhostingg.exe
O4 - HKLM\..\Run: [Windows Autolauncher] aol.exe
O4 - HKLM\..\Run: [Microsoft LSASS Service] mslsass.exe
O4 - HKLM\..\Run: [Aol CLient STarter] aolmsgr.exe
O4 - HKLM\..\Run: [Microsoft SVHOST32 Service] svlsass.exe
O4 - HKLM\..\Run: [Windows32 Messenger Service] msmsgv.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WinSYs startup] windowsmedia.exe
O4 - HKLM\..\RunServices: [Windows Services] windowsfix.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunServices: [Microsoft SVHOST32 Service] svlsass.exe
O4 - HKLM\..\RunServices: [starter] scvhostingg.exe
O4 - HKLM\..\RunServices: [Windows Autolauncher] aol.exe
O4 - HKLM\..\RunServices: [Microsoft LSASS Service] mslsass.exe
O4 - HKLM\..\RunServices: [Aol CLient STarter] aolmsgr.exe
O4 - HKLM\..\RunServices: [Windows32 Messenger Service] msmsgv.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunOnce: [starter] scvhostingg.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [starter] scvhostingg.exe
O4 - HKCU\..\Run: [Windows Autolauncher] aol.exe
O4 - HKCU\..\Run: [Aol CLient STarter] aolmsgr.exe
O4 - HKCU\..\Run: [Microsoft LSASS Service] mslsass.exe
O4 - HKCU\..\Run: [Microsoft SVHOST32 Service] svlsass.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\RunOnce: [starter] scvhostingg.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/alien.cab
O21 - SSODL: mtklefa - {06245560-E6F9-4ADB-B782-C362DB0387BD} - C:\WINDOWS\System32\algtct32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
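The O4 lines in the log above are the autorun entries HijackThis reads from the Run, RunServices and RunOnce keys, and they carry most of the signal an analyst uses to pick out the infection: bare filenames with no path, the same binary registered under several keys, a display name that imitates a Windows component, and an executable sitting in the root of C:. The following script is an added example, not part of the original thread or of HijackThis itself; it applies those heuristics to a constructed sample made of a few O4 lines excerpted from the log, with two legitimate entries (Spyware Doctor, AIM) kept for contrast. The function names and the list of "system-sounding" words are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the O4 (autorun) lines from the
# HijackThis log posted above, plus two legitimate entries from the same
# log (Spyware Doctor, AIM) so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [lameshit] C:\crash.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [gjeqef] c:\windows\system32\gjeqef.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [Windows Services] windowsfix.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<display name>] <command line>"
ENTRY_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Shortest prefix ending in an executable extension, so an unquoted path
# with spaces (C:\Program Files\...) is not cut at the first space.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")
# Words commonly used to make a display name look like part of Windows
# (a heuristic chosen for this example, not an authoritative list).
SYSTEM_WORDS = ("microsoft", "windows", "win32", "service", "lsass", "svhost", "svchost")


def executable_of(command):
    """Return the program part of an autorun command line, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def basename(exe):
    return exe.rsplit("\\", 1)[-1].lower()


def parse_o4(log_text):
    """Parse every O4 line into hive, registry key, display name and executable."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        entries.append({"line": raw.strip(), "hive": hive, "key": key,
                        "name": name, "exe": executable_of(command)})
    return entries


def triage(log_text):
    """Map each O4 line that trips a heuristic to its sorted list of reasons.

    Lines with no findings are omitted, and absence is not a clean bill of
    health: gjeqef.exe above has a full System32 path and a bland name, so
    only the analyst's eye catches it.
    """
    entries = parse_o4(log_text)
    keys_per_exe = defaultdict(set)
    for e in entries:
        keys_per_exe[basename(e["exe"])].add((e["hive"], e["key"]))

    findings = {}
    for e in entries:
        exe, name = e["exe"], e["name"].lower()
        reasons = []
        if "\\" not in exe and ":" not in exe:
            # Resolved via the search path at logon: we cannot tell where it lives.
            reasons.append("bare filename (no path)")
        if DRIVE_ROOT_RE.fullmatch(exe):
            reasons.append("executable in drive root")
        n_keys = len(keys_per_exe[basename(exe)])
        if n_keys > 1:
            # Run + RunServices (+ RunOnce, + HKCU) for one binary: redundant persistence.
            reasons.append(f"registered under {n_keys} autorun keys")
        if any(w in name for w in SYSTEM_WORDS):
            reasons.append("system-sounding display name")
        if reasons:
            findings[e["line"]] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
```

Run against the sample, the script flags every one of the entries Mike later tells jbfowler to fix except gjeqef.exe, and leaves the two legitimate entries alone; the point of the heuristics is to order the analyst's attention, not to replace it.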

4.8K Posts

January 28th, 2005 02:00

jbfowler,

I'm surprised that system is still standing ... :) - one quick question: Are you using AOL as your internet service provider?

-

Mike.

4.8K Posts

January 28th, 2005 02:00

jbfowler,

Let's see what we can do...




Go to Add/Remove programs and remove (uninstall) the following, if present:

Web Related

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.



Next, open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

lssrv.exe
windowsmedia.exe
windowsfix.exe
winfirewall.exe
svlsass.exe
scvhostingg.exe
aol.exe
mslsass.exe
aolmsgr.exe
msmsgv.exe

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.



Run HiJackThis, then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\winfirewall.exe
C:\WINDOWS\System32\scvhostingg.exe
C:\crash.exe
C:\WINDOWS\System32\lssrv.exe
C:\windows\system32\gjeqef.exe
C:\WINDOWS\System32\windowsmedia.exe
C:\WINDOWS\System32\aol.exe
C:\WINDOWS\System32\mslsass.exe
C:\WINDOWS\System32\aolmsgr.exe
C:\WINDOWS\System32\svlsass.exe
C:\WINDOWS\System32\msmsgv.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.



Before we begin, let's move HiJackThis to its own folder, like C:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, and with HiJackThis in its current location we'd lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder for HiJackThis, if present.



Run HiJackThis and click "Scan", then check (tick) the following, if present:


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [lameshit] C:\crash.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [gjeqef] c:\windows\system32\gjeqef.exe
O4 - HKLM\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\Run: [WinSYs startup] windowsmedia.exe
O4 - HKLM\..\Run: [starter] scvhostingg.exe
O4 - HKLM\..\Run: [Windows Autolauncher] aol.exe
O4 - HKLM\..\Run: [Microsoft LSASS Service] mslsass.exe
O4 - HKLM\..\Run: [Aol CLient STarter] aolmsgr.exe
O4 - HKLM\..\Run: [Microsoft SVHOST32 Service] svlsass.exe
O4 - HKLM\..\Run: [Windows32 Messenger Service] msmsgv.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WinSYs startup] windowsmedia.exe
O4 - HKLM\..\RunServices: [Windows Services] windowsfix.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunServices: [Microsoft SVHOST32 Service] svlsass.exe
O4 - HKLM\..\RunServices: [starter] scvhostingg.exe
O4 - HKLM\..\RunServices: [Windows Autolauncher] aol.exe
O4 - HKLM\..\RunServices: [Microsoft LSASS Service] mslsass.exe
O4 - HKLM\..\RunServices: [Aol CLient STarter] aolmsgr.exe
O4 - HKLM\..\RunServices: [Windows32 Messenger Service] msmsgv.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunOnce: [starter] scvhostingg.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [starter] scvhostingg.exe
O4 - HKCU\..\Run: [Windows Autolauncher] aol.exe
O4 - HKCU\..\Run: [Aol CLient STarter] aolmsgr.exe
O4 - HKCU\..\Run: [Microsoft LSASS Service] mslsass.exe
O4 - HKCU\..\Run: [Microsoft SVHOST32 Service] svlsass.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\RunOnce: [starter] scvhostingg.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/alien.cab

O21 - SSODL: mtklefa - {06245560-E6F9-4ADB-B782-C362DB0387BD} - C:\WINDOWS\System32\algtct32.dll (file missing)

O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\WINDOWS\System32\winfirewall.exe
C:\WINDOWS\System32\scvhostingg.exe
C:\crash.exe
C:\WINDOWS\System32\lssrv.exe
C:\windows\system32\gjeqef.exe
C:\WINDOWS\System32\windowsmedia.exe
C:\WINDOWS\System32\aol.exe
C:\WINDOWS\System32\mslsass.exe
C:\WINDOWS\System32\aolmsgr.exe
C:\WINDOWS\System32\svlsass.exe
C:\WINDOWS\System32\msmsgv.exe

Search for...

lssrv.exe
winfirewall.exe
windowsmedia.exe
scvhostingg.exe
aol.exe
mslsass.exe
aolmsgr.exe
svlsass.exe
msmsgv.exe
windowsfix.exe

...using "Start | Search...".



Don't reboot just yet, and post back a new log.

-

Mike.

4 Posts

January 28th, 2005 02:00

Hello!! Nah....I don't use AOL as my internet provider....do I have any hope of fixing my computer?? Thanks for your help so far by the way!! I REALLY appreciate it!!

4.8K Posts

January 28th, 2005 02:00

jbfowler,

Also, if you're not using an anti-virus program, let's get one on your computer. It's free to download and use:

http://free.grisoft.com/doc/2/lng/us/tpl/v5

If you're not using a firewall, let's get one on your system; this is also free:

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

-

Mike.

4 Posts

January 28th, 2005 05:00

Hello again!! I completed every step that you told me but my computer is still running at 100% but the svchost.exe is running at like 95-98....and the hijackthis program would not allow us to delete it when we opened the process feature. Thanks for the help....if you know how to get rid of this please help!! Thanks a lot!! Here is my latest log

Logfile of HijackThis v1.99.0
Scan saved at 2:02:50 AM, on 1/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
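What Mike does next with this second log is compare it against the first: the O4 autorun entries and their processes are gone, the dangling R3 hook is still there, and a BHO (Ceres.dll) that was not in the first log has appeared. The script below is an added example, not part of the original thread or of HijackThis; it automates that before/after comparison on constructed excerpts of the two logs posted here (only a few lines of each are reproduced). The function names are my own.

```python
import re

# Constructed sample: excerpts from the two logs posted in this thread, the
# first taken before the cleanup steps and the second after them.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\crash.exe
C:\WINDOWS\System32\lssrv.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O21 - SSODL: mtklefa - {06245560-E6F9-4ADB-B782-C362DB0387BD} - C:\WINDOWS\System32\algtct32.dll (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""

# HijackThis section lines start with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - "; running-process lines are absolute .exe paths.
SECTION_RE = re.compile(r"^[RFNO]\d+ - ")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def split_log(log_text):
    """Return (running processes, section entries) as sets of normalised lines."""
    processes, entries = set(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            entries.add(line)
        elif PROCESS_RE.match(line):
            # Windows paths are case-insensitive; the logs mix System32/system32.
            processes.add(line.lower())
    return processes, entries


def compare_logs(before, after):
    """Diff two HijackThis logs taken from the same machine.

    Entries that are new after a cleanup are the interesting ones: either a
    component the first scan did not show or a fresh drop, and either way
    the machine is not clean yet. Entries that persist despite having been
    ticked for 'Fix checked' also deserve a second look.
    """
    proc_before, ent_before = split_log(before)
    proc_after, ent_after = split_log(after)
    return {
        "new_entries": sorted(ent_after - ent_before),
        "removed_entries": sorted(ent_before - ent_after),
        "persisting_entries": sorted(ent_after & ent_before),
        "new_processes": sorted(proc_after - proc_before),
        "gone_processes": sorted(proc_before - proc_after),
    }


def dangling(entries):
    """Entries whose target file no longer exists: leftover pointers, not live code."""
    return [e for e in entries if "(no file)" in e or "(file missing)" in e]


if __name__ == "__main__":
    report = compare_logs(BEFORE_LOG, AFTER_LOG)
    for section, lines in report.items():
        print(f"{section} ({len(lines)})")
        for line in lines:
            print("   ", line)
    print("dangling after cleanup:", dangling(report["persisting_entries"]))
```

On these excerpts the report shows one new entry (the Ceres.dll BHO), the two lssrv.exe autoruns and the two file-missing entries removed, crash.exe and lssrv.exe no longer running, and the R3 hook still present as a dangling pointer, which is exactly the list Mike works from in his next post.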

4.8K Posts

January 28th, 2005 11:00

jbfowler,
 
We can get rid of svchost.exe; that's a required system process. Let's see if we can try running the trendmicro scan again, then get the rest of this off your system. If not, let me know and we'll get you the program we need to clean your system up the rest of the way.
 


Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.
 


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u Ceres.dll

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.



Run HiJackThis and click "Scan", then check (tick) the following, if present:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) 
 
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll 

Now, with all windows closed except HiJackThis, click "Fix checked".
 


Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
 
files...
 
    C:\WINDOWS\Ceres.dll
 


Post back a new log.
 
-
 
Mike.
 