
Author Topic: Newbie help please!!  (Read 12697 times)


dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: Newbie help please!!
    « Reply #15 on: April 26, 2005, 12:47:10 PM »
    tony_g........Several things ........Slow loading could well be the work of spyware , adware or even trojans .......
    HijackThis was designed to clean out hijackers , however , I have noticed that it does a pretty good job of pointing out trojans as well .
    A page hijacker is a pest that changes your home page from what you want to something else .
    I would consider making sure your pc is clean of spyware and adware ......as FED has suggested.
    Please go to ...... http://www.microsoft.com/athome/security/spyware/software/default.mspx   and download Antispyware Beta .....it is free and is fully functional .......( and it works very well )

    Run Antispyware and delete what it finds ......

    let us know

    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    tony_g

    • Guest
    Re: Newbie help please!!
    « Reply #16 on: April 26, 2005, 02:59:04 PM »
    dl65, I have done as you suggested and downloaded Microsoft AntiSpyware and it found only AT Games (Adware), so I removed it. Restarted computer and set IE as default browser again but it still almost shuts down and loads really slowly. What I'm a bit confused with regarding HijackThis is when I click the programs it recommends or is not sure of and delete them (or fix them), I run another scan and they are still there. It's still running good on Firefox but I'm worried in case someone has real time access to my system. Thanks again for your suggestions. BTW in case you wonder about the times of posting, I'm in the UK. As a non computer expert I would also like to know what should be running in Task Manager to allow normal operation, as I seem to have a huge list of things, some with mem usage of 20meg. Is this normal?
    Tony

    tony_g

    • Guest
    Re: Newbie help please!!
    « Reply #17 on: April 26, 2005, 03:45:50 PM »
    OK, I thought I had a breakthrough there but no! I ran Antispyware again, this time with a deep scan instead of a quick one, and got the following detected:
    windows Adtools Adware (2 signatures)
    Megasearch Toolbar Settings Modifier
    SecondThought. A Trojan (2 signatures)
    LinkReplacer Browser Plug-in
    Trojan. Startup.Xhrmy  (3 signatures)
    PowerReg (3 signatures)


    I removed all except PowerReg, which I quarantined, and restarted computer but still the same.
    Interestingly, when it was scanning, a couple of times the computer went into the hard drive shutting down and immediately back on, as I experience when IE loads; whether that's of any significance I don't know. I have all the set up discs from when the computer was delivered (Dell laptop) and I'm now thinking would a total re-install be worthwhile? If so I don't know where to start. The blue screen is scary to me    ???

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Newbie help please!!
      « Reply #18 on: April 26, 2005, 04:48:55 PM »
      tony_g ......You say ...

      "What i'm a bit confused with regarding hijackthis is when i click the programs it recommends or is not sure of and delete them (or fix them) ."

      What programs is hijackthis telling you to click on ......
      hijackthis is just a removal program . You just put a mark in the square in front of the item number and when you click on fix marked ....those entries are removed .

      I sent you a number of entries which you must remove from your system .......So to do this .........have hijackthis open ...and then put a check mark in the box in front of the appropriate item number.........using the list I sent you to identify which item to remove .  ( there are 7 to be marked )  Next click on "fix checked"  now reboot and post the changed log file here for me to look at .

      dl65  ::)
      If you don't know the answer, it isn't a dumb question.

      tony_g

      • Guest
      Re: Newbie help please!!
      « Reply #19 on: April 27, 2005, 12:06:45 AM »
      I was doing that in regard to checking the relevant boxes and restarting etc but it kept showing :    O23 - Service: Windows Login (Ex) - Unknown owner - C:\WINDOWS\System32\explored.exe" -service (file missing)
      new log file is:

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\S24EvMon.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
      C:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\WINDOWS\System32\RegSrvc.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ZCfgSvc.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\System32\1XConfig.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\BCMSMMSG.exe
      C:\Program Files\Apoint\Apoint.exe
      C:\Program Files\Dell\QuickSet\quickset.exe
      C:\WINDOWS\system32\dla\tfswctrl.exe
      C:\WINDOWS\System32\DSentry.exe
      C:\Program Files\Dell\Media Experience\PCMService.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
      C:\Program Files\Error Nuker\bin\ErrorNuker.exe
      C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
      C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
      C:\Program Files\Apoint\Apntex.exe
      C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\Outlook Express\msimn.exe
      C:\Program Files\Norton AntiVirus\OPScan.exe
      C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
      C:\DOCUME~1\tg1\LOCALS~1\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
      O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
      O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
      O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

      tony_g

      • Guest
      Re: Newbie help please!!
      « Reply #20 on: April 27, 2005, 12:08:00 AM »
      O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
      O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
      O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
      O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
      O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
      O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
      O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
      O4 - HKCU\..\Run: [1] Ô
      O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
      O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
      O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
      O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{361A4952-E807-4400-BEBD-B4375CED78EF}: NameServer = 195.92.195.95 195.92.195.94
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
      O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
      O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
      O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
      O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
      O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

      hope this is of some use. Tony.

      dl65

      • R.I.P.


      • Prodigy

        Thanked: 18
        Re: Newbie help please!!
        « Reply #21 on: April 27, 2005, 12:22:19 AM »
        tony_g......Well , I just went through the latest log and it appears to be clean.
        How is the pc running now ?

        dl65  ::)
        If you don't know the answer, it isn't a dumb question.

        Fed

        • Moderator


        • Sage
        • Thanked: 35
          • Experience: Experienced
          • OS: Windows XP
          Re: Newbie help please!!
          « Reply #22 on: April 27, 2005, 01:04:09 AM »
          Tony, this is off the cwshredder program splash screen.
          --------------
          This tool will find and destroy all traces of the
          CoolWebSearch (CWS) hijacker on your system. This
          includes:

          * Redirections to CoolWebSearch related pages
          * Redirections when mistyping URLs
          * Redirections when visiting Google
          * Enormous IE slowdowns when typing
          * IE start page/search page changing on reboot
          * Sites in the IE Trusted Zone you didn't add
          * Popups in Google and Yahoo when searching
          * Errors at startup mentioning WIN.INI or IEDLL.EXE
          * Unable to access antispyware tools or sites

          Click 'Fix' to start removing the infection.
          --------------------------

          It gets down to, not all tools detect all problems (we wish) so a layered approach is best, updating these tools is also essential because they make new signatures as the bugs appear.

          tony_g

          • Guest
          Re: Newbie help please!!
          « Reply #23 on: April 27, 2005, 11:12:37 AM »
          Fed, I'll try that later when I'm home, thanks mate.  dl65, I ran it again after reboot but still the same.  When I connect to IE the computer (laptop) makes a sound I can only describe as a pool ball dropping onto a table and all whirring from h/d stops for about a second; it gradually comes back into play and continues to load very slowly. Could it be a settings thing that has been changed by a virus that is no longer there? Also I tried a system restore last night and I tried as far back as Feb 6th and it said I cannot restore to this point although the dates I tried were the bold type, which makes me think this has been affected too  ???

          dl65

          • R.I.P.


          • Prodigy

            Thanked: 18
            Re: Newbie help please!!
            « Reply #24 on: April 27, 2005, 01:47:56 PM »
            tony_g.....Odd , if you had turned off the system restore feature ......you shouldn't have been able to go back ......... The pest may well be in the system restore files .....and when you do a restore you bring them back ....


            dl65  ::)
            If you don't know the answer, it isn't a dumb question.

            tony_g

            • Guest
            Re: Newbie help please!!
            « Reply #25 on: April 27, 2005, 01:53:16 PM »
            It does seem odd but I guess if it's in there (sys restore) it would stop me going to a known good time. Another little suspect thing I thought of is in the log files it lists IP address(es) starting with 195.92 but when I just looked at my properties from task bar screen icons it lists client IP address as another number beginning with 84.65. Am I the said client and should I delete the files with the other numbers in?

            dl65

            • R.I.P.


            • Prodigy

              Thanked: 18
              Re: Newbie help please!!
              « Reply #26 on: April 27, 2005, 02:23:36 PM »
              tony_g  .....  It didn't show up as a threat .....but remove it and see .....it shouldn't hurt anything

              O17 - HKLM\System\CCS\Services\Tcpip\..\{361A4952-E807-4400-BEBD-B4375CED78EF} : NameServer = 195.92.195.95 195.92.195.94

              The following is right from M/S.....

              While this is a desirable feature, in some cases it should be temporarily turned off. For example, if the computer is infected with a virus, then it is possible that the virus could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could restore a virus-infected file, or that the on-line scanners would detect the virus in that location.

              Once system restore is turned off .......all previous restore points are deleted .

              let us know

              dl65  ::)
              « Last Edit: April 27, 2005, 02:30:04 PM by dl65 »
              If you don't know the answer, it isn't a dumb question.
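
Added example (not part of any poster's message, and not HijackThis's own logic): a small Python triage pass over HijackThis-format lines that pulls out the three kinds of entry this thread ends up examining by hand, namely the O23 service marked "Unknown owner ... (file missing)", the O17 static NameServer entry, and an O4 autorun whose value names no executable. The function name, the rules and the extension list are assumptions of this example; the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: five entries copied from the log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [1] Ô
O17 - HKLM\System\CCS\Services\Tcpip\..\{361A4952-E807-4400-BEBD-B4375CED78EF}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Windows Login (Ex) - Unknown owner - C:\WINDOWS\System32\explored.exe" -service (file missing)
'''

ENTRY = re.compile(r'^(O\d+)\s+-\s+(.*)$')                    # "O23 - <body>"
RUN = re.compile(r'^(HK\w+)\\.*?\\(Run\w*): \[(.*?)\] (.*)$')  # O4 registry autorun
# Assumed list of extensions that count as "names an executable".
EXECUTABLE = re.compile(r'\.(exe|dll|com|bat|cmd|scr|pif|vbs|js)\b', re.I)
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def triage(log_text):
    """Return (section, reason, entry) tuples for entries worth a manual look.

    A finding is a prompt to investigate, not a verdict that the entry is bad.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        if section == 'O23':
            # Service with no vendor string, or whose binary is gone from disk.
            reasons = [t for t in ('Unknown owner', '(file missing)') if t in body]
            if reasons:
                findings.append((section, 'service: ' + ', '.join(reasons), body))
        elif section == 'O17' and 'NameServer' in body:
            # Static DNS servers: list them so they can be checked with the ISP.
            ips = IPV4.findall(body.partition('=')[2])
            findings.append((section, 'static DNS: ' + ' '.join(ips), body))
        elif section == 'O4':
            run = RUN.match(body)
            if run and not EXECUTABLE.search(run.group(4)):
                findings.append((section, 'autorun value names no executable', body))
    return findings


if __name__ == '__main__':
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f'{section:4} {reason}\n     {entry}')
```
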

              merlin_2

              • Guest
              Re: Newbie help please!!
              « Reply #27 on: April 27, 2005, 04:00:40 PM »
              go to blackviper.com.....and disable services......or type msconfig....in the run box......do you  have a celeron cpu.??are you on wanadoo ...broadband......or dial up....are you networking this pc.....norton  anti-virus will slow down a pc?try advanced system optimizer.....from major geeks.com or free ram xp.....

              tony_g

              • Guest
              Re: Newbie help please!!
              « Reply #28 on: April 27, 2005, 04:16:30 PM »
              merlin_2 hi. Yes, I have Celeron and broadband Wanadoo. Not networking. I am running Norton but I just uninstalled 05 and left 04 on after doing live update and scan.
              What does the msconfig do?  Also what will disable services do in blackviper? Sorry for the q's but I'm at the end of my tether and contemplating ripping out the hard drive

              Fed

              • Moderator


              • Sage
              • Thanked: 35
                • Experience: Experienced
                • OS: Windows XP
                Re: Newbie help please!!
                « Reply #29 on: April 27, 2005, 05:07:35 PM »
                Sadly Blackviper has been off the air for some time now, I hope it's only a temporary thing.  :(
                You can search google for cached copies of the old blackviper site & save it to your computer though.