Please help AGAIN!!!!!

lauren86 · #1 (**permalink**) 14-06-2006, 08:27 PM

Hi,
This is the third time I've had to ask for help on here!!! I just don't know what to do. I've had my laptop for about 6 months, and its running so slowly and everything keeps stopping responding!!! I have to wait about five or ten minutes before I can press start!!!! All I use my laptop for is uni work, msn and checking my mail. My brother has access to it too but I don't know what we're doing to it to make it so slow!!!!

I've run an adaware scan, ewido and AVG. All of them detected something, but I've destroyed them all now and it hasnt made a difference. I am also getting lots of pop-ups since I ran the scans.

Any help would be much appreciated.
Thank you

Here is my hyjackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:23:05, on 14/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\SZBREWLX\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141858597119
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.co...x/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

Neal · #2 (**permalink**) 14-06-2006, 10:09 PM

Hi,

Where are the popups from? Nothing in your log to indicate popups.

http://www.kaspersky.com/virusscanner

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
o Scan Options:
- Scan Archives
- Scan Mail Bases
* Click OK
*Now under select a target to scan:
o Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste that information in your next post.

lauren86 · #3 (**permalink**) 17-06-2006, 08:57 PM

hi, the scan said my laptop isnt infected. its just running so slowly, keeps stopping responding, and takes forever to close the windows when i've got programs running!! the pop-ups have been about washing machines, cars etc! There arent loads, but there are more than i usually have!

Thanks for your help

Neal · #4 (**permalink**) 18-06-2006, 12:07 AM

Washing machines??

Do you still have CCleaner? Might need to do some cleaning useing the windows tab only.

In case you don't...

To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner

Don't install any Toolbars, or other programs, should it ask you!Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.
Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.

Then Reboot (Exit)

Open Hijackthis.

Click the "Open the Misc Tools" section Button.

Click the "Open Uninstall Manager" Button.

Click the "Save list..." Button.

Save it to your desktop. Copy and paste the contents into your reply.

lauren86 · #5 (**permalink**) 20-06-2006, 07:44 PM

Thanks for this

Ad-Aware SE Personal
Adobe Reader 7.0.7
Agere Systems AC'97 Modem
AVG Free Edition
BT Openzone QuickTour
CCleaner (remove only)
Digital Camera
ewido anti-malware
ffdshow
HijackThis 1.99.1
Icatch(IV) Camera Driver
Ink
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 6
Kaspersky On-line Scanner
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
MSN Messenger 7.5
Panda ActiveScan
Realtek AC'97 Audio
S3 S3Chromo
S3 S3Config3D
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3 S3TrayPlus
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SmartCamera Ver 2.1
Ulead Photo Express 4.0 SE
UniChrome Pro IGP Display Driver and Utilities
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB893086

Lauren :-)

Neal · #6 (**permalink**) 20-06-2006, 09:23 PM

Well still nothing to indicate popups, run Ewido from safe mode and post the log.

Safe Mode:

Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

Also...

Please download WebRoot SpySweeper from HERE (It's a 14-day trial):

* Click Download Now to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply along with a fresh HJT log.

lauren86 · #7 (**permalink**) 21-06-2006, 06:15 PM

Thanks

********
17:18: | Start of Session, 21 June 2006 |
17:18: Spy Sweeper started
17:18: Sweep initiated using definitions version 703
17:19: Starting Memory Sweep
17:26: Memory Sweep Complete, Elapsed Time: 00:06:51
17:26: Starting Registry Sweep
17:26: Found Adware: command
17:26: HKLM\system\currentcontrolset\services\cmdservice\ (5 subtraces) (ID = 958670)
17:26: HKLM\system\currentcontrolset\enum\root\legacy_cmd service\0000\ (6 subtraces) (ID = 1016064)
17:26: HKLM\system\currentcontrolset\enum\root\legacy_cmd service\ (8 subtraces) (ID = 1016072)
17:26: Found Adware: findthewebsiteyouneed hijack
17:26: HKU\S-1-5-21-3018332914-1052143815-2092372733-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
17:26: Found Adware: systemprocess
17:26: HKU\S-1-5-21-3018332914-1052143815-2092372733-1006\software\system process\ (1 subtraces) (ID = 860389)
17:26: HKU\S-1-5-21-3018332914-1052143815-2092372733-1006\software\system process\ || lastptime (ID = 860390)
17:26: Registry Sweep Complete, Elapsed Time:00:00:26
17:26: Starting Cookie Sweep
17:26: Found Spy Cookie: atlas dmt cookie
17:26: lauren@atdmt[1].txt (ID = 2253)
17:26: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:26: Starting File Sweep
18:07: n3iywapr.vbs (ID = 185675)
18:08: File Sweep Complete, Elapsed Time: 00:41:37
18:08: Full Sweep has completed. Elapsed time 00:49:24
18:08: Traces Found: 28
18:12: Removal process initiated
18:13: Quarantining All Traces: command
18:13: Quarantining All Traces: findthewebsiteyouneed hijack
18:13: Quarantining All Traces: systemprocess
18:13: Quarantining All Traces: atlas dmt cookie
18:13: Removal process completed. Elapsed time 00:01:07
********
17:15: | Start of Session, 21 June 2006 |
17:15: Spy Sweeper started
17:16: Your spyware definitions have been updated.
17:18: | End of Session, 21 June 2006 |

its not so much the pop ups that are bothering me, its how slow my laptop is and how everything stops responding all the time!!! Thank you :-)

Neal · #8 (**permalink**) 21-06-2006, 11:59 PM

No difference huh?

Ewido from safe mode please as explained above.

Also do this...

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down and look to see if you have a service called command service or cmd service.

Let me know if it is there.

lauren86 · #9 (**permalink**) 22-06-2006, 02:20 PM

hey, sorry! I did Ewido in safe mode yesterday but forgot to post the log. I did a full system scan and it found 6 infections. Did a quick scan today. Here's the log:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 14:08:30, 22/06/2006
+ Report-Checksum: B9945F31

+ Scan result:

C:\Documents and Settings\Lauren\Cookies\lauren@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@adviva[1].txt -> TrackingCookie.Adviva : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wfkyglazwlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wfl4godpsgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wfl4uhcpago.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wjl4qiazsco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wjl4uodpmap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wjlismdpeeq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wjlisod5sbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wjmyehdpmfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@e-2dj6wjmyoncjiep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

::Report End

There is no service called command service or cmd service?!?!

Thank you!!

Neal · #10 (**permalink**) 22-06-2006, 08:42 PM

Well, don't know where to turn now. No signs of anything causeing popups but running adaware SE and windows defender at the same time could cause a conflict and slow down and now we have added spysweeper into the mix also, so you have those three programs running at the same time. Is Ewido running in the background or has the subscription expired.

Please download MWav eScan to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.

I need you to run MWav by double-clicking on mwav.exe
Put a check next to the below items before scanning:

Memory
Startup Folders
Drive - All Local Drives
Folder - then click "browse" to change the directory to C: (default is C:\Windows)
Registry
System Folders
Services
Include Sub-Directory
Scan All Files

Please make sure ALL of these are checked, then press the Scan button.

*NOTE* MWav may pause and appear to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". Once the scan is complete, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely big so there is no way to post the whole log. I just need the infected items list from that window.