Computer very slow...

I was a little unsure if maybe I should have posted on Internet and Outlook Express. But I am also having problems with my OS so I though I should post here. I will TRY to make this a short story...It started Sunday morning when I tried open up I (at the time I knew nothing of how spyware worked, but I have since removed Incredimail and Kazaa). It took a very long time to open up. I then tried to go onto the Internet. This also took a long time for my homepage to come up. At the time, when I tried to open Outlook Express I thought that it too was not working. I would wait for a couple of minutes and then press Ctrl+Alt+Delete and it would tell me the program was "not responding" and then I would shut down the program (this happened with any of the programs using the internet, including Spybot and AdAware updates). What I finally figured out was that if I just waited long enough and didn't press Ctrl+Alt+Delete the program would EVENTUALLY come around. During this time quite a few of my desktop programs were acting strange. I would click on them and nothing would happen. I couldn't empty my recycle bin - it would stop responding. Here is what I have done so far.

1. Pressed Ctrl+Alt+Delete and only ran the necessary programs.
2. Ran msconfig and stopped all unecessary programs from startup.
3. Ran AVG 6.0 and checked for viruses (none found).
4. Ran Spybot and Adaware and deleted all found files.
5. Downloaded and ran Trojan Remover.
6. Ran Scandisk.
7. Defragged.
8. Ran hijackthis and had someone guide me thru removal.
9. I eventually did get an update for Spybot and AdAware. Spybot said I was clean and AdAware found new ones (which I deleted, but saved the log).

Once strange note - this was in my hijackthis scan
"06-HKCU\Software\Policies|Microsoft\Internet Explorer\Toolbars\Restrictions Present" I was told to remove this and have tried 3 times, but it is still in there. I don't know if this means anything...Also when I click once on my Internet icon from my desktop - before my homepage comes up, a second one starts and looks for my homepage (?)

I really don't know what any of this means, but I would GREATLY appreciate and be forever grateful for all and any help.

Thanks
Kim


I have plenty of disc space and 512ram.

 

I would say something is still there. First run CWShedder, then post a HijackThis on here so it can be looked at.
The links are below.

 

CWShredder v1.56.3 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: Home

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (9820 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2364 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -
Logfile of HijackThis v1.97.7
Scan saved at 9:10:31 PM, on 25/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\KIM'S FOLDER\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS06
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scotiaonline.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [HoChiMinhTrailSetup.exe] C:\MYDOCU~1\DOWNLO~1\VIETNA~1.EXE /r
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.5145023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: DigiChat Applet - http://host2.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = golden.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = golden.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 199.166.210.2,199.166.210.5


Also, I don't know if this has anything to do with my problem, but I have read that newdot.net can do alot of damage. I know for certain that I have seen this name in windows explorer and that I have deleted it.

Thanks,
Kim

 

Sorry - little bit of confusion on my part. I have now Ran CWShredder and it tells me it found nothing and that I am clean.

Kim

 

Newdot.net can do some damage, especially if you just delete the folder to get rid of it. One of it's files is put into your winsock or is part of your internet connection. You need to get and run LSPfix.Exe
Would you take a look into your registry? Go to Start\Run, type in Regedit and press Enter. Navigate to this key in the left pane.
HKEY_CLASSES_ROOT\txtfile\shell\open\command
Look in the right pane, and you will see [default], make sure it says "C:\WINDOWS\NOTEPAD.EXE %1" there next to it..
I only ask this as I did not see the original HijackThis log, and I do not see anything starting up that would put the control panel restriction back, but there is a piece of malware that will alter the above so that when you open a text file, it changes things back.
It would not be a bad idea to go to Housecall for a second opinion for a virus scan, the link is below.

 

After doing the things markp62 suggested, scan again and fix these.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS06
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scotiaonline.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico


Unless there's a reason for this to run on startup, fix this also.

O4 - HKLM\..\Run: [HoChiMinhTrailSetup.exe] C:\MYDOCU~1\DOWNLO~1\VIETNA~1.EXE /r

From start>programs select Spybot>advanced mode, click the immunize button and see if there is a check in the lock IE control panel box. If so uncheck it and fix this entry too.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

Uninstall information for new.net.

I also suggest you do a scan with RAV.

Run disk cleanup. I do it like this. Start>run and type cleanmgr /sageset:1 hit enter. Check all boxes and OK out. Start>run and type cleanmgr /sagerun:1 hit enter. Open the applog folder in C:\Windows, select all and delete.

 

I followed all of the above in both posts:

- Downloaded and ran LSPfix.
- Went into Registry - does say "C:\WINDOWS\NOTEPAD.EXE %1 ".
- When I tried to scan with Housecall my server kept dropping the connection.
- Ran hijackthis and completed fixes.
- Checked with Spybot and there was not a check in the IE control panel box - so I didn't try to fix 06 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present.
(when I first clicked on immunize in Spybot it said "WARNING "o bad products already blocked. 506 additional protections possible. Please immunize ". I did not do this, but should I and does it mean anything?
- Downloaded and ran uninstall6_22.exe from newdot.net.
- Did an online scan with Rav - it gave me an option to "auto clean" which I did not check. Only found 1 thing - C:\windows\motive\bell canada\mccinstall.ini IRC/generic*->suspicious.
- Ran diskcleanup and deleted all items in C:\windows\applog.

Nothing has changed.

Any more ideas?

Thanks,
Kim

 

Because of the lack of information I was able to find on that file, I just got off the phone with Sympatico Tech. Support. They felt the file was suspicious also, because;

1. It's located in the windows folder
2. The subfolder name is bell canada

They said that any folder names should be Sympatico or Bell Sympatico. Inquired about their thoughts on first moving the motive folder to another location and reboot to see if problems arise and deleting in the case of no problems. They felt that was sound advice and that at worst, internet service software/connection would need to be restored.(that's if you just deleted it, rather than moving first, and lost connectivity or functionality) Also stated that a phone call to them would be all that's needed??

I should have said to fix the O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present entry regardless. Looking into the immunize box was only to see if it was checked. Whether or not you use the immunize feature is completely up to you. It installs a HOSTS file which blocks access to and from many undesirable sites and protects from drive-by installs of alot of spyware.

I recommend moving the motive folder out of the windows folder, scanning with HJT again and fixing the 06 entry, reboot, do another HJT scan and post the log. If no ill effects from moving the folder, say after an hour or so, delete it.

 

Dave:

I have tried to fix the 06 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restirctions present entry numerous times - after I check the box beside it - click on fix - reboot - it is still anyways there ... Also, did you want me to move the whole Motive folder or just the suspicious file? In the motive folder there are a couple of things I think have to do with Access Manager with Bell Sympatico. I did move just the file, but let me know and I can move the whole folder.

Thanks,
Kim

 

I suppose just the file is sufficient. I'd like to have a copy of that file too. If you don't mind sending, PM me for email addy. Have you fixed that 06 entry since all of the latest cleanups?

 

Just tried fixing the 06 entry about 2 minutes ago. Still there


Kim

 

Are you able to access the internet options from the tools button on your browser? If not navigate to HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions. Right click the NoBrowserOptions (assuming that's the string name) and select modify. If in effect the value will be 1. Change to 00 00 00 00. Close regedit, log off and back on, check IE Options again.

 

Dave:

Thank you for all you help so far ... hope you are not losing patience with me yet

I just read your last post and I'm sorry, but I'm not following you.
I am able to access internet options from the tools button on my browser. BUT I don't have a clue how to navigate to where you wanted me to go

Kim

P.S. I just came back on the internet now and my server kept dropping my connection while my browser took forever to open to my homepage. I moved the suspicious file back to where it was originally - rebooted - and then my browser opened up

 

Quite alright, I'm not losing patience. To navigate to that place, go to start>run and type regedit. Click the + signs to open each key, starting with HKEY_CURRENT_USER. When you get to the 'restrictions' key click on it and you will see a string in the right pane which identifys a NoSomethingOption with a value of 1. May look like 01 00 00 00 or 0x00000001. Right click the string, choose modify and change to zero. Or you could right click the restrictions key and delete.

Glad you only moved the file! So much for tech support, huh?!

Is your comp acting any better?

 

Just checked that file Kim. Nothing suspicious about it.

 

Thats wonderful

When I went to HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions

The right hand panel said:

(Default) (no value set)
No Addre... 0x00000000 (0)
No links 0x00000000 (0)
No toolBar 0x00000000 (0)
No Toolb... 0x00000000 (0)

Can I just delete the restrictions key in the left pane or would that serve any purpose?

Thanks,
Kim

 

Actually the fact that they are all set to zero means they are not creating any restictions. But yes, you could delete the restictions key. It would be interesting to see if it gets put back by something. HijackThis should have removed the key. I've never seen it not. Matter of fact I put restrictions on my other PC earlier just to make sure it would fully remove the key, and it did.

 

I tried several times to get it to remove (before and after I knew what I was doing!). I deleted the restrictions key and look -




Logfile of HijackThis v1.97.7
Scan saved at 7:30:56 PM, on 26/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\KIM'S FOLDER\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.5145023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: DigiChat Applet - http://host2.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = golden.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = golden.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 199.166.210.2,199.166.210.5


So I managed to get it removed, but my computer is still the same


Kim

 

The restriction is now gone, good deal!
Now let's check into why it is slow. Right click on My Computer and select Properties. Click on the Performance tab. You will see things listed as Memory, Resources, etc. Down below all that, if it says anything other than "Your system is configured for optimal performance ", please post what it says.
Please click on the Device Manager tab, do you see any yellow ! or ?.
Also go to Start\Programs\Accessories\System Tools\System Information [Msinfo32.Exe is the filename for this program]. When that opens, go to the Toolbar at Tools\Automatic Skip Driver Agent. If a windows pops up saying "There are no current ASD critical operation failures on this machine ", that is good. If anything else appears, please post it.

 

Please recheck anything you have disabled since the problem started and restart the PC then make and post another log.

Also describe the problems again and what were the things you fixed with hijackthis before posted here ?