1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

New PC Problems

Discussion in 'Windows XP' started by FrozenDream, Apr 20, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. FrozenDream

    FrozenDream Thread Starter

    Joined:
    Nov 6, 2002
    Messages:
    7
    I am running Win Xp Professional with service pack 1, AMD-K6 3D processor, 400 mhz with 256 Ram.


    The computer is running very werid as of late. IE 6.0 is crashing every 10 mintues or so and I now have to type in the http:// for any website I go to. As well as I can't keep my web home page.

    An top of that WMP 9 is slowing everything down and it keeps skipping, or stops responding and then I can't even use the ctrl-alt-delete function. It seems to be getting worse everyday. I tried some fixes but nothing seems to have made a difference. I was thinking of checking windows update but there is an error eveytime I even go to try to see what is available.

    Can someone please help? Anything would be greatly appreciated.
    Frozen
     
  2. MINz

    MINz

    Joined:
    Apr 19, 2004
    Messages:
    134
    Have you tried to do a system restore to a date you know your system was performing fine?

    MINz
     
  3. Lobos

    Lobos

    Joined:
    Mar 22, 2004
    Messages:
    248
    Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to it’s own folder (not temporary files or the desktop).
    Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

    DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise
     
  4. FrozenDream

    FrozenDream Thread Starter

    Joined:
    Nov 6, 2002
    Messages:
    7
    No I have as far as I know the restore has been turned off ever since we bought this machine.
     
  5. FrozenDream

    FrozenDream Thread Starter

    Joined:
    Nov 6, 2002
    Messages:
    7
    Logfile of HijackThis v1.97.7
    Scan saved at 12:38:38 PM, on 4/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\windows\winlogon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\WINDOWS\webshots.scr
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\WinMX\WinMX.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Documents and Settings\Shawn\Desktop\Shell\Programs\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\pubplace.dll
    O1 - Hosts: 213.159.117.235 #uto.search.msn.com
    O2 - BHO: (no name) - {9E6BCEAC-9E48-426E-ABD6-2848825509D0} - C:\WINDOWS\System32\ekagfi.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6A166D51-8A65-45FE-B652-627E3EFDA4C2}: NameServer = 216.211.26.14 206.47.150.225
     
  6. MINz

    MINz

    Joined:
    Apr 19, 2004
    Messages:
    134
    Have you checked? All Programs/Accessories/System Tools/System Restore

    I would also take Lobos' advice. Post a Hijack This log.

    MINz
     
  7. FrozenDream

    FrozenDream Thread Starter

    Joined:
    Nov 6, 2002
    Messages:
    7
    System restore is turned off I just checked. A lot of this is new to me, I went from having a computer with win95 to this xp system everything is very different.
    Thank you for telling me where it is.
     
  8. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,851
    First Name:
    James
    Run HJT again and check this for fixing:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://
    homepage.com%[email protected]www.e-finder.cc/search/ (obfuscated)
    O1 - Hosts: 213.159.117.235 #uto.search.msn.com
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=

    You should also run Spybot S&D, Lavasoft Ad-Aware and CWShredder. These programs will hunt the other files down. Reboot and redo another log after you run those programs.
     
  9. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,851
    First Name:
    James
    CWShredder should find the cause of AddCLS, as it's a CoolWebSearch (CWS) variant.
     
  10. MINz

    MINz

    Joined:
    Apr 19, 2004
    Messages:
    134
    If Internet Explorer is causing you troubles you can try this trick for reinstalling IE6.

    First before you try this make sure you do two things:
    1. Be very careful editing the registry.
    2. Make sure you can download IE6.

    Internet Explorer 6.0

    Now try the following:
    1. Launch Regedit. Start/Run/ type regedit
    2. Navigate to the following Reg Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed\Components\{89820200-ECBD-11cf8B85-00AA005B4383}
    3. In the right-hand pane, double-click on the DWORD value IsInstalled and change it from 1 to 0 (doesn't matter if you choose Decimal or Hexadecimal)
    4. Reboot and re-install IE6.

    Good Luck!

    MINz
     
  11. Lobos

    Lobos

    Joined:
    Mar 22, 2004
    Messages:
    248
    you dont need to reinstall ie

    please post another log after following
    tidas4yuna's direction
     
  12. Lobos

    Lobos

    Joined:
    Mar 22, 2004
    Messages:
    248
    ok do this download cws shredder

    http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

    put it into its own folder and not on the desktop and not into the tempfolder
    then run check for update
    hit fix not scan



    Download AdAware 6 181 from here: http://www.lavasoftusa.com/
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    Then......

    Click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    Then.........

    Go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" and "Let windows remove files in use at next reboot"

    Then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished mark everything for removal and get rid of it.(Right-click the window and choose"select all" from the drop down menu)

    Then
    Download Spybot - Search & Destroy from http://security.kolla.de

    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED

    then run high jack this put a check next to these close all browser then hit fix

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ekagfi.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://
    homepage.com%[email protected]www.e-finder.cc/search/ (obfuscated)
    O1 - Hosts: 213.159.117.235 #uto.search.msn.com
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=

    reboot and delete

    c:\windows\winlogon.exe
    C:\WINDOWS\AddCLS.exe

    then post another log please
     
  13. FrozenDream

    FrozenDream Thread Starter

    Joined:
    Nov 6, 2002
    Messages:
    7
    Thank you everyone for all your help....I reformated my hard drive. We found over 482 spyware and adware on the system geting rid of some proved to be very difficult. I appreciate everyone being patient with me. My Problem is solved for now. lol
    Thanks again
    Shell
     
  14. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,851
    First Name:
    James
    ahh the infamous way to deal with spyware :)

    May I suggest you to download Spyware Blaster. As long as you keep it updated, it will prevent further attacks.
     
  15. FrozenDream

    FrozenDream Thread Starter

    Joined:
    Nov 6, 2002
    Messages:
    7
    thank you I have downloaded spyblaster.... and a few others to help. I have gotten the winlogon exe again though and can't delete it so still working on it.

    Thanks again
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/222264

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice