Bogged down big time. Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by SandraS, Mar 3, 2005.

  1. SandraS

    SandraS Private E-2

    :rolleyes: My kids have managed to bog down the computer. I am sure we're probably loaded with viruses or such. I have done search and destroy, adware, and virus scan. Not helping. Can someone read a hijackthis log and walk me through it? I have done this once before on a different computer but it's been a while and could use the step by step version. Thanks for your help!
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    It sounds like you have done some of the necessary steps
    We ask that you first try to do ALL the rest of the TUTORIAL listed below.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there.
    Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. SandraS

    SandraS Private E-2

    :rolleyes: Ok I have pretty much spent the day downloading and running scans and following the list of things to do. I don't know that I have made much headway. I have had to rerun scans because they freeze up in the middle. When they do indicate problems they say they can not correct them. I thought I had made a copy of the list of failed fixes to send to you but somehow that disappeared so I tried to run the scan again but now the scan just freezes up on me. I'm still getting an enormous amount of pop-ups and we're running very very slow. I seem to be having problems pulling up web mail. I've run and deleted all threats from the adware scans. I did manage to complete an Avast virus scan but it came back that I didn't have any viruses. Doubt that! My kids really did a number on this machine this time. I will try to re-run the scans so I can give you a more descriptive result, if I can complete one before freezing, but I wanted to just let you know where I was with the process. If you want me to send you a hijack log I can do that. Let me know what you want me to do next. I'll keep trying on this end. If I come up with anything informative I will add on.
    Thanks
     
  4. TheOldThug

    TheOldThug First Sergeant

    I know this is all very frustrating so let's see what you have.
    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  5. SandraS

    SandraS Private E-2

    Here's the attached log. I'm sure it's not pretty. Let me know what I should do next. Thanks again for your help and patience.
     

    Attached Files:

  6. TheOldThug

    TheOldThug First Sergeant

    Give me a little time I will have a fix for you this morning.
     
  7. TheOldThug

    TheOldThug First Sergeant

    Many people do choose to keep programs like Limewire and use them. Any P2P program represents some level of danger and some (as indicated in the link I gave you) add some additional garbage to your system.
    Limewire has been a suspect P2P program for a while. I suggest to get rid of it but it is ultimately your choice. I will put in fixes to get rid of it, ignore them if you decide not to. Here is a link about it.
    Limewire

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now physically disconnect yourself from the internet by unplugging your cable or connection from the wall. Do not reconnect until instructed.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Limewire
    weatherbug
    E2g or E2Go


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u Helper101.dll
    then click OK. If a dialog box confirming this action appears, click OK.
    Do the same thing with the following:
    regsvr32 /u IeBHOs.dll
    regsvr32 /u lbbho.dll
    regsvr32 /u MSW.dll
    regsvr32 /u ixchpsdn.dll
    regsvr32 /u AUNBHO.dll


    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    winupdt.exe
    Weather.EXE

    ??ool32.exe (don't confuse with spool32.exe)
    pruttct.exe
    LimeWire.exe
    sysmonnt.exe (I am putting in a fix for this file. Do not do it or any other fixes for this file if the following is true: FkWare version of SysMon or other third party Sysmon Applications)

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: - {39B515C4-0D29-4904-AEDF-C09AAC68DBB6} - C:\WINDOWS\lbbho.dll
    O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
    O2 - BHO: (no name) - {4B6EB0BD-5405-0AD8-2F93-0595BFD6DF90} - C:\WINDOWS\System32\ixchpsdn.dll
    O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O4 - HKCU\..\Run: [Usw] C:\WINDOWS\System32\??ool32.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\System32\pruttct.exe
    O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\System32\pruttct.exe
    O4 - Global Startup: LimeWire 4.2.3.lnk = C:\Program Files\LimeWire\LimeWire 4.2.3\LimeWire.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c13\aim.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\WINDOWS\System32\winupdt.exe
    C:\PROGRA~1\AWS--->The Folder
    C:\WINDOWS\System32\??ool32.exe (don't confuse with spool32.exe)
    C:\WINDOWS\System32\sysmonnt.exe
    C:\WINDOWS\System32\pruttct.exe
    C:\Program Files\LimeWire---The Folder
    C:\WINDOWS\Helper101.dll
    C:\Program Files\E2G--->The Folder
    C:\WINDOWS\lbbho.dll
    C:\Documents and Settings\All Users\Application Data\msw--->The Folder
    C:\WINDOWS\System32\ixchpsdn.dll
    C:\WINDOWS\System32\AUNBHO.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now reconnect to the internet with cable or plug into the wall connection.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  8. TheOldThug

    TheOldThug First Sergeant

    Sandra

    I think that sysmonnt.exe is a BAD file.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would suggest with all the host entries to set it back to default.

    Download HOSTER and open it, select Restore Original Hosts > Press OK and then exit program.
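A small log-review helper, added here as an example and not part of the thread, of HijackThis or of HOSTER: it parses lines in the HijackThis log format and flags the kinds of entries checked in post #7 (unnamed BHOs, autorun targets HijackThis could not render, ActiveX downloads from a local file) plus the non-local hosts redirects that the HOSTER reset in post #9 removes. The sample lines are constructed from entries quoted in the thread, not the attached log.

```python
import re
from collections import Counter

# Constructed sample in HijackThis log format, modelled on entries flagged in post #7.
SAMPLE_LOG = r"""
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: - {39B515C4-0D29-4904-AEDF-C09AAC68DBB6} - C:\WINDOWS\lbbho.dll
O4 - HKCU\..\Run: [Usw] C:\WINDOWS\System32\??ool32.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}  # the only targets a clean hosts file needs


def parse_line(line):
    """Split one HJT line into (section, body); anything else gives None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def review(log_text):
    """Return (findings, duplicate_hosts): (section, reason, line) triples and {(ip, host): count}."""
    findings, hosts = [], Counter()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O1" and body.startswith("Hosts:"):
            ip, _, host = body[len("Hosts:"):].strip().partition(" ")
            hosts[(ip, host)] += 1
            if ip not in LOCAL_IPS:  # silently sends a site name somewhere else
                findings.append((section, f"hosts maps {host} to non-local {ip}", raw))
        elif section == "O2" and body.startswith("BHO:"):
            name = body[len("BHO:"):].split(" - ")[0].strip()
            if name in ("", "(no name)"):  # legitimate BHOs normally carry a name
                findings.append((section, "browser helper object with no name", raw))
        elif section == "O4":
            target = body.split("]", 1)[-1].strip()
            if "?" in target:  # '?' is illegal in a Windows path: HJT could not render the character
                findings.append((section, "autorun target with unprintable characters", raw))
        elif section == "O16" and "file://" in body.lower():
            findings.append((section, "ActiveX download from a local file", raw))
    return findings, {k: n for k, n in hosts.items() if n > 1}
```

Entries such as winupdt.exe in the sample are deliberately not flagged: a name alone says nothing, and those still need a human comparing the log against the fix list.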
     
  10. SandraS

    SandraS Private E-2

    Hey Hey, back in business. Everything seems to be working pretty smooth. I appreciate all your help. I even talked my girls into getting rid of LimeWire. Hopefully we will be clean for a while now. Again, THANK YOU, THANK YOU!
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you download HOSTER as I requested to reset your host file?
     
  12. TheOldThug

    TheOldThug First Sergeant

    Sandra

    You're welcome :D

    Do what BJ said to do. Also submit another HJT log so we can verify you are clean.

    Glad you got it all fixed. ;) You should check this out now: How to Protect yourself from malware!

    Once everything seems OK be sure to turn System restore back on.
     
  13. SandraS

    SandraS Private E-2

    Yes I used Hoster. Seemed to work well. I am attaching the new log, let me know if you see anything else I should do. Thanks again for all your help and have a great week! :D
     

    Attached Files:

  14. RayDunne

    RayDunne Corporal

    Hi, nice clean log :) Anyway, just wanted to let you know that my niece keeps picking up all kinds of malware from AOL. I have the messenger only that I D/L'd as stand alone and don't seem to have problems, but I inserted one of their disks a few years back and it rendered my PC about useless and I vowed to never use their software again. I have to go over there at least once a week and clean her system and I have deduced that the garbage is coming from AOL, so last time I told her that I wasn't going to keep this up if she is going to keep using it :mad: Just my opinion so take it how you may.
     
  15. SandraS

    SandraS Private E-2

    RayDunne, I love your Icon! Are you speaking of the AOL service or just the AIM for instant messaging? I think if I suggested that my girls (all teenagers) stop IMing they would think I was cutting off their right arm. Are there any safeguards or ways to protect the computer while IMing? I have already warned them NEVER to click on a link when IMing.
     
  16. RayDunne

    RayDunne Corporal

    Hi, thanx on the avatar, you can get it too, click User CP in upper left of MG page and go to Edit Avatar on left bank of links, there are some other cool ones too. On the AOL subject, I am speaking of the suite software that is on the disks they pepper us with or the full D/L of software from the net. As I mentioned in my post, you can D/L the messenger as a stand-alone app and I haven't experienced any trouble with it. I have no experience with their internet service, so I can't offer any help there, but my niece doesn't use that, so that is not what is getting her into trouble. As for IMing in general, especially with teenage girls, I am really scared for you. Some really scary stuff goes on in there, I know firsthand, I've been there and there is really no way to control it, at least none that I know of :mad: Good luck :) I hope the best for your girls, if they are responsible and honest you should be OK. My boys aren't quite there yet, but when they are, you can bet I'll be watching them with that stuff. We have good relationships so far so as long as I can keep that up, we should be OK. I can't stress enough how scary these chat programs are. My marriage has been in jeopardy twice over them already and we are "adults" :rolleyes:
     
  17. TheOldThug

    TheOldThug First Sergeant

    Sandra

    You look clean. Be sure to do what I said in #12 to prevent malware. It is very important.

    Use Firefox as your browser.
     
