[Pepper]

Hello!

I'd really appreciate any help.

I have removed a TON of infections from the computer. Ran updated versions of adaware, spybot, AVG, several online scanners, spywareblaster, ccleaner, cwshredder, ewido. MS Windows antispyware, kaspersky, trojan guard have also been used and then removed from the computer. Also ran The Cleaner (trojans). I don't get any ads and can access the internet without any.

HOWEVER, a number of problems persist. The problems are as follows:

- VERY slow system on startup and when opening any programs. (Ran crapcleaner, defrag, windows fully updated...didn't help)
- User 2 gets "Windows Installer" popups for Microsoft Office sometimes on startup and when using the Windows search function.
- The screen for the system jumps to a very poor quality (all users, including safe) occassionally.
- User 1 could not enable Windows firewall. User 2 could. SO I called Microsoft and they had me uninstall and reinstall SP2. Well, that just made things worse. Firewall doesn't work for either user, and it slowed the computer down even more.
- The mouse freezes on startup occassionally.
- The following item comes up in spybot and adaware but cannot be deleted in those programs. Tried safe mode, different users, delete on restarts. No luck. Spybot popup said that the reason it couldn't be fixed could be that the files are still in use and that it could be fixed after restart. But that didn't work. I also ran regedit and could not delete BTIEIN under any of the users or by changing permissions.

HuntBar: Global settings (Registry key)
HKEY_LOCAL_MACHINE\Software\BTIEIN

No luck with:
http://www.lavasofth...04/02/0302.html

- I get the following listed in msconfig start. Startup is in selective.

checked for user1, not in user2:
squares (Strange font characters) (   ) HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows: Load

unchecked both users:
squares SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows
and second identical line

When I unchecked them (to not run on startup) and restarted, the squares returned with checks in addition to the ones I had unchecked. And I got 4 popups (user2) when I would start the computer that windows cannot find/load/run the "squares." I couldn't find the squares with regedit.

"Fixing" the following items in HJT made them disappear from HJT, and the startup popups about the squares disappear. HOWEVER, the squares are still listed in msconfig startup and all the other problems remain. It was disabling the squares in the startup that resulted in the notices about them in the first place and made these items appear in the HJT log.

F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab


Anyway, basically my main complaint is that the system is soooo soooooo soooo slow. The rest is just part of trying to get to the bottom of it.


Thanks,
Pepper


***

CURRENT HJT LOGS 6/29

USER-2

Logfile of HijackThis v1.99.1
Scan saved at 7:43:07 AM, on 6/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Documents and Settings\User2\Desktop\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119401637828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe




***

Screen just switched to very poor quality in middle of running this HJT scan.

USER-1

Logfile of HijackThis v1.99.1
Scan saved at 8:09:49 AM, on 06/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User1\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\85edc023096735764b42f7ffe25be521\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119401637828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe


***

RKFILES LOG

C:\WINDOWS

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: peC2"y)Q
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "PEC2" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "PEC2" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "PEC2" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "PEC2" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "PEC2" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "PEC2" >>c:\win.txt

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "UPX!" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "UPX!" >>c:\start.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "UPX!" >>c:\windows.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "UPX!" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "UPX!" >>c:\start.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "UPX!" >>c:\windows.txt
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "FSG!" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "FSG!" >>c:\start.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "FSG!" >>c:\windows.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "FSG!" >>c:\win.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "FSG!" >>c:\start.txt
C:\WINDOWS\rkfiles.bat: strings.exe -a * |find /I "FSG!" >>c:\win.txt
Finished
bye

Edited by Pepper, 29 June 2005 - 06:16 AM.

[Advertisements]

Hello, and welcome to the GeekstoGo Forums. My name is Jfcap,and I will be helping you clean your system. I would like to start off by apologizing in the delay in our response time. We try not to let posts slip through the cracks, but things do happen due the the ammount of posts on our website, so again I apologize.

Please post a new HiJackThis log of the user account on your computer that has ADMIN settings. If both accounts do, please post the log of the account that is used the most.

Thanks.

[Justin]

Hello, and welcome to the GeekstoGo Forums. My name is Jfcap,and I will be helping you clean your system. I would like to start off by apologizing in the delay in our response time. We try not to let posts slip through the cracks, but things do happen due the the ammount of posts on our website, so again I apologize.

Please post a new HiJackThis log of the user account on your computer that has ADMIN settings. If both accounts do, please post the log of the account that is used the most.

Thanks.

[Pepper]

HI Justin. It's great to hear from you!

Both users are "computer administrator". However, the safe mode options are "user 1" and "administrator".

Here is the HJT for User 1. (Terribly slow and super slow to open the browser)


Logfile of HijackThis v1.99.1
Scan saved at 7:56:52 PM, on 06/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Documents and Settings\User1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119401637828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe

[Justin]

Your HiJackThis log looks clean, are you still seeing any new problems?

[Pepper]

All the problems described in the first post above remain. The system is sooo sooo slow. It is terribly slow to startup desktop, to open any programs, and to open a browser in particular takes forever. Spybot and adaware show BTIEIN but cannot fix it, and there are the strange items on startup. The screen also switches to poor quality.

[Justin]

Ok, lets look for a few things in Add/Remove programs

Open up Control Panel
Click on Add/Remove Programs

Look for any of the following, if found please remove them

MSIETS
Internet 404
Tools for Internet Explorer
Search Toolbar
Web Search Toolbar
Win-Tools Easy Installer

Please let me know which files you delete, if any. And if that does not fix the problem, we will go in an manually delete the file.

[Pepper]

Hi Justin! None of those items were there. However, plenty of stuff that might be suspicious were listed, but it's not like I would know what belongs there anyway.

[Justin]

Hello,

Look for these files, some of them are duplicated of what I listed above, but some are not.

Uninstall HuntBar.btiein from "Add/Remove Programs" in the Windows® Control Panel. Look for entries called 'MSIETS', 'Internet 404', 'Tools for Internet Explorer', 'Search Toolbar'.


Please follow the instructions below if you would like to remove HuntBar.btiein manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If HuntBar.btiein remains on your system after stepping through the removal instructions, please double-check by stepping through them again.Please note that things could get worse if the wrong item is accidentally delete from your registry. It is reccomended that you create a backup of your registry before ANY editing of the registry1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
2. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {63B78BC1-A711-4D46-AD2F-C581AC420D41}, if it exists.
3. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {63B78BC1-A711-4D46-AD2F-C581AC420D41}, if it exists.
4. Exit the registry editor.
5. Restart your computer.
6. Start Windows Explorer and delete:
%SystemDir%\btiein.dll
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Let me know how the above goes.

Edited by Jfcap, 01 July 2005 - 01:20 PM.

[Pepper]

MS-C wordfinder
CGI-lid
Content Delivery Module
Flash Track
IE Host R3
InternetOffers
Kazaa
MS B Help
MS IE assistant
MS.C help
SafeCast Shared Components
Search Ms.C
TContext
Your Ms.C assistant

[Justin]

Hello, please see the revised instructions above. I editted them, but you must have seen my first reply =).

I will look over these programs and tell you which are not good.

[Pepper]

"but you must have seen my first reply =)."

Yup, I'm quick.

Items 2 and 3 are not there, nor is there a btiein listed in the system32 folder. BTIEIN is, however, listed when I use regedit.

Edited by Pepper, 01 July 2005 - 01:39 PM.

[Justin]

Please delete the following files:

IE Host R3
InternetOffers
Kazaa - This program is a P2P program, and puts you at high risk of downloading some type of spyware or malware.

Edited by Jfcap, 01 July 2005 - 01:42 PM.

[Justin]

"but you must have seen my first reply =)."

Yup, I'm quick. 

Items 2 and 3 are not there, nor is there a btiein listed in the system32 folder.  BTIEIN is, however, listed when I use regedit.

Ok, so which did you delete? Things are getting complicated, because we are both working on different steps. I will wait for you to remove the programs and tell me what you did in the registry before we move on.

[Pepper]

IE Host and InternetOffers gave me an error that they were already uninstalled. But, removed them from Add/remove programs. For Kazaa when I click change/remove I get the install shiled wizard and then the following error:
Error number: 0x80040702 Failed to load dll: SetRegAcl Setup will now terminate

[Justin]

IE Host and InternetOffers gave me an error that they were already uninstalled.  But, removed them from Add/remove programs.  For Kazaa when I click change/remove I get the install shiled wizard and then the following error:
Error number:  0x80040702  Failed to load dll: SetRegAcl  Setup will now terminate

If you look in program files, do you see Kazaa? If not, then it should be gone.