
Solved: Computer infected and moving very slow. HJT log

Discussion in 'Virus & Other Malware Removal' started by Chamber Girl, Feb 8, 2007.

  1. Chamber Girl (Thread Starter), joined Feb 8, 2007, 59 messages

    Recently I was bombarded with several viruses all at once and for several days afterwards. They are all (I think) quarantined. But since then my computer is acting very erratic and seems to get slower every day. Not sure if you need it or not, but I am inserting an HJT log below. Hope someone can help before the computer crashes completely.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:42:32 AM, on 2/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\adirss.exe
    C:\WINDOWS\System32\lnwin.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
    O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
    O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [Agent] C:\WINDOWS\System32\alsys.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  2. MFDnNC, joined Sep 7, 2004, 49,014 messages

    You still have some nasties
    ==============
    Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    · Restart your computer
    · After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    · Instead of Windows loading as normal, the Advanced Options Menu should appear;
    · Select the first option, to run Windows in Safe Mode, then press Enter.
    · Choose your usual account.
    · Open the extracted SDFix folder and double click RunThis.bat to start the script.
    · Type Y to begin the cleanup process.
    · It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    · Press any Key and it will restart the PC.
    · When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    · Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    · Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

    ============
    Download Superantispyware

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.
     
  3. Chamber Girl (Thread Starter), joined Feb 8, 2007, 59 messages

    Below are the SDFix log and the HijackThis log. I will now be doing the second part of your reply by downloading and running SUPERAntiSpyware, and then I will post those findings plus another HijackThis log.


    SDFix: Version 1.63

    Thu 02/08/2007 - 13:33:56.65

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    wincom32

    Path:
    \??\C:\WINDOWS\System32\wincom32.sys

    wincom32 Deleted

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\DOCUME~1\Tonja\LOCALS~1\Temp\setup.exe - Deleted
    C:\WINDOWS\system32\adirss.exe - Deleted
    C:\WINDOWS\system32\game5.exe - Deleted
    C:\WINDOWS\system32\lnwin.exe - Deleted
    C:\WINDOWS\system32\peers.ini - Deleted
    C:\WINDOWS\system32\wincom32.ini - Deleted
    C:\WINDOWS\system32\zlbw.dll - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:

    Remaining Services:
    ------------------



    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
    C:\Program Files\Free Offers from Freeze.com\Thumbs.db
    C:\Program Files\Stamps.com Internet Postage\images\Thumbs.db
    C:\Old Data\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
    C:\Documents and Settings\Tonja\NetHood\ftp.tyan.com\Desktop.ini
    C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
    C:\Old Data\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
    C:\usb\adminchk.dll
    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\usb\AEEnable.exe
    C:\usb\RemADI.exe
    C:\hiberfil.sys
    C:\Old Data\logo.sys
    C:\Old Data\MyFiles\~WRL0001.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL0004.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL0040.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL0005.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL1742.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL1678.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL0657.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL3755.tmp
    C:\Old Data\WIN95\Application Data\Microsoft\Word\~WRL2734.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0044.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRL3196.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRL0740.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1558.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1851.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0067.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0497.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3786.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0249.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0438.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2122.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2419.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3262.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3571.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2520.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2852.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3227.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3773.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0834.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3516.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0515.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0840.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0463.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1687.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2828.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2146.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0057.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0385.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1249.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2397.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0862.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1300.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2288.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3569.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1448.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1238.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1793.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0601.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2914.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3954.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2830.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3112.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2536.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0063.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1753.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1758.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0286.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2892.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2925.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0270.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3238.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3593.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0856.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1940.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2713.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0761.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2561.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3885.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3105.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3397.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0757.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2374.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRL0791.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0302.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD2665.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0436.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3859.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1945.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0694.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1255.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0514.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0444.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3331.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3854.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0084.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD3853.tmp
    C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD1276.tmp
    C:\Documents and Settings\Tonja\My Documents\~WRL3064.tmp
    C:\Documents and Settings\Tonja\My Documents\~WRL3224.tmp
    C:\Documents and Settings\Tonja\My Documents\~WRL0003.tmp
    C:\Documents and Settings\Tonja\My Documents\Capital Campaign\Phase II\Forms\Pledge Forms\~WRL0371.tmp
    C:\Documents and Settings\Tonja\My Documents\Capital Campaign\Phase II\Forms\Pledge Forms\~WRL0113.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0003.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0004.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0468.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0005.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1911.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1822.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0417.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL2974.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1368.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL2430.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0007.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3374.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0538.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1282.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3652.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1832.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3789.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1046.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1626.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3235.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0782.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3646.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3864.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL2469.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3031.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1349.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL1108.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0006.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL0860.tmp
    C:\Documents and Settings\Tonja\Application Data\Microsoft\Word\~WRL3408.tmp

    Finished

    Logfile of HijackThis v1.99.1
    Scan saved at 1:50:37 PM, on 2/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[2]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
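The longest part of the SDFix report above is the "Checking For Files with Hidden Attributes" list, and almost all of it is ordinary Windows and Office housekeeping (Word autosave temps, Thumbs.db, Desktop.ini, hiberfil.sys). The script below is an added example, written for this page and not part of SDFix or of the thread: it pulls that section out of a report and sorts each path into a known-benign category or a "review" bucket. The category rules are the editor's own assumptions, and the sample report is a constructed excerpt of the one posted above; a path landing in "review" only means no benign rule matched it, not that it is malicious.

```python
"""Added example (not SDFix's code): triage the hidden-attribute file list in an SDFix report."""
import re
from typing import Dict, List

# Hidden files that Windows and Office create as a matter of course.
# These rules are the editor's assumptions, not anything SDFix itself applies.
BENIGN_RULES = [
    ("Word autosave/backup temp", re.compile(r"\\~WR[DL]\d{4}\.tmp$", re.I)),
    ("Explorer thumbnail cache", re.compile(r"\\Thumbs\.db$", re.I)),
    ("folder customisation file", re.compile(r"\\Desktop\.ini$", re.I)),
    ("hibernation file", re.compile(r"^[A-Z]:\\hiberfil\.sys$", re.I)),
    ("Windows uninstall information",
     re.compile(r"\\Uninstall Information\\.*\\AINF\d{4}$", re.I)),
]


def extract_hidden_section(report: str) -> List[str]:
    """Return the paths printed between the hidden-attributes header and 'Finished'."""
    paths: List[str] = []
    collecting = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Checking For Files with Hidden Attributes"):
            collecting = True
            continue
        if collecting:
            if line == "Finished":
                break
            if line:
                paths.append(line)
    return paths


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Bucket each path under the first benign rule it matches, else under 'review'."""
    buckets: Dict[str, List[str]] = {}
    for path in paths:
        label = "review"
        for name, pattern in BENIGN_RULES:
            if pattern.search(path):
                label = name
                break
        buckets.setdefault(label, []).append(path)
    return buckets


# Constructed excerpt of the SDFix report posted in this thread (a few lines of each kind).
SAMPLE_REPORT = r"""SDFix: Version 1.63

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Program Files\Free Offers from Freeze.com\Thumbs.db
C:\Documents and Settings\Tonja\NetHood\ftp.tyan.com\Desktop.ini
C:\usb\adminchk.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\hiberfil.sys
C:\Old Data\logo.sys
C:\Old Data\MyFiles\~WRL0001.tmp
C:\Documents and Settings\Tonja\Local Settings\Temp\~WRD0044.tmp

Finished
"""

if __name__ == "__main__":
    buckets = triage(extract_hidden_section(SAMPLE_REPORT))
    for label, paths in buckets.items():
        print(f"{label} ({len(paths)})")
        for path in paths:
            print("   ", path)
```

On the constructed excerpt, six of the nine paths fall into benign categories and three (adminchk.dll, DLMCleanup.exe, logo.sys) are left for a human to look at; on the full report in the thread the 100-plus ~WRD/~WRL temp files collapse into a single line, which is the point of the exercise.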
     
  4. MFDnNC, joined Sep 7, 2004, 49,014 messages

    Do this also.

    Download EasyCleaner http://www.majorgeeks.com/download414.html

    Use the clear files and Unnecessary files buttons – I do not recommend using the Duplicates files button, as many dupes are there on purpose.

    Not all files will delete – that is normal.

    In the unnecessary button I check the top 4 entries.
     
  5. Chamber Girl (Thread Starter), joined Feb 8, 2007, 59 messages

    Below is the new HJT log after running SUPERAntiSpyware. I will now download and run EasyCleaner per your instructions. You did not mention what to do after that, so I will let you know when I have finished running the cleaner.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:42:21 PM, on 2/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
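The way a helper reads a thread like this is by comparing successive HijackThis logs: between the first log and the one posted after SDFix, the O4 Run entries for adirss.exe, lnwin.exe and alsys.exe are gone and the matching processes no longer appear. The script below is an added example, not HijackThis's own code and not from the thread: it parses two HJT 1.99.1 logs into sections and reports what was removed or added in each. The two sample logs are constructed excerpts (a few lines each) of the thread's first log and the post-SDFix log.

```python
"""Added example (not HijackThis's code): diff two HijackThis 1.99.1 logs by section."""
import re
from typing import Dict, List, Set, Tuple

# Every HJT item line starts with a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
ITEM_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


def parse_hjt(text: str) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Return (running processes, {section code: set of item bodies}).

    Process paths are lower-cased because HJT prints System32/system32 inconsistently.
    """
    processes: List[str] = []
    items: Dict[str, Set[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line.lower())
            continue
        match = ITEM_RE.match(line)
        if match:
            items.setdefault(match.group("code"), set()).add(match.group("body"))
    return processes, items


def diff_hjt(before: str, after: str) -> Dict[str, Dict[str, List[str]]]:
    """Per section: items only in `before` (removed) and only in `after` (added).

    Unchanged sections are omitted; the process list is reported under "processes".
    """
    p_before, i_before = parse_hjt(before)
    p_after, i_after = parse_hjt(after)
    report: Dict[str, Dict[str, List[str]]] = {}
    for code in sorted(set(i_before) | set(i_after)):
        removed = sorted(i_before.get(code, set()) - i_after.get(code, set()))
        added = sorted(i_after.get(code, set()) - i_before.get(code, set()))
        if removed or added:
            report[code] = {"removed": removed, "added": added}
    gone = sorted(set(p_before) - set(p_after))
    new = sorted(set(p_after) - set(p_before))
    if gone or new:
        report["processes"] = {"removed": gone, "added": new}
    return report


# Constructed excerpts of the thread's first log and of the log posted after SDFix ran.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:42:32 AM, on 2/8/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\adirss.exe
C:\WINDOWS\System32\lnwin.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\System32\alsys.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:50:37 PM, on 2/8/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

if __name__ == "__main__":
    for section, change in diff_hjt(BEFORE_LOG, AFTER_LOG).items():
        for body in change["removed"]:
            print(f"- {section}: {body}")
        for body in change["added"]:
            print(f"+ {section}: {body}")
```

Run against the excerpts, the O4 section shows the three Run entries SDFix removed and nothing added, the O20 section drops out of the report because it did not change, and the process list shows adirss.exe and lnwin.exe gone with alg.exe (the Application Layer Gateway service, which simply was not running at the first scan) newly present. Comparing sets rather than line positions is deliberate: HJT orders entries by registry enumeration, so two logs of the same machine can list the same items in different order.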
     
  6. MFDnNC, joined Sep 7, 2004, 49,014 messages

    You didn't post the SuperAnti log but....

    Things look good; how are they?
     
  7. Chamber Girl (Thread Starter), joined Feb 8, 2007, 59 messages

    You didn't say to, but below is the new HJT log after the last download and cleaning.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:56:59 PM, on 2/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis[2]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  9. Chamber Girl

    Chamber Girl Thread Starter

    Joined:
    Feb 8, 2007
    Messages:
    59
    Oops, sorry for not posting the SUPERAntiSpyware info. I know it found over 80 items that it quarantined and/or repaired. Things seem to be running a little quicker up to this point, but I have not really had an opportunity to use or do anything except the things you needed.
    How do things look now?
     
  10. Chamber Girl

    Chamber Girl Thread Starter

    Joined:
    Feb 8, 2007
    Messages:
    59
    Great! :D
    Hope it continues to run smoothly.

    Thanks so much for all your help; I will try to figure out how to mark it as solved.
     
  11. Chamber Girl

    Chamber Girl Thread Starter

    Joined:
    Feb 8, 2007
    Messages:
    59
    I just finished cleaning my computer of many viruses and malware, which you guys helped me with. Now I am receiving these two error messages (see below). Message #1 pops up first and is then followed by Message #2.

    Message #1:

    "hpqthb08.exe - Strong name validation failed", which says: "Strong name validation failed for assembly C:\Program Files\HP\digital imaging\bin\hpqthb08.exe. The file may have been tampered with, or it was partially signed but not fully signed with the correct private key."

    Followed by Message #2:

    "hpqthb08.exe - Common Language Runtime Debugging Services. Click OK to terminate or Cancel to debug."
     
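    The strong-name error above means the CLR recomputed the hash of the managed assembly on disk and it no longer matched the RSA signature embedded in the file, so either the bytes changed after HP signed it or the strong-name signature was never completed. A practitioner would check the file rather than guess: compare its Authenticode signature (a separate, publisher-level signature over the whole PE), record its SHA-256 to compare against the same file from the HP installer, read the strong-name identity from the manifest, and force a full strong-name verification with sn.exe, which also ignores any verification-skip entry registered under HKLM\SOFTWARE\Microsoft\StrongName\Verification. The PowerShell below is an added example written for this thread, not something posted by the thread participants or shipped by HP or Microsoft; it assumes PowerShell 3 or later, the file path quoted in the post, and that sn.exe from a Windows or .NET SDK is installed somewhere under Program Files (its exact location is not known from the thread).

```powershell
# Added example for checking the assembly named in the error (not from the thread).
# Assumes: PowerShell 3+, the path from the post, sn.exe somewhere under Program Files.

function Test-AssemblyIntegrity {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. SHA-256 of the bytes on disk. Compare with a known-good copy of the
    #    same file (e.g. extracted from the HP installer) to see if it changed.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''

    # 2. Authenticode signature. "Valid" means the PE on disk is what the
    #    publisher signed; "HashMismatch" means the file was modified after signing.
    $auth = Get-AuthenticodeSignature -FilePath $Path

    # 3. Strong-name identity from the assembly manifest. This reads the public key
    #    token only; it does NOT verify the signature. Non-managed files throw here.
    $asmName = $null; $token = $null
    try {
        $asmName = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
        $token   = ($asmName.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
    } catch [System.BadImageFormatException] {
        $token = 'not a managed assembly'
    }

    # 4. Full strong-name verification. "-vf" forces the check even if a skip
    #    entry for this assembly exists under the StrongName\Verification key.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $sn = $roots | ForEach-Object {
        Get-ChildItem -Path $_ -Filter sn.exe -Recurse -ErrorAction SilentlyContinue
    } | Select-Object -First 1
    if ($sn) {
        $snOutput = (& $sn.FullName -vf $Path 2>&1 | Out-String).Trim()
        $snResult = "exit=$LASTEXITCODE $snOutput"
    } else {
        $snResult = 'sn.exe not found'
    }

    # 5. Verification-skip entries. Any subkey here means the CLR silently skips
    #    strong-name checks for that assembly/token, which defeats the whole signal.
    $skipKey = 'HKLM:\SOFTWARE\Microsoft\StrongName\Verification'
    $skips = if (Test-Path $skipKey) {
        (Get-ChildItem -Path $skipKey | Select-Object -ExpandProperty PSChildName) -join ', '
    } else { 'none' }

    [pscustomobject]@{
        Path               = $Path
        Sha256             = $hash
        Authenticode       = $auth.Status
        Signer             = if ($auth.SignerCertificate) { $auth.SignerCertificate.Subject } else { $null }
        AssemblyName       = if ($asmName) { $asmName.FullName } else { $null }
        PublicKeyToken     = $token
        StrongNameVerify   = $snResult
        VerificationSkips  = $skips
    }
}

# Path as quoted in the error message in the post above.
Test-AssemblyIntegrity -Path 'C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe' | Format-List
```

    If Authenticode reports HashMismatch and sn.exe fails, the file was altered after HP signed it (an antivirus "repair" of an infected PE is one way that happens); the safe fix is to replace it from the original HP installer rather than to register a skip entry with sn -Vr, which only hides the failure.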
Short URL to this thread: https://techguy.org/542291