3 logs attached - 8 Steps to Virus & Malware Removal

Status
Not open for further replies.
I've had my PC for nearly five years and haven't had major problems except that it is getting slower...and slower......and slower. Takes about 10-15 minutes to boot, and a considerable amount of time to process if several programs are running at once. I eradicated all unnecessary programs when first bought (i.e. AOL, games, Yahoo, etc, etc.)

I have to report that since going through the 8 steps and getting rid of cookies and temp files there is improvement. I use Firefox only for web browsing and do have online banking, passwords, etc. I'll reformat/reinstall the system if need be. I use the computer for web, papers, taxes, music, video editing, image archiving, watch movies--it's pretty much the catch-all. Everything is backed up on an external hard drive. I have never defragmented though I imagine it may be needed.
Any other info I missed?
Thank you for any advice you may give.

edit: oh yes, and programs crash often if I do not allow the comp. enough time to "think." Is that a reiteration of above?
 

Attachments: malware log.txt (1.1 KB)
You have two antivirus programs running, I would get rid of Norton, it is a known drag on most systems, but two antivirus products will definitely slow things down and cause problems. If Norton will not uninstall from control panel you can download a program from Norton to remove it completely. I would run a defrag, especially since you mention doing video editing, and run CCleaner if you have not already done it. Your logs look mostly clean, if things don't speed up after all the above, you might want to start looking for a new or newer computer, 5 years is a pretty good lifespan for a PC.
 
Thank you swwelsh.

wombat ->

Download the Norton Removal Tool (SymNRT) to your Desktop.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
Once downloaded please close ALL open browsers, also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open Click Next
Accept the license agreement and click Next
Type in the letters/numbers that you see into the text box then click Next.
Then click Next and the tool will start running.
Once finished restart the PC and run the tool again to ensure everything has been removed.
Delete the Norton Removal Tool from your Desktop.

Restart


Then run http://www.mlin.net/StartupCPL.shtml
and remove any not required startups.

Attach a fresh HijackThis log, and tell how things are running now.
 
A little help: we can do some work with the first logs:

It appears that you might not be doing any maintenance on the system. You have an extraordinary number of Tracking Cookies in Firefox. Be sure SAS was checked to remove them, then:

Reset Cookies:
For Firefox> Tools> Options> Privacy section> Cookies> CHECK 'accept Cookies'> UNCHECK 'accept third party Cookies'> Set interval to keep Cookies 'until I remove them'> Close
Put these add-ons on Firefox:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/

For Internet Explorer: Tools> Internet Options> Privacy tab> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> UNCHECK 'accept third party Cookies'> Apply> OK

Avira is the better of the two security programs for antivirus. However, it is free. So if you have paid for the Symantec Security Suite, you might want to keep it for now, then change over when the subscription comes due. But uninstall whichever program you do not want to keep.

Remove bad HijackThis entries
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O1 - Hosts: 208.81.87.68 fixed.gr

The following are a group of HP entries that do not need to start on boot. I will instruct you in how to stop them from starting, and the following can all be checked in the HJ log:
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed boot into Safe Mode:

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
ALL HP processes

IF you decide to remove Avira for now, you will need to:
UNCHECK all Avira processes on the Startup menu. And you will need to disable the Startup type in the Services (O23):
Start> Run> services.msc> right click on each> Properties:
Avira AntiVir Scheduler (AntiVirSchedulerService) -change startup type to Disabled
Avira AntiVir Guard (AntiVirService) - Change Startup Type to Disabled
Close

Then: Control Panel> Add/Remove Programs> Uninstall Avira
Apply> OK Reboot into Normal Mode
NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

Please note: it appears that you have the Symantec/Norton Security Suite. This costs money. Some don't want to trash a program they paid for, even though another program might be better. So you will need to make that decision.

When you have finished the above, update and run a new scan with HijackThis and attach the log.

This thread is for the use of wombat only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.
 
Thank you swwelsh.

wombat ->

Delete the Norton Removal Tool from your Desktop.

Restart

Then run start up.cpl
and remove any not required startups.

Attach a fresh HijackThis log, and tell how things are running now.

Thanks for the tip, welsh and touch. Here is a fresh HijackThis log.
Bobbye, thank you for your extended post on helping me. I'm going to read this now and will report back.

Bobbye,
I think that did the biggest improvement. Immediately after msconfig instructions I was able to start web browsing and hitting the Start Menu after a minute.

Based on what all of you advised, I eliminated Norton. I only had a 60-day trial when I bought the computer, and haven't used it since. Happy to see it go.

Welsh, I will try defragmenting now. Thanks!
 
Glad to hear you were able to switch out the Norton. Some members want this thrown out right up front. But it is costly and if the payment has gone out then I think it should wait until expiration. You will get better security with Avira.

I missed an entry in the original HijackThis log- I had you remove several of the IE Redirects by HP, but missed this one:
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop

Basically this means that HP is controlling your homepage.
O14 - 'Reset Web Settings' hijack/ What is IERESET?
In this section HijackThis checks the file "iereset.inf" for changes which might indicate a hijack. When you click on "Reset Web settings" on the Programs tab of Internet options, IE restores the default values for home page, search page and a few other items from the registry files stored in the "iereset.inf" file. This file is located in the inf folder in your system folder. Some OEMs create their own custom URLs for this file. (Read HP here)

And I see one entry that either remains or came back:
O1 - Hosts: 208.81.87.68 fixed.gr

I have checked the IP and site above and have asked 2 of the more learned members if this is Legit. I am not comfortable with it, so hang tight til I get answer.

This one doesn't need to start on boot:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
Filename: MSConfig.exe /auto
Program Title: Microsoft System Configuration
Rating: Not Required at Startup - Application Launcher, Microsoft Office Application
Comments: Built into Windows 98, 98SE, ME, and XP is a special tool called the "Microsoft System Configuration Utility" or simply "MSCONFIG." Designed to help you troubleshoot problems with your computer, MSCONFIG can also be used to ensure that your computer boots faster and crashes less.

Defrag is okay- you're running low on hard drive space- 27%. So you might want to check Add/Remove Programs in the Control Panel and uninstall any programs you're not using or don't need.

Don't rerun HJ yet- wait until I hear about the Host entry.
 
Hey there,
Fixed.gr is a bike forum I'm a member of. The set-up reminds me of Techspot actually :) I didn't eliminate it earlier thinking it's harmless. There are about 1000 members and everyone knows each other outside the internetz. But I don't understand why it would start upon booting up.
 
Okay, I did a lookup and found that the IP 208.81.87.68 links with fixed.gr.

You are now saying you can't get this page? I had no problem; it loads after checking the forum entry to the sign-in page.

How much RAM do you have installed? Control Panel> System> General tab> find the RAM number and post it here. The problem with this page wasn't mentioned in the original post, but as I told you, 27% of the hard drive free is not a good place to be. This is NOT the RAM, but since the system is 5 years old, you might have only had 2256MB of RAM, which won't run Windows XP properly.

I am concerned about this:
2 showing:
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

This is the Windows Update AutoUpdate Client

But there are viruses with the same name:
Backdoor.Clt - Symantec Corporation
Troj/Cult-B - Sophos

So we need to verify this process:
Right click on Start> Explore> Windows System32> there should be ONE wuauclt.exe showing on the right screen.

Turn off the Auto updates and reboot> run a new HijackThis scan and we'll check to see if these processes are running. If they are, I'll give you another program to run so attach a new log.
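As an added example (not part of this thread, and not code from HijackThis or any of the posters), here is a small Python triage script that reads HijackThis-style log lines such as the ones Bobbye quoted above and lists the three things the thread spends most time on: O1 hosts entries that point a name at a non-loopback address (the fixed.gr line), process paths that appear more than once in the running-processes section (the two wuauclt.exe lines), and the hostnames of URLs set in R1/O14 entries (the HP redirect). The log text is constructed from the entries quoted in the thread; the section-code layout and the function names are assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not from
HijackThis or the thread). Assumed layout: one entry per line, prefixed by
a section code such as R1, O1, O4 or O14; running processes are bare paths."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\wuauclt.exe
C:\\WINDOWS\\system32\\wuauclt.exe
C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avguard.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch
O1 - Hosts: 208.81.87.68 fixed.gr
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [HP Software Update] C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
"""

ENTRY_RE = re.compile(r"^(R\d+|O\d+) - (.*)$")   # "O1 - Hosts: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")          # "C:\WINDOWS\..."
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
URL_RE = re.compile(r"(https?://\S+)")


def parse_log(text):
    """Split a log into (code, body) entries and running-process paths."""
    entries, processes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROCESS_RE.match(line):
            processes.append(line)
    return entries, processes


def hosts_overrides(entries):
    """O1 entries that map a name to a non-loopback address.

    Such an entry silently overrides DNS for that name, so it is listed
    for the user to confirm (in the thread, fixed.gr turned out to be a
    site the user knows); 127.0.0.1 entries are the normal localhost line.
    """
    found = []
    for code, body in entries:
        if code != "O1":
            continue
        m = HOSTS_RE.match(body)
        if not m:
            continue
        ip, name = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not addr.is_loopback:
            found.append((ip, name))
    return found


def duplicate_processes(processes):
    """Process paths listed more than once, compared case-insensitively."""
    counts = Counter(p.lower() for p in processes)
    return {path: n for path, n in counts.items() if n > 1}


def redirect_hosts(entries):
    """Hostnames of URLs set by R* (IE registry) and O14 (iereset.inf) entries."""
    result = []
    for code, body in entries:
        if not (code.startswith("R") or code == "O14"):
            continue
        m = URL_RE.search(body)
        if m:
            result.append((code, urlparse(m.group(1)).hostname))
    return result


def triage(text):
    """Run all three checks over a log and return the findings."""
    entries, processes = parse_log(text)
    return {
        "hosts_overrides": hosts_overrides(entries),
        "duplicate_processes": duplicate_processes(processes),
        "redirect_hosts": redirect_hosts(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A duplicate process path in the log only says that two processes report the same image path; as the post above notes, the confirming check is on disk, where exactly one wuauclt.exe should exist in System32.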
 