3 logs attached - 8 Steps to Virus & Malware Removal

By wombat
Apr 1, 2009
Topic Status:
Not open for further replies.
  1. I've had my PC for nearly five years and haven't had major problems except that it is getting slower...and slower......and slower. Takes about 10-15 minutes to boot, and a considerable amount of time to process if several programs are running at once. I eradicated all unnecessary programs when first bought (i.e. AOL, games, Yahoo, etc, etc.)

    I have to report that since going through the 8 steps and getting rid of cookies and temp files there is improvement. I use Firefox only for web browsing and do have online banking, passwords, etc. I'll reformat/reinstall the system if need be. I use the computer for web, papers, taxes, music, video editing, image archiving, watch movies--it's pretty much the catch-all. Everything is backed up on an external hard drive. I have never defragmented though I imagine it may be needed.
    Any other info I missed?
    Thank you for any advice you may give.

    edit: oh yes, and programs crash often if I do not allow the comp. enough time to "think." Is that a reiteration of above?


  2. swwelsh

    swwelsh Newcomer, in training Posts: 43

    You have two antivirus programs running. I would get rid of Norton; it is a known drag on most systems, but two antivirus products will definitely slow things down and cause problems. If Norton will not uninstall from Control Panel you can download a program from Norton to remove it completely. I would run a defrag, especially since you mention doing video editing, and run CCleaner if you have not already done it. Your logs look mostly clean. If things don't speed up after all the above, you might want to start looking for a new or newer computer; 5 years is a pretty good lifespan for a PC.
  3. touch

    touch Newcomer, in training Posts: 978

    Thank you swwelsh.

    wombat ->

    Download the Norton Removal Tool (SymNRT) to your Desktop.
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    Go to your desktop and double click on the removal tool and then click Setup.
    Once open Click Next
    Accept the license agreement and click Next
    Type in the letters/numbers that you see into the text box then click Next.
    Then click Next and the tool will start running.
    Once finished restart the PC and run the tool again to ensure everything has been removed.
    Delete the Norton removal tool from your Desktop.

    Restart


    Then run http://www.mlin.net/StartupCPL.shtml
    and remove any not required startups.

    Attach fresh hijackthis log, and tell how things are running now
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    A little help: we can do some work with the first logs:

    It appears that you might not be doing any maintenance on the system. You have an extraordinary number of Tracking Cookies in Firefox. Be sure SAS was checked to remove them, then:

    Reset Cookies:
    Avira is the better of the two security programs for antivirus. However, it is free. So if you have paid for the Symantec Security Suite, you might want to keep it for now, then change over when the subscription comes due. But uninstall whichever program you do not want to keep.

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

    The following are a group of HP entries that do not need to start on boot. I will instruct you in how to stop it from starting and the following can all be checked in the HJ log:
    Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed boot into Safe Mode:

    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
    ALL HP processes

    IF you decide to remove Avira for now, you will need to:
    Apply> OK Reboot into Normal Mode
    NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

    Please note: it appears that you have the Symantec/Norton Security Suite. This costs money. Some don't want to trash a program they paid for, even though another program might be better. So you will need to make that decision.

    When you have finished the above, update and run a new scan with HijackThis and attach the log.

    This thread is for the use of wombat only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.
  5. wombat

    wombat Newcomer, in training Topic Starter

    Thanks for the tip, welsh and touch. Here is a fresh hijack log.
    Bobbye, thank you for your extended post on helping me. I'm going to read this now and will report back.

    Bobbye,
    I think that did the biggest improvement. Immediately after msconfig instructions I was able to start web browsing and hitting the Start Menu after a minute.

    Based on what all of you advised, I eliminated Norton. I only had a 60-day trial when I bought the computer, and haven't used it since. Happy to see it go.

    Welsh, I will try defragmenting now. Thanks!
  6. wombat

    wombat Newcomer, in training Topic Starter

    Alright, attached is defrag. log, in case anyone is interested.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Glad to hear you were able to switch out the Norton. Some members want this thrown out right up front. But it is costly and if the payment has gone out then I think it should wait until expiration. You will get better security with Avira.

    I missed an entry in the original HijackThis log- had you remove several of the IE Redirect by HP, but missed this one:
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop

    Basically this means that HP is controlling our homepage.
    O14 - 'Reset Web Settings' hijack/ What is IERESET?
    And I see one entry that either remains or came back:
    O1 - Hosts: 208.81.87.68 fixed.gr

    I have checked the IP and site above and have asked 2 of the more learned members if this is Legit. I am not comfortable with it, so hang tight til I get answer.

    This one doesn't need to start on boot:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    Defrag is okay- you're running low on hard drive space- 27%. So you might want to check Add/Remove Programs in the Control Panel and uninstall any programs you're not using or don't need.

    Don't rerun HJ yet- wait until I hear about the Host entry.
  8. wombat

    wombat Newcomer, in training Topic Starter

    Hey there,
    Fixed.gr is a bike forum I'm a member of. The set-up reminds me of Techspot actually :) I didn't eliminate it earlier thinking it's harmless. There are about 1000 members and everyone knows each other outside the internetz. But I don't understand why it would start upon booting up.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay, I did a lookup and found that the IP 208.81.87.68 links with fixed.gr.

    You are now saying you can't get this page? I had no problem; it loads after checking the forum entry to the sign-in page.

    How much RAM do you have installed? Control Panel> System> General tab> find RAM number and post here. The problem with this page wasn't mentioned in the original post, but as I told you, 27% of the hard drive free is not a good place to be. This is NOT the RAM but since the system is 5 years old, you might have only had 2256MB of RAM which won't run Windows XP properly.

    I am concerned about this:
    This is the Windows Update AutoUpdate Client

    But there are viruses with the same name:
    Backdoor.Clt - Symantec Corporation
    Troj/Cult-B - Sophos

    So we need to verify this process:
    Right click on Start> Explore> Windows System32> there should be ONE wuauclt.exe showing on the right screen.

    Turn off the Auto updates and reboot> run a new HijackThis scan and we'll check to see if these processes are running. If they are, I'll give you another program to run so attach a new log.
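
As an added example (not part of the thread or written by any of its participants): a small Python triage of the HijackThis line types the helpers discuss above (O1 hosts entries, O4 Run keys, O14 IERESET.INF), using the three lines quoted in the thread plus one constructed O4 line. The `LOOKUPS` table, the `triage` function and the System32 path are assumptions for illustration.

```python
import ntpath
import re
from urllib.parse import urlparse

# Three lines quoted in the thread, plus one constructed line (the last) that
# is not from wombat's log; it exercises the wuauclt.exe location check.
SAMPLE_LOG = r"""
O1 - Hosts: 208.81.87.68 fixed.gr
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [wuauclt] C:\WINDOWS\Temp\wuauclt.exe
"""

# Assumption: lookup results supplied by the analyst (post 9 reports this pair).
LOOKUPS = {"fixed.gr": {"208.81.87.68"}}
SYSTEM32 = r"c:\windows\system32"  # assumed Windows XP default install path

HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
RUN = re.compile(r'^O4 - (\S+): \[(.+?)\] "?([A-Za-z]:\\.+?\.exe)', re.I)
IERESET = re.compile(r"^O14 - IERESET\.INF: (\w+)=(\S+)$")


def triage(log, lookups=LOOKUPS):
    """Return (section, subject, verdict) for each O1/O4/O14 line in the log."""
    findings = []
    for line in filter(None, map(str.strip, log.splitlines())):
        if m := HOSTS.match(line):
            ip, host = m.groups()
            ok = ip in lookups.get(host.lower(), set())
            findings.append(("O1", host, "matches lookup" if ok else "verify: overrides DNS"))
        elif m := RUN.match(line):
            path = m.group(3)
            name = ntpath.basename(path).lower()
            misplaced = name == "wuauclt.exe" and ntpath.dirname(path).lower() != SYSTEM32
            findings.append(("O4", path, "verify: wuauclt.exe outside System32"
                             if misplaced else "startup item: review if needed at boot"))
        elif m := IERESET.match(line):
            findings.append(("O14", m.group(1), "reset target: " + urlparse(m.group(2)).hostname))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A hosts entry that matches the lookup still pins the name to that address, so it is worth re-checking if the site ever moves.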