Several problems

[dl65]

guiness.....ok .....then we are making some progress then.....Please delete the entries
( double click and Value click ) they are not good........You are safe to delete anything which Antispyware identifies ........ Your hijackthis log revealed that you had ( and may possibly still have ) 3 trojans and 2 viruses ......

So here's something else to try ......
click "Start " , "Control Panel" , then make sure it is being displayed in "Classic view " then click "Folder Options"  ....when folder options opens ...click the view tab ......and scroll down until you see the folder called Hidden files and folders ......now put a tick in the small circle in front of "Show hidden files and folders " click apply and ok ......... Exit control panel .
Now lets shut down and reboot into the safe made ......
( repeatedly tap the F8 key as soon as you reboot ) you will be given options as to how you wish to start ...choose SAFE mode ......when it boots up in safe mode ...your display will look completely differant .....and you will not have access to the net .....
Now run your scans again .........Virus scan , then Antispyware ( Beta ) , Ad-Aware if you have it , SpyBot if you have it .   Delete anything the scans find ........when finished ....shut down and reboot .......now it will start in normal mode ......  when back up in normal mode and connected to the net....try several of the links you have in your fovourites folder to see if they are working ....

Let us know

dl65  

[guiness]

Spybot - Search && Destroy process list report, 3/4/2005 2:27:40 PM

PID:    0 (   0) [System]
PID:    4 (   0) System
PID:  216 (1432) C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
PID:  484 (   4) \SystemRoot\System32\smss.exe
PID:  536 ( 484) csrss.exe
PID:  560 ( 484) \??\C:\WINDOWS\system32\winlogon.exe
PID:  604 ( 560) C:\WINDOWS\system32\services.exe
PID:  616 ( 560) C:\WINDOWS\system32\lsass.exe
PID:  768 ( 604) C:\WINDOWS\system32\svchost.exe
PID:  840 ( 604) svchost.exe
PID:  976 ( 604) C:\WINDOWS\System32\svchost.exe
PID: 1032 ( 604) svchost.exe
PID: 1100 (1432) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 1108 (1432) C:\Program Files\AIM\aim.exe
PID: 1172 ( 604) svchost.exe
PID: 1432 (1412) C:\WINDOWS\Explorer.EXE

[guiness]

Spybot - Search && Destroy browser pages report, 3/4/2005 2:14:19 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
 C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
 http://srch-qus10.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
 http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
 http://qus10.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
 http://srch-qus10.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchAssistant
 http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
 http://searchmiracle.com/sp.php
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
 %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
 http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
 http://qus10.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
 http://srch-qus10.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
 http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
 http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

[guiness]

I ran Registry First Aid and deleted over 1000 entries.  I also ran Antivirus again but it still detected nothing.  I ran a different one and it found 3 Trojans.  Deleted the infected files.  I played it safe and deleted the programs.
Everything is much better.  Pages load faster, IE hasn't shut down, all the graphics are showing up. The only problem is it still says there is not enough memory.  I have 1G RAM and only 600MB available.  I don't know what happened to the rest but that should be more than enough.  And the problem with memory started with all the other ones I was having.  So, once again, any suggestions.  Thanks for all the help.

[dl65]

guiness.....glad to hear that things are working better.
You should probably run registry first aid once a week.
Here's something else to look at ........click start .....then run ....now type in the box ....... dxdiag  and click ok .....when the new window opens , make sure its the system tab and look down were it lists the memory ...what does it show ?

let us know

dl65

[guiness]

Hi,  after I rebooted my computer I ran Spybot again and found another Trojan.  I'm going to start in safe mode again and do everything over.  It was the same Trojan as one before, just in a different file.  Also, after running dxdiag, it says I have 960MB RAM.  I looked under system tool...then system information, it says I have 1024MB installed, 513 available.  That can't be good.  It may take awhile but, I'll get it fixed with ya'lls help.  Thanks

[dl65]

 guiness....What is the name of this elusive trojan?
Something else I negected to have you do was to empty the temp internet files , the cookie files and the history files.   to do that click on tools in your browser , then select internet options , then the general tab , click delete cookies , delete files and  clear history ....then click apply and ok

Let us know

dl65  

[guiness]

The name of the Trojan is TR/VB.SR.  I have deleted it form 3 different files.  I have already deleted the temp files, cookies and all that.  I thought I had my homepage blocked against hijackers, but apparently I don't.  It keeps getting changed.  Any good program for that?

Thanks

[guiness]

I just tried to load a program I've used before and got this error message:  16 Bit Windows Subsystem
C:\Windows\System32\Autoexec.NT. The System file is not suitable for running MS-DOS and Microsoft Windows applications.

How concerned should I be?

[guiness]

I'm pretty sure my IE6 files are corrupt.  Unfortunately I don't have my XP installation disc here or I would just reinstall it.  I tried to run an IE Fix program but it needs the CD.  It corrected some of it.  I don't get blank pages any more and it does'nt say I don't have enough memory.  However, the loaded page only stays up for about 3 seconds.

[dl65]

guiness......Hi .....If your home page is still being changed , there's a very good chance that we overlooked something when we removed the things using hijackthis........perhaps you could run a new scan as it is today and post it for us to look at ........
I think you can download IE 6 ......... , but I'm not sure I would do that yet .

dl65  

[guiness]

Here is the new log  

Logfile of HijackThis v1.99.1
Scan saved at 12:51:21 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.829\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://msn.com
R1 - HKCU\Softhe new log

[guiness]

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int174159.exe -auto
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\letsroll.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunOnce: [PhotoshopAlbumUninstallRebootRequired] cmd /c del "C:\WINDOWS\system32\drivers\PFCNeedUnInstallBoot.tmp"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094660909415
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

[guiness]

Disregard the very last entry of R1 on the first page, my mistake.

[merlin_2]

T o jump in on this post.......spyware is rampant on your pc..>>use spyweeper..>>>to clean it...>>.http://webroot.com/downloads/?WRSID=9515a892e56d03e80281761ce8699a54

and use free-ram xp from majorgeeks to improve ram use...i could got into the tech..crap..but i wont..i will let the software help you.........>.info>http://www.webattack.com/Freeware/security/fwantispy.html