Author Topic: Several problems  (Read 19950 times)

guiness

  • Guest
Re: Several problems
« Reply #30 on: March 05, 2005, 05:05:23 PM »
Thanks,  I tried to use Spysweep and it locks up on my system.  It does find a lot of things my other one doesn't but I can't delete them.

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: Several problems
    « Reply #31 on: March 05, 2005, 06:05:37 PM »
    guiness........Is the log you posted from the same pc ?  I'm seeing things that didn't appear on the first one .....
    Have you been adding programs ? I also note that the trojans are still there . How many different antivirus programs are you using .......( you should really only have one ) .......Could you list the spyware removers you are using right now and how many of them are registered ...as opposed to trial versions ....
    Why don't I see antispyware .....listed ?
    Why don't I see registry first aid listed ?
    I'm seeing Symantec showing up ....are you using some Symantec app?
    Unfortunately ......if you are adding or deleting apps it's difficult to track what's going on .

    let us know

    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Several problems
      « Reply #32 on: March 05, 2005, 08:03:41 PM »
      guiness......Ok ,  let's try this again........
      before we mark for removal , I would like you to set the 4 search URLs in configuration to ......
      http://www.msn.com
      you can change to whatever once we get this clean ......

      Mark for removal......the following:
      All R0 entries
      All R1 entries
      O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
      O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
      O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
      O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
      O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int174159.exe -auto
      O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
      O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\letsroll.exe
      O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
      O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
      O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll

      ok ...click fix checked ...... Now reboot and go looking for ...... C:\WINDOWS\ALCXMNTR.EXE    when you find it delete it.

      Now run hijackthis again and post the log ....We need to see it before you add anything .

      dl65  ::)


      « Last Edit: March 05, 2005, 08:04:38 PM by dl65 »
      If you don't know the answer, it isn't a dumb question.

      guiness

      • Guest
      Re: Several problems
      « Reply #33 on: March 05, 2005, 10:34:10 PM »
      dl65    Yes it is the same PC and no I'm not adding programs.  Well, I did add Registry First Aid and the Microsoft Antispyware and they are still there.  I have one AntiVirus program.  I have Adware6 and Spybot but they are not detecting any spyware. They are both trial versions.  Someone from the forum suggested SpySweeper.  It detected a ton of them but it locks up and I can't delete them. I don't use any Symantec programs. I'm at work now and can't do anything till tomorrow morning when I get home.  Once again, thanks for all your help.

      guiness

      • Guest
      Re: Several problems
      « Reply #34 on: March 06, 2005, 09:35:09 AM »
      Logfile of HijackThis v1.99.1
      Scan saved at 8:27:42 AM, on 3/6/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\MSN Messenger\MsnMsgr.Exe
      C:\Program Files\AIM\aim.exe
      C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
      C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
      C:\Program Files\SpywareGuard\sgmain.exe
      C:\Program Files\SpywareGuard\sgbhp.exe
      C:\Program Files\AVPersonal\AVWUPSRV.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\WinRAR\WinRAR.exe
      C:\WINDOWS\System32\svchost.exe
      C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.359\HijackThis.exe

      O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_5_7_0.dll
      O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
      O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
      O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
      O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
      O4 - Global Startup: officejet 6100.lnk = ?
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
      O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094660909415
      O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


      dl65

      • R.I.P.


      • Prodigy

        Thanked: 18
        Re: Several problems
        « Reply #35 on: March 06, 2005, 01:25:16 PM »
        guiness ....Wow this sucker is sure stubborn......

        one more time ....

        Mark for removal

        O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

        Mark for removal    

        No reboot and see how things are .

        dl65  ::)

        If you don't know the answer, it isn't a dumb question.

        guiness

        • Guest
        Re: Several problems
        « Reply #36 on: March 06, 2005, 01:56:30 PM »
        Logfile of HijackThis v1.99.1
        Scan saved at 12:52:33 PM, on 3/6/2005
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\csrss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AVPersonal\AVSched32.EXE
        C:\Program Files\MSN Messenger\MsnMsgr.Exe
        C:\Program Files\AIM\aim.exe
        C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
        C:\Program Files\SpywareGuard\sgmain.exe
        C:\Program Files\SpywareGuard\sgbhp.exe
        C:\Program Files\AVPersonal\AVWUPSRV.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\alg.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\WinRAR\WinRAR.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.828\HijackThis.exe

        O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_5_7_0.dll
        O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
        O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
        O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
        O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
        O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
        O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
        O4 - Global Startup: officejet 6100.lnk = ?
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\Shdocvw.dll
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
        O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094660909415
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
        O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
        O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
        O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


        dl65

        • R.I.P.


        • Prodigy

          Thanked: 18
          Re: Several problems
          « Reply #37 on: March 06, 2005, 02:07:36 PM »
           guiness......So how is the pc running ?

          As far as I can see , the hijacker has been removed .....

          Run registry first aid again as well as Antispyware and see if it finds anything .........and then try spysweeper again ........( is it a trial version or the full version ?)
          Do you have software installed from bulletproof software ?  it keeps showing up ........as a bad entry .....

          dl65  ::)
          « Last Edit: March 06, 2005, 02:14:10 PM by dl65 »
          If you don't know the answer, it isn't a dumb question.
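The loop dl65 runs in this thread (mark entries, fix, reboot, post a fresh log) comes down to checking the new log against the removal list. The following is an added example, not part of any post and not HijackThis code: it compares entries copied from Replies #32 and #35 with an excerpt of the log in Reply #36. The function names and the handling of "All R0 entries" are assumptions of this sketch.

```python
import re

# Lines copied from the thread; shortened selections, not the full posts.
# MARKED: entries from the "Mark for removal" lists in Replies #32 and #35.
MARKED = r"""
All R0 entries
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int174159.exe -auto
O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\letsroll.exe
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""
# FOLLOW_UP: excerpt of the log posted afterwards in Reply #36.
FOLLOW_UP = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: officejet 6100.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
# "All R0 entries" style instructions select a whole section.
WHOLE = re.compile(r"^\s*All ([RFNO]\d{1,2}) entries\s*$", re.I)

def parse(text):
    """Return (entries, whole_sections); entries are (section, normalised detail)."""
    entries, whole = [], set()
    for line in text.splitlines():
        m, w = ENTRY.match(line), WHOLE.match(line)
        if m:
            # Case and spacing vary between posts, so compare normalised text.
            entries.append((m.group(1), " ".join(m.group(2).lower().split())))
        elif w:
            whole.add(w.group(1).upper())
    return entries, whole

def verify_removal(marked, follow_up):
    """Split what was marked into entries still present and entries now gone."""
    wanted, whole = parse(marked)
    seen, _ = parse(follow_up)
    still = [e for e in seen if e in wanted or e[0] in whole]
    gone = [e for e in wanted if e not in seen]
    return still, gone

if __name__ == "__main__":
    still, gone = verify_removal(MARKED, FOLLOW_UP)
    for section, detail in still:
        print("STILL PRESENT", section, detail[:70])
    for section, detail in gone:
        print("removed      ", section, detail[:70])
```

On these excerpts the two O4 Run entries are gone while the O10 LSP line and the O23 rpcapd service line are still reported.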

          guiness

          • Guest
          Re: Several problems
          « Reply #38 on: March 06, 2005, 02:18:45 PM »
          PC runs great.  All the pages load, no more memory problems.  Thank you very much.  I have never been infected like that before.  Spysweeper is a trial version but it detects 4x more than the other two.  What do you recommend as an Antivirus?  The one I have does not run in the background like Nortons did.  I don't think it will prevent a virus before it happens.    I'll do what you suggest and let you know if I find any problems.  Do you know a program where I can retrieve deleted files?  I think I jumped the gun and started deleting things before I knew what was going on.  Again, thank you very much.

          guiness

          • Guest
          Re: Several problems
          « Reply #39 on: March 06, 2005, 02:21:49 PM »
          I used to have bps antivirus and spyware removal but it was deleted.  There are a lot of things still on the computer that no longer exist.  Another is one of the programs where the first Trojan was found. I deleted the program but when I do a virus scan, it is the first program that is scanned.

          dl65

          • R.I.P.


          • Prodigy

            Thanked: 18
            Re: Several problems
            « Reply #40 on: March 06, 2005, 03:12:32 PM »
            guiness......Glad to hear things are back to normal.....
            As far as what do I use ..........

            Anti- virus ......I use Norton 2004 .......It has never let me down ......I will update to Norton 2005 when my subscription expires . ( Norton is a bit of a resource hog ...but it does the job ) I have it set to do a full scan everyday .......

            Spyware scanners .......
            Ad-Aware SE professional  ......I run it at least 3 times a week ....... always check for updates.

            Antispyware ( Beta ) ......I have it set to autorun each day ....... and I like it because it auto updates .....

            Registry First Aid ........I run it at least once a week .......And always if I delete some program ........

            SpyBot Search and Destroy ........again at least once a week ........always check for updates .

            SpySweeper from Webroot ........ Run it once a week.

            System Mechanic 5 Pro ......... Run it once a week ......
            I like this app because it has many very good features in it .....( not recommended for new users ......because there is the potential of throwing out things you require)
            It has a very good defragger built into it ......as well as a separate memory defrag and recover feature .

            I also have my browser set to delete cookies , temp internet files and history each time I close the browser.

            You mentioned you have things on the pc that you no longer use ....do a search and remove any empty folders or any bits and pieces you find related to those apps......
            Learn how to use the search feature in the registry .......because there are numerous entries in there that you probably no longer require .......Registry First Aid finds a lot , not all .

            The secret is once ......you get it running smoothly ....don't ignore the regular maintenance ......
            Games have a bad habit of clogging up your system , particularly if you're into on-line games .....

            dl65  ::)

            If you don't know the answer, it isn't a dumb question.

            guiness

            • Guest
            Re: Several problems
            « Reply #41 on: March 06, 2005, 03:27:19 PM »
            Thanks.  I have all except System Mechanic 5.  I'll look into getting that.  Unfortunately,  I let someone borrow an extra computer and when I got it back, it was in the seriously infected state.  They had all the resources, just didn't bother to use them.  Now that it is back to normal, I intend for it to stay that way.  Once more, thanks for all of your help.  I know where to come if I have any questions in the future.