#1
I have an AMD Athlon; it has 512mb of RAM, Windows XP Pro, and Norton, at idle using about 280mb of my RAM. I have recently been having trouble with the computer; it has had trouble running in Windows and in Yahoo Mail. Once I get on the internet it works slow but downloads pages and pics pretty well but still not as slow as when moving around desktop etc. I have run Malwarebytes Anti-Malware thinking I caught something.
Now what I found interesting is that when I had the task manager up with nothing really moving around, under CPU usage it was a flatline 100%! And then there are times when it operates properly; like right now the CPU usage seems normal. Now I confess to not knowing sh&t about computers, but that isn't right, is it? Like now as I move around the internet, the usage varies greatly and rapidly, like you would expect. Does anyone have any ideas why this is happening intermittently to my computer? Right now it is running well. I have tried very hard to download and use memtest86+ and finally made a copy on CD (still zipped), hope that is right, but have not been able to use it to boot, but that is a whole different question. Any advice about the 100% thing would be greatly appreciated.
Doug

#2
You need to read this guide and post the log files so the malware team can see what goes on.
__________________
My System: Hybr!d
#3
I would say that your problem is twofold.
1. Your RAM (512mb) is not adequate to run XP Pro
2. Norton is a memory hog
That doesn't mean you haven't picked up some malware along the way, but even a new install would be slow with these specs.
__________________
My System: Home Build

#4
That makes sense to me. Will check on getting some more RAM today; they tell me that there are double-sided RAM cards. I did follow the advice on evilfantasy's sticky page and removed some programs, and installed CCleaner. Seemed to improve temporarily.
I have discovered that I am getting daemon mail undeliverable, for emails that I never sent, in and from my spam box. I wonder if I am not being used as some sort of hub to bounce spam through and a lot more mail is passing through my computer, and I am only aware of the few that are undeliverable? Any advice on this new development?
Doug

#5
Here are the requested logs:

Malwarebytes:

Malwarebytes' Anti-Malware 1.40
Database version: 2692
Windows 5.1.2600 Service Pack 2
8/25/2009 7:16:17 AM
mbam-log-2009-08-25 (07-16-17).txt
Scan type: Full Scan (C:\|)
Objects scanned: 202296
Time elapsed: 4 hour(s), 35 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Essentials Codec Pack\mplayerc.exe (Rogue.Installer) -> Quarantined and deleted successfully.

And here is HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:54 AM, on 8/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PRISMSVR.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.10\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.10\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.10\coIEPlg.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1275210071-813497703-1343024091-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Curtis')
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://fubar.com/imgs/ImageUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1249974378349
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.10\coIEPlg.dll
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 7594 bytes

Thanks in advance
Doug

#6
Here is a run by avast, suggested by some forum regulars.
My question is why are there so many files that could not be accessed by avast, and what do I do to allow them all to be run through the test? Have procured an installation CD for Windows, but do not want to do a repair install till I know I am free of viruses. Also will do memtest86+ right now.
Thanks
Doug

* avast! Report
* This file is generated automatically
*
* Task 'Simple user interface' used
* Started on Saturday, August 29, 2009 5:53:48 PM
* VPS: 090829-0, 08/29/2009
*
Infected files: 0
Total files: 1
Total folders: 0
Total size: 512.0 B
*
* Task stopped: Saturday, August 29, 2009 5:53:53 PM
* Run-time was 5 second(s)
*

* avast! Report
* This file is generated automatically
*
* Task 'Simple user interface' used
* Started on Saturday, August 29, 2009 5:54:23 PM
* VPS: 090829-0, 08/29/2009
*
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\00000082\00000105\0000034c\cltLMS1.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\00000082\00000105\0000034c\cltLMS2.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Common Client\_lck\_AVPAPP_{BB639333-810A-4bf8-85F5-C537857F55FC}0 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Common Client\_lck\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Common Client\_lck\_ISDATAPR_{FF9AC67A-E394-46ae-B150-B3365343F166}G [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Common Client\_lck\_NPC.Tray.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Common Client\_lck\_UI.Host.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Logs\ClientIDS.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Logs\navscan.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Logs\nco2.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Logs\SymNetDrv.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Application Data\LimeWire\mozilla-profile\places.sqlite-journal [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Application Data\LimeWire\mozilla-profile\places.sqlite-stmtjrnl [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\mek5pq4s.default\cookies.sqlite-journal [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\mek5pq4s.default\parent.lock [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Application Data\Mozilla\Firefox\Profiles\mek5pq4s.default\places.sqlite-journal [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Local Settings\Temp\etilqs_YupfGbUPfbiIJfqZEXjl [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Local Settings\Temp\hsperfdata_Jeannie\1740 [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DFE223.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\Local Settings\Temp\~DFE260.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\Jeannie\ntuser.dat.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\pagefile.sys [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chandir.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chandir.idx [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chn.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\chn.idx [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\D0000000.FCS [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\L0000007.FCS [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs.idx [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_die.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_die.idx [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_dnd.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_dnd.idx [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_ext.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_ext.idx [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_rcv.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\prs_rcv.idx [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\storydb.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Jeannie\Data\storydb.idx [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\CatRoot2\edb.log [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\CatRoot2\tmp.edb [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\default [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\default.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\sam [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\SAM.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\security [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\SECURITY.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\software [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\software.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\system [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\system32\config\system.LOG [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\JET6607.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\Perflib_Perfdata_140.dat [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\Perflib_Perfdata_754.dat [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\Perflib_Perfdata_84.dat [E] The process cannot access the file because it is being used by another process (32)
C:\WINDOWS\Temp\_avast4_\Webshlock.txt [E] The process cannot access the file because it is being used by another process (32)
Infected files: 0
Total files: 55456
Total folders: 4721
Total size: 12.9 GB
*
* Task stopped: Saturday, August 29, 2009 11:12:17 PM
* Run-time was 5 hour(s), 17 minute(s), 54 second(s)
*

#7
Threads merged, please use one thread per issue, thanks.
#8
This doesn't appear to be a malware issue but we can clean up a few things with HijackThis.
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
Once completed, exit HijackThis.
----------
Could you get SUPERAntispyware to run?

#9
Thanks, I have used that recently too. I tried to reload Windows XP and ran into a problem trying to put the passcode in, had to take it to Zydeco computer repair; I think that there was some kind of file damage that they will fix for me. I think that I bit off more than I could chew. Came very close to the hammer method. LOL
Thanks for all your help, guys.
Doug