Registry Altered By Hijacker, Can't Search Google [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by AngieKae, 2005/09/21.

  1. 2005/09/22
    PeteC SuperGeek Staff

    Angie

    FYI - hitting F8 should get you to a 'Dos' screen with several options, one of which is Safe Mode.
     
  2. 2005/09/22
    AngieKae Inactive Thread Starter

    Thanks Pete :) I will try hitting the F8 key again to go into safe mode on reboot. I was thinking it was either that or the ESC key, but nothing happened with either of them. Maybe the 3rd time's a charm :) .

    oshwyn: I will go ahead and run HijackThis again either in safe mode or normal and see if any of that stuff needs to be fixed.

    Yes, I would like advice on turning off those processes that are running that don't need to be.

    Thanks to all for the helpful links, also :)

    Angie
     

  4. 2005/09/22
    oshwyn5 Inactive

    C:\NORTON~1\NORTON~1\NPROTECT.EXE
    Norton protected recycle bin / Norton protection.
    Creates a duplicate of anything you delete and, even if you empty the recycle bin, keeps it until you choose to empty Norton protection. You cannot see these files; they are protected. Unless you have a bad habit of deleting files by mistake and emptying the recycle bin without checking its contents, you really do not need this. It wastes disk space and processor cycles and it leaves behind easily recoverable copies of things you thought you had deleted. There should be an option in your Norton utility (SystemWorks) to disable this, and there should also be an option under right click on recycle bin and choose properties. Either will do.
    It also starts a service
    Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\NORTON~1\NORTON~1\NPROTECT.EXE
    Which you can disable in the service control panel by going to start / run and type services.msc and hit enter.
    Locate it and change startup to disabled.


    C:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    Norton speed disk is Norton's defrag utility.
    All defrag utilities use different methods of sorting files. Some sort by name (alphabetically), some by frequency of use, some by file type, some by operating system, programs and data. And they all use different algorithms to weight different files. In Win98/ME Windows used a defrag utility based on Norton's and the defrag utility only ran when you ran it. So as long as you stuck to one, no problem. But XP uses a variant of competitor Executive Software's Diskeeper http://www.executive.com/downloads/menu.asp
    software for disk management and defrag. One of its features is that it runs in the background, just as speed disk is doing here, and does mini defrags and recalculates the layout based on usage while you work when it senses times that nothing is going on (your drive starts flashing when you have left it idle for a minute or two, sometimes sooner). Basically the two competitors take turns moving files back and forth.
    So you either need to disable speed disk and use Windows defrag or disable this feature of Windows defrag and use speed disk. Speed disk should be disabled in its settings and in the service control panel services.msc as above. Locate and disable the entry.
    Service: Speed Disk service - Symantec Corporation - C:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    Or you can disable the Windows one with TweakUI from Microsoft PowerToys.
    http://www.microsoft.com/windowsxp/pro/downloads/powertoys.asp
    Install it and go to start / programs / powertoys / tweakui / general (select this) and over on the right at the bottom is "optimize the hard disk when idle". Uncheck this.


    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\Free Ram XP Pro\FreeRAM XP Pro 1.40.exe" -win
    Unless you have a specific program you need to free up RAM for, this is a real waste. Basically you are forcing Windows to not use RAM and use slower virtual memory / swap file on the hard drive when there is still free RAM which could be utilized by Windows. The Windows memory manager is excellent. So essentially by using this you are slowing your system down.


    I also do not understand why you have both Ghost and GoBack running.
    Did you make a Ghost image of your install and are using this utility to constantly update the image as well as constantly updating a GoBack image too?
    This strikes me as overkill.
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    Are you also using a Maxtor OneTouch to make a third copy of everything?
    Another backup program?
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    Really, you should not have to have any of these running all the time. Just back up important data on a schedule.
    (You do realize that your current backups, the system restore, GoBack and OneTouch are all probably infected with what you had and if accessed can reinstall it. You should purge any you are not sure are clean and make new backups.) But if you feel a need for the security, choose one and use it. Four is way too much.


    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe "
    http://www.processlibrary.com/directory/files/ipmon32/
    http://www.dslreports.com/faq/1247
    This is unnecessary after you have set up your connection initially. It is a feedback tool and a resource hog.
    If you need to run it for them to diagnose your problem, you can manually launch it.
    Codestuff Starter startup manager and process viewer
    is a great free startup manager and process viewer which will let you disable this startup entry and turn it back on if you need to later. (You can also use it on FreeRAM if you want to keep it for some unknown reason.)

    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Norton SystemWorks 2004\Norton CleanSweep\QDCSFS.exe /startup
    What do you have CleanSweep set to do automatically? If you are not actually using it, you should probably disable this too.
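
The review in the post above works through HijackThis `O4` (Run-key autostart) and `O23`/`Service:` lines one at a time. The following is an added example, not part of the original post, that parses those quoted lines into records for the same triage; the function names and flag labels are hypothetical, and the split of an unquoted command at the first `.exe` is a heuristic.

```python
import re

# Lines quoted in the post above (O4 = Run-key autostart, O23 = service).
SAMPLE_LOG = r'''
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\Free Ram XP Pro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Norton SystemWorks 2004\Norton CleanSweep\QDCSFS.exe /startup
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
Service: Speed Disk service - Symantec Corporation - C:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
'''

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): '
                   r'\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$')
# The post quotes service lines both with and without the "O23 - " prefix.
SVC_RE = re.compile(r'^(?:O23 - )?Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))?'
                    r' - (?P<vendor>.+?) - (?P<cmd>[A-Za-z]:\\.+)$')

def split_command(cmd):
    """Return (executable, arguments, was_quoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
        return exe.strip(), rest.strip(), True
    # Unquoted: assume the executable ends at the first ".exe" (a heuristic).
    m = re.match(r'(?i)(.+?\.exe)\b\s*(.*)$', cmd)
    return (m.group(1), m.group(2), False) if m else (cmd, '', False)

def parse_hjt(text):
    """Parse O4 and service lines into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m, kind = O4_RE.match(line), 'run'
        if not m:
            m, kind = SVC_RE.match(line), 'service'
        if not m:
            continue
        rec = m.groupdict()
        exe, args, quoted = split_command(rec.pop('cmd'))
        flags = []
        if re.search(r'~\d', exe):
            flags.append('8.3-short-path')  # alias hides the real folder name
        if not quoted and ' ' in exe:
            flags.append('unquoted-path-with-spaces')  # exe boundary is a guess
        rec.update(kind=kind, exe=exe, args=args, flags=flags)
        entries.append(rec)
    return entries

if __name__ == '__main__':
    for e in parse_hjt(SAMPLE_LOG):
        print(e['kind'], e['name'], '|', e['exe'], '|', ', '.join(e['flags']) or '-')
```

Entries flagged `8.3-short-path` should be resolved to their long path before deciding whether the program is the one its name suggests.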
     
  5. 2005/09/23
    AngieKae Inactive Thread Starter

    Thanks a lot oshwyn for the info on the running processes. :)

    I do use the Norton Protected Recycle Bin. With 7 year old twins playing on the pc from time to time, it has already been a lifesaver! :p

    I disabled the Norton Speed Disk and the Free Ram XP Pro and will also disable the Norton Ghost and Go Back when I'm ready to reboot. (Can't disable the Ghost until I disable Go Back and can't do that without rebooting afterwards. :) ) I guess I became overly protective of my files several months ago when my pc was hacked and I lost pretty much everything and many of my back-up cds could no longer be read. I'll continue to make back-up cds now that I have a program that will read any disc, and will make new ones now that things are safe again.

    I use the Maxtor One-Touch for extra storage for my files. Nothing has been backed up onto it.

    The Retrospect Launcher has also been disabled.

    I've kept the IP Insight Monitor enabled. Seems like every time I turn around something is wrong with the line and I have to call them and they have to check it. Ah, the joys of living in the middle of nowhere Texas. :rolleyes:

    I use the Clean Sweep to automatically clean cookies, cache, etc. on start-up so I have kept it also.

    You've been a great help!

    Thanks also to Pete and Charles. You guys have always been there to help me out. :)

    Angie
     
