Few Issues

Discussion in 'Software' started by Cook_1, Jul 29, 2005.

  1. Cook_1

    Cook_1 Private E-2

    First off, this isn't my PC. This is a laptop that my mother uses for work at times when she has to go on the road or work the weekend from home. Besides right now this PC has never been in my hands but it does need to be fixed.

    Orig. Problem:

    1st Thing- Task Manager will NOT open. When I hit Ctrl+Alt+Delete nothing will happen, so I'll hit it again and it will open briefly for about 2 seconds then close. I believe this may have something to do with #2 and #3.

    2nd Thing- CPU is being used by some unknown program. I know this because I DL'd Speedfan and had it open and watched the CPU usage spike up to 100%, down to 34%, back up to 78%, back down to 4%, etc. It was doing this while I wasn't doing anything, just having the program open. I wanted to check out the CPU usage because the system was getting extremely slow just opening and closing basic programs like Word/Powerpoint etc. Also the CPU fan would speed up when nobody was using the machine.

    3rd Thing- Spy Sweeper is picking up a program called Time Manager but cannot remove it. The exact file name is TimeManager.exe; could this program be causing #1 and #2? I haven't heard anything about it, and upon trying Control Panel -> Add/Remove Software it's not showing up on the list, or in a basic search for all files and folders. I've gone and taken a peek at the registry briefly but came to realize that it would be like looking for a needle in a haystack without really knowing the location.

    Steps I have taken:

    http://securityresponse.symantec.co...ytob.ih@mm.html

    Started to follow the steps to remove it from the system...now I'm stuck here...

    http://securityresponse.symantec.co...istry.keys.html

    When I went to click on "UnHookExec.inf" expecting there to be an option to DL the file, there wasn't. I right-clicked on it and saved it to my desktop, then put it on the infected PC. However, when I right-click and then choose Install, nothing happens and I still can't edit the registry.

    **Would also like to add that I can't boot into safe mode. Even though I am putting in the correct username/password, it won't accept it. I just had to restart the notebook and log into Windows. And that's where I am now.

    After doing some reading I came across the suggestion to try an online virus scanner because the ones installed on the system won't work.

    So I go for Panda, and while it's in the process of installing and scanning, my IE has an error and closes.

    Seems that every way I try to get around this worm to get rid of it, it shuts me down!

    **Update**

    I've gone here:

    http://windowsxp.mvps.org/ToolsQuit.htm

    And was able to open and change the copies...but my question is, what next? I mean, I need to edit the originals, not the copies.

    Hijackthis Log:

    I haven't looked this over yet, going to now, but wanted to post it quick.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:56:25 PM, on 7/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\TimeManager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\ALAN~1.BCU\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nzcity.co.nz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nzcity.co.nz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: Action International Demobar - {E7E38969-E0F4-4d47-869E-74B9387C7E33} - C:\Program Files\Action International DemoBar\tbu4\toolbar.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Hot_Tarts_nz] C:\Program Files\Video1\Dialers\Hot_Tarts_nz\Hot_Tarts_nz.exe /dontdial
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Time Manager] TimeManager.exe
    O4 - HKLM\..\RunServices: [Time Manager] TimeManager.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Action International Demobar search - res://C:\Program Files\Action International DemoBar\tbu4\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
    O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwla.ops.placeware.com/etc/place/...quicksilver.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
    O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA3} (WDCapture Class) - https://wip3.webdialogs.com/components/WDATL64.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1868e819c0ebd5bc0a16/...ip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://actioncoaching.webex.com/client/v_e...ent/ieatgpc.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.smugmug.com/photos/activex/XUpload.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcusa.local
    O17 - HKLM\Software\..\Telephony: DomainName = bcusa.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{934A8C22-FB9B-4ACA-81B0-45F019CBBB24}: NameServer = 205.171.3.65
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B6DAAA2C-0A40-4388-AF6A-6A4EC347B12F}: NameServer = 205.171.3.65,205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcusa.local
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: iTunes MusicService - Unknown owner - C:\WINDOWS\usbbay.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe


    O4 - HKLM\..\Run: [Time Manager] TimeManager.exe
    O4 - HKLM\..\RunServices: [Time Manager] TimeManager.exe

    Is my issue, yet I can't get into the registry or anything else to change it.
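    As an added example (not code from the original post, from HijackThis, or from the forum's own tools), here is a small offline triage script that reads the O4 autostart and O23 service lines of a HijackThis log such as the one pasted above and flags the entries a responder would check first. The sample input is a handful of lines copied from the log above. The heuristics are assumptions for ordering the work, not verdicts: a bare filename with no path (the file still has to be located on disk), a value under RunServices on an NT platform (XP does not process that key, but malware written for both the Win9x and NT families sets it anyway), the same command registered under both Run and RunServices, and a service whose owner HijackThis could not identify and whose binary is not under Program Files. That last rule also flags legitimate drivers like the ATI hotkey poller, so treat hits as a to-check list.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted above (platform line, O4 autostart entries, O23 services).
SAMPLE_LOG = r"""
Platform: Windows XP SP2 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Time Manager] TimeManager.exe
O4 - HKLM\..\RunServices: [Time Manager] TimeManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iTunes MusicService - Unknown owner - C:\WINDOWS\usbbay.exe
"""

# HijackThis line shapes this script understands (other sections are ignored).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


@dataclass
class Finding:
    line: str      # the log line (or executable name) the finding refers to
    reason: str    # why a responder should look at it


def exe_from_command(command: str) -> str:
    """Return the program part of a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else command


def triage(log_text: str) -> list[Finding]:
    """Flag autostart entries and services worth checking first.
    Heuristics only: hits are a to-check list, not a malware verdict."""
    findings: list[Finding] = []
    is_nt = re.search(r"^Platform: .*WinNT", log_text, re.M) is not None
    keys_by_exe: dict[str, set[str]] = {}   # lower-cased exe -> Run keys it appears under

    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, command = m.groups()
            exe = exe_from_command(command)
            keys_by_exe.setdefault(exe.lower(), set()).add(key)
            if "\\" not in exe:
                # No directory: Windows resolves it through the PATH search order at
                # logon, so the log alone does not say which file actually runs.
                findings.append(Finding(line, "bare filename, locate the file on disk"))
            if key == "RunServices" and is_nt:
                # Win9x/Me honour RunServices; NT-family Windows (incl. XP) ignores it.
                # Malware written for both families commonly sets it anyway.
                findings.append(Finding(line, "RunServices value on an NT platform"))
            continue
        m = O23_RE.match(line)
        if m:
            _display, owner, path = m.groups()
            if owner.lower() == "unknown owner" and not re.match(r"^C:\\Program Files\\", path, re.I):
                # Unidentified publisher and a binary living outside Program Files.
                # Legitimate drivers trip this too, so verify the file rather than delete it.
                findings.append(Finding(line, "unidentified service binary outside Program Files"))

    # Same command registered under both Run and RunServices: a dual-family
    # persistence pattern that ordinary software rarely uses.
    for exe, keys in keys_by_exe.items():
        if {"Run", "RunServices"} <= keys:
            findings.append(Finding(exe, "same command under Run and RunServices"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:52} {f.line}")
```

    To run it over a full log, call triage() on the file's contents instead of SAMPLE_LOG. On the sample above, TimeManager.exe collects every O4 flag (bare name, RunServices on XP, present under both keys), Ati2mdxx.exe gets only the bare-name flag, the fully qualified Java, Real and ctfmon entries are silent, and the "Unknown owner" service in C:\WINDOWS is listed for verification.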
     
  2. rogvalcox

    rogvalcox MajorGeek

    Do not post HJT logs inline; someone will tell you when the log file is needed, then you post it as an attachment!!!!

    You have a spyware/virus issue, it looks like!! You need to bounce over to the "Spyware Specific" forum...those guys are scary smart!!

    But...I STRONGLY encourage you to read and follow the below thread word for word, and don't skip anything...then ask for help from the spyware forum...otherwise they will tell you the same thing I just told you!! Unfortunately the instructions are lengthy and time consuming...but 9 times out of ten, it resolves MANY problems without them having to repeat themselves NUMEROUS times!!

    Here is the thread...

    http://forums.majorgeeks.com/showthread.php?t=35407

    By the way...I was trying to sound rude or like you were in trouble, so I apologize ahead of time if that is the way you took it!!!!

    AND......Welcome to Major Geeks
     
  3. Cook_1

    Cook_1 Private E-2

    Thanks, I just posted it because this is the third forum I've gone to. In the other ones they requested it, so I thought I'd just kill time.

    Thus far I've been told to do things that won't open because of it. If it was my PC I'd just do a clean sweep of the HD and do a fresh install of Windows.
     
  4. rogvalcox

    rogvalcox MajorGeek

    No problem, I understand where you are coming from!!!

    I still recommend that you follow the instructions in the thread I gave you to the best of your ability!! Then ask for help in the spyware forum!!

    Otherwise...they will tell you the EXACT same thing I told you...which will be to read that thread first and then ask for help if you are still in the same situation, after following those instructions!!!!

    If you do encounter some things that don't work right...take note of them and when you do finally ask for help...then also explain the things you had trouble with!! This way you can say you've already done everything you were told to do and they can help you onto the next step!!

    Good Luck
    Roger
     
