Author Topic: This computer is sick questolo  (Read 1332 times)

Offline Mr Bell

  • Sr. Member
  • ****
  • Posts: 300
  • Karma: +0/-0
    • View Profile
This computer is sick questolo
« on: January 28, 2007, 05:25:59 PM »
How have you been and hope all is well.
This is my daughter's laptop and it's very sick. I also can't remove EZ Trust from Add and Remove Programs. I had to start in safe mode before just to clean up enough to get Windows to boot up in regular mode.

Logfile of HijackThis v1.99.1
Scan saved at 5:17:17 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Documents and Settings\Matt Erjavec\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [mzqi] C:\Program Files\Common Files\mzqi\mzqim.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirXpert Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Offline Mr Bell
« Reply #1 on: January 29, 2007, 05:03:49 PM »
BUMP.

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:21:41 AM 1/29/2007

+ Scan result:



C:\Program Files\Common Files\system32.dll/Catcher.dll -> Adware.Maxifiles : Error during cleaning.
C:\Program Files\Common Files\system32.dll/cwebpage.dll -> Adware.Maxifiles : Error during cleaning.
C:\Documents and Settings\Matt Erjavec\Cookies\matt_erjavec@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Matt Erjavec\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Matt Erjavec\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Matt Erjavec\Cookies\matt_erjavec@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Matt Erjavec\Cookies\matt_erjavec@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Matt Erjavec\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
This computer is sick questolo
« Reply #2 on: January 29, 2007, 11:01:10 PM »
Sorry for the delay, I've been terribly busy with personal things

Can you do the following for me
Please Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Afterwards
Download this file - Combofix.exe and save it to the desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from Combofix

In addition, please post a fresh hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Mr Bell
« Reply #3 on: January 30, 2007, 12:40:24 AM »
Ok, before I get started on that: I can't find the Microsoft AntiSpyware program. I have Spybot Search and Destroy, Ewido, and I downloaded Windows Defender before. They both quarantined catch.dll.

Of course the trojan is not removed; however, the Microsoft AntiSpyware program isn't here. Not my computer, it's my daughter's. I did a search and it says it's in My Documents, but I can't see it there at all.

Offline guestolo
« Reply #4 on: January 30, 2007, 12:46:37 AM »
The first hijackthis log you posted showed you definitely had Microsoft Antispyware installed. Have you uninstalled it and installed Windows Defender now?

If you're sure MAS is removed and you now have Windows Defender,
Do the following instead
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Run Combofix and post the logs!
I won't be online much longer tonight, hope to see the logs, or I'll have to catch up to you tomorrow
« Last Edit: January 30, 2007, 12:47:09 AM by guestolo »



Offline Mr Bell
« Reply #5 on: January 30, 2007, 01:08:01 AM »
[quote name='guestolo' post='280258' date='Jan 29 2007, 11:46 PM']The first hijackthis log you posted showed you definitely had Microsoft Antispyware installed. Have you uninstalled it and installed Windows Defender now?

If you're sure MAS is removed and you now have Windows Defender,
Do the following instead
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Run Combofix and post the logs!
I won't be online much longer tonight, hope to see the logs, or I'll have to catch up to you tomorrow[/quote]

"Matt Erjavec" - 07-01-30  0:58:16    Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Matt Erjavec\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\download
C:\Program Files\Common Files\windows
C:\Program Files\Cas
C:\Program Files\DNS
C:\Program Files\Ipwins
C:\Program Files\ipwins


(((((((((((((((((((((((((((((((   Files Created from 2006-12-30 to 2007-01-30  ))))))))))))))))))))))))))))))))))
 
 
2007-01-30 00:47   <DIR>   d--------   C:\WINDOWS\pss
2007-01-29 10:56   <DIR>   d--------   C:\Program Files\Windows Defender
2007-01-29 10:52   <DIR>   d--------   C:\WINDOWS\LastGood
2007-01-29 07:24   <DIR>   d--------   C:\DOCUME~1\Guest\Application Data\AVG7
2007-01-28 20:54   <DIR>   d--------   C:\DOCUME~1\MATTER~1\Application Data\acccore
2007-01-28 20:53   <DIR>   d--------   C:\Program Files\Common Files\Nullsoft
2007-01-28 20:53   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2007-01-28 20:52   <DIR>   d--------   C:\Program Files\Common Files\aolshare
2007-01-28 20:52   <DIR>   d--------   C:\Program Files\AIM6
2007-01-28 20:51   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\Application Data\AOL Downloads
2007-01-28 19:36   <DIR>   d--------   C:\DOCUME~1\MATTER~1\Application Data\AVG7
2007-01-28 19:35   816,672   --a------   C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-28 19:35   4,960   --a------   C:\WINDOWS\system32\drivers\avgtdi.sys
2007-01-28 19:35   4,224   --a------   C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-28 19:35   3,968   --a------   C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-28 19:35   28,416   --a------   C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-28 19:35   18,240   --a------   C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-28 19:35   <DIR>   d--------   C:\Program Files\Grisoft
2007-01-28 19:35   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-28 19:35   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-28 19:35   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-01-24 23:19   <DIR>   d--------   C:\Program Files\MySpace
2007-01-24 23:19   <DIR>   d--------   C:\DOCUME~1\MATTER~1\Application Data\MySpace
2007-01-19 09:30   <DIR>   d--------   C:\DOCUME~1\Patrick\Application Data\CyberLink
2007-01-12 17:06   <DIR>   d--------   C:\WINDOWS\ie7updates


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-29 10:55   --------   d--------   C:\Program Files\microsoft antispyware
2007-01-29 09:12   --------   d--------   C:\Program Files\aim
2007-01-28 21:17   --------   d--------   C:\Program Files\java
2007-01-28 20:53   --------   d--------   C:\Program Files\Common Files\aol
2007-01-28 20:51   --------   d--------   C:\DOCUME~1\MATTER~1\Application Data\mozilla
2007-01-28 19:33   --------   d---s----   C:\DOCUME~1\MATTER~1\Application Data\microsoft
2007-01-28 15:16   --------   d--------   C:\Program Files\mozilla firefox
2006-12-07 17:02   2174976   --a------   C:\WINDOWS\system32\wmvcore.dll
2006-11-08 00:06   679424   --a------   C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03   6049280   ---------   C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03   50688   ---------   C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03   458752   ---------   C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03   413696   --a------   C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03   231424   --a------   C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03   180736   ---------   C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03   156160   --a------   C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27   382976   --a------   C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27   229376   --a------   C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26   71680   --a------   C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26   55296   --a------   C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26   54784   --a------   C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26   43008   --a------   C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26   152064   --a------   C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26   13312   --a------   C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26   123904   --a------   C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25   161792   --a------   C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14   1245696   --a------   C:\WINDOWS\system32\msxml4.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"mzqi"="C:\\Program Files\\Common Files\\mzqi\\mzqim.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"exp"="C:\\WINDOWS\\System32\\exp"
"Dinst"="C:\\WINDOWS\\dinst.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1138158998\\ee\\AOLHostManager.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"gwtoqaqf.exe"="C:\\WINDOWS\\system\\gwtoqaqf.exe"
"upgrade.exe"="C:\\WINDOWS\\system\\\\upgrade.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService   REG_MULTI_SZ      AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV
NetworkService   REG_MULTI_SZ      DnsCache
rpcss   REG_MULTI_SZ      RpcSs
imgsvc   REG_MULTI_SZ      StiSvc
termsvcs   REG_MULTI_SZ      TermService
HTTPFilter   REG_MULTI_SZ      HTTPFilter
DcomLaunch   REG_MULTI_SZ      DcomLaunchTermService

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_WINDEFEND


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Matt Erjavec.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-30  0:59:41

Offline Mr Bell
« Reply #6 on: January 30, 2007, 01:23:16 AM »
Logfile of HijackThis v1.99.1
Scan saved at 1:18:19 AM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Erjavec\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [mzqi] C:\Program Files\Common Files\mzqi\mzqim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Weather.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirXpert Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Offline Mr Bell
« Reply #7 on: January 30, 2007, 08:39:19 AM »
Well, I see Microsoft Antispyware is still in here. But when I go to Programs to look for it, it's not there. The only way I found anything on it was in SEARCH. Question: can I delete all the folders from there on it to remove it?

Offline guestolo
« Reply #8 on: January 30, 2007, 08:51:43 AM »
Look in this folder for an uninstaller
C:\Program Files\microsoft antispyware

Can you find and delete the following files if they exist
C:\WINDOWS\System32\exp <-file
C:\WINDOWS\dinst.exe <-file
C:\WINDOWS\system\gwtoqaqf.exe <-file
C:\WINDOWS\system\upgrade.exe <-file
And this folder
C:\Program Files\Common Files\mzqi <-folder

If Microsoft Antispyware is no longer installed
You can delete this folder
C:\Program Files\microsoft antispyware

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 
Code:
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"mzqi"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"exp"=-
"Dinst"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"gwtoqaqf.exe"=-
"upgrade.exe"=-


Close down all open windows, including this one
Double click on fix.reg and allow to add/merge to the registry at the prompt
Reboot the computer

These sections of the Combofix log let me know you have disabled entries on startup.
Mr. Bell, you know I prefer to see everything running on startup, why is it you always have entries disabled :(

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1138158998\\ee\\AOLHostManager.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

Is EZ AntiVirus still installed?
Is Norton Antivirus still installed?

Post a fresh hijackthis log and let me know how things are running
« Last Edit: January 30, 2007, 08:52:49 AM by guestolo »



Offline Mr Bell
« Reply #9 on: January 30, 2007, 09:58:01 AM »
This is my daughter's laptop. I didn't disable a thing on this go around :) But later, after we take care of this mess, I would like to know what I can disable on my computer. When I'm gaming, my CPU usage is using a lot of resources and I feel it interferes with my gaming, but maybe I'm wrong. Feel free to tell me if I am.

Anyway here is the new hijackthis log. I went in and ticked everything ON:)

Logfile of HijackThis v1.99.1
Scan saved at 9:50:01 AM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Matt Erjavec\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Weather.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirXpert Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

As far as I can tell I deleted EZ Antivirus yesterday since it was out of date anyway, and although there were some folders for Norton's, it is no longer active on this computer.
« Last Edit: January 30, 2007, 10:02:07 AM by Mr Bell »

Offline guestolo

This computer is sick questolo
« Reply #10 on: January 30, 2007, 10:38:04 AM »
Do you know what version of Norton's you had installed?

Also, if Viewpoint Manager is in Add/Remove Programs I would uninstall it.
You may have more than one entry; it gets installed unknowingly most of the time with AOL.


Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


After you have ticked the above entries, close all other open windows,
including this one.
Leave Hijackthis open and click FIX CHECKED.
OK the prompt and exit Hijackthis.

Reboot the computer
If EZ Antivirus is uninstalled, you can delete this folder if found
C:\Program Files\CA

Post a fresh log

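The "Fix checked" step above is a judgement call made by reading O4 autostart lines one at a time. As an added example that is not part of this thread and not HijackThis code, the following Python script parses HijackThis v1.99.1 log lines (the sample lines are copied from the logs quoted in this thread) into structured entries and attaches triage flags a defender would want: Run values whose unquoted path contains spaces, bare filenames resolved through the PATH search, binaries living under a user-writable profile folder, orphaned "(file missing)" entries, and entries that match the helper's fix list. The flag names, the `FIX_LIST` contents and the `USER_WRITABLE_MARKERS` list are this example's own assumptions, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99.1 line format. The lines are copied from
# the logs quoted in this thread; nothing here was generated by running HijackThis.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
"""

# Entries the helper in this thread asked to be fixed with "Fix checked" (assumed list).
FIX_LIST = frozenset({'CaAvTray', 'CAVRID', 'ViewMgr'})

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'\.exe\b', re.IGNORECASE)
MISSING = ' (file missing)'
# Path fragments that mean the binary lives somewhere an ordinary user can write to (assumed list).
USER_WRITABLE_MARKERS = ('\\documents and settings\\', '\\desktop\\', '\\temp\\', '\\local settings\\')


@dataclass
class Entry:
    section: str                      # O2, O4, O9, O23, ...
    name: str                         # Run value name, BHO/button name, or service display name
    exe: str                          # executable/DLL path as written in the log
    extra: str = ''                   # command-line args (O4) or vendor string (O23)
    flags: list = field(default_factory=list)
    raw: str = ''


def split_command(cmd):
    """Split a Run-value command line into (exe, args, was_quoted).

    Unquoted paths are cut after the first ".exe" token, which is the only
    unambiguous boundary the log gives us for paths containing spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip(), True
    m = EXE_RE.search(cmd)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip(), False
    return cmd, '', False


def parse_line(line, fix_list=FIX_LIST):
    """Parse one HijackThis line into an Entry with triage flags, or None for
    sections this example does not handle."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        exe, args, quoted = split_command(m.group('cmd'))
        entry = Entry('O4', m.group('name'), exe, args, raw=line)
        if not quoted and ' ' in exe:
            entry.flags.append('unquoted_path_with_spaces')
        if '\\' not in exe:
            entry.flags.append('bare_filename')   # resolved through the PATH search order
    elif line.startswith('O23 - Service: '):
        head, _, path = line[len('O23 - Service: '):].rpartition(' - ')
        display, _, vendor = head.partition(' - ')
        entry = Entry('O23', display, path, vendor, raw=line)
    elif line.startswith(('O2 - ', 'O9 - ')):
        section = line.split(' - ', 1)[0]
        name = line.split(': ', 1)[1].split(' - ', 1)[0]
        path = line.rpartition(' - ')[2]
        entry = Entry(section, name, path, raw=line)
    else:
        return None
    if entry.exe.endswith(MISSING):
        entry.exe = entry.exe[:-len(MISSING)]
        entry.flags.append('file_missing')   # orphaned autostart: registry debris, nothing to run
    if any(marker in entry.exe.lower() for marker in USER_WRITABLE_MARKERS):
        entry.flags.append('user_writable_location')
    if entry.name in fix_list:
        entry.flags.append('listed_for_fix')
    return entry


def triage(log_text, fix_list=FIX_LIST):
    """Return the parsed entries of a log, in order, skipping unhandled sections."""
    entries = [parse_line(ln, fix_list) for ln in log_text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def report(entries):
    """One line per entry; flagged entries are the ones worth a second look."""
    return ['%-4s %-32s %s %s' % (e.section, e.name, e.exe,
                                  ('[' + ', '.join(e.flags) + ']') if e.flags else '')
            for e in entries]


if __name__ == '__main__':
    for row in report(triage(SAMPLE_LOG)):
        print(row)
```

Run it as-is to see the flagged rows for the sample, or feed it a whole saved log via `triage(open(path).read())`. The flags are hints for a reviewer, not verdicts: REGSHAVE is flagged only because its path is unquoted, and the ewido guard is flagged because it runs from the Desktop, which is exactly where the thread's helper had the user unpack it.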


Offline Mr Bell

This computer is sick questolo
« Reply #11 on: January 30, 2007, 11:43:50 AM »
I deleted all AOL except AOL Explorer.


Logfile of HijackThis v1.99.1
Scan saved at 11:25:03 AM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Matt Erjavec\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Weather.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirXpert Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Offline Mr Bell

This computer is sick questolo
« Reply #12 on: January 30, 2007, 12:07:10 PM »
And what is this:

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

Offline guestolo

This computer is sick questolo
« Reply #13 on: January 30, 2007, 02:07:52 PM »
Quote
And what is this:

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

taken from a startup site
Quote
Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly
Quote
I deleted all AOL except AOL Explorer.
AIM itself isn't bad if she uses it?

What about this question, Mr. Bell?
Quote
Do you know what version of Norton's you had installed?



Offline Mr Bell

This computer is sick questolo
« Reply #14 on: January 30, 2007, 03:52:00 PM »
We do not know what version of Norton's. This computer was given to her by a friend like two years ago. My guess is it was just an antivirus scan (not SystemWorks). And she doesn't use AIM.

Firefox still won't execute at all. An error message to Microsoft comes up every time.

That's the one she uses, because she said IE won't let her on myspace.com.


And she is right. IE will not let us sign on to myspace. It just returns to the login page every time.
« Last Edit: January 30, 2007, 03:56:00 PM by Mr Bell »

Offline guestolo

This computer is sick questolo
« Reply #15 on: January 30, 2007, 04:09:38 PM »
Quote
Firefox still won't execute at all. An error message to Microsoft comes up every time.
I never knew that was a problem

I see this in your combofix log
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Matt Erjavec.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

It appears Norton's didn't uninstall properly and there are still remnants.
For now, can you go to START>>Programs>>Accessories>>System tools>>Scheduled tasks,
right-click each of those scheduled tasks, uncheck the Enabled box and apply it.

I can't link to the manual uninstall of older Norton AV products at the moment; the site was busy.
I'll try later.

Can you try the following
Ensure that firefox is closed
Open task manager and make sure firefox.exe isn't running, if it is, end process on it
Go to Start>>Run>>Copy and paste this into the open field (in bold below)

firefox -safe-mode

Hit OK
Continue in safe mode if prompted

Does firefox startup?



Offline guestolo

This computer is sick questolo
« Reply #16 on: January 30, 2007, 04:17:27 PM »
Here's the links to uninstall utilities for Norton AV products
I'm not sure which steps you should follow, but you may have to do all to ensure it is completely gone
How to uninstall Norton AntiVirus 2004/2005/2006 (note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)
How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition
How to uninstall Norton AntiVirus 2000/2001/2002



Offline Mr Bell

This computer is sick questolo
« Reply #17 on: January 30, 2007, 05:12:03 PM »
First removal tool did the trick I think. Did the 2nd one also. Not the third.

Firefox will not load into safe mode at all. Should I just remove it and re-download it?

And how do I take this Matt Erjavec off this computer?
« Last Edit: January 30, 2007, 06:04:37 PM by Mr Bell »

Offline guestolo

This computer is sick questolo
« Reply #18 on: January 30, 2007, 06:09:28 PM »
You may want to try a clean install of firefox

These steps may help
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck Hide extensions for known file types.
    * Click Yes to confirm.
    * Click OK.

Navigate to the following folder
C:\Documents and Settings\Matt Erjavec\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default

Find bookmarks.html
Copy>>paste it to the desktop
Uninstall Firefox from add/remove programs

Reboot the computer
Delete the following folders
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox <-folder
C:\Documents and Settings\Matt Erjavec\Application Data\Mozilla\Firefox <-folder
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox <-folder
C:\Documents and Settings\Matt Erjavec\Local Settings\Application Data\Mozilla\Firefox <-folder
C:\Documents and Settings\<any other profile>\Application Data\Mozilla\Firefox <-folder
C:\Documents and Settings\<any other profile>\Local Settings\Application Data\Mozilla\Firefox <-folder
C:\Program Files\Mozilla Firefox <-folder

Afterwards, go here and get the latest version of Firefox
http://www.mozilla.com/en-US/firefox/

While installing, you can import bookmarks from the file on the desktop (bookmarks.html) you saved earlier

Do you have any other users on this computer?
« Last Edit: January 30, 2007, 06:16:52 PM by guestolo »



Offline Mr Bell

This computer is sick questolo
« Reply #19 on: January 30, 2007, 08:32:12 PM »
For some reason when I deleted Firefox it deleted my daughter off as a user. I had to do a system restore. Today I made a restore point at 1:45. Her status as a user was restored. I thought I lost everything on her and was in deep doo doo:)

Then I deleted Firefox again (Add and Remove). The only other folder I found was C:\Program Files\Mozilla Firefox <-folder

So back to deleting Matt and making sure Alex is reset as an administrator. Be right back after I re-download Firefox.

? bookmarks.html on the desktop ?
« Last Edit: January 30, 2007, 08:36:22 PM by Mr Bell »