Virus Help!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rinkside7

Thread Starter
Joined
Jan 15, 2004
Messages
59
Have run all the antivirus programs around...stubby c is embedded..could someone tell my how to send a hijackthis file for one of the pros to review...thanks for any help!! Trish
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Click here to download Hijack This: http://thespykiller.co.uk/files/hijackthis_sfx.exe

Let it extract to C:\Program Files

Close out any open browsers
Launch the program
Hit "do a system scan only"
When that finishes, hit "save log"
The log will open in Notepad
Copy & paste that log into this thread

Do not fix anything yet
 

rinkside7

Thread Starter
Joined
Jan 15, 2004
Messages
59
Logfile of HijackThis v1.99.1
Scan saved at 4:33:01 PM, on 7/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/sea
rch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/");
(C:\WINDOWS\Application Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csear
chplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application
Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-
17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -
C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE
/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC]
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR]
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -
atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program
Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [VetAlert]
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVRID.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711]
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\ISafe.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE
DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online
7.0c\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-
000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xsca
n53.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class)
- http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime
Environment 1.4.1_02) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-
Spyware Scanner) -
http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
83,263
You've got Grisoft AVG and ETrust EZ Antivirus both installed and running at the same time, which is not good. You need to use one or the other and not both.

My advice would be to continue using ETrust EZ Antivirus and either uninstall or disable Grisoft AVG. You can disable AVG(if you choose not to uninstall it) by going into the startup list and unchecking all the listings that start with "avg".

----------------------------------------------------------------

Click Start - Run, type in SYSEDIT, then click OK. Bring the WIN.INI file to the front. At the top of the file in the [windows] section, you will see "load=" and "run=" entries. Type a semi-colon in front of them so they look like

;load=
;run=


then click File - Save - File - Exit.

This will prevent Windows from reading these commands during startup.

----------------------------------------------------------------

Click Start - Run, type in MSCONFIG, then click OK - Startup(tab). Remove the checkmark from 891711.exe, click Apply - OK, then reboot.

This is a Windows critical update that has given a lot of people a problem, so the recommended advice is to disable it in the startup list and prevent it from running in the background.

----------------------------------------------------------------

After you've done the above, run another scan and post a new log.

I'm not an expert with these logs, so someone else with more experience will likely jump in and assist you.

----------------------------------------------------------------
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Flav is correct about the 2 anti-virus programs running.

What location is the infection being found?
 

rinkside7

Thread Starter
Joined
Jan 15, 2004
Messages
59
ok...seems like virus is gone....I deleted the avg files, so now I just have EZ Trust running...but apparently when I deleted avg..I screwed up the registry...just spent 20 minutes trying to open windows... a file that windows needed to operate was deleted (by me!!!)....used boot disk and cd & windows started...will I have this problem when I restart again?

Logfile of HijackThis v1.99.1
Scan saved at 9:52:18 AM, on 7/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ
ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/sea
rch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/");
(C:\WINDOWS\Application Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csear
chplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application
Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-
17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -
C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -
atboottime
O4 - HKLM\..\Run: [VetAlert]
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVRID.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\ISafe.exe
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online
7.0c\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-
000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xsca
n53.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class)
- http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime
Environment 1.4.1_02) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-
Spyware Scanner) -
http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
 

rinkside7

Thread Starter
Joined
Jan 15, 2004
Messages
59
Forgot to mention that I did disable the windows update from startup utility....
thanks for all the help!!
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
83,263
Unchecking the "avg" entries in the MSCONFIG "Startup" tab or uninstalling Grisoft AVG would not have screwed up the registry, so I don't know what you did.

What do you mean by "when I deleted avg"?

----------------------------------------------------------------
 

rinkside7

Thread Starter
Joined
Jan 15, 2004
Messages
59
I uninstalled the program from add/remove programs....I probably did a stupid thing though....there was an option for removing everything from "vault" I wasn't sure, but went ahead and checked that....maybe that did something...I am going to go ahead and try restarting my computer...should I make any changes in that Hijack this file???...If you don't hear from me again soon....I am lost in "computer hell"....thanks...Trish
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
83,263
If you're uninstalling AVG, you want to get rid of everything that's associated with it, so removing everything from vault was okay.

---------------------------------------------------------------

Before you post a new log here, select the "Word Wrap" option in Notepad so it'll copy-and-paste the log here correctly.

---------------------------------------------------------------

Open the WIN.INI file, then type in a semi-colon in front of the "load" and "run" entries under the [windows] heading so they'll look like this:

;load=
;run=


Click File - Save - File - Exit afterwards, then reboot. Do that before you post a new log.

----------------------------------------------------------------

We need to get the startup list trimmed down of unnecessary running programs.

----------------------------------------------------------------
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
83,263
Click Start - Run, type in SYSEDIT, then click OK.

or

Click Start - Find - Files And Folders, select the C: drive to look in, type in WIN.INI, then click Find Now.

Typing a semi-colon in front of a command in this file prevents Windows from reading it during startup.

----------------------------------------------------------------
 

rinkside7

Thread Starter
Joined
Jan 15, 2004
Messages
59
Hope this is correct...when I typed in sysedit.....4 or 5 boxes popped up on top of each other....I made the changes...but don't think it saved properly....and I hope the highjack this file is ok....i saved it from word.....

Logfile of HijackThis v1.99.1
Scan saved at 3:17:22 PM, on 7/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\GOTOMYPC.EXE
C:\WINDOWS\TEMP\G2_314\G2VIEWER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0c\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
83,263
I forgot to tell you that 4 - 5 files will appear, so you have to bring the selected one to the front to edit it. Anyway, the

F1 - win.ini: run=hpfsched

entry is gone from the log, so you apparently did it right.

---------------------------------------------------------------

Let's get the startup list trimmed down. Click Start - Run, type in MSCONFIG, then click OK - Startup(tab). Remove the checkmark from:

loadpowerprofile(both entries)

qttask.exe

findfast.exe

osa.exe


While you're there, make sure there is a checkmark in:

ScanRegistry

because it's one of the required one that needs to run in the background, and I don't see it in the startup list.

Once you're done, click Apply - OK, but don't reboot yet.

Click Start - Find - Files And Folders, select the C: drive to look in, type in Qttask.exe, then click Find Now. When the Qttask.exe file appears, right-click it, then click Delete - Yes.

Now you can reboot.

---------------------------------------------------------------

Post a new log after you're done.

---------------------------------------------------------------
 

rinkside7

Thread Starter
Joined
Jan 15, 2004
Messages
59
OK...here goes....and btw...thanks for hanging with me to get this resolved....

Logfile of HijackThis v1.99.1
Scan saved at 3:38:43 PM, on 7/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\WINDOWS\Application
Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"
); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rc2tpnb9.slt\prefs.js)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} -
C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -
C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0c\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM
FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM
FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -
http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top