http://www.hijackthis.de/logfiles/16...0c70ef377.html
This should be link to logfile
Norton antivirus and internet security was removed from laptop after 60 day trial. Etrust by Computer Associates is on it.
Edited by imidazol97 (07.09.2006 at 15:58). Reason: Spelling error
Welcome to HijackThis.eu @ imidazol97
You may want to post your HijackThis Logs in future, please.
Make sure you set windows to see the hidden files and folders.
- Please download filelist.zip to your desktop.
- Unzip this file to your desktop (free Zip-Tools)
- Restart your system
- Double-click filelist.bat to run it
- Your editor program will open
- Highlight the content, choose copy, and paste it into your next post
- Please note: we only need the last 30 days of every directory of this file
- Many Thanks to our Moderator Karl83 for creating this new tool.
- Directory of C:\
- Directory of C:\WINDOWS\system32
- Directory of C:\WINDOWS
- Directory of C:\WINDOWS\Prefetch
- Directory of C:\WINDOWS\tasks
- Directory of C:\WINDOWS\Temp
- Directory of C:\DOCUME~1\Name\LOCALS~1\Temp
The HiJack This in my first post was in the link, I thought.
Do I need to do another one and post the whole text of HiJackThis?
Below is the Filelist.bat output file. Very good instructions; very easy to use. Thanks.
----- Root -----------------------------
Volume in drive C has no label.
Volume Serial Number is 60D3-F817
Directory of C:\
09/09/2006 09:45 AM 43 filelist.txt
09/09/2006 09:41 AM 882 hpqp.ini
09/09/2006 07:48 AM 39 XP_TV.ini
09/09/2006 07:38 AM 2,145,636,352 hiberfil.sys
09/09/2006 07:38 AM 2,145,386,496 pagefile.sys
08/16/2006 02:12 PM 6,520 caisslog.txt
08/16/2006 12:52 PM 7,953 caavsetup.log
19 File(s) 4,291,340,969 bytes
0 Dir(s) 79,006,953,472 bytes free
----- System ---------------------------
Volume in drive C has no label.
Volume Serial Number is 60D3-F817
Directory of C:\WINDOWS\system32
09/09/2006 07:48 AM 1,158 wpa.dbl
09/09/2006 07:38 AM 48,882 vsconfig.xml
09/03/2006 05:54 PM 2,550 Uninstall.ico
09/03/2006 05:54 PM 1,406 Help.ico
09/03/2006 05:54 PM 30,590 pavas.ico
08/16/2006 12:52 PM 75,280 VetRedir.dll
08/09/2006 03:03 PM 8,325,544 MRT.exe
2067 File(s) 396,207,804 bytes
0 Dir(s) 79,006,826,496 bytes free
----- Prefetch -------------------------
Volume in drive C has no label.
Volume Serial Number is 60D3-F817
Directory of C:\WINDOWS\Prefetch
09/09/2006 09:45 AM 11,082 FIND.EXE-0EC32F1E.pf
09/09/2006 09:45 AM 11,936 CMD.EXE-087B4001.pf
09/09/2006 09:44 AM 15,188 VERCLSID.EXE-3667BD89.pf
09/09/2006 09:41 AM 49,740 LOGONUI.EXE-0AF22957.pf
09/09/2006 09:41 AM 14,082 HPQWA_UI.EXE-0D19E353.pf
09/09/2006 08:03 AM 40,170 UPDCLIENT.EXE-215FC96B.pf
09/09/2006 07:49 AM 72,546 AUTODOWN.EXE-2542C21C.pf
09/09/2006 07:49 AM 96,192 IEXPLORE.EXE-27122324.pf
09/09/2006 07:48 AM 28,912 RUNDLL32.EXE-12D665D9.pf
09/09/2006 07:48 AM 105,918 HPQIMZONE.EXE-038F0838.pf
09/09/2006 07:48 AM 15,956 HPQTOA~1.EXE-39311BAA.pf
09/09/2006 07:48 AM 22,316 BTSTAC~1.EXE-2BF86A68.pf
09/09/2006 07:48 AM 75,794 EHREC.EXE-3B4F59C8.pf
09/09/2006 07:48 AM 13,086 REGEDIT.EXE-1B606482.pf
09/09/2006 07:48 AM 45,174 HPQTHB08.EXE-060DCF16.pf
09/09/2006 07:48 AM 2,860 BTTRAY.EXE-02B509CD.pf
09/09/2006 07:48 AM 8,362 HPWUSCHD2.EXE-02F6D2DD.pf
09/09/2006 07:48 AM 17,516 ATIPTAXX.EXE-18FE8D8B.pf
09/09/2006 07:48 AM 80,738 EXPLORER.EXE-082F38A9.pf
09/09/2006 07:48 AM 29,756 WMIPRVSE.EXE-28F301A9.pf
09/09/2006 07:48 AM 21,104 USERINIT.EXE-30B18140.pf
09/09/2006 07:48 AM 19,610 ATI2EVXX.EXE-19D16EB9.pf
09/09/2006 07:48 AM 31,798 WGATRAY.EXE-0ED38BED.pf
09/09/2006 07:40 AM 813,444 NTOSBOOT-B00DFAAD.pf
09/08/2006 08:53 PM 10,116 EHMSAS.EXE-181DA6C9.pf
09/08/2006 08:53 PM 13,734 INSTALL.DLL-1C3EBFA1.pf
09/08/2006 08:53 PM 13,874 SYNTPENH.EXE-315D3ABC.pf
09/08/2006 08:53 PM 8,838 JUSCHED.EXE-2ABC3D1B.pf
09/08/2006 02:26 PM 45,152 WUAUCLT.EXE-399A8E72.pf
09/08/2006 02:26 PM 26,022 IMAPI.EXE-0BF740A4.pf
09/08/2006 12:10 PM 334,676 Layout.ini
09/08/2006 06:49 AM 64,776 MPAS-D.EXE-2F969366.pf
09/08/2006 06:49 AM 14,038 MPSIGSTUB.EXE-1375F3BC.pf
09/08/2006 06:46 AM 9,108 CAFIX.EXE-0CD74A73.pf
09/08/2006 06:46 AM 7,668 VETMSG.EXE-37B5ACF0.pf
09/08/2006 06:46 AM 8,684 WSCNTFY.EXE-1B24F5EB.pf
09/07/2006 10:12 PM 33,524 PPTVIEW.EXE-37E57088.pf
09/07/2006 10:10 PM 55,976 WMPLAYER.EXE-18DDEFA6.pf
09/07/2006 08:25 PM 74,214 GOOGLEEARTH.EXE-038E3B0E.pf
09/07/2006 05:07 PM 8,386 JASCUPDATE.EXE-031FF3BD.pf
09/07/2006 05:07 PM 72,534 PAINT SHOP PRO 9.EXE-2FA9821C.pf
09/07/2006 03:21 PM 18,092 SVCHOST.EXE-3530F672.pf
09/07/2006 03:16 PM 54,662 RUNDLL32.EXE-2CD85FD3.pf
09/07/2006 03:16 PM 15,422 DRWTSN32.EXE-2B4B52AC.pf
09/07/2006 03:16 PM 29,722 DWWIN.EXE-30875ADC.pf
09/07/2006 03:13 PM 9,510 GLB1A2B.EXE-1B18BAD7.pf
09/07/2006 03:13 PM 11,542 UNWISE.EXE-0CC8F2FE.pf
09/07/2006 03:13 PM 13,862 UNINSTALL.EXE-39A240EC.pf
09/07/2006 03:13 PM 15,144 UNWISE.EXE-25C0F8FB.pf
09/07/2006 03:13 PM 11,268 DIGSTREAM.EXE-030580CF.pf
09/07/2006 10:24 AM 14,106 NOTEPAD.EXE-336351A9.pf
09/07/2006 10:24 AM 68,476 HIJACKTHIS.EXE-0A6C201D.pf
09/07/2006 10:00 AM 23,798 MPCMDRUN.EXE-1F9D1CA1.pf
09/06/2006 09:22 PM 20,752 QPSERVICE.EXE-11ED45D5.pf
09/06/2006 09:22 PM 12,286 DUMPREP.EXE-1B46F901.pf
09/06/2006 09:22 PM 8,042 CPQSET.EXE-2B4136E6.pf
09/06/2006 07:02 PM 170,630 HELPSVC.EXE-2878DDA2.pf
09/06/2006 03:23 PM 15,648 HP WIRELESS ASSISTANT.EXE-16269BEA.pf
09/06/2006 03:23 PM 22,074 MSMSGS.EXE-2B6052DE.pf
09/06/2006 03:23 PM 31,912 ZLCLIENT.EXE-1C550EB2.pf
09/06/2006 03:23 PM 31,228 MSASCUI.EXE-08BEC8D8.pf
09/06/2006 03:23 PM 13,068 RECGUARD.EXE-3990548D.pf
09/06/2006 03:23 PM 25,032 EABSERVR.EXE-2CF8D629.pf
09/06/2006 01:50 PM 19,812 WORDPAD.EXE-24533991.pf
09/06/2006 07:55 AM 1,668 JUCHECK.EXE-197A10BB.pf
09/06/2006 07:55 AM 8,402 JAVA.EXE-2427EF62.pf
09/05/2006 07:08 PM 14,070 MPSIGSTUB.EXE-16ADBBF9.pf
09/05/2006 07:06 PM 16,076 ALG.EXE-0F138680.pf
09/05/2006 07:06 PM 24,048 DLLHOST.EXE-5353C76C.pf
09/05/2006 07:06 PM 13,108 MCRDSVC.EXE-0560ADD0.pf
09/05/2006 07:06 PM 15,142 HPQWMIEX.EXE-1982D280.pf
09/05/2006 05:51 PM 60,866 DFRGNTFS.EXE-269967DF.pf
09/05/2006 05:51 PM 15,102 DEFRAG.EXE-273F131E.pf
09/05/2006 11:49 AM 74,160 ACRORD32.EXE-20C463C1.pf
09/04/2006 05:08 PM 17,132 CAVTRAY.EXE-26688D6D.pf
09/04/2006 05:08 PM 6,906 ATIPRBXX.EXE-28AA41C0.pf
09/04/2006 12:33 PM 17,924 EHTRAY.EXE-02EFC9BD.pf
09/04/2006 12:07 PM 10,738 LOGON.SCR-151EFAEA.pf
09/03/2006 09:55 PM 31,268 NARRATOR.EXE-07D10D8F.pf
09/03/2006 09:55 PM 19,248 UTILMAN.EXE-0985F07B.pf
09/03/2006 05:55 PM 12,324 RUNONCE.EXE-2803F297.pf
09/03/2006 05:55 PM 13,300 REGSVR32.EXE-25EEFE2F.pf
09/03/2006 04:14 PM 26,880 HELPHOST.EXE-247D2792.pf
09/03/2006 04:14 PM 58,016 HELPCTR.EXE-3862B6F5.pf
09/03/2006 04:14 PM 5,132 IPAQDETECTION.EXE-10680EE7.pf
09/03/2006 03:44 PM 19,764 IPCONFIG.EXE-2395F30B.pf
09/03/2006 03:44 PM 11,344 PING.EXE-31216D26.pf
09/03/2006 03:41 PM 36,368 HH.EXE-2D1A70B3.pf
09/03/2006 03:38 PM 122,820 CLEANMGR.EXE-1F86EA8E.pf
09/02/2006 03:21 PM 12,646 RUNDLL32.EXE-17D8A516.pf
09/02/2006 01:01 PM 30,454 CLEANUP.EXE-1B0F5664.pf
09/01/2006 03:38 PM 80,522 SPYBOTSD.EXE-1344276B.pf
09/01/2006 03:29 PM 32,564 MMC.EXE-1EF9AA05.pf
09/01/2006 11:05 AM 13,226 CAISSDT.EXE-1931E921.pf
94 File(s) 3,921,906 bytes
0 Dir(s) 79,006,834,688 bytes free
----- Windows --------------------------
Volume in drive C has no label.
Volume Serial Number is 60D3-F817
Directory of C:\WINDOWS
09/09/2006 09:41 AM 5,932 ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt
09/09/2006 07:39 AM 0 0.log
09/09/2006 07:38 AM 2,082,361 WindowsUpdate.log
09/09/2006 07:38 AM 2,048 bootstat.dat
09/09/2006 07:12 AM 32,634 SchedLgU.Txt
09/08/2006 08:47 PM 204,055 setupapi.log
09/07/2006 10:20 PM 48 wiaservc.log
09/07/2006 10:20 PM 216 wiadebug.log
09/03/2006 05:55 PM 32 pavsig.txt
09/03/2006 03:38 PM 351,167 setupact.log
09/01/2006 08:57 AM 1,487,664 ntbtlog.txt
08/26/2006 11:34 AM 82,582 MedCtrOC.log
08/26/2006 11:34 AM 32,547 ehOCGen.log
08/26/2006 11:34 AM 116,618 ntdtcsetup.log
08/26/2006 11:34 AM 260,699 tsoc.log
08/26/2006 11:34 AM 28,040 tabletoc.log
08/26/2006 11:34 AM 659,450 iis6.log
08/26/2006 11:34 AM 1,374 imsins.log
08/26/2006 11:34 AM 30,840 ocmsn.log
08/26/2006 11:34 AM 193,310 comsetup.log
08/26/2006 11:34 AM 15,522 KB904942.log
08/26/2006 11:34 AM 111,254 netfxocm.log
08/26/2006 11:34 AM 276,930 ocgen.log
08/26/2006 11:34 AM 66,568 plusoc.log
08/26/2006 11:34 AM 28,013 msgsocm.log
08/26/2006 11:34 AM 548,158 FaxSetup.log
08/26/2006 11:34 AM 179,070 msmqinst.log
08/26/2006 11:34 AM 28,428 updspapi.log
08/26/2006 11:34 AM 1,374 imsins.BAK
08/26/2006 11:34 AM 9,473 KB896344.log
08/16/2006 12:52 PM 103,952 UnVet32.exe
08/16/2006 12:52 PM 112,144 AVShlExt.dll
08/16/2006 09:07 AM 231 SYSTEM.INI
08/13/2006 10:57 AM 1,977 medblker.Log
08/13/2006 10:57 AM 9,092 spupdsvc.log
08/13/2006 10:30 AM 7,486 KB919803.log
08/13/2006 10:30 AM 6,525 KB912024.log
08/12/2006 07:37 AM 15,821 KB920214.log
08/12/2006 07:37 AM 15,809 KB922616.log
08/12/2006 07:37 AM 16,205 KB921398.log
08/12/2006 07:37 AM 32,909 KB918899.log
08/12/2006 07:37 AM 12,088 KB920670.log
08/12/2006 07:36 AM 12,268 KB917422.log
08/12/2006 07:36 AM 15,224 KB920683.log
08/08/2006 06:54 PM 11,400 KB921883.log
08/08/2006 09:45 AM 29,407 wmsetup.log
08/04/2006 05:03 PM 206 wininit.ini
08/04/2006 05:00 PM 157 wininit.tmp
209 File(s) 41,702,115 bytes
0 Dir(s) 79,006,826,496 bytes free
----- Tasks ----------------------------
Volume in drive C has no label.
Volume Serial Number is 60D3-F817
Directory of C:\WINDOWS\tasks
09/09/2006 07:41 AM 330 MP Scheduled Scan.job
09/09/2006 07:38 AM 6 SA.DAT
08/10/2004 11:00 AM 65 desktop.ini
3 File(s) 401 bytes
0 Dir(s) 79,006,830,592 bytes free
----- Temp -----------------------------
Volume in drive C has no label.
Volume Serial Number is 60D3-F817
Directory of C:\DOCUME~1\Fred\LOCALS~1\Temp
09/09/2006 07:58 AM 38,656 jusched.log
09/09/2006 07:48 AM 16,384 ~DFC5A2.tmp
09/08/2006 03:18 PM 13,312 java_install_reg.log
09/08/2006 06:49 AM 63,114 MpSigStub.log
09/07/2006 10:12 PM 0 PPV4C.tmp
09/07/2006 10:11 PM 0 PPV4B.tmp
09/07/2006 10:11 PM 0 PPV4A.tmp
09/07/2006 10:10 PM 0 PPV49.tmp
09/07/2006 05:07 PM 3 Twain001.Mtx
09/06/2006 08:10 AM 939 jupdate1.5.0.xml
09/05/2006 06:13 PM 2,048,000 Acr11.tmp
09/05/2006 11:50 AM 0 AcrF.tmp
09/05/2006 11:49 AM 179 Acr3.tmp
09/05/2006 11:49 AM 426 Acr5.tmp
09/04/2006 07:50 PM 0 TWAIN.LOG
09/03/2006 04:15 PM 707,348 IMTC.xml
09/03/2006 04:15 PM 426 IMTB.xml
09/03/2006 04:15 PM 1,994 IMTA.xml
08/30/2006 02:48 PM 707,348 IMT11.xml
08/30/2006 02:48 PM 426 IMT10.xml
08/30/2006 02:48 PM 1,994 IMTF.xml
08/27/2006 09:17 PM 20,224 MPC2.tmp
08/23/2006 04:52 PM 5,505,024 nos36.tmp
08/23/2006 04:51 PM 416 nosget_start_HP.html
08/23/2006 04:45 PM 188 GTDown.log
08/23/2006 04:44 PM 7,814,144 sp33139.exe
08/22/2006 08:44 PM 707,348 IMT5.xml
08/22/2006 08:44 PM 426 IMT4.xml
08/22/2006 08:44 PM 1,994 IMT3.xml
08/21/2006 01:44 PM 3,786,007 SymNRT 8-21-2006 13h43m33s.log
08/16/2006 12:51 PM 4,533 plf2.tmp
08/16/2006 09:02 AM 4,533 plf1.tmp
08/15/2006 07:05 PM 398 SYMDEL.bat
08/15/2006 07:04 PM 8,447,892 Norton Internet Security 2006 8-15-2006 18h59m25s.log
08/15/2006 07:04 PM 6,029 SYMEVENT.LOG
08/15/2006 07:03 PM 4,114 SNDunin.log
08/15/2006 07:03 PM 2,848 IDSinst.LOG
08/15/2006 07:01 PM 1,685 CLTDIST.log
08/15/2006 06:59 PM 124 AVRES_OPTRF_LiveUpdate.dat
08/12/2006 08:08 PM 94,885 Google_Earth_3.0.0762_060812-200847_1.dmp
08/08/2006 09:45 AM 717 control.xml
08/06/2006 08:39 PM 20,230 MPC1.tmp
75 File(s) 35,740,894 bytes
0 Dir(s) 79,006,826,496 bytes free
Hello imidazol97
You will want to copy the text from this post and save it as a text file (*.txt) or print it because you will be working offline (in safemode) to resolve your problem and not have access to this forum.
Follow these STEPS.
STEP 1
Make sure you set windows to see the hidden files and folders.
STEP 2
- Download mwavscan (It is free), if you don't have a zip-tool we suggest zipgenius (It is free).
- You MUST Unzip mwavscan to 'C:\bases' (case sensitive, any other folder and it won't work properly)
- After installing some systems automatically start up the program, if this happens close it, you don't want to run it now.
- Open 'My Computer'
- Double click on 'C:'
- Double click on the folder 'bases'
- Now in that root folder look for 'kavupd.exe' and double click on it. (We are updating mwavscan to the latest definitions.)
- NOTE: Occasionally users receive an error that 'signatures are more then 30 days old'. If you receive this keep trying to run kavupd.exe, it means the definition server is busy, but you will eventually get through.
STEP 3
- Now turn off your computer and remove the network cable/phone line from your machine.
- Reboot your computer into Safe Mode
STEP 4
- Open 'My Computer'
- Double click on 'C:'
- Double click on the folder 'bases'
- Double click on 'mwavscan.com'
- Now close all other windows, browsers, and programs other than Mwavscan before continuing
- Checkmark: Memory, StartUp-Folders, Drives, All Local Drives, Registry and INI Files, System Folders, Services
- Now select 'Scan All Files'
- Finally, click on 'Scan Clean' (The program will take several hours to run)
- When the scan is complete, click 'View Log' and Save it!
STEP 5
- Reconnect your network cable/phone line
- Reboot your system into normal mode.
STEP 6
- Open 'My Computer'
- Double click on 'C:'
- Double click on the folder 'bases'
- Find the log file in the directory.
- Open it with an editor (Notepad will do fine)
- Look for the files which are tagged as "virus" or "infected"
- Copy and paste all these files tagged as "virus" or "infected" into a new document and save it to your desktop
STEP 7
Run Hijackthis again and have it save a new log file.
STEP 8
Post every file of mwavscan by looking for "infected" and "tagged as" to this thread:
It looks like this:
File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken
File C:\Documents and Settings\Name\Local Settings\Application Data\Wildtangent\0F.dat tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.
Also post the total results:
=>Total Number of Files Scanned:
=>Total Number of Virus(es) Found:
=>Total Number of Disinfected Files:
=>Total Number of Files Renamed:
=>Total Number of Deleted Files:
=>Total Number of Errors:
***** Scanning complete. *****
Finally, post the new Hijackthis logfile!
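Steps 6 and 8 above ask for the "infected" / "tagged as" lines and the totals to be picked out of the mwavscan log by hand. The Python below is an added example, not part of the original post or of mwavscan: it parses lines in the format quoted in the post, labels where each hit sits (antivirus quarantine folder, System Restore point, or elsewhere) and checks the line counts against the summary totals. The sample log, the function names and the location labels are constructed for illustration; that "tagged as" lines count toward "Virus(es) Found" is an assumption.

```python
import re
from collections import Counter

# Detection lines in the format quoted in the post:
#   File <path> infected by "<name>" Virus. Action Taken: <what>.
#   File <path> tagged as <name>. No Action Taken.
DETECTION = re.compile(
    r'File (?P<path>.+?) '
    r'(?:infected by "(?P<virus>[^"]+)" Virus|tagged as (?P<tag>\S+))'
    r'\.\s*(?P<action>.*)$'
)
TOTAL = re.compile(r'Total Number of (?P<what>[^:]+):\s*(?P<n>\d+)')

# Constructed sample input (paths and counts are made up for this example).
SAMPLE_LOG = r'''
Mon Sep 11 08:47:29 2006 => File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\AAAA0001.cla infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
Mon Sep 11 08:47:30 2006 => File C:\WINDOWS\example32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken: File Deleted.
Mon Sep 11 10:55:58 2006 => File C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.
Mon Sep 11 11:27:51 2006 => Total Number of Files Scanned: 1000
Mon Sep 11 11:27:51 2006 => Total Number of Virus(es) Found: 3
Mon Sep 11 11:27:51 2006 => Total Number of Files Renamed: 1
Mon Sep 11 11:27:51 2006 => Total Number of Deleted Files: 1
'''


def normalise_action(text):
    """'Action Taken: File Deleted.' -> 'file deleted'; 'No Action Taken.' -> 'none'."""
    text = text.strip().rstrip(".")
    if text.lower().startswith("no action"):
        return "none"
    return text.partition(":")[2].strip().lower() or "unspecified"


def classify_location(path):
    """Label the folder a hit sits in (labels are this example's own)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "av-quarantine"       # copy held by an antivirus product
    if "\\system volume information\\_restore" in p:
        return "system-restore"      # copy inside a System Restore point
    return "live"                    # ordinary location on disk


def parse_mwav_log(text):
    """Return (detections, totals) from mwavscan log text."""
    detections, totals = [], {}
    for raw in text.splitlines():
        stamp, sep, body = raw.partition("=>")
        if not sep:                  # line without a timestamp prefix
            stamp, body = "", raw
        hit = DETECTION.search(body)
        if hit:
            detections.append({
                "time": stamp.strip(),
                "path": hit["path"],
                "name": hit["virus"] or hit["tag"],
                "kind": "infected" if hit["virus"] else "tagged",
                "action": normalise_action(hit["action"]),
                "location": classify_location(hit["path"]),
            })
            continue
        total = TOTAL.search(body)
        if total:
            totals[total["what"].strip()] = int(total["n"])
    return detections, totals


def reconcile(detections, totals):
    """List disagreements between the summary totals and the parsed lines."""
    actions = Counter(d["action"] for d in detections)
    expected = {
        "Virus(es) Found": len(detections),
        "Files Renamed": actions["file renamed"],
        "Deleted Files": actions["file deleted"],
    }
    return [f"{key}: summary says {totals[key]}, log lines show {count}"
            for key, count in expected.items()
            if key in totals and totals[key] != count]


def live_findings(detections):
    """Hits outside quarantine and restore-point folders."""
    return [d for d in detections if d["location"] == "live"]


if __name__ == "__main__":
    found, summary = parse_mwav_log(SAMPLE_LOG)
    for d in found:
        print(f'{d["location"]:<15} {d["action"]:<13} {d["name"]}  {d["path"]}')
    print("mismatches:", reconcile(found, summary) or "none")
```
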
MWAVE SCAN
Mon Sep 11 11:27:51 2006 => ***** Scanning complete. *****
Mon Sep 11 11:27:51 2006 => Total Number of Files Scanned: 97517
Mon Sep 11 11:27:51 2006 => Total Number of Virus(es) Found: 6
Mon Sep 11 11:27:51 2006 => Total Number of Disinfected Files: 0
Mon Sep 11 11:27:51 2006 => Total Number of Files Renamed: 1
Mon Sep 11 11:27:51 2006 => Total Number of Deleted Files: 3
Mon Sep 11 11:27:51 2006 => Total Number of Errors: 2
Mon Sep 11 11:27:51 2006 => Time Elapsed: 02:46:52
Mon Sep 11 11:27:51 2006 => Virus Database Date: 2006/09/11
Mon Sep 11 11:27:51 2006 => Virus Database Count: 222392
Mon Sep 11 08:47:29 2006 => File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27B834BE.cla infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
Mon Sep 11 08:47:29 2006 => File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\29535EF9.anr infected by "Trojan-Downloader.Win32.Ani.c" Virus. Action Taken: File Deleted.
Mon Sep 11 08:47:29 2006 => File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\297158D9.anr infected by "Trojan-Downloader.Win32.Ani.c" Virus. Action Taken: File Deleted.
Mon Sep 11 08:47:30 2006 => File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71FB4A2E.htm infected by "Trojan-Clicker.HTML.Agent.a" Virus. Action Taken: File Deleted.
Mon Sep 11 10:18:47 2006 => File C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe tagged as not-a-virus:Downloader.Win32.DigStream. No Action Taken.
Mon Sep 11 10:55:58 2006 => File C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP259\A0020813.exe tagged as not-a-virus:Downloader.Win32.DigStream. No Action Taken.
HIJACK THIS FILE
Logfile of HijackThis v1.99.1
Scan saved at 4:46:41 PM, on 9/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fred\Desktop\Spyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.donet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1150685931443
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b3.../java/RntX.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
You have done that very well, @Imidazol97
So let's go on...
Please download a trial version of CounterSpy.
Update the program online.
Now turn off your computer and remove the network cable/phone line from your machine.
Reboot your computer into Safe Mode
Scan your system with CounterSpy in Safe Mode.
Let the program remove everything it finds:
Options > remove
- when the Scan is finished you can decide for:
*Ignore
*Remove
*Quarantine
Please choose Remove and restart your system.
Save the logfile.
-> Post the CounterSpy logfile, please.
Thank you.
I did the CounterSpy scan. There was no box to check to get logfile--maybe I missed it! I did make a notepad file of the only things it found. It only found cookies...
Spyware Scan Details
Start Date: 9/12/2006 6:56:39 AM
End Date: 9/12/2006 9:05:05 AM
Total Time: 2 hrs 8 mins 26 secs
Detected spyware
Cookie: Advertising.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted
Infected cookies detected
c:\documents and settings\fred\cookies\fred@advertising[1].txt
Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted
Infected cookies detected
c:\documents and settings\fred\cookies\fred@atdmt[2].txt
Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted
Infected cookies detected
c:\documents and settings\fred\cookies\fred@doubleclick[1].txt
Cookie: Travelocity.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted
Infected cookies detected
c:\documents and settings\fred\cookies\fred@travelocity[2].txt
Hello Imidazol97
Since CounterSpy doesn't delete all malware with only one scan, please reboot your system, run a new scan with CounterSpy, and again remove all malware. Save the logfile. Reboot your system. Repeat the scan... as long as anything is found.
Please post all these logfiles of CounterSpy.
Run HijackThis again, have it save another new log and post it too.