
Thread: Help - trying to remove BraveSentry etc

  1. #141
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    GULP.....
    I am not going to say anything...but....
    just a couple more fixes to do .....hopefully...

    First of all go to Start, Run. Type msconfig.
    When the System Configuration Utility opens go to the Services Tab.
    Look for this;
    AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe
    Take the checkmark out. Click Ok and close System Configuration Utility.

    Run HiJackThis and place checkmarks next to the following entries;

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab

    O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe

    Once you have placed the checkmarks then click the FIX button.
    Exit HJT.
    Don't Reboot.

    THEN go to;
    C:\WINDOWS\system32\dsezu.exe
    Delete that file noted in RED.

    Reboot.

    Keep your fingers crossed....
    Run a new HJT scan and post that new log.

    Judy

  2. #142
    Join Date
    May 2007
    Posts
    194
    So close?! Surely not! What will I do without having to fix things!?

    Oh, there we go. I got through the first steps. Then: Cannot delete dsezu.exe; It is being used by another person or program. Close any programs that might be using the file and try again.

  3. #143
    Join Date
    May 2007
    Posts
    194
    Because I couldn't delete dsezu.exe, I don't know whether I should reboot or not (because of the big bold don't reboot!) So I'm waiting to find out if I should go ahead and reboot anyway and try again and then run HJT, reboot and run HJT without trying again, run HJT without rebooting... etc.

  4. #144
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, try again...and this time Reboot in SAFE MODE and do the same thing, not the HJT just the look for and delete part...I don't know about you but I am "sweating bullets" here!

  5. #145
    Join Date
    May 2007
    Posts
    194
    It deleted! New HJT scan coming up!

    And as for sweating bullets... it's not even your computer! lol. I'M definitely excited... and... is that optimistic? Yes, I think it is!

    Here's to hoping.

  6. #146
    Join Date
    May 2007
    Posts
    194
    Surely we're close now! I don't think I see the entries I checked off before!

    Logfile of HijackThis v1.99.1
    Scan saved at 11:55:14 PM, on 5/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\VPN Client\cvpnd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\TrojanHunter 4.6\THGuard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    C:\Documents and Settings\Owner\Desktop\hjkths1991.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinFast Schedule] C:\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.6\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173467735984
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/act...cheManager.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
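
Added example, not part of any post in this thread: a small Python check that does by script what the poster did by eye, confirming that the `dsezu.exe` service entry is gone from the new log and listing the O23 entries still worth a manual look. `AFTER` holds lines copied from the log in post #146; `BEFORE` is constructed from those lines plus the one entry quoted in post #141, and the function names are this example's own.

```python
import re

# O23 line shape: "O23 - Service: <display name> - <owner> - <image path>[ (file missing)]"
O23 = re.compile(r"^O23 - Service: (?P<head>.+) - (?P<path>[A-Za-z]:\\.*)$")
MISSING = " (file missing)"

def parse_o23(log_text):
    """Return {lower-cased image path: entry} for every O23 service line."""
    services = {}
    for raw in log_text.splitlines():
        m = O23.match(raw.strip())
        if not m:
            continue  # not a service line (O2, O4, running processes, ...)
        # Display names and owners may contain hyphens, so split from the right.
        name, _, owner = m.group("head").rpartition(" - ")
        path = m.group("path")
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)]
        services[path.lower()] = {"name": name, "owner": owner,
                                  "path": path, "file_missing": missing}
    return services

def review_list(services):
    """Paths to check by hand: HijackThis showed no vendor name, or the file
    is not on disk. This is a triage heuristic, not a verdict on the file."""
    return sorted(s["path"] for s in services.values()
                  if s["owner"] == "Unknown owner" or s["file_missing"])

def removed_between(before_log, after_log):
    """Service image paths present in the earlier log and absent from the later one."""
    return sorted(set(parse_o23(before_log)) - set(parse_o23(after_log)))

# Lines copied from the log in post #146.
AFTER = r"""
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\VPN Client\cvpnd.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
"""
# Constructed "before" log: the same lines plus the entry quoted in post #141.
BEFORE = AFTER + r"O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe"

if __name__ == "__main__":
    print("removed:", removed_between(BEFORE, AFTER))
    print("review :", review_list(parse_o23(AFTER)))
```
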

  7. #147
    Join Date
    May 2007
    Posts
    194
    Shut down for the night... got another round of shutting-down updates... 6 of 'em again. We'll see if it gets through them all tonight. I'm less worried about these now, but still figure it's worth noting.

  8. #148
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    We are almost there! I "think"...I HOPE!

    Turn OFF that Auto-Update. You can do them manually, just remember to check every so often.
    I have mine turned off.
    Turn them off this way;
    Go to Start, Control Panel, Administrative Tools, Services.
    Double Click on Automatic Updates and set it to Disable.
    Click OK and close out Administrative Tools.

    Here is a link on how to configure services and speed up the computer

    Now just a bit more clean up and I think you can try going online...
    Empty all the quarantine files on the programs you have run...if you can remember them all.
    Then download a couple more little programs....
    First one is
    RegCleaner
    This will get rid of all the "extras" that are left sitting there you don't need anymore. I usually don't mess with the registry myself...I am always somewhat leery but this will make a backup of items removed and hold it for a month. If you find something isn't working quite right you can use the backup...I have never had to use it.

    Easy to use. Open the program;
    Click Tools; Registry Clean Up, Do Them All.
    It will then scan your computer and produce a list of unneeded/invalid items.
    Once the list comes up, doesn't take too long either, then go to Select, Select All, and click the Remove Selected button on the lower right corner. Invalid entries will be removed and backup will be made.
    Exit the program.

    AFTER you use RegCleaner then you should FINALLY set a new, CLEAN Restore Point on the computer!!!

    Right Click My Computer.
    Choose Properties.
    Click the System Restore Tab.
    Place a checkmark in Turn Off System Restore.
    Click ok. You will get a message warning you that you are about to turn it off and will lose all restore points and are you sure you want to do this...or something worded like that.

    Click...Hell Yes...that probably isn't there...click Ok or Yes. System Restore will shut down.
    Wait a minute and then do the reverse and turn it back on!
    You should have a new, CLEAN restore point.

    *Next one is SpywareBlaster, if you don't have it, can't recall
    Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. This one is a MUST!!!!

    Restrict the actions of potentially unwanted sites in Internet Explorer and Firefox.

    Next program to download is Mike Lin's StartUp Control Panel
    allows you to disable, delete and even undelete, programs configured to startup along with Windows. SUPER easy to use. I have used it for years.
    With this you can stop auto starts for....
    UpdReg...which is a Reminder to register Creative Labs SoundBlaster Live! cards
    QuickTime Task... System Tray access to Apple's "Quick Time"
    TkBellExe... Application Scheduler installed along with RealOne Player, not required
    THGuard... Resident memory scanning for Trojan Hunter
    Adobe Gamma... Adjusts monitor colours
    All of the above can easily be run manually and are not required to operate the computer.

    Finally....you need to defrag the computer. Here is a super, duper program recommended here by ~TL in his Some of My Favorite Utilities!
    AUSLogics Defrag
    As ~TL says, "One of the easiest and speediest disk defragmentation tools I have used to this date. Give this free tool a shot, you won't be sorry!" Believe me, you will love it! Use it in place of the built in defrag. You do need to defrag because of all the junk we have moved, removed and moved around.

    Gee, I hope this baby will go online clean and free! Use the RegCleaner and System Restore before going online, then give it a shot!
    Please let me know how everything works ...
    Judy

  9. #149
    Join Date
    May 2007
    Posts
    194
    Clarification things:

    1) The service associated with deszu.exe or whatever it was -- the one that starts AEF with a bunch of random letters -- is still THERE, just disabled. That's fine, right?
    2) I don't remember which of the many programs it was, but one of the more recent ones made a quarantine folder inside a new folder called QooBox. It has registry backups and C drive backups. That's fine to delete, too, right?
    3) Norton is unhappy... I get a yellow bubble message saying "Virus protection is turned off. Windows Automatic Updates is off." I've ignored this message.


    Unfortunately, I have to run off to a meeting right now, and I'm only up through RegClean, but I'll be back at it in a couple hours and, if the stars are aligned properly, online with that computer soon after!

  10. #150
    Join Date
    May 2007
    Posts
    194
    Oh, just another quick thought while I'm thinking about it... is it worth running ATF-Cleaner in there somewhere, or is emptying the Recycle Bin good enough? (I don't know if ATF writes over the files or just 'deletes' like the bin does)
