Skip to main content

Bod99

561 Posts

June 15th, 2006 18:00

Hi

I'm Bod and here to help you with your Hijack This log.

Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

I am currently looking over your log and as I am an undergraduate at Malware Removal University, everything that I post to you must be checked by an expert. There may therefore be a slight delay between posts. I will post back as soon as I can.

Thanks,

Bod

Bod99

561 Posts

June 16th, 2006 18:00

Hi,

I've had a look through your log and I now have some instructions for you to follow.

Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.

Please follow and carry out all the steps in the instructions in the order I've listed them.

Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.

IMPORTANT - Anti Virus Software
It is very important that your computer has an anti-virus software running on your machine and that it is kept up to date.

It looks like you have at least 3 anti-virus systems running (Avast, eTrust and Symantec). It is not a good idea to be running more than one anti-virus system at a time, so choose one of them and make sure it is updated at least weekly, preferably daily. It is OK to carry out manual scans with a second anti-virus system if the first is temporarily disabled.

For more information on anti-virus programs see http://forum.malwareremoval.com/viewtopic.php?p=53#53

Step 1
There are a couple of files on your pc that I want to be scanned.

Please go to http://www.virustotal.com/en/indexf.html, and follow the instructions to upload each of the following files from your pc for a scan.
C:\WINDOWS.0\system32\CROSOF~1.NET\dllhost.exe
C:\WINDOWS.0\A?pPatch\lsass.exe

Notes:
1. The folder for the first of the files won't have the ~ symbol in the name when you are navigating to it, there will be some other text. The important thing to look out for is the .NET ending.
2. The folder for the second of the files won't have the ? symbol in the name when you are navigating to it, there will be another character or characters there using Unicode cyrillic characters or similar.

Step 2
Run Hijack This, click Config... > Misc Tools > Open Uninstall Manager > Save list... and save the text file to your desktop. Close Hijack This.

Please copy / paste the results of each scan and the contents of the Uninstall list into your next reply.

Thanks,

Bod

random72

6 Posts

June 16th, 2006 19:00

Here's the uninstall list from Hijack This. Both of the files you wanted me to scan on VirusTotal came up negative for viruses.
 
If you want to see the results from VirusTotal, let me know and I'll post those as well.
 
Thanks,
 
random72
 
*************************************
 
 
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
BitTornado 0.3.7
BitTorrent 4.4.1
DivX
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
ESPNMotion
eTrust EZ Antivirus
ewido anti-malware
Free Internet Eraser 2.05
Google Earth
HijackThis 1.99.1
iPod for Windows 2005-03-23
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_06
Java Web Start
KhalSetup
LimeWire 4.9.30
LiveUpdate 2.0 (Symantec Corporation)
LiveUpdate Administration Utility
Logitech SetPoint
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office 2003 Web Components
Microsoft Office OneNote 2003
Microsoft Office Outlook 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Publisher 2003
Microsoft Office Visio Professional 2003
Microsoft Office XP Web Components
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (1.5.0.4)
MSN
MSN Messenger 7.5
MSN Search Toolbar
MyDVD
NVIDIA DVD Decoder
Panda ActiveScan
QuickTime
RealPlayer
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
screensaver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
sky1024x768_ss  Screen Saver
Sonic CinePlayer
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spelling Dictionaries For Adobe Reader Package
Symantec AntiVirus
Symantec AntiVirus Quarantine Console Snap-in
Symantec System Center
Symantec System Center
UFile 2005
UFile Updater 2005
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
VIA Rhine-Family Fast Ethernet Adapter
Window Washer
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885354
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver

Bod99

561 Posts

June 17th, 2006 16:00

Hi,

Thanks for the uninstall list.

Unfortunately the entry I was hoping for isn't there, so we need to download an uninstall program.

Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.

Please follow and carry out all the steps in the instructions in the order I've listed them.

Step 1
Disable the Ewido Guard realtime protection feature.

Step 2
Download and run this uninstaller: http://www.outerinfo.com/OiUninstaller.exe

Reboot.

Step 3
Delete this folder if found: C:\Program Files\PurityScan

Step 4
Run Ewido. Click Scanner > Complete System Scan, and choose "Remove" then click "OK" for everything found. Beware of false positives, so check each item found before choosing to remove.
At the end of the scan, click "Save Report". I will need you to include this log in your next post. You can re-start the Ewido Guard feature.

Step 5
Run Hijack This, "Scan" and post the log, together with the Ewido log, as a reply to this thread. I'll check it through, and get back to you.

Thanks,

Bod

random72

6 Posts

June 17th, 2006 17:00

Hi Bod,

Thanks for the response. I followed your instructions and here are the results of the two scans. The Ewido one is listed first, followed by Hijack This. 

Thanks for all your help so far.

Random72

******************************************

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:   2:04:49 PM, 17/06/2006
 + Report-Checksum:  127ABC49

 + Scan result:

 HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup
 :mozilla.9:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 :mozilla.10:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 :mozilla.11:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 :mozilla.12:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 :mozilla.13:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 :mozilla.25:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.26:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.27:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.29:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.30:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.31:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.32:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.33:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.34:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.35:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
 :mozilla.36:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 :mozilla.53:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 :mozilla.61:C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\zdjb658x.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@chicagosuntimes.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@lov.valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@volkswagen.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
 C:\Documents and Settings\Lee\Cookies\lee@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End

 

Logfile of HijackThis v1.99.1
Scan saved at 2:15:41 PM, on 17/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS.0\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS.0\system32\ams_ii\iao.exe
C:\WINDOWS.0\system32\MsgSys.EXE
C:\WINDOWS.0\system32\cba\xfr.exe
C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS.0\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\WINDOWS.0\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: (no name) - {8BBE2181-990D-0B9E-283C-30AB39D893FD} - C:\WINDOWS.0\system32\kvtvywut.dll (file missing)
O2 - BHO: (no name) - {90EA03D4-95EC-3B38-9D50-56CD6132844A} - C:\WINDOWS.0\system32\ulgkwqwe.dll (file missing)
O2 - BHO: (no name) - {B2947372-653B-EBBE-56F1-0DFB8E09D8E4} - C:\WINDOWS.0\system32\hopdjzbr.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [uaodousw] C:\WINDOWS.0\system32\uaodousw.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS.0\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Aets] "C:\WINDOWS.0\system32\CROSOF~1.NET\dllhost.exe" -vt ndrv
O4 - HKCU\..\Run: [Eeylky] C:\WINDOWS.0\A?pPatch\lsass.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Sonic CinePlayer Quick Launch.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d9aa2d204f9046f4a93c7df0154855ba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d9aa2d204f9046f4a93c7df0154855ba
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128086223809
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) - http://www.sonypictures.com/movies/casinoroyale/vividas/player/vivid_ocx.jpeg
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.0\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS.0\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS.0\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS.0\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

 

 

Bod99

561 Posts

June 17th, 2006 21:00

Hi again,

Thanks for the logs, I've now got some more instructions for you.

As always, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.

Please follow and carry out all the steps in the instructions in the order I've listed them.

Step 1
Click Start > Control Panel > Add/Remove Programs.
Allow the list to populate, then click on "Remove" for all of the following programs that appear in the list (not all may be there).
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_06

Do not reboot until you have attempted to remove all of these entries entries that you find.

Step 2
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
O2 - BHO: (no name) - {8BBE2181-990D-0B9E-283C-30AB39D893FD} - C:\WINDOWS.0\system32\kvtvywut.dll (file missing)
O2 - BHO: (no name) - {90EA03D4-95EC-3B38-9D50-56CD6132844A} - C:\WINDOWS.0\system32\ulgkwqwe.dll (file missing)
O2 - BHO: (no name) - {B2947372-653B-EBBE-56F1-0DFB8E09D8E4} - C:\WINDOWS.0\system32\hopdjzbr.dll (file missing)
O4 - HKLM\..\Run: C:\WINDOWS.0\system32\uaodousw.exe
O4 - HKCU\..\Run: "C:\WINDOWS.0\system32\CROSOF~1.NET\dllhost.exe" -vt ndrv
O4 - HKCU\..\Run: C:\WINDOWS.0\A?pPatch\lsass.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab

Click on "Fix checked".

Step 3
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Click My Computer > Tools > View, then put a tick in the "Display the contents of system folders" and "Show hidden files and folders" check boxes. Uncheck
the "Hide protected operating system files (recommended)" option.
Click "Yes" to confirm.
Click "OK".
Navigate to the following folders and files and delete each of them. Some may not be present.
Folders (delete with all contents)
C:\WINDOWS.0\system32\CROSOF~1.NET\
C:\WINDOWS.0\A?pPatch\
C:\Program Files\BitTorrent\

Files
C:\WINDOWS.0\system32\uaodousw.exe

Notes:
1. The folder name for C:\WINDOWS.0\system32\CROSOF~1.NET\ won't have the ~ symbol in the name when you are navigating to it, there will be some other text. The important thing to look out for is the .NET ending.
2. The folder name for C:\WINDOWS.0\A?pPatch\ won't have the ? symbol in the name when you are navigating to it, there will be another character or characters there using Unicode cyrillic characters or similar.

Reboot as normal.

Step 4 - Java Update - This is essential, earlier versions of Java can be exploited
Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7.
Click the link "Download JRE 5.0 Update 7". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop.
Then go back to your Desktop and double click "jre-1_5_0_07-windows-i586-p.exe" to start the install.
Once you have it installed, click Start > Run, type in "appwiz.cpl" (without the quotes), and click "Enter".
From the list, uninstall "J2SE Runtime Environment 5.0 Update 6".

Step 5
Download ATF Cleaner from http://www.atribune.org/ccount/click.php?id=1

Run ATF Cleaner. Click on the check box to select the following options:
Windows Temp
All Users Temp
Temporary Internet Files
Click "Empty Selected". Exit when finished.

Step 6
Restore your Hosts file
Go to http://www.funkytoad.com/download/hoster.zip and download Hoster, unzip it and run then click on "Restore Microsoft's Original Hosts File". Close when finished.

Step 7
Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.

Thanks,

Bod

random72

6 Posts

June 18th, 2006 04:00

Bod,
 
Everything seemed to go ok with the exception of one folder deletion. While in safe mode I was unable to delete the folder C:\WINDOWS/.0\A?pPatch\ (it was actually AppPatch). When I attempted to delete it, it started to remove it only to stop with an error message stating that some of its contents were in use, therefore it could not be deleted (something to that effect). This happened every time I tried it. Suggestions?
 
Other than that, everything seemed to work fine. The results of the latest Hijack This scan are listed below.
 
Thanks,
 
Random72
 
*****************************
 
Logfile of HijackThis v1.99.1
Scan saved at 1:11:45 AM, on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS.0\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS.0\system32\ams_ii\iao.exe
C:\WINDOWS.0\system32\MsgSys.EXE
C:\WINDOWS.0\system32\cba\xfr.exe
C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\WINDOWS.0\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8BBE2181-990D-0B9E-283C-30AB39D893FD} - (no
file)
O2 - BHO: (no name) - {90EA03D4-95EC-3B38-9D50-56CD6132844A} - (no
file)
O2 - BHO: (no name) - {B2947372-653B-EBBE-56F1-0DFB8E09D8E4} - (no
file)
O3 - Toolbar: MSN Search Toolbar -
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar
Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS.0\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ
Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust
EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpywareBot] C:\Program
Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program
Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Sonic CinePlayer Quick Launch.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program
Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk =
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN
Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN
Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab -
res://C:\Program Files\MSN Toolbar
Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d9aa2d204f9046f4a93c7
df0154855ba
O8 - Extra context menu item: Open in new foreground tab -
res://C:\Program Files\MSN Toolbar
Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d9aa2d204f9046f4a93c7
df0154855ba
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: ppctlcab -
http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
-
/muweb_site.cab?1128086223809
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) -
x.jpeg
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime
Environment 1.4.1_02) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.0\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. -
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -
Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program
Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - Intel® Corporation -
C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation -
C:\WINDOWS.0\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation -
C:\WINDOWS.0\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation -
C:\WINDOWS.0\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) -
Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec
AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program
Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates
International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\VetMsg.exe
 

Bod99

561 Posts

June 18th, 2006 17:00

Hi,

Thanks for the log.

C:\WINDOWS/.0\AppPatch is a legitimate Windows folder, that's why you couldn't delete it.

I've now got some more instructions. There's some O2 lines in the Hijack This log that haven't gone away, so we'll try fixing them once more. We'll also double check the C:\WINDOWS/.0\A?pPatch\ folder isn't there. Hopefully one of the earlier steps got it.

Step 1
Run Hijack This, don't have any other programs open, and click " Scan".
In the scan results, click on the check box for all of the following lines that are present.
O2 - BHO: (no name) - {8BBE2181-990D-0B9E-283C-30AB39D893FD} - (no file)
O2 - BHO: (no name) - {90EA03D4-95EC-3B38-9D50-56CD6132844A} - (no file)
O2 - BHO: (no name) - {B2947372-653B-EBBE-56F1-0DFB8E09D8E4} - (no file)
Click on " Fix checked".

Step 2
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Click My Computer > Tools > View, then put a tick in the " Display the contents of system folders" and " Show hidden files and folders" check boxes. Uncheck the " Hide protected operating system files (recommended)" option. These should still be set from the previous set of instructions.
Click " Yes" to confirm.
Click " OK".
When you've got Explorer open, navigate to the c:\Windows.0\ folder, click View > Details, then click on the column header " Name" to put the files in alphabetical order.
Scroll down the list of folders in the right hand pane, if C:\WINDOWS.0\A?pPatch\ is still there, it'll be the last folder starting with " A".
If it's there, delete it. As I said earlier, C:\WINDOWS/.0\AppPatch is a negitimate Windows folder, so don't try to delete that one.

Reboot as normal.

Step 3
Run Hijack This, " Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.

Also, have you got more than one Windows installation in the same partition of your hard disk? The WINDOWS.0 notation is an indication of this, but I'd like to be sure that there isn't something weird going on here.

Thanks,

Bod

random72

6 Posts

June 19th, 2006 03:00

Hi,
 
Here's the latest scan result. The A?aPatch folder wasn't there, so I was unable to delete it.
Also, to answer your question, I do have two Windows installations in the same partition of my hard disk.
 
Thanks,
 
random72
 
**********************
 
Logfile of HijackThis v1.99.1
Scan saved at 12:10:43 AM, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS.0\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS.0\system32\ams_ii\iao.exe
C:\WINDOWS.0\system32\MsgSys.EXE
C:\WINDOWS.0\system32\cba\xfr.exe
C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\WINDOWS.0\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8BBE2181-990D-0B9E-283C-30AB39D893FD} - (no
file)
O2 - BHO: (no name) - {90EA03D4-95EC-3B38-9D50-56CD6132844A} - (no
file)
O2 - BHO: (no name) - {B2947372-653B-EBBE-56F1-0DFB8E09D8E4} - (no
file)
O3 - Toolbar: MSN Search Toolbar -
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar
Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS.0\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ
Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust
EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpywareBot] C:\Program
Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program
Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Sonic CinePlayer Quick Launch.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program
Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk =
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN
Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN
Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab -
res://C:\Program Files\MSN Toolbar
Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d9aa2d204f9046f4a93c7
df0154855ba
O8 - Extra context menu item: Open in new foreground tab -
res://C:\Program Files\MSN Toolbar
Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d9aa2d204f9046f4a93c7
df0154855ba
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: ppctlcab -
http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
-
/muweb_site.cab?1128086223809
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) -
x.jpeg
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime
Environment 1.4.1_02) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.0\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. -
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -
Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program
Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - Intel® Corporation -
C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation -
C:\WINDOWS.0\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation -
C:\WINDOWS.0\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation -
C:\WINDOWS.0\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) -
Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec
AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program
Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates
International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\VetMsg.exe
 

Bod99

561 Posts

June 19th, 2006 16:00

Hi again,

Thanks for the log. Those O2 lines are persistent, aren't they!

It may be that a couple of programs you have running are stopping these being fixed, so we'll disable them as a temporary measure and try again.

Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.

Step 1
Right-click the Ewido system tray icon (a yellow e) and uncheck "real time protection".

Run Windows Defender
Click Tools > General Settings
Scroll down and uncheck "Turn on real-time protection (recommended)".
Click "Save"

After the Hijack This fix is complete it is very important that you enable real-time protection again for both Ewido and Defender.

Step 2
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
O2 - BHO: (no name) - {8BBE2181-990D-0B9E-283C-30AB39D893FD} - (no file)
O2 - BHO: (no name) - {90EA03D4-95EC-3B38-9D50-56CD6132844A} - (no file)
O2 - BHO: (no name) - {B2947372-653B-EBBE-56F1-0DFB8E09D8E4} - (no file)
O4 - HKLM\..\Run: C:\Program Files\SpywareBot\SpywareBot.exe -boot
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

Click on "Fix checked".

Step 3
Remember to enable real-time protection again for both Ewido and Defender!

Step 4
Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.

Thanks,

Bod

Message Edited by Bod99 on 06-19-200602:39 PM

random72

6 Posts

June 19th, 2006 22:00

Hi,
 
Here it is, and it seems the 02 lines are still there. The other ones appear to be gone, however.
 
Thanks,
 
random72
 
*******************************************
 
Logfile of HijackThis v1.99.1
Scan saved at 7:11:34 PM, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS.0\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS.0\system32\ams_ii\iao.exe
C:\WINDOWS.0\system32\MsgSys.EXE
C:\WINDOWS.0\system32\cba\xfr.exe
C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\WINDOWS.0\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {8BBE2181-990D-0B9E-283C-30AB39D893FD} - (no file)
O2 - BHO: (no name) - {90EA03D4-95EC-3B38-9D50-56CD6132844A} - (no file)
O2 - BHO: (no name) - {B2947372-653B-EBBE-56F1-0DFB8E09D8E4} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS.0\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Sonic CinePlayer Quick Launch.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d9aa2d204f9046f4a93c7df0154855ba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d9aa2d204f9046f4a93c7df0154855ba
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128086223809
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) - http://www.sonypictures.com/movies/casinoroyale/vividas/player/vivid_ocx.jpeg
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS.0\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS.0\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS.0\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS.0\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS.0\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
 

Bod99

561 Posts

June 20th, 2006 07:00

Hi,

OK, thanks for the log. Do any of the parts of Symantec that you are still running include a feature to prevent "unauthorised" changes to your system?

If so, run the last set of instructions again with that disabled as well as Ewido and Defender.

Thanks,

Bod

Bod99

561 Posts

July 6th, 2006 20:00

Hi,

It's now been at least 7 days since your last post. I am presuming now that your problem has been solved and this topic is now inactive.

I will keep tabs on this post for another 7 days from this date, after which if you need help you should start a new topic.

If you should wish to reply before the 7 days has passed then simply please post a fresh HJT log before proceeding further.

Thanks,

Bod

Was this post helpful?

View All

No Events found!

Top