Old 07-11-2005, 08:28 AM   #1 (permalink)
I helped the forums.
 
Join Date: Jul 2004
Posts: 30
OS: Windows XP


Yet another hijack II?

It looks as if I've experienced my second hijack within the past 2 or 3 years, despite security efforts.

I suspect the problem is elitevju32.exe, which keeps returning despite scans and deletions. The symptom is a window that pops up attempting to open Internet Explorer every 5 minutes or so. I generally use Mozilla Firefox 0.9.2 and occasionally Netscape--IE very rarely.

I have run updated scans of Spybot, Ad Aware SE, CWShredder, Reg Seeker, Clean Up, Norton Anti-virus and Ewido. (I ran Ewido successfully twice, but now it seems to hang up while scanning the registry). Also have downloaded and installed IE Spyad and have Spyware Guard running.

Below is HJT log--any assistance or guidance would be great.

Andy Mason

Logfile of HijackThis v1.99.1
Scan saved at 9:55:19 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
D:\Spyware & Adware\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Navnt\navapw32.exe
D:\Spyware & Adware\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\sysmon32.exe
D:\Spyware & Adware\SpywareGuard\sgbhp.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Spyware & Adware\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevju32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: SpywareGuard.lnk = D:\Spyware & Adware\SpywareGuard\sgmain.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - D:\Spyware & Adware\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Spyware & Adware\security suite\ewidoguard.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
amason is offline  

Old 07-11-2005, 09:06 AM   #2 (permalink)
TSF Enthusiast
 
Join Date: Feb 2005
Location: Israel
Posts: 1,032
OS: XP Professional

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.
__________________
I am here in order to help you.
Omerr is offline  
Old 07-11-2005, 11:24 AM   #3 (permalink)
TSF Enthusiast
 
Join Date: Feb 2005
Location: Israel
Posts: 1,032
OS: XP Professional

Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

Download ETRemover. Do NOT use it now.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (if they still exist) (you must kill them one at a time).

C:\WINDOWS\System32\sysmon32.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevju32.exe


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\System32\sysmon32.exe
C:\windows\system32\elitevju32.exe


Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Please scan again with HijackThis to get a new log.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log so we can make sure your system is clean.
__________________
I am here in order to help you.
Omerr is offline  
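The fix-and-rescan check described in the post above can be reproduced offline. This is an added example, not part of the original post or of HijackThis: it parses HijackThis entry lines, reports anything an F2 `Shell=` entry launches besides Explorer.exe, and compares a pre-fix and a post-fix log against the fix list. The log excerpts are copied from the logs posted in this thread; the function names are made up for the example.

```python
import re

# Excerpts copied from the 7/11 (before) and 7/12 (after) HijackThis logs in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevju32.exe
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/
F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11
"""
# The four entries the helper asked to have checked and fixed.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevju32.exe
"""

# Entry lines look like "O4 - ..."; header and process-list lines do not match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return (code, detail) pairs for the entry lines of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def extra_shell_programs(entries):
    """Programs an F2 'Shell=' entry starts besides explorer.exe.
    Simplification: tokens are split on whitespace/commas, so paths
    containing spaces are not handled."""
    extras = []
    for code, detail in entries:
        pos = detail.lower().find("shell=")
        if code == "F2" and pos != -1:
            value = detail[pos + len("shell="):]
            for tok in re.split(r"[\s,]+", value.strip()):
                if tok and tok.lower() != "explorer.exe":
                    extras.append(tok)
    return extras


def entry_key(entry):
    # Registry and file paths on Windows are case-insensitive.
    return (entry[0], entry[1].lower())


def verify_fix(before_log, after_log, fix_list):
    """Compare two scans: which fix targets survived, what went away, what is new."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    before_keys = {entry_key(e) for e in before}
    after_keys = {entry_key(e) for e in after}
    return {
        "still_present": [e for e in parse_entries(fix_list) if entry_key(e) in after_keys],
        "removed": [e for e in before if entry_key(e) not in after_keys],
        "added": [e for e in after if entry_key(e) not in before_keys],
    }


if __name__ == "__main__":
    print("Extra shell programs before fix:", extra_shell_programs(parse_entries(BEFORE)))
    for name, items in verify_fix(BEFORE, AFTER, FIX_LIST).items():
        print(name)
        for code, detail in items:
            print("   ", code, "-", detail)
```

Entries listed under "added" are simply new since the previous scan and still need a human read; here they include the ActiveScan installer control from the scan the helper requested.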
Old 07-12-2005, 12:22 PM   #4 (permalink)
I helped the forums.
 
Join Date: Jul 2004
Posts: 30
OS: Windows XP


Omerr--

Many thanks for your assistance.

I've followed your instructions--below are logs from Panda Active Scan and HJT.

Andy Mason

****************************************
Active Scan

Incident Status Location

Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar
Virus:Exploit/iFrame Disinfected C:\Eudora\Trash.mbx[~002015.@x@]
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc11.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc12.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc13.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc14.exe
Virus:Trj/Crypt.E Disinfected C:\RECYCLER\S-1-5-21-1148689247-1633081774-3228334493-1006\Dc15.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\hisistheurls.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_pgxkiy.dat
Adware:Adware/WinTools No disinfected C:\WINDOWS\seeve.exe
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini
Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe
Virus:Bck/Lithium.101 Disinfected D:\WINDOWS2\SYSTEM\srv_capture.dll

*********************************************

Logfile of HijackThis v1.99.1
Scan saved at 2:16:23 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
D:\Spyware & Adware\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Navnt\navapw32.exe
D:\Spyware & Adware\SpywareGuard\sgmain.exe
D:\Spyware & Adware\SpywareGuard\sgbhp.exe
D:\Spyware & Adware\security suite\ewidoguard.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Spyware & Adware\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/
F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: SpywareGuard.lnk = D:\Spyware & Adware\SpywareGuard\sgmain.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11
O23 - Service: ewido security suite control - ewido networks - D:\Spyware & Adware\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Spyware & Adware\security suite\ewidoguard.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

*******************************************
amason is offline  
Old 07-12-2005, 12:33 PM   #5 (permalink)
I helped the forums.
 
Join Date: Jul 2004
Posts: 30
OS: Windows XP


Omerr--

I realize you asked for the HJT analyzer log. Here it is. Also, was I supposed to do anything with ETRemover other than download it?

Andy
amason is offline  
Old 07-12-2005, 12:34 PM   #6 (permalink)
I helped the forums.
 
Join Date: Jul 2004
Posts: 30
OS: Windows XP


Still forgot the log!

*********************************************
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\Navnt\navapw32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:16:23 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\Spyware & Adware\security suite\ewidoctrl.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
D:\Spyware & Adware\SpywareGuard\sgmain.exe
D:\Spyware & Adware\SpywareGuard\sgbhp.exe
D:\Spyware & Adware\security suite\ewidoguard.exe
D:\Spyware & Adware\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/
F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - Startup: SpywareGuard.lnk = D:\Spyware & Adware\SpywareGuard\sgmain.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{54F70E34-AE9B-4B30-AD0B-4EA3EA7301D5}: NameServer = 207.251.194.54 207.251.201.11
O23 - Service: ewido security suite control - ewido networks - D:\Spyware & Adware\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Spyware & Adware\security suite\ewidoguard.exe


End of KRC HijackThis Analyzer Log.
====================================================================
amason is offline  
Old 07-12-2005, 12:35 PM   #7 (permalink)
TSF Enthusiast
 
Join Date: Feb 2005
Location: Israel
Posts: 1,032
OS: XP Professional

Hey.
I am sorry, I forgot. You should run it in SafeMode. Please do it.

I will take a look in your log ASAP.
__________________
I am here in order to help you.
Omerr is offline  
Old 07-12-2005, 02:02 PM   #8 (permalink)
TSF Enthusiast
 
Join Date: Feb 2005
Location: Israel
Posts: 1,032
OS: XP Professional

Hello again. You are very welcome

Please disable SpyWare Guard before continuing with the fix.

Please go to SafeMode.
Go to Add/Remove and remove the following program if it exists:

Elite Toolbar

Delete the following files indicated in RED and folders indicated in BLUE:

C:\WINDOWS\usta33.ini
C:\WINDOWS\thin-143-1-x-x.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\seeve.exe
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\EliteToolBar
C:\Eudora\Trash.mbx
C:\WINDOWS\hisistheurls.exe
C:\WINDOWS\n_pgxkiy.dat
C:\WINDOWS\seeve.exe
C:\WINDOWS\SYSTEM32\c.bat
D:\WINDOWS2\SYSTEM\srv_capture.dll


Please empty your recycle bin.

Restart your PC to normal mode.

Please give us a new Panda ActiveScan log, along with KRC HijackThis Analyzer log.
__________________
I am here in order to help you.
Omerr is offline  
Old 07-12-2005, 09:37 PM   #9 (permalink)
I helped the forums.
 
Join Date: Jul 2004
Posts: 30
OS: Windows XP


Omerr--

You state, "You should run it in SafeMode"--are you referring to HJT Analyzer, or to ET Remover?

Andy
amason is offline  
Old 07-13-2005, 02:12 AM   #10 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Quote:
Originally Posted by amason
Omerr--

You state, "You should run it in SafeMode"--are you referring to HJT Analyzer, or to ET Remover?

Andy


ET Remover. Then reboot and post those logs
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
Old 07-13-2005, 07:58 AM   #11 (permalink)
I helped the forums.
 
Join Date: Jul 2004
Posts: 30
OS: Windows XP


Omerr & Microbell--

Thanks--below are ActiveScan and HJT Analyzer logs after running ETRemover.

Andy

***************************************

Incident Status Location

Adware:Adware/EliteBar No disinfected Windows Registry

*********************************************

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\Navnt\navapw32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:52:26 AM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\Spyware & Adware\security suite\ewidoctrl.exe
D:\Spyware & Adware\security suite\ewidoguard.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
D:\Spyware & Adware\SpywareGuard\sgmain.exe
D:\Spyware & Adware\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timesunion.com/
F3 - REG:win.ini: load= c:\quickenw\BILLMNDW.EXE
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - Startup: SpywareGuard.lnk = D:\Spyware & Adware\SpywareGuard\sgmain.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - D:\Spyware & Adware\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Spyware & Adware\security suite\ewidoguard.exe


End of KRC HijackThis Analyzer Log.
====================================================================
amason is offline  
Old 07-13-2005, 02:03 PM   #12 (permalink)
TSF Enthusiast
 
Join Date: Feb 2005
Location: Israel
Posts: 1,032
OS: XP Professional

Hello again.
Your log seems clean, congratulations! Are there any further problems now? If not, you should be set to go. If there ARE any problems, skip the next instructions and let me know about your problems so we can solve them!

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

To turn on System Restore, click Start, right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.
__________________
I am here in order to help you.
Omerr is offline  
Old 07-15-2005, 07:16 AM   #13 (permalink)
I helped the forums.
 
Join Date: Jul 2004
Posts: 30
OS: Windows XP


Omerr--

Things seem OK at this end also. Great job--many thanks! You folks are performing a very worthwhile service.

Andy Mason
amason is offline  
 

