Possible Viruses

[honeyk]

@echo off
dir "C:\AA\Local Settings" >> look3.txt
start look3.txt Volume in drive C has no label.
 Volume Serial Number is 8844-14DA

 Directory of C:\AA\Local Settings

2007-12-12  10:10    <DIR>          .
2007-12-12  10:10    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   3,858,227,200 bytes free

 Volume in drive C has no label.
 Volume Serial Number is 8844-14DA

 Directory of C:\AA\Local Settings

2007-12-12  10:10    <DIR>          .
2007-12-12  10:10    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   3,858,120,704 bytes free

[honeyk]

Sorry, scan hasnt finished. I will let it complete without anymore interferance from myself, and then send you a dss log. Honeyk

Scan finished after about 2 1/2hrs. Had a couple more AVAST warning pop up during the scan. If you want me to send the info. on them let me know. DSS log attached Honeyk

[oldman]

Download ComboFix from Here or Here to your Desktop.

Don't run it yet



Open HJT and fix the following lines

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe

Close all browsers/windows click fix. close HJT



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Folder::
C:\Program Files\EAdwareRemoval

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.


Note: If after 30 minutes Combofix has not completed, it has hung. Open your Task Manager (right click the clock in your system tray and click the choice Task Manager). Click the "Processes" tab, then, see if you can find any of these processes (click Image Name to order them alphabetically): findstr, find, sed, or swreg.

If so, end them one by one, seeing if ComboFix resumes at each stage.


Open HJT, click open misc tools button, click open uninstall manager, click save list. Copy and paste the list into a notepad and attach to your next reply along with the other 2.

[honeyk]

Honeyk

[oldman]

Open HJT, checkmark the following lines if present

O4 - HKLM\..\Run: [AdwareRemoval_schedules] C:\Program Files\EAdwareRemoval\schedules.exe
O4 - HKLM\..\Run: [AdwareRemoval_tray] C:\Program Files\EAdwareRemoval\tray.exe
O23 - Service: System Guard(AdwareRemoval) (AdwareRemovalSysGuardService) - Unknown owner - C:\Program Files\EAdwareRemoval\SysGuard.exe (file missing)

Close all browsers/windows, click fix. Close HJT.


Click start button, click run

type cmd into the box and hit Enter

type sc stop AdwareRemovalSysGuardService   hit enter
type sc delete AdwareRemovalSysGuardService   hit enter

In windows explorer see if this folder is present, if it is delete and empty the recyle bin

C:\Program Files\EAdwareRemoval



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\Documents and Settings\user\spydb.dat

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.



When you are done please run cleanup

[honeyk]

Honeyk

[oldman]

Everything back to normal now?

[honeyk]

Seems to be back to normal.Thanks again, "Happy New Year 2008!!"
Honeyk

[oldman]

Happy New Year to you too.

We have to find time to finish what we started. Right now I've got some bugs that just won't go away. (not mine) As soon as that's done we will get back to yours.

A little party pic for you. scroll down

[oldman]

Let's remove CA, then see where we are as far as disk space goes.

First make a new system restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

Now back up your registry with ERUNT

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Qurb]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cavrid"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QOELOADER"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eTrust Suite Personal]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VETWIN32Vp5]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VETEBOOT]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VETEFILE]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VETFDDNT]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VET-REC]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VET-FILT]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VETMONNT]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VETMSGNT]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ppctl]

[-HKEY_CLASSES_ROOT\ppctl]

[-HKEY_CLASSES_ROOT\Installer\Products\F8E0B90689E0FB64589F17321D20D248]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITMRTSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PPCtlPriv]

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS make sure it is set in the top box to save to DESKTOP and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

 Use OTMOVEIT to remove these

c:\WINDOWS\SYSTEM32\isafeif.dll
c:\WINDOWS\SYSTEM32\isafprod.dll
c:\WINDOWS\SYSTEM32\vetredir.dll
c:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
c:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
c:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
c:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
c:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
c:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
C:\DOCUMENTS and SETTINGS\ALL USERS\START MENU\PROGRAMS\CA
C:\DOCUMENTS and SETTINGS\ALL USERS\Application Data\CA
C:\Program Files\CA
C:\Program Files\Common Files\Scanner
C:\Program Files\Computer Associates


manually search for these files. Set the search to C:\  You can either delet them if you are sure, or you can type and post the exact file paths and we can use OTMOVEIT.

ppctl.dll
ppdoupdater.exe
pestpatrol5.ini
pestpatrol5.exe
lfinfo.dat
langv5.dat
ppfile.exe
ppinfo.dat
ppsrindex.dat
ppv5updater.exe
ppv5log.txt



Let me know how it goes. Do the steps in order and you should have no problems. 

I'd like to see the OTMOVEIT results.

Also do this, after you are finish the above open mycomputer and right click on the C:\ drive, click properties and tell me how much free space is on the C:\

[honeyk]

File/Folder c:\WINDOWS\SYSTEM32\isafeif.dll not found.
File/Folder c:\WINDOWS\SYSTEM32\isafprod.dll not found.
File/Folder c:\WINDOWS\SYSTEM32\vetredir.dll not found.
File/Folder c:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys not found.
File/Folder c:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys not found.
File/Folder c:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys not found.
File/Folder c:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys not found.
File/Folder c:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys not found.
File/Folder c:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys not found.
File/Folder C:\DOCUMENTS and SETTINGS\ALL USERS\START MENU\PROGRAMS\CA not found.
File/Folder C:\DOCUMENTS and SETTINGS\ALL USERS\Application Data\CA not found.
File/Folder C:\Program Files\CA not found.
File/Folder C:\Program Files\Common Files\Scanner not found.
File/Folder C:\Program Files\Computer Associates not found.
 
Created on 01/06/2008 03:00:26

The free space was 13.5GB after following all your instructions.Thanks again Oldman. Honeyk

[oldman]

Good. Now defrag your computer.

Disconnect froom the internet first.
 click start button, all programs, accessories, system tools, click on the disk defragmenter.

  Set it to c:\ drive and you should pause avast first.