aghoffmann

Posts posted by aghoffmann

  1. Hi Matt,

    I followed your instructions as best as I could; however, I ran into a couple of problems:

    • VundoFix ran fine, but it didn’t find any infected files (file posted below)

    • Ewido locked up several times during the install. However, I had already installed and run the program before I contacted Besttechie. At some point an ewido error was generated. I have posted that ewido.err file below also.

    • I tried running the ewido program that I already had installed in Safe Mode; however, I never got a “desktop” in Safe Mode. All I got was a black screen with the words “Safe Mode” showing in all 4 corners of my screen.

    • Upon rebooting after safe mode I got a couple errors, one for Trojan.awax and one for ewido. I did a screen capture and have posted that jpg too.

    I currently have CounterSpy, a-squared, spy-bot and Norton Anti-virus installed on the machine. Could these be interfering?

    Thanks,

    Andy

    _________________________________________

    VundoFix.txt

    VundoFix V5.1.3

    Running as SYSTEM

    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.2

    Scan started at 8:55:30 PM 7/13/2006

    Listing files found while scanning....

    No infected files were found.

    Beginning removal...

    _____________________________

    Ewido.err

    ______________________________________

    New Hijack This log

    Logfile of HijackThis v1.99.1

    Scan saved at 5:18:45 PM, on 7/14/2006

    Platform: Windows XP SP1 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\WINDOWS\system32\crypserv.exe

    C:\Program Files\ewido anti-spyware 4.0\guard.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    C:\WINDOWS\System32\nvsvc32.exe

    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    C:\WINDOWS\System32\tcpsvcs.exe

    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

    C:\Program Files\Canon\MultiPASS4\monitr32.exe

    C:\WINDOWS\System32\wuauclt.exe

    C:\WINDOWS\System32\fxredir.exe

    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

    C:\WINDOWS\MXOALDR.EXE

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

    C:\WINDOWS\System32\ctfmon.exe

    C:\Program Files\MemTurbo\MemTurbo.exe

    C:\WINDOWS\System32\dumprep.exe

    C:\WINDOWS\explorer.exe

    C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

    O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

    O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

    O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

    O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    ______________________________________

    Screen capture of error

    bootuperror.jpg

  2. Hi xxkbxx,

    I looked through the "Startup" tab in the System Configuration Utility (aka MSconfig?). I saw several familiar looking files and a couple that I think I could do without; however, there were a bunch that I didn't recognize. I don't have any experience using MSconfig so I don't know how to determine what the unfamiliar files may be doing, or what the ramification of "disabling" files may be.

    The same inexperience applies to the other tabs in the System Configuration Utility window. (General, SYSTEM.INI, WIN.INI, BOOT.INI and Services). These look like things that I shouldn't play around with.

    Thanks,

    Andy

  3. Hi Matt,

    WHEW! I finally got the SP 1a update completed. Some observations on the process that may be of interest. It took over 42 hours to complete the process… I guess that indicates the severity of my infection. Also, I initially tried downloading the update using IE 6.0 and was severely harassed by “WinAntiVirusPro”… I gave up on using IE and opened the site in a FireFox browser and didn’t get any harassment. After the installation and reboot I got the Norton’s Antivirus pop-up again saying it found Trojan.Awax but was unable to fix it. I also got a notice saying “something bad happened…” and generated an ewido.err file.

    I had planned to apply the XP SP2 update after I got things cleaned up, but now I understand why the update needed to be applied first. I’m curious why you recommended applying SP1a and not SP2?

    Thanks,

    Andy

    Here’s the latest log:

    Logfile of HijackThis v1.99.1

    Scan saved at 7:10:15 PM, on 7/13/2006

    Platform: Windows XP SP1 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\WINDOWS\system32\crypserv.exe

    C:\Program Files\ewido anti-spyware 4.0\guard.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    C:\WINDOWS\System32\nvsvc32.exe

    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    C:\WINDOWS\System32\tcpsvcs.exe

    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

    C:\Program Files\Canon\MultiPASS4\monitr32.exe

    C:\WINDOWS\System32\fxredir.exe

    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

    C:\WINDOWS\MXOALDR.EXE

    C:\WINDOWS\System32\wuauclt.exe

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

    C:\Program Files\ewido anti-spyware 4.0\ewido.exe

    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

    C:\WINDOWS\System32\ctfmon.exe

    C:\Program Files\MemTurbo\MemTurbo.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

    O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

    O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

    O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

    O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  4. More information needed:

    Is your computer proprietary (Dell, HP/Compaq or etc.)?

    • No, it’s not proprietary, it’s a “home built”

    o Asus P4P800-E Deluxe Socket 478 Mother Board with 8-channel Audio, AGP 8x, USB 2.0, Firewire, 10/100/1000 Gigabit LAN, WiFi, WOL, WOR and Hyperthreading Technology support

    o Intel Pentium 4 / 3.0 GHz / 512K Cache / 800Mhz FSB / Socket478/ Hyperthreading / Processor

    o Sapphire Radeon 9600se Video Card / 128 MB DDR / AGP 8x / TV Out & DVI

    o 2, Ultra 512MB PC3200 DDR 400MHz Memory (1024 MB total)

    o Maxtor 120GB / 7200 / 8MB / 9.3 / ATA-150 Serial ATA Hard drive

    o Toshiba SDR1112 DVD Burner

    o MSI 16x DVD-ROM Drive

    o Mitsumi Internal USB 2.0 Floppy, 7-1 Card Reader

    Is XP the original OS installed or was it upgraded to XP?

    • Yes XP is the original OS. I purchased the Microsoft Windows XP Pro Edition OEM Version with the above hardware.

    What are your system hardware specs?

    • See above… does that cover it?

    What non-Windows programs are you running?

    • To my knowledge there are no “non-Windows” programs, however the kids may have loaded some games that aren’t Windows. Is there a way to determine if there are some non-Windows programs?

    Thanks for looking into this. This isn’t really a big deal, it doesn’t seem to be affecting my system performance, and I haven’t noticed any hardware or software that aren’t working… it’s just an annoyance to have to deal with it every time I boot up, and it makes me wonder what it is that “application that will not run on this Operating System…”

    BTW… I am an organ donor….

  5. Ever since installing the XP SP2 I get a pop-up warning message every time I boot up. In the blue banner at the top it says "Stop Device". The text of the message is "This application will not run in this Operating System", then it has an "OK" button. Any ideas?

    See attached image:

    stopdeviceerror.jpg

    Thanks!


  6. I have been having lots of problems with the "Sys-protect", "Winantivirous" family of trojans on another computer. It has rendered the computer basically worthless. The system runs EXTREMELY slow; if I click on an icon it may take several minutes to get a response. I continually get a Norton antivirus pop-up saying it found the Trojan.awax but was unable to fix it. The problem appears to be related to the tuspp.dll and opppp.dll files and winlogon.exe dragging down the performance. I've tried several "anti-spy, anti-malware" type programs which seemed to find and fix lots of problems, but none resolved my primary problem. Nothing seems to be able to remove the dll files listed above.

    I found the following article in your forums regarding fixes recommended from a HijackThis log. It addresses the tuspp.dll, but not the opppp.dll. Can I follow the recommendation in that posting or would the fix be specific to my system?

    http://www.besttechie.net/forums/index.php...tuspp\.dll

    Thanks!

    Here is the HijackThis log:

    Logfile of HijackThis v1.99.1

    Scan saved at 1:26:18 PM, on 7/10/2006

    Platform: Windows XP (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\WINDOWS\system32\crypserv.exe

    C:\Program Files\ewido anti-spyware 4.0\guard.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    C:\WINDOWS\System32\nvsvc32.exe

    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    C:\Program Files\Canon\MultiPASS4\monitr32.exe

    C:\WINDOWS\System32\tcpsvcs.exe

    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\WINDOWS\System32\fxredir.exe

    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

    C:\WINDOWS\MXOALDR.EXE

    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

    C:\Program Files\ewido anti-spyware 4.0\ewido.exe

    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

    C:\WINDOWS\System32\ctfmon.exe

    C:\Program Files\MemTurbo\MemTurbo.exe

    C:\WINDOWS\System32\wuauclt.exe

    C:\WINDOWS\explorer.exe

    C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

    O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

    O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

    O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

    O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
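The pattern in the log above, where the same two DLLs are registered both as browser helper objects (O2) and as Winlogon Notify packages (O20, loaded by winlogon.exe), can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original post: the function names are hypothetical, the sample lines are a subset copied from the log above, and the O2/O20 overlap is a triage heuristic rather than a verdict.

```python
import ntpath
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A log entry starts with a section code such as O2, O20 or R1.
ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.+?)\s*$")


def parse_entries(log):
    """Yield (section, lower-cased target path) for each 'Xn - ... - path' line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        section, rest = m.groups()
        if " - " not in rest:
            continue  # R-lines and O4 Run keys carry no ' - path' field
        target = rest.rsplit(" - ", 1)[1]
        target = target.replace("(file missing)", "").strip().strip('"')
        # Windows paths are case-insensitive: System32 and SYSTEM32 are the same.
        yield section, target.lower()


def shared_autoloads(log, sections=("O2", "O20")):
    """Return {file name: [paths]} for modules registered in every given section."""
    seen = defaultdict(set)
    paths = defaultdict(set)
    for section, path in parse_entries(log):
        if section in sections:
            name = ntpath.basename(path)
            seen[name].add(section)
            paths[name].add(path)
    return {n: sorted(paths[n]) for n in sorted(seen) if seen[n] == set(sections)}


if __name__ == "__main__":
    for name, where in shared_autoloads(SAMPLE_LOG).items():
        print(f"{name}: registered as both BHO and Winlogon Notify -> {where}")
```

A module that winlogon.exe loads as a notification package stays mapped for the whole session, which is consistent with the DLLs above resisting deletion from a running system.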