aghoffmann Posted July 10, 2006

I have been having lots of problems with the "Sys-protect", "WinAntiVirus" family of trojans on another computer. It has rendered the computer basically worthless. The system runs EXTREMELY slow; if I click on an icon it may take several minutes to get a response. I continually get a Norton AntiVirus pop-up saying it found the Trojan.awax but was unable to fix it. The problem appears to be related to the tuspp.dll and opppp.dll files and winlogon.exe dragging down the performance. I've tried several "anti-spy, anti-malware" type programs which seemed to find and fix lots of problems, but none resolved my primary problem. Nothing seems to be able to remove the DLL files listed above.

I found the following article in your forums regarding fixes recommended from a HijackThis log. It addresses the tuspp.dll, but not the opppp.dll. Can I follow the recommendation in that posting or would the fix be specific to my system?

http://www.besttechie.net/forums/index.php...tuspp\.dll

Thanks!

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:26:18 PM, on 7/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
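The two DLLs the poster cannot delete appear twice in the log above: as O2 browser helper objects and as O20 Winlogon Notify packages, which winlogon.exe maps at logon and keeps locked for as long as Windows is running, which is why ordinary deletion fails and why the thread's fixes run from Safe Mode or a boot-time cleaner. As an added example that is not part of the thread, the Python script below parses HijackThis entries and flags that pairing; the sample lines are copied from the log above, and the default Winlogon Notify allowlist is my own assumption, not HijackThis's list.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# with the benign Adobe, Spybot and Crypkey lines kept so the triage has to tell
# them apart from the two DLLs the poster could not remove.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:26:18 PM, on 7/10/2006
Platform: Windows XP (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
"""

# One HijackThis entry: section tag (R1, O2, O20, ...), " - ", free-form body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Winlogon notification packages present on a stock Windows XP install. This
# allowlist is my assumption, not HijackThis's own list; baseline it per image.
DEFAULT_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_entries(text):
    """Yield (section, body) for every tagged HijackThis line; skip headers and processes."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def basename(path):
    """Lower-cased file name, so System32 and SYSTEM32 spellings compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return (severity, message) findings for a HijackThis log, highest severity first."""
    bhos = {}     # dll basename -> (display name, clsid, path)
    notify = {}   # dll basename -> (registry key name, path)
    findings = []
    for section, body in parse_entries(text):
        if section == "O2":
            m = BHO_RE.match(body)
            if m:
                bhos[basename(m.group("path"))] = (m.group("name"), m.group("clsid"), m.group("path"))
        elif section == "O20":
            m = NOTIFY_RE.match(body)
            if m:
                notify[basename(m.group("path"))] = (m.group("key"), m.group("path"))
        elif section in ("R0", "R1"):
            # Search/start-page hijacks: any R entry pointing at a remote URL is worth a look.
            key, _, value = body.partition(" = ")
            if value.lower().startswith(("http://", "https://")):
                findings.append(("LOW", f"browser setting {key} points at {value}"))

    # The pairing seen in this thread: one DLL registered both as an IE helper
    # object and as a Winlogon notification package. winlogon.exe maps the DLL at
    # logon and cannot be terminated, so the file stays locked while Windows runs;
    # removal has to happen from Safe Mode or a boot-time cleaner.
    for dll in sorted(set(bhos) & set(notify)):
        findings.append(("HIGH", f"{dll}: loaded by both Internet Explorer (O2 BHO "
                                 f"'{bhos[dll][0]}') and winlogon.exe (O20 key '{notify[dll][0]}')"))
    for dll, (key, path) in sorted(notify.items()):
        if key.lower() not in DEFAULT_NOTIFY_KEYS and dll not in bhos:
            findings.append(("MEDIUM", f"{dll}: non-default Winlogon Notify key '{key}' -> {path}"))
    for dll, (name, clsid, path) in sorted(bhos.items()):
        # Nameless BHOs are only a hint: Spybot's SDHelper.dll also shows as (no name).
        if name == "(no name)" and dll not in notify:
            findings.append(("LOW", f"{dll}: BHO without a display name {{{clsid}}} -> {path}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```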
garmanma Posted July 10, 2006

After just having mine repaired, I strongly suggest you wait until one of the techs replies. Someone will soon enough. It's a great help to have the experts look at the log and get a second opinion before you delete a bunch of stuff in the HJT log.

Mark
Matt Posted July 12, 2006

Hi,

We can definitely help you, but first you need to apply Windows XP Service Pack 1a. Without this update, you're wide open to re-infection, which defeats the purpose of getting you clean. So download the Service Pack from the link below, so we don't waste time getting you clean just to become re-infected. Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Apply the update, reboot, and post a fresh HijackThis log.
aghoffmann Posted July 14, 2006

Hi Matt,

WHEW! I finally got the SP 1a update completed. Some observations on the process that may be of interest. It took over 42 hours to complete the process… I guess that indicates the severity of my infection. Also, I initially tried downloading the update using IE 6.0 and was severely harassed by “WinAntiVirusPro”… I gave up on using IE and opened the site in a Firefox browser and didn’t get any harassment. After the installation and reboot I got the Norton AntiVirus pop-up again saying it found Trojan.Awax but was unable to fix it. I also got a notice saying “something bad happened…” and it generated an ewido.err file.

I had planned to apply the XP SP2 update after I got things cleaned up, but now I understand why the update needed to be applied first. I’m curious why you recommended applying SP1a and not SP2?

Thanks, Andy

Here’s the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 7:10:15 PM, on 7/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Matt Posted July 14, 2006

I’m curious why you recommended applying SP1a and not SP2?
aghoffmann Posted July 15, 2006 Author Report Share Posted July 15, 2006 Hi Matt,I followed your instructions as best as I could, however I ran in to a couple of problems:• VundoFix ran fine, but it didn’t find any infected files (file posted below)• Ewido locked up several time during the install. However I had already installed and ran the program before I contacted Besttechie. At some point an ewido error was generated. I have posted that ewido.err file below also.• I tried running the ewido program that I already had installed in SafeMode, however I never got a “desktop†in Safe mode. All I got was a black screen with the words “Safe Mode†showing in all 4 corners of my screen.• Upon rebooting after safe mode I got a couple errors, one for Trojan.awax and one for ewido. I did a screen capture and have posted that jpg too.I currently have “CounterSpy, a-squared, spy-bot and Norton Anti-virus installed on the machine. Could these be interferingThanks, Andy_________________________________________VundoFix.txtVundoFix V5.1.3Running as SYSTEMfrom c:\windows\system32\VundoFix.exeChecking Java version...Java version is 1.4.2.2Scan started at 8:55:30 PM 7/13/2006Listing files found while scanning....No infected files were found.Beginning removal..._____________________________Ewido.err//==<ewido anti-spyware 4.0>===================================Exception code: C0000005 ACCESS_VIOLATIONFault address: 00000001 <pages range base not found>Exception Date: 07/09/2006 17:04:59File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmpRegisters:EAX:00000001EBX:00000000ECX:00000000EDX:77FC49C0ESI:00432B17EDI:00FD6730CS:EIP:001B:00000001SS:ESP:0023:052AFE98 EBP:052AFEE4DS:0023 ES:0023 FS:0038 GS:0000Flags:00010202Intel specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module00000001 052AFEE4 00432B17 00FD6730 00000001 00000000 <pages range base not 
found>77F8777E 052AFF48 77F87766 00185540 00000000 00000000 0001:0003677E C:\WINDOWS\System32\ntdll.dll77F956E5 052AFFB4 00000000 00000000 00000000 00000000 0001:000446E5 C:\WINDOWS\System32\ntdll.dll77E765DA 052AFFEC <frame 052AFFEC not readable>ImageHelp specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address00000001 052AFE94 77F95FC9 00FD6730 00000001 00185540 <pages range base not found>00432B42 052AFEE4 00432B17 00FD6730 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F8777E 052AFF48 77F87766 00185540 00000000 00000000 RtlDebugPrintTimes+1A77F956E5 052AFFB4 00000000 00000000 00000000 00000000 RtlSetIoCompletionCallback+AF77E765DA 052AFFEC 77F950AE 00000000 00000000 6D52C1A0 lstrcmpiW+98Loaded Modules:Base Size Module00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F50000 0A6000 5.01.2600.0114 C:\WINDOWS\System32\ntdll.dll77E60000 0E0000 5.01.2600.0153 C:\WINDOWS\system32\kernel32.dll76BF0000 00B000 //==<ewido anti-spyware 4.0>===================================Exception code: C0000005 ACCESS_VIOLATIONFault address: 00000020 <pages range base not found>Exception Date: 07/09/2006 19:26:15File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmpRegisters:EAX:00000020EBX:00000000ECX:00000000EDX:77FC49C0ESI:00432B17EDI:00FD1AB0CS:EIP:001B:00000020SS:ESP:0023:03EBFE98 EBP:03EBFEE4DS:0023 ES:0023 FS:0038 GS:0000Flags:00010202Intel specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module00000020 03EBFEE4 00432B17 00FD1AB0 00000001 00000000 <pages range base not found>77F8777E 03EBFF48 77F87766 00186470 00000000 00000000 0001:0003677E C:\WINDOWS\System32\ntdll.dll77F956E5 03EBFFB4 00000000 00000000 00000000 00000000 0001:000446E5 C:\WINDOWS\System32\ntdll.dll77E765DA 03EBFFEC 77F950AE 00000000 00000000 00000000 0001:000155DA 
C:\WINDOWS\system32\kernel32.dllImageHelp specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address00000020 03EBFE94 77F95FC9 00FD1AB0 00000001 00186470 <pages range base not found>00432B42 03EBFEE4 00432B17 00FD1AB0 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F8777E 03EBFF48 77F87766 00186470 00000000 00000000 RtlDebugPrintTimes+1A77F956E5 03EBFFB4 00000000 00000000 00000000 00000000 RtlSetIoCompletionCallback+AF77E765DA 03EBFFEC 77F950AE 00000000 00000000 00000000 lstrcmpiW+98Loaded Modules:Base Size Module00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F50000 0A6000 5.01.2600.0114 C:\WINDOWS\System32\ntdll.dll77E60000 0E0000 5.01.2600.0153 C:\WINDOWS\system32\kernel32.dll76BF0000 00B000 //==<ewido anti-spyware 4.0>===================================Exception code: C0000005 ACCESS_VIOLATIONFault address: 00000001 <pages range base not found>Exception Date: 07/10/2006 11:14:49File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmpRegisters:EAX:00000001EBX:00000000ECX:00000000EDX:77FC49C0ESI:00432B17EDI:00FD6B40CS:EIP:001B:00000001SS:ESP:0023:05CAFE98 EBP:05CAFEE4DS:0023 ES:0023 FS:0038 GS:0000Flags:00010202Intel specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module00000001 05CAFEE4 00432B17 00FD6B40 00000001 00000000 <pages range base not found>77F8777E 05CAFF48 77F87766 00187180 00000000 00000000 0001:0003677E C:\WINDOWS\System32\ntdll.dll77F956E5 05CAFFB4 00000000 00000000 00000000 00000000 0001:000446E5 C:\WINDOWS\System32\ntdll.dll77E765DA 05CAFFEC <frame 05CAFFEC not readable>ImageHelp specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address00000001 05CAFE94 77F95FC9 00FD6B40 00000001 00187180 <pages range base not found>00432B42 05CAFEE4 00432B17 00FD6B40 00000001 00000000 
0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F8777E 05CAFF48 77F87766 00187180 00000000 00000000 RtlDebugPrintTimes+1A77F956E5 05CAFFB4 00000000 00000000 00000000 00000000 RtlSetIoCompletionCallback+AF77E765DA 05CAFFEC 77F950AE 00000000 00000000 6D52C1A0 lstrcmpiW+98Loaded Modules:Base Size Module00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F50000 0A6000 5.01.2600.0114 C:\WINDOWS\System32\ntdll.dll77E60000 0E0000 5.01.2600.0153 C:\WINDOWS\system32\kernel32.dll76BF0000 00B000 5.01.2600.0000 C:\WINDOWS\System32\PSAPI.DLL10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll70BD0000 065000 6.00.2800.1106 C:\WINDOWS\system32\SHLWAPI.dll77C10000 053000 7.00.2600.0000 C:\WINDOWS\system32\msvcrt.dll77C70000 03E000 5.01.2600.0151 C:\WINDOWS\system32\GDI32.dll77D40000 086000 5.01.2600.0152 C:\WINDOWS\system32\USER32.dll77DD0000 08B000 5.01.2600.0000 C:\WINDOWS\system32\ADVAPI32.dll78000000 06F000 5.01.2600.0135 C:\WINDOWS\system32\RPCRT4.dll71AB0000 015000 5.01.2600.0000 C:\WINDOWS\System32\WS2_32.dll71AA0000 008000 5.01.2600.0000 C:\WINDOWS\System32\WS2HELP.dll76B40000 02C000 5.01.2600.0000 C:\WINDOWS\System32\WINMM.dll773D0000 7EE000 6.00.2600.0115 C:\WINDOWS\system32\SHELL32.dll76380000 005000 5.01.2600.0000 C:\WINDOWS\System32\MSIMG32.dll763B0000 045000 6.00.2600.0000 C:\WINDOWS\system32\comdlg32.dll71950000 0E4000 6.00.2600.0000 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.dll771B0000 113000 5.01.2600.0136 C:\WINDOWS\system32\ole32.dll71AD0000 008000 5.01.2600.0000 C:\WINDOWS\System32\WSOCK32.dll76D60000 015000 5.01.2600.0002 C:\WINDOWS\System32\iphlpapi.dll76DE0000 026000 5.01.2600.0000 C:\WINDOWS\System32\netman.dll76D40000 016000 5.01.2600.0000 C:\WINDOWS\System32\MPRAPI.dll76E40000 02F000 5.01.2600.0000 C:\WINDOWS\System32\ACTIVEDS.dll76E10000 024000 //==<ewido anti-spyware 4.0>===================================Exception 
code: C0000005 ACCESS_VIOLATIONFault address: 00000020 <pages range base not found>Exception Date: 07/13/2006 18:22:36File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmpRegisters:EAX:00000020EBX:00000000ECX:00000000EDX:77FC59C0ESI:00432B17EDI:00F46BB8CS:EIP:001B:00000020SS:ESP:0023:03DCFE98 EBP:03DCFEE4DS:0023 ES:0023 FS:0038 GS:0000Flags:00010202Intel specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module00000020 03DCFEE4 00432B17 00F46BB8 00000001 00000000 <pages range base not found>77F87FD4 03DCFF48 77F87FBC 00180CD8 00000000 00000000 0001:00036FD4 C:\WINDOWS\System32\ntdll.dll77F9613D 03DCFFB4 00000000 77FA88F0 04227630 00000000 0001:0004513D C:\WINDOWS\System32\ntdll.dll77E7D28E 03DCFFEC 77F95B06 00000000 00000000 00000000 0001:0001C28E C:\WINDOWS\system32\kernel32.dllImageHelp specific methodCall stack:Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address00000020 03DCFE94 77F96A21 00F46BB8 00000001 00180CD8 <pages range base not found>00432B42 03DCFEE4 00432B17 00F46BB8 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F87FD4 03DCFF48 77F87FBC 00180CD8 00000000 00000000 RtlDebugPrintTimes+1A77F9613D 03DCFFB4 00000000 77FA88F0 04227630 00000000 RtlSetIoCompletionCallback+AF77E7D28E 03DCFFEC 77F95B06 00000000 00000000 00000000 RegisterWaitForInputIdle+43Loaded Modules:Base Size Module00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe77F50000 0A7000 5.01.2600.1217 C:\WINDOWS\System32\ntdll.dll77E60000 0E6000 5.01.2600.1560 C:\WINDOWS\system32\kernel32.dll76BF0000 00B000 5.01.2600.1106 C:\WINDOWS\System32\PSAPI.DLL10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll70A70000 064000 6.00.2800.1106 C:\WINDOWS\system32\SHLWAPI.dll77C10000 053000 7.00.2600.1106 C:\WINDOWS\system32\msvcrt.dll7F000000 041000 5.01.2600.1561 
______________________________________

New Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 5:18:45 PM, on 7/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\WINDOWS\System32\dumprep.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

______________________________________

Screen capture of error
Matt Posted July 15, 2006

Ok - I'm not sure what the error with ewido is, but hopefully once you're clean it'll work itself out.

Please print out these directions for use if/when you cannot access this page.

Scan with HJT and place a check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

Then, make sure all browser windows and other applications are closed and click the Fix Checked button.

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop.

Please double-click Killbox.exe to run it.
* Select: Delete on Reboot then Click on the All Files button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\System32\opppp.dll
C:\WINDOWS\system32\tuspp.dll
C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
C:\WINDOWS\web\related.htm
* Return to Killbox, go to the File menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Finally, post back with a new HJT log, and the Panda Report.

Matt
aghoffmann Posted July 16, 2006

Hi Matt,

That was sure a fast turn around at your end. Thanks. Things are much slower at my end still. Seems like after the ATF scan things really slowed down. Here are my observations and notes:

• The HJT "Fix" went smoothly. After the fix I got 8 "CounterSpy" notices saying that something was fooling around with IE. I allowed it.
• Killbox went well too, and yes I did get the message "Pending File Rename Operations…Registry Data has been Removed by External Process".
• I had to restart it manually afterwards.
• I initially tried downloading ATF with an IE browser, but it opened with a blank screen with the title "about:blank", and seemed to freeze, so I downloaded using FireFox.
• ATF seemed to run fine.
• Based on the above experience I initially tried running Panda ActiveScan from a FireFox browser, but I got a notice that it only worked using IE 5 or later.
• I opened an IE browser and got the "about:blank" page again. I then pasted in the link and eventually got to the Panda page. I was unmercifully harassed by the WinAntiVirus and SysProtect pop-ups. Things started really slowing down at this point.
• After the Panda scan I opened My Documents to get to where I could run HJT and things seemed to lock up. I tried a couple of times, eventually needing to hit the reset button because nothing responded.
What seemed to work after restarting a second time was disconnecting the network cable so I wasn't connected to the Internet.
• After that I was able to run HJT.

Below are the Panda and HJT logs.

Thanks, Andy

________________________________

Latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 4:10:07 PM, on 7/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

_________________________________________

Panda Report

Incident Status Location
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Program Files\SysProtect Free\FRec.dll
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USYP_0001_N85M2606NetInstaller.exe
Adware:adware/dyfuca Not disinfected c:\windows\STWSI
Potentially unwanted tool:application/winantivirus2006 Not disinfected c:\documents and settings\all users\application data\WinAntiVirus Pro 2006
Adware:adware/limeshop Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/sysprotect Not disinfected hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Andy\Cookies\andy@zedo[1].txt
Virus:W32/Disemboweler Disinfected Personal Folders\Inbox\***11317130 ***1302015032649\ACTMOVIE.EXE
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\62331321-A76D-4731-9E16-1A3063
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\65EEAF63-7639-4A65-8F0C-A1C5B6
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\58D00DD5-F1D5-4FD4-8C71-24DCE6
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\718AE7B9-3150-4FB9-A4BA-FB9294
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\01GPI3O5\QDow_AS2[1].cab
Matt Posted July 16, 2006

Alright, we're going to try something else.

Please disable CounterSpy, as it may hinder the fixing of some HijackThis entries. You can re-enable it after you're clean.

To disable CounterSpy:
Right Click on the CounterSpy Icon located in your system tray.
With your mouse, hover over Active Protection Status (This should be enabled)
A menu will slide out, then right click on Disable Active Protection
Once your log is clean please re-enable CounterSpy.

Please scan with HJT and place a check next to the following items:

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Enable show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Find and delete the following files:
C:\WINDOWS\System32\opppp.dll
C:\WINDOWS\SYSTEM32\tuspp.dll

Find and delete the following folders:
c:\windows\STWSI\
c:\documents and settings\all users\application data\WinAntiVirus Pro 2006\

Reboot your computer normally.

Please double-click Killbox.exe to run it.
* Select: Delete on Reboot then Click on the All Files button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\SysProtect Free\FRec.dll
c:\windows\downloaded program files\USYP_0001_N85M2606NetInstaller.exe
* Return to Killbox, go to the File menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Run another panda scan and save the report.

Post back with a new HJT log, and the new panda report.

Matt
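As an added example for the two Fix Checked lists above (my own code, not HijackThis's and not part of Matt's instructions), a small Python triage script for logs of this format: it parses the section-tagged entries, lists the O20 Winlogon Notify packages, and reports any DLL registered both as an O2 BHO and as an O20 Winlogon Notify package, which is the pattern opppp.dll and tuspp.dll show in the logs. The regexes are my assumptions about the HJT v1.99 line layout, and the sample log is constructed from entries quoted in this thread.

```python
"""Triage helper for HijackThis v1.99-style logs (added example; not
HijackThis code). Groups entries by section tag, lists Winlogon Notify
packages (O20) and correlates them with BHO registrations (O2)."""
import re
from collections import defaultdict

# Assumed line layout: every entry starts with a tag such as "R1 - ", "O2 - ", "O20 - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# A Windows module path: drive letter, backslash, shortest run ending in .dll/.exe/.ocx
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)", re.IGNORECASE)

# Constructed sample assembled from entries quoted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:18:45 PM, on 7/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""


def parse_hjt(text):
    """Return (section, body) tuples for the entry lines of a log; header
    lines and the 'Running processes' block carry no tag and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def by_section(entries):
    """Group entry bodies under their section tag."""
    groups = defaultdict(list)
    for section, body in entries:
        groups[section].append(body)
    return dict(groups)


def module_path(body):
    """Last module path mentioned in an entry body, or None."""
    paths = PATH_RE.findall(body)
    return paths[-1] if paths else None


def winlogon_notify(entries):
    """O20 entries as (package name, DLL path). Winlogon Notify DLLs are loaded
    by winlogon.exe at boot, Safe Mode included, so such a file is 'in use'
    even when no application is running."""
    out = []
    for section, body in entries:
        if section == "O20" and body.startswith("Winlogon Notify: "):
            name, _, rest = body[len("Winlogon Notify: "):].partition(" - ")
            out.append((name, module_path(rest)))
    return out


def correlate_persistence(entries):
    """DLLs (lower-cased paths) registered both as an IE BHO (O2) and as a
    Winlogon Notify package (O20): one module with two load points."""
    bho = {module_path(b).lower() for s, b in entries if s == "O2" and module_path(b)}
    notify = {p.lower() for _, p in winlogon_notify(entries) if p}
    return sorted(bho & notify)


def suspicious_ie_settings(entries):
    """R0/R1 entries whose value is about:blank or a third-party URL: the
    hijacked start/search values that 'Fix Checked' resets."""
    hits = []
    for section, body in entries:
        if section not in ("R0", "R1"):
            continue
        key, _, value = body.partition(" = ")
        if value == "about:blank" or value.startswith("http://"):
            hits.append((key, value))
    return hits


def triage(text):
    """Run every check over one log and return the findings as a dict."""
    entries = parse_hjt(text)
    return {
        "sections": {s: len(v) for s, v in by_section(entries).items()},
        "winlogon_notify": winlogon_notify(entries),
        "bho_and_notify": correlate_persistence(entries),
        "ie_settings": suspicious_ie_settings(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```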
aghoffmann (Author) Posted July 17, 2006
Matt,
Here are the latest Panda Scan and HJT logs.
It seems like we are making progress until I open Internet Explorer, then all the nasties start hammering away. I even saw a few new ones this time: "Vertical Response" and "The Shield Pro 2006" along with the standard WinAntiVirusPro, SysProtect and Trojan.Awax. Here are my observations on this round:
• The nasty dlls, opppp and tuspp, seem impervious to all our efforts.
• I notice that the CPU usage (as viewed through Task Manager, Performance tab) is ALWAYS at 100% even when I have no applications open… winlogon.exe seems to always be running as a process… any ideas?
• I disabled CounterSpy with no problems.
• The HJT Fix went smoothly, though those darn persistent dlls, opppp and tuspp, are still there.
• I already had hidden files and folders visible. When I tried deleting the dlls in Safe Mode I got an error notice: "Cannot delete: It is being used by another program or person. Close any programs that might be using the file and try again". According to Task Manager, no "applications" were running, but lots of "processes" were going… including our nasty dlls.
• Deletion of the two folders worked.
• When I rebooted after "Safe Mode" I got several pop-ups: MPService application Error, and Ewido notice that Malware was detected, tuspp.dll (I cleaned and quarantined), Norton Antivirus finding Trojan.awax (tuspp.dll), Implementing the NT Services errors. Also CounterSpy updated its files. I subsequently deactivated CounterSpy again.
• When the Norton Antivirus window opens notifying about the Trojan.awax, I click OK to get rid of it, but it just toggles between two nearly identical windows. One saying that the file was detected, and one saying that it could not be removed. However it never closes, I have to use Task Manager to get rid of it.
• After running Killbox I did not get any messages this time and it did reboot automatically this time.
• Panda requires that IE be used which appears to make us vulnerable to all the nasties. I mentioned earlier that I get the about:blank as the IE Home. Is this because we've deleted the homepage definition?
• I had to start Panda several times. I found when I try to close the browser windows opened by the hijackers, ALL the browser windows close, so I eventually had to run Panda with the other browser windows open.
Are these observations helpful, or can you tell as much from the logs?
I sure appreciate your patience and persistence!!
Thanks
Andy
_________________________________
New Panda Report
Incident Status Location
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UWA6P_0001_N73M0604NetInstaller.exe
Adware:adware/limeshop Not disinfected Windows Registry
Potentially unwanted tool:application/winantivirus2006 Not disinfected hkey_current_user\software\WinAntiVirus Pro 2006
Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/sysprotect Not disinfected hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\!KillBox\FRec.dll
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\!KillBox\USYP_0001_N85M2606NetInstaller.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Andy\Cookies\andy@hitbox[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy\Cookies\[email protected][2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Andy\Cookies\andy@zedo[1].txt
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\62331321-A76D-4731-9E16-1A3063
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\65EEAF63-7639-4A65-8F0C-A1C5B6
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\58D00DD5-F1D5-4FD4-8C71-24DCE6
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\718AE7B9-3150-4FB9-A4BA-FB9294
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Temp\ICD1.tmp\USYP_0001_N85M2606NetInstaller.exe
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\05EN4LQN\QDow_AS2[1].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\05EN4LQN\QDow_AS2[2].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[1].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[2].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[3].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[4].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[5].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\833B64TH\QDow_AS2[1].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\833B64TH\QDow_AS2[2].cab
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\8DUZ4DEJ\QDow_AS2[1].cab
_______________________________
New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:19:11 PM, on 7/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\fxredir.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Matt Posted July 17, 2006
Are these observations helpful, or can you tell as much from the logs?
Yes! Very helpful! Alright, time to take out the big guns. We'll get it this time.
Please print out these directions for use if/when you cannot access this page.
Download CWShredder here to its own folder.
Update CWShredder:
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Now run CWShredder. Click I Agree, then Fix and then Next; let it fix everything it asks about.
Reboot your computer into normal Windows.
Please scan with HJT and place a check next to the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.
1. Please download The Avenger by Swandog46 to your Desktop.
Click on Avenger.zip to open the file.
Extract avenger.exe to your desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\System32\opppp.dll
C:\WINDOWS\system32\tuspp.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.
Matt
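The O2/O20 pairs Matt picks out of the log can be found mechanically: a DLL registered as a Winlogon Notify package is loaded into winlogon.exe at every logon (which is why the files could not be deleted in Safe Mode), and when the same DLL is also a BHO it is worth a close look. The Python below is an added example, not code from this thread or from HijackThis; it parses constructed log lines copied from the excerpts in this thread and flags those entries, plus the orphaned "(file missing)" registrations that remain after a DLL is removed.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the thread or of HijackThis itself).

It looks only at O2 (Browser Helper Object) and O20 (Winlogon Notify) entries
and flags:
  * every O20 entry, since the DLL is loaded by winlogon.exe at each logon;
  * O2 entries whose DLL is also registered as an O20 Winlogon Notify package
    (the opppp.dll / tuspp.dll pattern in this thread);
  * O2 entries with "(no name)", as a review hint only (Spybot's SDHelper.dll
    is a legitimate example of such an entry);
  * O2/O20 entries marked "(file missing)", i.e. orphaned registry values
    left behind once the DLL itself is gone and still in need of cleanup.
"""
import re
from dataclasses import dataclass

# "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# "O20 - Winlogon Notify: <registry key name> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

MISSING = "(file missing)"


@dataclass
class Finding:
    line: str     # the original log line
    file: str     # lower-cased DLL file name the line points at
    reason: str   # why it was flagged


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, ignoring a trailing marker."""
    return path.replace(MISSING, "").strip().rsplit("\\", 1)[-1].lower()


def triage(log_lines):
    """Return the list of Finding objects for suspicious O2/O20 entries."""
    bhos, notifies = [], []
    for raw in log_lines:
        line = raw.strip()
        if m := BHO_RE.match(line):
            bhos.append((line, m))
        elif m := NOTIFY_RE.match(line):
            notifies.append((line, m))

    notify_dlls = {_basename(m.group("path")) for _, m in notifies}
    findings = []

    for line, m in notifies:
        path = m.group("path")
        reason = ("orphaned Winlogon Notify value (file missing)" if MISSING in path
                  else "Winlogon Notify package: loaded by winlogon.exe at logon")
        findings.append(Finding(line, _basename(path), reason))

    for line, m in bhos:
        path, name = m.group("path"), m.group("name")
        base = _basename(path)
        if MISSING in path:
            reason = "orphaned BHO registration (file missing)"
        elif base in notify_dlls:
            reason = "BHO DLL is also a Winlogon Notify package"
        elif name == "(no name)":
            reason = "BHO with no name (review hint only)"
        else:
            continue
        findings.append(Finding(line, base, reason))
    return findings


# Constructed sample: the O2/O20 entries from the 7/16/2006 log in the thread.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
""".strip().splitlines()

# Constructed sample: the same entries after the DLL was deleted, leaving
# orphaned registrations (as in the thread's 7/17/2006 log).
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll (file missing)
O20 - Winlogon Notify: tuspp - tuspp.dll (file missing)
""".strip().splitlines()


if __name__ == "__main__":
    for label, log in (("before cleanup", BEFORE_LOG), ("after cleanup", AFTER_LOG)):
        print(f"== {label} ==")
        for f in triage(log):
            print(f"  [{f.file}] {f.reason}\n      {f.line}")
```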
aghoffmann (Author) Posted July 18, 2006
Matt,
YAHOO!! We're making progress now!
Observations:
• CWShredder opened fine and the update said we were running the most current version.
• Had trouble opening in Safe Mode. At one point something about a file ccapp.? flashed by, any ideas?
• Never got a "real" Safe Mode screen, just a black screen with "Safe Mode" written in each corner. I finally ran CWShredder as a "New Application" from Task Manager which did come up in the black Safe Mode screen…
• CWShredder found no problems, so I didn't have anything to agree with.
• I ran HJT to check the appropriate items, however the two references to the opppp.dll were not listed. Hmmm, something must have worked!!!
• Avenger ran smoothly and after it ran things REALLY sped up!
Post cleaning observations
• The CPU is no longer maxed at 100%, however it does spike a lot going from 1-3% jumping to 50 to 70%, every couple of seconds with no applications running… Is there still some nasty there?
• I noticed that winlogon.exe is still an active process, but it is not dominating the CPU usage… we must have the real thing back. The process that seems to be spiking the CPU performance is the SunProtectionServer.exe… is that part of CounterSpy? Should it take so much resources?
• I tried running in Safe Mode after this round and it booted up into Safe Mode fine.
• Rebooted in Normal Mode and for the first time in a long time I didn't get any pop-ups blasting me!
• I was going to open an Internet Explorer browser and see if I got attacked, but I thought I should probably wait till you had a chance to check over the logs before I opened that door again.
What's next?
• I've had Norton AV running for years, I've used SpyBot and a-squared, for a long time too. Recently when things started getting REALLY bad I discovered and added AdAware, CounterSpy and Ewido. Are these overkill? Do they work well together? Anything else I should have on board?
• Should I delete the backup.zip in the C:\avenger\ subdirectory?
• Should I enable CounterSpy?
• Are we ready to install SP2? Windows "Automatic Updates" keeps telling me I have 2 updates to install… one of which I know is SP2.
Here are the files from this round:
THANKS!
Andy
____________________________________
Avenger.txt:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fegtbywq
*******************
Script file located at: \??\C:\WINDOWS\mwfiktxg.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\System32\opppp.dll not found!
Deletion of file C:\WINDOWS\System32\opppp.dll failed!
Could not process line:
C:\WINDOWS\System32\opppp.dll
Status: 0xc0000034
File C:\WINDOWS\system32\tuspp.dll deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
__________________________________________
HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 10:04:09 PM, on 7/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tuspp - tuspp.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Matt Posted July 18, 2006
Alright! Just some tidying up to do now! Please scan with HJT and place a check next to the following items:
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll (file missing)
O20 - Winlogon Notify: tuspp - tuspp.dll (file missing)
Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.
The process that seems to be spiking the CPU performance is the SunProtectionServer.exe… is that part of CounterSpy?
Yes it is.
I've had Norton AV running for years, I've used SpyBot and a-squared, for a long time too. Recently when things started getting REALLY bad I discovered and added AdAware, CounterSpy and Ewido. Are these overkill? Do they work well together? Anything else I should have on board?
While Norton isn't the greatest security software, it is better than nothing. No, what you have is not overkill. Once I am sure you are completely clean, I will post some software I like to suggest to people to help them stay malware-free.
Should I delete the backup.zip in the C:\avenger\ subdirectory?
If you wish. It's dormant and the files within it are not active. And as things seem to be fine, it doesn't look like we'll need those backups. However I must point out one thing. If you notice, things were not working until we used Avenger. This is because Avenger is one of the most powerful applications in the anti-malware community. That is why I was hesitant to use it with you. Because it is so powerful, if misused, it can destroy your system. I would recommend that you remove it from your computer to prevent any accidental misuse.
Should I enable CounterSpy?
Not yet.
Are we ready to install SP2?
Not yet.
Try running Ewido now, in normal mode. Then, post back the Ewido Report and a new HJT log.
Matt
aghoffmann (Author) Posted July 19, 2006 (edited)
Hi Matt,
We're still chipping away!!
A few observations
• At your suggestion I went to remove Avenger. I deleted the downloaded .zip file, however when I went to Add/Remove Programs I could not find an entry for "Avenger". Is there a special uninstall program somewhere?
• A couple other cleanup programs to add to the list of programs I listed in my posting yesterday. I downloaded the limited version of "Avast"; there is a Home version too, which I didn't use. I also downloaded several Iomatic programs: System Medic, Registry Medic and Ram Medic. How do these fit into the mix? Several of the downloaded trial versions of these and the other programs I listed earlier expire soon. I plan to purchase the full version, but probably can't afford ALL the ones I've tried. I'll await your recommendation.
• You mentioned that Norton's AV isn't the greatest security software. My ISP recommended F-Secure because Norton is known to cause problems with my internet connection. How does F-Secure rate?
• When I opened Ewido to run it, the "Resident Shield" was inactive. I activated it. Was that OK?
• After running Ewido I clicked on the "fix" button. It gave me a message that a file can't be quarantined because it is embedded in an archive. I chose the option to quarantine the whole archive. (The file was one of the SysProtect files.)
• I was surprised that Ewido found as many more nasties as it did!
• FYI… for an example of how much better things are going already, Ewido only took a few hours to run, compared to literally a couple of days to run the first time. (CounterSpy took just 20 minutes shy of 3 days to run the first time!!!)
• Another thing I try to do on a regular basis is defragment my drive. I've been told that the Windows defragmenter isn't that great. I've also used Norton's "Speed Disk". Do you know of other programs that work better? I realize this isn't a malware issue, but thought I'd ask 'cause it affects system performance and I plan to defrag as soon as I get "clean".
• I opened a Firefox browser just now and started typing in the URL for BestTechie. As I typed, a list of previously entered sites came up so I clicked on the listing for Besttechie.net. It took me to another site... do we still have something going on? I tried it again and it worked fine.
Thanks,
Andy
Here are the new logs:
___________________________
Ewido Report
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:34:56 PM 7/18/2006
+ Scan result:
C:\!KillBox\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\Documents and Settings\Andy\Local Settings\Temp\ICD1.tmp\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\8HEJ4HI3\SysProtectScannerInstall[1].cab/USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\QH8B6PML\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\crrffybp.dll -> Logger.VBStat.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M0604NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Ignored.
:mozilla.17:C:\RECYCLER\NPROTECT\05653057.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\RECYCLER\NPROTECT\05653038.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\RECYCLER\NPROTECT\05653067.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\RECYCLER\NPROTECT\05660169.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\05660191.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\05660207.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\05660935.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\05660212.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\05660217.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\05660932.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\RECYCLER\NPROTECT\05653057.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\05653038.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\05653067.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\05660169.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.22:C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\05660191.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\05660207.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\05660935.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.23:C:\RECYCLER\NPROTECT\05660212.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.23:C:\RECYCLER\NPROTECT\05660217.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.23:C:\RECYCLER\NPROTECT\05660932.MOZ -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Andy\Cookies\andy@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\NPROTECT\05660701 -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Andy\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\RECYCLER\NPROTECT\05660715 -> TrackingCookie.Zedo : Cleaned.
::Report end
_______________________________________
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 6:40:51 PM, on 7/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common
Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exeC:\Program Files\Canon\MultiPASS4\monitr32.exeC:\WINDOWS\System32\fxredir.exeC:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exeC:\WINDOWS\MXOALDR.EXEC:\WINDOWS\System32\wuauclt.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exeC:\Program Files\Common Files\Real\Update_OB\evntsvc.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\MemTurbo\MemTurbo.exeC:\Program Files\ewido anti-spyware 4.0\ewido.exeC:\WINDOWS\explorer.exeC:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dllO2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exeO4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exeO4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXEO4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /ConsumerO4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt 
Software\CounterSpy\Consumer\sunserver.exeO4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osbootO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cabO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cabO16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exeO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cabO16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: 
{B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cabO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exeO23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. 
- C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeO23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXEO23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exeO23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exeO23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Edited July 19, 2006 by Andy Link to post Share on other sites
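As an added example (not part of this thread, and not HijackThis's own code), here is a small parser for the line format of the HijackThis log Andy posted. It splits the "Oxx - " entries by section code, pulls out the CLSID and the file, URL or command each entry points at, and lists the entries HijackThis itself annotated as dangling with "(no file)" or "(file missing)", the kind of line a helper scans a log for first. The function names (parse_hjt_log, running_processes, section_counts, missing_targets) are hypothetical, and the sample input is a constructed excerpt of the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (a handful of its lines; the O9 and O18 entries are the two that HijackThis
# itself annotated as pointing at a file that is not there).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:40:51 PM, on 7/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

# Every scan entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Standard 8-4-4-4-12 hex CLSID in braces, as HijackThis prints it.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# The two annotations HijackThis appends when the referenced file is absent
# (both occur in the log above); assumed to be the only such markers.
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str           # e.g. "O4"
    raw: str               # the original log line
    clsid: Optional[str]   # first CLSID on the line, if any
    target: str            # file path, URL or command the entry points at
    missing: bool          # HijackThis annotated the target as absent


def _target_of(section: str, body: str) -> str:
    """Pick the part of the body that names what the entry points at."""
    if section == "O4":
        # O4 - <hive>\..\Run: [value name] <command line>
        return body.split("] ", 1)[1] if "] " in body else body
    # All other sections end in " - <path or URL>".
    return body.rsplit(" - ", 1)[-1]


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Return one HjtEntry per 'Oxx - ' line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        missing = any(marker in body for marker in MISSING_MARKERS)
        target = _target_of(section, body)
        for marker in MISSING_MARKERS:
            target = target.replace(marker, "")
        entries.append(HjtEntry(section, line, clsid.group(0) if clsid else None,
                                target.strip().strip('"'), missing))
    return entries


def running_processes(text: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not s:
                break
            procs.append(s)
    return procs


def section_counts(entries: List[HjtEntry]) -> Counter:
    """How many entries each section code (O2, O4, O23, ...) contributes."""
    return Counter(e.section for e in entries)


def missing_targets(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose referenced file HijackThis reported as absent."""
    return [e for e in entries if e.missing]


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_LOG)
    print("running processes:", len(running_processes(SAMPLE_LOG)))
    print("entries per section:", dict(section_counts(found)))
    for e in missing_targets(found):
        print("dangling:", e.raw)
```

The split on " - " takes the last field as the target, which is right for the O2, O3, O9, O16, O18 and O23 lines in this log but would need a per-section rule for any format that embeds " - " inside the path itself.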
Matt Posted July 19, 2006

> I deleted the downloaded .zip file, however when I went to Add/Remove programs I could not find an entry for "Avenger". Is there a special uninstall program somewhere?

To remove, you can just delete avenger.exe from wherever you unzipped it onto your computer.

> I downloaded the limited version of "Avast"

This is actually bad. You never want more than one Anti-Virus running on a single system. They will conflict and actually give you less protection.

> I also downloaded several Iomatic programs: System Medic, Registry Medic and Ram Medic. How do these fit into the mix?

I've never used those programs before. I tend to shy away from Registry tools because often they can make mistakes and kill a system. As for a Ram tool, I'd recommend RAMSmart by AllBeGone. It is a very good tool, and works very well.

> My ISP recommended F-Secure because Norton is known to cause problems with my internet connection. How does F-Secure rate?

F-Secure is very good. The best paid Anti-Virus software is probably NOD32. If you're looking into a free AV, I'd suggest AVG Free. It's what I use, and is very good. But remember, NEVER have more than one AV running on your system! If you choose to use one of these, or something else, remember to uninstall your current one.

> When I opened Ewido to run it, the "Resident Shield" was inactive. I activated it. Was that OK?

It won't harm anything. If you'd like, you can activate it.

> After running Ewido I clicked on the "fix" button. It gave me a message that a File can't be quarantined because it is embedded in an archive. I chose the option to quarantine the whole archive. (The file was one of the SysProtect files).

That's fine, Ewido did its job. I'm glad to hear your system is running much better!

> One of the things I try to do on a regular basis is Defragment my drive. I've been told that the Windows defragmenter isn't that great.

Actually, Windows' defragger isn't bad. It's what I use. I haven't played around much with other apps like that.

Anyway, Congrats! Your log is clean! You can go ahead and enable CounterSpy and download the latest windows updates.

If you have any more questions before we close this up, feel free to ask!

The following is a list of free tools and utilities that I like to suggest to people; many you already have. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Firefox - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera is good as well.
Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
SpywareBlaster - Great prevention tool to keep malware from installing on your system.
SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
ATF Cleaner - Cleans temporary files from web browsers, and much more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this guide on safer computing.

If you would like, you can post any comments, suggestions, or feedback to our Comments and Suggestions Area.

Matt
aghoffmann (Author) Posted July 19, 2006 (edited)

Hi Matt,

Thanks for all your help; things are going much smoother. As I continue to update and clean up I'm coming up with a few more questions.

• I have updated Windows and activated Automatic Updates. Seems every time I reboot there are a few more updates. I figure that is because some updates are dependent on earlier updates being completed.
• I was going through Add/Remove Programs deleting old unused programs and discovered that SysProtect 1.3.148.0 is still listed. There is also a listing for SysProtect in the START>Programs menu. In the Start>Programs>SysProtect submenu there is an "uninstall" program. I didn't dare click that one. How should those items be dealt with?
• I noticed the Ewido seemed to be one of the primary tools you used for detecting malware. How does that fit into the list of tools you recommend? I realize it's not free as the programs you listed. I like free, but I also don't mind paying for good tools. Would Ewido complement the list? Is it considered an "Anti-virus" and thus shouldn't be used with other AV programs?
• How often should the programs like SpyBot and AdAware (and Ewido) be run? Some of the programs can be scheduled for automatically scanning, what is a good interval?
• The IE-SpyAd program that lists over 5000 sites. Is that JUST for Internet Explorer? Is there an equivalent for FireFox? If I use FireFox, do I need it?

Thanks,
Andy

Edited July 20, 2006 by Andy
Matt Posted July 20, 2006

> I was going through Add/Remove Programs deleting old unused programs and discovered that SysProtect 1.3.148.0 is still listed. There is also a listing for SysProtect in the START>Programs menu. In the Start>Programs>SysProtect submenu there is an "uninstall" program. I didn't dare click that one. How should those items be dealt with?

You can remove it via Add/Remove Programs.

> I noticed the Ewido seemed to be one of the primary tools you used for detecting malware. How does that fit into the list of tools you recommend? I realize it's not free as the programs you listed. I like free, but I also don't mind paying for good tools. Would Ewido complement the list? Is it considered an "Anti-virus" and thus shouldn't be used with other AV programs?

Ewido is a fantastic tool. It's one of the best Anti-Malware tools out there. Ewido can complement just about any security setup. It doesn't fall under AV (it's categorized as "anti-malware"), so it's safe to have, along with your current AV.

If you are interested, another commercial program that is excellent is Webroot SpySweeper. It is not free, but is very powerful, like Ewido. If you don't mind paying, I'd recommend them both, along with what you already have.

> How often should the programs like SpyBot and AdAware (and Ewido) be run? Some of the programs can be scheduled for automatically scanning, what is a good interval?

This is really personal opinion. Some people run them once a week, others once a day. I actually don't run scans on any sort of schedule, mostly because I'm fairly certain when my system is clean. Others, however, may feel differently. It's based on you and your habits. If you do a lot of downloading, P2P activity, surfing, going to questionable sites, you may want to scan frequently. If you don't fall under that, you may feel that you don't need to run a scan as often.

> The IE-SpyAd program that lists over 5000 sites. Is that JUST for Internet Explorer? Is there an equivalent for FireFox? If I use FireFox, do I need it?

IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. So, its protection is only valid in IE (which is really the only place it is needed). However, even if you do use firefox, it's still a good idea to have, as people often have to use IE for those pages that just don't work in FF. You'll eventually use IE sometimes, so it's good to have that added protection.

Matt
aghoffmann (Author) Posted July 21, 2006 (edited)

Matt,

Things are looking good. The computer is working better than it has in a long time. It was literally unusable when I finally discovered Besttechie.net. I was ready to format C and start over.

It has truly been a pleasure working with you on this. I'm impressed with your fast responses, patience with all my questions and thoroughness in getting the job done. I have also learned a great deal from working with you.

You guys are truly the Super Heroes of Cyber Space, and the evils you fight are every bit as nasty as any conjured up by Hollywood... except the jerks you deal with are real. I really don't understand the mind of people that would intentionally cause such grief and expense for folks.

You certainly provide a valuable service. I think I could probably keep finding questions "'till the cows come home", but I think we can call this Topic Closed.

MANY THANKS,
Andy

Edited July 21, 2006 by Andy
Matt Posted July 21, 2006

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.