Tuspp.dll, Opppp.dll And Trojan.awax Problems [RESOLVED]



I have been having lots of problems with the "Sys-protect", "WinAntiVirus" family of trojans on another computer. It has rendered the computer basically worthless. The system runs EXTREMELY slow; if I click on an icon it may take several minutes to get a response. I continually get a Norton AntiVirus pop-up saying it found the Trojan.awax but was unable to fix it. The problem appears to be related to the tuspp.dll and opppp.dll files and winlogon.exe dragging down the performance. I've tried several "anti-spy, anti-malware" type programs which seemed to find and fix lots of problems, but none resolved my primary problem. Nothing seems to be able to remove the dll files listed above.

I found the following article in your forums regarding fixes recommended from a HijackThis log. It addresses the tuspp.dll, but not the opppp.dll. Can I follow the recommendation in that posting or would the fix be specific to my system?

http://www.besttechie.net/forums/index.php...tuspp\.dll

Thanks!

Here is the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 1:26:18 PM, on 7/10/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\Program Files\Canon\MultiPASS4\monitr32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\fxredir.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MemTurbo\MemTurbo.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

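A small triage script, added here as an example (it is not HijackThis code and not part of the thread), that parses the O2 and O20 lines of the log above and flags the pattern an analyst checks first: the same DLL registered both as a Browser Helper Object and as a Winlogon Notify package, plus unnamed BHOs loading from System32. The sample lines are copied from the log above; the two heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not HijackThis
code).  O2 = Browser Helper Object, O20 = Winlogon Notify package.  A Notify
package is loaded into winlogon.exe at every logon, which fits the reported
winlogon.exe slowdown and explains why on-demand scanners could not delete the
file while it was in use."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\\WINDOWS\\System32\\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1.1\\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\\WINDOWS\\system32\\tuspp.dll
O20 - Winlogon Notify: opppp - C:\\WINDOWS\\System32\\opppp.dll
O20 - Winlogon Notify: tuspp - C:\\WINDOWS\\SYSTEM32\\tuspp.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\\WINDOWS\\SYSTEM32\\crypserv.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<id>" + CLSID + r") - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<id>.+?) - (?P<path>.+)$")


def normalize_path(path):
    """Lower-case and unquote: the log mixes System32/system32/SYSTEM32 and
    Windows paths are case-insensitive, so the variants must compare equal."""
    return path.strip().strip('"').lower()


def parse_entries(log_text):
    """Group O2 and O20 entries by normalized DLL path.

    Returns {path: [{"section": "O2"|"O20", "name": str, "id": str}, ...]}.
    For O2 the id is the CLSID; for O20 it is the Notify subkey name.
    """
    by_path = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            by_path[normalize_path(m["path"])].append(
                {"section": "O2", "name": m["name"], "id": m["id"]})
            continue
        m = O20_RE.match(line)
        if m:
            by_path[normalize_path(m["path"])].append(
                {"section": "O20", "name": m["id"], "id": m["id"]})
    return dict(by_path)


def dual_registered_dlls(log_text):
    """DLLs present both as a BHO (O2) and a Winlogon Notify package (O20)."""
    by_path = parse_entries(log_text)
    return sorted(path for path, ents in by_path.items()
                  if {e["section"] for e in ents} >= {"O2", "O20"})


def unnamed_system32_bhos(log_text):
    """BHOs reporting '(no name)' that load from the Windows System32 directory.

    Heuristic (this example's assumption, not a HijackThis rule): legitimate
    BHOs usually carry a class name and install under Program Files.  Spybot's
    SDHelper.dll is also unnamed but lives under Program Files, so it is not hit.
    """
    by_path = parse_entries(log_text)
    return sorted(path for path, ents in by_path.items()
                  if "\\system32\\" in path
                  and any(e["section"] == "O2" and e["name"] == "(no name)"
                          for e in ents))


def triage_report(log_text):
    """One line per finding, ready to paste back into a thread like this one."""
    findings = []
    for path in dual_registered_dlls(log_text):
        findings.append(f"[O2+O20] {path}: same DLL is a BHO and a Winlogon Notify package")
    for path in unnamed_system32_bhos(log_text):
        findings.append(f"[O2] {path}: unnamed BHO loading from System32")
    return findings


if __name__ == "__main__":
    for finding in triage_report(SAMPLE_LOG):
        print(finding)
```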

After just having mine repaired, I strongly suggest you wait until one of the techs replies. Someone will soon enough. It's a great help to have the experts look at the log and get a second opinion before you delete a bunch of stuff in the HJT log.

Mark


Hi,

We can definitely help you, but first you need to apply Windows XP Service Pack 1a. Without this update you're wide open to re-infection, which defeats the purpose of getting you clean. Download the Service Pack from the link below, so we don't waste time getting you clean just to have you re-infected. Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Apply the update, reboot, and post a fresh Hijack This log.


Hi Matt,

WHEW! I finally got the SP 1a update completed. Some observations on the process that may be of interest: it took over 42 hours to complete the process… I guess that indicates the severity of my infection. Also, I initially tried downloading the update using IE 6.0 and was severely harassed by “WinAntiVirusPro”… I gave up on using IE and opened the site in a Firefox browser and didn’t get any harassment. After the installation and reboot I got the Norton AntiVirus pop-up again saying it found Trojan.Awax but was unable to fix it. I also got a notice saying “something bad happened…” and it generated an ewido.err file.

I had planned to apply the XP SP2 update after I got things cleaned up, but now I understand why the update needed to be applied first. I’m curious why you recommended applying SP1a and not SP2?

Thanks,

Andy

Here’s the latest log:

Logfile of HijackThis v1.99.1

Scan saved at 7:10:15 PM, on 7/13/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

C:\Program Files\Canon\MultiPASS4\monitr32.exe

C:\WINDOWS\System32\fxredir.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MemTurbo\MemTurbo.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Hi Matt,

I followed your instructions as best I could; however, I ran into a couple of problems:

• VundoFix ran fine, but it didn’t find any infected files (file posted below)

• Ewido locked up several times during the install. However, I had already installed and run the program before I contacted Besttechie. At some point an ewido error was generated. I have posted that ewido.err file below also.

• I tried running the ewido program that I already had installed in Safe Mode; however, I never got a “desktop” in Safe Mode. All I got was a black screen with the words “Safe Mode” showing in all 4 corners of my screen.

• Upon rebooting after safe mode I got a couple errors, one for Trojan.awax and one for ewido. I did a screen capture and have posted that jpg too.

I currently have CounterSpy, a-squared, Spybot and Norton AntiVirus installed on the machine. Could these be interfering?

Thanks,

Andy

_________________________________________

VundoFix.txt

VundoFix V5.1.3

Running as SYSTEM

from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.2

Scan started at 8:55:30 PM 7/13/2006

Listing files found while scanning....

No infected files were found.

Beginning removal...

_____________________________

Ewido.err

//==<ewido anti-spyware 4.0>===================================

Exception code: C0000005 ACCESS_VIOLATION

Fault address: 00000001 <pages range base not found>

Exception Date: 07/09/2006 17:04:59

File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172

MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmp

Registers:

EAX:00000001

EBX:00000000

ECX:00000000

EDX:77FC49C0

ESI:00432B17

EDI:00FD6730

CS:EIP:001B:00000001

SS:ESP:0023:052AFE98 EBP:052AFEE4

DS:0023 ES:0023 FS:0038 GS:0000

Flags:00010202

Intel specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module

00000001 052AFEE4 00432B17 00FD6730 00000001 00000000 <pages range base not found>

77F8777E 052AFF48 77F87766 00185540 00000000 00000000 0001:0003677E C:\WINDOWS\System32\ntdll.dll

77F956E5 052AFFB4 00000000 00000000 00000000 00000000 0001:000446E5 C:\WINDOWS\System32\ntdll.dll

77E765DA 052AFFEC <frame 052AFFEC not readable>

ImageHelp specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address

00000001 052AFE94 77F95FC9 00FD6730 00000001 00185540 <pages range base not found>

00432B42 052AFEE4 00432B17 00FD6730 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F8777E 052AFF48 77F87766 00185540 00000000 00000000 RtlDebugPrintTimes+1A

77F956E5 052AFFB4 00000000 00000000 00000000 00000000 RtlSetIoCompletionCallback+AF

77E765DA 052AFFEC 77F950AE 00000000 00000000 6D52C1A0 lstrcmpiW+98

Loaded Modules:

Base Size Module

00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F50000 0A6000 5.01.2600.0114 C:\WINDOWS\System32\ntdll.dll

77E60000 0E0000 5.01.2600.0153 C:\WINDOWS\system32\kernel32.dll

76BF0000 00B000 //==<ewido anti-spyware 4.0>===================================

Exception code: C0000005 ACCESS_VIOLATION

Fault address: 00000020 <pages range base not found>

Exception Date: 07/09/2006 19:26:15

File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172

MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmp

Registers:

EAX:00000020

EBX:00000000

ECX:00000000

EDX:77FC49C0

ESI:00432B17

EDI:00FD1AB0

CS:EIP:001B:00000020

SS:ESP:0023:03EBFE98 EBP:03EBFEE4

DS:0023 ES:0023 FS:0038 GS:0000

Flags:00010202

Intel specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module

00000020 03EBFEE4 00432B17 00FD1AB0 00000001 00000000 <pages range base not found>

77F8777E 03EBFF48 77F87766 00186470 00000000 00000000 0001:0003677E C:\WINDOWS\System32\ntdll.dll

77F956E5 03EBFFB4 00000000 00000000 00000000 00000000 0001:000446E5 C:\WINDOWS\System32\ntdll.dll

77E765DA 03EBFFEC 77F950AE 00000000 00000000 00000000 0001:000155DA C:\WINDOWS\system32\kernel32.dll

ImageHelp specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address

00000020 03EBFE94 77F95FC9 00FD1AB0 00000001 00186470 <pages range base not found>

00432B42 03EBFEE4 00432B17 00FD1AB0 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F8777E 03EBFF48 77F87766 00186470 00000000 00000000 RtlDebugPrintTimes+1A

77F956E5 03EBFFB4 00000000 00000000 00000000 00000000 RtlSetIoCompletionCallback+AF

77E765DA 03EBFFEC 77F950AE 00000000 00000000 00000000 lstrcmpiW+98

Loaded Modules:

Base Size Module

00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F50000 0A6000 5.01.2600.0114 C:\WINDOWS\System32\ntdll.dll

77E60000 0E0000 5.01.2600.0153 C:\WINDOWS\system32\kernel32.dll

76BF0000 00B000 //==<ewido anti-spyware 4.0>===================================

Exception code: C0000005 ACCESS_VIOLATION

Fault address: 00000001 <pages range base not found>

Exception Date: 07/10/2006 11:14:49

File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172

MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmp

Registers:

EAX:00000001

EBX:00000000

ECX:00000000

EDX:77FC49C0

ESI:00432B17

EDI:00FD6B40

CS:EIP:001B:00000001

SS:ESP:0023:05CAFE98 EBP:05CAFEE4

DS:0023 ES:0023 FS:0038 GS:0000

Flags:00010202

Intel specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module

00000001 05CAFEE4 00432B17 00FD6B40 00000001 00000000 <pages range base not found>

77F8777E 05CAFF48 77F87766 00187180 00000000 00000000 0001:0003677E C:\WINDOWS\System32\ntdll.dll

77F956E5 05CAFFB4 00000000 00000000 00000000 00000000 0001:000446E5 C:\WINDOWS\System32\ntdll.dll

77E765DA 05CAFFEC <frame 05CAFFEC not readable>

ImageHelp specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address

00000001 05CAFE94 77F95FC9 00FD6B40 00000001 00187180 <pages range base not found>

00432B42 05CAFEE4 00432B17 00FD6B40 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F8777E 05CAFF48 77F87766 00187180 00000000 00000000 RtlDebugPrintTimes+1A

77F956E5 05CAFFB4 00000000 00000000 00000000 00000000 RtlSetIoCompletionCallback+AF

77E765DA 05CAFFEC 77F950AE 00000000 00000000 6D52C1A0 lstrcmpiW+98

Loaded Modules:

Base Size Module

00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F50000 0A6000 5.01.2600.0114 C:\WINDOWS\System32\ntdll.dll

77E60000 0E0000 5.01.2600.0153 C:\WINDOWS\system32\kernel32.dll

76BF0000 00B000 5.01.2600.0000 C:\WINDOWS\System32\PSAPI.DLL

10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll

70BD0000 065000 6.00.2800.1106 C:\WINDOWS\system32\SHLWAPI.dll

77C10000 053000 7.00.2600.0000 C:\WINDOWS\system32\msvcrt.dll

77C70000 03E000 5.01.2600.0151 C:\WINDOWS\system32\GDI32.dll

77D40000 086000 5.01.2600.0152 C:\WINDOWS\system32\USER32.dll

77DD0000 08B000 5.01.2600.0000 C:\WINDOWS\system32\ADVAPI32.dll

78000000 06F000 5.01.2600.0135 C:\WINDOWS\system32\RPCRT4.dll

71AB0000 015000 5.01.2600.0000 C:\WINDOWS\System32\WS2_32.dll

71AA0000 008000 5.01.2600.0000 C:\WINDOWS\System32\WS2HELP.dll

76B40000 02C000 5.01.2600.0000 C:\WINDOWS\System32\WINMM.dll

773D0000 7EE000 6.00.2600.0115 C:\WINDOWS\system32\SHELL32.dll

76380000 005000 5.01.2600.0000 C:\WINDOWS\System32\MSIMG32.dll

763B0000 045000 6.00.2600.0000 C:\WINDOWS\system32\comdlg32.dll

71950000 0E4000 6.00.2600.0000 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.dll

771B0000 113000 5.01.2600.0136 C:\WINDOWS\system32\ole32.dll

71AD0000 008000 5.01.2600.0000 C:\WINDOWS\System32\WSOCK32.dll

76D60000 015000 5.01.2600.0002 C:\WINDOWS\System32\iphlpapi.dll

76DE0000 026000 5.01.2600.0000 C:\WINDOWS\System32\netman.dll

76D40000 016000 5.01.2600.0000 C:\WINDOWS\System32\MPRAPI.dll

76E40000 02F000 5.01.2600.0000 C:\WINDOWS\System32\ACTIVEDS.dll

76E10000 024000 //==<ewido anti-spyware 4.0>===================================

Exception code: C0000005 ACCESS_VIOLATION

Fault address: 00000020 <pages range base not found>

Exception Date: 07/13/2006 18:22:36

File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172

MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmp

Registers:

EAX:00000020

EBX:00000000

ECX:00000000

EDX:77FC59C0

ESI:00432B17

EDI:00F46BB8

CS:EIP:001B:00000020

SS:ESP:0023:03DCFE98 EBP:03DCFEE4

DS:0023 ES:0023 FS:0038 GS:0000

Flags:00010202

Intel specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module

00000020 03DCFEE4 00432B17 00F46BB8 00000001 00000000 <pages range base not found>

77F87FD4 03DCFF48 77F87FBC 00180CD8 00000000 00000000 0001:00036FD4 C:\WINDOWS\System32\ntdll.dll

77F9613D 03DCFFB4 00000000 77FA88F0 04227630 00000000 0001:0004513D C:\WINDOWS\System32\ntdll.dll

77E7D28E 03DCFFEC 77F95B06 00000000 00000000 00000000 0001:0001C28E C:\WINDOWS\system32\kernel32.dll

ImageHelp specific method

Call stack:

Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address

00000020 03DCFE94 77F96A21 00F46BB8 00000001 00180CD8 <pages range base not found>

00432B42 03DCFEE4 00432B17 00F46BB8 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F87FD4 03DCFF48 77F87FBC 00180CD8 00000000 00000000 RtlDebugPrintTimes+1A

77F9613D 03DCFFB4 00000000 77FA88F0 04227630 00000000 RtlSetIoCompletionCallback+AF

77E7D28E 03DCFFEC 77F95B06 00000000 00000000 00000000 RegisterWaitForInputIdle+43

Loaded Modules:

Base Size Module

00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe

77F50000 0A7000 5.01.2600.1217 C:\WINDOWS\System32\ntdll.dll

77E60000 0E6000 5.01.2600.1560 C:\WINDOWS\system32\kernel32.dll

76BF0000 00B000 5.01.2600.1106 C:\WINDOWS\System32\PSAPI.DLL

10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll

70A70000 064000 6.00.2800.1106 C:\WINDOWS\system32\SHLWAPI.dll

77C10000 053000 7.00.2600.1106 C:\WINDOWS\system32\msvcrt.dll

7F000000 041000 5.01.2600.1561 C:\WINDOWS\system32\GDI32.dll

77D40000 08C000 5.01.2600.1561 C:\WINDOWS\system32\USER32.dll

77DD0000 08D000 5.01.2600.1106 C:\WINDOWS\system32\ADVAPI32.dll

78000000 087000 5.01.2600.1361 C:\WINDOWS\system32\RPCRT4.dll

71AB0000 015000 5.01.2600.0000 C:\WINDOWS\System32\WS2_32.dll

71AA0000 008000 5.01.2600.0000 C:\WINDOWS\System32\WS2HELP.dll

76B40000 02C000 5.01.2600.1106 C:\WINDOWS\System32\WINMM.dll

773D0000 7F2000 6.00.2800.1233 C:\WINDOWS\system32\SHELL32.dll

76380000 005000 5.01.2600.1106 C:\WINDOWS\System32\MSIMG32.dll

763B0000 045000 6.00.2800.1106 C:\WINDOWS\system32\comdlg32.dll

71950000 0E4000 6.00.2800.1106 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll

771B0000 124000 5.01.2600.1362 C:\WINDOWS\system32\ole32.dll

71AD0000 008000 5.01.2600.0000 //==<ewido anti-spyware 4.0>===================================

Exception code: C0000005

______________________________________

New Hijack This log

Logfile of HijackThis v1.99.1

Scan saved at 5:18:45 PM, on 7/14/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

C:\Program Files\Canon\MultiPASS4\monitr32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\fxredir.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MemTurbo\MemTurbo.exe

C:\WINDOWS\System32\dumprep.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

______________________________________

Screen capture of error

bootuperror.jpg


OK - I'm not sure what the error with ewido is, but hopefully once you're clean it'll work itself out.

Please print out these directions for use if/when you cannot access this page.

Scan with HJT and place a check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

Then, make sure all browser windows and other applications are closed and click the Fix Checked button.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\opppp.dll

    C:\WINDOWS\system32\tuspp.dll

    C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    C:\WINDOWS\web\related.htm

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Finally, post back with a new HJT log, and the Panda Report.

Matt

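The two DLLs Matt has Andy fix above show up twice in the log: once as O2 Browser Helper Objects (loaded into every Internet Explorer process) and once as O20 Winlogon Notify packages (loaded into winlogon.exe), and the RdxIE ActiveX control is pulled from a bare IP address. Those are the patterns a practitioner reads a HijackThis log for, so here is a small Python triage script, written for this page and not part of HijackThis or the thread, that parses the O2, O16 and O20 lines and applies exactly those three checks. The sample log is a subset of lines copied from the log posted above, embedded so the script runs offline; the rule names (winlogon_notify_and_bho and so on) are my own labels.

```python
"""Triage a HijackThis (v1.99) log: parse O2/O16/O20 lines and flag combinations
that are characteristic of BHO + Winlogon Notify persistence.
Added example, not part of HijackThis; the rule names are the author's own."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19c2f1ca1d2e57085d06/...ip/RdxIE601.cab
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def norm_path(p):
    # HJT prints the same file with differing case (System32 vs SYSTEM32), so compare
    # case-insensitively. 8.3 short names (PROGRA~1) cannot be expanded without the
    # filesystem and are left as they are.
    return p.strip().lower()


def parse_hjt(text):
    """Return {"O2": [...], "O16": [...], "O20": [...]} of parsed entries."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        for section, rx in (("O2", O2_RE), ("O16", O16_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries[section].append(m.groupdict())
                break
    return entries


def triage(entries):
    """Return a list of (rule, detail) findings."""
    findings = []
    bho_paths = {norm_path(e["path"]) for e in entries["O2"]}
    # 1. Same DLL registered as a BHO and as a Winlogon Notify package: it runs inside
    #    both IE and winlogon.exe, which is why it survives ordinary removal attempts.
    for e in entries["O20"]:
        p = norm_path(e["path"])
        if p in bho_paths:
            findings.append(("winlogon_notify_and_bho", p))
    # 2. Unnamed BHO dropped directly under the Windows directory (SDHelper.dll is also
    #    unnamed but lives under Program Files, so it is not flagged by this rule).
    for e in entries["O2"]:
        p = norm_path(e["path"])
        if e["name"] == "(no name)" and "\\windows\\" in p:
            findings.append(("unnamed_bho_in_windows_dir", p))
    # 3. ActiveX control (O16) downloaded from a bare IP address instead of a hostname.
    for e in entries["O16"]:
        host = urlsplit(e["url"]).hostname or ""
        if IP_RE.match(host):
            findings.append(("activex_from_raw_ip", e["url"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{rule:28} {detail}")
```

Run against a full log, the script reduces a 150-line listing to a handful of candidates; the case-folding in norm_path matters because HijackThis itself printed tuspp.dll under both System32 and SYSTEM32 above, and a naive string comparison would miss the match.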

Hi Matt,

That was sure a fast turnaround at your end. Thanks. Things are much slower at my end still. Seems like after the ATF scan things really slowed down. Here are my observations and notes:

• The HJT “Fix” went smoothly. After the fix I got 8 “CounterSpy” notices saying that something was fooling around with IE. I allowed it.
• Killbox went well too, and yes I did get the message “Pending File Rename Operations… Registry Data has been Removed by External Process”.
• I had to restart it manually afterwards.
• I initially tried downloading ATF with an IE browser, but it opened with a blank screen with the title “about:blank”, and seemed to freeze, so I downloaded using Firefox.
• ATF seemed to run fine.
• Based on the above experience I initially tried running Panda ActiveScan from a Firefox browser, but I got a notice that it only worked using IE 5 or later.
• I opened an IE browser and got the “about:blank” page again. I then pasted in the link and eventually got to the Panda page. I was unmercifully harassed by the WinAntiVirus and SysProtect pop-ups. Things started really slowing down at this point.
• After the Panda scan I opened My Documents to get to where I could run HJT and things seemed to lock up. I tried a couple of times, eventually needing to hit the reset button because nothing responded. What seemed to work after restarting a second time was disconnecting the network cable so I wasn’t connected to the Internet.
• After that I was able to run HJT.

Below are the Panda and HJT logs

Thanks,

Andy

________________________________

Latest HJT log

Logfile of HijackThis v1.99.1

Scan saved at 4:10:07 PM, on 7/15/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\fxredir.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MemTurbo\MemTurbo.exe

C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

_________________________________________

Panda Report

Incident Status Location

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Program Files\SysProtect Free\FRec.dll

Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USYP_0001_N85M2606NetInstaller.exe

Adware:adware/dyfuca Not disinfected c:\windows\STWSI

Potentially unwanted tool:application/winantivirus2006 Not disinfected c:\documents and settings\all users\application data\WinAntiVirus Pro 2006

Adware:adware/limeshop Not disinfected Windows Registry

Spyware:spyware/virtumonde Not disinfected Windows Registry

Potentially unwanted tool:application/sysprotect Not disinfected hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.microsofteup.112.2o7.net/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[searchportal.information.com/]

Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.tucows.com/]

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy\Cookies\[email protected][1].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Andy\Cookies\andy@zedo[1].txt

Virus:W32/Disemboweler Disinfected Personal Folders\Inbox\***11317130 ***1302015032649\ACTMOVIE.EXE

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\62331321-A76D-4731-9E16-1A3063

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\65EEAF63-7639-4A65-8F0C-A1C5B6

Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\58D00DD5-F1D5-4FD4-8C71-24DCE6

Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\718AE7B9-3150-4FB9-A4BA-FB9294

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\01GPI3O5\QDow_AS2[1].cab


Alright, we're going to try something else.

Please disable CounterSpy, as it may hinder the fixing of some HijackThis entries. You can re-enable it after you're clean.

To disable CounterSpy:

  • Right Click on the CounterSpy Icon located in your system tray.
  • With your mouse, hover over Active Protection Status (This should be enabled)
  • A menu will slide out, then right click on Disable Active Protection

Once your log is clean please re-enable CounterSpy.

Please scan with HJT and place a check next to the following items:

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Enable show hidden files and folders:

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK

Find and delete the following files:

C:\WINDOWS\System32\opppp.dll

C:\WINDOWS\SYSTEM32\tuspp.dll

Find and delete the following folders:

c:\windows\STWSI\

c:\documents and settings\all users\application data\WinAntiVirus Pro 2006\

Reboot your computer normally.

Please double-click Killbox.exe to run it.

  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\SysProtect Free\FRec.dll

    c:\windows\downloaded program files\USYP_0001_N85M2606NetInstaller.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Run another panda scan and save the report.

Post back with a new HJT log, and the new panda report.

Matt


Matt,

Here are the latest Panda Scan and HJT logs

It seems like we are making progress until I open Internet Explorer, then all the nasties start hammering away. I even saw a few new ones this time: "Vertical Response" and "The Shield Pro 2006" along with the standard WinAntiVirusPro, SysProtect and Trojan.Awax. Here are my observations on this round:

• The nasty dlls, opppp and tuspp, seem impervious to all our efforts

• I notice that the CPU usage (as viewed through Task Manager, Performance tab) is ALWAYS at 100% even when I have no applications open… winlogon.exe seems to always be running as a process… any ideas?

• I disabled Counter Spy with no problems

• The HJT Fix went smoothly, though those darn persistent dlls, opppp and tuspp, are still there.

• I already had hidden files and folders visible. When I tried deleting the dlls in Safe Mode I got an error notice: "Cannot delete: It is being used by another program or person. Close any programs that might be using the file and try again". According to Task Manager, no "applications" were running, but lots of "processes" were going… including our nasty dlls

• Deletion of the two folders worked.

• When I rebooted after "Safe Mode" I got several pop-ups: MPService application Error, and Ewido notice that Malware was detected, tuspp.dll (I cleaned and quarantined), Norton Antivirus finding Trojan.awax (tuspp.dll), Implementing the NT Services errors. Also CounterSpy updated its files. I subsequently deactivated CounterSpy again.

• When the Norton Antivirus window opens notifying about the Trojan.awax, I click OK to get rid of it, but it just toggles between two nearly identical windows. One saying that the file was detected, and one saying that it could not be removed. However it never closes, I have to use Task Manager to get rid of it.

• After running Killbox I did not get any messages this time and it did reboot automatically this time.

• Panda requires that IE be used which appears to make us vulnerable to all the nasties. I mentioned earlier that I get the about:blank as the IE Home. Is this because we've deleted the homepage definition?

• I had to start Panda several times. I found when I try to close the browser windows opened by the hijackers, ALL the browser windows close, so I eventually had to run Panda with the other browser windows open.

Are these observations helpful, or can you tell as much from the logs?

I sure appreciate your patience and persistence!!

Thanks

Andy

_________________________________

New Panda Report

Incident Status Location

Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UWA6P_0001_N73M0604NetInstaller.exe

Adware:adware/limeshop Not disinfected Windows Registry

Potentially unwanted tool:application/winantivirus2006 Not disinfected hkey_current_user\software\WinAntiVirus Pro 2006

Spyware:spyware/virtumonde Not disinfected Windows Registry

Potentially unwanted tool:application/sysprotect Not disinfected hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\!KillBox\FRec.dll

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\!KillBox\USYP_0001_N85M2606NetInstaller.exe

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.microsofteup.112.2o7.net/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[searchportal.information.com/]

Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt[.tucows.com/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Andy\Cookies\andy@hitbox[1].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andy\Cookies\[email protected][2].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Andy\Cookies\andy@zedo[1].txt

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\62331321-A76D-4731-9E16-1A3063

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\35E93FDA-9E66-4B24-B751-223610\65EEAF63-7639-4A65-8F0C-A1C5B6

Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\58D00DD5-F1D5-4FD4-8C71-24DCE6

Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Andy\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF3F3369-85A0-419D-B2D0-96C77A\718AE7B9-3150-4FB9-A4BA-FB9294

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Andy\Local Settings\Temp\ICD1.tmp\USYP_0001_N85M2606NetInstaller.exe

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\05EN4LQN\QDow_AS2[1].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\05EN4LQN\QDow_AS2[2].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[1].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[2].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[3].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[4].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\27WV34XW\QDow_AS2[5].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\833B64TH\QDow_AS2[1].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\833B64TH\QDow_AS2[2].cab

Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\8DUZ4DEJ\QDow_AS2[1].cab

_______________________________

New HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 4:19:11 PM, on 7/16/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\fxredir.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MemTurbo\MemTurbo.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Are these observations helpful, or can you tell as much from the logs?
Yes! Very Helpful! :)

Alright, time to take out the big guns. We'll get it this time.

Please print out these directions for use if/when you cannot access this page.

Download CWShredder Here to its own folder.

Update CWShredder

  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Reboot your computer into normal windows

Please scan with HJT and place a check next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Andy/My%20Documents/LocalHome.htm

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\opppp.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll

O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll

O20 - Winlogon Notify: tuspp - C:\WINDOWS\SYSTEM32\tuspp.dll

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\WINDOWS\System32\opppp.dll

C:\WINDOWS\system32\tuspp.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Matt
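A small HijackThis log triage script, added here as an example and not part of this thread or of HijackThis itself: it parses the O2, O16 and O20 lines and flags the pattern this cleanup turned on (the same DLL registered both as a Browser Helper Object and as a Winlogon Notify package), plus the orphaned "(file missing)" entries left behind once a file is deleted. The sample lines are constructed from the entries posted above (the O16 URL is kept truncated as posted), and the line patterns assume the HijackThis v1.99.1 log format shown in this thread.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not part of the thread)."""
import re

# Constructed sample: lines in the HijackThis v1.99.1 format mirroring the entries
# posted in this thread (the opppp.dll / tuspp.dll pair plus benign ones).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\\WINDOWS\\System32\\opppp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1.1\\SDHelper.dll
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\\WINDOWS\\system32\\tuspp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O20 - Winlogon Notify: opppp - C:\\WINDOWS\\System32\\opppp.dll
O20 - Winlogon Notify: tuspp - C:\\WINDOWS\\SYSTEM32\\tuspp.dll
O20 - Winlogon Notify: tuspp - tuspp.dll (file missing)
"""

# Line shapes as printed by HijackThis v1.99.1 (assumed from the logs in this thread).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>.*?)\))? - (?P<url>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
MISSING = " (file missing)"


def split_path(raw):
    """Return (lower-case file name, is_missing) for an HJT path field."""
    missing = raw.endswith(MISSING)
    if missing:
        raw = raw[: -len(MISSING)]
    base = raw.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base, missing


def parse_hjt(text):
    """Group O2 / O16 / O20 lines by section; all other sections are ignored."""
    entries = {"O2": [], "O16": [], "O20": []}
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            dll, missing = split_path(m["path"])
            entries["O2"].append({"name": m["name"], "clsid": m["clsid"], "dll": dll, "missing": missing})
        elif m := O16_RE.match(line):
            entries["O16"].append({"name": m["name"], "clsid": m["clsid"], "url": m["url"]})
        elif m := O20_RE.match(line):
            dll, missing = split_path(m["path"])
            entries["O20"].append({"key": m["key"], "dll": dll, "missing": missing})
    return entries


def triage(text):
    """Return the findings a helper would act on first, from a log's text."""
    entries = parse_hjt(text)
    bho_dlls = {e["dll"] for e in entries["O2"]}
    notify_dlls = {e["dll"] for e in entries["O20"]}
    # One DLL registered both as a BHO (loaded into Internet Explorer) and as a
    # Winlogon Notify package (loaded into winlogon.exe at boot). That dual hook is
    # the persistence seen in this thread, and the winlogon.exe load is why deleting
    # the file from Explorer fails with "being used by another program", even in Safe Mode.
    dual = sorted(bho_dlls & notify_dlls)
    # Registry entries whose DLL is gone: inert, but still to be removed with
    # HJT "Fix checked" so nothing keeps trying to load them.
    orphaned = sorted({e["dll"] for sec in ("O2", "O20") for e in entries[sec] if e["missing"]})
    # ActiveX downloads (O16) with no friendly class name. Not proof of anything on
    # their own (legitimate ones appear in these logs too), but the rogue "antivirus"
    # installers in this thread arrived in exactly this shape, so list them for review.
    unnamed_dpf = sorted(e["clsid"] for e in entries["O16"] if not e["name"])
    return {"dual_persistence": dual, "orphaned": orphaned, "unnamed_dpf": unnamed_dpf}


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```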


Matt,

YAHOO!! We’re making progress now!

Observations:

• CWShredder opened fine and the update said we were running the most current version

• Had trouble opening in Safe Mode. At one point something about a file ccapp.? flashed by, any ideas

• Never got a "real" Safe mode screen, just a black screen with "Safe Mode" written in each corner. I finally ran CWShredder as a "New Application" from Task Manager which did come up in the black SafeMode screen…

• CWshredder found no problems, so I didn’t have anything to agree with.

• I ran HJT to check the appropriate items, however the two references to the opppp.dll were not listed. Hmmm something must have worked!!!

• Avenger ran smoothly and after it ran things REALLY sped up!

Post cleaning observations

• The CPU is no longer maxed at 100%, however it does spike a lot going from 1-3% jumping to 50 to 70%, every couple of seconds with no applications running… Is there still some nasty there?

• I noticed that winlogon.exe is still an active process, but it is not dominating the CPU usage… we must have the real thing back. The process that seems to be spiking the CPU performance is the SunProtectionServer.exe… is that part of CounterSpy? Should it take so much resources?

• I tried running in Safe Mode after this round and it booted up into SafeMode fine.

• Rebooted in Normal Mode and for the first time in a long time I didn’t get any pop-ups blasting me!

• I was going to open an Internet Explorer browser and see if I got attacked, but I thought I should probably wait till you had a chance to check over the logs before I opened that door again.

What’s next?

• I’ve had Norton AV running for years, I’ve used SpyBot and a-squared, for a long time too. Recently when things started getting REALLY bad I discovered and added AdAware, CounterSpy and Ewido. Are these overkill? Do they work well together? Anything else I should have on board?

• Should I delete the backup.zip in the C:\avenger\ subdirectory?

• Should I enable CounterSpy?

• Are we ready to install SP2? Windows "Automatic Updates" keeps telling me I have 2 updates to install… one of which I know is SP2

Here are the files from this round:

THANKS!

Andy

____________________________________

Avenger.txt:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\fegtbywq

*******************

Script file located at: \??\C:\WINDOWS\mwfiktxg.txt

Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\opppp.dll not found!

Deletion of file C:\WINDOWS\System32\opppp.dll failed!

Could not process line:

C:\WINDOWS\System32\opppp.dll

Status: 0xc0000034

File C:\WINDOWS\system32\tuspp.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

__________________________________________

HijackThis Log

Logfile of HijackThis v1.99.1

Scan saved at 10:04:09 PM, on 7/17/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Canon\MultiPASS4\monitr32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\fxredir.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MemTurbo\MemTurbo.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: tuspp - tuspp.dll (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Alright! Just some tidying up to do now! :thumbsup:

Please scan with HJT and place a check next to the following items:

O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll (file missing)

O20 - Winlogon Notify: tuspp - tuspp.dll (file missing)

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

The process that seems to be spiking the CPU performance is the SunProtectionServer.exe… is that part of CounterSpy?
Yes it is.
I’ve had Norton AV running for years, and I’ve used SpyBot and a-squared for a long time too. Recently, when things started getting REALLY bad, I discovered and added AdAware, CounterSpy and Ewido. Are these overkill? Do they work well together? Anything else I should have on board?
While Norton isn't the greatest security software, it is better than nothing. No, what you have is not overkill. Once I am sure you are completely clean, I will post some software I like to suggest to people to help them stay malware-free. :)
Should I delete the backup.zip in the C:\avenger\ subdirectory?
If you wish. It's dormant and the files within it are not active. And as things seem to be fine, it doesn't look like we'll need those backups. However, I must point out one thing. If you notice, things were not working until we used Avenger. This is because Avenger is one of the most powerful applications in the anti-malware community. That is why I was hesitant to use it with you. Because it is so powerful, if misused, it can destroy your system. I would recommend that you remove it from your computer to prevent any accidental misuse.
Should I enable CounterSpy?
Not yet.
Are we ready to install SP2?
Not yet.

Try running Ewido now, in normal mode. Then, post back the Ewido Report and a new HJT log.

Matt

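As an added illustration (not part of this thread, and not code from HijackThis itself), the following Python parses entries in the HJT log format quoted above and picks out the "(file missing)" orphans Matt asked to have fixed, i.e. registry hooks left behind after the malware file was removed. The sample lines are constructed after the entries quoted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the
# entries quoted in this thread: a file-missing BHO and its Winlogon Notify
# hook, plus legitimate Symantec entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BDF90A20-C0DA-4FAE-95A2-AAA4D4D32B08} - C:\WINDOWS\system32\tuspp.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: tuspp - tuspp.dll (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

MISSING = " (file missing)"  # HJT's marker for a hook whose target is gone


@dataclass
class Entry:
    section: str            # "O2", "O4", "O20", "O23"
    name: str               # display name, Run value name or service name
    path: str               # file the entry points at (may be a bare basename)
    clsid: Optional[str]    # COM CLSID for O2 entries, otherwise None
    file_missing: bool      # True when HJT could not find the file on disk
    raw: str                # the original log line


# One pattern per section handled; other sections are skipped, not guessed.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for sections this parser does not know."""
    section = line.split(" - ", 1)[0]
    pattern = PATTERNS.get(section)
    if pattern is None:
        return None
    m = pattern.match(line)
    if m is None:
        return None
    path = m.group("path")
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    path = path.strip().strip('"')          # O4 lines often quote the command
    return Entry(section, m.group("name"), path, m.groupdict().get("clsid"), missing, line)


def parse_hjt(text: str) -> List[Entry]:
    """Parse every recognised entry in a pasted HJT log, in order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Hooks whose target file is gone: the leftovers 'Fix Checked' removes."""
    return [e for e in entries if e.file_missing]


def referencing(entries: List[Entry], basename: str) -> List[Entry]:
    """Every entry, across sections, pointing at the same DLL/EXE basename,
    so a BHO and the Winlogon Notify hook for one DLL are seen together."""
    wanted = basename.lower()
    return [e for e in entries if ntpath.basename(e.path).lower() == wanted]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in orphaned(found):
        print(f"orphaned {e.section} entry: {e.raw}")
    for e in referencing(found, "tuspp.dll"):
        print(f"references tuspp.dll: {e.section} {e.name}")
```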

Hi Matt,

We’re still chipping away!!

A few observations

• At your suggestion I went to remove Avenger. I deleted the downloaded .zip file, however when I went to Add/Remove programs I could not find an entry for “Avenger”. Is there a special uninstall program somewhere?

• A couple other cleanup programs to add to the list of programs I listed in my posting yesterday. I downloaded the limited version of “Avast”; there is a Home version too, which I didn’t use. I also downloaded several Iomatic programs: System Medic, Registry Medic and Ram Medic. How do these fit into the mix? Several of the downloaded trial versions of these and the other programs I listed earlier expire soon. I plan to purchase the full version, but probably can’t afford ALL the ones I’ve tried. I’ll await your recommendation.

• You mentioned that Norton’s AV isn’t the greatest security software. My ISP recommended F-Secure because Norton is known to cause problems with my internet connection. How does F-Secure rate?

• When I opened Ewido to run it, the “Resident Shield” was inactive. I activated it. Was that OK?

• After running Ewido I clicked on the “fix” button. It gave me a message that a File can’t be quarantined because it is embedded in an archive. I chose the option to quarantine the whole archive. (The file was one of the SysProtect files).

• I was surprised that Ewido found as many more nasties as it did!

• FYI… for an example of how much better things are going already, Ewido only took a few hours to run, compared to literally a couple of days to run the first time. (CounterSpy took just 20 minutes shy of 3 days to run the first time!!!)

• Another thing I try to do on a regular basis is defragment my drive. I’ve been told that the Windows defragmenter isn’t that great. I’ve also used Norton’s “Speed Disk”. Do you know of other programs that work better? I realize this isn’t a malware issue, but thought I’d ask because it affects system performance and I plan to defrag as soon as I get "clean".

• I opened a FireFox browser just now and started typing in the URL for BestTechie. As I typed a list of previously entered sites came up so I clicked on the listing for Besttechie.net. It took me to another site... do we still have something going on? I tried it again and it worked fine.

Thanks,

Andy

Here are the new logs:

___________________________

Ewido Report

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

+ Created at: 6:34:56 PM 7/18/2006

+ Scan result:

C:\!KillBox\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\Documents and Settings\Andy\Local Settings\Temp\ICD1.tmp\USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\8HEJ4HI3\SysProtectScannerInstall[1].cab/USYP_0001_N85M2606NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N85M0307NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).

C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\QH8B6PML\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).

C:\WINDOWS\system32\crrffybp.dll -> Logger.VBStat.c : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M0604NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Ignored.

:mozilla.17:C:\RECYCLER\NPROTECT\05653057.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.19:C:\RECYCLER\NPROTECT\05653038.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.19:C:\RECYCLER\NPROTECT\05653067.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.19:C:\RECYCLER\NPROTECT\05660169.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.21:C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.21:C:\RECYCLER\NPROTECT\05660191.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.21:C:\RECYCLER\NPROTECT\05660207.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.21:C:\RECYCLER\NPROTECT\05660935.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.22:C:\RECYCLER\NPROTECT\05660212.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.22:C:\RECYCLER\NPROTECT\05660217.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.22:C:\RECYCLER\NPROTECT\05660932.MOZ -> TrackingCookie.2o7 : Cleaned.

:mozilla.18:C:\RECYCLER\NPROTECT\05653057.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.20:C:\RECYCLER\NPROTECT\05653038.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.20:C:\RECYCLER\NPROTECT\05653067.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.20:C:\RECYCLER\NPROTECT\05660169.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.22:C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\dxvm3tsr.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

:mozilla.22:C:\RECYCLER\NPROTECT\05660191.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.22:C:\RECYCLER\NPROTECT\05660207.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.22:C:\RECYCLER\NPROTECT\05660935.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.23:C:\RECYCLER\NPROTECT\05660212.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.23:C:\RECYCLER\NPROTECT\05660217.MOZ -> TrackingCookie.Atdmt : Cleaned.

:mozilla.23:C:\RECYCLER\NPROTECT\05660932.MOZ -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\Andy\Cookies\andy@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.

C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.

C:\RECYCLER\NPROTECT\05660701 -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\Andy\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.

C:\RECYCLER\NPROTECT\05660715 -> TrackingCookie.Zedo : Cleaned.

::Report end

_______________________________________

HJT log

Logfile of HijackThis v1.99.1

Scan saved at 6:40:51 PM, on 7/18/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe

C:\Program Files\Canon\MultiPASS4\monitr32.exe

C:\WINDOWS\System32\fxredir.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\WINDOWS\MXOALDR.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MemTurbo\MemTurbo.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Andy\My Documents\Downloads\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe

O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I deleted the downloaded .zip file, however when I went to Add/Remove programs I could not find an entry for “Avenger”. Is there a special uninstall program somewhere?
To remove, you can just delete avenger.exe from wherever you unzipped it onto your computer.
I downloaded the limited version of “Avast”
This is actually bad. You never want more than one Anti-Virus running on a single system. They will conflict and actually give you less protection.
I also downloaded several Iomatic programs: System Medic, Registry Medic and Ram Medic. How do these fit into the mix?
I've never used those programs before. I tend to shy away from Registry tools because often they can make mistakes and kill a system. As for a RAM tool, I'd recommend RAMSmart by AllBeGone. It is a very good tool, and works very well.
My ISP recommended F-Secure because Norton is known to cause problems with my internet connection. How does F-Secure rate?
F-Secure is very good. The best paid Anti-Virus software is probably NOD32. If you're looking into a free AV, I'd suggest AVG Free. It's what I use, and is very good. But remember, NEVER have more than one AV running on your system! If you choose to use one of these, or something else, remember to uninstall your current one.
When I opened Ewido to run it, the “Resident Shield” was inactive. I activated it. Was that OK?
It won't harm anything. If you'd like, you can activate it.
After running Ewido I clicked on the “fix” button. It gave me a message that a File can’t be quarantined because it is embedded in an archive. I chose the option to quarantine the whole archive. (The file was one of the SysProtect files).
That's fine, Ewido did its job :)

I'm glad to hear your system is running much better!

One of the things I try to do on a regular basis is Defragment my drive. I’ve been told that the Windows defragmenter isn’t that great.
Actually, Windows' defragger isn't bad. It's what I use. I haven't played around much with other apps like that.

Anyway, Congrats! Your log is clean! :thumbsup:

You can go ahead and enable CounterSpy and download the latest windows updates.

If you have any more questions before we close this up, feel free to ask! :)

The following is a list of free tools and utilities that I like to suggest to people; many you already have. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Firefox - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera is good as well.
  2. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  3. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  4. SpywareBlaster - Great prevention tool to keep malware from installing on your system.
  5. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  6. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  7. ATF Cleaner - Cleans temporary files from web browsers, and much more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  8. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  9. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this guide on safer computing.

If you would like, you can post any comments, suggestions, or feedback to our Comments and Suggestions Area.

Matt


Hi Matt,

Thanks for all your help; things are going much smoother. As I continue to update and clean up I’m coming up with a few more questions.

• I have updated Windows and activated Automatic Updates. Seems every time I reboot there are a few more updates. I figure that is because some updates are dependent on earlier updates being completed.

• I was going through Add/Remove Programs deleting old unused programs and discovered that SysProtect 1.3.148.0 is still listed. There is also a listing for SysProtect in the START>Programs menu. In the Start>Programs>SysProtect submenu there is an “uninstall” program. I didn’t dare click that one. How should those items be dealt with?

• I noticed that Ewido seemed to be one of the primary tools you used for detecting malware. How does that fit into the list of tools you recommend? I realize it's not free like the programs you listed. I like free, but I also don’t mind paying for good tools. Would Ewido complement the list? Is it considered an “Anti-virus” and thus shouldn’t be used with other AV programs?

• How often should the programs like SpyBot and AdAware (and Ewido) be run? Some of the programs can be scheduled for automatically scanning, what is a good interval?

• The IE-SpyAd program that lists over 5000 sites. Is that JUST for Internet Explorer? Is there an equivalent for FireFox? If I use FireFox, do I need it?

Thanks,

Andy

I was going through Add/Remove Programs deleting old unused programs and discovered that SysProtect 1.3.148.0 is still listed. There is also a listing for SysProtect in the START>Programs menu. In the Start>Programs>SysProtect submenu there is an “uninstall” program. I didn’t dare click that one. How should those items be dealt with?
You can remove it via Add/Remove Programs.
I noticed that Ewido seemed to be one of the primary tools you used for detecting malware. How does that fit into the list of tools you recommend? I realize it's not free like the programs you listed. I like free, but I also don’t mind paying for good tools. Would Ewido complement the list? Is it considered an “Anti-virus” and thus shouldn’t be used with other AV programs?
Ewido is a fantastic tool. It's one of the best Anti-Malware tools out there. Ewido can complement just about any security setup. It doesn't fall under AV (it's categorized as "anti-malware"), so it's safe to have along with your current AV.

If you are interested, another commercial program that is excellent is Webroot SpySweeper. It is not free, but is very powerful, like Ewido. If you don't mind paying, I'd recommend them both, along with what you already have.

How often should the programs like SpyBot and AdAware (and Ewido) be run? Some of the programs can be scheduled for automatically scanning, what is a good interval?
This is really personal opinion. Some people run them once a week, others once a day. I actually don't run scans on any sort of schedule, mostly because I'm fairly certain when my system is clean. Others, however, may feel differently. It's based on you and your habits. If you do a lot of downloading, P2P activity, surfing, going to questionable sites, you may want to scan frequently. If you don't fall under that, you may feel that you don't need to run a scan as often.
The IE-SpyAd program that lists over 5000 sites. Is that JUST for Internet Explorer? Is there an equivalent for FireFox? If I use FireFox, do I need it?

IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. So, its protection is only valid in IE (which is really the only place it is needed). However, even if you do use Firefox, it's still a good idea to have, as people often have to use IE for those pages that just don't work in FF. You'll eventually use IE sometimes, so it's good to have that added protection.

Matt


Matt,

Things are looking good. The computer is working better than it has in a long time. It was literally unusable when I finally discovered Besttechie.net. I was ready to format C and start over.

It has truly been a pleasure working with you on this. I'm impressed with your fast responses, patience with all my questions and thoroughness in getting the job done.

I have also learned a great deal from working with you.

You guys are truly the Super Heroes of Cyber Space, and the evils you fight are every bit as nasty as any conjured up by Hollywood... except the jerks you deal with are real. I really don't understand the mind of people that would intentionally cause such grief and expense for folks.

You certainly provide a valuable service. I think I could probably keep finding questions “'til the cows come home”, but I think we can call this Topic Closed.

MANY THANKS,

Andy


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
