Blender replied on January 02, 2009 09:14 to the problem "Sunbelt software adverts on start up are spam" in Sunbelt Software:
Hi Robert,
Sorry to hear you are having problems.
Sunbelt Software does not advertise their products in the manner you describe.
It appears you have something going on causing these advert popups. There are many advertising trojans that do this to advertise rogue security products in an attempt to scare users into buying them.
I advise you make sure your currently installed security products are up to date with latest definitions and run a full system scan in safe mode. Let the antimalware fix/quarantine what it wants including a reboot if necessary to completely remove offending software.
If that does not help...
You can contact Sunbelt Support at support@sunbeltsoftware.com by email describing your issue and someone will work with you directly to remove the offending software.
It may assist the tech if you also include a screenshot in your email of the advert if you can please.
Thank you & all the best for 2009!-
Blender started following the question "Vundo Virus on my system with Vipre installed." in Sunbelt Software.
Blender replied on November 15, 2008 20:27 to the question "Porn PopUps in IE7" in Sunbelt Software:
Hi PopsTX & welcome,
Thanks for choosing Sunbelt products.
I suspect something must be re-loading those threats or something newer on the system that we don't detect yet.
Let's see if we can find it.
Once we find the issue we can work together to remove the threats.
I will need a couple logs from you to help me determine your Operating System and what the problems are.
If you have trouble understanding any of the instructions given while we work, please don't hesitate to ask for clarification.
Please download this tool and save it to your desktop:
http://download.bleepingcomputer.com/...
Temporarily disable antimalware programs to prevent their interference with the running of OTViewIt.exe.
Some AV products detect this file as suspicious because of the packer used. I assure you it is not dangerous. (it simply makes logs of new files and non default registry entries on your system & makes no changes to system other than generate logs)
Double click OTViewIt.exe to run.
Click "run scan"
When done it will have produced 2 logs in the same folder you saved OTViewIt.exe to. (should be on desktop)
These logs you can close.
Please send both logs to me. (OTViewIt.txt & Extras.txt)
I would rather you email the logs rather than post because trying to read them in the forums will be difficult. (email below)
In your email please post a link to this thread so I know whose logs they are.
If you have an open Ticket # with Sunbelt Support please put that in email as well so we can keep track.
Don't forget to re-enable antimalware programs when done.
I may ask for more logs and/or file samples later but the above should give us a good start.
Thank you
Tammy Stewart
Sunbelt Software
tammys(AT)sunbelt-software.com (replace (AT) with @ )
"edited to fix broken URL"
Blender replied on November 12, 2008 23:27 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Good to hear all is well.
You can clean up the tools we used.
Open Hijackthis.
If it is at the scan screen click "config" then "misc tools" and "backups"
If it starts at the main options screen click "open misc tools options" then "view list of backups"
Click "delete all" and OK the prompt.
Exit Hijackthis.
You can delete RegSearch.zip and its folder.
Also delete the Norton removal tool you downloaded/used.
Take care & surf safe!
Tammy
Blender replied on November 08, 2008 10:44 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi TheJoker,
Log looks good.
Normally when you have to use some kind of tool that involves removing services, registry items, some files & folders on Vista it is normally needed to run tool as admin.
One needs admin privs to remove/edit services, drivers, registry, access certain files/folders and install/uninstall most software.
Unless you disabled UAC. Did you?
Disabling UAC will let you do more with less prompts but also may open you to bigger chance of getting infected or having unwanted software installed.
More on UAC here:
http://en.wikipedia.org/wiki/User_Acc...
Everything still running OK?
Blender replied on November 06, 2008 02:17 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi,
Glad to hear things are going well.
I still see Norton/Symantec stuff in your log.
Norton has a removal tool that will help remove the remains.
You can go to this site:
http://service1.symantec.com/Support/...
Choose the Norton product you had
Next page choose your operating system. (Vista)
Download the tool and save it someplace handy.
Advisable to disable Active Protection for Vipre while running this tool to avoid the alerts Vipre will give you due to registry changes.
Right click the file you just downloaded and choose "run as administrator"
Follow the prompts and reboot when asked.
It may require more than one reboot to complete removal.
Once done re-enable your Vipre & post a fresh Hijackthis log here please.
Let me know how system is running.
If all is well we'll clean up the tools we used & reset system restore to purge old restore points and create a fresh one.
Thanks,
Tammy
Blender replied on November 05, 2008 07:32 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi,
Log looks good. :)
I expected you to see some results with a couple scans after fixing those 2 HJT entries because of definition updates to Vipre.
Let me know if they keep coming back.
I don't expect they will because we were able to fix the other entries easy enough.
You may see or have seen since a few more registry traces and at least one file trace. (the one you sent me)
Looks like you had some trouble uninstalling Norton & AVG at one time or another.
It appears you are not running any other Norton products so it is just the auto update programs that need to be uninstalled.
One related entry in HJT for AVG as well that should be cleaned up to clean house a little.
Doing this should also help improve system performance because Norton will no longer be looking for updates to a nonexistent product.
If I am correct in thinking you no longer run Norton, these 2 items can be uninstalled via "programs and features" in your control panel:
LiveUpdate Notice (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
Reboot when done.
Run Hijackthis (as admin), do system scan and check the following entry if present:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
Click "fix checked" and OK.
Rescan with Hijackthis (as admin) and post the new log please.
Let me know if Norton uninstalls went OK or if you had troubles.
Thank you,
Tammy
Blender replied on November 04, 2008 15:53 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
TheJoker:
I believe we have enough info to remove the remaining bits of OpinionSquare.
Click Start> programs> accessories.
Right click on "command prompt" and choose "run as administrator"
OK the UAC prompt.
A "dos" box opens.
Type the following command exactly as you see it & hit enter:
sc delete OpinionSquare
You should get a success message. Let me know if you get an error message.
Exit the command prompt.
Next, Open Hijackthis (run as admin)
Do system scan and check if present the following:
O20 - AppInit_DLLs: C:\Windows\system32\opai.dll
Close all open windows except Hijackthis & hit "fix checked" and OK.
Exit Hijackthis & reboot.
Please post a fresh hijackthis log here.
Let me know how the system is running.
Don't be alarmed if you see a few adware traces in next couple scans.
Likely a result of OpinionSquare/Marketscore items being added to definitions.
Thanks,
Tammy
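Added example, not part of the original replies and not Sunbelt or HijackThis code: a small triage script for the two HijackThis entry types fixed in this thread, flagging O2 BHO entries marked "(file missing)" and any populated O20 AppInit_DLLs value (DLLs listed there are loaded into every process that loads user32.dll). The function names and the third sample line are assumptions made for illustration; the other sample lines are the ones quoted on this page.

```python
import re

# Lines quoted in the replies on this page, plus one constructed healthy BHO
# entry (name, CLSID and path invented for contrast).
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\Windows\system32\msxml71.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - AppInit_DLLs: C:\Windows\system32\opai.dll
"""

# "<section> - <kind>: <body>", e.g. "O20 - AppInit_DLLs: C:\...\opai.dll"
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<body>.*)$")
# O2 body: "<name> - {CLSID} - <path>[ (file missing)]"
BHO = re.compile(
    r"^(?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_log(text):
    """Return one dict per recognised log line; O2 lines get BHO fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        entry = m.groupdict()
        if entry["section"] == "O2":
            b = BHO.match(entry["body"])
            if b:
                entry.update(name=b["name"], clsid=b["clsid"].upper(),
                             path=b["path"], missing=bool(b["missing"]))
        entries.append(entry)
    return entries


def review(entries):
    """Return (reason, clsid, path) tuples for entries worth a closer look."""
    findings = []
    for e in entries:
        if e["section"] == "O2" and e.get("missing"):
            # Registry still registers a BHO whose DLL is gone from disk.
            findings.append(("orphaned BHO", e["clsid"], e["path"]))
        elif e["section"] == "O20" and e["body"].strip():
            findings.append(("AppInit_DLLs set", None, e["body"].strip()))
    return findings
```

A flagged entry is only a candidate for review; as the replies here note, most HijackThis entries are legitimate and should not be fixed blindly.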
Blender replied on November 04, 2008 14:07 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Blender replied on November 04, 2008 13:18 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi TheJoker,
Thanks for the logs.
I will go over them & reply in a bit with recommendations.
Those 24 items that showed up for Explorer32.Hijacker are most likely a result of registry items added to the defs.
You let VIPRE clean it?
If you open Vipre then click "view" > manage malware> view history.
Pick date of scan that showed items.
Highlight the Explorer32.Hijacker line then click "show details" you should see registry traces.
Take a screenshot while you have the details window open and upload it please. (imageshack is fine)
Thanks,
Tammy
Blender replied on November 03, 2008 21:21 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi TheJoker,
How about in C:\Program files?
Quite possible the directory has already been removed.
Any return of Explorer32.Hijacker?
Go ahead & upload those 2 other files please.(opai.dll & opservice.exe)
We need those files for the definitions.
I'd also like to search in registry for those files.
Download this tool to your desktop & unzip it to its own folder:
http://www.xs4all.nl/~fstaal01/downlo...
Once unzipped right click RegSearch.exe & choose run as administrator and OK the UAC prompt.
In the search for section paste in the following lines:
opservice
opai.dll
OpinionSquare
opsetup
then hit OK.
It will search registry & once done will give you a text output called RegSearch.txt in the RegSearch folder.
You will need to close the text file before exiting RegSearch or program might hang.
Please email RegSearch.txt to me because The forum software may mung up the registry output making it unsafe for me to draw up any needed fixes.
Having it mailed will preserve the "code".
Can you post here also an uninstall list from Hijackthis please.
Run Hijackthis as admin.
If at the main scan screen hit "config" then "misc tools" otherwise click "open misc tools options".
click "open uninstall manager"
click "save list..."
Save the list & post its contents here.
Thanks,
Tammy
coppertop(at)personainternet.com
tammys(at)sunbelt-software.com
Blender replied on November 03, 2008 06:46 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi TheJoker,
Looks like things are getting better. Looks like Explorer32.Hijacker is gone.
For OpinionSquare -- Sounds like it was partly uninstalled.
Do you also have C:\ProgramData\OpinionSquare <--><-->http://www.uploadmalware.com
You will see several upload slots.
In #1 please copy/paste the following:
C:\Windows\system32\opai.dll
In #2 paste in the following:
C:\Windows\system32\opservice.exe
If you have either of the OpinionSquare folders mentioned above, can you zip it up and upload it as well to the above site.
In the "URL where file was requested" box copy/paste in URL from this thread.
Hit "send file" and in a moment or 2 you should get success message.
I will be notified when files arrive.
Thanks,
Tammy
Blender replied on November 03, 2008 05:18 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi TheJoker,
Thanks for the logs.
The xml logs I am looking for are in your History folder I believe should be here (unlike what I said earlier for Vista)
C:\Users\All Users\AppData\Roaming\Sunbelt\AntiMalware\History
No need for the logs now though or showing hidden files since you provided screenshots.
Question about your HJT log.
Did you install "Opinion Square"?
You do realize it is related to MarketScore adware?
http://www.bleepingcomputer.com/unins...
If it is listed in "programs and features" in your control panel I suggest you uninstall it. I don't think you really want them tracking your internet usage.
Let me know if it uninstalled OK.
Please start Hijackthis (right click > run as administrator> OK UAC prompt)
Run system scan and check ONLY the following:
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\Windows\system32\msxml71.dll (file missing)
Close all open browser windows and explorer windows and hit "fix checked" and OK.
OK any prompts you may get for removing a BHO & CLSID.
Exit Hijackthis.
Reboot.
Please post a new Hijackthis log (run as admin) and let me know how the system is running.
Let me know how the "Opinion Square" software uninstall went.
There should be a few more registry items removed in the next VIPRE definitions update related to Explorer32.Hijacker.
If it returns again.. we'll do a little more digging.
Thanks,
Tammy
Blender replied on November 02, 2008 23:02 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi TheJoker,
I work remotely for Sunbelt Software as a malware removal specialist. Alex asked me to pop in here to assist.
If that hijacker keeps showing up there must be something re-installing it.
If Normal mode scan shows the threat again can you please do the following:
We need to see what we are getting.
Can you send me the most recent Vipre Logs?
On 2K & XP they will be located here:
C:\Documents and Settings\All Users\Application Data\Sunbelt\AntiMalware\History
On Vista the logs should be here:
C:\users\all users\application data\Sunbelt\AntiMalware\History
Application data folder is hidden so if you have not already you will need to enable system to show hidden files/folders.
How to:
http://www.bleepingcomputer.com/tutor...
To quickly locate the most recent logs click the "view" tab in the "history" folder, arrange icons by> "modified"
Newest are at bottom of folder.
Last 2 or 3 logs should do.
We also need to see what we are not getting.
Can you also send me a Hijackthis log.
Download & install Hijackthis from here:
http://www.trendsecure.com/portal/en-...
Continue through the setup and have it create a desktop icon for you
Follow all the prompts, click Finish, and have it start HijackThis
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad
Exit Hijackthis when done.
Please don't be tempted to fix anything just yet. Most of the entries you see are legit/needed for proper system operation.
Send your Hijackthis log file and the Vipre history logs to coppertop(at)personainternet.com (replace (at) with @)
You can cc email to support@sunbeltsoftware.com as well.
Please include URL to this thread in your email.
Please include "Ticket#001-00-250548" in your email as well.
I may ask for more logs and/or file samples later but this should give us a good start.
Thanks,
Tammy
Blender replied on November 02, 2008 07:23 to the question "Help Destroying Explorer32.Hijacker" in Sunbelt Software:
Hi TheJoker & welcome,
Thank you for choosing Sunbelt products.
In addition to what PerryB asked; can you tell us the dll name in question & where exactly on the system it is located?
When the VIPRE scan is done and shows results for Explorer32.Hijacker, highlight the results line then click the "details" button.
It should show the complete path to the file including file name. Post that info here please.
Thank you,
Tammy
