I did the 8 steps and need your advice

Status
Not open for further replies.

semiblue090

Hi, I hope I do this right and thanks for being here.
I have a compaq presario c762nr notebook everything original
I also have:
Norton
Avast
Superantispyware
Malwarebytes' Anti-Malware
Ad-Aware
Spybot
HijackThis
CCleaner
I have done all the steps in the post.... 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

I was getting:
rundll errors at start up
my typing was having issues
I was getting full page pop ups a lot
under tools it was checking itself to work offline
under internet options it was setting cookies to low
Since I have done all the steps everything seems to be going good..*fingers crossed*
I saw the virtumonde and zlob in the list..
also do I need to redo my whole lappy or should I just change passwords or is this more an annoying ad virus?
Thanks a million for your help And I am attaching my logs...I hope I did them right :)
 
First thing you need to deal with is that you are running two antivirus programs. That shouldn't be done. I have grouped the entries for Symantec and Avast for you. Decide which you want to keep and the entries for the others will need to be removed and the program uninstalled:

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries for the antivirus program that you do not want to keep:
For Avast:
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
For Symantec:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Check the following to fix:
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
Stop these two Real Time programs:
C:\Users\A\Downloads\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

Now close all windows other than HiJackThis, then click *Fix Checked.* Close HiJackThis and reboot into Safe Mode:
Start> Run> Type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK the processes for the antivirus program you do not want to keep.> UNCHECK Spybot and Malwarebytes> Apply> OK

Start> Run> type in services.msc> find each of the Services for the antivirus program that you do not want to keep. On each of those Services> right click> Properties> change the Startup Type to Disabled.
When through> Reboot into Normal Mode.

Scan with HijackThis again and post the log.

Reminder: you have two antivirus programs. You will keep one and remove the other. We will uninstall the program you don't want to keep next go round. For the antivirus program you WANT to keep, leave all the processes and Services as they are now.

Thank you for following the malware cleaning process and attaching all the logs as requested.
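
The triage in the reply above (grouping HijackThis entries by antivirus product and spotting entries whose file is gone), as an added example that is not part of the original thread. The sample log is constructed from entries quoted on this page; the `AV_MARKERS` substrings and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the entries quoted in this thread.
SAMPLE_LOG = r"""
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Assumption: path/vendor substrings that identify each antivirus product.
AV_MARKERS = {"Avast": ("alwil", "avast"), "Symantec": ("symantec", "norton")}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")   # e.g. "O23 - ..."
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")          # target is gone

def triage(log_text):
    """Return (entries grouped by AV product, orphaned entries)."""
    by_av, orphans = defaultdict(list), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        code = m.group("code") if m else "PROC"  # a bare path is a running process
        if ORPHAN.search(line):
            orphans.append((code, line))
        lowered = line.lower()
        for product, needles in AV_MARKERS.items():
            if any(n in lowered for n in needles):
                by_av[product].append((code, line))
                break
    return dict(by_av), orphans

def active_av_products(by_av):
    """Products with a running process, a Run key (O4) or a service (O23)."""
    live = {"PROC", "O4", "O23"}
    return sorted(p for p, items in by_av.items() if any(c in live for c, _ in items))

if __name__ == "__main__":
    grouped, orphaned = triage(SAMPLE_LOG)
    print("Active antivirus products:", active_av_products(grouped))
    for code, line in orphaned:
        print("Orphaned entry:", line)
```

More than one name from `active_av_products` is the two-antivirus conflict described in the reply; the orphaned list corresponds to the "(no file)" entries it asks to fix.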
 
To add:
Open Internet Explorer> Tools> Internet Options> Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> Check 'Allow first party Cookies'> Check 'Block third party Cookies'> Check 'Allow per session Cookies'> Apply> OK.

This will keep some of the trash off.
 
Thanks Bobbye..I will do this first thing tomorrow..I just wanted you to know that I'm not slacking..and I will post back to you as soon as I have done it all. I got tied up this afternoon..my sons car is having security issues too..lol

If i get rid of symantec do I still use nortons firewall or windows? Sorry for the extra questions.

Thank you so much for your help.
 
> If i get rid of symantec do I still use nortons firewall or windows? Sorry for the extra questions.

There is a Norton Removal Tool that will help with the complete uninstallation:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

For now, use the Windows Firewall. If you decide on a better one, you can install it after we're through with the cleaning.
Recommended Free Firewall:
Comodo: http://www.personalfirewall.comodo.com/
Zonealarm: http://www.zonealarm.com/store/content/catalog/products/zonealarm_free_firewall.jsp
 
Hi ya'
here is the HJT log after I did what was on the list...I chose to remove all the symantec things and give avast a try..i hope it's good..
I have not used the Norton removal tool yet..
Also I have the AT&T (I use ameritech) online protection that has nortons..do I need to do anything with that?
Thanks
 
> Also I have the AT&T (I use ameritech) online protection that has nortons..do I need to do anything with that?

Yes, you need to stop it. Avast is the antivirus program now and you have the BitDefender firewall. You are already well covered with spyware/adware programs. Speaking of> I don't think you need to run Malwarebytes all the time- same for SuperAntispyware and HijackThis. The one program I would suggest is SpywareBlaster as it is a deterrent:
http://www.javacoolsoftware.com/spywareblaster.html

Before we begin, download the Norton removal Tool and Save it to your Desktop. Don't run it yet.

Reopen HijackThis and check the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost

I am usually not comfortable with redirects. You have 3 entries all going to the same page- 2 under R1 and one under R0:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=laptop.
...goes to the following:
http://compaq-laptop.aol.com/

If you set these up intentionally, leave them. IF you did not, remove them.

Old Java files to remove:
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
Symantec services to remove, then Disable:
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

Control Panel> Add/Remove Programs> Uninstall any other Java than v6u7.
Close all open Windows. Click *Fix Checked* in HijackThis, then reboot into Safe Mode:

Use Start> Run> msconfig as before to UNCHECK all Symantec/Norton processes on Start menu
Use Start> Run> services.msc to Disable ALL the O23 Symantec Services.

Reboot into Normal Mode. The nag message will come up again- close after checking 'don't show this message again'.
Double click and run the Norton Removal Tool from the Desktop

When you get that done, you can remove the cleaning tools and the old restore points:
*OTCleanit! by Oldtimer*
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.
 
hi :)

I have done the steps except the norton tool that you said wait on..and spyware blaster..
how do I know if I have malwarebytes and superanti spyware set to not run?

I didn't know I had bitdefender how do I know it's working..and does it work with vista
or should I install comodo or zonealarm? do you have a preference?
 
> how do I know if I have malwarebytes and superanti spyware set to not run?

Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab. Both Malwarebytes and SuperAntispyware should be UNCHECKED.

You should also go into each program on the programs list. Look for the configuration tab- it should have the option to 'run at startup'. UNCHECK that.

As for BitDefender:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

Sorry, I goofed on this!: BitDefender Online Scanner is a fully functional antivirus product, featuring all required elements for antivirus scanning and cleaning. And bdoscandel.exe is the uninstaller for BitDefender Online Scanner. It is located at %WinDir% directory. Look in Add/Remove Programs. If there, uninstall. And have these 2 processes removed. Do a search for bdoscandel.exe in your computer and right click> delete the file.

So you will need to remove these processes. Sorry, I was thinking Firewall and I was wrong.

Suggest getting the Comodo Firewall here:
http://www.personalfirewall.comodo.com/

You most likely did an online scan using BitDefender and it stayed on the system.

Go ahead with the Norton uninstall and the install of SpywareBlaster.
 
Hi bobbye, :wave:

Ok I'll try to go in order of the list here is what I have done..
msconfig...malware and superanti spyware aren't on the list to uncheck..so I guess they aren't running

BitDefender isn't in add/remove I put it in search and it only shows up in the HJT log files that I saved in notepad

Used the norton removal tool..so that completed

comodo is installed and it recommended letting it scan so I did it found 1 item
TrojWare.win32.Downloader c:\windows\system32\adobe\shockwave 11\symcheckupstub.exe I let comodo remove it

spyware blaster is installed I need to do the settings... are there any particular settings I should use?

You give good instructions...i really appreciate your time and help
I'll check back for whats next...
 
> comodo is installed and it recommended letting it scan so I did it found 1 item
> TrojWare.win32.Downloader c:\windows\system32\adobe\shockwave 11\symcheckupstub.exe I let comodo remove it

Well, now I am confused. You had Symantec and Avast antivirus. You removed Symantec and I thought kept Avast. The Comodo firewall was recommended to you.

Did you download the Comodo antivirus program by mistake? http://antivirus.comodo.com/
Instead of the firewall? http://www.personalfirewall.comodo.com/

Because firewalls don't "get rid of malware"! IF you did, now you have 2 antivirus programs again and no firewall!
 
Sorry I guess that would be confusing..I loaded the firewall..it is running in clean pc mode...I think it scanned because it was new and was making sure nothing was there before it finished installing..because after it scanned it then said install finished..the little icon on my task bar on the right says comodo firewall pro when i hold my cursor on it.
 
Please read the discussion here of 'Clean PC Mode':

And the Comodo description here:

Firewalls don't clean malware. They 'listen' at ports, blocking access to some, by unidentified scanners. I don't like the way they mislead saying
Includes A-VSMART prevention technology (Anti Virus, Spyware, Malware, Rootkit and Trojan) that prevents harmful applications from getting installed on your system

This is done by blocking the ports, not cleaning. So know what you have and its abilities. The reviews of this 'new' process aren't overwhelming, so don't be misled by the hype.

I am tempted to ask you to run another HijackThis scan and see if that process is indeed gone! But I'll leave that up to you. You should at least be running better and clean by now.
 
Ok I read those..it will take me a few times of reading them to get it..I'm a little slow about some of this computer stuff.
For comodo.. I left it set to clean pc because that's where it was originally set. Should I change it to safe mode?
In the clean pc mode I have been getting the pop ups asking me if I wanted to allow things..which were programs I use so I allowed them..I guess it was learning.

I will be glad to run a hijackThis scan..no problem..except can I do it in safe mode?

I don't know what I did..just go ahead and yell at me.. I'm sorry

but, I can only use my computer in safe mode..it just happened..I can't even turn it off..it says I don't have permission to shut down computer...grrrrr
I tried to use ulead gif animator and it says "windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
I have used the power button to shut down and restart a couple of times and I get the same thing. But in safe mode everything is working fine.

I just ran the hijackthis and attached it..

Edited to add...
#1 I uninstalled comodo and everything seemed to be working ok. I am reinstalling it now.
#2 I reinstalled comodo and everything seems to be working fine :)

let me know what else I need to do to be safe...do you need any scans or anything? Or should all be ok now?
 
> In the clean pc mode I have been getting the pop ups asking me if I wanted to allow things..which were programs I use so I allowed them..I guess it was learning.

All firewalls need to be configured. Some programs in your computer do need to be allowed internet access. Others do not unless you specifically request some action that requires internet action. If you are ever unsure, "Don't allow" the access! From a safety point of view, that's the golden rule.

> I reinstalled comodo and everything seems to be working fine

Most probably the firewall was preventing something from accessing that needed to. Check out the instructions for running the PC Clean Mode. Might be that you shouldn't run it all the time.

I see that Avast is loading:
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
But I don't see the program listed on your programs list. It was listed as
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
Please check and be sure it's still showing installed. I want you to have a fully functioning AV program.

The BitDefender processes are still loading. Have HijackThis remove them:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)

There is a new entry you need to remove. It's for the ask.com search. It's not a desirable program and is considered adware. You may have gotten it with a download:
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

I know you know the drill by now- close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode
Use Start> Run> Msconfig> selective Startup to UNCHECK the AskBar if there> Apply> OK.
Check Add/Remove Programs and uninstall the AskBar if there.
Do a search on your system for BitDefender and bdoscandel. If you find any files or folders, do a right click> Delete on each.
Reboot into Normal Mode and enjoy your computer!

You've done a good job. Hopefully you are running faster now. There are still a few processes loading at startup you can do without so let us know if you slow down. It has been a pleasure working with you.
 
Thank you so much for all your help. I will try to be much safer from now on. I really do appreciate it very much...

I'm pretty sure Avast is running right..the little icon says "On access scanner 7 providers total, 6 running" and when I click on it....it says "the provider is currently running".
If I happen to slow down I will come back. I'm sometimes a little impatient and don't think they make a computer fast enough..lol
But I seem to be running great now!!!!

Thanks again and have a great Saturday.
 