Regedit Problem

[alpenarchitek]

I'm having the same problems w/ regedit and cmd exe files. I wasn't aware of the problem until I was attempting to reload Trend Micro Internet Security 2009 and tech support asked me to start/run/regedit. When nothing happened I began to research. I've followed this and other threads and have downloaded and run everything noted in "8-steps" and Combofix. Things seem to be better, but I thought someone should take a look at the log files. I can't seem to locate the log file from SuperAntiSpyware.

 

[kimsland]

Please uninstall Norton SystemWorks fully
Then run the Norton Removal tool
Then restart

Then re-open Malwarebytes and run another full scan
Regarding Superantispyware log, just do another scan, and save the log

Then restart

And provide a new HJT log as well (restart is required before scanning with HJT again)

Actually run IE Reset before the restart as well : https://www.techspot.com/vb/post682762-2.html

 

[alpenarchitek]

Tried the Add/Remove in Control Panel. Won't remove. Norton SW seems to be missing a key in the registry. Using the Norton Removal Tool and it seems to be hung up, but still running. Any suggestions?

 

[kimsland]

Lots of info here on how to uninstall this horrible product: http://service1.symantec.com/support/nsw.nsf/docid/2001101612274407

 

[alpenarchitek]

Norton products uninstalled. All scans completed. Log files attached.
Thanks for the help.

 

[kimsland]

Norton is still there so try running this tool again: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
You also have Trend Micro Internet Security running so check Add\Remove Programs to uninstall that too
Spyware Doctor was listed as well (as a missing entry) so uninstall that too
Ad-aware is starting up as well, please uninstall that too
You may as well uninstall SUPERAntiSpyware whilst you're at it
Registry Defense is starting with Windows, personally I'd say uninstall too

Restart (probably a couple of times with all the above)

Run IE Reset: https://www.techspot.com/vb/post682762-2.html (as there's a few strange settings presently being used)

Install Avira free AntiVirus

Then startup Malwarebyres again, update it, and run a full scan (make sure Avira is actively protecting as per default) Remove anything found

Restart

Download Combofix
Lots of info on its use h e r e
Direct download h e r e

Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
ComboFix will also restart your computer (eventually) and then (eventually) create a log

Save this log file to be attached to a new reply

Restart

Then do another scan with HJT
Locate any entry that has "file missing" at the end of that specific entry (there may be a few)
Tick the boxes on those entries ("file missing" or even "not found")
Then select Fix
Close HJT

Restart

Then do another scan with HJT (scan and log file) and attach this to a new reply



Pretty sure at that stage your computer will be running well

 

[alpenarchitek]

Thanks for the "to do list". I will get busy shortly. I do have a couple questions. Trend Micro is my AV software. Is this a problem? I had to uninstall Avira AV to reinstall Trend Micro after an upgrade. Do you recommend Avira over Trend Micro? Is Ad-Aware a problem? Registry Defense was a download recommended by "CNet" for registry issues. Didn't do a thing for my situation. They offer a 100% satifaction guarantee. I will be requesting a refund.

 

[kimsland]

Well yes to all I said

But regarding specifically Trend

Trend Micro is not exactly "Mico" it has many startups and many system files running, usually (well always) causing considerable slowness on a users system
Now if you have just paid up your subscription to Trend, you may actually want to keep it, but if your version of Trend is nearing expiry I would remove it

Basically all Internet Securities are just way over the top these days. You just need a good (and Avira is the best) Antivirus. Not all this other included stuff. Internet Security software packages just started going over the top, about 2 years ago, and since then, all of them run slow. (or cause slowness) Trend IS and even the Antivirus on its own, being one of those.

 

[alpenarchitek]

Thank you for the information. All tasks completed. Attached logs for review. Thank you again for all your help.

 

[kimsland]

Ok from all of that here are the issues:

S2 NAV Auto-Protect;NAV Auto-Protect;c:\progra~1\NORTON~1\navapsvc.exe --> c:\progra~1\NORTON~1\navapsvc.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;sas.r4.attbi.com;<local>;*.local

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.buyeragentrockies.com
O15 - Trusted Zone: http://www.homedepot.com
O15 - Trusted Zone: http://www.kuhnsbros.com
O15 - Trusted Zone: .turbotax.com[/url]
O15 - Trusted Zone: .usps.com[/url]

Here is the fix:

1.

1. Click on the link [URL="http://www.cexx.org/LSPFix.exe"][B][COLOR="Blue"]HERE [/COLOR][/B][/URL]to download LSPFix to your desktop.
2) Once the exe file is on your desktop, double-click on it to open
3) In the left hand column, you should see the NWPROVAU.DLL file listed. Click on it to highlight, then click the arrow in the middle of the screen that points to the right

This will move the filename to the right-hand column labeled Remove

NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"

4) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry. Close the LSPFix program now.

2.

Run IE Reset to default all Internet settings and remove all those zones
Info [URL="https://www.techspot.com/vb/post682762-2.html"]H E R E[/URL]

3.

[URL="ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe"]Norton Removal tool[/URL]

Restart

4.
Provide a new HJT log as an attachment

 

[alpenarchitek]

New HJT log attached.

 

[alpenarchitek]

Did you get a chance to review the newest HJT log?
Have we achieved success in removal of everything?
Thanks.

 

[kimsland]

I cannot see any Malware in your HJT log
Did you run IE Reset though, because there are many extra entries (that are not Malware) in your IE settings

• Click START then RUN
• Now type Combofix /u in the runbox and click OK
• 
• When shown the disclaimer, Select "2"

(Note: 1 space after ComboFix in that uninstall command)

Clear & Reset System Restore's Cache

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

 

[alpenarchitek]

Ran another IE Reset.
Uninstalled Combofix.
Reset System Restore point.
Ran HJT, attached latest log.

How's it looking?

 

[kimsland]

Please re-open HijackThis and place a tick next to the following entries
Close all\any Internet browsers, then select Fix

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;sas.r4.attbi.com;<local>;*.local
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

Restart

 

[alpenarchitek]

Completed above.
Attached new HJT log file.

Thank you.

 

[kimsland]

This one still remains:

O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

You may have missed it?

Anyway, other than that missing entry (which really doesn't matter) I cannot see any Malware in your log

 

[alpenarchitek]

No, I haven't been missing this string. I've run HJT, ticked its box and selected fix, only to find nothing happened. Any other suggestions?

 

[kimsland]

Re-install Spyware Doctor
Restart
Uninstall Spyware Doctor
Restart

Or just leave it, as file missing

 

[alpenarchitek]

Tried reinstall and uninstall of Spyware Doctor a couple of times, but the string still exists in the HJT log. Any other suggestions? If not, we can close this thread. Thanks again for all your help.

 

[kimsland]

Start->Run-> services.msc

Maximize the Services Window that opens
Scroll down the list to locate: PC Tools Spyware Doctor (may be listed as SDhelper, I don't know)
Double click on this entry
Change the Startup to disabled
Apply ok Close

Restart, and check HJT again

By the way, I'm pretty sure it's located here in Registry (start->run->regedit)
‘HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services’
But it's not advised to edit the registry without some experience and knowledge
ie PC Tools Firewall (as an example) Should be removed from network connections first

Another option is to try Revo Uninstaller

 

[alpenarchitek]

That took care of it. Thanks again for all your help.