Google Redirect - Fixed

  #21  
Old 12-03-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
OK that will be much safer.

Mike
  #22  
Old 12-03-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Hello All -- Especially Mike,

I've restored the system via a full backup of 10/3/08 or thereabouts. No Google Redirect Detected so my problems started within about 30 days of the backup. I've completed the first scan using MBAM and SAS with logs from HJT. Please review the attached logs and advise the next steps.

Thanks in advance.........Gary
Attached Files
File Type: txt mbam-log-2008-12-03 (19-14-15).txt (977 Bytes, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 12-03-2008 - 20-32-52.log (2.1 KB, 1 views)
File Type: log hijackthis.log (9.0 KB, 1 views)
  #23  
Old 12-03-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Hi

All looks good. You picked a time before the infection.

You have residues of Norton below.

HJT Scan only and remove these below.

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

Then do the Norton Cleanup post above again.

And just to be sure do the Combofix and SDFix posts also.

If they come up clean then do the updates.

Mike
  #24  
Old 12-03-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Okay Mike...Eliminated the HJT items. Just to be sure please issue the Norton removal instructions again. This is where things went deep south before. I want to be sure I understand what is next. Also, not sure what SDFix is... can you clarify?

Gary

Last edited by gmpederson; 12-03-2008 at 11:07 PM..
  #25  
Old 12-04-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Hi Gary

Sorry late getting back been busy at work and out of office a lot the past 3 days.

OK reference to SDFix was for another person. So forget that for now.

After all we have done and after restoring it behooves me to ask that you scan once more to be sure.

1. Update combofix run and post log.
2. Update mbam run and post log.
3. Update SAS run and post log.
Last new HJT log.

I think you are OK but let's be sure. Take your time; scan when you go to work, bed, etc.

Mike
  #26  
Old 12-05-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Hi Mike,

Ran everything....appears to be clean. Here are the logs for your review.

Gary
Attached Files
File Type: log hijackthis.log (8.7 KB, 0 views)
File Type: txt ComboFix.txt (14.9 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 12-05-2008 - 07-18-31.log (465 Bytes, 1 views)
File Type: txt mbam-log-2008-12-05 (06-00-33).txt (852 Bytes, 1 views)
  #27  
Old 12-05-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Great job. Keep clean!

Thread closing-------------------------------------------------------------------
Please download OTCleanIt http://download.bleepingcomputer.com.../OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall, Windows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.

If prompted to Reboot click Yes.
OTCleanit will delete itself when finished, if not delete it by yourself.

-------------------------------------------------------------------------------------
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
-------------------------------------------------------------------------------------
The issues found are in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and then OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every 2 weeks or so run mbam and sas until clean. They take a while so leave scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean then get back to us.

Additionally run CCleaner.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

Install Hostman and allow it to disable DNS Client and select all 4 Host files and then Update
Hostman http://www.abelhadigital.com/2008/07...-released.html

A Disk scan and Defrag are in order.

Mike
  #28  
Old 12-06-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Mike,

All steps completed from your last post except for Hostman. Your link did not work.

What is your recommendation for an Antivirus program and Firewall? I was thinking of using Avira for AV and Zonealarm for firewall.

Thanks for all your help. After I get your thoughts on the above I'll create a complete backup and then follow your maintenance recommendations.

Gary
  #29  
Old 12-06-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Gary honestly I think the best free, and it is as good as most paid, is Comodo.

The free Suite contains both http://www.personalfirewall.comodo.com/index.html

I don't even like ZA!

Your choice tho!

Hostman http://www.abelhadigital.com/

Mike
  #30  
Old 12-06-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Hi Mike.....Removed ZoneAlarm and AVG, installed Comodo and Hostsman. I think I'm good. I want to thank you for sticking with me through all of this and I want to express my appreciation to all the tech experts that take their time to help lowly PC users like myself.

I guess we can close this thread now.

Bye.
  #31  
Old 12-07-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Hi Gary

Yes I think we are clean of Malware. But for full performance and cleanliness you might want to consider doing this post.

http://www.techspot.com/vb/post692855-17.html

Same but not as bad for AVG.

D/L and run AVG Cleanup tool http://www.avg.com/filedir/util/avg_...avgremover.exe

Next:
Start-Search-Files and Folders. In location set to search your Local Hard Drive (usually C:\ ) or All Local Drives.

Select Advanced Search Options and set to search subfolders and hidden files.

Now paste

Grisoft;avg7;avg8

into the search box and click Search Now. Delete all it finds! Empty Recycle bin.

Run AutoRuns click the Everything Tab look down the column Publisher for anything not Microsoft delete any line referencing Grisoft avg7 and avg8
----------------------------------------------------------------------------------------------------------------------------------
If you are paranoid do the following also.

D/L Regseeker http://www.hoverdesk.net/freeware.htm

Run it and select "Find in Registry" the following 1 at a time.
grisoft
avg7
avg8

Then in Regseeker select Clean Registry and do a general Reg clean before rebooting.

And finally you will be clean of AVG.

Mike
  #32  
Old 12-08-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Well Mike.....I followed the procedure for cleaning Zonealarm, including the clean registry steps. Rebooted okay then decided.....why not use RegSeeker to clean Norton and Symantec because I thought SYMMSICleanup.reg was what crashed my system.

Guess what, just using RegSeeker to clean Norton and Symantec crashed my system again! So whatever registry keys I deleted for Norton and Symantec caused the train wreck originally and again last night.

No problem though, I had made a full backup prior to cleaning zonealarm so restored the system and no damage done. I plan to clean zonealarm again and then move on to cleaning AVG unless you have some other thoughts.

I will await your reply first though.

Gary
  #33  
Old 12-09-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
You have a handle on this. You have the backups.

Clean the AVG and ZA.

Get a new image if you tackle the Norton/Symantec.

If you do any more then just remove Norton.

I am almost 99% positive it is the Symantec that is doing it but you likely have enough of it gone to not cause a problem.

Good luck,

Need me,

I'll be here!

Mike
  #34  
Old 12-10-2008
Newcomer, in training
 
Member since: Nov 2008, 17 posts
Understood. I'll proceed but I think I'll leave Norton alone for now. BTW, do you know Robert Smith? His father is the city attorney for Lexington. Robert is my son-in-law.

Thanks for all the help!

Gary
  #35  
Old 12-10-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Know of them. RB is father.

Mike