Antivirus 2009

Status
Not open for further replies.

Texaus

Hello again. Different machine, same problem with Antivirus 2009. I ran Malwarebytes and SAS on Friday then took a break, didn't get around to HijackThis and posting logs until today. I have removed Norton 360 with the Norton Removal Tool and installed Avira today too.

Another question: This PC is in selective startup with several unknown things unchecked on the startup tab. Does this make it so the HijackThis log is not showing you everything? I just want to make sure I am giving you the full picture.

Thanks!
 
Why did you remove Norton 360? I have had Norton 360 for 3 years with no problems. They have a very good online technical backup service which should be able to sort your problem.
 
In regards to your HJT logs not displaying properly, HJT will only scan start-ups and services that are running. Put the PC into normal startup then run a HJT scan again and post the new log file here please.

Norton 360 is a bloated program IMHO. I'd always advise a lighter program to a home user.

Will check again once a new HJT log is in.
 
Thanks tystanwick! I agree, Norton seems to slow things down as much as any malware. This is my bro-in-law's PC, so that was the first thing I ditched. I'm attaching a new HijackThis log. This log is after running Avira for the first time (it found more stuff Norton 360 didn't) and the PC is in normal startup.
 
HJT log looks clean!

One last recommendation: Remove Spyware Doctor. It has a real-time anti-virus engine in it that will end up conflicting with Avira....BSOD waiting to happen. Not to mention removing it should give the PC more speed. Would also remove that "MAX Registry Cleaner" junkware. I've never been a fan of those automatic reg fixing programs. They seem to do more harm than good.
 
I am reviewing the logs now. The first log was fine as far as display is concerned. It was done in Normal Mode and the full contents appear to be displayed.

A note about Norton: some people are misunderstanding the antivirus referral in the first step. We do NOT require you to uninstall the antivirus program you have. If you have paid for this or it is included in a suite such as Norton 360, we suggest you might want to consider another AV, free standing, without the bloat of suites such as Norton.

Regarding this:
"This pc is in selective startup with several unknown things unchecked on startup tab."
Virtually every software program puts itself on startup. The ONLY processes that need to be on Startup are: antivirus program, firewall if you have a third party firewall and touchpad if using a laptop. Nothing else!

Once the Startup menu is changed through the msconfig utility, you must remain in Selective Startup to retain the changes. A nag message comes up on the first reboot after making any changes and it can be ignored and closed after checking 'don't show this message again'. Remain in Selective Startup.

All of my systems go in Selective Startup on Day 2 after I've stopped the junk from loading!
 
Continuing with log reviews:

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Close all Windows except HijackThis and click on "Fix Checked".

I'd like you to UPDATE and rescan with Malwarebytes again.

Follow that with SDFix:
Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Attach SDFix log, new Malwarebytes log.
Rescan with HJT and include new log.
Do a full system scan with Avira and include log.
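
As an added illustration that is not part of the original thread or any poster's code: a small Python parser for HijackThis entry lines of the kinds quoted above (R1, R3, O4, O16). The field names, the `kind` labels and the `review_queue` helper are assumptions of this example, and the sample log is constructed from lines in the thread.

```python
import re

# Constructed sample: entries quoted in the thread, preceded by a constructed header line.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed header line, skipped by the parser)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                   # "O4 - <body>"
REG_VALUE = re.compile(r"^(HK\w+\\[^,]+),([^=]+?) = (.*)$")      # key,value = data
RUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")     # key: [name] command
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Return a dict for one HijackThis entry line, or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    entry = {"code": code, "kind": "other", "orphaned": body.endswith("(no file)")}
    clsid = CLSID.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0)
    if code in ("R0", "R1") and (r := REG_VALUE.match(body)):
        entry.update(kind="ie-setting", key=r.group(1), name=r.group(2), data=r.group(3))
    elif code == "O4" and (r := RUN.match(body)):
        entry.update(kind="autostart", key=r.group(1), name=r.group(2), command=r.group(3))
    elif code == "O16":
        # DPF entry: the download source is the last " - " separated field.
        entry.update(kind="activex-download", source=body.rsplit(" - ", 1)[-1])
    elif code == "R3":
        entry["kind"] = "url-search-hook"
    return entry

def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def review_queue(entries):
    """Entries to look at first: registrations whose file is missing, and autostarts."""
    return [e for e in entries if e["orphaned"] or e["kind"] == "autostart"]

if __name__ == "__main__":
    for e in review_queue(parse_log(SAMPLE_LOG)):
        print(e["code"], e["kind"], e.get("name", e.get("clsid")))
```
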
 
Good job!
Re: the Avira scan: Per Avira support:
I keep getting a virus detection for APPL/KillApp.a .
The offending file is A0013693.exe which is located in a restore point. Can this program be safely ignored similar to APPL/KillApplicat.a ?
Yes, you can choose to ignore that program in a similar way.
When we finish the cleaning, I'll have you drop all the old restore points and set a new clean one.

Looks good to me! If you aren't having any remaining problems:

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Please empty the Recycle Bin when through.
To prevent the tracking Cookies in the future:
Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Just to be on the safe side: Right click on Start> Explore> Programs> make sure Antivirus 2009 folder is gone. If it is not> right click> Delete> then empty the Bin.

TIP 1: Leave everything UNCHECKED on the Startup menu except the AV, third party firewall, touchpad for laptop. Open each program (including the printer) manually when and if needed.

TIP 2: Create a shortcut for System Restore: right click on the SR exe file> Send to Desktop to create a shortcut. Unlock the Taskbar and drag the shortcut into the Quick Launch Toolbar. Re-lock. Beats the long trip to access the process and serves as a reminder to set your own restore points occasionally.

Let me know if you need more help.

Edit: Symantec Password Manager is running:
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

Is that being used? If not, do this: Open IE> Tools> Manage Add-ons> find the above (tgctlsr.cab or asa or ss or sa or sa_cabs). Look in both sections by changing the dialogue box to both add-ons currently being used and add-ons previously used> click to highlight> Disable.
 