Blind Dragon said: Download and Run Norman Removal Tool
- Download Norman Malware Cleaner to your desktop
- Restart your computer into safe mode by tapping F8 before Windows loads and selecting Safe Mode.
- Double-click the Norman Icon on your desktop (Vista users Right click and select run as administrator)
- Agree to the EULA
- Leave the settings the way they are unless you have more than a C:\ and D:\, then you can add those areas to the top section
- Select Start Scan
- The log will be saved to your desktop as NFix_currentdate.log. Attach it here
1) Click on Start, Settings, Control Panel
2) Double click on Add/Remove Programs
3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.
* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way
4) Reboot your Computer and run HijackThis and attach the log
File::
C:\WINDOWS\system32\ISECUR~1.CPL
C:\WINDOWS\system32\skujcpwe.exe
C:\WINDOWS\system32\iSecurity.cpl
C:\Documents and Settings\All Users\Application Data\ahyvapsd.dll
C:\DOCUME~1\Mat\LOCALS~1\Temp\DELDIR0.exe
C:\WINDOWS\vyzsvsbg.exe
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8311E8F-E459-4D22-89B4-CB9DCF10A425}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skujcpwe"=-
"iSecurity applet"="iSecurity.cpl" [2008-03-30 18:08 125440 C:\WINDOWS\system32\iSecurity.cpl]
"ahyvapsd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DELDIR0.EXE"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"6T1E1ueXNd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"iSecurity"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvvwX]
File::
C:\WINDOWS\system32\noqkvfse.dll
C:\WINDOWS\system32\cemrxeqd.dll
C:\WINDOWS\system32\zdpdbxsr.exe
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3EC135BF-AAD6-D3A1-A843-0B3699F1E5F2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5447ADBC-9AD8-2D30-46C4-0979F3630B69}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zdpdbxsr"=-
"iSecurity applet"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywvvwX]
Blind Dragon said: Disable Teatimer
- Right click the Spybot - S&D Resident icon located in your system tray, select Exit Spybot - S&D Resident
- Open Spybot S&D
- Click on Mode at the top and make sure that Advanced is checked
- Expand the Tools tab in the left pane
- Single click on the Resident Icon also in the left pane
- Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
- Close Spybot
CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE: Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also, pay particular attention to this:
Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it)
Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
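A pre-flight check for the first-line rule in the post above, as an added example that is not part of the original thread and is not ComboFix's own code. The function name `check_cfscript` is hypothetical, the entry shapes it accepts are assumed from the two scripts posted on this page, and the sample script is constructed from lines of the second one.

```python
import re

HEADERS = ("File::", "Registry::")  # the two section headers used in this page's scripts
INVISIBLE = "\ufeff \t"             # BOM, space, tab: what can hide in front of File::

def check_cfscript(text):
    """Return (problems, sections) for the text saved as CFScript.txt."""
    lines = text.splitlines()
    if not lines:
        return ["script is empty"], {}
    problems, sections, current = [], {}, None
    first = lines[0]
    # Rule from the post: File:: on line 1, no blank line above it, no space in front.
    if first.strip(INVISIBLE) == "":
        problems.append("line 1: blank line above File::")
    elif first != "File::" and first.lstrip(INVISIBLE) == "File::":
        problems.append("line 1: space or invisible character in front of File::")
    elif first != "File::":
        problems.append(f"line 1: expected File::, found {first!r}")
    for n, raw in enumerate(lines, 1):
        line = raw.strip(INVISIBLE)
        if not line:
            continue
        if line in HEADERS:
            current = line
            sections.setdefault(current, [])
        elif current is None:
            if n > 1:  # line 1 was already reported above
                problems.append(f"line {n}: text outside any section: {line!r}")
        elif current == "File::" and not re.match(r"[A-Za-z]:\\", line):
            # Assumption: File:: entries are full drive-letter paths, as on this page.
            problems.append(f"line {n}: not a full path: {line!r}")
        elif current == "Registry::" and line[0] not in '["':
            # Assumption: Registry:: entries start with [key] or "value", as on this page.
            problems.append(f"line {n}: not a key or value line: {line!r}")
        else:
            sections[current].append(line)
    return problems, sections

# Constructed sample built from lines of the second script on this page.
SAMPLE = r"""File::
C:\WINDOWS\system32\zdpdbxsr.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zdpdbxsr"=-
"""

if __name__ == "__main__":
    for label, text in [("as posted", SAMPLE), ("blank line first", "\n" + SAMPLE),
                        ("saved with BOM", "\ufeff" + SAMPLE)]:
        print(label, "->", check_cfscript(text)[0] or "ok")
```

A byte-order mark in front of File:: is invisible in Notepad, which is why the check treats it the same as a leading space.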
Blind Dragon said: You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Use Windows Explorer to navigate to and delete the following files:
Files:
C:\WINDOWS\winjyg32 <-This file only
C:\WINDOWS\yaywvvwX <-This file only
C:\WINDOWS\system32\noqkvfse.dll <-This file only
C:\WINDOWS\system32\cemrxeqd.dll <-This file only
C:\WINDOWS\system32\zdpdbxsr.exe <-This file only
Restart your computer into normal mode
Run a new scan with HijackThis and attach the log
kritius said: You still have Norton on your system
Norton Removal Tool
Follow all the steps on the site to remove it.
Blind Dragon said: You don't need to search for any files to remove Norton. Click on the link and it says:
Choose your product:
* I have a Norton product that was purchased from my Internet Service Provider (ISP)
* I have Norton 360
* I have a Norton 2008 product
* I have a Norton 2007 product
* I have a Norton 2006 product
* I have a Norton 2005 or 2004 product
* I have a Norton 2003 product
* I have Norton Ghost or Norton Save & Restore
* I have pcAnywhere or WinFax
Just go to the removal tool link provided above, then select your product and it will be removed for you.
Update your Java Runtime Environment
- First try going to Start -> Control Panel -> double click Java
- Select the Update Tab at the top of the Java console
- Click the Check for Updates button at the bottom
- If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
- After it installs the newest version, go back to Control Panel -> Add/remove programs
- Uninstall any older versions of Java
Also I don't see a firewall in your log
You aren't running Firewall Software. Please download and install one of these first!
Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm