please help with this infected lapop

Welcome to Majorgeeks!

Since I do not see the typical signs of SysProtect itself, let's remove the other obvious Virtumonde problem which often cause SysProtect to show its ugly head.

Run the below and attach the requested log:

Virtumonde aka Trojan Vundo Removal -

Then attach a new HJT log and tell me how things are looking.

 

No there is some more! In fact I'd would not be surprised if Virtumonde came back. You still have the program that loaded it running (WinAntiVirusPro2006Installer) Although you may be lucky because we ran Bitdefender and it may have deleted the file making it impossible for the program to load at startup.

Look in Add/Remove programs for the below and uninstall if found:
HotBar
SpamBlocker
WinAntiVirusPro2006 (or anything similarly named)

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [NI.UWA6P_0001_N56M1001] "C:\Documents and Settings\Kimberly Brinton\Local Settings\Temporary Internet Files\Content.IE5\L4OE7U3L\WinAntiVirusPro2006Installer[1].exe" -nag
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.7.1.0\SbOEAddOn.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\Documents and Settings\Kimberly Brinton\Local Settings\Temp\blank.gif
C:\Documents and Settings\Kimberly Brinton\My Documents\WinAntiVirusPro2006Installer.exe
C:\WINDOWS\SYSTEM32\vtuvw.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

You have an old Sun Java version 4.2 update 3 running. You must download and install the new version (5.0 update 6) and then uninstall all old versions.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Yes you should try to enable it if it is disabled. But Symantec has a habit of getting broken and not being fixable without a uninstall, reboot, reinstall. So be prepared.

HijackThis creates backups of things it fixes and they go in a backups folder that is in the same folder as hijackthis.exe This is part of the reason we insist on HJT being installed properly. That way we know what is from HJT and what is not. The one on the Desktop may have been because someone had HJT installed incorrectly (on the Desktop) previously.

As for being slow....well Symantec alone can do that. But I'll give a couple things below to remove with HJT that may help.
You could also try getting rid of all the garbage from AOL which is not worth having!

But is Ewido a trial or paid version. If trial then uninstall it. Do that now!

You did not fix the O4 line with WinAntivirus on it. Let's try again but first shutdown Windows Defender.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [NI.UWA6P_0001_N56M1001] "C:\Documents and Settings\Kimberly Brinton\Local Settings\Temporary Internet Files\Content.IE5\L4OE7U3L\WinAntiVirusPro2006Installer[1].exe" -nag
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Do you need the below pop-up reminder of events scheduled using the MS Works Calendar? If not, fix it too!
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


After clicking Fix, exit HJT.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

 

Those are for MS Windows Defender!!! Leave them alone. You need them. Only worry about what I tell you to worry about!

You still have not fixed the below!

O4 - HKLM\..\Run: [NI.UWA6P_0001_N56M1001] "C:\Documents and Settings\Kimberly Brinton\Local Settings\Temporary Internet Files\Content.IE5\L4OE7U3L\WinAntiVirusPro2006Installer[1].exe" -nag

Why do I see both Symantec and McAfee AV programs running? Which AV do you use? Uninstall the on that is not used.

Boot into safe mode, shut down everything you can. Select anything running in the tray and shut them down. (ALL AV programs, AOL stuff, Windows Defender etc). Then run HijackThis and select that O4 line and fix it. While in safe mode, double check the HJT log. Is the line gone or not? If it is, then reboot into normal mode and then get a new HJT log and attach it. If it is not gone, bring up Task Manager (CTRL-SHIFT-ESC) . Write down what's running and come back later and tell me.
Did you shut down Windows Defender last time before trying to fix it? Was Ewido uninstall at the time too?

 

I did not say kill it with Task Manager. I said shut it down. You need to right click on the icon in the tray and actually shutdown/exit the program. You cannot do what you were trying with Task Manager. That is viewed by the program as malware trying to kill it and it just restarts. You must shutdown the program not try to kill the process (and there are more processes running from it anyway).

Does the below file exist? I would think not!
C:\Documents and Settings\Kimberly Brinton\Local Settings\Temporary Internet Files\Content.IE5\L4OE7U3L\WinAntiVirusPro2006Installer[1].exe


For the McAfee stuff, do the below.
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\mcafee.com <--- delete the whole folder

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Uninstall Windows Defender then reboot and try one more time to fix winantiviruspro2006. Do not reinstall Windows Defender unless this O4 line goes way.

I don't know much about AOL's antispyware but I wonder if it is getting in the way of removal! Can you disable it?

Just in case we need manual steps to remove this, please run the below and attach the requested runkeys.txt log:

Using GetRunKey

 

Okay! Also before download and install the below in expectation that we are going to need it to remove this stuck registry key.

Registrar Lite

 

Just uninstall all AOL from Add/Remove programs, however, does she still need AIM (this is AOL's Instant Messanger).


Let's get an installed programs list from HijackThis too so I can see what is installed!

• Run HijackThis, click Open the Misc Tools section
• Click Open Uninstall Manager
• Click Save List (generates uninstall_list.txt)
• Click Save, to save it to a file where you can find it.
• Attach the uninstall_list.txt file to your next message.

 

First uninstall Viewpoint Media Player

Copy the bold text below to notepad. Save it as fixMe.reg to your desktop (yes overwrite the previous one). Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [NI.UWA6P_0001_N56M1001] "C:\Documents and Settings\Kimberly Brinton\Local Settings\Temporary Internet Files\Content.IE5\L4OE7U3L\WinAntiVirusPro2006Installer[1].exe" -nag
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1104805404\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104805404\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1104805404\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Common Files\AOL <--- the whole folder

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).
Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

The registry patch got it!

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome!

It really depends on how good you really are with all this stuff. Do you know the difference between the thousands of valid process and the thousands of baddies? Are you confident enough in you ability to not remove valid files.

There are literally tens of thousands of malware issues out there. The READ ME is always a good starting point because it establishes a known reference condition of the PC in question. It does not remove all forms of malware (obviously) just like none of the scanning tools themselves do. But along with the reference point, it collects a bunch of data to be used in the manual fixes to be created.

 

R&D Engineer (EE) but also have a load of programming experience.