Norton spoof resulted in constant spyware

Well, here I am again. A person, who shall remain nameless, saw a popup saying something like "OH MY GOD! YOUR COMPUTER NOW IS BEING INFECTED BY MALWARE AND SPYWARE. CLICK HERE IMMEDIATELTY TO FIX! LOVE, NORTON." They click, just like before (see my May 23, 2009 thread: http://forums.majorgeeks.com/showthread.php?t=190352), and I'm again working to fix.

Current question: How much longer should I give MGTools to finish?
I'm going through the READ & RUN ME FIRST. Malware Removal Guide. I'm running MGtools. For the past few hours, MGTools has been stuck on "Running processdll.exe to find loaded DLLs". How much longer should I give MGTools to finish?

 

I'm not receiving any MGTools error messages. As for .NET, not only do I have it installed, I have:

Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1

installed. I don't know whether I need all those. Also, it looks like .NET Framework 4 is out. Would it help MGTools if I delete any of these .NET files?

 

I attached the logs I have so far. RootRepeal error was "Eorror-Invalid PE image found!" and RootRepeal got stuck on my G:/FlipShare Data/previews/, so I only ran RootRepeal on the C: directory.

I renamed MGTools to magpie.exe and ran again. Sorry, I now remember that I did get errors the last time I ran MG Tools. The error I got then (and now got running magpie.exe) is:


ProcessDll.exe - Common Language Runtime Debugging Services
Application has generated an exception that could not be handled
Process id=0x12ac (4780), Thread id=0x17a8 (6056)
Click OK to terminate the application.
click CANCEL to debug the application.

Should I click OK or CANCEL?

 

Another person had a similar problem. Per chaslang 03-09-08, 22:47 "What should I do next? Just attach the 3 requested logs. MGlogs.zip will sill exist even if Processdll.exe did not run properly."
(See http://forums.majorgeeks.com/archive/index.php/t-153822.html)

Here is what I now have for MGlogs.zip.

P.S. I Uninstall ALL old Sun Java versions, but missed the instruction part about get updated. I don't have any java version installed at the moment. Also, when we're done, I was thinking of reinstalling my Norton becuase my Add/Remove list showed it installed on December 26, 2010, the date this problem started. I installed Norton 360 v 4.0 well before that date, so I figure the bugs did something to Norton.

I renamed MGTools to magpie.exe and ran again. Sorry, I now remember that I did get errors the last time I ran MG Tools. The error I got then (and now got running magpie.exe) is:


ProcessDll.exe - Common Language Runtime Debugging Services
Application has generated an exception that could not be handled
Process id=0x12ac (4780), Thread id=0x17a8 (6056)
Click OK to terminate the application.
click CANCEL to debug the application.

Should I click OK or CANCEL?

 

Hi Kestrel13!

I acted before I saw your above 17:25 message:

1. I removed, and then reinstalled Norton 360 v. 4.0
2. I then installed the latest version of Sun Java
3. I then ran F-Secure (free online scanner) detailed scan and went out for a few hours. F-Secure found:

Gen.Trojan.Heur.Lp - SPYWARE (Gen:Trojan.Heur.LP) was found in: system
CATONLINEW2K.DLL - Malware (Gen.Trojan.Heur.LP.ymTfaSaqBBI) was found in: C:\WINDOWS\DPWNLOADED PROG RAM FILES\CATONLINEW3K.DLL

4. F-Secure was able to clean Gen.Trojan.Heur.Lp
5. F-Secure was NOT able to clean CATONLINEW2K.DLL

Then I saw your 17:25 message above and

6. I exited all browser sessions including the one I was reading in right now:
7. I then disable Norton 360.
8. I then ran C:\MGtools\analyse.exe by double clicking on it.
9. I then selected Scan
9A. NOTE: The option "Do a system scan only" was not presented to me
10. I then selected the following lines:

* O2 - BHO: (no name) - AutorunsDisabled - (no file)
* O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
* O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - (no file)

10A. NOTE: O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file) was not present after the scan.
11. I then selected "Fix Checked" to fix the 3 selected items. The screen within the Trend Micro Hijackthis frame went completely white.
12. I then ran "Scan again"
13. The following file was not deleted: O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - (no file)
14. I selected it, selected Fix Checked, and the screen within the Trend Micro Hijackthis frame went completely white.
15. I exited HJT
16. I re-enable Norton 360.
17. I attached the fsonlinescanner_report2010-12-27.html to this message

What problems remain?
1. CATONLINEW2K.DLL - Malware
2. MGtools could not fix: O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - (no file)

 

Ameritrade was installed a while ago but I don't really use it anymore. As for the last issue, should I be concerned about not being able to delete O18 - Protocol: symres?

 

I ran through the final steps. Thanks Kestrel13! and chaslang for all your help.

 

OK, here I am again. :banghead This same person was using my computer today and clicked on a link that brought up the banner message "Caution! Your computer contains a variety of suspicious programs. Your System requires immediate checking! The system will perform a fast and free check your PC for malicious programs. OK. Cancel." (see attached)

After seeming me spend two days cleaning up the prior mess (see first post in this thread), the person selected Start, Turn Off Computer instead of selecting OK in response to the banner. Several terminate program options appeared and the shut down took much longer than normal.

I ran a quick scan via F-Secure and there were no issues. Is there any easy way for me to tell whether spyware or malware was installed on my computer? (I really don't want to spend another two days going through the READ & RUN ME FIRST. Malware Removal Guide.) Thanks.