And I thought I was clean!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Luckyneil, Sep 10, 2006.

  1. Luckyneil

    Luckyneil Private First Class

    I went through the complete cleaning program last year and since then I regularly update and run Ad-Aware, CCleaner, SpywareBlaster, Webroot Spy Sweeper, Spybot and AntiVir. I do my Windows XP updates regularly as well.

    Alas, my 14 year old son went and visited a few dozen porn sites. (I caught him by looking at Firefox's history.)

    So, returning to this site I noticed changes in the "Read this before posting" sticky so I decided to go through the entire procedure again. One of the final scans (ActiveScan) found thousands of spyware cookies, 7 viruses, 2 hijackers and a dialer on my system. The .txt file is way too big to upload. Please instruct on how to proceed. (E-mail?) This in spite of having run ALL of the above mentioned programs!!

    One important point: I misunderstood the instructions and I have already deactivated System Restore and rebooted. I have not re-activated it yet.

    I am hoping all of those cookies were found in a restoration file and not somewhere on my "live" hard drive.

    Thanks for all your amazing efforts and knowledge. You guys rock!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You ignored step 3 of the READ ME. You have AntiVir and Norton installed. Choose which you prefer and uninstall the other. Do this now before continuing.

    Also in step 0 of the READ ME we highly recommended uninstalling MessengerPlus3, which comes with bundled malware unless you are very careful when installing and any time it is updated. This software is not trustworthy and is too sneaky to be used.

    The version of Spybot you are using is out of date! You must uninstall it, reboot, download the version we asked you to use in the READ ME and install it.

    Also your Sun Java and FireFox versions are out of date!

    Install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    Mozilla Firefox (1.0.7) <--- this may not be found after the update to the new program

    If you ran CCleaner on all user accounts as requested the cookies should have been minimal. But cookies are the least of your concerns and they can easily just be fixed by running CCleaner even now (run on all accounts). You can compress your current Panda log into a ZIP file and upload it or you can rerun Panda after running CCleaner and then upload the log.

    Note the READ ME was just changed again today! You don't need to rerun it.

    Please also attach your HijackThis log as requested in step 7.
     
    Last edited: Sep 11, 2006
  3. Luckyneil

    Luckyneil Private First Class

    I uninstalled Norton a long time ago, or so I thought, but I left Norton firewall running. Am I missing something here?
    I will start the entire process from scratch because of the delay and the extensive usage of this (family) computer since last week.
     
  4. Luckyneil

    Luckyneil Private First Class

    Couldn't find an "edit post" button.

    I have 4 user accounts. Ran CCleaner on all of them and got another 100 meg cleaned up. We don't use three of them, haven't for over a year. I gave them all Admin status but would prefer to delete them. I'll leave them for now and will run all the scans in case by deleting them the scans miss something.

    I can't figure TeaTimer out. How do you make sure it's deactivated?

    I'm disconnecting now but will check from another PC in case there's a response to these 2 posts.
     
  5. Luckyneil

    Luckyneil Private First Class

    Phew! I hope this is better than last week's offering. More to come in next post.
     

    Attached Files:

  6. Luckyneil

    Luckyneil Private First Class

    Here are the final files. Thank you very much for your time, effort and expertise.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Any user accounts that you don't need should be deleted. That would be the best choice for security.

    To Disable Spybot's TeaTimer
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks, and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the log from ShowNew is a list of installed programs at the end. The below are from Symantec/Norton.
    It looks like more than a firewall to me. It looks like the Internet Security Suite, which I believe has an antivirus along with a lot of other stuff. If you need all of this just to get a firewall, dump all of this and use one of the free ones we list in the How to protect... sticky thread.
     
    Last edited: Sep 17, 2006
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason your Panda log is so large is because you did not follow the directions in step 1 of the READ ME. You did not clean out the Norton N-Protect folder and that is what is mostly in the log.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still need to run MSconfig and select Normal Startup. You are currently in selective startup mode. After doing this, reboot, and then attach a new HJT log and a new log from GetRunKey. Then we will be able to start addressing any malware problems.

    What is the below program you have installed?
    Hop! Écrire v1.0.3 Edition Scolaire
     
  11. Luckyneil

    Luckyneil Private First Class

    A writing program that my wife uses in her job as a special ed. teacher.

    I have removed Norton via the control panel. If the N-Protect folder has not been removed how would I go about getting rid of it? (A search for "protect" and "Norton" yielded nothing)
    Looking at the new HJT and runkeys.txt files I see a remaining Symantec listing. ??
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it was in your previous logs so I will assume you mean you have just now tried to remove it. Thus I will add steps below for getting rid of it.

    First look in Add/Remove programs and if any of the below appear, uninstall them:
    LiveReg (Symantec Corporation)
    Norton AntiSpam
    Norton Internet Security
    Norton Personal Firewall 2005 (Symantec Corporation)
    Norton Personal Firewall
    Norton WMI Update
    Symantec Network Drivers Update
    Symantec SCSSDist MSI
    SymNet

    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Network Drivers Service (if that is not found, look for the short name: aswUpdSv)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    LiveUpdate
    Automatic LiveUpdate Scheduler

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SNDSrvc

    Now repeat the Delete NT Service steps for:
    LiveUpdate
    Automatic LiveUpdate Scheduler

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=
    F3 - REG:win.ini: run=C:\WINDOWS\$NtServicePackUninstall$\services.exe
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\9.bin\MWSBAR.DLL,S
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\$NtServicePackUninstall$\services.exe
    O4 - HKLM\..\Run: [updmgr] c:\program files\fichiers communs\symantec shared\spbbc\updmgr.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [pn6V38i] fonrv.exe
    O4 - HKLM\..\Run: [mswspl] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\RunOnce: [sdaemon] C:\WINDOWS\sdaemon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Messenger Plus! 2 <--- the whole folder
    C:\Program Files\My Web Search Bar <--- the whole folder
    C:\Program Files\Symantec <--- the whole folder
    C:\Program Files\Fichiers communs\Symantec Shared <--- the whole folder
    C:\WINDOWS\$NtServicePackUninstall$\services.exe
    C:\WINDOWS\System32\fonrv.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode!

    After reboot, copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach the below new logs:
    - HJT
    - ShowNew
    - GetRunKey

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
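An added example, not code from this thread or from HijackThis: a small Python triage script that parses the F2/F3/O4 lines quoted in this post and flags the location-based oddities the thread itself calls out (a bare filename with no path, a binary launched from the $NtServicePackUninstall$ cache or straight from the Windows root, rundll32 loading a DLL through an 8.3 short path). The sample log is constructed from the lines above; the heuristics are my own, not HJT's, and catch only placement problems, not bundled adware sitting in its own Program Files folder.

```python
import ntpath
import re

# Constructed sample input: startup entries quoted from the HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=
F3 - REG:win.ini: run=C:\WINDOWS\$NtServicePackUninstall$\services.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\9.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\$NtServicePackUninstall$\services.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pn6V38i] fonrv.exe
O4 - HKLM\..\Run: [mswspl] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunOnce: [sdaemon] C:\WINDOWS\sdaemon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
INI_RE = re.compile(r"^(?P<kind>F[23]) - REG:\S+: (?P<name>\w+)=(?P<cmd>.*)$")
# First executable or library token, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<p>[^"]*?\.(?:exe|dll|com|scr|bat))"?', re.I)
WINDOWS_ROOT = r"c:\windows"  # assumed system root for this XP box

def image_path(cmd):
    """Return the file that actually gets loaded: the DLL for rundll32, else the first binary."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32 "):
        cmd = cmd[len("rundll32 "):]
    m = EXE_RE.match(cmd)
    return m.group("p") if m else cmd.split(" ", 1)[0]

def reasons_for(path):
    """Heuristics (my own) for a startup image that deserves a closer look."""
    if not path:
        return ["empty shell/run value"]
    if "\\" not in path:
        return ["bare filename, resolved through the search path"]
    found = []
    if "$ntservicepackuninstall$" in path.lower():
        found.append("launches from the service-pack uninstall cache")
    if ntpath.dirname(path).lower() == WINDOWS_ROOT:
        found.append("non-Microsoft binary placed directly in the Windows root")
    if "~" in path and path.lower().endswith(".dll"):
        found.append("rundll32 loading a DLL via an 8.3 short path")
    return found

def triage(log_text):
    """Parse HJT F2/F3/O4 lines; return [(entry name, [reasons])] for suspicious entries only."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_RE.match(line) or INI_RE.match(line)
        if m:
            reasons = reasons_for(image_path(m.group("cmd")))
            if reasons:
                flagged.append((m.group("name"), reasons))
    return flagged
```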
     
  13. Luckyneil

    Luckyneil Private First Class

    Latest files.
     

    Attached Files:

  14. Luckyneil

    Luckyneil Private First Class

    I still have this when I boot.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shutdown Spy Sweeper and then use HJT to fix the below lines which I previously requested that you fix. It appears that they were not fixed.


    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\9.bin\MWSBAR.DLL,S
    O4 - HKLM\..\RunOnce: [sdaemon] C:\WINDOWS\sdaemon.exe


    Then exit HJT.

    Make sure the below are deleted (tell me what you find) - Boot in safe mode to delete if necessary.
    C:\Program Files\My Web Search Bar <--- the whole folder
    C:\WINDOWS\sdaemon.exe

    Attach a new HJT log after a reboot.
     
  16. Luckyneil

    Luckyneil Private First Class

    They were fixed but they came back. I tried again today. I deleted sdaemon in normal mode to no avail. Then in safe mode. Then, upon reboot I got an error message saying windows couldn't find it. But, it is in the new HJT file.

    (A right click on sdaemon says it's from Akrontech (Enuff). Could that be BS? I can easily call Akrontech and ask them. I could also ask them if they know anything about w815dm.exe)
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I had sdaemon.exe listed as malware; however, after some additional checking it looks like it could belong to Tropical Software (PC Security™ 5). Is this part of Akrontech? Why the heck would a security company install one of their processes into the Windows root folder? This is where only Microsoft files belong. A security company should know better and should keep their processes and DLLs in their own folder. If the file is something you need and it is missing, a backup may have been saved by HJT the first time you fixed it. Otherwise a reinstall of the PC Security (or Akrontech) software may be required.

    However the below line still exists:
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\9.bin\MWSBAR.DLL,S

    Did you shut down Spy Sweeper before trying to fix it? It could be blocking the change. So could any of this other security software you may have installed. I don't know anything about what PC Security 5 does or does not do (likewise for Akrontech).
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Almost forgot about the w815dm.exe process that I did not include in my list of things to fix. The reason was that I had it listed as:

    w815dm.exe - Enuff Parental Control Software by Akrontech
     
  19. Luckyneil

    Luckyneil Private First Class

    I'm going to try this right now.
     
  20. Luckyneil

    Luckyneil Private First Class

    In spite of our (much more yours than mine :) ) efforts I'm still stuck with the window that pops up at startup as shown in my post # 14. Other than that I think I'm clean.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because it is still appearing in your HJT log in the O4 section. This means it is trying to load at startup. You need to fix that line. If you do not disable or uninstall all of your security type applications, you will not be able to fix it. They are getting in your way. Sometimes if you cannot simply shut down these kinds of applications, they must be uninstalled, or they will treat any changes you are trying to make to actually remove malware like malware itself and they will block the attempted changes.
     
