blue warning popup

Discussion in 'Malware Help (A Specialist Will Reply)' started by nathan bull, Jun 3, 2006.

  1. nathan bull

    nathan bull Private E-2

    I've run all the scans from "READ & RUN ME FIRST Before Asking for Support" but I am still getting popup warnings every time I follow a new link.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please empty your Norton Nprotect folder as requested in step 0 of the READ ME.

    Then do the below.

    Let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    I see part of Symantec Antivirus installed. Did you have it installed at one time and then uninstall it? Did you uninstall it before or after installing AVG?
    I see Norton SystemWorks! Did it have an antivirus as part of the application?
     
  3. nathan bull

    nathan bull Private E-2

    OK, I had a cracked version of Norton SystemWorks which was an antivirus.
    I uninstalled this version of Norton SystemWorks/antivirus and then installed AVG.

    As I uninstalled Norton, I wasn't aware that I would still need to empty the NProtect file... even so, I emptied it before I uninstalled Norton.

    The popup ad takes me to the "spy spotter" website and tries to download the software (I didn't install it).
    Thank you so much for helping me, I've been at my wit's end...
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you uninstall Norton System Works, just delete the below folders if still found:
    C:\RECYCLER\NPROTECT
    C:\Program Files\Common Files\Symantec Shared
    C:\Program Files\Norton SystemWorks

    If any of Norton's stuff is still running (like the below) you will not be able to delete all folders:
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    Download and install the latest Sun Java 5.0 Update 7 (from here: http://java.com/en/ ) and then uninstall the below old versions of Sun Java
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_05

    You are way out of date with FireFox which is on version 1.5.0.4. Get it here: Mozilla FireFox
    Mozilla Firefox (1.0.3)


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Internet Optimizer

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
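A defender-side way to triage the kinds of HijackThis entries singled out in this post (O4 run keys, O9 browser buttons, O16 ActiveX downloads, O23 services) before deciding what to fix. This is an added example, not code from the thread or from HijackThis itself. The sample log lines are constructed from the entries quoted in this thread (with a placeholder path in the Symantec cab URL), and the allowlist of trusted download hosts, the uninstalled-vendor keywords and the unwanted-name list are assumptions chosen to match what is discussed here.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the shape HijackThis prints. The entries echo the ones
# quoted in this thread; the Symantec O16 URL path is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/PLACEHOLDER/cabsa.cab
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""

# Assumed review policy (not from the thread): hosts an ActiveX cab may come
# from, vendors the user says were uninstalled, and names the thread calls unwanted.
TRUSTED_DPF_HOSTS = ("symantec.com", "windowsupdate.microsoft.com")
UNINSTALLED_VENDORS = ("symantec", "norton")
KNOWN_UNWANTED = ("internet optimizer", "empirepoker")

# One regex per HJT section this parser models; other sections are skipped.
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O9": re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<target>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<company>.*?) - (?P<target>.*)$"),
}


@dataclass
class Entry:
    section: str      # HJT section code, e.g. "O4"
    name: str         # run-key value name, button title, cab description or service name
    target: str       # command line, file path or download URL
    raw: str          # the original log line
    company: str = ""  # only O23 lines carry a vendor string
    file_missing: bool = False  # HJT appends "(file missing)" when the target is gone


def parse_log(text: str) -> list:
    """Turn the modelled HJT lines of a log into Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pat = PATTERNS.get(line.split(" ", 1)[0])
        if pat is None:
            continue
        m = pat.match(line)
        if not m:
            continue
        g = m.groupdict()
        entries.append(Entry(
            section=line.split(" ", 1)[0],
            name=g.get("name") or "",
            target=g["target"],
            raw=line,
            company=g.get("company") or "",
            file_missing=g["target"].endswith("(file missing)"),
        ))
    return entries


def review(entries, trusted_hosts, uninstalled_vendors, known_unwanted) -> list:
    """Return [(entry, [reasons])] for entries a human should look at."""
    flagged = []
    for e in entries:
        reasons = []
        haystack = f"{e.name} {e.company} {e.target}".lower()
        if e.file_missing:
            reasons.append("orphaned: registry entry points at a file that no longer exists")
        if e.section == "O16":
            host = urlparse(e.target).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                reasons.append(f"ActiveX download (DPF) from host outside the allowlist: {host}")
        if any(v in haystack for v in uninstalled_vendors):
            reasons.append("leftover from software the user says was uninstalled")
        if any(k in haystack for k in known_unwanted):
            reasons.append("name matches a program identified as unwanted in this thread")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in review(parse_log(SAMPLE_LOG), TRUSTED_DPF_HOSTS,
                             UNINSTALLED_VENDORS, KNOWN_UNWANTED):
        print(entry.raw)
        for r in why:
            print("   ->", r)
```

On the constructed sample the KernelFaultCheck entry (a Windows component) is the only one that passes without a reason; everything else is surfaced with the specific rule that tripped, which is the information a helper needs before telling someone which lines to fix.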
     
  5. nathan bull

    nathan bull Private E-2

    Okay... I tried everything on the list...
    There are 235 items I cannot remove from the NProtect folder with names like
    00050774, and when I right click one and look at properties it says it is file type: file. When I try to delete it, it says "cannot delete file cannot read from the source file or disk".

    Also I could not find C:\Program Files\Internet Optimizer
    even when viewing hidden files.



    And I am still getting the blue popup warnings every time I follow a new link in Explorer as well as Firefox!!

    Something that looks suspicious to me is the Norton SystemWorks cfgwiz.exe.
     

    Attached Files:

  6. nathan bull

    nathan bull Private E-2

    Here's the log.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you actually uninstall ALL of the Symantec/Norton software??

    Did you use the procedure I gave in the READ ME for emptying the Nprotect folder?

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.

    What do the popups say? Give exact and complete messages in the popup.
     
  8. nathan bull

    nathan bull Private E-2

    Everything that I could from Add/Remove Programs.

    Yes, and it came up with a few hundred:
    C:\RECYCLER\NPROTECT\00060458.
    The system cannot find the file specified.

    It would not let me remove the directory either, as it stated that the folder was not empty.

    They are an IE window with no toolbars, with a blue background with the text
    *********************************************************
    >spyware or adware may be damaging your computer.

    >if you have downloaded music online or visited adult website, Spyware may be running in your computer.Spyware may cause slow computer speeds, unwanted popup adds, or personal identity theft.

    >click 'OK' to scan your pc now.

    **Flashing OK Button**
    **********************************************************
    If you right click on the window, it has a popup "security alert" system message type thing.

    If you left click anywhere on the window, it opens a new window to the link
    http://e.spyspotter.com/landings/lp597-21483?a=1494&r=2232&c=8602
    and tries to download straight away.

    ***How I think my computer was infected***
    I installed Windows Defender which told me I had a virus cfgwix.exe (the Norton file...)
    so I uninstalled Norton SystemWorks, then installed AVG.
    I would have been connected to the internet for about 5 mins without any virus protection software; I didn't visit any webpages or do anything online in this period.
    Ever since I have had the popups.
    And from my HJT post, the cfgwiz.exe is still running......
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you tried this procedure for NProtect: Emptying the Norton Protected Recycle Bin

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Network Drivers Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    SNDSrvc

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Norton SystemWorks <-- the whole folder
    C:\Program Files\Common Files\Symantec Shared <-- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  10. nathan bull

    nathan bull Private E-2

    OK, did all the above, except I still can't delete the files from NProtect or the folder itself.

    Yes, I booted in safe mode and used the cmd del *.* and tried rd NPROTECT etc.

    It still came up with the 3 pages of errors in the command prompt.

    And the popups are still coming thick and strong, same one every time! :mad:
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure why you are having problems with Nprotect. With all their Software uninstalled, it should not be an issue. This is one of the reasons why we don't like Symantec software that much. It behaves too much like malware when you try to uninstall it. For now let's ignore Nprotect.


    Please download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here.
     
  12. nathan bull

    nathan bull Private E-2

    I couldn't attach the whole file because it was over 250kb in size (around 900kb), so I've divided it up into 3 parts. I'm guessing this is a lot of hidden files?
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is c:\Program Files\Synipod something you installed? Does it have something to do with an iPod as the name seems to imply? It does not appear in your installed programs list I had you get with HijackThis.


    The below files are questionable. Do you have any idea what they are for?
    C:\PROGRAM FILES\SYNIPOD\MCIVCI70.EXE
    c:\Program Files\Synipod\ace.dll <--- this filename is normally associated with Apropos but not from this folder!
    c:\Program Files\Synipod\WinGenerics.dll <--- this filename is normally associated with Apropos but not from this folder!
    C:\WINDOWS\SYSTEM32\CID2DISP.EXE
    c:\WINDOWS\system32\drivers\crukssrv.sys


    Run the below procedure and then attach the requested log:

    AproposMedia Fix


    I would also like you to use this online file scanner: http://virusscan.jotti.org/
    to scan the above listed files.

    Let me know what it reports for each file. (attach a log for each).
     
  14. nathan bull

    nathan bull Private E-2

    At last the popups have stopped!!!!!!!!!!!:)

    I have no idea what Synipod is.....
    When I bought the computer it came with iTunes pre-installed, but I uninstalled it as I found it slow.

    I have not been able to use Jotti's malware scan as the server is currently "extremely busy".

    Should I still run this scan?
    Also, do you know what it is?
    And how do I avoid it in the future?

    Thank you so much for your help, you have truly gone above and beyond my expectations. :)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, you do not need to run the scan anymore. My suspicions were confirmed by AproposFix. I was correct that you had a problem with Apropos hiding itself from all standard scans. The AproposFix procedure I had you run has taken care of the hiding rootkit.

    You should now completely delete the c:\Program Files\Synipod folder.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  16. nathan bull

    nathan bull Private E-2

    Thank you!!! Thank you!!! Thank you!!!
    I could kiss you...... but I'll save that for my wife :D
     
  17. nathan bull

    nathan bull Private E-2

    Thank you, thank you, thank you
    :D
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You're welcome! You're welcome! ;)

    Surf safely!
     
