Directory attributes changed?

Discussion in 'Malware Help (A Specialist Will Reply)' started by vkinetic, Jan 26, 2007.

  1. vkinetic

    vkinetic Private First Class

    Cleaning a HP system - ran and cleaned with CounterSpy, Spybot, Ad-Aware SE, Kaspersky (online and trial). Ran Smitfraud fix. Installed Norman Internet Security + (Norman AV, Personal Firewall and Ad-Aware SE Personal). Norman installed OK but upon required reboot didn't load. In safe mode tried to run their repair tool but 'Access denied - Error Code 5'. Changed attributes under Security settings to allow full access (was set to read only). Reboot, Norman loads but says there is a problem, reboot to correct, so reboot and Norman doesn't load. Look at attributes again and reset to read only once again. Ran GetRunKey, Show New and Hijack This. Logs attached. Any suggestions?
     

    Attached Files:

    Last edited by a moderator: Jan 27, 2007
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    CounterSpy or Windows Defender Logs?

    Panda and Bit Defender Logs?
     
  3. vkinetic

    vkinetic Private First Class

    Thank you. Here are the scan reports:
     

    Attached Files:

    Last edited by a moderator: Jan 27, 2007
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT is WAY out of date, please update to Hijack This 1.99.1 and attach a new log using the new version.
     
  5. vkinetic

    vkinetic Private First Class

    OK, here's the log from the latest version

    Thanks
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you installed CounterSpy during the Read Me, you can now uninstall it. Also, you need to disable Ad-Watch so it will not block anything we try and fix.

    Once you complete these steps, reboot and attach a fresh HJT log.
     
  7. vkinetic

    vkinetic Private First Class

    New log attached - thanks
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q305&bd=pavilion&pf=desktop

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...


    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.



    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  9. vkinetic

    vkinetic Private First Class

    Thank you - Norman AntiVirus is still not loading at startup. I could attempt a repair (as suggested by their support) but thought I'd wait until you see the latest HijackThis log. I see that svchost.exe is still running.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, you must now remove Kaspersky or Norman AntiVirus. Pick the one you want and uninstall the other, afterwards reboot and let me know how things are running and if any problems remain.
     
  11. vkinetic

    vkinetic Private First Class

    Thanks for all your help - but the original issues remain - Norman AntiVirus doesn't load - go to Safe mode and the Norman folder permissions are set to read only. Change permissions and security policy (even tried adding the user and granting specific full access permissions), reboot, Norman loads but then says it has encountered an error and needs to reboot - reboot and permissions are back to read only again (and the specific security policy I had set is gone) and Norman therefore doesn't load. Checked all the services and dependencies (again Norman services couldn't be started - Access Denied - Code 5), disabled all the ridiculous HP apps at startup, including RECGUARD.EXE (prevents users from changing important system files etc), but still the behaviour is the same. Something is changing the permissions/security policies. If not malware, a Windows problem? Any suggestions? Worth noting that the Norman directory is the only directory on the C drive where 'Access Denied - Code 5' occurs. Very strange. I've installed Norman on hundreds of machines and I have never encountered this. Can't uninstall because the Norman listing in Add or Remove Programs has been removed, but in safe mode and after changing permissions I can run the repair tool and Norman reports that it is repaired, so it must be installed.

    Thanks
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, did you remove the Kaspersky? You can't run multiple antiviruses on your computer.

    Stop! Don't do anything else, let's remove both and start from scratch.

    Download Your Uninstaller! 2006 5.0.0.256, save to desktop and install.

    Locate Kaspersky and Norman, uninstall them both. Once you are complete, reboot and then before you do anything else, navigate to C:\Program Files and delete any folder related to Kaspersky or Norman. Reboot once more and then try a reinstall of Norman.
     
  13. vkinetic

    vkinetic Private First Class

    No, Kaspersky had already been uninstalled. Norman wasn't listed in Your Uninstaller, even in Advanced mode. Went to Safe mode and changed the attributes again on the Norman folder. Ran the Norman Repair tool (which thankfully had an uninstall option) and uninstalled from there. Deleted the Kaspersky and Norman directories. Rebooted to normal mode (user has admin rights) and re-installed Norman. Exactly the same result - Norman installs, downloads updates, advises to reboot to complete the installation, Norman fails to initialise/load on reboot, Norman directory has Access Denied - Code 5. This is not normal behaviour. Normally the Norman directory is accessible at all times. Grrr.
     
  14. vkinetic

    vkinetic Private First Class

    Problem identified - thanks for your help and patience bjgarrick. Turns out that some HP and Compaq machines will not allow the installation of programs outside the default C:\Program Files directory. Norman installs by default in its own directory on the C: drive. Changing the default installation target directory to C:\Program Files fixes the problem. I've installed Norman on many an HP and Compaq machine and never had this problem - but this is a more recent machine - HP and Compaq are dropkicks. Put it down to experience, but thanks so much for all your help - this is certainly a clean machine now.
     
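The symptom that ran through this thread (a product folder that reports "Access denied - Error Code 5" and whose permissions appear to revert after every reboot) is a permissions question before it is a malware question. The script below is an added example, not something posted in the thread or shipped by Norman, HP or MajorGeeks. It snapshots a folder's attributes and ACL, saves the snapshot, and on the next run diffs the live state against it, so a reboot-induced change shows up as a concrete list of added or removed ACEs rather than a guess. It also reports whether the folder lives under Program Files, which turned out to be the deciding factor here. The path `C:\Norman` and the snapshot file name are placeholders. One caveat the thread's wording hides: Windows largely ignores the ReadOnly attribute on a directory itself, so an "Access denied" on a folder almost always comes from the ACL (Deny entries, a missing Allow, or an unexpected owner), which is what the ACE table is for.

```powershell
# Added example: audit a folder's attributes and ACL, and diff against a saved snapshot.
# $Path is a placeholder for the folder that raises "Access denied - Error Code 5".
param(
    [string]$Path = 'C:\Norman',
    [string]$Snapshot = "$env:TEMP\folder-acl-snapshot.xml"
)

function Get-FolderSecurityReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Path not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $Path

    # One row per access control entry: principal, rights, Allow/Deny, inherited or explicit.
    $aces = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights.ToString()
            Type        = $ace.AccessControlType.ToString()
            IsInherited = $ace.IsInherited
        }
    }

    [pscustomobject]@{
        Path                = $item.FullName
        Attributes          = $item.Attributes.ToString()
        # Informational only: Windows does not enforce ReadOnly on directories.
        ReadOnlyFlag        = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
        Owner               = $acl.Owner
        InheritanceDisabled = $acl.AreAccessRulesProtected
        UnderProgramFiles   = $item.FullName.StartsWith(${env:ProgramFiles}, 'OrdinalIgnoreCase')
        Aces                = @($aces)
    }
}

function Compare-FolderSecurityReport {
    param($Before, $After)

    $changes = @()
    foreach ($prop in 'Attributes', 'Owner', 'InheritanceDisabled') {
        if ($Before.$prop -ne $After.$prop) {
            $changes += "$prop changed: '$($Before.$prop)' -> '$($After.$prop)'"
        }
    }

    # Flatten each ACE to a string so Compare-Object can diff the two sets.
    $fmt = { "$($_.Type) $($_.Identity) $($_.Rights) inherited=$($_.IsInherited)" }
    $diff = Compare-Object @($Before.Aces | ForEach-Object $fmt) @($After.Aces | ForEach-Object $fmt)
    foreach ($d in $diff) {
        $changes += if ($d.SideIndicator -eq '<=') { "ACE removed: $($d.InputObject)" }
                    else                          { "ACE added:   $($d.InputObject)" }
    }
    $changes
}

$report = Get-FolderSecurityReport -Path $Path
$report | Select-Object Path, Attributes, ReadOnlyFlag, Owner, InheritanceDisabled, UnderProgramFiles | Format-List
$report.Aces | Format-Table -AutoSize

if (Test-Path -LiteralPath $Snapshot) {
    $before  = Import-Clixml -LiteralPath $Snapshot
    $changes = Compare-FolderSecurityReport -Before $before -After $report
    if ($changes) { 'Changes since last snapshot:'; $changes }
    else          { 'No attribute or ACL changes since last snapshot.' }
}

$report | Export-Clixml -LiteralPath $Snapshot
"Snapshot saved to $Snapshot; run again after the reboot to see what changed."
```

Run it once from an elevated prompt before the reboot and once after; the second run prints the diff. If the only finding is `UnderProgramFiles = False` with no ACE churn, the OEM install restriction described in the post above is the likelier explanation than tampering by malware.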
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad to hear problem is resolved, are you having any other issues?
     
