Norton - Connectivity To This Website Is Not Secure

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fishhead, Mar 15, 2025.

  1. Fishhead

    Fishhead Private First Class

    The forum gave me an error message that the text was too long. I have attached a zip file of the report SearchReg.txt.
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    I am hoping this won't freeze FRST but it might.

    ===================================================

    Farbar Recovery Scan Tool - Run Fix Using Attached File

    --------------------
    • Download Fixlist.txt and save it in the same location as FRST (example, Desktop, USB device) <<< Important
    • Right click on FRST and select Run as administrator
    • Click Fix
    • Once completed the tool will create a Fixlog.txt log in the same location as FRST
    • Zip and upload it to the file hosting site of your choice and post the download link
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Download link
     
  3. Fishhead

    Fishhead Private First Class

  4. Oh My!

    Oh My! Malware Expert Staff Member

    Thanks, it processed correctly.

    Check for pop ups. If you still get them delete the existing Process Monitor file, download a new version and run the steps from Post #43.

    I am ending for the evening but will be back online in the morning.
     
  5. Fishhead

    Fishhead Private First Class

    The popups have continued. I once again ran ProcMon and saved the file and zipped it. The forum tells me that the zip file is too large and I can not upload it. Strange.
     
  6. Oh My!

    Oh My! Malware Expert Staff Member

    Did you try to upload it to trawl.com?

    Did you download a new version of Process Monitor?
     
  7. Fishhead

    Fishhead Private First Class

    Sorry for not being here. I am retired and an old buddy came into town last night and I spent the morning visiting with him.

    I must have been rummy last night. Here is the link.

    http://www.trawl.org/Logfile.zip

    I did download the new version of Process Monitor.

    I can no longer access Excel or Word.
     
  8. Oh My!

    Oh My! Malware Expert Staff Member

    No problem at all.

    That is odd since the last Fixlist didn't touch any of that. Try this. Click Start, type appwiz.cpl and hit Enter. Right click on Office Home and Business 2013, select Change, then Quick Repair.

    The Logfile.zip is corrupt and won't open. Can you try to re-zip the file and upload it again for me?
     
  9. Fishhead

    Fishhead Private First Class

  10. Fishhead

    Fishhead Private First Class

    The quick repair did not work. Attached is the message.

    Also, this may be related to the message screenshot, but another icon appeared on the desktop called "Thumbs.db". Right now I am suspicious of files appearing that I am not expecting. So I deleted it.
     

    Attached Files:

  11. Oh My!

    Oh My! Malware Expert Staff Member

    Before trying to reverse things do you have the Office Home and Business 2013 installation disk handy?
     
  12. Fishhead

    Fishhead Private First Class

    I looked but could not locate them.
     
  13. Oh My!

    Oh My! Malware Expert Staff Member

    Sorry about the delay and the problem.

    Please follow these instructions to run System Restore. Select the Restore Point created around 20-03-2025 19:35:28.

    If System Restore was successful try to open Word and Excel.

    Navigate to the C:\ProgramData\Norton\Antivirus\log folder, zip and attach the folder to your reply.
     
  14. Fishhead

    Fishhead Private First Class

    I found a recovery date of 20-3-2025 19:35:35, so 7 seconds later than what you suggested. There also was one for 20-3-2025 2:20:17, roughly 17 hours earlier.

    Word and Excel still will not open.

    The log file was too large to attach. Also one file was excluded because I did not have permission.

    www.trawl.org/log.zip
     
  15. Oh My!

    Oh My! Malware Expert Staff Member

    Assuming the Restore Operation completed successfully that confirms the issue with Office and Excel is not related to the Fixlist processed just prior to the problem.

    Do you have a Microsoft account you can sign into at account.microsoft.com? If not, complete the following.

    Please run the below but do not post the Fixlog information on the post. Simply let me know if the Product Key information is contained in the Fixlog.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    cmd: wmic path SoftwareLicensingService get OA3xOriginalProductKey
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt.
    ===================================================

    Things I would like to see in your next reply.
    • Log into Microsoft account?
    • Obtain product key information?
     
  16. Fishhead

    Fishhead Private First Class

    Yes, I have a Microsoft account. I just logged in to make sure that the username and password still worked.
     
  17. Oh My!

    Oh My! Malware Expert Staff Member

    Great.

    Do you see the Office 2013 download listed?
     
  18. Fishhead

    Fishhead Private First Class

    I searched but could not find a download option for Office 2013. But they sure want me to buy Microsoft 365.
     
  19. Oh My!

    Oh My! Malware Expert Staff Member

    Yes, Microsoft is good at pestering.

    Run the Fixlist portion of Post #65 and let me know if you get the Product Key for Office.
     
  20. Fishhead

    Fishhead Private First Class

    Yes I now have the product key.
     
  21. Oh My!

    Oh My! Malware Expert Staff Member

    Great.

    I don't think the following step will affect any of your Word and Excel documents but since I am unable to test it I would recommend you back up those files before running the below.

    Do this.

    Click Start, type appwiz.cpl and hit Enter. Right click on Office Home and Business 2013, select Change, then Online Repair.

    Let me know how you do.
     
  22. Fishhead

    Fishhead Private First Class

    That did not work. Attached is the error message.
     

    Attached Files:

  23. Oh My!

    Oh My! Malware Expert Staff Member

    Run a FRST scan and attach both reports to your reply.
     
  24. Fishhead

    Fishhead Private First Class

    Attached.
     

    Attached Files:

  25. Oh My!

    Oh My! Malware Expert Staff Member

    We are going to reverse a couple of Task Schedules.

    Please do this.

    ===================================================

    Please zip the C:\Windows\Minidump folder and attach it to your reply.

    ===================================================

    TaskSchedulerView by Nirsoft - Disabling Tasks

    --------------

    • Right click on the TaskSchedulerView application icon and select Run as administrator
    • Individually right click on the below entries and select Enable Selected Items each time
    Office Automatic Updates
    Office ClickToRun Service Monitor
    • Reboot your computer
    • Check Word and Excel
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Attached file
    • Word and Excel working?
     
  26. Fishhead

    Fishhead Private First Class

    Excel and Word still have a problem.
     

    Attached Files:

  27. Oh My!

    Oh My! Malware Expert Staff Member

    We have issues popping up in different areas. It is concerning because they don't appear to have a common thread.

    I would like to remove some old Dell programs, one of which is crashing your system. I also think it is time to uninstall Norton. We can reinstall it once things settle down.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------

    • Download Revo Uninstaller Free Portable and save it to your Desktop
    • Right click on the folder and select Extract All..., then click Extract
    • Double click on the RevoUninstaller-Portable folder
    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    Code:
    Dell Digital Delivery
    Dell Foundation Services
    Dell Product Registration
    Norton 360
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Launch FRST
    • Copy and paste the following in the Search: box
    Code:
    SearchAll: Norton;Symantec;"Gen Digital"
    
    • Click Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • The report will be quite large and you may need to zip the file or upload it to a file hosting site and provide the download link.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Programs uninstall?
    • Attached Search report
     
  28. Fishhead

    Fishhead Private First Class

    The programs are uninstalled. File attached.
     

    Attached Files:

  29. Oh My!

    Oh My! Malware Expert Staff Member

    That is the previous Search.txt and not the one for Norton.
     
  30. Fishhead

    Fishhead Private First Class

    This should be better.
     

    Attached Files:

  31. Fishhead

    Fishhead Private First Class

    I am confused. The delete removed the files from the list of programs, but I just noticed the Norton 360 icon on my desktop. I clicked and the program is still there. Is that correct?
     
  32. Oh My!

    Oh My! Malware Expert Staff Member

    Let's run this and see if things change.

    ===================================================

    Farbar Recovery Scan Tool - Run Fix Using Attached File

    --------------------
    • Download the attached file and save it in the same location as FRST.exe (example, Desktop, USB device) <<< Important
    • Right click on FRST and select Run as administrator
    • Click Fix and once completed your computer will reboot
    • The tool will create a log on the desktop called Fixlog.txt
    • Attach the file to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached Fixlog
     

    Attached Files:

  33. Fishhead

    Fishhead Private First Class

    File attached.

    The Norton icon is no longer on the desktop, but if I click the little arrow on the Taskbar to show hidden icons, Norton is still there and it does open the program.
    Also, it is still on the C drive under Programs. So are some of the "deleted" Dell files such as Dell Foundation Services and Dell Digital Delivery.
     

    Attached Files:

  34. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    Norton is fighting against our efforts to completely remove the program.

    The above items may very well be all that is left but I would like us to run another SearchAll: to make sure we check the entire system for remnants. Please run the below. I will then provide another Fixlist which we will run in a special way and hopefully overcome Norton's resistance.

    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Launch FRST
    • Copy and paste the following in the Search: box
    Code:
    SearchAll: Norton;Symantec
    
    • Click Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • The report will be quite large and you may need to zip the file or upload it to a file hosting site and provide the download link.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Attached Search report
     
  35. Fishhead

    Fishhead Private First Class

    Attached Files:

  36. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the information.

    I am going to need some time to evaluate not only the Search.txt but the FRST and Addition.txt reports as well. There appear to be some additional Norton files that are not named under Norton. I need to make sure they are safe to remove. I am going to be away from my computer for a few hours.

    I have found the only way to completely uninstall Norton (and other AV programs) is to do a SearchAll: follow-up. What is difficult is the Process Monitor logs might be indicating Norton itself is involved in trying to access the site being blocked. It doesn't make sense to me off the bat but I need to evaluate/troubleshoot that possibility.

    I appreciate your patience and efforts. As I mentioned, this is a tough one.
     
  37. Oh My!

    Oh My! Malware Expert Staff Member

    It would be helpful to take a cellphone picture of, or print out the instructions for reference.

    Before starting the Fix instructions it is important to make sure we successfully create a System Restore Point. Name the Restore Point Norton Remnants. Only after you have confirmed the Restore Point was successfully created complete the next step.

    ===================================================

    Farbar Recovery Scan Tool Fix - Safe Mode Command Prompt with Attached File

    --------------------
    • If necessary, download Farbar Recovery Scan Tool for 64 bit systems and save it to a USB device
    • Download the attached file and save it in the same USB device
    • Click Start, type msconfig, then select Run as administrator
    • Click on the Boot tab
    • Check Safe boot, then select Alternative shell
    • Click Apply, then OK
    • Click Restart and allow the black Command Prompt window to appear
    • Insert the USB device into your compromised computer
    • In the command window type in Notepad and press Enter.
    • Under File menu select Open
    • Locate and left click on your USB drive letter
    • Near the lower right hand corner of the Open window change Text Documents (*.txt) to All Files (*.*)
    • Right click on the FRST icon and select Run as administrator
    • Click Yes to disclaimer that may appear
    • Press Fix
    • Click OK to automatically restart your computer into Normal Boot
    • A fixlog.txt file will be saved on the USB drive. Please copy and paste it to your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     

    Attached Files:

  38. Fishhead

    Fishhead Private First Class

    Sorry for not being attentive. I normally return to the forum after receiving an email notifying me that there was a posting, but I never received one for your last post.

    Anyway, I created a restore point and then went and looked to ensure that it was truly there. It was.

    I ran FRST Fix and went through the reboot. Once things were fully loaded, I took a peek at the hidden icons, and Norton is still there and running. I opened it to be sure.

    Here is the Fixlog:

    Fix result of Farbar Recovery Scan Tool (x64) Version: 18-03-2025
    Ran by Peter (26-03-2025 20:17:22) Run:9
    Running from D:\
    Loaded Profiles: Peter
    Boot Mode: Safe Mode (minimal)
    ==============================================

    fixlist content:
    *****************
    C:\Windows\Prefetch\NORTONUI.EXE-C83AD5EA.pf
    C:\Windows\Prefetch\NORTONUI.EXE-C83AD5EB.pf
    C:\Windows\Prefetch\NORTONUI.EXE-C83AD5F1.pf
    C:\ProgramData\Norton
    C:\Program Files\Norton
    C:\Windows\Temp\_norton_
    C:\Users\Peter\AppData\Roaming\Norton
    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++support.norton.com
    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cnorton.com%29
    C:\Users\Peter\AppData\Local\Norton
    C:\Users\Peter\AppData\Local\Temp\_norton_
    C:\ProgramData\Norton
    C:\Program Files\Common Files\Norton
    C:\Windows\system32\nllBoot.exe
    C:\Windows\system32\icarus_rvrt.exe
    C:\Windows\System32\drivers\nllArDisk.sys
    C:\Windows\System32\drivers\nllArPot.sys
    C:\Windows\System32\drivers\nllbidsdriver.sys
    C:\Windows\System32\drivers\nllbidsh.sys
    C:\Windows\System32\drivers\nllbuniv.sys
    C:\Windows\System32\drivers\nllKbd.sys
    C:\Windows\System32\drivers\nllMonFlt.sys
    C:\Windows\System32\drivers\nllNetHub.sys
    C:\Windows\System32\drivers\nllRdr2.sys
    C:\Windows\System32\drivers\nllRvrt.sys
    C:\Windows\System32\drivers\nllSnx.sys
    C:\Windows\System32\drivers\nllSP.sys
    C:\Windows\System32\drivers\nllStm.sys
    C:\Windows\System32\drivers\nllVmm.sys
    R0 nllArDisk; C:\Windows\System32\drivers\nllArDisk.sys [20568 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllArPot; C:\Windows\System32\drivers\nllArPot.sys [246880 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllbidsdriver; C:\Windows\System32\drivers\nllbidsdriver.sys [384096 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllbidsh; C:\Windows\System32\drivers\nllbidsh.sys [296032 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllbuniv; C:\Windows\System32\drivers\nllbuniv.sys [84576 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllKbd; C:\Windows\System32\drivers\nllKbd.sys [37984 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllMonFlt; C:\Windows\System32\drivers\nllMonFlt.sys [278616 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllNetHub; C:\Windows\System32\drivers\nllNetHub.sys [553568 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllRdr; C:\Windows\System32\drivers\nllRdr2.sys [98912 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllRvrt; C:\Windows\System32\drivers\nllRvrt.sys [69728 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllSnx; C:\Windows\System32\drivers\nllSnx.sys [959064 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllSP; C:\Windows\System32\drivers\nllSP.sys [1427552 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R3 nllStm; C:\Windows\System32\drivers\nllStm.sys [207456 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllVmm; C:\Windows\System32\drivers\nllVmm.sys [389720 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389}|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389}\InprocServer32|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32|ReleaseName
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|NortonUI.exe
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NortonUI.exe
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager|PendingFileRenameOperations
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbIDSAgent|ImagePath
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsdriver\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsdriver\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsh\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsh\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbuniv\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbuniv\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllNetHub\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllNetHub\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSnx\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSnx\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|SubscriptionsFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|ProgramFolders
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|DataFolders
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|LimitedFolders
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Norton\Suite\NortonUI.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton Mail Scanner Trusted
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton SSL Scanner Cache
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Norton
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton Mail Scanner Trusted
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton SSL Scanner Cache
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\Software\Norton
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Antivirus
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Firewall
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Tools
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NortonWscReporter
    DeleteKey: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Norton
    cmd: bcdedit /deletevalue {default} safeboot
    Reboot:
    *****************

    "C:\Windows\Prefetch\NORTONUI.EXE-C83AD5EA.pf" => not found
    "C:\Windows\Prefetch\NORTONUI.EXE-C83AD5EB.pf" => not found
    C:\Windows\Prefetch\NORTONUI.EXE-C83AD5F1.pf => moved successfully

    "C:\ProgramData\Norton" Folder move:

    Could not move "C:\ProgramData\Norton" => Scheduled to move on reboot.


    "C:\Program Files\Norton" Folder move:

    Could not move "C:\Program Files\Norton" => Scheduled to move on reboot.


    "C:\Windows\Temp\_norton_" Folder move:

    C:\Windows\Temp\_norton_ => moved successfully

    "C:\Users\Peter\AppData\Roaming\Norton" Folder move:

    C:\Users\Peter\AppData\Roaming\Norton => moved successfully

    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++support.norton.com" Folder move:

    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++support.norton.com => moved successfully

    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cnorton.com%29" Folder move:

    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cnorton.com%29 => moved successfully

    "C:\Users\Peter\AppData\Local\Norton" Folder move:

    C:\Users\Peter\AppData\Local\Norton => moved successfully

    "C:\Users\Peter\AppData\Local\Temp\_norton_" Folder move:

    C:\Users\Peter\AppData\Local\Temp\_norton_ => moved successfully

    "C:\ProgramData\Norton" Folder move:

    Could not move "C:\ProgramData\Norton" => Scheduled to move on reboot.


    "C:\Program Files\Common Files\Norton" Folder move:

    Could not move "C:\Program Files\Common Files\Norton" => Scheduled to move on reboot.

    Could not move "C:\Windows\system32\nllBoot.exe" => Scheduled to move on reboot.
    C:\Windows\system32\icarus_rvrt.exe => moved successfully
    Could not move "C:\Windows\System32\drivers\nllArDisk.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllArPot.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllbidsdriver.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllbidsh.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllbuniv.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllKbd.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllMonFlt.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllNetHub.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllRdr2.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllRvrt.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllSnx.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllSP.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllStm.sys" => Scheduled to move on reboot.
    Could not move "C:\Windows\System32\drivers\nllVmm.sys" => Scheduled to move on reboot.
    nllArDisk => Unable to stop service.
    HKLM\System\CurrentControlSet\Services\nllArDisk => removed successfully
    nllArDisk => service removed successfully
    HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\\UpperFilters nllArDisk => value removed successfully
    HKLM\System\CurrentControlSet\Services\nllArPot => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllbidsdriver => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllbidsh => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllbuniv => could not remove, key could be protected
    nllKbd => Unable to stop service.
    HKLM\System\CurrentControlSet\Services\nllKbd => removed successfully
    nllKbd => service removed successfully
    HKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\\UpperFilters nllKbd => value removed successfully
    HKLM\System\CurrentControlSet\Services\nllMonFlt => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllNetHub => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllRdr => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllRvrt => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllSnx => could not remove, key could be protected
    nllSP => Unable to stop service.
    HKLM\System\CurrentControlSet\Services\nllSP => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllStm => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllVmm => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389} => Access Denied
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389}\InprocServer32 => Access Denied
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24} => Access Denied
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32 => Access Denied
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32 => Access Denied
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\NortonUI.exe" => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NortonUI.exe => Error = 5
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations" => removed successfully
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbIDSAgent => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsdriver\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsdriver\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsh\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsh\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbuniv\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbuniv\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllNetHub\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllNetHub\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSnx\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSnx\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters => Access Denied
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Program Files\Norton\Suite\NortonUI.exe" => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton Mail Scanner Trusted => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton SSL Scanner Cache => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Norton => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton Mail Scanner Trusted => not found
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton SSL Scanner Cache => not found
    HKEY_LOCAL_MACHINE\SYSTEM\Software\Norton => removed successfully
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Antivirus => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Firewall => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Tools => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NortonWscReporter => could not remove, key could be protected
    HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Norton => could not remove, key could be protected

    ========= bcdedit /deletevalue {default} safeboot =========

    The operation completed successfully.


    ========= End of CMD: =========


    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 26-03-2025 20:21:38)

    C:\ProgramData\Norton => Could not move
    C:\Program Files\Norton => Could not move
    C:\ProgramData\Norton => Could not move
    C:\Program Files\Common Files\Norton => Could not move
    C:\Windows\system32\nllBoot.exe => Could not move
    C:\Windows\System32\drivers\nllArDisk.sys => Could not move
    C:\Windows\System32\drivers\nllArPot.sys => Could not move
    C:\Windows\System32\drivers\nllbidsdriver.sys => Could not move
    C:\Windows\System32\drivers\nllbidsh.sys => Could not move
    C:\Windows\System32\drivers\nllbuniv.sys => Could not move
    C:\Windows\System32\drivers\nllKbd.sys => Could not move
    C:\Windows\System32\drivers\nllMonFlt.sys => Could not move
    C:\Windows\System32\drivers\nllNetHub.sys => Could not move
    C:\Windows\System32\drivers\nllRdr2.sys => Could not move
    C:\Windows\System32\drivers\nllRvrt.sys => Could not move
    C:\Windows\System32\drivers\nllSnx.sys => Could not move
    C:\Windows\System32\drivers\nllSP.sys => Could not move
    C:\Windows\System32\drivers\nllStm.sys => Could not move
    C:\Windows\System32\drivers\nllVmm.sys => Could not move

    Result of scheduled keys to remove after reboot:

    HKLM\System\CurrentControlSet\Services\nllArPot => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllbidsdriver => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllbidsh => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllbuniv => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllMonFlt => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllNetHub => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllRdr => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllRvrt => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllSnx => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllSP => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllStm => could not remove, key could be protected
    HKLM\System\CurrentControlSet\Services\nllVmm => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SOFTWARE\Norton => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Antivirus => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Firewall => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Tools => could not remove, key could be protected
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NortonWscReporter => could not remove, key could be protected
    HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Norton => could not remove, key could be protected

    ==== End of Fixlog 20:21:39 ====
     
  39. Oh My!

    Oh My! Malware Expert Staff Member

    No problem at all. At least you are OK, I was a bit concerned.

    Norton is continuing to block our efforts so we will do things a different way.

    ==================================================

    Farbar Recovery Scan Tool Fix From Recovery Partition - Attached File

    --------------------
    • If necessary, download Farbar Recovery Scan Tool for 64 bit systems and save it to a USB device
    • Download the attached file and save it to the same USB
    • Insert the USB device into your compromised computer
    • Holding down the Shift Key click Start, click the power icon, then select Reboot
    • Click Troubleshoot
    • Click Advanced options
    • Click Command Prompt
    • Choose an account to continue
    • If necessary, enter the password then hit Continue
    • In the command window type in Notepad and press Enter
    • Under File menu select Open
    • Select This PC and double click on your USB drive letter
    • Next to Files of type: select All Files
    • Right click on the FRST icon and select Run as administrator
    • Click Yes to disclaimer that may appear
    • Press Fix button
    • A fixlog.txt file will be saved on the USB drive
    • Reboot your computer then copy and paste the contents of Fixlog.txt into your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     


  40. Fishhead

    Fishhead Private First Class

    Fixlog:

    Fix result of Farbar Recovery Scan Tool (x64) Version: 18-03-2025
    Ran by SYSTEM (27-03-2025 07:58:07) Run:10
    Running from D:\
    Boot Mode: Recovery
    ==============================================

    fixlist content:
    *****************
    C:\ProgramData\Norton
    C:\Program Files\Norton
    C:\Windows\Temp\_norton_
    C:\Users\Peter\AppData\Roaming\Norton
    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++support.norton.com
    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cnorton.com%29
    C:\Users\Peter\AppData\Local\Norton
    C:\Users\Peter\AppData\Local\Temp\_norton_
    C:\ProgramData\Norton
    C:\Program Files\Common Files\Norton
    C:\Windows\system32\nllBoot.exe
    C:\Windows\system32\icarus_rvrt.exe
    C:\Windows\System32\drivers\nllArDisk.sys
    C:\Windows\System32\drivers\nllArPot.sys
    C:\Windows\System32\drivers\nllbidsdriver.sys
    C:\Windows\System32\drivers\nllbidsh.sys
    C:\Windows\System32\drivers\nllbuniv.sys
    C:\Windows\System32\drivers\nllKbd.sys
    C:\Windows\System32\drivers\nllMonFlt.sys
    C:\Windows\System32\drivers\nllNetHub.sys
    C:\Windows\System32\drivers\nllRdr2.sys
    C:\Windows\System32\drivers\nllRvrt.sys
    C:\Windows\System32\drivers\nllSnx.sys
    C:\Windows\System32\drivers\nllSP.sys
    C:\Windows\System32\drivers\nllStm.sys
    C:\Windows\System32\drivers\nllVmm.sys
    R0 nllArDisk; C:\Windows\System32\drivers\nllArDisk.sys [20568 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllArPot; C:\Windows\System32\drivers\nllArPot.sys [246880 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllbidsdriver; C:\Windows\System32\drivers\nllbidsdriver.sys [384096 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllbidsh; C:\Windows\System32\drivers\nllbidsh.sys [296032 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllbuniv; C:\Windows\System32\drivers\nllbuniv.sys [84576 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllKbd; C:\Windows\System32\drivers\nllKbd.sys [37984 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllMonFlt; C:\Windows\System32\drivers\nllMonFlt.sys [278616 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllNetHub; C:\Windows\System32\drivers\nllNetHub.sys [553568 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllRdr; C:\Windows\System32\drivers\nllRdr2.sys [98912 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllRvrt; C:\Windows\System32\drivers\nllRvrt.sys [69728 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllSnx; C:\Windows\System32\drivers\nllSnx.sys [959064 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R1 nllSP; C:\Windows\System32\drivers\nllSP.sys [1427552 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R3 nllStm; C:\Windows\System32\drivers\nllStm.sys [207456 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    R0 nllVmm; C:\Windows\System32\drivers\nllVmm.sys [389720 2025-03-13] (Microsoft Windows Hardware Compatibility Publisher -> Gen Digital Inc.)
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389}|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389}\InprocServer32|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32|ReleaseName
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|NortonUI.exe
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NortonUI.exe
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager|PendingFileRenameOperations
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbIDSAgent|ImagePath
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsdriver\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsdriver\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsh\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbidsh\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbuniv\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllbuniv\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllNetHub\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllNetHub\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSnx\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSnx\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|ProgramFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|DataFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|SubscriptionsFolder
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|ProgramFolders
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|DataFolders
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters|LimitedFolders
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Norton\Suite\NortonUI.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton Mail Scanner Trusted
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton SSL Scanner Cache
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Norton
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton Mail Scanner Trusted
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton SSL Scanner Cache
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\Software\Norton
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Antivirus
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Firewall
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Tools
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NortonWscReporter
    DeleteKey: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Norton

    *****************

    C:\ProgramData\Norton => Could not move
    C:\Program Files\Norton => Could not move
    C:\Windows\Temp\_norton_ => Could not move
    C:\Users\Peter\AppData\Roaming\Norton => Could not move
    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++support.norton.com" => not found
    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cnorton.com%29" => not found
    C:\Users\Peter\AppData\Local\Norton => Could not move
    C:\Users\Peter\AppData\Local\Temp\_norton_ => Could not move
    C:\ProgramData\Norton => Could not move
    C:\Program Files\Common Files\Norton => Could not move
    C:\Windows\system32\nllBoot.exe => moved successfully
    C:\Windows\system32\icarus_rvrt.exe => moved successfully
    C:\Windows\System32\drivers\nllArDisk.sys => moved successfully
    C:\Windows\System32\drivers\nllArPot.sys => moved successfully
    C:\Windows\System32\drivers\nllbidsdriver.sys => moved successfully
    C:\Windows\System32\drivers\nllbidsh.sys => moved successfully
    C:\Windows\System32\drivers\nllbuniv.sys => moved successfully
    C:\Windows\System32\drivers\nllKbd.sys => moved successfully
    C:\Windows\System32\drivers\nllMonFlt.sys => moved successfully
    C:\Windows\System32\drivers\nllNetHub.sys => moved successfully
    C:\Windows\System32\drivers\nllRdr2.sys => moved successfully
    C:\Windows\System32\drivers\nllRvrt.sys => moved successfully
    C:\Windows\System32\drivers\nllSnx.sys => moved successfully
    C:\Windows\System32\drivers\nllSP.sys => moved successfully
    C:\Windows\System32\drivers\nllStm.sys => moved successfully
    C:\Windows\System32\drivers\nllVmm.sys => moved successfully
    nllArDisk => service not found.
    HKLM\System\ControlSet001\Services\nllArPot => removed successfully
    nllArPot => service removed successfully
    HKLM\System\ControlSet001\Services\nllbidsdriver => removed successfully
    nllbidsdriver => service removed successfully
    HKLM\System\ControlSet001\Services\nllbidsh => removed successfully
    nllbidsh => service removed successfully
    HKLM\System\ControlSet001\Services\nllbuniv => removed successfully
    nllbuniv => service removed successfully
    nllKbd => service not found.
    HKLM\System\ControlSet001\Services\nllMonFlt => removed successfully
    nllMonFlt => service removed successfully
    HKLM\System\ControlSet001\Services\nllNetHub => removed successfully
    nllNetHub => service removed successfully
    HKLM\System\ControlSet001\Services\nllRdr => removed successfully
    nllRdr => service removed successfully
    HKLM\System\ControlSet001\Services\nllRvrt => removed successfully
    nllRvrt => service removed successfully
    HKLM\System\ControlSet001\Services\nllSnx => removed successfully
    nllSnx => service removed successfully
    HKLM\System\ControlSet001\Services\nllSP => removed successfully
    nllSP => service removed successfully
    HKLM\System\ControlSet001\Services\nllStm => removed successfully
    nllStm => service removed successfully
    HKLM\System\ControlSet001\Services\nllVmm => removed successfully
    nllVmm => service removed successfully
    "HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389}\\" => removed successfully
    "HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F130806-2047-44B1-95C0-589B935DE389}\InprocServer32\\" => removed successfully
    "HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\\" => removed successfully
    "HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32\\" => removed successfully
    "HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{472083B2-C522-11CF-8763-00608CC02F24}\InProcServer32\\ReleaseName" => removed successfully
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\NortonUI.exe" => removed successfully
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NortonUI.exe" => removed successfully
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllbIDSAgent" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllbidsdriver\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllbidsdriver\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllbidsh\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllbidsh\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllbuniv\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllbuniv\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllNetHub\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllNetHub\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSnx\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSnx\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSP\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSP\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSP\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSP\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSP\Parameters" => not found
    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nllSP\Parameters" => not found
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" => not found
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton Mail Scanner Trusted => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Norton SSL Scanner Cache => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Norton => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton Mail Scanner Trusted" => not found
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Norton SSL Scanner Cache" => not found
    "HKEY_LOCAL_MACHINE\SYSTEM\Software\Norton" => not found
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Antivirus" => not found
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Firewall" => not found
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton Tools" => not found
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NortonWscReporter" => not found
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Norton" => not found

    ==== End of Fixlog 07:58:13 ====
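
Added example (not part of the original posts and not FRST's own code): a Python triage of a Fixlog in the `target => outcome` format shown in this thread, grouping lines so the items a fix could not touch stand out from those already gone. The sample log is constructed from line shapes in the thread; the function names and the bucket wording are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied in shape from the Fixlogs in this thread.
SAMPLE_FIXLOG = r'''
C:\ProgramData\Norton => Could not move
C:\Windows\System32\drivers\nllSP.sys => moved successfully
nllArDisk => service not found.
HKLM\System\ControlSet001\Services\nllSP => removed successfully
nllSP => service removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Norton => could not remove, key could be protected
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nllSP\Parameters => Access Denied
"HKEY_LOCAL_MACHINE\SYSTEM\Software\Norton" => not found
==== End of Fixlog 07:58:13 ====
'''

# One result line: optional quotes around the target, then " => outcome".
LINE_RE = re.compile(r'^\s*"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\.?\s*$')

# Checked in order, so "could not remove" is never mistaken for "removed".
BUCKETS = (
    ("failed", ("could not move", "could not remove", "access denied")),
    ("absent", ("not found",)),
    ("done", ("moved successfully", "removed successfully")),
)


def classify(outcome):
    """Map an outcome string from the log to failed / absent / done / other."""
    text = outcome.lower()
    for bucket, needles in BUCKETS:
        if any(needle in text for needle in needles):
            return bucket
    return "other"


def kind(target):
    """Rough type of the target: registry key, file path, or service name."""
    if target.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\", "HKU\\")):
        return "registry"
    if re.match(r"[A-Za-z]:\\", target):
        return "file"
    return "service"


def triage(fixlog_text):
    """Group every result line's target by outcome bucket, in log order."""
    results = defaultdict(list)
    for line in fixlog_text.splitlines():
        match = LINE_RE.match(line)
        if match:  # headers, fixlist content and blank lines do not match
            results[classify(match["outcome"])].append(match["target"])
    return dict(results)


def unresolved(fixlog_text):
    """De-duplicated (kind, target) pairs that the fix failed to change."""
    seen = []
    for target in triage(fixlog_text).get("failed", []):
        pair = (kind(target), target)
        if pair not in seen:
            seen.append(pair)
    return seen


if __name__ == "__main__":
    for item_kind, target in unresolved(SAMPLE_FIXLOG):
        print(f"{item_kind:8} {target}")
```
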
     
  41. Fishhead

    Fishhead Private First Class

    I just checked. Norton is still installed and working.
     
  42. Oh My!

    Oh My! Malware Expert Staff Member

    This certainly is not normal.

    Repeat the previous step but utilize the attached Fixlist instead of the original one.
     


  43. Fishhead

    Fishhead Private First Class

    Norton appears to be removed.

    Fix result of Farbar Recovery Scan Tool (x64) Version: 18-03-2025
    Ran by SYSTEM (27-03-2025 12:00:37) Run:11
    Running from D:\
    Boot Mode: Recovery
    ==============================================

    fixlist content:
    *****************
    RemoveDirectory: C:\ProgramData\Norton
    RemoveDirectory: C:\Program Files\Norton
    RemoveDirectory: C:\Windows\Temp\_norton_
    RemoveDirectory: C:\Users\Peter\AppData\Roaming\Norton
    RemoveDirectory: C:\Users\Peter\AppData\Local\Norton
    RemoveDirectory: C:\Users\Peter\AppData\Local\Temp\_norton_
    RemoveDirectory: C:\Program Files\Common Files\Norton
    *****************

    "C:\ProgramData\Norton" => removed successfully
    "C:\Program Files\Norton" => removed successfully
    "C:\Windows\Temp\_norton_" => removed successfully
    "C:\Users\Peter\AppData\Roaming\Norton" => removed successfully
    "C:\Users\Peter\AppData\Local\Norton" => removed successfully
    "C:\Users\Peter\AppData\Local\Temp\_norton_" => removed successfully
    "C:\Program Files\Common Files\Norton" => removed successfully

    ==== End of Fixlog 12:00:51 ====
     
  44. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    If Office is still not working properly repeat the steps in Post #71.
     
  45. Fishhead

    Fishhead Private First Class

    The steps in Post #71 did not work. I received an error notice attached. I have also lost network connection to Thunderbird.
     


  46. Fishhead

    Fishhead Private First Class

    Malwarebytes Firewall Control was blocking the network. I removed it and the network connection now works.
     
  47. Oh My!

    Oh My! Malware Expert Staff Member

  48. Oh My!

    Oh My! Malware Expert Staff Member

    Continue the download because you should have a copy of the installation media anyway.

    Once the download finishes please do this.

    ===================================================

    Modifying Service State and Startup Type

    --------------------

    • Click Start, type services.msc then hit Enter
    • Locate and right click on Microsoft Office Click-to-Run Service and select Properties
    • Under Service status click Start
    • To the right of Startup type: click the down arrow and change it to Automatic
    • Click Apply then OK
    • Close all open windows, reboot your computer, and check Office
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Results?
     
  49. Fishhead

    Fishhead Private First Class

    Success! Both Word and Excel now work.

    Since I no longer have Norton installed, there have been no popup notices. What I don't know is whether whatever was causing the popup to appear is doing something else.
     
  50. Oh My!

    Oh My! Malware Expert Staff Member

    I am away from my computer for an hour or two but will post instructions to follow upon my return.
     
