Overrun with Spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by likeasunburn, Mar 25, 2006.

  1. likeasunburn

    likeasunburn Private E-2

    I started noticing problems when I type in an IM window, specifically Trillian. My cursor would freeze then disappear every four words or so and would come back after anywhere from 30 secs to 3-4 mins.

    When I run McAfee, nothing ever shows. I also use Adaware, Spybot S&D, and Spy Sweeper regularly. Adaware rarely finds anything, SpySweeper finds tracking cookies once in a while, and Spybot was finding the same two problems every time. I'd click "fix" and supposedly it did, but every time I scanned, same thing.

    Overall my computer seems to be dragging pretty bad in addition to the above "freezing" problem in IMs.

    I have a 3-year-old Dell Dimension 2350, running Windows XP. The other info I think you need is Celeron CPU 1.70GHz, 256 MB of RAM. I'm pretty sure the hard drive is 30GB. I hope that's what you needed to know.

    I started at the "Read & Run Me First" post, following every step other than the "Windows Defender," which would not install for me, for some reason. I should add that when I rebooted in Safe Mode to run all those scans, nothing showed up at all. However when I did the two online scans I was floored by the amount of crap I have.

    All my logs are attached. Help, please. :(
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MajorGeeks! Looks like you did not run CCleaner or empty your Recycle Bin before starting the online scans. I can tell since a load of stuff in your log is just from the Recycle Bin not being emptied. You should manually remove the items that BitDefender failed to fix. Check your log. At least one is in email.

    You ignored step 3 of the READ & RUN ME. Uninstall all but one antivirus program. You have three!
     
  3. likeasunburn

    likeasunburn Private E-2

    Hi! Yes actually I did run CCleaner, when I was in safe mode. I also emptied the recycle bin beforehand, but it took me several days to download and install everything, then run it, in which time I was online doing other things as well, so maybe that's why? So should I empty it again and run CCleaner again? Or do I need to start all over?

    Thanks for your help.
     
  4. likeasunburn

    likeasunburn Private E-2

    Oops, missed this part of your comment, sorry. No I didn't ignore it, I didn't know I had three? :rolleyes: What do I need to uninstall, since I use McAfee?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files".
    Once you have saved it double click it and allow it to add into the registry.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - Default URLSearchHook is missing
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    We recommend that nothing be in the Trusted Zone unless absolutely necessary and I have rarely found a case where it is.
    O15 - Trusted Zone: http://www.greatestjournal.com
    O15 - Trusted Zone: http://*.greatestjournal.com
    O15 - Trusted Zone: http://www.photobucket.com
    O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\AWS <--- the whole folder
    c:\documents and settings\sunnie\favorites\health <--- the whole folder
    C:\Documents and Settings\karey\Local Settings\Temp\_ps_inst.exe
    C:\WINDOWS\SYSTEM32\fiz1 <--- the whole folder
    C:\WINDOWS\SYSTEM32\SHAgentNew.dll


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  6. likeasunburn

    likeasunburn Private E-2

    Okay, it looks like my Saturday is cut out for me. :eek: I'll get to work on these, and thanks once again for your help! I really appreciate it.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nah! This is only 10 to 15 minutes of work. 20 Minutes max.
     
  8. likeasunburn

    likeasunburn Private E-2

    Done!

    Done!

    Okay, problem. I couldn't find this: C:\Program Files\AWS It seems pretty straightforward but there was no folder there, and yes the viewing of my hidden folders is enabled. :-/

    Also, C:\WINDOWS\SYSTEM32\fiz1 You said delete whole folder, but I couldn't find a folder, just that file fiz1, so I deleted that as well as fiz2-8 or however many there were.

    Done!

    Gotcha. Will wait for you to tell me if this log is clean. Would I also go back and change the hidden folders setting?
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not a problem. It showed in your HJT log but may have been gone already. We were just making sure.

    Good! It looked like a folder in the log but I was not sure.

    You still have not done step 3 of the READ ME.

    Notice the below info from your log show THREE antivirus applications:
     
  10. likeasunburn

    likeasunburn Private E-2

    I still don't know what you're seeing, or what I need to do. :confused: I'm feeling pretty dumb at the moment.

    I thought I deleted Avast, actually, I think I've deleted it more than once. I even double-checked before I ran this last HijackThis log and deleted everything in the Alwil folder except ashShell.dll, which it wouldn't let me delete.

    What else do I have besides McAfee? How do I get rid of Avast if it's still there? When I go to Add/Remove Programs it gives me an error.

    Ooh, do you mean Symantec? Hmm, I know I've seen that name but I thought it was something other than antivirus. So I should just delete that whole folder? It doesn't show up in Add/Remove Programs.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to just delete files. Programs must be uninstalled or they will leave tons of junk lying around. If you manually delete any components of the programs before actually using Add/Remove Programs to uninstall, the uninstall will no longer work. Which may be the case for you now!! You will probably have to use manual procedures now to clean up all the junk left over from Avast and Symantec. You cannot just simply delete all files and fix lines with HJT. It will not allow that since there are system services (the O23 lines in HJT) running. They must first be stopped and disabled. Then you need to delete the NT Service. When that is finished and you reboot, you will then be able to clean up any remaining files from the programs; however, there will probably be a bunch of residual junk still in the registry from the programs.

    We can work up cleaning these up tomorrow when I get back in (probably in the evening my time).
     
  12. likeasunburn

    likeasunburn Private E-2

    I kind of knew that, but in my frazzled state from the "you still have three antivirus" going on, I sort of forgot. Lame excuse, but true! This virus/adware or whatever has been going on has had me completely flustered for days, I even dreamt about it last night! :(

    Harmful junk or just random junk?

    Thank you, no rush of course. It's already running more smoothly, and I haven't had that AIM/Trillian issue since before you started helping. I appreciate your patience with me. :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's see what we can do to get rid of the excess AV programs.

    First start by looking in Add/Remove programs and seeing if you can uninstall the one you do not want. (By the way I assume you want McAfee....is that correct?)

    After trying to uninstall, try running the below for Symantec (I'm not sure what version you have of Symantec but it is worth trying this first):

    Using the Norton uninstall tool

    Then continue with the below which should clean up Avast!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to iAVS4 Control Service (if that is not found, look for the short name: aswUpdSv)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Antivirus
    Mail Scanner
    Web Scanner

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    aswUpdSv

    Now repeat the Delete NT Service steps for:
    Antivirus
    Mail Scanner
    Web Scanner
    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot, attach a new HJT log and we will continue to remove anything else left over from Symantec and Avast.
     
    Last edited: Mar 26, 2006
  14. likeasunburn

    likeasunburn Private E-2

    Yes, that's the only one I have, actually. The others (Symantec and Avast) were leftovers; the Symantec (which is Norton if I'm remembering right?) never worked correctly so I got my money back, deleted it (doh) and bought McAfee.

    I didn't realize Avast was antivirus, I thought it was just another one of those free scanners like Spybot, Adaware, etc.

    I'm going to start working on these things tonight but I might have to finish tomorrow.

    I shall! Don't worry, you'll be hearing from me again. :D
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'll be waiting!
     
  16. likeasunburn

    likeasunburn Private E-2

    Both Avast and Symantec weren't in there.

    It worked to step 4 then I got this:
    The automated task ran successfully.
    When ready, click Exit.


    They were already stopped, but I disabled the start-up types on all four.

    I got errors for the last three:
    Service 'Mail Scanner' was not found in the Registry.
    Make sure you entered the short name of the service., vbExclamation


    Alrighty. Log attached!
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Event Manager (if that is not found, look for the short name: ccEvtMgr)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Symantec Password Validation
    Symantec Settings Manager
    Norton AntiVirus Auto Protect Service
    SAVScan
    ScriptBlocking Service


    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    ccEvtMgr

    Now repeat the Delete NT Service steps for:
    ccPwdSvc
    ccSetMgr
    navapsvc
    SAVScan
    SBService
    Symantec Core LC

    If you receive any error messages (two of them probably will) just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot, run HijackThis and select any of the below lines that still exist and click Fix Checked

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab\
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    Now attach a new HJT log
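    The stop, disable and "Delete an NT Service" sequence that posts 13 and 17 walk through by hand in services.msc and HijackThis can be done in one pass from an elevated PowerShell (5.0 or later) on a newer Windows; this is an added example, not chaslang's instructions or a MajorGeeks tool, and it assumes the service short names quoted in this thread are the ones still present on the machine.

```powershell
# Added example: clean up leftover antivirus services whose uninstaller no longer works.
# Mirrors the thread's manual steps: stop the service, set Start-up Type to Disabled,
# then remove the service entry (what HijackThis' "Delete an NT Service" does).
# Run from an elevated PowerShell; short names are the ones quoted in the thread.
$leftoverServices = @(
    'aswUpdSv',          # Avast: iAVS4 Control Service
    'ccEvtMgr',          # Symantec Event Manager
    'ccPwdSvc',          # Symantec Password Validation
    'ccSetMgr',          # Symantec Settings Manager
    'navapsvc',          # Norton AntiVirus Auto Protect Service
    'SAVScan',
    'SBService',         # ScriptBlocking Service
    'Symantec Core LC'   # HJT showed no separate short name, so display name is the name
)

# Services the thread lists only by display name (Avast's Antivirus / Mail Scanner /
# Web Scanner) must be resolved to their short name first, or they are "not found".
foreach ($display in 'Antivirus', 'Mail Scanner', 'Web Scanner') {
    $match = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if ($match) { $leftoverServices += $match.Name }
}

foreach ($name in $leftoverServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Same situation as the thread's "Service ... was not found in the Registry".
        Write-Output "$name : not present, skipping"
        continue
    }
    # Step 1: stop it. A running service cannot be deleted cleanly.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    # Step 2: Start-up Type = Disabled so it cannot restart on the reboot.
    Set-Service -Name $name -StartupType Disabled
    # Step 3: delete the service entry. sc.exe marks it for deletion and the reboot
    # that HJT also asks for finalises the removal.
    & sc.exe delete "$name" | Out-Null
    Write-Output "$name : stopped, disabled and marked for deletion"
}

# Anything still listed here after the reboot still needs the manual HJT/O23 cleanup.
Get-Service | Where-Object { $leftoverServices -contains $_.Name } |
    Select-Object Name, Status, StartType
```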
     
  18. likeasunburn

    likeasunburn Private E-2

    Done, and attached.

    Can I delete the fixme.reg from my desktop?
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can delete that registry patch.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  20. likeasunburn

    likeasunburn Private E-2

    I'll do that! Thank you SO much for all your help. :)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
