Please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bashy, Jan 11, 2007.

  1. Bashy

    Bashy Private E-2

    I've followed the directions on the READ & RUN ME FIRST pages. I am attaching the logs. I have no clue what is wrong.

    I could not run CounterSpy. I ran all the other suggested programs.

    The first three files are attached to this thread.
     

    Attached Files:

  2. Bashy

    Bashy Private E-2

    Second set of logs

    I hope I'm doing this right. . . I appreciate any help you could offer. I'm not sure if I have a virus, or a software issue or what.

    I cannot get online in normal boot mode. I can only get on via safe mode. My task bar is white, instead of blue and my computer is very slow.
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I see nothing in any of your logs that would suggest this is Malware.

    What have you installed recently?
     
  4. Bashy

    Bashy Private E-2

    I didn't install anything I can remember. Other than the programs needed to check for malware.

    I had the Geek Squad from Best Buy out here on the 26th of December to help get the wireless network set up. Everything worked great for the next couple of weeks. Then on the 7th of January, I shut the computer down before I went to bed, woke up on the 8th and had the taskbar looking funky, very slow loading, and I mean very slow, and couldn't get online.

    I spoke with the fellah from Geek Squad and he had me try a few things that didn't work and then suggested I do a recovery. He also said it *could* be a hard drive issue.

    One more thing, in safe mode with networking, I can get online. I cannot in regular mode. Also, when I go into normal boot mode the computer fan runs continuously.

    What do you suggest? I really appreciate your help.
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Going back over your logs, I missed something earlier.

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Follow the directions for Using Sophos Anti-Rootkit
     
  6. Bashy

    Bashy Private E-2

    Ran both of those. I did not receive a message when running Killbox.

    Ran Sophosrootkit thing and the log is attached.

    Thank you so much for your help. I hope we are on our way to fixing this issue.
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run the Sophos Anti-Rootkit in Normal Mode from an account with Administrator Rights.
     
  8. Bashy

    Bashy Private E-2

    I know this is a dumb question. . . I don't know how to do that. I am the "user" on this computer. In safe mode, I see an "administrator" but I don't have that option in normal mode.
     
  9. Bashy

    Bashy Private E-2

    Thanks, once again, for the help.

    Okay, rebooted and ran the sophos thing again.

    Got a different error this time.

    Log attached
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, Sophos Anti-RootKit is having problems running.

    Run AVG Anti-Rootkit and attach the log!
     
  11. Bashy

    Bashy Private E-2

    I don't find a log, but at the end of running the program, it said, "no rootkits found".
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK,

    Follow the directions for Running Hoster

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  13. Bashy

    Bashy Private E-2

    Ran Hoster with no problems as far as I can tell.

    Logs attached.
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Netscape is an out-dated browser and can leave your system vulnerable to attack.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  15. Bashy

    Bashy Private E-2

    Ok, did that.

    I did not get the pending message when running killbox, but did get a "verifying" type message, it did reboot on its own.

    New logs attached. Again, I cannot thank you enough for your help.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The logs have to be from "Normal Mode".

    Post fresh logs from Normal Mode
     
  17. Bashy

    Bashy Private E-2

    Sorry 'bout that. Normal mode is still mucked up so I've been avoiding it unless I have to be there.

    Fresh logs from "normal" mode are attached.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs look pretty good.

    What problems are you still having?
     
  19. Bashy

    Bashy Private E-2

    The computer is still very slow in normal boot mode. I can get on the internet now from normal mode, which is an improvement. The task bar is still white, which I don't have a problem with, but it's different than before. I will boot into normal mode and see if I can hear music.
     
  20. Bashy

    Bashy Private E-2

    I cannot get online anymore in normal mode. I can't listen to iTunes or songs at all in either safe or normal mode. I get this message:

    iTunes has detected a problem with your audio configuration. Audio/Video playback may not operate properly.

    As I mentioned before, the computer is very slow in normal mode. Okay, in safe mode.
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, run through the Read Me First again. Give me all new logs when you are finished.
     
  22. Bashy

    Bashy Private E-2

    Okay, I'm happy to do that. One quick question first.

    I am trying to delete Nvidia drivers. Honestly, I don't know where it came from. I don't remember it being on my task bar before all this started. I deleted the driver on add/remove programs, but it keeps coming back. This may be a really stupid thing I'm doing, but what the heck is it and do I need it and can it be causing this problem?
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The startup for Nvidia will show in the HijackThis log and GetRunKey. We'll deal with it as part of any fix I post after I look at your logs.
     
  24. Bashy

    Bashy Private E-2

    Okay, went through the READ & RUN ME FIRST stuff again.

    Logs attached. My internet connection is spotty in normal mode still. Sometimes it works, sometimes not. The fan seems to continually be running in normal mode, but not safe mode.
     

    Attached Files:

  25. Bashy

    Bashy Private E-2

    Rest of the logs are attached. Thanks a million for your help.
     

    Attached Files:

  26. Bashy

    Bashy Private E-2

    Also, just so I can give you more info, it takes several minutes for OE to come up when I open it. It's taking several minutes for the computer to boot UP and DOWN.
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall Counter Spy, we're done with this anyway.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to NVIDIA Display Driver Service or NVSvc (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    NVIDIA Display Driver Service or NVSvc (Whichever you found above)

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Click on the "Back" Button

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.


    Norton appears to be broken; it may need to be reinstalled. First uninstall all Norton processes using Add or Remove Programs, reboot and install.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  28. Bashy

    Bashy Private E-2

    Okay, I did what I could with those instructions. When trying to Kill Process while using HJT on C:/Windows/system32/nvsvc32.exe I ran into trouble because I could not find that file. I also ran into trouble putting a check next to the O23 service because it wasn't there either.

    I did not get the PendingFileRenameOperations prompt when running Pocket Killbox.

    I could not uninstall Norton because I get an error message saying there are authentication problems.

    Thanks again for your continued help. New logs attached.

    Oh, and after doing the recommended steps, I could no longer access the internet in normal mode, which is prolly why I could not be authenticated for uninstalling Norton, maybe? The computer is still very slow. Sometimes sounds works, sometimes not.
     

    Attached Files:

  29. Bashy

    Bashy Private E-2

  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Before continuing with any fixes, follow the instructions from Norton. Their instructions are pretty good at fixing problems with Norton. Let's see if that fixes your connection issues in Normal Mode.

    Your logs look pretty good, there are a couple of issues and questions I want to address; but let's get the connectivity issues fixed first. I'm fairly certain that Norton is at the heart of the problems.
     
  31. Bashy

    Bashy Private E-2

    I ran that Symantec fix and I still cannot uninstall Norton.
     
  32. Bashy

    Bashy Private E-2

    I've attached the "log" I get when running that Symantec fix. Thanks again for your help.
     

    Attached Files:

  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  34. Bashy

    Bashy Private E-2

    That did the trick. It's gone. Computer still booted up slowly, but I am online in "normal" mode. I've been able to do that sometimes, sometimes not.

    Thanks again. What's next? I don't want Norton back. I would rather get a different product.
     
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a fresh HijackThis log. Don't surf around while you have no AV installed. Let me make sure there is nothing else, before I recommend a new AV.
     
  36. Bashy

    Bashy Private E-2

    Lost internet connection in normal mode after about five minutes or so. Just wanted to keep you updated.
     
  37. Bashy

    Bashy Private E-2

    HJT log attached. I ran it in normal mode but am posting it in safe mode. I can only get online in safe mode now. Is it okay for me to keep this page up without an AV program?
     

    Attached Files:

  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Dr. Watson is running, which means there is something wrong with the OS.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Symantec Core LC ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':
    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  39. Bashy

    Bashy Private E-2

    Symantec Core LC was already stopped. I disabled it as directed. Could not delete an NT service because it wasn't there. Also could not do the Process part because the file was not there. Could not place a check next to O23 cause it's not there. Did not get PENDING FILE RENAME issue.

    Ran new HJT, Shownew and Getrun in normal mode, then rebooted into safe mode so I can post. Logs attached.
     

    Attached Files:

  40. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  41. Bashy

    Bashy Private E-2

    New logs attached. I did get the pending file rename message this time.
     

    Attached Files:

  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Download
    - ExplorerXP

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  43. Bashy

    Bashy Private E-2

    I need help on how to navigate to the thing you want me to delete. When I open that ExplorerXP, it's only giving me installation options.
     
  44. Bashy

    Bashy Private E-2

    I'm thinking you want me to install that Explorer XP then navigate to the file and delete it. Is that what you want me to do? I'm sorry, I'm not trying to be thick, just trying not to mess up.
     
  45. Bashy

    Bashy Private E-2

    I get what you wanted me to do now. rolleyes at myself.

    New logs coming in a sec. I'm booting into normal mode now.
     
  46. Bashy

    Bashy Private E-2

    New logs. Still cannot get online in normal mode.
     

    Attached Files:

  47. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are clean.

    Do the following:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
    I recommend installing AVG Free as the AV.

    It looks like a repair install is in order here.
     
  48. Bashy

    Bashy Private E-2

    I can't run through the "How to Protect. . . " because I cannot get access to the internet in normal mode. When I try to update windows I get an error message

    [Error number: 0x8007043C]
    The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
     
  49. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, sounds like you are still having problems with the Cryptographic services.

    Start -> Run
    type services.msc
    Click 'OK'

    A list of Windows Services should now appear on your screen, scroll down the list until you find Cryptographic Services. Right click this and select properties. Now ensure that the startup type is set to automatic and click the start button in that window if the service status is stopped.
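The same checks the helper walks through by hand in this thread (is a service present, running, set to Automatic, and does its binary still exist on disk) can be done in one pass from PowerShell; this is an added example, not code from the thread or from any tool it mentions. It assumes PowerShell 3 or later and uses the service names the thread refers to; the Windows Update error 0x8007043C quoted above is Win32 error 1084 (ERROR_NOT_SAFEBOOT_SERVICE), the code Windows Update returns when run from Safe Mode, so the script also reports the boot mode.

```powershell
# Added example (not from the thread): report state, start mode and on-disk
# binary for the services discussed above, and whether Windows is in Safe Mode.
# Assumes PowerShell 3+ (Get-CimInstance). Names below are the ones used in the thread.
$ServiceNames = @('CryptSvc', 'Cryptographic Services', 'NVSvc',
                  'NVIDIA Display Driver Service', 'Symantec Core LC')

function Get-ServiceReport {
    param([string[]]$Names)
    $all = Get-CimInstance -ClassName Win32_Service
    foreach ($n in $Names) {
        # Match on either the short service name or the display name.
        $hits = $all | Where-Object { $_.Name -eq $n -or $_.DisplayName -eq $n }
        if (-not $hits) {
            [pscustomobject]@{ Query = $n; Name = $null; Present = $false; State = $null
                               StartMode = $null; BinaryExists = $null; Binary = $null }
            continue
        }
        foreach ($s in $hits) {
            # PathName may be quoted and carry arguments; keep only the executable.
            $exe = $s.PathName
            if ($exe -match '^"?([^"]*?\.exe)') { $exe = $Matches[1] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Query = $n; Name = $s.Name; Present = $true; State = $s.State
                StartMode = $s.StartMode; BinaryExists = (Test-Path -LiteralPath $exe); Binary = $exe
            }
        }
    }
}

function Get-BootMode {
    # This registry key exists only while Windows is booted into Safe Mode;
    # OptionValue 2 is "Safe Mode with Networking", 1 is plain Safe Mode.
    $opt = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' `
                            -ErrorAction SilentlyContinue
    if (-not $opt) { return 'Normal' }
    if ($opt.OptionValue -eq 2) { return 'Safe Mode with Networking' }
    return 'Safe Mode'
}

$report = Get-ServiceReport -Names $ServiceNames
$report | Format-Table Query, Name, Present, State, StartMode, BinaryExists -AutoSize
"Boot mode: $(Get-BootMode)  (Windows Update fails with 0x8007043C in Safe Mode)"

# A service entry whose binary is gone is the situation seen in this thread:
# HJT and Killbox could not find nvsvc32.exe, yet the service was still listed.
$report | Where-Object { $_.Present -and -not $_.BinaryExists } |
    ForEach-Object { "Orphaned service entry: $($_.Name) -> $($_.Binary)" }

# Cryptographic Services must be Running and Auto for Windows Update to work.
$report | Where-Object { $_.Name -eq 'CryptSvc' -and
                         ($_.State -ne 'Running' -or $_.StartMode -ne 'Auto') } |
    ForEach-Object { "Cryptographic Services needs attention: State=$($_.State) StartMode=$($_.StartMode)" }
```

Run it from an elevated prompt in Normal Mode first and then in Safe Mode with Networking to compare; a service shown as Running in one and absent in the other is the kind of difference the helper was looking for in the logs.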
     
  50. Bashy

    Bashy Private E-2

    Cryptographic services was started and it was already set to automatic.
     
