Safety Alerter 2006

Discussion in 'Malware Help (A Specialist Will Reply)' started by Skull6, Dec 4, 2006.

  1. Skull6

    Skull6 Private E-2

    My son was complaining of pop-ups recently. I went to check his computer last night & kept getting pop-ups even from the system tray. When I looked in his "Add/Remove Programs," there's an entry for "Safety Alerter 2006" which I cannot uninstall (it keeps asking me to re-start my computer, after which it's there again). NAV 2006 with recent updates doesn't find a thing...

    As it was late last night when I made this discovery & ran NAV to no avail, I simply shut down the computer & instructed him not to start it up until I can fix it. I'm at work right now, but plan on following your directions for cleaning malware off computers as soon as I return home.

    I was just wondering if there was some special removal tool/ procedure that I should use to get rid of this thing...
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Sadly, as malware rarely comes alone these days, one tool alone will generally not fix the problem. The best option is to run through the steps below, as they will clear up a lot of the junk; attach the requested logs and one of the malware guys will post some further manual instructions to clear up the rest.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Skull6

    Skull6 Private E-2

    Just wondering, as the directions don't answer my question.

    Will it "screw anything up" when I re-boot into "safe mode with networking" to run the online scans, after I've already run CCleaner, Spybot S&D & CounterSpy? Should I run them again after the re-boot & before the online scans?

    Also, as it was getting late when I ran CounterSpy last night, I let the computer run the scan & left it on all day--as I had to be at a very early meeting at work this morning. If I now return from work to grab the resultant log, will it have messed anything up such that I have to run it again?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run everything in the procedure in the exact order that they are given. Which means if you did not run the scans (again, in the order given) and in safe mode, then you need to run them again. The procedure was written exactly how we need it to be run. Follow it step by step. Do not skip. And do not jump around. Also don't scan until we request you to scan. Too many people are scanning when they download and install. The procedure specifically indicates to install, update, and configure but not to scan until later.

    When it finishes scanning you just need to Fix (don't ignore) everything it finds and then save the log as requested.
     
  5. Skull6

    Skull6 Private E-2

    Here are the first 3 files
     


  6. Skull6

    Skull6 Private E-2

    And the second set...

    I kept seeing a yellow pop-up window which said "Symantec Anti-virus is disabled."

    In the step where I was supposed to empty the "Norton Protected Files," the option to do so when I right-clicked the recycle bin wasn't present. (I must apologize--I didn't think to search for the protected bin on the drive until after I had run the Panda scan. I have since emptied it.)

    Spybot S&D found Desktopscam & Trojan downloader. Counterspy found Desktopscam & Trojan_downloader.zlob.media-codec.

    Bitdefender found 8 instances of Trojan.zlob.By & 1 instance of Trojan.Muldrop.1326.AA

    Pandascan found 100 bad things.

    I noticed that when I re-started into normal mode after running Pandascan, the system took much longer than normal to stabilize. Also, things ran slower than normal after stabilization.

    Other than the fact that I had to allow many of the scans to run overnight, & hence had to leave the computer on all the next day until I returned home from work, the entries above were the only things of note in the process--most ran very smoothly. & yes, I have followed the directions to the letter (except for emptying the NProtect folder). It's just that I was concerned as to the length of time that I had to put between the steps in the directions due to leaving the computer on for extended periods of time.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First go to Add/Remove programs and uninstall CounterSpy since we don't need it anymore.
    Also uninstall the below old versions of software:
    Mozilla Firefox (1.5.0.3)

    Then install the current version of Firefox from: Mozilla Firefox

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)

    After clicking Fix, exit HJT.

    Now attach a new HJT log.

    Make sure you tell me how things are working now!
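    The three entries above all end in "(no file)": the registry still references a CLSID, but the DLL it pointed at is gone, which is why they are safe to have HJT Fix. The following is an added example, not code from the original post or from HijackThis, that parses O2/O3/O4 lines in this format and flags the orphaned ones. The three O2/O3 lines are the ones quoted in the post; the "Example Helper" BHO and its path are hypothetical, added only to show an entry that should not be flagged.

```python
"""Parse HijackThis (HJT) log lines and flag orphaned O2/O3 entries.

Added example for this thread; it is not code from the original post or
from HijackThis.  The three O2/O3 lines are the ones quoted in the post
above; the remaining sample lines are constructed (hypothetical names and
paths) to show entries that should NOT be flagged.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (see module docstring for provenance).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
"""


@dataclass
class HjtEntry:
    section: str             # "O2", "O3" or "O4"
    name: str                # display name; "(no name)" when the registry value is blank
    clsid: Optional[str]     # {GUID} for O2/O3 (upper-cased), None for O4
    path: Optional[str]      # file backing the entry, None when HJT reports "(no file)"
    orphaned: bool           # registry entry whose file is gone


# O2/O3: "<section> - <kind>: <name> - {CLSID} - <path | (no file)>"
BHO_RE = re.compile(r"^(O[23]) - [^:]+: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4 Run key: '<section> - <hive>\..\Run: [<name>] "<path>" <args>' or an unquoted path
RUN_RE = re.compile(r"^(O4) - .*\\Run: \[(.*?)\] (?:\"([^\"]+)\"|(\S+))")
# O4 startup folder: "O4 - Global Startup: <shortcut>.lnk = <path>"
STARTUP_RE = re.compile(r"^(O4) - (?:Global |)Startup: (.*?) = (.*)$")


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for a recognised O2/O3/O4 line, else None."""
    line = line.rstrip()
    m = BHO_RE.match(line)
    if m:
        section, name, clsid, target = m.groups()
        missing = target.strip() == "(no file)"
        return HjtEntry(section, name, clsid.upper(), None if missing else target, missing)
    m = RUN_RE.match(line)
    if m:
        section, name, quoted, bare = m.groups()
        return HjtEntry(section, name, None, quoted or bare, False)
    m = STARTUP_RE.match(line)
    if m:
        section, name, target = m.groups()
        return HjtEntry(section, name, None, target, False)
    return None


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def orphaned_clsids(entries: List[HjtEntry]) -> List[str]:
    """CLSIDs of O2/O3 entries whose DLL is gone.  The registry key points
    at nothing, so having HJT Fix it removes clutter and cannot break a
    working add-on."""
    return [e.clsid for e in entries if e.orphaned and e.clsid]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = "ORPHANED" if e.orphaned else "ok"
        print(f"{e.section:3} {flag:8} {e.name!r:20} {e.clsid or ''} {e.path or ''}")
```

    Note that an O2/O3 entry with a real path is not automatically clean; the parser only separates "points at nothing" from "points at a file", and the file itself still has to be judged.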
     
  8. Skull6

    Skull6 Private E-2

    Computer startup was still slower than it has been in the past, but not near as slow as last night.

    Immediately after startup, a Windows error message popped up, informing me that SymSPort.exe had encountered a problem & needed to close. (I clicked on the “Don’t send” button.)

    Right after that, 3 separate Symantec Client Firewall messages popped up, saying that a remote system was attempting to access my computer. All three had a protocol of UDP (inbound) & an IP of 192.168.1.101 (which I don’t recognize as one of my home network IPs), but each had a separate port—1030, 1034, or 64—in that order.

    Following your latest instructions:

    Uninstallation of Counterspy & the older Firefox went OK. When I went to the Program Files folder to make sure there were no remnants or old directories of either in it, I noticed that there were 2 folders, “found.000” & “found.001” in my C:\. They were both hidden & read-only, & I didn’t recognize them, but did nothing with them.

    After running your fixes in HJT, I went to the Program Files folder again, to make sure that the log had saved properly. I noticed at that point that both “found.00*” folders were still there, but they were no longer hidden. I still did nothing with them.

    I restarted the computer, seeing the same Symantec message the second time. If nothing else, I will uninstall & reinstall the Symantec package after you give the all-clear for my current malware problem.

    The new HJT log is attached. I appreciate the help. Computer seems to be working fine, with the exception of the disabled Symantec service. Attempting to restart the service before restart did not correct the problem, nor did restarting the computer a third time. But the exact same Symantec messages occurred at the third startup as well.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your main problem with speed may be due to the Symantec software you are running. Since it seems to have at least one component broken anyway, I suggest a test.

    - Disconnect your connection (unplug cable) to the internet
    - uninstall ALL Symantec software
    - see how your PC boots up now
    - reinstall Symantec
    - how does it boot up now & is the error message about SymSport.exe gone?


    Who set this up to run: C:\WINDOWS\System32\tcpsvcs.exe

    It is a valid application but it is not normally running. What are you using that requires this?

    Are you sure that 192.168.1.101 is not part of your network? Click Start, Run and enter this ipconfig /all > c:\network.txt and click OK. Attach the c:\network.txt file here.

    Did you install support for TCP/IP Version 6? http://www.microsoft.com/technet/network/ipv6/default.mspx


    > I noticed that there were 2 folders, “found.000” & “found.001” in my C:\. They were both hidden & read-only, & I didn’t recognize them, but did nothing with them.

    They are from chkdsk or scandisk being run. You can delete them if desired.


    If you want to improve startup performance, you can have HJT fix the below non-malware items. They are just not needed and removing them will not only improve startup but will improve overall performance by freeing up resources:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     
    Last edited: Dec 7, 2006
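    The question about 192.168.1.101 comes down to whether that address falls inside the subnet shown in network.txt. The following is an added example, not code from the thread or from any Symantec or Microsoft tool, that parses the "IP Address"/"Subnet Mask" pairs written by ipconfig /all and classifies the firewall's reported peer. The ipconfig text and the host address 192.168.1.100 are constructed for the example (the real network.txt is not on the page); the three alerts are the ones reported in the post above.

```python
"""Triage firewall alerts against the host's own subnet.

Added example for this thread (not code from the original post or from
any Symantec tool).  It parses the "IP Address"/"Subnet Mask" pairs that
'ipconfig /all > c:\\network.txt' writes and checks whether the peer the
firewall reported, 192.168.1.101, lies on the same LAN.  The ipconfig text
below is constructed; the thread's real network.txt is not on the page.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of XP-style 'ipconfig /all' output (assumed values).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : sons-pc

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.invalid
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# The three alerts as the post reports them: (protocol, direction, remote IP, local port)
SAMPLE_ALERTS = [
    ("UDP", "inbound", "192.168.1.101", 1030),
    ("UDP", "inbound", "192.168.1.101", 1034),
    ("UDP", "inbound", "192.168.1.101", 64),
]

# "IP Address" (XP) or "IPv4 Address" (Vista and later, may carry "(Preferred)")
ADDR_RE = re.compile(r"IP(?:v4)? Address[ .]*: ([0-9.]+)")
MASK_RE = re.compile(r"Subnet Mask[ .]*: ([0-9.]+)")


def local_interfaces(ipconfig_text: str) -> List[ipaddress.IPv4Interface]:
    """Pair each IP Address line with the Subnet Mask line that follows it."""
    interfaces, pending = [], None
    for line in ipconfig_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = MASK_RE.search(line)
        if m and pending:
            interfaces.append(ipaddress.IPv4Interface(f"{pending}/{m.group(1)}"))
            pending = None
    return interfaces


def classify_peer(peer: str, interfaces: List[ipaddress.IPv4Interface]) -> str:
    ip = ipaddress.IPv4Address(peer)
    if any(ip in iface.network for iface in interfaces):
        return "same-subnet"         # a neighbour on this LAN (or this host itself)
    if ip.is_private:
        return "private-off-subnet"  # RFC 1918 but not our LAN: another segment, VPN, or a misconfiguration
    return "public"                  # routable address: genuinely from outside


def is_xp_ephemeral(port: int) -> bool:
    # Windows XP hands out dynamic source ports from 1025-5000.  Inbound UDP to
    # such a port is commonly the reply to a query this host sent out, though the
    # alert alone cannot prove that; it just means "not a listening service port".
    return 1025 <= port <= 5000


def triage(alerts, interfaces: List[ipaddress.IPv4Interface]) -> List[Dict[str, object]]:
    return [
        {
            "remote": remote,
            "port": port,
            "peer": classify_peer(remote, interfaces),
            "looks_like_reply": proto == "UDP" and direction == "inbound" and is_xp_ephemeral(port),
        }
        for proto, direction, remote, port in alerts
    ]


if __name__ == "__main__":
    ifaces = local_interfaces(SAMPLE_IPCONFIG)
    print("local networks:", [str(i.network) for i in ifaces])
    for row in triage(SAMPLE_ALERTS, ifaces):
        print(row)
```

    With the constructed 192.168.1.100/24 host, 192.168.1.101 is classified as a neighbour on the same LAN, which is the case where the router's DHCP table (or the other machines' own ipconfig output) identifies the device. A private address that is off-subnet, or a public one, is the case worth investigating further.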
  10. Skull6

    Skull6 Private E-2

    I have successfully uninstalled, rebooted & reinstalled the Norton product. Doing so fixed the SymSport.exe problem, & also sped up the system boot time some.


    > Who set this up to run: C:\WINDOWS\System32\tcpsvcs.exe

    I myself did not. The only person that I think could have done it would be the ISP techie that was sent out to originally hook my computers up on the home network when we switched to cable. Are there settings that I should change?

    > It is a valid application but it is not normally running. What are you using that requires this?

    I have no idea. How would I discover which software package is using it?

    > Are you sure that 192.168.1.101 is not part of your network?

    Evidently my router settings have changed. We had some power outages/ surges this fall, & maybe they were the culprit. I’ll reset them as soon as I find my directions to do so. “Network.txt” is attached.

    > Did you install support for TCP/IP Version 6?

    I can’t recall ever doing so. Again, the only person I can think of who might have done so would have been that ISP techie.

    > They are from chkdsk or scandisk being run. You can delete them if desired.

    I went ahead & deleted the 2 “found.00*” directories.

    > If you want to improve startup performance, you can have HJT fix the below non-malware items.

    I also had HJT fix the 4 lines you suggested.

    I have rebooted the system, updated the new install of Norton & am running a full system scan on my son’s computer as I type this on mine. Everything seems to be working fine, except that when I open any MS Office product, I get a “Windows Installer” box that pops up, seeming to install something but not naming what it’s installing. After about 30 seconds to a minute, it goes away. But if I open that same Office product (Word in this case), the installer box pops right back up.

    I thought to run an HJT log for attachment again, but the Norton scan will take a while. I can attach a new one if you wish after the scan is complete. I will also be running Windows Update again after the scan, to see if it can fix the “Windows Installer” issue. I will let you know if that works as well.

    Thanks so much for your help. It’s taken a wee bit longer than a re-format might have, but I don’t have to go digging out all the original install disks, copying files that I would always worry about being infected onto another machine, I don’t have to re-do any “options” & besides, I’ve learned much from your assistance.

    P.S. I now have my son’s computer “locked down,” such that there are only specific websites he may visit, only certain “friends” he may receive email from, & only certain things he can run on it. I really owe you a debt of gratitude, Chas. I wish I could find your snail mail address, to add you to my Christmas card list!
     


  11. Skull6

    Skull6 Private E-2

    UPDATE: The AV scan came up clean, & Windows is totally updated. System seems to be running stable, but I still have that pesky "Windows Installer" that pops up almost every time I try to run anything Windows/Office related. Firefox opens fine for me, though.

    I'm thinking it might be a problem with NIS 2007. I'm reading where folks have had issues with some of its automated scans similar to this one.

    Thanks again. If you know of any way I can get rid of that Windows Installer box every time I try to do something, I sure would like to know. Also, are there any setting changes pertaining to tcpsvcs.exe or TCP/IP Version 6 I should concern myself with?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing to change as far as I see. It is just a typical network setting.

    For your Windows Installer problems, I recommend two things:
    1. Uninstall Norton and see if you can get things resolved
    2. If uninstalling Norton does not help, post a message in the Software Forum. This is not a malware problem.
    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  13. Skull6

    Skull6 Private E-2

    Thanks much, Chas!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
