Trojan....

Discussion in 'Malware Help (A Specialist Will Reply)' started by Amandalynn, Jan 29, 2006.

  1. Amandalynn

    Amandalynn Private First Class

    OK, I ran all these in the Kala account... I don't know what the administration password is and my roomie can't remember >.<
     

    Attached Files:

  2. Amandalynn

    Amandalynn Private First Class

    Hijackthis log
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It sure does not look like you ran CCleaner on this. Look at all the cookies and stuff in the Recycle Bin. CCleaner should have removed them. Did you run it?

    You must make sure the Recycle Bin is getting emptied. And while cookies are not always too big a deal, let's make sure they get cleaned too. So make sure CCleaner cleans them or do it manually yourself. Then check another Panda log and make sure it is clean.

    You did not attach the BitDefender log. You attached a summary which does not report where problems are found. It only gives names of problems. Follow the directions in step 6 and you will have a proper log (which is an html file changed to txt).

    You also need to empty C:\quarantine

    Which application does this belong to? (Probably Symantec/Norton). This is not a good way to install anything, since the quarantine has no program name associated with it this way. So empty quarantines for any tools on the PC.

    You NEED the Admin password. Notice how Ewido could not clean anything. The Admin password could still be just blank (meaning no password) if it was never set. Aren't any of the other accounts admin accounts? What about the first one we already cleaned? You can use it to change the privileges on the other accounts if necessary while cleaning.
     
    Last edited: Feb 4, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {D5ED90A7-2C30-5DE2-6039-796235BF19C2} - (no file)
    O4 - HKCU\..\Run: [Fdvhruxs] C:\WINDOWS\System32\?hkdsk.exe
    O4 - HKCU\..\Run: [Ncao] "C:\Program Files\nrpn\osoa.exe" -vt mt

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\nrpn <--- the whole folder
    C:\WINDOWS\System32\?hkdsk.exe <--- this is not chkdsk.exe. Sort the folder alphabetically and look for a chkdsk.exe which is not in alpha order. It will probably be much larger in size than the valid file too. The ? contains hidden non-valid characters making it look like chkdsk.exe.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  5. Amandalynn

    Amandalynn Private First Class

    I just checked them; they are all administrator so I am not sure about Ewido.

    Yeah I forgot CCLeaner.

    "Which application does this belong to? (Probably Symantec/Norton). This is not a good way to install anything, since the quarantine has no program name associated with it this way. So empty quarantines for any tools on the PC."

    Ok will do but not sure where most of them are located
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The main one is probably just Symantec/Norton.
     
  7. Amandalynn

    Amandalynn Private First Class

    hijack this log
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\?hkdsk.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {D5ED90A7-2C30-5DE2-6039-796235BF19C2} - (no file)
    O4 - HKCU\..\Run: [Fdvhruxs] C:\WINDOWS\System32\?hkdsk.exe
    O4 - HKCU\..\Run: [Ncao] "C:\Program Files\nrpn\osoa.exe" -vt mt
    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\nrpn <--- the whole folder
    C:\WINDOWS\System32\?hkdsk.exe <--- note that this is NOT chkdsk.exe. It looks like it is but it is not. There will be two files showing in your system32 folder that look like chkdsk.exe. One will not be in alphabetical order. That is the one you need to delete.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  9. Amandalynn

    Amandalynn Private First Class

    I can't find either of these >.<


    C:\Program Files\nrpn <--- the whole folder
    C:\WINDOWS\System32\?hkdsk.exe
     
  10. Amandalynn

    Amandalynn Private First Class

    argh can't get that pc connected to the internet
     
  11. Amandalynn

    Amandalynn Private First Class

    heres the log had to transfer it to another pc
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean you cannot connect to the internet?

    Is this a new problem? Nothing we did in the last procedure would have anything to do with your internet access.

    Please explain! Is the problem only for the Kala account?

    Your HJT log is clean now.
     
  13. Amandalynn

    Amandalynn Private First Class

    No I seriously think that its a router problem... I will do some more testing on it later today.

    Now before I proceed to 'tana's' account can I delete Kala and Amanda without deleting any of the programs that were installed while logged in on those accounts?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it is the router, how are you coming here now?

    Why do you want to delete the accounts that were already fixed? Deleting the accounts does not uninstall software, but if the software is the kind that only installs for the individual account loading it (and not all users), you will not have any access to the software.
     
  15. Amandalynn

    Amandalynn Private First Class

    when we have all four computers on for the last few weeks the last PC turned on won't connect to the net... not sure why...

    As for deleting the accounts they aren't really needed i was just going to create a link to the one thing that was installed on kala's account to tana's but wanted to make sure that the program itself wont get uninstalled if it was installed on kala...

    There were multiple account before everyone got their own pc
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may not have the allowable range for your DHCP server set up properly (to allow for enough IP addresses) or you may have set some PCs for static IPs rather than using DHCP. Using static IPs could cause a conflict with another PC if the DHCP server already assigned it.

    Do this before deleting the accounts.
     
  17. Amandalynn

    Amandalynn Private First Class

    they are all set to be automatic and i have an IP range of 100
     
  18. Amandalynn

    Amandalynn Private First Class

    as for the other part make the link first right?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Make sure things work like you want before you delete the accounts.
     
  20. Amandalynn

    Amandalynn Private First Class

    Woot ok kala and amanda's account successfully deleted all programs working.

    Ok here is the last account's logs.. let me know if it's the wrong BitDefender as I seem to have issues with saving that log.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\j?vaw.exe
    C:\PROGRA~1\COMMON~1\DOBE~1\taskmgr.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKCU\..\Run: [Eaovqnq] C:\WINDOWS\System32\j?vaw.exe
    O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\DOBE~1\taskmgr.exe" -vt ndrv

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\j?vaw.exe
    C:\Program Files\Common Files\DOBE~1\taskmgr.exe <-- I'm not exactly sure what DOBE~1 will expand into. But this does not belong here. Tell me the whole folder name and list any other files in it. We may want to delete the whole folder.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
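Added example (not part of any post in this thread, and not HijackThis code): the file-name tricks pointed out in posts 4, 8 and 21 (a file that HijackThis prints as ?hkdsk.exe or j?vaw.exe sitting beside the genuine chkdsk.exe, and a taskmgr.exe living under Common Files instead of System32) can be picked out of a directory listing mechanically. The listing below is constructed; the actual hidden characters in the thread's files are unknown, so a Cyrillic letter and a zero-width space stand in for them, and the sizes are invented.

```python
"""Audit a directory listing for file names that imitate trusted binaries.

Added example, not code from the thread or from HijackThis. The listing
below is constructed: the real hidden characters in the thread's
"?hkdsk.exe" and "j?vaw.exe" are unknown (HijackThis printed them as '?'),
so a Cyrillic letter and a zero-width space stand in for them, and every
size is made up.
"""
from typing import Iterable, List, Tuple

SYSTEM32 = "c:\\windows\\system32"
# Binaries that on a stock Windows XP box live only in System32
# (an assumption for this demo; adjust for the machine in front of you).
KNOWN_SYSTEM32 = {"chkdsk.exe", "taskmgr.exe"}
# Names worth matching on spelling alone, wherever they sit.
KNOWN_ANYWHERE = {"javaw.exe"}

Entry = Tuple[str, str, int]  # (folder, file name, size in bytes)

SAMPLE_LISTING: List[Entry] = [
    (SYSTEM32, "chkdsk.exe", 12_800),                # the genuine file
    (SYSTEM32, "\u0441hkdsk.exe", 212_992),          # Cyrillic 'es' in place of 'c'
    (SYSTEM32, "\u200bchkdsk.exe", 204_800),         # zero-width space prefix
    (SYSTEM32, "j\u0430vaw.exe", 188_416),           # Cyrillic 'a' in place of 'a'
    (SYSTEM32, "taskmgr.exe", 140_800),              # the genuine file
    ("c:\\program files\\common files\\\u0391dobe", "taskmgr.exe", 198_656),  # Greek Alpha
    ("c:\\program files\\common files\\adobe", "helper.dll", 1_024),
]


def render(name: str) -> str:
    """Show a name the way an ASCII-only tool such as HijackThis does:
    printable non-ASCII characters become '?', invisible ones
    (zero-width, control) simply vanish."""
    return "".join(
        (ch if ch.isascii() else "?") for ch in name if ch.isprintable()
    )


def matches(shown: str, known: str) -> bool:
    """Wildcard-compare a rendered name with a known name ('?' = any char)."""
    return len(shown) == len(known) and all(
        s in ("?", k) for s, k in zip(shown, known)
    )


def audit(listing: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (full path, reason) for every entry that deserves a look."""
    listing = list(listing)
    # Sizes of the genuine System32 files, for the 'probably much larger' hint.
    genuine = {n.lower(): s for f, n, s in listing
               if f.lower() == SYSTEM32 and render(n.lower()) == n.lower()}
    findings = []
    for folder, name, size in listing:
        low = name.lower()
        shown = render(low)
        path = folder + "\\" + name
        if shown != low:
            # The name contains characters a casual glance will not notice.
            hits = sorted(k for k in KNOWN_SYSTEM32 | KNOWN_ANYWHERE if matches(shown, k))
            if hits:
                real = genuine.get(hits[0], "unknown")
                findings.append((path, f"look-alike of {hits[0]} (displays as {shown!r}), "
                                       f"{size} bytes vs {real} for the genuine file"))
            else:
                findings.append((path, f"non-ASCII characters in name (displays as {shown!r})"))
        elif low in KNOWN_SYSTEM32 and folder.lower() != SYSTEM32:
            findings.append((path, f"{low} outside {SYSTEM32}"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_LISTING):
        print(path.encode("ascii", "backslashreplace").decode(), "->", reason)
```

render() reproduces exactly what the HijackThis lines in the thread showed, which is why a "?" in a Run entry is the first thing to look for; the wildcard match then ties the oddity back to the binary it is impersonating, and the size of the genuine file is reported alongside because the fake is usually noticeably larger.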
     
  22. Amandalynn

    Amandalynn Private First Class

    Ok:

    First few steps done. When I started up in safe mode i could not locate either of those files.

    C:\PROGRA~1\COMMON~1\DOBE~1\ is the same as
    C:\Program Files\Common Files\Αdobe

    Odd thing is that there are two of these, one with actual Adobe program stuff and the other empty.

    Then upon startup I got this from Microsoft AntiSpyware. I really hate the wording of that program as it is confusing if you don't read it carefully.. I blocked the taskmgr.exe then searched C: and all hidden files.... I hope that I didn't "Prevent" the taskmgr.exe from being removed from the start up file...:eek:

    Startup Registry Entry: StartUp taskmgr.exe taskmgr.exe

    Disabled date: 2/14/2006 5:13:59 PM

    Details: Startup Registry Entry deactivated

    Registry Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ncao = "C:\PROGRA~1\COMMON~1\DOBE~1\taskmgr.exe" -vt ndrv deactivated on


    SOOOOO yeah dunno if i did that right but i did it:confused:
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just complete the directions I gave you.

    But yes it is okay if MS AS removed the same registry entry I requested.

    I don't think that the DOBE~1 folder is the same as Adobe. Short names like DOBE~1 are abbreviations for longer names and the first few characters (typically the first 6) are the same as in the full name. For example:

    PROGRA~1 = Program Files
    COMMON~1 = Common Files
     
    Last edited: Feb 14, 2006
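Added example (not from any post in the thread): the short-name argument above, that PROGRA~1 and COMMON~1 keep the first six characters of the long name so DOBE~1 cannot simply be a folder called Adobe, can be checked by reproducing Windows' 8.3 generation rules. How Windows treats a non-ASCII first character is an assumption here (stated in the docstring), chosen to agree with what the thread later reveals about that folder.

```python
"""Reproduce how Windows derives an 8.3 short name, to judge whether a
short name such as DOBE~1 can belong to a folder really called Adobe.

Added example, not code from the thread. The rules follow Microsoft's
documented scheme (spaces and extra periods removed, characters illegal in
8.3 names replaced by '_', first six characters kept, '~N' appended; the
hashed names Windows switches to after a handful of collisions are not
modelled). Non-ASCII characters are dropped: that is an assumption chosen
to match the thread, where the folder shown as DOBE~1 turned out to start
with a non-Latin letter.
"""
import re
from typing import Optional, Set, Tuple

# Punctuation allowed in an 8.3 name besides ASCII letters and digits.
EXTRA_8DOT3 = set("!#$%&'()-@^_`{}~")


def _split(name: str) -> Tuple[str, str]:
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def is_valid_8dot3(name: str) -> bool:
    """A name that already fits 8.3 gets no generated short name at all."""
    stem, ext = _split(name)
    if not stem or len(stem) > 8 or len(ext) > 3:
        return False
    return all((c.isascii() and c.isalnum()) or c in EXTRA_8DOT3 for c in stem + ext)


def _clean(part: str) -> str:
    out = []
    for c in part:
        if not c.isascii() or c in " .":
            continue            # assumption: non-OEM chars dropped; spaces/periods removed
        if c.isalnum() or c in EXTRA_8DOT3:
            out.append(c.upper())
        else:
            out.append("_")     # e.g. '+', ',', ';', '=', '[', ']'
    return "".join(out)


def short_name(long_name: str, taken: Optional[Set[str]] = None) -> str:
    """The 8.3 form of long_name (a name that already fits 8.3 is its own
    short name). `taken` holds short names already used in the same folder,
    so ~N increments on a collision."""
    if is_valid_8dot3(long_name):
        return long_name.upper()
    taken = set() if taken is None else taken
    stem, ext = _split(long_name)
    stem, ext = _clean(stem)[:6], _clean(ext)[:3]
    n = 1
    while True:
        cand = f"{stem}~{n}" + (f".{ext}" if ext else "")
        if cand not in taken:
            taken.add(cand)
            return cand
        n += 1


def consistent(long_name: str, observed: str) -> bool:
    """Could `observed` (as seen in a Run key or a log) be long_name's short name?"""
    norm = lambda s: re.sub(r"~\d+", "~", s.upper())
    return norm(short_name(long_name)) == norm(observed)


if __name__ == "__main__":
    for folder in ("Program Files", "Common Files", "Adobe", "\u0391dobe", "HijackThis.exe"):
        print(ascii(folder), "->", short_name(folder))
    print("Adobe could show as DOBE~1:", consistent("Adobe", "DOBE~1"))
```

The point consistent() makes is the one in the post: a genuine folder named Adobe already fits 8.3, so Windows never generates a ~1 name for it at all, and a Run entry that expands through DOBE~1 must be reaching a differently named folder.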
  24. Amandalynn

    Amandalynn Private First Class

    when i typed in the dobe~1 thats the file/folder it brought up

    Like i said there were two of them one contained actual adobe stuff the other one contained another adobe folder

    C:\Program Files\Common Files\Αdobe\Αdobe


    all of which was empty
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean typed in? Are you searching for folders using Windows Search or are you using Windows Explorer to navigate to folders.

    Are you saying there are no files in any of the Adobe folders?
    Does anything from Adobe appear in Add/Remove programs (typically most people will have at least Adobe Reader so they can view PDF files.)

    You still have not completed the steps in msg # 71.
     
  26. Amandalynn

    Amandalynn Private First Class

    I open Windows Explorer and type in all but the application in the address bar.

    In the Common files folder i have TWO adobe folders.

    The first adobe folder contains all the adobe applications etc...

    The second Adobe folder contains NOTHING except for an additional Adobe folder that contains NOTHING

    Sooo

    Common File
    -----Adobe Folder
    --------adobe related files
    -----Adobe Folder
    --------Adobe folder
     
  27. Amandalynn

    Amandalynn Private First Class

    and I did complete message 71.. just forgot to say it. I reset web settings etc.. just couldn't find those files in safe mode
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot this too:
    Leave the Adobe folders alone. They are okay.
     
  29. Amandalynn

    Amandalynn Private First Class

    argh forgot lol here you go
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good now!

    If that was the last user account and if you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  31. Amandalynn

    Amandalynn Private First Class

    wosh! tytytytytyty lol

    as always you guys are the best help around!


    thanks much

    Amandalynn
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
