Asked by configreq
http://go.microsoft.com/fwlink/?LinkId=69157 redirects to www.msn.com
I can't change the homepage for IE7; it keeps redirecting to www.msn.com.

Recently installed IE7 on an XP Pro SP2 laptop which was cleaned of 120-plus spyware, malware, adware, trojans, and viruses. Cleaned with numerous tools. Tools used: Norton Antivirus removal, Norton Antivirus, AVG Antivirus, AVG Spyware Removal, Webroot Spyware Removal, Registry Mechanic, MRUBlaster, and pick and delete through folders and registry. Owner didn't have original OS disks, or App disks.

Cannot stop the IE homepage from being www.msn.com. First in Inet Options I change to www.google.com or anything else, and it redirects to www.msn.com with the following link: http://go.microsoft.com/fwlink/?LinkId=69157

When I try to search for this in the registry, the CPU heats up and kicks into overdrive, the fan can't keep it cool enough, and it shuts off. I cooled it enough with an ice block and fan...don't laugh. I got to view the search of the registry, but nothing was found with this key. I still can't get through a full search for www.msn.com in the registry without it shutting off.

This may be just a prank left over from all of the mess that was removed from this box. Or it may be as destructive as phishing. At any rate, do you have any idea how to stop it?

Adware.PurityScan, 2o7.net cookie, atlas dmt cookie, remain after all the cleaning. The ugliest path that keeps getting checked, but doesn't seem to exist in Windows or DOS mode, is C:\Program Files\Common Files\?icrosoft.NET.tracer t (part of the My Doom Trojan Horse Downloader.Generic3.CVH). Generic2.CVH was in User\Local Settings\Temporary Internet Files\Content.IE5\57TONLD\ lupdate-42 95(1).0000 . There are many more; like I said, 120 at least. I know I should reinstall the OS (but I don't have it), nor do I want to go through all of the User apps.
Also, if regedit acts weird, you can also try Tuneup Utilities (http://tuneup.swmirror.com/TU2007TrialEN.exe). It has its own customized version of regedit. Also, use the registry cleaner once you've sorted everything out and your computer is clean of virus/spyware/adware.
Does he use a firewall?
Also check your hosts file (C:\WINDOWS\system32\drivers\etc\hosts)
Either Norton or Spysweeper is blocking the change. My money is on Spysweeper. Disable Spysweeper and you will notice that the change takes. Then go into Spysweeper and go through the options until you find home page protection and you will see where you can have it allow you to change the page when you need to.
ASKER
Thank you for all your suggestions. I am trying multiple solutions. I will keep you posted.
1. I do not have hijackthis yet; couldn't easily find--will though
2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main did have the http://go.microsoft.com/fwlink/?LinkId=69157 link; however, once changed and changed in Inet Opts, changed back (even w/firewalls stopped). HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main did not.
3. I have not tried (http://tuneup.swmirror.com/TU2007TrialEN.exe) yet;
4. Yes, he does use a firewall; however, tried stopping -- no avail
5. C:\WINDOWS\system32\drivers\etc\hosts was default -- no avail
6. Neither Norton nor Spysweeper was blocking the change -- no avail
7. Will not use http://www.outerinfo.com/OiUninstaller.exe; contains Adware.MediaTicket
8. Still have not gotten hijackthis; plan to upload the edited (protect user) log for review.
9. Running http://www.superantispyware.com/ now; 9 threats found so far, including Yassle.
I have approx 20 pages of writeup to do. This was a very unusual box. I will post the write up here. Here is what I have so far:
February 9, 2007
User complaint: Cannot view web. Laptop connects, but unable to view. Numerous errors pop up.
____________________
Checked SSL, TLS settings - good
_____________
Used Cingular Communications Manager – Showed full bars/full connection
____________________
ipconfig –all – showed no connection media, IP 0.0.0.0
____________________
Errors upon bootup:
NT On – Access Scanner Service
szAppName: szAppVer: 0.0.0.0 szModName:Kernel32.dll
szModVer:5.1.2600.1106 offset 00013887
Symantec Email Proxy
TCP/IP is disabled. Disable email scanning in your Symantec product options or install TCP/IP 1003,3
http://www.symantec.com/techsupport/servlet/ProductMessages?module=1003&error=3&lanuage=English&product=CC&version=104.0.1.17
_________________________
Microsoft Visual C++ Runtime Library
Runtime Error!
Program C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.....more to follow :o)
ASKER
Dell Inspiron 5100
Pentium 4
CPU 2.8 GHz
512MB RAM
__________________________ __________ _________
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 2/9/2007
Time: 6:08:39 PM
User: S-1-5-21-204266967-2096854778-2472988758-1005
Computer: HOSTNAME
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________ __________ _________
Event Type: Error
Event Source: SENS
Event Category: None
Event ID: 0
Date: 2/9/2007
Time: 7:36:53 PM
User: N/A
Computer: HOSTNAME
Description:
The description for Event ID ( 0 ) in Source ( SENS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.
, ServiceStart(): SensInitialize() failed.
__________________________ __________ _________
Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 5051
Date: 2/9/2007
Time: 7:43:56 PM
User: NT AUTHORITY\SYSTEM
Computer: DRTOM
Description:
The description for Event ID ( 5051 ) in Source ( McLogEvent ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: c:\PROGRA~1\mcafee.com\vso\mcshield.exe, 201608, 808 (0x328), 0x7ffe0304,
Build Sep 8 2001 15:13:39 / 8.52
Object being scanned = \Device\HarddiskVolume2\Documents and Settings\UserName\Local Settings\desktop.ini ( @ 7025 (7024,7019,7011,93))
__________________________ __________ _________
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 2/9/2007
Time: 7:44:00 PM
User: N/A
Computer: HOSTNAME
Description:
Faulting application , version 0.0.0.0, faulting module KERNEL32.DLL, version 5.1.2600.1106, fault address 0x00013887.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________ __________ _________
ASKER
rpggamergirl. Now how can you possibly say that I don't trust your advice, I'm happy to have your advice and I've been using the tools you provided for the last 4 hours. No doubt you know what you are talking about! As for Purityscan -- it's definitely part of the problem: both Yazzle and Cowabanga. Just had to pick what to use first. You can look at the hijack log in that you provided me an excellent link. And I certainly thank you for http://www.superantispyware.com; I was amazed to still see 19 items left. What was even more amazing was when it started cleaning, and it kept trying to install itself into the Restore partitions. I ran two different Antispyware and Antivirus tools on two different computers for the http://www.outerinfo.com/OiUninstaller.exe and came up with the same results: MediaTicket; there are many false positives, I'm sure this must be one. Thanks for everything, but I still need your help.
ASKER
February 9, 2007
Ok, guys and gals. This has become an obsession and I need to get rid of this box! I have this one final thing to fix and the output of hijackthis is at the bottom of this post. I have run the latest http://www.superantispyware.com. I have changed HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main to reflect www.dogpile.com. I have disabled: Norton Antivirus, Spysweeper, Superantispy, engaged the wireless modem, brought up IE7, and it still throws the redirect up. Maybe I'm just tired and not seeing something.
_______________________
Tools used:
WinsockxpFix.exe
Norton_Removal_Tool
20070215-033-x86 NAV defs forced
Norton SystemWorks 2006
avg75free_441a944.exe
avgas-setup-7.5.0.50
CheckIt
cports.zip from nirsoft.net
xp_exe_fix.zip
Helix fprot antivirus
IE7-WindowsXP-x86-enu.exe
Webroot SpySweeper
mrublastersetup.exe
regscanner from nirsoft.net
spywareblastersetup351.exe
myuninst.zip
Registry Mechanic
SuperAntiSpyware.exe
alternativ hijackthis
__________________________ _________-
Found throughout:
Trojan LuckBar888
Adware Softomate
Adware Click Spring
Adware Drive Clean
Trojan Dropper.Dollar
PurityScan
Webhancer
SaveNow
Not-A-Virus
Adware New Dot Net
Trojan Downloader
Trojan Dropper.Small
Adware Why PPC
Tracking Cookie Clickbank
Tracking Cookie TribalFusion
Tracking Cookie Findwhat
Adware Media Ticket
Adware Command
Adware Maxfiles
__________________________ _______
User liked viewing porn sites
User did not keep service packs and hot fixes up to date
User accepted that Norton Antivirus had stopped working
User had no firewall
User had no Anti Spyware
_________________________-
Best guess: user viewed particular porn site
Picked up Webhancer
Opened vulnerabilities for Adwares
Opened port for MyDoom2
Opened vulnerabilities for Dropper.Dollar
Opened port for MyDoom3
Disabled / corrupted Anti-virus portion of Norton SystemWorks
Norton corrupted TCP/IP Stack
Made numerous copies of self in GoBack
Opened port for Dropper.Small
Lost connectivity December 14, 2006
__________________________ ___
Here's the history:
User complaint: Cannot view web. Laptop connects, but unable to view. Numerous errors pop up.
____________________
Checked SSL, TLS settings - good
_____________
Used Cingular Communications Manager – Showed full bars/full connection
____________________
ipconfig –all – showed no connection media, IP 0.0.0.0
____________________
Check Network Connections
Connected. Cingular Accelerated Connected. Full Bars.
ping google.com
Windows Sockets interface, error code 0 returned
_______________________
WINDOWS
IP Configuration
IP Routing Enabled: No
WINS Proxy Enabled: No
Ethernet Adapter Wireless Network Connection: 2
Sierra Wireless 3G Adapter
DHCP Enabled: Yes
Autoconfiguration Enabled: Yes
Subnet Mask 0.0.0.0
IP Address 0.0.0.0
Default Gateway
DHCP Server 0.0.0.0
ipconfig /all
no media connected
__________________________ __
Errors upon bootup:
NT On – Access Scanner Service
szAppName: szAppVer: 0.0.0.0 szModName:Kernel32.dll
szModVer:5.1.2600.1106 offset 00013887
Symantec Email Proxy
TCP/IP is not disabled. Disable email scanning in your Symantec product options or install TCP/IP 1003,3
http://www.symantec.com/techsupport/servlet/ProductMessages?module=1003&error=3&lanuage=English&product=CC&version=104.0.1.17
________________________
Microsoft Visual C++ Runtime Library
Runtime Error!
Program C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
__________________________ ____
Program:C:\Program Files\Common Files\Symantec Shared\ccApp.exe
__________________________ __________
ConfigWiz
Another instance of the Wizard is running
__________________________ _______
Services running AIM at startup
__________________________ ________
Checked Logs --- Significant:
Dell Inspiron 5100
Pentium 4
CPU 2.8 GHz
512MB RAM
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 2/9/2007
Time: 6:08:39 PM
User: S-1-5-21-204266967-2096854778-2472988758-1005
Computer: HOSTNAME
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________ __________ _________
Event Type: Error
Event Source: SENS
Event Category: None
Event ID: 0
Date: 2/9/2007
Time: 7:36:53 PM
User: N/A
Computer: HOSTNAME
Description:
The description for Event ID ( 0 ) in Source ( SENS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may
be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Event System Win32 Error: No service is operating at the destination
network endpoint on the remote system.
, ServiceStart(): SensInitialize() failed.
__________________________ __________ _________
Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 5051
Date: 2/9/2007
Time: 7:43:56 PM
User: NT AUTHORITY\SYSTEM
Computer: HOSTNAME
Description:
The description for Event ID ( 5051 ) in Source ( McLogEvent ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.
You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: c:\PROGRA~1\mcafee.com\vso\mcshield.exe, 201608, 808
(0x328), 0x7ffe0304,
Build Sep 8 2001 15:13:39 / 8.52
Object being scanned = \Device\HarddiskVolume2\Documents and Settings\UserName\Local Settings\desktop.ini ( @ 7025 (7024,7019,7011,93))
__________________________ __________ _________
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 2/9/2007
Time: 7:44:00 PM
User: N/A
Computer: HOSTNAME
Description:
Faulting application , version 0.0.0.0, faulting module KERNEL32.DLL, version 5.1.2600.1106, fault address 0x00013887.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________ __________ _________
Installed People PC ISP
ipconfig /all
no connection media
uninstalled People PC ISP
__________________________ __-
googled errors:
Followed SENS error
joined Experts Exchange
Found answer with -- Windows XP Home Can't Get an IP Address_WinsockxpFix.exe
_______________________
GOT CONNECTION
__________________________
Multiple popups
Freezes
Stalls
Overheating
_____________________
Application Errors:
June 2006 System Volume Information \ eatalog.wci is corrupt
July 2006 Classes registry file corrupt
July 2006 msvcrt.dll - bpgame.exe - McAfee
Aug 2006 Outlook MOF
__________________________
Other logs: Logs saved (Windows format):
__________________________ __________ __________
BootTime with hard connect 3 min
__________________________ __________
Specs of the system:
Display Adapter Mobility Radeon 7500
Conexant D480 MDC V.92 Modem
Sierra Wireless AirCard 3G Modem
Standard Modem
Multifunction adapters
- Sierra Wireless AirCard 3G
adapter parent
Network Adapters
- 1394 Net adapter
- Broadcom 440x 10/100 Integrated Controller
- Sierra Wireless Adapter
PCMCIA adapters
- Texas Instruments PCI -4510 cardbus controller
IRQ:
11 – Sierra Wireless 3G Adapter
11 – Sierra Wireless Air Card 3G Modem
10 – Conexant D480 MDC V.92 Modem
__________________________ __________
Add and Remove
Programs:
Tried to remove:
888Bar
error while uninstall: New Starter Uninstall: Completed
Could not load C:\Program Files\Common Files\{3CA20FSF-OAE5-1033-0428-030211050001}\888Bar.dll
Completed
Adobe Downloader Manager 2.0 (Remove Only)
1/13/2005
Adobe Reader 7.05
1/13/2005
AIM 6.0
12/15/2006
AOL Instant Messenger
11/12/2006
AOL Toolbar 2.0
Cingular Communication Manager
Publisher: Cingular
Version: 5.2.19.0
Cust Supp 1-800-331-0500
Cowabanga by OIN
12/11/2006
Dataware
DAO
Dell Support
2/11/206
Direct X Media Runtime 5.1
HP Document Viewer
Live Update 2.7 / Symantec Corp
1/29/2007
Version 2.7.39.0
McAfee Security Center
6/1/2003
McAfee Virus Scanner Online
6/1/2003
Microsoft Encarta
Microsoft Money 2003
6/1/2003
Microsoft Money 2003 System Pack
6/1/2003
Microsoft PowerPoint Viewer 97
6/11/2003
Microsoft Streets and Trips 2002
6/1/2003
Microsoft Works Setup Launcher
6/1/2003
Microsoft Works 7.0
6/1/2003
Microsoft Works 7.0 Suite Addin
6/1/2003
__________________________ _________
exported Reg C:\Windows\System32\9FEB07.reg
__________________________ _________
created Windows Restore Point – appeared to be effective.
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx
***OIN Installations EULA, AVG Antispyware scan report and Hijackthis log removed by rpggamergirl PE***
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx
3 hours trying to use Norton SystemWorks
continuous shutdowns
__________________________ ______
Started Install XP SP2 from CD
2 failures -- over heat
__________________________ _____
cooled with upside down compressed air
__________________________ ____
Installed XP SP2
__________________________ ____
Posted this at Experts Exchange
I would like to install Symantec Norton SystemWorks 2006 (don't have original software). I have partially removed a corrupt version of 2006.
I'm working on a Windows XP Pro Dell laptop. I had the problem where I couldn't connect on all medias. I used experts-exchange suggested http://www.snapfiles.com/get/winsockxpfix.html and it worked
FANTASTICALLY! So I no longer had the 'TCP/IP is not disabled. Disable email scanning in your Symantec product options or install TCP/IP 1003, 3
http://www.symantec.com/techsupp/servlet/ProductMessages?module=1003&error=3&language=English&product=CC&version=104.0.1.17
I initially thought my problem was tied to a corrupt Symantec Norton SystemWorks 2006. There were all kinds of problems and would not remove completely. I got desperate and tried to hack Symantec and Norton
out of the registry (backed up) and pick through the directory. But I get the same problems. I am trying to reinstall the app. I tried Symantecs' 'NortonRemoval Tool'. The problem seems to be the Goback. But even
though the GoBack.rxc is missing, I did get a success restore out of it after a bluescreen scare (use of Webroot Spysweeper (removing 77 instances; latest being 'webhancer' -- a proposed adware that changes reg
and runs in memory). (may be the initial problem -- December 14, 2006)
Upon bootup, I get Norton 2006 Corrupt - A necessary file could not be loaded: NAVPro 1002, 1 --- which is the same problem as 18 hours ago.
http://www.symantec.com/techsupp/servlet/ProductMessages?module=1002&error=1&language=English&product=CC&version=104.0.1.17 it puts me back to the removal tool.
__________________________
Deleted Temporary Inet files
Deleted Trash
Disk Defrag
Removed McAfee -- long process
Removed Symantec Utilities - again
__________________
Posted again:
This is my first time using this. I guess I need to ask now what? I have a concern. The kernel is in my best guess still unstable. I do not wish to remove the GoBack since it really was able to recover the box nicely.
I would just like to be able to install the Utilities and the Antivirus, if possible. Since webhancer, I suspect the laptop as being a bot. Let's discuss further....I think I may be dealing with ADS (alternate data streams)
http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx in that the HD has 17GB available, yet when trying to choose additional features of Norton SystemWorks, it shows that it will take approx 300MB
to install but to install on 0 (zero) K. I need to return this box to the user as soon as possible.
_________________
I'm going to try to boot to a linux antivirus and removal tool -- Helix and clean in this fashion. I will keep you updated. However, I'd like to hear your direction.
_______________
This didn't work. Mounted drives but saw 0 files. Received WARNING: Hard link count is wrong for /: This may be a bug in your filesystem driver. I have downloaded the free version of AVG Anti-Spyware. So far
Adwares/Malwares found quarantined and/or deleted. Next I'll run their AV. Still waiting on hearing your approach.
____________________
SAFE MODE
________________
msconfig
repeats
___________
pick through files -- Program Files\Common Files and registry
LiveUpdate
CheckIt
Norton
Symantec
___________
Finally Norton Removal Tool and remove Norton
________________
Installed / ran CheckIt
_______________
System Passes All
_______________
4 attempts to install Norton SystemWorks
CPU maxed ---- overheat
________________________-
ALL USER DATA BACKED UP TO REMOVABLE MEDIA
_________________________
Installed on its side with fan blowing behind
block of ice to cool to push into intake of laptop
Norton Installed
___________________
There's another 10 pages, but you get the idea:
willing to answer any questions.
________________
webhancer
purityscan
savenow
targetsaver
go.com
zango
findwhat
2o7net
Thank you.
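The registry hunt described in this thread, done offline, as an added example that is not part of any post above: because searching the live registry kept overheating the laptop and a .reg export already existed, this Python script scans such an export on another machine for the fwlink URL and msn.com, decoding hex-encoded string values that a plain text search would miss, and lists hosts-file entries beyond the stock localhost line. The sample export, the sample hosts file and the value names "Example Expand" and "Example Dword" are constructed for illustration; treating REGEDIT4 (ANSI) exports as latin-1 is an assumption.

```python
import re

# Strings the thread is hunting for, lower-cased for case-insensitive matching.
NEEDLES = ("go.microsoft.com/fwlink/?linkid=69157", "msn.com")

# Constructed sample in regedit export format (not data from the laptop in the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
"Example Expand"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,77,00,77,00,\
  77,00,2e,00,6d,00,73,00,6e,00,2e,00,63,00,6f,00,6d,00,2f,00,00,00
"Example Dword"=dword:00000001
'''

# Constructed hosts file: the stock localhost line plus one override.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
203.0.113.7     www.google.com   # override worth a closer look
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_STRING_RE = re.compile(r"hex\((1|2|7)\):(.*)$")  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ


def read_export(path):
    """Regedit 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")  # assumption: close enough for ANSI exports


def decode_data(raw, wide):
    """Return value data as text, decoding quoted and hex-encoded string types."""
    if raw.startswith('"'):
        body = raw[1:-1] if raw.endswith('"') else raw[1:]
        return re.sub(r"\\(.)", r"\1", body)  # undo \\ and \" escaping
    m = HEX_STRING_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        text = data.decode("utf-16-le" if wide else "latin-1", errors="replace")
        return text.replace("\x00", " ").strip()  # NULs end or separate strings
    return raw  # dword, binary and other types are left as exported


def scan_export(text, needles=NEEDLES):
    """Return (key, value_name, data) for every value whose data holds a needle."""
    text = text.lstrip("\ufeff")
    wide = text.startswith("Windows Registry Editor Version 5")
    # Regedit wraps long hex values with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = decode_data(m.group(2), wide)
        if any(n in data.lower() for n in needles):
            hits.append((key, name, data))
    return hits


def hosts_overrides(text):
    """Return (ip, name) pairs in a hosts file other than the stock localhost entry."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            if (fields[0], name.lower()) != ("127.0.0.1", "localhost"):
                out.append((fields[0], name))
    return out


if __name__ == "__main__":
    for key, name, data in scan_export(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {data}")
    for ip, name in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
```

For a real export, pass `read_export(path)` to `scan_export`; a hit under a key other than the two `Internet Explorer\Main` keys points at whatever keeps writing the homepage back.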
Ok, guys and gals. This has become an obsession and I need to get rid of this box! I have this one final thing to fix and the output of hijackthis is at the bottom of this post. I have run the latest http://www.superantispyware.com. I have changed HKEY_LOCAL_MACHINE\SOFTWAR
_______________________
Tools used:
WinsockxpFix.exe
Norton_Removal_Tool
20070215-033-x86 NAV defs forced
Norton SystemWorks 2006
avg75free_441a944.exe
avgas-setup-7.5.0.50
CheckIt
cports.zip from nirsoft.net
xp_exe_fix.zip
Helix fprot antivirus
IE7-WindowsXP-x86-enu.exe
Webroot SpySweeper
mrublastersetup.exe
regscanner from nirsoft.net
spywareblastersetup351.exe
myuninst.zip
Registry Mechanic
SuperAntiSpyware.exe
alternativ hijackthis
__________________________
Found throughout:
Trojan LuckBar888
Adware Softomate
Adware Click Spring
Adware Drive Clean
Trojan Dropper.Dollar
PurityScan
Webhancer
SaveNow
Not-A-Virus
Adware New Dot Net
Trojan Downloader
Trojan Dropper.Small
Adware Why PPC
Tracking Cookie Clickbank
Tracking Cookie TribalFusion
Tracking Cookie Findwhat
Adware Media Ticket
Adware Command
Adware Maxfiles
__________________________
User liked viewing porn sites
User did not keep service packs and hot fixes up to date
User accepted that Norton Antivirus had stopped working
User had no firewall
User had no Anti Spyware
_________________________-
Best guess: user viewed particular porn site
Picked up Webhancer
Opened vulnerabilities for Adwares
Opened port for MyDoom2
Opened vulnerabilities for Dropper.Dollar
Opened port for MyDoom3
Disabled / corrupted Anti-virus portion of Norton SystemWorks
Norton corrupted TCP/IP Stack
Made numerous copies of self in GoBack
Opened port for Dropper.Small
Lost connectivity December 14, 2006
__________________________
Here's the history:
User complaint: Cannot view web. Laptop connects, but unable to view. Numerous errors pop up.
____________________
Checked SSL, TLS settings - good
_____________
Used Cingular Communications Manager – Showed full bars/full connection
____________________
ipconfig –all – showed no connection media, IP 0.0.0.0
____________________
Check Network Connections
Connected. Cingular Accelerated Connected. Full Bars.
ping google.com
Windows Sockets interface, error code 0 returned
_______________________
WINDOWS
IP Configuration
IP Routing Enabled: No
WINS Proxy Enabled: No
Ethernet Adapter Wireless Network Connection: 2
Sierra Wireless 3G Adapter
DHCP Enabled: Yes
Autoconfiguration Enabled: Yes
Subnet Mask 0.0.0.0
IP Address 0.0.0.0
Default Gateway
DHCP Server 0.0.0.0
ipconfig /all
no media connected
__________________________
Errors upon bootup:
NT On – Access Scanner Service
szAppName: szAppVer: 0.0.0.0 szModName:Kernel32.dll
szModVer:5.1.2600.1106 offset 00013887
Symantec Email Proxy
TCP/IP is not disabled. Disable email scanning in your Symantec product options or install TCP/IP 1003,3
http://www.symantec.com/techsupport/servlet/ProductMessages?module=1003&error=3&lanuage=English&product=CC&version=104.0.1.17
________________________
Microsoft Visual C++ Runtime Library
Runtime Error!
Program C:\PROGRA~1\Symantec\LIVEU
__________________________
Program:C:\Program Files\Common Files\Symantec Shared\ccApp.exe
__________________________
ConfigWiz
Another instance of the Wizard is running
__________________________
Services running AIM at startup
__________________________
Checked Logs --- Significant:
Dell Inspirion 5100
Pentium 4
CPU 2.8 GHz
512MB RAM
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524Date: 2/9/2007
Time: 6:08:39 PM
User: S-1-5-21-204266967-2096854
Computer: HOSTNAME
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________
Event Type: Error
Event Source: SENS
Event Category: None
Event ID: 0
Date: 2/9/2007
Time: 7:36:53 PM
User: N/A
Computer: HOSTNAME
Description:
The description for Event ID ( 0 ) in Source ( SENS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may
be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Event System Win32 Error: No service is operating at the destination
network endpoint on the remote system.
, ServiceStart(): SensInitialize() failed.
__________________________
Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 5051
Date: 2/9/2007
Time: 7:43:56 PM
User: NT AUTHORITY\SYSTEM
Computer: HOSTNAME
Description:
The description for Event ID ( 5051 ) in Source ( McLogEvent ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.
You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: c:\PROGRA~1\mcafee.com\vso
(0x328), 0x7ffe0304,
Build Sep 8 2001 15:13:39 / 8.52
Object being scanned = \Device\HarddiskVolume2\Do
__________________________
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 2/9/2007
Time: 7:44:00 PM
User: N/A
Computer: HOSTNAME
Description:
Faulting application , version 0.0.0.0, faulting module KERNEL32.DLL, version 5.1.2600.1106, fault address 0x00013887.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________
Installed People PC ISP
ipconfig /all
no connection media
uninstalled People PC ISP
__________________________
googled errors:
Followed SENS error
joined Experts Exchange
Found answer with -- Windows XP Home Can't Get an IP Address_WinsockxpFix.exe
_______________________
GOT CONNECTION
__________________________
Multiple popups
Freezes
Stalls
Overheating
_____________________
Application Errors:
June 2006 System Volume Information \ eatalog.wci is corrupt
July 2006 Classes registry file corrupt
July 2006 msvcrt.dll - bpgame.exe - McAfee
Aug 2006 Outlook MOF
__________________________
Other logs: Logs saved (Windows format):
__________________________
BootTime with hard connect 3 min
__________________________
Specs of the system:
Display Adapter Mobility Radeon 7500
Conexant D480 MDC V.92 Modem
Sierra Wireless AirCard 3G Modem
Standard Modem
Multifunction adapters
- Sierra Wireless AirCard 3G
adapter parent
Network Adapters
- 1394 Net adapter
- Broadcom 440x 10/100 Integrated Controller
- Sierra Wireless Adapter
PCMCIA adapters
- Texas Instruments PCI -4510 cardbus controller
IRQ:
11 – Sierra Wireless 3G Adapter
11 – Sierra Wireless Air Card 3G Modem
10 – Conexant D480 MDC V.92 Modem
__________________________
Add and Remove
Programs:
Tried to remove:
888Bar
error while uninstall: New Starter Uninstall: Completed
Could not load C:\Program Files\Common Files\ {3CA20FSF-OAE5-1033-0428-0
Completed
Adobe Downloader Manager 2.0 (Remove Only)
1/13/2005
Adobe Reader 7.05
1/13/2005
AIM 6.0
12/15/2006
AOL Instant Messenger
11/12/2006
AOL Toolbar 2.0
Cingular Communication Manager
Publisher: Cingular
Version: 5.2.19.0
Cust Supp 1-800-331-0500
Cowabanga by OIN
12/11/2006
Dataware
DAO
Dell Support
2/11/206
Direct X Media Runtime 5.1
HP Document Viewer
Live Update 2.7 / Symantec Corp
1/29/2007
Version 2.7.39.0
McAfee Security Center
6/1/2003
McAfee Virus Scanner Online
6/1/2003
Microsoft Encarta
Microsoft Money 2003
6/1/2003
Microsoft Money 2003 System Pack
6/1/2003
Microsoft PowerPoint Viewer 97
6/11/2003
Microsoft Streets and Trips 2002
6/1/2003
Microsoft Works Setup Launcher
6/1/2003
Microsoft Works 7.0
6/1/2003
Microsoft Works 7.0 Suite Addin
6/1/2003
__________________________
exported Reg C:\Windows\System32\9FEB07
__________________________
created Windows Restore Point – appeared to be effective.
xxxxxxxxxxxxxxxxxxxxxxxxxx
***OIN Installations EULA, AVG Antispyware scan report and Hijackthis log removed by rpggamergirl PE***
xxxxxxxxxxxxxxxxxxxxxxxxxx
3 hours trying to use Norton SystemWorks
continuous shutdowns
__________________________
Started Install XP SP2 from CD
2 failures -- over heat
__________________________
cooled with upside down compressed air
__________________________
Installed XP SP2
__________________________
Posted this at Experts Exchange
I would like to install Symantec Norton SystemWorks 2006 (don't have original software). I have partially removed a corrupt version of 2006.
I'm working on a Windows XP Pro Dell laptop. I had the problem where I couldn't connect on all medias. I used experts-exchange suggested http://www.snapfiles.com/get/winsockxpfix.html and it worked FANTASTICALLY! So I no longer had the 'TCP/IP is not disabled. Disable email scanning in your Symantec product options or install TCP/IP 1003, 3
http://www.symantec.com/techsupp/servlet/ProductMessages?module=1003&error=3&language=English&product=CC&version=104.0.1.17
I initially thought my problem was tied to a corrupt Symantec Norton SystemWorks 2006. There were all kinds of problems and would not remove completely. I got desperate and tried to hack Symantec and Norton out of the registry (backed up) and pick through the directory. But I get the same problems. I am trying to reinstall the app. I tried Symantec's 'NortonRemoval Tool'. The problem seems to be the Goback. But even though the GoBack.rxc is missing, I did get a success restore out of it after a bluescreen scare (use of Webroot Spysweeper (removing 77 instances; latest being 'webhancer' -- a proposed adware that changes reg and runs in memory). (may be the initial problem -- December 14, 2006)
Upon bootup, I get Norton 2006 Corrupt - A necessary file could not be loaded: NAVPro 1002, 1 --- which is the same problem as 18 hours ago.
http://www.symantec.com/techsupp/servlet/ProductMessages?module=1002&error=1&language=English&product=CC&version=104.0.1.17 it puts me back to the removal tool.
__________________________
Deleted Temporary Inet files
Deleted Trash
Disk Defrag
Removed McAfee -- long process
Removed Symantec Utilities - again
__________________
Posted again:
This is my first time using this. I guess I need to ask now what? I have a concern. The kernel is in my best guess still unstable. I do not wish to remove the GoBack since it really was able to recover the box nicely. I would just like to be able to install the Utilities and the Antivirus, if possible. Since webhancer, I suspect the laptop as being a bot. Let's discuss further....I think I may be dealing with ADS (alternate data streams) http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx in that the HD has 17GB available, yet when trying to choose additional features of Norton SystemWorks, it shows that it will take approx 300MB to install but to install on 0 (zero) K. I need to return this box to the user as soon as possible.
_________________
I'm going to try to boot to a linux antivirus and removal tool -- Helix and clean in this fashion. I will keep you updated. However, I'd like to hear your direction.
_______________
This didn't work. Mounted drives but saw 0 files. Received WARNING: Hard link count is wrong for /: This may be a bug in your filesystem driver. I have downloaded the free version of AVG Anti-Spyware. So far Adwares/Malwares found quarantined and/or deleted. Next I'll run their AV. Still waiting on hearing your approach.
____________________
SAFE MODE
________________
msconfig
repeats
___________
pick through files -- Program Files\Common Files and registry
LiveUpdate
CheckIt
Norton
Symantec
___________
Finally Norton Removal Tool and remove Norton
________________
Installed / ran CheckIt
_______________
System Passes All
_______________
4 attempts to install Norton SystemWorks
CPU maxed ---- overheat
________________________-
ALL USER DATA BACKED UP TO REMOVABLE MEDIA
_________________________
Installed on its side with fan blowing behind
block of ice to cool to push into intake of laptop
Norton Installed
___________________
There's another 10 pages, but you get the idea:
willing to answer any questions.
________________
webhancer
purityscan
savenow
targetsaver
go.com
zango
findwhat
2o7net
Thank you.
There comes a point when it makes more sense to rebuild the system than to keep troubleshooting. I think you are well past that point.
There may be so many corrupted files by now that the system may never run right.
Backup your data and scrub it well using many scanners and rebuild the system.
ASKER
Yes SudburyComputer,
I agree, but I can't stop now--I'm learning far too much. I'm not getting any money for this box; it was just a really good way to get back into a sideline business -- and back into geeking after 10 years. The user doesn't seem to have any of the original software either, so it would kind of be a hassle to use mine, activate, download, etc, etc, etc, this is much more fun.
ASKER
rpggamergirl,
You know your stuff!!!! LOTTA ROOT KIT!!! Wish I could give you 5,000 points!! I believe this to be a kernel-mode rootkit; hence the former found KERNEL32.DLL corruption; and the unavailability with HELIX to view drive partitions. Mounted drives but saw 0 files. Received WARNING: Hard link count is wrong for /: This may be a bug in your filesystem driver.
HERE IS THE ANSWER FOR THE REDIRECT: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG -- Rootkit Revealer told me.
Data Mismatch between Windows API and raw hive data .....It appears to be the last piece (and the most cryptic...no pun intended--well maybe).
Now if I could just get the binary key; or learn how to import one from another computer.....with it being a crypto key, could I just copy it? I wonder.....
If not: It's OK the msn is a legitimate site. I loaded Opera: Version 9.10 Build 8679 Platform Win32 System Windows XP Java Sun Java Runtime Environment version 1.5 XHTML+Voice Plug-in not loaded for the main browser to ensure that http://go.microsoft.com/fwlink/?LinkId=69157 does in fact redirect to www.msn.com; and it does.
Thank you, thank you....this is one of the cleanest-fastest-boxes that I have ever used.
I used the OIN uninstaller http://www.outerinfo.com/OiUninstaller.exe
I uninstalled Viewpoints Manager Add/Remove
I used https://europe.f-secure.com/blacklight/try.shtml ---- AWESOME!
I applied all the reg fixes you stated.
Again manually edited HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main; where it shows the redirect; made sure no tools running; made sure no firewall running; changed Inet Options and it changed back
I removed C:\Program Files\Common Files\ {3CA20FSF-OAE5-1033-0428-030211050001}\888Bar.dll
Sad news: combofix has been desupported by the author
>>The tool, ComboFix has been temporarily withdrawn. The author discovered a rootkit infection that will interfere with ComboFix's running. This will cause Combofix to be UNSAFE FOR USE on your machine. Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL Apologies for any inconvenience caused <<
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xx
***Rootkit Revealer's and Hijackthis' logs removed by rpggamergirl, PE***
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xx
DONE. THANK YOU.
Sorry about the combofix, yeah it is now withdrawn because of this rootkit -->qwertybot.exe
IF present in the system, it will cause combofix to malfunction (deletes all the files in the systemdrive, terrible outcome)
According to sUBs (author), the rootkit involved is relatively easy to disinfect. Reboot to safe mode & HJT fix the O4 entry below:
HKLM\..\Run - [qwertybot.exe] - C:\Windows\system32\qwertybot.exe
Delete files:
C:\Windows\system32\qwertybot.exe
C:\Windows\system32\comdlg77.dll
But, even if the "qwertybot.exe" is not present, some other rootkits that come along might do the same thing, so the author has withdrawn the tool. The file in the link now is just a dummy file.
RKR log, well those in the System volume information are easy to remove by turning off System Restore and rebooting.
Those in Norton's protected bin, if I were you I would turn it off or empty it to recover the lost space. Norton's bin does take up a lot of space, everything goes in there, even the files from the windows recycle bin go in there, it's the destination of all deleted files.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG <-- this is usually a false positive, it shows up sometimes in RKR, part of the internal encryption used by Microsoft Windows, and the "Seed" variable under that key is heavily protected.
Hijackthis log looks good, you can fix these entries below, these are just registry clutters:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Now that this question is closed, we can delete the logs so people don't have to scroll much.
Is the pc okay now?
Thanks for the points!
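The triage described in the reply above, as an added Python example that is not part of the original post or of HijackThis itself: it parses the quoted R0, O9 and Run-key lines and sorts them into empty-value clutter, orphaned entries whose file is missing, and autoruns that match the file names named in the reply. The verdict labels and regexes are assumptions of this sketch; the sample lines are the ones from the reply with the forum's inserted spaces removed, plus one constructed Start Page line using the URL from the question.

```python
import ntpath
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section target value verdict")

# File names the reply ties to the rootkit that made ComboFix unsafe.
WATCHLIST = {"qwertybot.exe", "comdlg77.dll"}

# R0-R3: IE start/search page values, written "key,value = data".
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^=]+?)\s*=\s*(.*)$")
# O9: extra IE toolbar buttons / Tools menu items, keyed by CLSID.
O9_LINE = re.compile(
    r"^O9 - (?:Extra button|Extra 'Tools' menuitem): .*? - "
    r"(\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# Run-key autostart, in HijackThis form ("O4 - HKLM\..\Run: [name] cmd")
# or as the reply writes it ("HKLM\..\Run - [name] - cmd").
RUN_LINE = re.compile(
    r"^(?:O4 - )?HK(?:CU|LM)\\\.\.\\Run\w*\s*[:-]\s*"
    r"\[([^\]]+)\]\s*(?:-\s*)?(.+)$")

# Sample input: lines from the reply, plus a final constructed line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
HKLM\..\Run - [qwertybot.exe] - C:\Windows\system32\qwertybot.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
"""


def classify(line):
    """Return an Entry with a verdict for one log line."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        section, target, value = m.groups()
        # An empty value is leftover clutter; a set value needs a human look.
        return Entry(section, target, value, "review" if value else "clutter")
    m = O9_LINE.match(line)
    if m:
        clsid, path = m.groups()
        missing = path.endswith("(file missing)")
        return Entry("O9", clsid, path, "orphan" if missing else "review")
    m = RUN_LINE.match(line)
    if m:
        name, cmd = m.groups()
        hit = (name.lower() in WATCHLIST
               or ntpath.basename(cmd).lower() in WATCHLIST)
        return Entry("O4", name, cmd, "watchlist" if hit else "review")
    return Entry("?", line, "", "unparsed")


def triage(log):
    """Classify every non-blank line of a pasted log."""
    return [classify(l) for l in log.splitlines() if l.strip()]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.verdict:9} {e.section:3} {e.target}")
```

Anything marked `review` or `unparsed` still needs a person to look at it; the script only separates the entries the reply already calls harmless from the ones it names as rootkit files.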
ASKER
rpggamergirl,
Yes, please delete the logs. I tried to sanitize but I missed. I was losing sleep over that last night/this morning. I would request you keep the first part of my stuff only:
i.e., Tools used:
WinsockxpFix.exe
Norton_Removal_Tool
20070215-033-x86 NAV defs forced
Norton SystemWorks 2006
avg75free_441a944.exe
avgas-setup-7.5.0.50
CheckIt
cports.zip from nirsoft.net
xp_exe_fix.zip
Helix fprot antivirus
IE7-WindowsXP-x86-enu.exe
Webroot SpySweeper
mrublastersetup.exe
regscanner from nirsoft.net
spywareblastersetup351.exe
myuninst.zip
Registry Mechanic
SuperAntiSpyware.exe
alternativ hijackthis
__________________________ _________-
Found throughout:
Trojan LuckBar888
Adware Softomate
Adware Click Spring
Adware Drive Clean
Trojan Dropper.Dollar
PurityScan
Webhancer
SaveNow
Not-A-Virus
Adware New Dot Net
Trojan Downloader
Trojan Dropper.Small
Adware Why PPC
Tracking Cookie Clickbank
Tracking Cookie TribalFusion
Tracking Cookie Findwhat
Adware Media Ticket
Adware Command
Adware Maxfiles
__________________________ _______
User liked viewing porn sites
User did not keep service packs and hot fixes up to date
User accepted that Norton Antivirus had stopped working
User had no firewall
User had no Anti Spyware
__________________________ _________
and the last comment prior to this, if I can pick and choose what stays and goes.
__________________________
I don't know the site policy, I'm new to this. Again thanks, and I will put the last pieces provided in place.
configreq,
It's okay, there is no site policy on posting Hijackthis logs. But it is recommended that logs are uploaded to any hosting sites and only post the link here, or at EE-stuff.com because some logs can be quite lengthy.
I only removed the OIN Installations EULA, AVG Antispyware scan report, 2 Hijackthis logs, Rootkit Revealer's log, and left everything else intact.
In the Hijackthis zone, we don't delete hijackthis logs, well I don't anyway, :)
https://www.experts-exchange.com/Software/Internet_Email/Spy_Ad_Blockers/HijackThis/
Thanks!