WSC asked:
Malware Attack Seems to be Preventing Activating Norton Anti-Virus

My daughter managed to engage some malware while surfing the web. I think I stopped it with Norton and WinPatrol. I then ran a full system scan with Norton Anti-Virus. It found one infection and resolved it. But I can't reactivate NAV. NAV is not running in the system tray as it usually is, and when I bring up Options and check the box to turn it back on, it doesn't work. Neither the real-time nor the email checking options are working. Both are flagged in the NAV box as needing to be turned on. I'm not a newbie and I'm familiar with what should be running on my machine; I don't see anything suspicious.

1. Think I still have a malware problem?
2. How do I turn on NAV so that it's running?

Thanks.
Anti-Virus Apps

phototropic:

Please download Hijackthis:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Click on "Install", accept the agreement, then click on "Do a system scan and save a logfile".

Post the scan log here as an attachment.
WSC (asker):
I ran a complete NAV manual scan, it found two hijacker files and eliminated them.  I rebooted and now AutoProtect is on.  I don't think I still have a problem.  What do you think?  I have this s/w already installed.  Log attached.
Attachment: hijackthis.log

phototropic:

You are still infected. Put a check next to the following entries:

O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.sxload.net (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
Click "fix checked".
 
I would then download, update and run the following scanner:

http://www.malwarebytes.org/mbam.php

Please select "complete scan" and post the log.
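The O15 lines in that fix list are domains that have been added to Internet Explorer's Trusted sites zone (HijackThis appends "(HKLM)" for machine-wide entries; the others come from the current user's hive), and the O2/O3 pair is one CLSID registered as both a browser helper object and a toolbar whose DLL no longer exists. The following is an added example, not part of the thread and not HijackThis's own code: a short Python pass that parses lines in HijackThis's log format and flags exactly those two patterns, so the next log can be triaged the same way. The sample input is constructed from the entries quoted above plus one made-up clean BHO line (with an all-zero CLSID) to show an entry that is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample input. The O2/O3/O15 lines are the ones quoted in the
# thread; the "Example Helper" line and its all-zero CLSID are made up so that
# the triage has one entry it should leave alone.
SAMPLE_LOG = """\
O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.sxload.net (HKLM)
"""

# Every HijackThis line is "<section> - <type>: <detail>".
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# A CLSID in braces: 8-4-4-4-12 hex digits, 36 characters between the braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Return one dict per recognised log line (section, kind, detail, raw)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "kind": m.group(2),
                            "detail": m.group(3), "raw": raw.strip()})
    return entries


def trusted_zone_domains(entries):
    """Map each O15 domain pattern to the hive(s) it appears in.

    HijackThis prints "(HKLM)" after machine-wide Trusted sites entries;
    lines without that suffix come from the current user's hive (HKCU).
    """
    hives = defaultdict(set)
    for e in entries:
        if e["section"] != "O15":
            continue
        detail = e["detail"]
        if detail.endswith("(HKLM)"):
            hives[detail[:-len("(HKLM)")].strip()].add("HKLM")
        else:
            hives[detail.strip()].add("HKCU")
    return dict(hives)


def missing_file_entries(entries):
    """O2 (BHO) and O3 (toolbar) registrations whose DLL is gone."""
    return [e for e in entries
            if e["section"] in ("O2", "O3") and "(file missing)" in e["detail"]]


def shared_clsids(entries):
    """CLSIDs registered as both a BHO and a toolbar (compared case-insensitively)."""
    by_clsid = defaultdict(set)
    for e in entries:
        if e["section"] in ("O2", "O3"):
            for g in CLSID_RE.findall(e["detail"]):
                by_clsid[g.upper()].add(e["section"])
    return sorted(g for g, secs in by_clsid.items() if secs == {"O2", "O3"})


def triage(text):
    """Return (raw_line, reason) pairs for the lines that deserve a closer look."""
    entries = parse_hjt(text)
    findings = []
    for e in missing_file_entries(entries):
        findings.append((e["raw"], "BHO/toolbar registration points at a missing DLL"))
    for e in entries:
        if e["section"] == "O15":
            findings.append((e["raw"], "domain added to the IE Trusted sites zone"))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}: {line}")
    print("CLSIDs registered as both BHO and toolbar:", shared_clsids(parse_hjt(SAMPLE_LOG)))
```

Run it against a real log by reading the file into `triage()` instead of `SAMPLE_LOG`. The hive recorded by `trusted_zone_domains()` tells you which registry hive the entry lives in, which matters when a fix made under one user account leaves the machine-wide entries in place.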
WSC (asker):
Don't know what happened above. Done. Here's the log.
Attachment: mbam-log-7-17-2008--20-23-03-.txt
WSC (asker):
Shall I delete the 10 infections?
phototropic:

Good morning!
Yes, when the MBAM scan ends, click Show Results. Make sure all entries are checked at their far left, then click on "Remove Selected". MBAM will delete and quarantine what it has found.
Then please post a fresh HJT log.
WSC (asker):
Hey PhotoTropic! Good morning too.
I had to shut down my PC last night, so MBAM is not up. There were actually about 15 items listed, all on the C:\ drive or registry, right?
1. Can I safely delete items like this in the future, as I do with, say, Spybot?
2. Do I need to rerun MBAM again to get back to where I was? (I guess it didn't save the last run?)
3. I have multiple partitions (music on one, photos on a 2nd, videos on a 3rd, files on a 4th) and I've limited my program installs to the C:\ drive. Can I just choose to scan C:\ or do I really need to go through all of my drives/partitions? (I don't think the log indicated any other partition, did it?)
4. Any idea where these infections came from? My wife/kid were shopping online when it happened. What did they do? And are these one infection or multiple?
5. I'm at work now; I'll do this when I get home, including rerunning HJT and posting that log.
Thanks so much for your answers here and help.

WSC
phototropic:

1. Yes;
2. Yes;
3. Complete system scan of all drives would make sense right now;
4. "...What did they do?..." Probably clicked on a pop-up of some kind (Yes/No - it makes no difference);
5. Good luck!!!
WSC (asker):
Deleted 21 items and I thought MBAM saved a log, but I can't find it. Here's the new HJT log. Am I clean?
Attachment: hijackthis.log

WSC (asker):
WinPatrol is reporting "The program currently associated with this file type is 'MicroSoft regedit.exe %1'. A change was made to use the following program for this file type: 'MicroSoft regedit.exe %1 %*'. Is this change okay?"

And "%1 /S a change was made to use the following program for this file type.  %1 %*."

What does this mean?  Should I allow Scottie to make these changes or not?
WSC (asker):
Here's a snapshot in a Word doc of the question WinPatrol is posing.  What, why?  

Thx.

WSC
Attachment: WinPatrol-Query.Doc

phototropic:
Good morning

OK. Your HJT log looks clean. Congratulations.
The WinPatrol message is hard to understand. I would deny the change and then run a system file check, to make sure there are no compromised system files.
Start - Run - type the following:

sfc /scannow

Have your XP CD ready - it will ask for it if it needs to replace a file.
When it completes, reboot the pc and check performance.

Good luck.
WSC (asker):
OK. I'll try it. I'm out of town on vacation, but will do this when I get back. I'll leave this question open until then, if that's okay.

1. How long does this sfc utility take?
2. I have an OEM Dell XPS. Will the XP CD be the one that came with my PC? I'm concerned I'll get lots of questions I can't answer. (I don't want to open a can of worms.)
3. Let me know if you find anything else about the WinPatrol error. If I can avoid this step, so much the better.

And thanks for the great help here!!
phototropic:

1. About 15 - 30 minutes;
2. The XP CD that came with your PC will be fine. "...I'm concerned I'll get lots of questions I can't answer..." You will not be asked any questions at all. Sfc will start to run; if it finds a missing or compromised system file, it will ask you to insert the XP CD so that it can replace it; that is definitely ALL that is going to happen.
3. I've Googled the WinPatrol error. The only references I've found are from people who are as mystified as we are; I'll let you know if I come up with anything...

Bon voyage!!!
WSC (asker):
Any updates on this WinPatrol error? I updated to the latest version; I've got to believe that it's related, but no information from them, and I did ask....
WSC (asker):
P.S.  What happens if I accept the change?  Or has it already occurred and WinPatrol wants to change it back?
WSC (asker):
Ah! Got this reply from the creator of WinPatrol:

"Hi Scott, As always thank you for your support. I suspect something you've installed is updating the regedit file type setting and luckily the change they've made is legitimate. You should feel comfortable saying yes to this change. Thanks again, Bill Pytlovany"

So, do you think that I can say yes too, Phototropic, to the message?
phototropic:

I found nothing conclusive about the WinPatrol warning.
If WinPatrol's tech support are happy, then I would go ahead and accept the change. If there is a problem, you can always revert to an earlier registry backup via System Restore.

Have you tried running sfc /scannow? This will restore any compromised system files, as I explained above.
And how is the PC running now? Is NAV running at startup? Your last HJT log looked clean, so hopefully your computer is back on track...
WSC (asker):
Everything is running great except the WinPatrol message, so I'll accept it next time and see what happens. (If you can't trust Microsoft, who can you trust? Oh, never mind....) Do I still need to run SFC if all is smooth? Is running SFC inserting another unknown, or a wise thing to do anyway?

Thx!
phototropic (accepted solution):

(solution text not available on this page)
WSC (asker):
Yeah, I'm superstitious.  I don't update drivers, etc. unless there's a reason to.  Hopefully all is well.  Thanks again for your help and patience.
WSC (asker):
Expert answered all questions and helped me through to the end!
phototropic:

You are welcome.