I'm about to do all this, but I figured it might be worth a mention that, while I was gone tonight, Norton ran its weekly scan and came up with woinstall.exe, under threat name Adware.Ezula. It's quarantined now, but I assume everything's relevant!
For uninstalling, both Adobe and J2SE gave me the following message (Viewpoint went without a problem): "The Windows Installer Service could not be accessed. This can occur if you're running Windows in Safe Mode or if the Windows Installer is not correctly installed. Contact your support personnel for assistance." (I'm in normal mode, so that's not the issue). Thus, I'm going to skip the installations too for now, since the old versions aren't leaving, and move on to the registry updates, etc. I assume that I'm supposed to fix it if it looks like "curr ent" with the space, as before?
EDIT: Oh, and I notice that the last two registry fix entries don't have the - sign in front... I assume that's accurate, but I'm just checking.
Last edited by StckFigure; 05-18-2007 at 10:43 PM.
And another question (sorry)... is internat.dll supposed to have a path as well, or just be all by itself?
Notes from the other side of these tasks:
- KillBox found 13 of these items (I count, I think, 19 listed).
- C:\Program Files\SpySheriff not found
- C:\Windows\inet20099 not found
- CCleaner run with everything checked (default); deleted contents of /Windows/Prefetch but not the folder itself.
New logs coming as soon as computer reboots.
Last edited by StckFigure; 05-18-2007 at 10:54 PM.
Both logs are in this zip file, even though it's just called hijackthis.
Thanks SO much!
Move HijackThis to C:\HJT. The desktop is not a preferred location for several reasons.
Download Qoofix from the link below. Unzip to a convenient location such as C:\Qoofix. Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe. Select Begin Removal and the removal process will commence. A reboot may be necessary if an infection is found.
Download Qoofix (84 KB)
Run Pocket Killbox:
Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.
Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\click.exe
C:\WINDOWS\system32\flash.exe
C:\WINDOWS\system32\keylog.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\LexFiles.ulf
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\system32\Uninstall.ico
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
1. Download Sophos Anti-RootKit and run the program sarsfx.exe.
2. Accept the licence agreement.
3. Follow the instructions to install the program.
4. When you run the installation, two programs are installed, sargui.exe and sarcli.exe in C:\SOPHTEMP, which is the default location. sargui.exe is the graphical user interface (GUI) of the Sophos Anti-Rootkit.
5. To start Sophos Anti-Rootkit, double-click sargui.exe.
6. In the initial dialog box, make sure all boxes are checked and click Start scan.
7. Sophos Anti-Rootkit scans the selected areas and displays any suspicious files in the upper panel. When it is finished, a pop-up screen appears confirming the status and results of the scan. Click OK to continue.
8. Exit Sophos Anti-RootKit.
9. Do the following: Start -> Run, type notepad %TEMP%\sarscan.log, click 'OK'
10. Save that log to your DeskTop
Attach fresh logs for HijackThis and ISeeYouXP and the sarscan.log.
a-squared Team - www.emsisoft.com
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
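The "Delete on Reboot" step above works by queuing the files for the boot-time deletion mechanism that the post's "PendingFileRenameOperations prompt" refers to. The following is an added example, not Killbox's or the forum's code: it decodes (and, for comparison, builds) entries in the documented layout of the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, so a helper can see exactly which files are scheduled to be deleted, renamed or replaced at the next boot. The sample entries are constructed from two of the paths in the Killbox list plus a made-up replace entry; reading the live value only works on Windows and is an assumption about the winreg module, not something the post describes.

```python
"""Inspect or build delete-on-reboot entries of the kind Killbox schedules.

Added example (not Killbox's or the forum's code). It assumes the documented
layout of the REG_MULTI_SZ value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations:
consecutive (source, destination) string pairs in NT path form (\\??\\C:\\...),
where an empty destination means "delete source at boot" and a destination
starting with "!" means "replace an existing file".
"""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def to_nt_path(win_path: str) -> str:
    """Prefix a Win32 path with \\??\\ unless it is already in NT form."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def to_win_path(nt_path: str) -> str:
    """Strip the \\??\\ prefix (and a leading "!" replace marker) for display."""
    p = nt_path.lstrip("!")
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def build_delete_entries(paths: List[str]) -> List[str]:
    """Encode a list of files as (source, "") pairs, i.e. delete at next boot."""
    entries: List[str] = []
    for p in paths:
        entries.extend([to_nt_path(p), ""])
    return entries


def decode_entries(multi_sz: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Turn the raw string list into (operation, source, destination) tuples.

    An odd number of strings means the value is truncated or was hand-edited
    badly; refuse to guess rather than misreport what will happen at boot.
    """
    if len(multi_sz) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            ops.append(("delete", to_win_path(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", to_win_path(src), to_win_path(dst)))
        else:
            ops.append(("rename", to_win_path(src), to_win_path(dst)))
    return ops


def read_live_entries() -> Optional[List[str]]:
    """Read the real value on a Windows host; returns None elsewhere or if unset."""
    try:
        import winreg  # only available on Windows (assumption: stdlib winreg API)
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except OSError:
        return None
    return list(value) if kind == winreg.REG_MULTI_SZ else None


if __name__ == "__main__":
    # Constructed sample: two of the paths from the Killbox list above plus one
    # made-up replace entry, so all three decoder branches are exercised.
    sample = build_delete_entries([
        r"C:\WINDOWS\system32\flash.exe",
        r"C:\WINDOWS\system32\keylog.dll",
    ]) + ["\\??\\C:\\staging\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll"]
    for op, src, dst in decode_entries(read_live_entries() or sample):
        print(f"{op:8} {src}" + (f" -> {dst}" if dst else ""))
```

Running it on a Windows host prints whatever is queued for the next boot, which is the quickest way to confirm that a Killbox run (or any other tool) scheduled exactly the files intended and nothing else; elsewhere it prints the constructed sample.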
Notes from this sequence:
Qoofix: "No malicious modules found" / "No Qoologic infected files found" / "Note: Some registry keys may have been removed"
Killbox: All ten files found; no error messages
Sophos: No hidden items found by scan.
Logs (optimistically) attached
I am letting SPD read these logs, but I have a question...is this still the old, non-updated Norton program you have been running all along...that you wanted to get rid of?
How is that for lousy grammar...but you know what I mean I am sure.
I do know what you mean... and yes, it's the old, non-updated Norton that I want to get rid of. I'm waiting to delete it until I can get back on the internet on that computer and download something else like AVG.
Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to AFSEGTGF Windows Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.
Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':
AFSEGTGF Windows Service
Click on the "Back" button. Click the 'Scan' button. Place a checkmark in the box next to the following lines:
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.
Now run Pocket Killbox:
Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.
Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\flash.exe
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\keylog.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\LexFiles.ulf
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\system32\Uninstall.ico
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
Your Sophos AntiRootkit log is incomplete, which leads me to believe that a RootKit is active on the system. What Anti-RootKit scanners have you run?
Post fresh logs for HijackThis and ISeeYouXP.
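The two O23 lines the helper singled out share the signs a reviewer looks for in a HijackThis log: the service binary is reported "(file missing)", the binary carries no company name ("Unknown owner"), and in the first case the display name is an opaque all-caps token. The following is an added example, not HijackThis's or the forum's code, that parses O23 lines and applies exactly those three checks so the same triage can be run over a whole log. The line format is taken from the two lines quoted in the post; the benign service line and the O4 line in the sample are constructed, and the all-caps-token test is a heuristic, not a rule HijackThis itself applies.

```python
"""Triage HijackThis O23 (service) lines for the signs the helper acted on above.

Added example, not HijackThis's own code. The O23 line format is taken from the
two lines quoted in the post; the benign line and the O4 line are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "O23 - Service: <display> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for an O23 line, None for any other HJT line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["display"], m["owner"], m["path"], bool(m["missing"]))


def assess(entry: ServiceEntry) -> List[str]:
    """List the reasons a service entry deserves a second look (empty = none)."""
    reasons = []
    if entry.file_missing:
        reasons.append("service binary is missing on disk (orphaned, or deleted itself)")
    if entry.owner.lower() == "unknown owner":
        reasons.append("binary carries no company name in its version info")
    # Heuristic (assumption, not an HJT rule): a display name that starts with a
    # long all-caps token and no words, like AFSEGTGF, is usually generated.
    first = entry.display.split()[0] if entry.display.split() else ""
    if len(first) >= 6 and first.isalpha() and first.isupper():
        reasons.append(f"display name starts with an opaque all-caps token '{first}'")
    return reasons


def triage(log_lines: List[str]) -> List[Tuple[ServiceEntry, List[str]]]:
    """Return every O23 entry that has at least one reason, in log order."""
    flagged = []
    for line in log_lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


# Constructed sample log: the two O23 lines from the post, one made-up benign
# service, and one non-service line that the parser must ignore.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",
    r"O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsezu.exe (file missing)",
    r"O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)",
    r"O23 - Service: Example Update Service (ExampleSvc) - Example Corp. - C:\Program Files\Example\updater.exe",
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.display}  [{entry.path}]")
        for r in reasons:
            print(f"  - {r}")
```

Note that the Windows Installer (MSIServer) line is flagged as well, on the first two checks only: a missing msiexec.exe is exactly the condition behind the "Windows Installer Service could not be accessed" error reported earlier in the thread, and it is why the helper had both entries fixed rather than only the odd-named one.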