
Thread: Help - trying to remove BraveSentry etc

  1. #251
    Using Add or Remove Programs in the Control Panel, uninstall the following:
    Adobe Reader 7.0.7
    J2SE Runtime Environment 5.0 Update 2
    Viewpoint Media Player
    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Install Java Runtime Environment (JRE) 6u1 available from Major Geeks.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-link AirPlus G DWL-G120 Wireless USB.lnk]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Windows installer"=-
    "SpySheriff"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "xp_system"=-
    "Explorer32"=-
    "ControlPanel"=-
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      internat.dll
      C:\winstall.exe
      C:\Documents and Settings\Owner\Application Data\.rdr.ini
      C:\Program Files\SpySheriff\SpySheriff.exe
      C:\WINDOWS\ijl11.dll
      C:\WINDOWS\inet20099\services.exe
      C:\WINDOWS\system32\click.exe
      C:\WINDOWS\system32\cmd32.exe
      C:\WINDOWS\system32\efsdfgxg.exe
      C:\WINDOWS\system32\flash.exe
      C:\WINDOWS\system32\Help.ico
      C:\WINDOWS\system32\keylog.dll
      C:\WINDOWS\system32\kr_done1
      C:\WINDOWS\system32\LexFiles.ulf
      C:\WINDOWS\system32\pavas.ico
      C:\WINDOWS\system32\streamhlp.dll
      C:\WINDOWS\system32\tmp.reg
      C:\WINDOWS\system32\tmp.txt
      C:\WINDOWS\system32\Uninstall.ico
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    C:\Program Files\MFInstall
    C:\Program Files\Ofb11
    C:\Program Files\SpySheriff
    C:\WINDOWS\inet20099
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the following logs as attachments:
    ISeeYouXP
    HijackThis
    a-squared Team - www.emsisoft.com

    "Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
    Microsoft Most Valuable Professional - Consumer Security (2007-2008)
    Member - Alliance of Security Analysis Professionals - Since 2006
    Linux Registered User # 363218
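
An added example, not part of the original posts: a small Python parser for the .reg format used by FixReg.reg, showing the difference between a [-KEY] header (the whole key is deleted) and a "name"=- line under a plain [KEY] header (only that value is deleted), and flagging a key path broken by a stray space like the one asked about in post #253. The sample file is constructed from entries in the thread, and the NO_SPACE component list is an assumed heuristic.

```python
import re

# Constructed sample built from entries in the thread's FixReg.reg; the last
# key keeps the stray space ("curr entversion") asked about in post #253.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Windows installer"=-
"SpySheriff"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run]
"xp_system"=-
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Assumption: path components that never legitimately contain a space.
NO_SPACE = {"currentversion", "microsoft", "windows", "software"}

def parse_reg(text):
    """Return (ops, warnings); ops are (action, key, value_name) tuples.
    Scope: single-line values only (no hex continuation lines)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header")
    ops, warnings, key, key_deleted = [], [], None, False
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key_deleted, key = m.group(1) == "-", m.group(2)
            if key_deleted:          # [-KEY]: key and all subkeys/values go
                ops.append(("delete_key", key, None))
            for part in key.split("\\"):
                if " " in part and part.replace(" ", "").lower() in NO_SPACE:
                    warnings.append((n, "stray space in %r" % part))
            continue
        m = VALUE_RE.match(line)
        if m and key and not key_deleted:
            # "name"=- removes one value; anything else writes it
            action = "delete_value" if m.group(2) == "-" else "set_value"
            ops.append((action, key, m.group(1).strip('"')))
        else:
            warnings.append((n, "unparsed or misplaced line"))
    return ops, warnings
```

Calling parse_reg(SAMPLE_REG) lists one whole-key deletion and three single-value deletions, with a warning on the line whose key path contains the stray space.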

  2. #252
    Join Date
    May 2007
    Posts
    194
    I'm about to do all this, but I figured it might be worth a mention that, while I was gone tonight, Norton ran its weekly scan and came up with woinstall.exe, under threat name Adware.Ezula. It's quarantined now, but I assume everything's relevant

  3. #253
    Join Date
    May 2007
    Posts
    194
    For uninstalling, both Adobe and J2SE gave me the following message (Viewpoint went without a problem): "The Windows Installer Service could not be accessed. This can occur if you're running Windows in Safe Mode or if the Windows Installer is not correctly installed. Contact your support personnel for assistance." (I'm in normal mode, so that's not the issue). Thus, I'm going to skip the installations too for now, since the old versions aren't leaving, and move on to the registry updates, etc. I assume that I'm supposed to fix it if it looks like "curr ent" with the space, as before?

    EDIT: Oh, and I notice that the last two registry fix entries don't have the - sign in front... I assume that's accurate, but I'm just checking.
    Last edited by StckFigure; 05-18-2007 at 10:43 PM.

  4. #254
    Join Date
    May 2007
    Posts
    194
    And another question (sorry)... is internat.dll supposed to have a path as well, or just be all by itself?

  5. #255
    Join Date
    May 2007
    Posts
    194
    Notes from the other side of these tasks:

    - KillBox found 13 of these items (I count, I think, 19 listed).
    - C:\Program Files\SpySheriff not found
    - C:\Windows\inet20099 not found
    - CCleaner run with everything checked (default); deleted contents of /Windows/Prefetch but not folder itself.

    New logs coming as soon as computer reboots.
    Last edited by StckFigure; 05-18-2007 at 10:54 PM.

  6. #256
    Join Date
    May 2007
    Posts
    194
    Both logs are in this zip file, even though it's just called hijackthis.

    Thanks SO much!

  7. #257
    Move HijackThis to C:\HJT. The desktop is not a preferred location for several reasons.

    Download Qoofix from the link below. Unzip to a convenient location such as C:\Qoofix. Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe. Select Begin Removal and the removal process will commence. A reboot may be necessary if an infection is found.

    Download Qoofix (84 KB)

    Run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      C:\WINDOWS\system32\click.exe
      C:\WINDOWS\system32\flash.exe
      C:\WINDOWS\system32\keylog.dll
      C:\WINDOWS\system32\kr_done1
      C:\WINDOWS\system32\LexFiles.ulf
      C:\WINDOWS\system32\pavas.ico
      C:\WINDOWS\system32\Thumbs.db
      C:\WINDOWS\system32\tmp.reg
      C:\WINDOWS\system32\tmp.txt
      C:\WINDOWS\system32\Uninstall.ico
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    1. Download Sophos Anti-RootKit and run the program sarsfx.exe.
    2. Accept the licence agreement.
    3. Follow the instructions to install the program.
    4. When you run the installation, two programs are installed, sargui.exe and sarcli.exe in C:\SOPHTEMP, which is the default location. sargui.exe is the graphical user interface (GUI) of the Sophos Anti-Rootkit.
    5. To start Sophos Anti-Rootkit, double-click sargui.exe.
    6. In the initial dialog box, make sure all boxes are checked and click Start scan.
    7. Sophos Anti-Rootkit scans the selected areas and displays any suspicious files in the upper panel. When it is finished, a pop-up screen appears confirming the status and results of the scan. Click OK to continue.
    8. Exit Sophos Anti-RootKit.
    9. Do the following: Start -> Run, type notepad %TEMP%\sarscan.log, click 'OK'.
    10. Save that log to your Desktop.

    Attach fresh logs for HijackThis and ISeeYouXP and the sarscan.log.

  8. #258
    Join Date
    May 2007
    Posts
    194
    Notes from this sequence:

    Qoofix: "No malicious modules found" / "No Qoologic infected files found" / "Note: Some registry keys may have been removed"

    Killbox: All ten files found; no error messages

    Sophos: No hidden items found by scan.

    Logs (optimistically) attached

  9. #259
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I am letting SPD read these logs, but I have a question...is this still the old, non-updated Norton program you have been running all along...that you wanted to get rid of?

    How is that for lousy grammar...but you know what I mean I am sure.

  10. #260
    Join Date
    May 2007
    Posts
    194
    I do know what you mean... and yes, it's the old, non-updated Norton that I want to get rid of. I'm waiting to delete it until I can get back on the internet on that computer and download something else like AVG.
