Thread: BraveSentry removed? - problems remain

  1. #1
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    YaHOOO!
    Ok, now, to be absolutely certain that this junk is all gone I would like you to do a few more things.

    Run the online Kaspersky Virus Scanner to see if anything remains. It won't remove anything but will produce a log telling us if anything is still there and where it is located. You can find the link for this on PP's Sticky.

    You also need to update the AVG Anti-spy program I believe I see in your scan logs and run a full system scan with it, allow it to fix whatever it finds.
    Save the log and post it back here along with the Kaspersky log.

    Download and run RegCleaner
    Double click the program to open.
    Choose Tools at the top and then choose Registry Cleanup, Do Them All.
    The program will scan your system for old, unneeded registry entries.
    It should only take a few minutes.
    It will then give you a list of All Unnecessary listings.
    Choose Select All.
    Then Click Remove Selected in the lower right corner.
    These unneeded entries will then be removed.

    Once you have done all of the above then run a new scan with HJT. Save the log and post it back here with the others I have requested.


    Judy

  2. #2
    Join Date
    Jul 2007
    Posts
    39
    Judy,

    Done all of the appropriate updates & scans.

    Logs are attached except the AVG Anti-Spy log. I checked 'automatically save a report' but there isn't one there. It found 9 items. It recommended quarantine for 8 of those and delete on the other. I let it do that & then I deleted the quarantine files. I don't remember what they were - I looked at them but was relying on the report and didn't make note of them. Sorry I messed this one up.

    pk

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, Kaspersky did note some items...some are likely back-ups of Killbox and SmitfraudFix.

    C:\!KillBox\ud.dll

    C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix

    Get rid of both of those programs. If you need them again they can always be downloaded.

    Some viruses were also noted in your Outlook Express, so you need to go in there and delete all old mail. It really is NOT a good idea to keep emails this long. This one is dated October 26, 2005.
    I am going to PM you the location. It does contain an email address and it isn't a good idea to post the address on an open forum. Since the Kaspersky log also contains this address I am going to remove it from the log also and then see if I can re-attach the altered log. I will assume that you also still have the original and I will also keep a copy of the full original until we are certain it is not needed anymore.


    Norton Quarantine needs to be emptied.
    You also need to go in and empty:
    C:\RECYCLER\
    Also, if you are running Norton SystemWorks, it also has a Norton Protected Recycle Bin. Make sure you clean that.

    I would also like you to run another online scan...this time do the Panda Scan, it will often times offer you the chance to clean, if so then please do so.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You should also follow PP's instructions for using the ATF-Cleaner. Since you seem to be using Firefox be sure to use the ATF-Cleaner on the Firefox option also. If it asks if you wish to keep your Firefox passwords that is fine for you to do.
    Do this in safe mode and then run another full system scan in SAFE MODE of the AVG-Anti-spy program. Have it fix everything it finds.


    Another question...Do you know what THIS entry is in your HJT logs?
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    It has appeared in all HJT logs you have posted. Info is slim...though some refer to it when speaking of the Canon All-In-One printer. I see that you have a Dell Printer on the computer, do you also have the Canon printer?
    It also is noted as a questionable file and that is the reason I am asking.

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Just noticed in Kaspersky scan these entries;
    H:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    H:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    H:\SmitfraudFix.exe RarSFX: infected - 2 skipped
    H:\i-hate-keyloggers.zip/i-hate-keyloggers.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
    H:\i-hate-keyloggers.zip ZIP: infected - 1 skipped

    Assume this is the USB stick you have been using to transfer and scan with...this should be cleaned also.
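
An added example, not part of the original posts and not a Kaspersky tool: a short Python script that reads report lines like the ones quoted above, groups each detection under the file on disk that actually has to be cleaned or deleted, and masks e-mail addresses before a log is posted publicly, as discussed earlier in the thread. The function names and the `[email removed]` marker are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Lines quoted in the post above (Kaspersky online scanner report).
SAMPLE_LOG = r"""
H:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe RarSFX: infected - 2 skipped
H:\i-hate-keyloggers.zip/i-hate-keyloggers.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
H:\i-hate-keyloggers.zip ZIP: infected - 1 skipped
"""

DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact_emails(text):
    """Mask e-mail addresses so a report can be posted on an open forum."""
    return EMAIL.sub("[email removed]", text)


def summarize(log_text):
    """Group detections by the on-disk file that contains them.

    Assumption (inferred from the quoted lines): a backslash separates
    on-disk path components and '/' marks members inside an archive.
    """
    files = defaultdict(set)
    for line in log_text.splitlines():
        match = DETECTION.match(line.strip())
        if match:  # container summaries ("ZIP: infected - 1") do not match
            on_disk = match.group("path").split("/", 1)[0]
            files[on_disk].add(match.group("verdict"))
    return {
        path: {
            "drive": path[:2],
            "verdicts": sorted(verdicts),
            # Kaspersky prefixes riskware (not outright malware) with "not-a-virus:"
            "riskware_only": all(v.startswith("not-a-virus:") for v in verdicts),
        }
        for path, verdicts in files.items()
    }


if __name__ == "__main__":
    for path, info in summarize(redact_emails(SAMPLE_LOG)).items():
        print(path, info)
```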

  6. #6
    Join Date
    Jul 2007
    Posts
    39
    Quote: Originally Posted by jholland1964
    You should also follow PP's instructions for using the ATF-Cleaner. Since you seem to be using Firefox be sure to use the ATF-Cleaner on the Firefox option also. If it asks if you wish to keep your Firefox passwords that is fine for you to do.
    Do this in safe mode and then run another full system scan in SAFE MODE of the AVG-Anti-spy program. Have it fix everything it finds.


    Another question...Do you know what THIS entry is in your HJT logs?
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    It has appeared in all HJT logs you have posted. Info is slim...though some refer to it when speaking of the Canon All-In-One printer. I see that you have a Dell Printer on the computer, do you also have the Canon printer?
    It also is noted as a questionable file and that is the reason I am asking.

    Yes, I do have a Canon printer also, although not an All-In-One.

  7. #7
    Join Date
    Jul 2007
    Posts
    39

    New Problem

    Quote: Originally Posted by jholland1964
    Ok, Kaspersky did note some items...some are likely back-ups of Killbox and SmitfraudFix.

    C:\!KillBox\ud.dll

    C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix

    Get rid of both of those programs. If you need them again they can always be downloaded.

    Some viruses were also noted in your Outlook Express, so you need to go in there and delete all old mail. It really is NOT a good idea to keep emails this long. This one is dated October 26, 2005.
    I am going to PM you the location. It does contain an email address and it isn't a good idea to post the address on an open forum. Since the Kaspersky log also contains this address I am going to remove it from the log also and then see if I can re-attach the altered log. I will assume that you also still have the original and I will also keep a copy of the full original until we are certain it is not needed anymore.


    Norton Quarantine needs to be emptied.
    You also need to go in and empty:
    C:\RECYCLER\
    Also, if you are running Norton SystemWorks, it also has a Norton Protected Recycle Bin. Make sure you clean that.

    I would also like you to run another online scan...this time do the Panda Scan, it will often times offer you the chance to clean, if so then please do so.

    Judy, was working along through these. Got about 3-4 minutes into the Panda Scan & a System Shutdown box came up with a countdown timer - tried to get as much of it written down as I could. This is what I got:

    NT Authority Sym???? windows/system32/sass.exe

    The pc locked up. Couldn't do anything. Had to hit reset to restart it & I get through the windows login to the blue screen - then nothing. No desktop. No icons. Just the blank screen. Tried Safe Mode - same thing.

    pk

  8. #8
    Join Date
    Jul 2007
    Posts
    39
    Quote: Originally Posted by pkraft
    NT Authority Sym???? windows/system32/sass.exe
    pk
    I mistyped the file name - it was lsass.exe

    pk

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Disconnect the computer from the internet again. Go back to the usable computer and your USB device.
    Download ComboFix.exe.
    Try again to boot the infected computer...fingers and toes crossed again.
    Hopefully you will be able to run this on the infected computer...
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall.
