
Antispyware Gurus: Having trouble cleaning computer and uninstalling Norton AV 2002

bovinda

Senior member
I'm trying to clear my family's laptop of gunk that has been hogging the CPU, opening pop-ups, showing up as viruses, etc. I've used Spybot, Ad-aware, and finally Hijack This. There's still a couple entries (the O4 ones) that look strange to me and don't show up on Google searches except in the context of other people's Hijack This logs. Can anyone point me in the right direction or tell me if I'm clean?

Also, Norton AV hasn't been able to get rid of the W32.Spybot.Worm and W32.Spybot.KHC from the computer, it's only been able to quarantine them. I also have been unable to uninstall Norton AV to put a newer version on (it's 2002) because I keep getting the error: Error 1324: The folder path "My Pictures" contains an invalid character. This computer doesn't even seem to have a My Pictures folder though, so I don't understand.

Any and all help is greatly appreciated.


Here's my hijack-this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:54 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\dbnest.exe
C:\WINDOWS\system32\ciopldlg.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\surfmonkey\SMProxy.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [p76X33R] dbnest.exe
O4 - HKLM\..\Run: [rcn] C:\WINDOWS\rcn.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKCU\..\Run: [Ywp7RTd8R] ciopldlg.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O21 - SSODL: mtklef - {34D4E60E-E513-4496-6497-1C571205798B} - C:\WINDOWS\System32\joxuh32.dll (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edit: I've given up, I'm just going to reformat the laptop. Yay!
 
1) download WinSockFix from here and save it. If your Internet connection fails after you pry loose the malware, use this to fix it.

2) download Kaspersky Antivirus Personal 5.0 trial version from http://www.kaspersky.com/trials

3) Disable System Restore

4) Unplug your network cable or turn off your wireless access point, to quarantine the computer from the Internet

5) Install Kaspersky and set its protection to Maximum for both real-time and on-demand scanners. Click "Configure Updater" and set the updater to use Extended Databases.

6) Connect to the Internet long enough to update Kaspersky, then reboot into Safe Mode and run an exhaustive Kaspersky antivirus scan.

7) You can also dump your HJT log into http://hijackthis.de and nuke all the questionable or bad items, I see those too.

8) If you don't have a firewall then get one on there, whether it's software, hardware (a router) or both. Once the system's clean, examine the behaviors that are bringing this junk in the door (file-sharing, warez, unwise surfing habits, whatever).
 
Thanks for your help (again) mechBgon. I will give all that a try tonight and post my results. Quick question for you (or anyone else who cares to answer): since a number of the Hijack This items came back as unknown (and Google doesn't show any notable results for them), you think it's safe to go ahead and fix 'em?
 
I would try to fix them if it were me, but also realize that these randomly-named .exe's are often rebuilt after you kill them, until you kill the root of the problem. So hopefully the combination of Kaspersky and your other tools will be able to hit the underlying master program.
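
Added example, not part of any post in this thread: a small triage pass over the O4 (autorun) lines of the HijackThis log posted above, flagging the "randomly-named" entries discussed here for manual review. The two heuristics (bare filename with no directory, value name mixing letters with two or more digits) are assumptions chosen for this log; a flag is a prompt to look closer, not a verdict.

```python
import re

# O4 lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [p76X33R] dbnest.exe
O4 - HKLM\..\Run: [rcn] C:\WINDOWS\rcn.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKCU\..\Run: [Ywp7RTd8R] ciopldlg.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)', re.I)

def parse_o4(log_text):
    """Yield (hive, value_name, executable) for each O4 autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        # Strip quotes and arguments; handles unquoted paths containing spaces.
        exe = EXE_RE.match(m["cmd"])
        yield m["hive"], m["name"], exe["exe"] if exe else m["cmd"]

def triage(log_text):
    """Return {value_name: [reasons]} for entries that deserve a manual look."""
    findings = {}
    for hive, name, exe in parse_o4(log_text):
        reasons = []
        if "\\" not in exe:  # heuristic 1 (assumption): no directory given
            reasons.append("bare filename, resolved through the search path")
        # heuristic 2 (assumption): letters mixed with two or more digits
        if sum(c.isdigit() for c in name) >= 2 and any(c.isalpha() for c in name):
            reasons.append("value name mixes letters with several digits")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Entries that trip only the bare-filename check (here `CARPService`) show why each flag needs a human look before anything is fixed in HijackThis.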
 
Hey guys, in trying to install Kaspersky it tells me that I should uninstall Norton AV to avoid program conflicts. The thing is I can't uninstall Norton because of that "Error 1324." Should I go ahead and install Kaspersky anyway? Is there some other way to uninstall Norton?
 
Symantec's info on that error message. It sounds like Windows is Seriously Messed Up? and needs blown away. If you want to try installing Kaspersky on top of Norton, I don't guess there's much to lose as long as you've backed up your data first. Another idea would be to try running the Norton installer again and see if it can get Norton reinstalled/repaired so it'll uninstall cleanly.
 
I'm trying to do it on the original computer, which is a laptop. I'm thinking that I'm probably just going to reformat the whole thing, as per mechBgon's suggestion. After everything, unknown spyware is still popping up from no obvious place, and Norton keeps finding new viruses, and I'm unable to install Kaspersky. I'm going to back everything up and try to reformat this evening.

My only question now is: how is reformatting a laptop any different from a desktop?

And: can anyone point me to a good guide/link on reformatting? (And if it's specifically for laptops, all the better!)

Thanks guys for your help!
 