08-09-2009 05:50 PM
dkrjoker:
When you have more than one real-time antivirus scanner running at the same time, you get program conflicts. A lot of the users who come here with infections are running two scanners. In your case Teatimer should be disabled. Spybot S & D will actually prevent the removal of the more serious infections.
08-10-2009 09:23 AM
thanks to quads and delphinium for that bit of information. i have run individual scans without spybot and am happy to report the SAS was clean. norton found only 1 tracking cookie (removed). i am scared to say that this might be over with because i don't have the best luck with these things, so i am posting my latest HJT and MBA logs for your review. i hope they prove that this thing has been removed from my system... again, thanks to delphinium, quads and mattsegers for your help.
please let me know if the logs show anything at all.
-Joker
08-10-2009 10:09 AM - edited 08-10-2009 10:10 AM
Hi,
I would suggest removing Spybot from your computer as having Norton Auto-Protect is enough, along with Malwarebytes' Anti-Malware and SUPERAntiSpyware Free Edition. Please do not pay for Malwarebytes' as this will add Real-Time Protection.
Could you Restart into Safe Mode again, making sure you Update all three Products, and do three Full System Scans with Norton, Malwarebytes' and SUPERAntiSpyware in the Administrator Account.
And you should do all Anti-Virus Scans disconnected from the Internet.
Can't remember if you mentioned what Norton Product and Version you are using; could you tell us?
Thanks!
__________________________________________________
What was the Name of the Trojan that Norton (?) Removed?
08-10-2009 11:46 AM
Please run HiJackThis and check the following:
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
Then click on "Fix checked" in HiJackThis.
Please download GMER from http://www.gmer.net and run the program. Select "Scan" and then "Save" the log. Do nothing else with the GMER program as it can harm your system if used incorrectly. Then attach the log file as a text file to a post here. The Add Attachments link is below the orange Post button. It will be reviewed for possible malware and we will get back to you. Again, thanks for your help in this.
08-10-2009 12:21 PM
Please download GMER from http://www.gmer.net and run the program. Select "Scan" and then "Save" the log. Do nothing else with the GMER program as it can harm your system if used incorrectly. Then attach the log file as a text file to a post here. The Add Attachments link is below the orange Post button. It will be reviewed for possible malware and we will get back to you. Again, thanks for your help in this.
Why GMER when there is no mention or symptom of a Rootkit, their Norton works, etc.??
Quads
08-10-2009 01:06 PM
ok i have run MBA and SAS in safe mode disconnected from the internet (the version of norton 360 i have does not run in safe mode), but SAS came up clean in safe mode and so did norton in normal mode. MBA found 4 "trojan fake alerts" named Hkey_Classes_Root\CLSID and 3 others of Hkey_Classes_Root. they keep reappearing each time i reboot my system. i am about to run HJT and fix the issues dbrisendine pointed out... after that i will download and run GMER because this all started with the rootkit virus and i don't want it to come back.
ill post the results as soon as they are done.
-Joker
08-11-2009 12:20 PM
ok i have made the "fixes" that dbrisendine noted from my HJT log and i have finished running the GMER program. *** A note to anyone planning to run this program: it takes a LONG time. i stopped clocking it at 3 hours and just let it run over night, but it had stopped at 5am so it could only have run for a max of 5 hours.***
please let me know if this GMER log shows anything of interest.
-Joker
08-11-2009 12:59 PM
Hi
It's not a Rootkit, but those bad registry entries shown in the GMER log should have been detected by Malwarebytes.
Did you use Malwarebytes all the way through to remove what it found??
Quads
08-11-2009 03:11 PM
yes... i have run malwarebytes several times and, except for the first time i ran it, the only things it finds are 4 trojan.fake alerts called
Hkey_classes_Root\CLSID\{500bca15-57a7-4eaf-8143-8
Hkey_classes_Root\Typelib\{e24211b3-a78a-c6a9-d317
Hkey_classes_Root\xml.xml
Hkey_classes_Root\xml.xml.1
that is all that malwarebytes finds. ill post the most recent malwarebytes log to show you.
-Joker
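The two things being checked in this thread are the HijackThis R3/O2/O3/O4 entries from the earlier post (a URLSearchHook, a BHO with "(no file)", a toolbar and a Run value) and the HKCR CLSID/TypeLib entries above that keep coming back after a reboot. An HKCR class registration on its own does nothing; it matters because something under HKLM or HKCU (a BHO, toolbar, search hook or Run value) refers to that CLSID and loads the DLL at logon or when Internet Explorer starts. The script below is an added, read-only example, not code from this thread or from any of the posters, and not the removal script mentioned later. It walks those same autorun locations, resolves each CLSID to its DLL through HKCR\CLSID\{GUID}\InprocServer32, and flags entries whose backing file is missing, which is exactly the "(no file)" condition HijackThis reported. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the function names (Resolve-ClsidFile, Get-CommandFile, Get-AutorunAudit) are my own.

```powershell
# Added example: read-only audit of the registry locations behind HijackThis
# R3 / O2 / O3 / O4 lines. Nothing is modified or deleted.
# Assumes Windows PowerShell 5.1+ in an elevated prompt. Function names are mine.

function Resolve-ClsidFile {
    param([string]$Clsid)
    # The DLL implementing a COM class is the default value of InprocServer32.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Get-CommandFile {
    param([string]$CommandLine)
    # Pull the executable out of a Run value: a quoted path or the first token.
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    # Bare names such as "nwiz.exe" are resolved through PATH, as the loader would.
    $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found) { return $found.Source } else { return $exe }
}

function Get-AutorunAudit {
    $rows = New-Object System.Collections.Generic.List[object]
    $guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    function Add-Row([string]$Type, [string]$Id, [string]$File) {
        $exists = (-not [string]::IsNullOrEmpty($File)) -and (Test-Path -LiteralPath $File)
        $rows.Add([pscustomobject]@{ Type = $Type; Id = $Id; File = $File; FileExists = [bool]$exists })
    }

    # O2 - Browser Helper Objects: each subkey name is a CLSID.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoKey) {
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            Add-Row 'O2 BHO' $sub.PSChildName (Resolve-ClsidFile $sub.PSChildName)
        }
    }

    # O3 - IE toolbars and R3 - URLSearchHooks: the value *names* are CLSIDs.
    $clsidValueKeys = @{
        'O3 Toolbar'       = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
        'R3 URLSearchHook' = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
    }
    foreach ($type in $clsidValueKeys.Keys) {
        $key = $clsidValueKeys[$type]
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -match $guid) { Add-Row $type $p.Name (Resolve-ClsidFile $p.Name) }
        }
    }

    # O4 - Run keys: the value data is a command line.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -in $psProps) { continue }
            Add-Row "O4 Run ($($key.Substring(0,4)))" $p.Name (Get-CommandFile ([string]$p.Value))
        }
    }

    return $rows
}

$audit = Get-AutorunAudit
$audit | Format-Table -AutoSize
Write-Host "`nEntries whose backing file is missing (the HijackThis '(no file)' case):"
$audit | Where-Object { -not $_.FileExists } | Format-Table -AutoSize
```

The second table is the one worth reading: a BHO, toolbar or search hook that still points at a CLSID whose DLL no longer exists is a dead registration and is what HijackThis shows as "(no file)", while an entry whose DLL is present under an odd path is the loader that keeps re-creating the HKCR entries MBAM removes. The script only reports; removing entries is left to the tools and the helper in this thread.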
08-11-2009 04:53 PM
Hi
That's interesting, MBAM has detected the HKCR registry part of the Malware but not the HKLM section,
which has various names like "Explorer32.Hijacker".
I will build a script for the removal.
Quads
