
Thread: hjt log

  1. #11
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok philentropy,

    You are going to need to PRINT OUT these instructions as you will need to boot to SAFE MODE for some of these steps and therefore will not have access to the internet to refer to these steps.

    Please Enable Viewing of Hidden Files and Folders
    You still show multiple items which must be removed. I want you to UPDATE your Norton Anti-virus, but don't scan yet, make sure it is updated.

    Update the AVG Anti-Spyware program. Do not run it yet.

    Next you need to download, install and update the following programs if you do not already have them. If you DO already have them then update them:

    SpyBot Search & Destroy

    AdAwareSE Personal Edition

    CCleaner

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Place a check in the checkbox labeled Run VundoFix as a task. You will receive a message stating that VundoFix will close and re-open in a minute or less.
    • When VundoFix reopens, click the OK button.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click the YES button.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click the OK button.
    Now you will need to disconnect completely from the internet. Remove the internet plug from the back of the computer.
    Once you have done so then reboot the computer in SAFE MODE.

    All of these next steps will be run in SAFE MODE. Do not reboot until all have been completed.

    Once the computer is booted into safe mode Open and RUN CCleaner with the default options to clean out temporary files. Only use the Default Scan (Windows Tab) and select Run Cleaner. Do not run any other options from other tabs.

    Open SpyBot S&D and Click "Check for Problems." Allow SpyBot to fix what it finds. REMOVE EVERYTHING SHOWN IN RED

    Run Ad-Aware SE. Make sure all other windows, including your browser, are closed.
    * Click on the gear icon in the upper right (Settings).
    * Click "Scanning".
    * Select:
    - "Scan within archives"
    - "Scan my IE Favorites for banned URLs"
    - "Scan my hosts file"
    * Click "Tweaks".
    * Click "Cleaning Engine".
    * Select "Automatically try to unregister objects prior to deletion".
    * Click "Proceed".
    * Click "Start".
    * Select "Use custom scanning options".
    * Click "Next" and wait for the scanning process to complete.
    * Select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)

    Next run your Norton Anti-Virus program. Have it do a Full system scan and REMOVE everything found.

    Now run the AVG Anti-Spyware click Scanner > Complete System Scan.
    Allow it to fix what it finds and click on Save Report. Save the log to where it can be easily found and please attach it along with your HijackThis log when you post back.

    Next, STILL IN SAFE MODE and with Viewing of Hidden Files Enabled

    I want you to again go to My Computer.
    Double Click "C" Drive.
    Once in "C" Drive go to the following folders and delete the items noted in RED. I repeat, just the entry noted in RED, not the entire folder:

    C:\WINNT\system32\wfxqhv.exe
    C:\Program Files\System Files\System.exe
    C:\Program Files\PSHope\PSHope.exe
    C:\Program Files\Common Files\??stem\d?xplore.exe
    C:\Program Files\TClock\tclock_install.exe

    Make note of any you cannot find and proceed to the next one.
    Once you have completed all these steps then reboot the computer in Normal Mode, but do not reconnect to the internet yet.

    With ALL browsers closed, run a NEW HJT scan and place a checkmark next to any of the following items remaining in the log:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (file missing)

    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll (file missing)

    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

    O4 - HKLM\..\Run: [qcr40486] "RUNDLL32.EXE" w20c5d8c.dll,n 002404840000000320c5d8c

    O4 - HKLM\..\Run: [w20cc6f4.dll] "RUNDLL32.EXE" w20cc6f4.dll,I2 00240484020cc6f4

    O4 - HKLM\..\Run: [spywarebot] C:\Program Files\spywarebot\SpywareBot.exe -boot

    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"

    O4 - HKCU\..\Run: [PSHope] "C:\Program Files\PSHope\PSHope.exe"

    O4 - HKCU\..\Run: [Lflwn] C:\Program Files\Common Files\??stem\d?xplore.exe

    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe

    O15 - Trusted Zone: http://download.windowsupdate.com

    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123

    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll

    O20 - Winlogon Notify: awtqn - C:\WINNT\system32\awtqn.dll (file missing)
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINNT\

    Once you have placed checkmarks next to any of the above items found then click the FIX button.
    Exit HJT.
    Reboot, and with ALL BROWSERS CLOSED run a NEW HJT scan, save the log. Reconnect to the internet and post it here with the saved AVG log.

    DO NOT, I repeat, DO NOT run any other fixes other than those noted here. Do not post any logs other than those requested.

  2. #12
    Join Date
    Nov 2006
    Posts
    29
    These never go away when scanning with Spybot: SurfSideKick, Microsoft.WindowsSecurityCenter.AntiVirusDisableNotice


    ...with Ad-aware: Delfin, Cydoor

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:15:23 AM 11/8/2006

    + Scan result:



    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Dvx -> Adware.Delfin : No action taken.


    ::Report end

  3. #13
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    First of all, why did you post the AVG log without the new HJT log? AND why didn't you tell AVG to repair the items found? That is the point of running the program, fixing. DID you do ALL of the steps directed, IN THE ORDER directed?
    Please complete ALL steps, making note of items you wish to question in each. You should then post those questions along with the requested logs together in your posts AFTER following all the steps.
    Secondly:
    The Spybot notice Microsoft.WindowsSecurityCenter.AntiVirusDisableNotice is NOT a bug or a virus, it is information. It is telling you that "somebody" has disabled your anti-virus program and letting you know the Windows Security Center is notifying you of this, or has tried to and it has been ignored.
    If you changed the settings yourself you can safely tell Spybot-S&D to exclude those detections from further scans.
    In order to do so please right-click each notice in turn, then click "exclude this detection from future scans"

    Now what is the EXACT wording in Spybot concerning Surfside Kick?
    Last edited by jholland1964; 11-08-2006 at 01:07 PM.

  4. #14
    Join Date
    Nov 2006
    Posts
    29
    Logfile of HijackThis v1.99.1
    Scan saved at 10:09:00 AM, on 11/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINNT\system32\MAFWTray.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (file missing)
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINNT\system32\wfxqhv.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [DigidesignMMERefresh] "C:\Program Files\Digidesign\Drivers\MMERefresh.exe"
    O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINNT\system32\MAFWTray.exe
    O4 - HKLM\..\RunServices: [Windows Updater] paste.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1134880047125
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133155693185
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:15:23 AM 11/8/2006

    + Scan result:



    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Adware.Cydoor : No action taken.
    HKU\S-1-5-21-1214440339-879983540-725345543-1000\Software\Dvx -> Adware.Delfin : No action taken.


    ::Report end
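    The instructions in post #11 and the log in post #14 both hinge on reading HijackThis entries by hand: which lines are orphaned registrations ("file missing" / "no file"), which Run keys launch something by bare name through RUNDLL32, and which DLL turns up at more than one hook point (xeymi.dll appears as both an O2 BHO and an O18 MIME filter above). The Python below is an added illustration, not code from this thread or from HijackThis: a small parser for HJT v1.99 entry lines with a few triage heuristics that are assumptions of mine, not HijackThis's own judgement. The sample lines are constructed from the logs posted in this thread, with a couple of benign Symantec and Microsoft lines kept for contrast.

```python
import re
from collections import defaultdict

# Heuristic triage of HijackThis (HJT) v1.99 log lines. Added illustration
# for this thread, not HJT's own logic; the rules are starting assumptions
# a defender might use when reading such a log by hand.

# Constructed sample: entry lines taken from the logs posted in this thread,
# plus benign lines from the same log so that not everything is flagged.
SAMPLE_LOG = r'''
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [qcr40486] "RUNDLL32.EXE" w20c5d8c.dll,n 002404840000000320c5d8c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Windows Updater] paste.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O20 - Winlogon Notify: awtqn - C:\WINNT\system32\awtqn.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
'''

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))", re.IGNORECASE)
RUNDLL_RE = re.compile(r'"?RUNDLL32(?:\.EXE)?"?\s+(\S+?)(?:,|\s|$)', re.IGNORECASE)

ORPHAN = "orphaned registration: referenced file is missing"
BARE_DLL = "rundll32 loads a DLL by bare name (resolved via search path)"
BARE_CMD = "autostart command has no full path"
MULTI_HOOK = "one DLL registered at several hook points"

ORPHAN_MARKERS = ("(file missing)", "(no file)")
AUTOSTART_SECTIONS = {"O4"}                   # HKLM/HKCU Run, RunServices
HOOK_SECTIONS = {"O2", "O18", "O20", "O21"}   # BHO, MIME filter, Winlogon Notify, SSODL


def parse(log_text):
    """Return (section, body) pairs for entry lines; headers and the process list are skipped."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def command_target(body):
    """First token of the command after the [label] in an O4 entry, quotes stripped."""
    m = re.search(r"\]\s*(.*)$", body)
    cmd = m.group(1).strip() if m else ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def referenced_file(body):
    """Last drive-letter path ending in .dll/.exe in the entry, lower-cased."""
    hits = PATH_RE.findall(body)
    return hits[-1].lower() if hits else None


def triage(log_text):
    """Return (section, reason, detail) findings in log order, cross-references last."""
    entries = parse(log_text)
    findings = []
    hooks_by_file = defaultdict(set)

    for section, body in entries:
        if body.endswith(ORPHAN_MARKERS):
            findings.append((section, ORPHAN, body))
        if section in AUTOSTART_SECTIONS:
            m = RUNDLL_RE.search(body)
            if m:
                if "\\" not in m.group(1):
                    findings.append((section, BARE_DLL, body))
            else:
                target = command_target(body)
                if target and "\\" not in target and not target.startswith("%"):
                    findings.append((section, BARE_CMD, body))
        if section in HOOK_SECTIONS:
            path = referenced_file(body)
            if path:
                hooks_by_file[path].add(section)

    # The same DLL wired into more than one hook point (a BHO and a MIME
    # filter, say) deserves a closer look even where one entry is orphaned.
    for path, sections in hooks_by_file.items():
        if len(sections) > 1:
            findings.append(("*", MULTI_HOOK, f"{path} via {', '.join(sorted(sections))}"))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {detail}")
```

    Run against the sample, the pass reports the three orphaned entries, the RUNDLL32 line loading w20c5d8c.dll by bare name, the RunServices entry launching paste.exe without a path, and xeymi.dll being registered as both an O2 and an O18 hook; the ccApp, WgaLogon and LiveUpdate lines produce nothing. The heuristics are deliberately conservative: a bare-name autostart is a prompt to look up the file, not by itself a verdict.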

  5. #15
    Join Date
    Nov 2006
    Posts
    29
    AVG does not fix automatically. You have to do it manually. I did manually fix the issues found in AVG. That's what happened the first time and the second time. Sorry I didn't save the log file at the right time.

  6. #16
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by philentropy:
    AVG does not fix automatically. You have to do it manually. I did manually fix the issues found in AVG. That's what happened the first time and the second time. Sorry I didn't save the log file at the right time.
    I am sorry, but you must have it configured incorrectly. It DOES have a cleaning in it. Please note my attachment.
    What version are you running?

    Also, can we have the SurfsideKick information? Where is it found on the system? Is it found during Safe Mode Scans? If it will not clean it, what message do you receive?

    Have also just looked at your HJT log. I don't see much difference. Did you apply the fixes I recommended?
    Last edited by jholland1964; 11-08-2006 at 04:01 PM.

  7. #17
    Join Date
    Nov 2006
    Posts
    29
    Have also just looked at your HJT log. I don't see much difference. Did you apply the fixes I recommended?

    Yes

  8. #18
    Join Date
    Nov 2006
    Posts
    29
    I am using AVG Anti-Spyware 7.5. Every time you have said that I didn't fix the infections that were found I looked through every single area of AVG Anti-Spyware 7.5 (including just now), finding that there is automatic fix...
    Even after the scan. I had to fix each infection manually.

    SurfSideKick shows up in red when I do the Spybot S&D scan in safe mode. It doesn't show up in Add/Remove Programs, and when I search "For Files and Folders" that contain SurfSideKick I do not find anything.

  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Double click that Surfside entry in S & D and see where it is located. Tell it to remove then empty the Quarantine in there.
    Do you mean you do not see a fix option in AVG or you DO see one? And if you do see one are you running this scan in SAFE MODE?

  10. #20
    Join Date
    Nov 2006
    Posts
    29
    I do not see an automatic fix. I scan everything in Safe Mode.
