surfsidekick and more?

Discussion in 'Malware Help (A Specialist Will Reply)' started by ppreheim, Apr 11, 2006.

  1. ppreheim

    ppreheim Private First Class

    A friend from church brought me this computer and I am trying to rid it of pop-ups. I did all in the do me first file plus the SurfSidekick stuff. The computer has gone from unusable to annoying. It still has pop-ups but it can be used. When I did the BitDefender online scan it completed the scan but froze when it was done. I could not get a printout of the log. It did find 120 items and 45 viruses but could only fix 119 of the 120 items.
    Panda log and HJT log provided
     


  2. ppreheim

    ppreheim Private First Class

    Microsoft AntiSpyware ran last night and found some more stuff. One of the findings was Qoologic. I figured I had better do the stuff in that special removal thread, so I did. Attached are the three log scans and a new HJT. Thanks for the help in advance. I am also getting some Zeno pop-ups.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Limewire may be at the root of all these problems. You have a bunch of baddies on this PC. This may take a few steps but let's see what we can do in the first run.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
    C:\WINDOWS\system32\feawuith.dll
    C:\WINDOWS\jpsjjgjA.exe
    C:\WINDOWS\Lktbgzsf.dll
    C:\WINDOWS\errorhandler.exe
    C:\windows\system32\qpdsregq.exe
    C:\WINDOWS\system32\nwinqrag.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\kkhmu.dat
    C:\WINDOWS\system32\fmsjic.exe
    C:\WINDOWS\system32\vvjni.exe
    C:\WINDOWS\system32\ltrjakf.dll
    C:\WINDOWS\system32\grqrtht.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xtekp.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDyUaazwlbdhe5db443nNig5YZ4MOr6MS8+TBqEkSAtxwRJzXtIjdEJIIQXMtkSd7kIfHug/ArzJ/okbFgijoLlIiNI5G2JZXZJq0jLoRnkE0rgGmCwfEDDK2bqqDBJUcCTXfRkhzqn30OjAB6pWVURpiynPMKSLfM6sHlWuDRcyrIGSf22kSO9A==
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vvjni.exe
    F2 - REG:system.ini: UserInit=userinit.exe,grqrtht.exe
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)
    O2 - BHO: (no name) - {88B82A4C-E48B-B12B-A81D-BA5E17683393} - C:\WINDOWS\system32\feawuith.dll
    O2 - BHO: (no name) - {D5F224B8-3D4F-3A58-F697-415C8C9D7609} - C:\WINDOWS\Lktbgzsf.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Search - {33676672-676C-76E0-B73B-543587D2AF4E} - C:\WINDOWS\Lktbgzsf.dll
    O4 - HKLM\..\Run: [jpsjjgjA] C:\WINDOWS\jpsjjgjA.exe
    O4 - HKLM\..\Run: [{23-31-1C-CA-ZN}] C:\windows\system32\qpdsregq.exe CORN001
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinqrag.exe CORN001
    O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazb
    O4 - HKCU\..\Run: [Tiyezu] C:\Program Files\?ssembly\?explore.exe
    O4 - HKCU\..\Run: [ruzr] C:\PROGRA~1\COMMON~1\ruzr\ruzrm.exe
    O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwinqrag.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm594YYUS
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
    O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\tqddd.dll (file missing)
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\OgmInfo.dll (file missing)

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Documents and Settings\Owner\Local Settings\Temp <--- Delete all files and subfolders in this Temp folder. Only the ones from your current PC bootup date may be refused, as your PC is using them.
    C:\Program Files\apsi <--- the whole folder
    C:\Program Files\EQBranch <--- the whole folder
    C:\Program Files\?ssembly <--- the whole folder
    C:\Program Files\Common Files <--- the whole folder
    C:\PROGRAM FILES\EQAdvice <--- the whole folder

    C:\WINDOWS\system32\feawuith.dll
    C:\WINDOWS\jpsjjgjA.exe
    C:\WINDOWS\Lktbgzsf.dll
    C:\WINDOWS\errorhandler.exe
    C:\WINDOWS\keyboard51.dat
    C:\WINDOWS\ubber60.ini
    C:\windows\system32\qpdsregq.exe
    C:\WINDOWS\system32\qndsregj.exe
    C:\WINDOWS\system32\nwinqrag.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\kkhmu.dat
    C:\WINDOWS\system32\fmsjic.exe
    C:\WINDOWS\system32\vvjni.exe
    C:\WINDOWS\system32\ltrjakf.dll
    C:\WINDOWS\system32\grqrtht.exe
    C:\WINDOWS\system32\BMGi_b.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xtekp.exe


    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
    Last edited: Apr 11, 2006
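An added example, not part of the thread or of any tool it names: a read-only PowerShell audit of the persistence points the HJT lines above map to (F2 = Winlogon Shell/Userinit, O4 = Run keys and Startup folders, O15 = IE Trusted Zone), plus a check of which KillBox target files are still on disk. It assumes Windows PowerShell 5.1 or newer on a current Windows install (the Winlogon defaults it compares against are the modern ones; on XP the paths read C:\WINDOWS\system32\...). The file list is copied from the KillBox step above.

```powershell
# Added example (not from the thread): audit the autorun spots the HJT log
# entries live in, and report which of the KillBox target files still exist.
# Assumption: Windows PowerShell 5.1+ on a current Windows install.

$script:RegNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-WinlogonAnomalies {
    # Clean defaults: Shell = explorer.exe, Userinit = <system32>\userinit.exe,
    $expectedShell    = 'explorer.exe'
    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe"
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()
    if ($wl.Shell -ne $expectedShell) {
        $findings += "HKLM Shell = '$($wl.Shell)' (expected '$expectedShell')"
    }
    if ($wl.Userinit.TrimEnd(',') -ne $expectedUserinit) {
        $findings += "HKLM Userinit = '$($wl.Userinit)' (expected '$expectedUserinit,')"
    }
    # A per-user Shell value under HKCU overrides the machine one and should not exist.
    $cu = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($cu -and $cu.Shell) { $findings += "HKCU Shell override = '$($cu.Shell)'" }
    return $findings
}

function Get-RunEntries {
    # Every value under the Run/RunOnce keys of both hives, with its command line (the O4 lines).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($p.Name -in $script:RegNoise) { continue }
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupItems {
    # Per-user and all-users Startup folders (where Zeno.lnk, Z_Start.lnk and xtekp.exe sat).
    foreach ($f in 'Startup','CommonStartup') {
        $dir = [Environment]::GetFolderPath($f)
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            Select-Object @{n='Folder';e={$dir}}, Name, LastWriteTime
    }
}

function Get-TrustedZoneDomains {
    # ZoneMap\Domains\<domain>\<sub> holds one DWORD per scheme; 2 means Trusted sites (O15 lines).
    foreach ($hive in 'HKLM','HKCU') {
        $base = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem $base -Recurse) {
            $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
            $parts = $rel -split '\\'; [array]::Reverse($parts)   # sub\domain -> sub.domain
            foreach ($p in (Get-ItemProperty $key.PSPath).PSObject.Properties) {
                if ($p.Name -in $script:RegNoise -or $p.Value -ne 2) { continue }
                [pscustomobject]@{ Hive = $hive; Scheme = $p.Name; Host = ($parts -join '.') }
            }
        }
    }
}

# Constructed list: the files the KillBox step above targets.
$suspectFiles = @(
    'C:\WINDOWS\system32\feawuith.dll', 'C:\WINDOWS\jpsjjgjA.exe',
    'C:\WINDOWS\Lktbgzsf.dll',          'C:\WINDOWS\errorhandler.exe',
    'C:\WINDOWS\system32\qpdsregq.exe', 'C:\WINDOWS\system32\nwinqrag.exe',
    'C:\WINDOWS\system32\dwdsregt.exe', 'C:\WINDOWS\system32\dmonwv.dll',
    'C:\WINDOWS\system32\vvjni.exe',    'C:\WINDOWS\system32\grqrtht.exe'
)
function Test-SuspectFiles {
    foreach ($f in $suspectFiles) {
        [pscustomobject]@{ Path = $f; StillPresent = (Test-Path -LiteralPath $f) }
    }
}

'== Winlogon ==';      Get-WinlogonAnomalies
'== Run keys ==';      Get-RunEntries         | Format-Table -AutoSize
'== Startup ==';       Get-StartupItems       | Format-Table -AutoSize
'== Trusted Zone ==';  Get-TrustedZoneDomains | Format-Table -AutoSize
'== KillBox files =='; Test-SuspectFiles      | Format-Table -AutoSize
```

The point of comparing Shell and Userinit against known defaults rather than eyeballing them is that the thread's F2 lines show exactly how this hijack works: an extra executable is appended to a value Winlogon runs on every logon, so the malware restarts even after its Run keys are removed. Run the audit once before the fix and once after the safe-mode reboot, the same way the post asks for the HJT entries to be re-checked.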
  4. ppreheim

    ppreheim Private First Class

    Did as requested. Some of the files were not to be found when I was exploring to delete them. All of the files after C:\Program Files\EQAdvice were not found.

    Absolutely no pop-ups so far!!!

    Attached are the log files.

    I did get some errors on reboot to normal mode. Microsoft Money had some errors, as did SpySubtract.

    Thanks for everything. Hanging on the forum if you have any more advice for me
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shutdown MS Antispyware and other similar tools and then have HJT fix the below lines:

    O4 - HKLM\..\Run: [eewbia] C:\WINDOWS\system32\fmsjic.exe reg_run
    O4 - HKCU\..\Run: [bbdck] C:\WINDOWS\system32\fmsjic.exe reg_run

    Then attach a new HJT log. Is everything still working OK?
     
  6. ppreheim

    ppreheim Private First Class

    Fixed those two lines and posted the new log.

    No pop-ups at all. Still get the pop-up subtract program error and the Microsoft Money files stuff, but those are easy fixes to reinstall. Is the pop-up subtract program even worth it?

    Should I advise them to remove Limewire as well?

    Thanks for all the help
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never said what the actual errors were, so I have no idea what you are seeing. I do not use any popup blocking programs! I don't find them to be necessary. Just use Firefox if popups are a problem. It has built-in popup blocking.

    In this forum (and most other malware forums) no one would tell you to keep Limewire or any other P2P program. In fact some forums will refuse to provide any fixes until ALL P2P software is uninstalled. The more recent versions of Limewire are "supposed to be malware free", but P2P is by design not safe and is a spreader of malware. It is your friend's decision in the end.
     
  8. ppreheim

    ppreheim Private First Class

    The Microsoft Money just keeps trying to install and asks for the discs. Should be just an easy install.

    No pop-ups whatsoever while using the internet.

    Thanks for all the help and I will advise the owner on how to avoid this in the future.

    Again, thanks
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe not! Sometimes the MS Installer gets messed up. You could try just putting the disks in to see if it fixes it, but it may not. This would however be an issue for the Software Forum.
     
  10. ppreheim

    ppreheim Private First Class

    More problems. I don't know if there is something hiding, but I just got this computer back and have followed the do me first thread and it found a ton more. Logs are below. I also cannot get Microsoft Outlook to work, nor can I get a new version of Microsoft Money to work that was working after the first run through this stuff. Logs are posted below, please advise.

    Thanks in advance
     
  11. ppreheim

    ppreheim Private First Class

    Trying to upload files it looks like I forgot. Won't let me. I have the BitDefender scan as an RTF file and it won't take it. It says the active scan is too big, and it says I have already loaded an HJT scan in this thread.
     
  12. ppreheim

    ppreheim Private First Class

    Let's see if this works.

    Also, I have deleted Norton and am trying to install Avast. The install goes fine but I get a warning that Norton is still running even though I deleted it, so I manually delete all Norton folders but they keep coming back.

    Still won't let me upload the HJT file.
     


  13. ppreheim

    ppreheim Private First Class

    Update: Used Norton removal tool found on this site to get rid of Norton as advised by Chu bbakka. Worked like a charm, thanks chu bbakka!!!!

    Hopefully I will be able to post the new HJT log run after removal of Norton. I still see some WinAntiVirus stuff on there so I know there are still some uglies on this computer. Please advise.

    Thanks in advance
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to delete programs. You are supposed to uninstall them. Is that what you meant?

    Who installed the following junk: WinAntiVirus Pro 2006

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    By the way, you did not follow the directions for creating a Bitdefender log. But don't worry about it now, I don't need it.
     
  15. ppreheim

    ppreheim Private First Class

    Yeah, I misworded it. I uninstalled Norton via the add/remove function. When it said I still had Norton running I kept trying to manually remove the folders with delete but they kept coming back. Seems fine now and Avast is working smoothly.

    The owners of the computer installed the junk. I have informed them not to install anything that appears in a pop up.

    I knew I did something wrong with bitdefender. Sorry.

    Attached the uninstall list.

    Thanks for all the help!!!!!!
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First run Add/Remove programs and uninstall the below:
    Notifier
    RelevantKnowledge
    Viewpoint Media Player


    Is the below line due to something you install or use?
    O11 - Options group: [INTERNATIONAL] International*

    Now download LSP-Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the mailscan.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move mailscan.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Service Hosts ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Service Hosts

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\iefwbho.dll (file missing)
    O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\system32\ddaby.dll (file missing)
    O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
    O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
    O20 - Winlogon Notify: ddaby - C:\WINDOWS\system32\ddaby.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WinAntiVirus Pro 2006 <-- the whole folder
    C:\WinAntiVirus Pro 2006 <-- the whole folder
    C:\Program Files\common files\Companion Wizard <-- the whole folder
    C:\WINDOWS\system32\FT_SilentSudokuInstaller.exe
    C:\WINDOWS\system32\qndsregj.exe
    c:\windows\keyboard101.dat
    c:\windows\ubber60.ini

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  17. ppreheim

    ppreheim Private First Class

    Followed directions with these exceptions.

    Notifier was not in add/remove manager
    Could not find Service Hosts in the services.msc
    Service Hosts was not found in the register per HJT

    All other instructions were followed

    HJT log is posted. Computer seems to be running normally. Thanks for your time. Will check back tonight after work to see what else is needed. Thanks again.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange! They showed in the previous logs!

    Still have another bad service to remove!

    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Firewall service... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    FWSvc

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot if it tells you it needs to.

    Then after reboot attach a new HJT log.

    You did not answer my question about the below line:
    O11 - Options group: [INTERNATIONAL] International*

    Also does the person who this PC belongs to use Alcohol Software's CD/DVD writing application named Alcohol 120%? I'm questioning the service that is running with the file named C:\WINDOWS\System32\ScsiAccess.EXE

    I would like to get some more info on the C:\WINDOWS\System32\ScsiAccess.EXE. Locate it using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too. If there is no Version tab, use the below link to scan this file and attach the report of what is found:

    http://virusscan.jotti.org/
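An added example, not part of the thread or of HijackThis: the services.msc stop/disable plus HJT "Delete an NT Service" procedure from posts 16 and 18 written as one PowerShell function, together with a listing of the Winsock catalog that the LSP-Fix step in post 16 edits. The service names 'Service Hosts' and 'FWSvc' are the ones the thread gives; the helper names and the rest are my assumptions. It assumes an elevated Windows PowerShell 5.1 or newer; sc.exe and netsh.exe are the built-in Windows tools.

```powershell
# Added example (not from the thread): stop, disable and delete a suspect
# service, then list the Winsock provider DLLs (what LSP-Fix shows).
# Assumption: elevated Windows PowerShell 5.1+; sc.exe / netsh.exe present.

function Get-ServiceDetail {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service carries the binary path and logon account that Get-Service hides.
    Get-CimInstance Win32_Service -Filter "Name='$Name' OR DisplayName='$Name'" |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

function Remove-SuspectService {
    param([Parameter(Mandatory)][string]$Name)
    # Accept either the service name (what HJT wants) or the display name (what services.msc shows).
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue }
    if (-not $svc) { Write-Warning "Service '$Name' not found; it may already be gone"; return }

    Get-ServiceDetail -Name $svc.Name | Format-List        # record what it ran before deleting it
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled      # so it cannot come back on reboot
    # 'sc delete' marks the service for deletion; the entry vanishes once the
    # last handle (for example an open services.msc) closes, usually at the next reboot.
    & sc.exe delete $svc.Name
}

function Get-WinsockProviders {
    # One row per distinct provider DLL in the catalog; a rogue LSP shows up here.
    $raw  = & netsh.exe winsock show catalog
    $seen = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
            if ($seen.ContainsKey($path)) { continue }
            $seen[$path] = $true
            [pscustomobject]@{
                ProviderPath = $path
                Exists       = (Test-Path -LiteralPath $path)
                InSystem32   = ($path -like "$env:SystemRoot\System32\*")
            }
        }
    }
}

# Usage, with the names the thread gives (constructed):
Remove-SuspectService -Name 'Service Hosts'
Remove-SuspectService -Name 'FWSvc'
Get-WinsockProviders | Format-Table -AutoSize
```

A provider path that no longer exists on disk is the situation LSP-Fix exists for: Winsock chains the LSPs, so deleting mailscan.dll without removing its catalog entry can leave the machine with no working network. The blunt modern equivalent is `netsh winsock reset`, which rebuilds the catalog from defaults and needs a reboot.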
     
  19. ppreheim

    ppreheim Private First Class

    Sorry about not answering the previous question. I actually remembered this on my drive to work.

    O11 - Options group: [INTERNATIONAL] International

    I don't have the faintest idea what this is. Am wondering, however, if this might be something from IE7? I installed that for them when I couldn't find a recent version of IE6 from Microsoft.

    As far as Alcohol120% I am pretty sure they don't use it. Am waiting for confirmation that should happen sometime tonight however. Thanks again and I will run the steps as directed when I get home late tonight.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Make sure you get the properties info and run the online file scan on ScsiAccess.EXE
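An added example, not part of the thread: a PowerShell function that collects what chaslang asks for about ScsiAccess.EXE (the Explorer "Version" tab fields) together with two things a practitioner would add today, the Authenticode signature and a SHA-256 hash to look up on a multi-engine scanner, and finds which installed service launches the file. It assumes Windows PowerShell 5.1 or newer; the function name is mine and the path is the one named in the thread, which may well not exist on your machine.

```powershell
# Added example (not from the thread): identify an unknown service binary.
# Assumption: Windows PowerShell 5.1+; the target path comes from the thread.

function Get-FileProvenance {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo                              # the Explorer "Version" tab
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path   # who signed it, if anyone
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # Which service(s) start this binary? Match on the file name inside the
    # command line, since PathName may be quoted or carry arguments.
    $owners = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*\$($item.Name)*" } |
        ForEach-Object { "$($_.Name) [$($_.State)/$($_.StartMode)]" }

    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        CompanyName     = $vi.CompanyName        # blank when there is no Version tab
        FileDescription = $vi.FileDescription
        ProductName     = $vi.ProductName
        FileVersion     = $vi.FileVersion
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = $hash.Hash
        Services        = ($owners -join '; ')
    }
}

# Constructed usage: the file the thread is unsure about.
Get-FileProvenance -Path "$env:SystemRoot\System32\ScsiAccess.EXE" | Format-List
```

"No Version tab" in Explorer simply means the executable carries no version resource, which is common for hand-built or packed binaries and is why the thread falls back to an online scan. The hash lets you look the file up on a scanner without uploading it, and the Services field answers the question the post is really asking: what, if anything, starts this file at boot.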
     
  21. ppreheim

    ppreheim Private First Class

    Followed all instructions. Logs attached.

    There wasn't a Version tab with the ScsiAccess.EXE file, so I ran the online scan, which didn't find anything. Log posted. Well, I couldn't find a log button, so I copied and pasted into Notepad.

    Thanks again
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean other than my concerns on this ScsiAccess.EXE file. Please try putting it into a ZIP file and uploading it here as an attachment. Hopefully it will be small enough to do that.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  24. ppreheim

    ppreheim Private First Class

    Here it is. Let me know and I will do what you think is best.
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, from the file itself I still cannot tell who created it, but it does seem to be a valid application. It could be part of something that was installed. It does appear to even have a method of uninstalling the service, but since we do not know what application it belongs to, it could break something the user needs if stopped. I have stopped this service on other PCs in the past and it did not appear to affect anything. At least there were no comments about it causing any problems.

    For now, if you are not having any other malware issues, I would just leave it alone.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  26. ppreheim

    ppreheim Private First Class

    Flushed the System restore.

    Will walk the owner through the protect yourself thread. Thanks for all the help. You are a life saver!!!!!!
     
