SurfSideKick Removal Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by MsApril, Jun 26, 2006.

  1. MsApril

    MsApril Private E-2

    I am trying to remove SurfSideKick 3 from my PC and a load of other crap too... Anyway...I am following the instructions for removal that I found here on your site: http://forums.majorgeeks.com/showthread.php?t=74266

    Step 1: Stopping running processes C:\Program Files\Common Files\VCClient\VCClient.exe and C:\Program Files\Common Files\VCClient\VCMain.exe. Neither of these were present in Process Manager.

    Step 2: SurfSideKick 2, 3 were not present in add or remove programs.

    So I found C:\Program Files\SurfSideKick 3 and tried to delete it and it tells me that is cannot delete it because it is being used by another person or program.

    I went to Run typed "C:\Program Files\SurfSideKick 3\ssk.exe" /u

    It doesn't find anything with " /u on the end and if I type in C:\Program Files\SurfSideKick 3\ssk.exe it doesn't bring up anything for me to type the security code in.

    This isn't all that is wrong with my computer, but I am tackling one problem at a time. It also has win32.malum.erk that I cannot get rid of and it is barely running. I would appreciate any help that I can get on removing SurfSideKick 3.

    Thanks a bunch,
    April
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. MsApril

    MsApril Private E-2

    Thank you so much for your response. I was trying to get my computer in good enough running condition that I could do all of the steps in READ & RUN ME FIRST Before Asking for Support. But I can barely post a response here...I am actually using another computer right now. I have run: NoAdware, Adaware, and XoftSpy. I tried to run SpyBot S&D but it gets stuck when I try to download the updates. What should I do?

    Thanks again,
    April
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you purchase NoAdware and XoftSpy? If not, uninstall them because they are of no use to you unless you buy them.

    Skip to step 7 of the READ ME and get a HijackThis log and attach it. Based on it I will indicate the next steps. You will at some point have to run ALL steps in the READ ME to make sure your PC is properly cleaned. HijackThis does not show all problems.
     
  5. MsApril

    MsApril Private E-2

    NoAdware and XoftSpy are both purchased versions. They both detect SurfSideKick but neither have been successful at removing it.

    I have a feeling that there is a lot going on with my computer other than SurfSideKick. I had to restart it about 10 times before I was able to even run HJT. I couldn't even attach it on that computer because it would freeze up when I clicked Manage Attachments. I do hope that you will be able to help me out.

    Attached is my HJT file.

    Thanks again,
    April

    P.S. I noticed that McAfee was listed on the HJT. I once upon a time had McAfee and it nearly crashed my system. I was never able to remove it - someone manually disabled it for me.
     


    Last edited: Jun 26, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you paid for these programs you should contact them and ask for your money back and also ask for an explanation why they cannot remove SurfSideKick and also ask them why they did not report Qoologic and why they also did not remove it. What is the sense in buying programs that cannot detect the malware they are supposedly designed to detect and, even worse, if they detect it but cannot remove it, what good does it really do you? Any forum like this can tell you all of this for free and remove it for free too.

    I'll start working up a fix for you but you really should call both companies on the carpet for an explanation and also demand a refund.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you uninstalled McAfee (which it does appear to be incorrectly and incompletely uninstalled), then what are you using for an antivirus application?

    Let's start by doing another scan (not a fix, just a scan) for some hidden files related to Qoologic. I need this to work up a fix for Qoologic.

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
    FindQool is not a removal procedure. It is a scan that helps us to locate hidden files and registry keys so we can work up a fix for the Qoologic infection.


    Now let's start doing some other fixes. You have a load of other problems.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee.com McShield (if that is not found, look for the short name: aswUpdSv)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    McAfee SecurityCenter Update Manager
    McAfee.com VirusScan Online Realtime Engine

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    McShield

    Now repeat the Delete NT Service steps for:
    mcupdmgr.exe
    MCVSRte
    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Look in Add/Remove Programs for the below and uninstall if found:
    NewDotNet
    eAcceleration or StopSign or Acceleration Software
    SoftwareOnline

    Make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\DOCUME~1\april\LOCALS~1\Temp\svchost.exe
    C:\WINDOWS\system32\RACLE~1\chkdsk.exe
    C:\Documents and Settings\april\Application Data\??crosoft\d?xplore.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O3 - Toolbar: Search - {A32F5F7A-95FD-204C-D256-726729357BEA} - C:\WINDOWS\Qckxvdru.dll (file missing)
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [axdittgA] C:\WINDOWS\axdittgA.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\april\LOCALS~1\Temp\svchost.exe 1
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [SOProc_RegWxSzNn] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegWxSzNn
    O4 - HKCU\..\Run: [Sshl] "C:\WINDOWS\system32\RACLE~1\chkdsk.exe" -vt ndrv
    O4 - HKCU\..\Run: [Fcjg] C:\Documents and Settings\april\Application Data\??crosoft\d?xplore.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\april\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v46/skillgam/skillgam.cab
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.66.155.171.47.downloads.estara.com./as/OneCCDM.php?template=28029&sessionid=486817855_66.155.171.47_43283&=&req=1140489747198OneCC.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v44/sol/sol.cab
    O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
    O20 - AppInit_DLLs: repairs303169590.dll <--- ignore the error from HijackThis about fixing this and just continue

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    (if you do not find any of these or cannot delete them, DO NOT stop. Just continue and tell me about it later.)
    C:\Program Files\SoftwareOnline <--- delete the whole folder
    C:\Program Files\SurfSideKick 3 <--- delete the whole folder
    C:\Program Files\Acceleration Software <--- delete the whole folder
    C:\Program Files\outlook <--- delete the whole folder
    C:\Program Files\mcafee.com <--- delete the whole folder
    C:\Program Files\PartyGaming <--- delete the whole folder
    C:\Program Files\NEWDOT~1 <--- real name is probably NewDotNet or similar. Delete the folder
    C:\WINDOWS\system32\RACLE~1\chkdsk.exe <--- real name may be oracle or similar. Delete the oracle folder
    C:\Documents and Settings\april\Local Settings\Temp <--- delete all files and subfolder in this Temp folder
    C:\Documents and Settings\april\Application Data\??crosoft\d?xplore.exe
    C:\WINDOWS\axdittgA.exe
    C:\WINDOWS\Qckxvdru.dll
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\repairs303169590.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST)

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  8. MsApril

    MsApril Private E-2

    You are absolutely right...it is so aggravating when you pay for something that promises to fix your problems and won't. Thank goodness for people like you who are willing to help other people! You are all WONDERFUL!

    I will begin working on what you have given me. It might take a few since my PC is barely running. Will get back with you shortly.

    Thanks again,
    April
     
  9. MsApril

    MsApril Private E-2

    Okay....shew....I finally made it through everything that you listed-my computer is soooooooo Slow.


    NewDotNet
    eAcceleration or StopSign or Acceleration Software
    SoftwareOnline
    were not present in Add and Remove Programs. However, I did find Surf SideKick when I set it to show hidden files. I removed it.


    C:\Program Files\SoftwareOnline <--- was not present
    C:\Program Files\SurfSideKick 3 - I removed this in Add and Remove programs.
    C:\Program Files\Acceleration Software <--- was not present
    C:\Program Files\mcafee.com - I deleted two files in the folder but could not delete the last VSO file - or the folder itself. I checked to see if it was set to read only and it was.
    C:\WINDOWS\axdittgA.exe <--- was not present
    C:\WINDOWS\Qckxvdru.dll <---This was present but ended in .ini instead of .dll - I didn't delete it.
    C:\WINDOWS\system32\repairs303169590.dll <--- was not present

    I will have to send my FindQool and HJT scans to my email and attach them here on my other computer - this one freezes up when I try to attach.

    Thanks again,
    April


    I almost forgot I got the following error message when I rebooted from safe mode....
    Error loading C:\PROGA~\NEWDOT~\NEWDOT~2.DLL
    The specified module could not be found.
     
  10. MsApril

    MsApril Private E-2

    Here are my attached scans.

    Thank you,
    April
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you delete it now, or does it still block you?

    Delete the Qckxvdru.ini file too.

    This error occurs because you forgot to have HijackThis fix one of the O4 lines I gave you that mentions this file.

    We will fix it below. It does not look like FindQool ran completely. I will give you a fix to try but it may not work since your log really appears to be incomplete. Let's try anyway.

    Question: Is this SmartShopper program something you installed?

    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\system32\kfsco.exe
    C:\WINDOWS\system32\ubagycu.exe
    C:\WINDOWS\system32\dmonwv.dll



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kfsco.exe
    F2 - REG:system.ini: UserInit=userinit.exe,ubagycu.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4389/mcfscan.cab



    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\system32\kfsco.exe
    C:\WINDOWS\system32\ubagycu.exe
    C:\WINDOWS\system32\dmonwv.dll


    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  12. MsApril

    MsApril Private E-2

    Quote:
    Originally Posted by MsApril

    C:\Program Files\mcafee.com - I deleted two files in the folder but could not delete the last VSO file - or the folder itself. I checked to see if it was set to read only and it was.

    Can you delete it now, or does it still block you?
    No, I cannot delete it. I checked read only and I keep getting the message "Cannot delete mcusshl.dll: Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use."
    I went to task manager and the following processes were running: (I was in Safe Mode)
    taskmgr.exe
    explorer.exe
    svchost.exe
    svchost.exe
    svchost.exe
    lsass.exe
    services.exe
    winlogon.exe
    csrss.exe
    smss.exe
    system
    system idle process

    I deleted the Qckxvdru.ini file and I found the O4 lines you gave me that I missed fixing. This took care of the error message.

    I have run FindQool again and have attached the files. There are 4 so I will post another message with the 4th since I can only upload 3 of them to this message. You were right...it was incomplete *sorry about that*.

    I am having trouble downloading Pocket KillBox. I downloaded it to the desktop as fixme.reg with all files selected. When I double click nothing happens.

    I tried to download it to a folder and then extract it to the desktop but that didn't work either. It only gives me the option to "add to archives" "add to killbox.rar" "compress and email" "compress to Killbox.rar and email" "pin to start menu" and "scan for viruses".


    Thanks,
    April

    My computer is running a thousand times better already! Thank you so much for all that you are doing to help me.
     


  13. MsApril

    MsApril Private E-2

    Attached is the 4th file from the findqool scan.
     

    Attached Files: tmp.txt (404 bytes)
  14. MsApril

    MsApril Private E-2

    Since my computer is running better I am going through the step in Read and Run me first. If you would like I could post new HJT and FindQool scans when I complete that, along with the other scan reports requested in Read and Run me first. I thought that it may make your job easier if I did this first.

    Thanks,
    April
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    See if you can rename the mcusshl.dll file. Right click on it and select Rename. Change the name to mcusshl.ddd. If it lets you do this, then reboot and try to delete after reboot.

    There should only be two log files for you to attach. The one complete log from running FindQool. This is the file you attached named report.txt and the second attachment I requested is a new HijackThis log. I don't need those other files. They are temporary files FindQool makes in order for it to make the final report.txt file. Don't do anything right now with HijackThis or the previous fix procedure. I need to create a new fix since I now have the full log from FindQool.

    First you must download it from the link I gave to you. This is an executable file download. After you download it to your Desktop, you can immediately double click on it to run it. The file is named killbox.exe. You don't need to extract it or do anything else to it. You also do not need to save it to your Desktop. You can download it to its own folder anywhere. We just suggest the Desktop to make it easy for you to find.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Program Files\mcafee.com\mcusshl.dll <--- just in case you still could not delete or rename this McAfee file
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\system32\atqcb.dat
    C:\WINDOWS\system32\tvcxow.exe
    C:\WINDOWS\system32\kfsco.exe
    C:\WINDOWS\system32\adbygff.dll
    C:\WINDOWS\system32\ubagycu.exe
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\mdnyu.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kfsco.exe
    F2 - REG:system.ini: UserInit=userinit.exe,ubagycu.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...89/mcfscan.cab

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\Program Files\mcafee.com <--- if the file was deleted by Killbox, see if you can now delete the folder.
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\system32\atqcb.dat
    C:\WINDOWS\system32\tvcxow.exe
    C:\WINDOWS\system32\kfsco.exe
    C:\WINDOWS\system32\adbygff.dll
    C:\WINDOWS\system32\ubagycu.exe
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\mdnyu.exe


    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  17. MsApril

    MsApril Private E-2

    I was finally able to get through all of the steps on the Read and Run me First sticky.

    I have attached the Bitdefender scan and Panda Scan. I had to run Panda about 4 times before it ran all the way through. The only difference I noticed is that it removed a virus on the first scan, but I don't know what it was.

    I have also ran a new HJT scan as I thought you may need it.

    Also, I would like to begin following the steps in the How to protect yourself from malware thread but I wasn't sure if I should wait until we are finished. I will wait for your answer before I begin.

    Thanks again,
    April
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know why you are trying to run the READ & RUN ME procedure now. What you needed to do is what I gave you in message #16 and you still need to do this. Please complete those steps.
     
  19. MsApril

    MsApril Private E-2

    Well, I'll tell you why...lol! I didn't realize that I had to go to page 2 to see the most recent message. In other forums that I have been in the most recent message is always the bottom message. I was going through the Read and Run me first steps while I was waiting for your response. Soooooo, now that I have figured out all the complicated stuff, I will work on your fix.

    Again, Sorry about that!

    April
     
  20. MsApril

    MsApril Private E-2

    Okay...I have completed everything in message #16 and the requested files are attached.

    The computer seems to be running better, but it is still hanging some. Like when I click on IExplorer or My computer it takes a bit to pull it up.

    Thanks,
    April
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can change your preferences by clicking Quick Links --> User Control Panel --> Edit Options. Scroll down to Thread Display Options. I display Linear - Newest First and I show 40 messages per page.

    Let's finish your malware fixes.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [tngpou] C:\WINDOWS\system32\tvcxow.exe reg_run
    O4 - HKCU\..\Run: [pkmrp] C:\WINDOWS\system32\tvcxow.exe reg_run
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    (it should already be gone! We are double checking!):
    C:\WINDOWS\system32\tvcxow.exe
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST)

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
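    The HijackThis fix lists chaslang posts in messages #7, #16 and #21 share a handful of tells: a ProxyServer pointing at 127.0.0.1, extra programs chained onto Winlogon's Shell and UserInit values, autostarts launching out of Temp or the user profile, "?" characters in a path (HijackThis prints non-printable characters that way), ProtocolDefaults moved out of their default zone, a populated AppInit_DLLs value, and entries marked "(file missing)". The script below is an added example, not code from this thread or from MajorGeeks. It encodes those tells as heuristics and runs them over a constructed sample made from the log lines quoted in this thread plus one assumed benign QuickTime autostart. The rules and severities are assumptions about what deserves a look, not a verdict: an entry like tvcxow.exe sitting in system32 passes every rule and still needed chaslang to spot it, which is his point that HijackThis does not show all problems.

```python
"""Heuristic triage of HijackThis (HJT) log lines (Python 3, stdlib only). Added example,
not code from the thread; the rules are a first pass for a human reviewer, not a verdict."""
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str  # "high", "review" or "cleanup"
    reason: str
    line: str

# Constructed sample: lines copied from the fix lists in this thread, plus one
# benign QuickTime autostart (assumed format) so that something passes the triage.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kfsco.exe
F2 - REG:system.ini: UserInit=userinit.exe,ubagycu.exe
O3 - Toolbar: Search - {A32F5F7A-95FD-204C-D256-726729357BEA} - C:\WINDOWS\Qckxvdru.dll (file missing)
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\april\LOCALS~1\Temp\svchost.exe 1
O4 - HKCU\..\Run: [Fcjg] C:\Documents and Settings\april\Application Data\??crosoft\d?xplore.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tngpou] C:\WINDOWS\system32\tvcxow.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O20 - AppInit_DLLs: repairs303169590.dll
"""

LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.*)$")
LOCAL_PROXY = re.compile(r"proxyserver\s*=.*(127\.0\.0\.1|localhost)", re.I)
# Folders an autostart entry should not normally launch from (8.3 short names included).
USER_WRITABLE = re.compile(r"\\(temp|local settings|application data|locals~1)\\", re.I)
# Names that belong in %SystemRoot%\system32; the same name elsewhere is a classic disguise.
SYSTEM_NAMES = {"svchost.exe", "chkdsk.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# A quoted path, or an unquoted path up to the first .exe/.dll/... followed by a space or the end.
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat))(?=\s|$)', re.I)

def _target_path(value: str) -> str:
    m = TARGET.search(value)
    return (m.group(1) or m.group(2)) if m else value

def _check_o4(rest: str):
    value = re.sub(r"^\[[^\]]*\]\s*", "", rest.split(": ", 1)[-1])  # drop 'HKLM\..\Run: [name]'
    path = _target_path(value)
    name = path.rsplit("\\", 1)[-1].lower()
    if "?" in path:
        yield "high", "non-printable characters in autostart path (HJT renders them as '?')"
    if USER_WRITABLE.search(path):
        yield "high", "autostart launches from a user-writable temp or profile folder"
    if name in SYSTEM_NAMES and "\\system32\\" not in path.lower():
        yield "high", f"system binary name {name} outside system32"

def _check_f2(rest: str):
    m = re.search(r"(Shell|UserInit)=(.*)", rest, re.I)
    if not m:
        return
    expected = "explorer.exe" if m.group(1).lower() == "shell" else "userinit.exe"
    items = [p.strip() for p in m.group(2).split(",") if p.strip()]
    extra = [p for p in items if p.rsplit("\\", 1)[-1].lower() != expected]
    if extra:
        yield "high", f"extra program chained to Winlogon {m.group(1)}: {', '.join(extra)}"

def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        hits = []
        if "(file missing)" in rest:
            hits.append(("cleanup", "entry points at a file that no longer exists"))
        if sec == "R1" and LOCAL_PROXY.search(rest):
            hits.append(("high", "browser traffic routed through a local proxy (interception/injection)"))
        elif sec in {"R3", "O2", "O3"} and "(no name)" in rest:
            hits.append(("review", "browser hook, BHO or toolbar registered without a name"))
        elif sec == "F2":
            hits.extend(_check_f2(rest))
        elif sec == "O4":
            hits.extend(_check_o4(rest))
        elif sec == "O15" and "ProtocolDefaults" in rest:
            hits.append(("high", "URL security zone mapping changed from its default"))
        elif sec == "O16":
            hits.append(("review", "ActiveX control installed from a URL; remove unless the site is still needed"))
        elif sec == "O20" and "AppInit_DLLs" in rest and rest.split(":", 1)[-1].strip():
            hits.append(("high", "AppInit_DLLs injects a DLL into every process that loads user32.dll"))
        findings.extend(Finding(sev, why, raw.strip()) for sev, why in hits)
    return findings

def summary(findings) -> dict:
    """Findings per severity; for SAMPLE_LOG: {'high': 9, 'review': 2, 'cleanup': 1}."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), summary(triage(SAMPLE_LOG)), sep="\n")
```

    Run it as a script to list each finding, or pass a saved log's text to triage(). On the constructed sample it returns 9 high, 2 review and 1 cleanup findings; the two system32 entries (tvcxow.exe and the benign QuickTime one) are not flagged by any rule, which is exactly the gap a human still has to close.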
     
  22. MsApril

    MsApril Private E-2

    Okay, I have run the requested fixes and have attached a new HJT log.

    My computer is still hanging. When I click on something to open it - IE, Mozilla, My computer, Recycle Bin, it takes 30 seconds to a minute to open. I am still getting some Not Responding windows - not as much as before but it is still happening, they begin to run again eventually. Also, when I restart the computer and log onto Windows it takes a few minutes before I can even move the mouse.

    Things are MUCH better than they were though.

    I have a question? I downloaded ZoneAlarm and I get a message when I restart that LEXPPS.exe is trying to act as a server. Should I deny or allow access...I have no idea what this is?

    Thanks,
    April
     


  23. MsApril

    MsApril Private E-2

    Something I forgot to mention. I keep getting a message from AntiVir that an unwanted program was detected Trojan Horse TR/Drop.Agent.YC.1. I have deleted each time I have gotten the message.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These remaining problems are not malware. I will give you some tips but this is not really a topic for the malware forum.

    Your problems are due to the items you are running. You need to go thru the stuff you have installed and decide which things you really need to use. Also, one resource hog is that you have the Microsoft Indexing Service running. I know this because cidaemon.exe is running. This service should really be stopped and set to manual mode.

    Uninstall things you don't use or really need. A couple examples may be:
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    Do you need all three of the below Messengers? The first should definitely be removed!
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

    These next items are not even necessary to load at startup:
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe <--- only needed for ease of use
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    Stop playing all the Online Games and remove all the related O16 lines for the Games!

    This is a process for your Lexmark printer. If you need to share your printer over a network this will be necessary. You could start by blocking it from being a server and see how everything works for you. If you run into problems using the printer thru your network, then bring up ZoneAlarm and change the permission for the process to allow it.
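    The checks chaslang describes above (Indexing Service state and the list of programs set to load at startup) can be audited in one pass. This is an added example, not code from the thread; it assumes Windows PowerShell is installed on the machine and is run from an Administrator prompt, and that the Indexing Service is registered under its usual service name cisvc (the parent of cidaemon.exe).

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell and
# an elevated prompt. Reports the Indexing Service, sets it to Manual and stops
# it, then lists every Run-key autostart entry so you can decide what to keep.

# 1. Indexing Service: cisvc.exe is the service that spawns cidaemon.exe.
$idx = Get-Service -Name cisvc -ErrorAction SilentlyContinue
if ($idx) {
    "Indexing Service before: Status=$($idx.Status)"
    Set-Service -Name cisvc -StartupType Manual
    if ($idx.Status -eq 'Running') { Stop-Service -Name cisvc }
    # Confirm the change via WMI, which exposes the start mode (Auto/Manual/Disabled).
    Get-WmiObject Win32_Service -Filter "Name='cisvc'" |
        Select-Object Name, StartMode, State
} else {
    "Indexing Service (cisvc) is not installed on this system."
}

# 2. Autostart entries: the machine-wide and per-user Run keys. Each line is
#    key, value name, command, so entries like qttask.exe or realsched.exe
#    can be matched against the programs you actually use.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties) {
        # Skip the PSPath/PSChildName/... bookkeeping properties the provider adds.
        if ($p.Name -like 'PS*') { continue }
        "{0}`t{1}`t{2}" -f $key, $p.Name, $p.Value
    }
}
```

Review the listed commands before removing anything: deleting a Run-key value only stops the program from auto-starting, it does not uninstall it, so the entries for software you still use (Adobe, QuickTime, the messengers) can simply be left alone or removed from within the application's own settings.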
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the file named and where is it located?
     
  26. MsApril

    MsApril Private E-2

    I didn't write that information down. But I am still getting these messages pretty often. These are what I have gotten so far.

    TR/Dldr.Qoologic.BJ.2
    c:\System volume information\...\A0032506.exe

    TR/Dldr.Qoologic.BJ.1
    c:\System volume information\...\A0031486.dll

    TR/Drop.Agent.YC.1
    C:\System volume information\...\A0033629.exe

    C:\System Volume Information\...\A0033631.exe
    TR/Drop.Agent.YC.1

    C:\!Killbox\KFSCO.exe
    TR/Dldr.Qoologic.bj.3

    C:\!Killbox\
    TR/Dldr.Qoologic.bj.2

    C:\!Killbox\
    TR/Dldr.Qoologic.bj.2

    C:\!Killbox\
    TR/Dldr.Qoologic.bj

    C:\System volume information\...\A0034633.exe
    TR/Dldr.Qoolog.bj.3

    C:\System volume information\...\A0034635.exe
    TR/Dldr.Qoologic.BJ.2

    C:\System volume information\...\A0034634.exe
    TR/Dldr.Qoologic.BJ.2

    C:\System volume information\...\A0034636.exe
    TR/Dldr.Qoologic.BJ

    I am deleting these as they pop up but I am not sure if they are being deleted.

    Thanks,
    April
     
    Last edited: Jul 1, 2006
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are not problems! We just were not done with the final steps yet. The Killbox items are from what we were cleaning up using Pocket Killbox. You can just delete the whole !Killbox folder. The others are in System Restore which, if you remember, in step 0 of the READ ME we stated we needed to toggle when we were finished fixing malware. So that being said, do the below!

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  28. MsApril

    MsApril Private E-2

    I will do that now.

    I just wanted to say thank you very much for all of the help that you have given me. I would've never been able to fix my PC without you.

    Thanks,
    April
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     