Trojan Downloader.Dyfica.2.AB

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jane A, Mar 12, 2005.

  1. Jane A

    Jane A Private E-2

    Grisoft AVG and Ad-Aware show that I have TrojanDownloader.Dyfica.2.AB, but I can't delete it. I can't run Windows Explorer from the infected computer, so I am sending this from another computer. (I am running Windows XP Home Edition on the infected computer.)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you download programs to it somehow? If so, follow the cleanup procedures given below. Have you run your current scanners while you are in safe mode?

    Here are the cleanup procedures:

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. webyourbusiness

    webyourbusiness Private E-2

    boot into safe mode and run your cleaners.

    pestpatrol will clean dyfuca, but I'm not sure how many others will too...

    Here is a link to removal instructions from eTrust (Computer Associates):

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076438

    hth

    GHL
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I appreciate the fact that you are trying to help, I have already given instructions on what needs to be done. Did you read the instructions I already gave below? Your first step is already mentioned, and we have more complete cleaning processes than what is mentioned in the PestPatrol link. Also, many people cannot follow the vague instructions that are given at that website and require more specific directions. In addition, registry editing is required, which most people should not be doing without guidance and without first doing a registry backup.

    This is not a fly-by forum where you post and leave. If you would like to help users, you need to be here all the time so you can follow up on the help you suggest.
     
  5. Jane A

    Jane A Private E-2

    I tried to follow the instructions for "Read me first before asking questions.." I had the following problems:
    I couldn't install the patch for Spybot DSO Exploit Fix. It said that it couldn't find majorgeeks.com/dowoadget.php?.
    From safe mode, I could run Trend Micro's Free Online Virus Scan. It froze on me, and then when I tried to go back to it the website was not available. Also, Symantec Security Check did not complete the scan. I also couldn't run the Ad-Aware VX2 Cleaner Plug-in. I ran the other spyware scan & removal. Some bad files were found and removed.
    When I rebooted, I tried to run Ad-Aware SE but it froze in the process. I then rebooted and ran HijackThis. The log file is attached.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The link works just fine for me. Try it again right now.

    You have HijackThis running from the ZIP file. Please read my instructions again.

    You also have more than one AV package installed. You must run only one. You should remove the remaining Norton items.
     
    Last edited: Mar 13, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After correcting the problem with how you have HijackThis running, continue with the below. You need to resolve that first or you will not get any backups of what we are fixing. You must extract HijackThis from the ZIP file and put the executable in the folder requested (you need to create the folder).

    You will need to download LSP-Fix and follow the directions given below.

    NOW: Unzip it and run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the newdotnet6_38.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move newdotnet6_38.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and kill them one at a time by selecting each and then clicking "Kill process". Then click Yes.
    C:\Program Files\f1qwlylm\f1qwlylm.exe
    C:\windows\system32\bukigp.exe
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135999488&id=5.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135999488&id=5.0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135999488&id=5.0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135999488&id=5.0
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135999488&id=5.0
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135999488&id=5.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {08AE1DC3-B73C-4E2D-957C-1A2BB8F4205F} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {0A7700DC-6634-4EFD-B1AD-A95D652CD50D} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {19EB2E84-FD00-46F6-8335-01A20579DB14} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {1A6418A0-1568-422D-B509-BF14B76E2E51} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {1E49B0A8-BB71-478B-A6AF-810314F3762D} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {225A9682-72DC-4A9C-89AE-7D111E358064} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {24605CED-4481-4EBA-BE3E-5FA9E2A843E7} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {2613F4E8-8089-4783-A9E6-1AC4201C86CE} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {2BBF2C6C-F400-4768-8FF9-11361ED89C0A} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {2DCA6C5D-6D55-47B0-BA17-34F2D39C9355} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\Mike\LOCALS~1\Temp\cvsmcp.dat (file missing)
    O2 - BHO: (no name) - {358C66BD-F733-41D3-BF7B-2E3947DC14B8} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {381532CE-1404-4411-9A45-D05EE3F745EF} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {3C8BC748-6A94-4BA3-9567-32E803D595AD} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {43526F76-2370-43A7-A35C-6C0EDE61429C} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {43CA46E8-3C16-4C60-8572-E50FB38CB507} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {4C82D53B-509C-469D-B75D-56057C18D6CB} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {4CF8B0DC-C680-4C58-9B34-D95D3ACC46DE} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {4D136A3B-C4C2-4F98-8E28-654E741101F0} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {502ED695-F71D-49C5-88DB-13BD14F00E00} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg7b2a.dll
    O2 - BHO: (no name) - {58966880-6F7B-4143-B866-931BC73CF481} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {5AB4887D-D96B-4CEC-BEA5-23CBF1BB9E74} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {5CF2461F-3470-47E0-B7D9-6C9D7890AA98} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {5D668442-91A9-427B-8892-4D0C8D972178} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {5E3AC1EB-7657-07F8-7F83-2387E9F6BAC0} - C:\WINDOWS\System32\cem.dll
    O2 - BHO: (no name) - {61B08B7C-FA72-494E-8EAC-0CE6A3D6721E} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {61FB8E6C-EB70-4DE0-864A-45F0418146DA} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {62D456CC-A069-4A1F-B2E6-EDD1191FB467} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {695C012C-E8F5-451E-B9C9-73F934A8C7A1} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {6AFFD6EC-A2B5-4EF5-9157-85961E6FDEC7} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {73DBCE4B-708F-4434-9243-93322B497399} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {797FAAE2-B522-4767-8C49-C8A00C4CA96F} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {7A15444A-94B8-4E5B-A8E0-E69D7B9AB342} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {7A6AE977-6214-4057-9F47-1BCD19A60EB4} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {7C3FB92E-3478-4281-8AE8-F54DD3E61A3F} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {80CF70A8-9833-4D3D-B0B2-D74EE42F976F} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {8158D279-9CB0-4A37-9A57-890984F0C071} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {81BBCBCE-47EE-4A5D-8968-365C58BECD11} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {84950EFF-6633-4089-8475-0E4BD56F60B9} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {89AC0B98-B843-4801-968B-E7DFD66D22A7} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {911EA723-5D43-4B98-A016-BB8B30A15B23} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {913C81CC-3362-4E79-9B8F-CB92B05FCCCF} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {93442A4C-6377-44BD-91BC-52EC965DFDF7} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {9390C3C7-896E-4703-ABD6-91E32E848630} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {94078BA0-0554-4F45-AE28-FB5E6F7E9798} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {94ECBD8A-8260-4421-92DB-2369964CEDAB} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {952FBA08-F55D-4273-95F7-28DCCA9000F4} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {9573592B-576A-483B-9F9E-D9D6AD400FE5} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {9B1C5882-1991-4956-998F-9FF1ABC45450} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {9D9CB11F-0BF5-4B3E-AB13-65698E3FD8B6} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {A18B97F7-3884-440A-884E-CBFF58361608} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {A76CA4C6-6DF9-4FE9-8774-D92EBDF053D1} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {AB851B72-BFFA-4EBF-84F4-DB4255ACDC95} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {ACCE712B-2DC1-4F38-97C3-F1C6A2C26B94} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {B206477B-4E5E-40CA-BB76-9278CBD4ED42} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {B4B05F53-F257-4D4C-9A5B-7C1AF858E56A} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {B4FE1DED-C1EC-4B9E-A8EF-A222DE837576} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {C1F1AAB3-4890-4D92-8F6E-1CB9043DEFD5} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {C315E9F1-892C-4234-AEBC-769280712837} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {C51082B7-F346-46FA-AFE6-F1F790D4BD3F} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {C6A20824-7302-488C-9BFA-F292FB9814D1} - C:\Program Files\CSBB\CSBB.dll (file missing)
    O2 - BHO: (no name) - {CA03AABC-7E7A-466C-8EB1-8660C6C63A79} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {CF7F5E48-4E96-4E25-9B42-A761F2457086} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {D6078CF5-352B-4979-BCF9-F9196A98CF6A} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {D921589F-7E37-4B16-B168-FD8E2BFB13FE} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {E3CEA1ED-DD1C-4ADF-85CC-9B4EA5E5141F} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {E92AE194-DB53-41E5-AFD6-2788EF874F87} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {EE2136BE-4511-48D1-94A6-DBB93349E730} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {EEED25CF-76A3-4DA9-822A-EC7942A6C6BA} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {F12495D6-40A2-4906-8672-8D93C3F04FD0} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {F1CEB87B-8F7D-4D63-A224-902BA6195578} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {F41A8873-C8D4-4673-97DC-6EE1F965967F} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {F4DB2054-8789-40ED-B230-A6073B331A10} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {FC4FBC82-93DC-4A09-83ED-840C919CC4FD} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {FC89F716-17D6-42B8-B3B5-4CCB34FEB216} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O2 - BHO: (no name) - {FD2771E0-E941-483E-957E-B26D3E14A374} - C:\Program Files\f1qwlylm\f1qwlylm.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [opkdsr] C:\WINDOWS\opkdsr.exe
    O4 - HKLM\..\Run: [stengn] C:\WINDOWS\stengn.exe
    O4 - HKLM\..\Run: [vmfwnit] C:\WINDOWS\vmfwnit.exe
    O4 - HKLM\..\Run: [gxyl] C:\WINDOWS\gxyl.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [*dnswave] C:\WINDOWS\Config\dnswave.exe
    O4 - HKLM\..\Run: [*iistapi] C:\WINDOWS\ServicePackFiles\iistapi.exe
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg7b2a.dll"
    O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
    O4 - HKLM\..\Run: [f1qwlylm] C:\Program Files\f1qwlylm\f1qwlylm.exe
    O4 - HKLM\..\Run: [bukigp] c:\windows\system32\bukigp.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg7b2a.dll"
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540004} (CInstall Class) - http://freepcscan.com/spyware/Install.cab
    O20 - AppInit_DLLs: mad.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\f1qwlylm <--- the whole folder
    C:\Program Files\WildTangent <--- the whole folder
    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\enhtb.dll
    C:\WINDOWS\systb.dll
    C:\windows\system32\bukigp.exe
    C:\WINDOWS\opkdsr.exe
    C:\WINDOWS\stengn.exe
    C:\WINDOWS\vmfwnit.exe
    C:\WINDOWS\gxyl.exe
    C:\WINDOWS\Config <--- the whole folder
    C:\WINDOWS\ServicePackFiles <--- the whole folder
    C:\WINDOWS\System32\sfg7b2a.dll
    C:\WINDOWS\System32\mad.dll
    C:\WINDOWS\enhupdt.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\wupdt.exe
    C:\Program Files\WebSavingsfromEbates <--- the whole folder
    C:\Program Files\Ebates_MoeMoneyMaker <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the Read-only attribute is checked. If it is, uncheck it and try again.

    Now run CCleaner, which you installed while doing the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
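The log lines chaslang asks Jane to fix are the raw material for this kind of triage. As an added example that is not part of the original thread and is not a MajorGeeks or HijackThis tool, here is a small Python script that parses HijackThis 1.99-format log lines and applies the defender heuristics visible in the posts above: one DLL registered under many BHO CLSIDs (the f1qwlylm pattern), BHO entries whose file is already gone, IE search settings pointed at an external URL, Run entries launching from the Windows folder root, a broken LSP chain, and a populated AppInit_DLLs. The sample input is a constructed fragment assembled only from lines quoted in this thread; the heuristics, the `min_clsids_per_dll` threshold and the function names are my assumptions, not rules from HijackThis.

```python
import re
from collections import defaultdict

# Constructed sample: lines in HijackThis 1.99 log format. Each line is copied from the
# log excerpts quoted in this thread, so no new CLSIDs or paths are introduced; it is a
# fragment, not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135999488&id=5.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {08AE1DC3-B73C-4E2D-957C-1A2BB8F4205F} - C:\Program Files\f1qwlylm\f1qwlylm.dll
O2 - BHO: (no name) - {0A7700DC-6634-4EFD-B1AD-A95D652CD50D} - C:\Program Files\f1qwlylm\f1qwlylm.dll
O2 - BHO: (no name) - {19EB2E84-FD00-46F6-8335-01A20579DB14} - C:\Program Files\f1qwlylm\f1qwlylm.dll
O2 - BHO: (no name) - {24605CED-4481-4EBA-BE3E-5FA9E2A843E7} - C:\Program Files\CSBB\CSBB.dll (file missing)
O4 - HKLM\..\Run: [opkdsr] C:\WINDOWS\opkdsr.exe
O4 - HKLM\..\Run: [bukigp] c:\windows\system32\bukigp.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: mad.dll
"""

# "<section> - <body>", e.g. "O2 - BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# "BHO: <name> - {<clsid>} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# "HKLM\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# executable sitting directly in the Windows folder root (assumed heuristic, review-only)
WINROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")


def parse_line(line):
    """Split one HJT log line into (section, body); None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def _exe_from_command(cmd):
    """First token of a Run command, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    return cmd.split()[0].lower() if cmd else ""


def triage(log_text, min_clsids_per_dll=3):
    """Apply simple review heuristics to HJT log text.

    Returns {'bho_by_dll': {dll path (lowercased) -> sorted CLSIDs},
             'findings': [(section, reason, line), ...]}.
    Findings are review flags, not verdicts.
    """
    bho_by_dll = defaultdict(set)
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        line = raw.strip()
        if section in ("R0", "R1"):
            value = body.partition(" = ")[2].strip()
            if value.lower().startswith("http"):
                findings.append((section, "IE search/start setting points at an external URL", line))
        elif section == "O2":
            m = BHO_RE.match(body)
            if not m:
                findings.append((section, "BHO entry without a CLSID or file", line))
                continue
            bho_by_dll[m.group("path").lower()].add(m.group("clsid").upper())
            if m.group("missing"):
                findings.append((section, "BHO registered for a DLL that no longer exists", line))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and WINROOT_EXE.match(_exe_from_command(m.group("cmd"))):
                findings.append((section, "Run entry launches an executable from the Windows folder root", line))
        elif section == "O10" and "missing" in body.lower():
            findings.append((section, "Winsock LSP chain references a missing provider", line))
        elif section == "O20" and body.split(":", 1)[-1].strip():
            findings.append((section, "AppInit_DLLs is populated; every GUI process will load it", line))
    for dll, clsids in bho_by_dll.items():
        if len(clsids) >= min_clsids_per_dll:
            findings.append(("O2", f"one DLL registered under {len(clsids)} BHO CLSIDs", dll))
    return {"bho_by_dll": {k: sorted(v) for k, v in bho_by_dll.items()}, "findings": findings}


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG)["findings"]:
        print(f"[{section}] {reason}\n    {line}")
```

The Windows-root heuristic is deliberately noisy (some legitimate setup programs live there too); its job is to shortlist lines for a human, which is exactly the role chaslang plays in this thread. The many-CLSIDs rule is the most specific one: a single DLL registered under dozens of fresh CLSIDs is characteristic of adware that re-registers itself to dodge per-CLSID removal.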
     
  8. Jane A

    Jane A Private E-2

    Still working, just wanted to let you know that when killing processes I could not kill windows\softwaredistribution\download... Is this important? Can I move on to the HijackThis scan?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just ignore it and move on! It seems to be some kind of software update that never finished. It does not make sense for it to be there.
     
  10. Jane A

    Jane A Private E-2

    We did everything. When we went to delete the files in safe mode, there were some that were missing. Is that OK? Also, we found two files, but not with the exe -- they were windows\system32\bukigp and windows\enhupdt. We left them there because they were not exe files. Should we go back and delete them?

    Attached is the new hjt log.

    My system still seems a little slow.
    :rolleyes:
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! We are looking a little better but you still have more of the baddies. Yes, those two files without the EXE extension should have been deleted. If you see any of them that match the first part of the file names this time but the extensions do not match, just delete them. Next time report exactly which files you find and which you do not find (likewise whether they delete or not).

    Had you tried to perform any Microsoft software updates that failed or never completed? I'm still thinking about the below line:

    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3a2852b3cc195eed36c025ea7a0f6110\update\update.exe

    You still need to remove the remaining Norton AV items from your PC (part of the reason for it being slow). You must not have more than one AV package installed. Look in Add/Remove Programs for an uninstall for Norton or Symantec's AV and uninstall it. Let me know if you cannot find one or it will not uninstall. All of the following items from your log are from Norton. If you decide you want to keep Norton, you must uninstall AVG instead.
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Do you use Viewpoint or Viewpoint Manager? (Crap that AOL sneaks in and 95% of all people do not use it or even know it's there.) If not, uninstall it too.

    Are you running C:\windows\system32\calc.exe or is it running on its own?

    Have you been running KaZaA? If so, you must stop using it and uninstall anything related to it.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After taking care of the items from my previous message and answering any questions, continue with the below procedure.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and kill them one at a time by selecting each and then clicking "Kill process". Then click Yes.
    C:\windows\system32\bukigp.exe
    C:\windows\system32\calc.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
    O2 - BHO: (no name) - {5D797ADA-73D4-47DC-8323-7DF9583C83E9} - C:\Program Files\f1qwlylm\f1qwlylm.dll (file missing)
    O2 - BHO: (no name) - {8DB05049-8DF9-4FC5-8401-30EFDB461A94} - C:\Program Files\f1qwlylm\f1qwlylm.dll (file missing)
    O2 - BHO: (no name) - {ED78CAEE-A6D6-4DC1-82EA-80EE3BD5A6D6} - C:\Program Files\f1qwlylm\f1qwlylm.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [TaskReg] C:\Program Files\KaZaA\My Shared Folder\the sims add on bit.exe
    O4 - HKLM\..\Run: [bukigp] c:\windows\system32\bukigp.exe
    O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\enhtb.dll
    C:\Program Files\KaZaA <--- delete the whole KaZaA folder (make sure you have saved anything you need from the subfolders first)
    c:\windows\system32\bukigp.exe
    C:\WINDOWS\enhupdt.exe

    If you get an error when deleting a file, right-click on the file and check to see if the Read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file. You must tell me exactly which file you cannot find or delete (if any). All of these files are there and should be locatable with viewing of hidden files enabled.

    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  13. Jane A

    Jane A Private E-2

    I tried everything that you said, but some things didn't work. I could not find the file windows\system32\calc.exe when I ran HijackThis to kill processes.

    In safe mode, I found a file named enhtb without the exe extension, so I deleted it.

    The enhupdt file under the directory that you mentioned did not have the exe extension, but I deleted it anyways. I also found this file with the exe extension under Windows\Prefetch so I also deleted it.

    The bukigp file under the directory that you mentioned did not have the exe extension. I tried to delete it but it said access was denied. I also found the file with the exe extension under Windows\Prefetch so I deleted it.

    I can't find the KaZaa folder. When I search for Kazaa, it said there was a Kazaa file under Documents & Settings for Julie & Mike: e.g. Julie@desktop.Kazaa(1).tvt. I didn't do anything with it though.

    I tried to delete the C:\Program Files\NavNT\defwatch, rtvscan, vptray files but it said access was denied--make sure the disk is not full or write protected and that the file is not in use. I wasn't sure where to find the two O4 files and the three O23 files that are related to Symantec, so I didn't delete any of those files.

    I also don't know what Viewpoint or Viewpoint Manager is or where to find it on my computer.

    Finally, I don't remember about any MicroSoft updates that failed. With the way my system has been running, it certainly could have happened.

    How should I proceed from here?

    Jane
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It sounds to me like you did not properly use the steps to enable viewing of hidden files. One of the steps there is to also make sure you do not have a check on the option to "Hide extension for known file types". I think you are hiding extensions. You need to set that option properly.


    I did not ask you to delete the Norton items! What I said was to uninstall them. You need to open Control Panel and select Add/Remove Programs and uninstall the Norton/Symantec AV stuff.

    The Viewpoint program path shows right in your HJT log. I also asked you to uninstall it if you do not use it. The first method to remove applications is to always look for an uninstall. Viewpoint has an uninstall, so you should use it.

    I don't understand why you say calc.exe does not appear in your log. It shows up every time. In fact it is in your last log too. It is a valid Windows program but it normally does not load at startup.

    Apparently you are not deleting the files properly and need to make sure you have properly enabled viewing of hidden files and folders (read those steps carefully from the READ ME). I'll repeat the steps here for you. Double check that each is set properly:

    - Click Start.
    - Select Explore.
    - Select the Tools menu and click Folder Options.
    - Select the View Tab.
    - Under the Hidden files and folders heading select Show hidden files and folders.
    - Uncheck the Hide extensions for known file types option.
    - Uncheck the Hide protected operating system files (recommended) option.
    - Click Apply.
    - Click OK.

    You still have the bad programs on your PC which means you have not been deleting them. Either that or something on your system is blocking the repairs.

    Are you sure you are fixing lines in HJT and that you are deleting the files?
    Please uninstall Microsoft AntiSpyware using Add/Remove Programs. I'm worried that it may be preventing some fixes. Either that is the case or you may have an infection in your Explorer.exe shell.

    Make sure you have taken care of all the above! And truly have enabled viewing of hidden files and EXTENSIONS properly. Then continue with the below.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and kill them one at a time by selecting each and then clicking "Kill process". Then click Yes. These processes are there. Please look closely!
    C:\windows\system32\bukigp.exe
    C:\windows\system32\calc.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [bukigp] c:\windows\system32\bukigp.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\dlmax.dll
    C:\WINDOWS\farmmext.exe
    c:\windows\system32\bukigp.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  15. Jane A

    Jane A Private E-2

    You were right; I had to go back and change so that files and extensions were not hidden. But I am still having problems removing programs. For Example, If I go under Programs, I see Norton AntiVirus. When I go to Control panel and Add/Remove, there is no norton. I do see however, Live Reg (Symantec Corporation) (file size=1.98MB). Is this the same thing?

    Also, If I go to My Computer and look in the Program directory, I see a folder for Viewpoint. When I go to Control panel and Add/Remove, Viewpoint does not show up.

    When I go to Control panel and Add/Remove and try to remove KaZaa, it says error loading c:windows\Windows32\cd_clint.dll.

    What does all of this mean? How can I delete these programs?

    I wanted to take care of some of this before I run Hijack This.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First check under other user accounts to see if the software was installed in another user account. Boot to each user account and look in Add/Remove Programs for Norton or Symantec and uninstall if found. As for Live Update: if you have no other Norton programs except the antivirus application we are trying to remove, then uninstall Live Update.

    Try giving the below tools a run:
    Kazaa Spyware Removal
    KazaaBegone

    If you still cannot get all the above uninstalled, we will have to do it manually.
     
  17. Jane A

    Jane A Private E-2

    I have been trying, with no success, to get rid of Norton AntiVirus. I went into each user id, but I could not remove it, since it never showed up under the Add/remove function. The package that I have is a Corporate edition, and I am trying to get in contact with the person that installed it. Do you know why I am having so much trouble removing it?

    The KazaaBegone programs seemed to work.

    I went through the other procedures that you told me. When I tried to kill the bukigp and calc exe files, they did not seem to go away. They would still be included with the other files listed after "Open process manager".

    Deleting the dlmax, farmmext, and bukigp in safe mode seemed to work.

    I have attached a new HJT log. It still seems quite lengthy.

    Have we made any progress?
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this a company owned PC and was Norton installed by an IT department? Removal could be password protected and blocked. Are you the administrator of the PC?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Reboot your PC into safe mode!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then clicking "Kill process". Then click Yes.
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    If these do not end or do not appear, just continue (but tell me the results when you come back).

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {5E3AC1EB-7657-07F8-7F83-2387E9F6BAC0} - C:\WINDOWS\System32\cem.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    After clicking Fix, exit HJT.
    Use Windows Explorer to delete:
    C:\WINDOWS\systb.dll
    C:\WINDOWS\System32\cem.dll
    C:\WINDOWS\wupdt.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Empty your Recycle Bin and go to C:\windows\Prefetch and delete all files in the folder.
    Now also run Ccleaner (installed while running the READ ME FIRST).


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
    Make sure you tell me of any problems you had in executing these steps.
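    The R0/R1, O2, O3 and O4 lines above are the HijackThis log entries that keep coming up in this thread. As an added illustration (not part of the original post, and not HijackThis' own code), the script below parses lines in that format and applies the same kind of triage an analyst does by hand: search settings pointing at a non-Microsoft host or cleared to about:blank, nameless or file-less BHO and toolbar registrations, and autostart (Run) entries not on a caller-supplied allowlist. It also counts entries per hive, since HKCU entries belong to one user profile and HKLM entries to the whole machine. The sample log is constructed from lines quoted in this thread plus one benign Start Page line; the `EXPECTED_SEARCH_HOSTS` list is an assumption, not something HijackThis defines.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: HijackThis lines quoted in this thread, plus one benign
# Start Page entry (www.majorgeeks.com) to show what the checks do not flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [bukigp] c:\windows\system32\bukigp.exe
"""

# Assumed set of hosts a default IE search setting may legitimately point at.
EXPECTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")

R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")


def parse_hjt(text):
    """Turn R0/R1, O2, O3 and O4 log lines into dicts; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R_RE.match(line)
        if m:
            kind, hive, key, value, data = m.groups()
            entries.append({"kind": kind, "hive": hive, "key": key, "value": value,
                            "name": value, "target": data.strip(), "raw": line})
            continue
        m = O2_RE.match(line) or O3_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            # HJT reads BHO and toolbar registrations from HKLM.
            entries.append({"kind": line[:2], "hive": "HKLM", "key": "", "value": "",
                            "name": name, "clsid": clsid, "target": path.strip(), "raw": line})
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, label, cmd = m.groups()
            entries.append({"kind": "O4", "hive": hive, "key": key, "value": "",
                            "name": label, "target": cmd.strip(), "raw": line})
    return entries


def _host(target):
    """Hostname of a URL-ish target; HJT often prints search URLs without a scheme."""
    if not target or target.startswith("about:"):
        return ""
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower()


def flag_entry(entry, run_allowlist=()):
    """Return a list of human-readable reasons this entry deserves a look (empty if none)."""
    flags = []
    kind, target = entry["kind"], entry["target"]
    if kind in ("R0", "R1"):
        if "search" in (entry["key"] + entry["value"]).lower():
            if target == "about:blank":
                flags.append("search setting cleared to about:blank")
            else:
                host = _host(target)
                if host and not host.endswith(EXPECTED_SEARCH_HOSTS):
                    flags.append("search setting points at unexpected host " + host)
    elif kind in ("O2", "O3"):
        if entry["name"] == "(no name)":
            flags.append("unnamed " + ("BHO" if kind == "O2" else "toolbar"))
        if "(file missing)" in target or target == "(no file)":
            flags.append("registration with no backing file")
    elif kind == "O4":
        if target.lower() not in {a.lower() for a in run_allowlist}:
            flags.append("autostart not on allowlist (%s)" % entry["hive"])
    return flags


def review(text, run_allowlist=()):
    """Parse a log and keep only entries that carry at least one flag."""
    hits = []
    for e in parse_hjt(text):
        flags = flag_entry(e, run_allowlist)
        if flags:
            hits.append({"raw": e["raw"], "hive": e["hive"], "flags": flags})
    return hits


def by_hive(text):
    """Count entries per hive: HKCU is one user profile, HKLM is machine-wide."""
    counts = {}
    for e in parse_hjt(text):
        counts[e["hive"]] = counts.get(e["hive"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in review(SAMPLE_LOG):
        print(hit["raw"])
        for f in hit["flags"]:
            print("    ->", f)
    print(by_hive(SAMPLE_LOG))
```

    Note what the heuristics miss: the `Band Class` BHO (`systb.dll`) has a name and a present file, so nothing here flags it, even though it is one of the files to delete. Name-and-presence checks only catch the sloppy cases; a proper BHO review still needs the CLSID and file looked up. Because HKCU entries live in each profile's own hive, a log taken from one account says nothing about the others, which is why every user account has to be checked separately.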
     
  20. Jane A

    Jane A Private E-2

    RE: Norton..My son's friend installed it; I didn't really ask him to do it. He was just trying to be helpful. I think I need an installation disk to uninstall it. I am trying to get one.

    I followed your instructions the best I could. While running Open Process Mgr in Safe Mode, I could not find the defwatch.exe or rtvscan.exe. When I went back to scan, nothing happened. So I closed HJT and then went back into it. I deleted the items that you said, except I could not find the first two lines that started with R1 - HKCU....

    When I went to Windows Explorer, I found systb without the .dll and I deleted it. I found wupdt without the exe and I deleted it. I could not find the cem.dll.

    After emptying the Recycle Bin, I deleted the entire folder of c:\windows\Prefetch. I did not go back to empty the Recycle Bin again. Should I do that?

    I ran CCleaner; reset the web settings. Here is the new HJT log.
     

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It sounds to me like you did not enable viewing of hidden files properly as per the tutorial. You neglected to uncheck the option that says Hide extensions for known file types.

    Also the R1 lines that I asked you to fix and you said you could not find are still in your HJT log. You must fix all three:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    Perhaps they just did not show in safe mode boot.

    Do you use this below program:
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    It is stuff that AOL installs without asking you. Most people do not use it, know what it is for, or even know it is there. If you don't use it, you should uninstall it using Add/Remove Programs. It is a waste of system resources.
     
    Last edited: Mar 18, 2005
  22. Jane A

    Jane A Private E-2

    Greetings:

    I was recruited to help out with this machine. I am the Sysadmin where Jane A works, and I thought this might be a good learning experience.

    I first booted in safe mode, logged in as administrator, and created a new user for myself with administrator rights. I also updated the virus defs for AVG and ran it. It found a variety of problems, including the Downloader.Dyfica.2.AC and AB viruses. I cleaned out the Temporary Internet files and cleaned out the temp directory.

    I then ran Spybot S&D. There were 162 items found that I had Spybot try to eliminate, including:
    Cool WWW Search
    DyFuca
    FunWebProducts
    Huntbar
    My Search
    New.net
    Viewpoint
    Wishbone
    ABetterInternet
    DownloadWare

    Most, but not all items were removed. Next I ran Hijack This, and got rid of a few more suspicious items, such as
    mqqbvzwh.dll

    and any items that appeared in previous posts in this thread.

    Next, I logged out and repeated the process for every user on the machine. To my surprise, there were viruses and Spybot issues on each user that were not seen from the administrator login.

    Finally, I did some registry editing while logged in under the new user I had created. I manually deleted the files and keys that Spybot was unable to (still do not know why.)

    Things seem pretty clean now. I will attach a HJT log once I figure out how.
     
  23. Jane A

    Jane A Private E-2

    (DH for Jane A)

    Here is the latest HJT log file. I will check back to see if anyone sees something sinister that I missed.

    Thanks!
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That log is clean now.

    As far as your comment

    That is why we always tell people that each user account must be checked. Each user has their own registry entries and different items can load for each.
     