surf sidekick 3 and other nondesirables
so i've read about 10000000 ways to get rid of surf sidekick 3 and i swear i followed them each to a t with no luck.... so in hopes of regaining my sanity, here's my hijack this log....
thanks for any ideas you can offer..
justin
Logfile of HijackThis v1.99.1
Scan saved at 3:20:04 AM, on 3/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\services.exe
C:\WINNT\winevent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O1 - Hosts: 216.87.210.71 search.kazaa.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINNT\system32\w9seq.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g8joli1318.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe
unlike other ones i read about, i don't have the VCClient.exe or any of that business...
First place I need you to start is download the following tools for me
CCleaner
http://www.filehippo.com/download/51.../download.html
Ad-Aware SE Personal
http://www.download.com/Ad-Aware-SE-...ml?tag=lst-0-2
Spybot Search and Destroy
http://www.download.com/Spybot-Searc...ml?tag=lst-0-1
Ewido
http://www.download.com/Ewido-Securi...ml?tag=lst-0-1
Spysweeper
http://www.malwareteks.com/dload.php...load&file_id=5
Pocket Killbox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip
-Unzip to its own folder
Now since you have Windows XP - I want us to start in Safe Mode with Networking
-Restart your PC
-Repeatedly tap F8 before the "Loading Windows" screen appears
-Choose Safe Mode with Networking
-You will see the screen scroll down - this is normal
Now on to the cleaning...
Open up CCleaner first
-run ONLY the default scan (Windows Tab). Do Not “Scan For Issues” unless specifically asked to do so!
-Simply open it and choose Run Cleaner
Open Ad-Aware
-Allow it to update to the latest definitions
-Run it and remove everything it finds
Open Spybot
-Allow it to update
-Run it and fix what it finds
Open Ewido
-Click Update>Start Update
-Run it and remove everything it finds
-Save the report at the end and attach it for me when you return
Now Reboot back into Normal Mode
Open Spysweeper
-Allow it to update then run a Sweep
-Let it remove everything it finds
-Please save this log for me and attach it
Now run Kaspersky Online Scanner
http://www.kaspersky.com/scanforvirus.html
Save the log and attach it for me as well.
If you can not get these logs in one post that is fine, use as many posts as necessary.
I need the following
- Ewido Scan Report
- Spysweepers log
- Kaspersky's log
- New HijackThis log
Good Luck
Last edited by DMR; Apr 22nd, 2006 at 2:51 am.
Proud Member of ASAP (Alliance of Security Analysis Professionals)
okay so i ran everything and it seemed like there were still unreachable/undeletable files & registry entries because even in safe mode they were loaded... anyhow, here's my spysweeper log:
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
To ensure proper removal of spyware, adware and other unwanted items, be sure to close any programs that are open.
Your Sweep Options indicate the following will be swept:
Drives: C:
Also sweeping: Memory, Cookies, Registry
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
Adware found: clkoptimizer
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
Adware found: findthewebsiteyouneed hijack
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
Adware found: dollarrevenue
Adware found: command
Trojan Horse found: sdbot
Adware found: quicklink search toolbar
Adware found: targetsaver
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
Adware found: surfsidekick
Adware found: look2me
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
Adware found: great net downloadware
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
Adware found: zenosearchassistant
Full Sweep has completed. Elapsed time 00:15:05
Traces Found: 145
next up, my ewido log.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 3:06:48 AM, 3/29/2006
+ Report-Checksum: 5D9F546D
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[1060] C:\WINNT\system32\lseei.dll -> Adware.Look2Me : Error during cleaning
[1224] C:\WINNT\system32\lseei.dll -> Adware.Look2Me : Error during cleaning
[1564] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1568] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1108] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
[1596] C:\WINNT\system32\ckpnypj.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\315502.exe -> Trojan.Small : Cleaned with backup
C:\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Đ?dobe\ntvdm.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\238W0H1R\drsmartload[1].exe -> Downloader.Adload.ah : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\315502[1].exe -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\aohell[1].exe -> Worm.Small.d : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\izgyxwa[1].cab/slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\izgyxwa[1].cab/faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\keyboard6[1].exe -> Downloader.VB.zo : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\mousepad5[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\newname6[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9CPW0WEK\ZICORN001[1].exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\aohell[1].exe -> Worm.Small.d : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\comscore[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\d72[1].exe -> Downloader.Adload.af : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\drsmartload46a[1].exe -> Downloader.Adload.af : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\error[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\keyboard5[1].exe -> Downloader.VB.zl : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\mousepad6[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\newname5[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\Justin Goellner\Local Settings\Temp\Temporary Internet Files\Content.IE5\6HCZ0B3V\all_launch_reg[1].htm -> Trojan.NoClose.e : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.ah : Cleaned with backup
C:\drsmartload46a.exe -> Downloader.Adload.af : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\windows\keyboard5.exe -> Downloader.VB.zl : Cleaned with backup
C:\windows\keyboard6.exe -> Downloader.VB.zo : Cleaned with backup
C:\windows\mousepad5.exe -> Hijacker.VB.ly : Cleaned with backup
C:\windows\mousepad6.exe -> Hijacker.VB.ly : Cleaned with backup
C:\windows\newname5.exe -> Downloader.Adload.ae : Cleaned with backup
C:\windows\newname6.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINNT\system32\2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\AZYCFILT.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\AŃ€pPatch\wĎ…auboot.exe -> Adware.PurityScan : Cleaned with backup
C:\WINNT\system32\bbfqt.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINNT\system32\cerpol.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINNT\system32\faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINNT\system32\mwinnag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\myl_qic.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\paytime.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINNT\system32\pre1.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\WINNT\system32\vmdex.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\WINNT\system32\winspy.exe -> Downloader.Small.ckq : Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__ckpnypj.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINNT\uniq -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINNT\winevent.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\xdos.exe -> Downloader.Adload.af : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup
::Report End
also kaspersky.com/scanforvirus.html isn't loading so i can't show you that log....
i guess i'm okay then? it's hard for me to tell.
how do you get this crap and how do you avoid it properly? i run spybot s&d, adaware and protowall already and if i had all of these problems with them running.... i mean, is there something better i could be doing?
thanks- let me know if you think i'm cleaned up.
justin
oops. and finally my new hijack this log...
Logfile of HijackThis v1.99.1
Scan saved at 4:01:21 AM, on 3/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\services.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g6220gfoe62c0.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe (file missing)
also ewido keeps finding
c:\winnt\__delete_on_reboot__services.exe
every time i scan... it's the only thing left?
It doesn't appear you let Spysweeper remove what it found? It would say Quarantining if you did. Did you get the option, or have you already used the trial of it before? If you did not let it remove, please re-run it.
First Disable Spybot's TeaTimer..you should be able to right click it in the System Tray and choose Exit
Go to Start>Run type Services.msc and press Enter.
-Locate the following two services one at a time
• Windows Event
• Microsoft Windows Update Service
-Right click and choose Stop if it's not greyed out
-Next choose Properties
-Change Startup Type to Disabled
Now Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy the following two one at a time in the box and delete them.
• Windows Event
• Microsoft Windows Update Service
Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
--Once it's done scanning, click the Remove L2M button.
--You will receive a Done Scanning message, click OK.
--When completed, you will receive this message: Done removing infected files! --Look2Me-Destroyer will now shutdown your computer, click OK.
--Your computer will then shut down.
--Turn your computer back on.
--Please post the contents of C:\Look2Me-Destroyer.txt when you return
Now scan with HijackThis and place a check next to the following
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g6220gfoe62c0.dll (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe (file missing)
Now with All Browsers closed, choose Fix Checked
Now reboot to Safe Mode and delete the following
C:\WINNT\system32\mmhqi.exe
C:\WINNT\system32\winusmx.exe
The F2 lines may come back - if they do there is another way to get them...
Reboot back to Normal Mode and attach the following logs
• Look2Me Destroyer
• New HijackThis
• Spysweeper (after removal)
Proud Member of ASAP (Alliance of Security Analysis Professionals)
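The checks behind the "place a check next to the following" list in the reply above, as an added example that is not part of the original thread: a small Python triage pass over HijackThis-format lines. The sample lines are copied from the log posted in this thread; the heuristics and the names `triage`, `SYSTEM32_ONLY` and `SAMPLE_LOG` are assumptions of this example, and a hit is a lead to investigate, not a verdict.

```python
import ntpath  # Windows path rules, so this runs on any OS
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\services.exe
C:\WINNT\winevent.exe
C:\WINNT\Explorer.EXE
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\mmhqi.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,winusmx.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\g6220gfoe62c0.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
O23 - Service: Windows Event (WinEvent) - Unknown owner - C:\WINNT\winevent.exe (file missing)
"""

# Assumption of this example: these image names belong only in ...\system32.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O23 - Service: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\[^>]*$")        # a bare path = running process
F2_RE = re.compile(r"\b(Shell|UserInit)=(.*)$", re.IGNORECASE)


def _check_f2(body):
    """Return reasons for an F2 line whose Shell/UserInit value has extra programs."""
    m = F2_RE.search(body)
    if not m:
        return []
    key, value = m.groups()
    expected = "explorer.exe" if key.lower() == "shell" else "userinit.exe"
    reasons = []
    for part in value.split(","):
        part = part.strip()
        # The stock value is just the expected binary (UserInit ends in a bare comma).
        if part and ntpath.basename(part).lower() != expected:
            reasons.append(f"extra program chained onto {key}: {part}")
    return reasons


def triage(log_text):
    """Return (reason, line) pairs for log lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            # Running-process section: compare image name against its folder.
            name = ntpath.basename(line).lower()
            parent = ntpath.basename(ntpath.dirname(line)).lower()
            if name in SYSTEM32_ONLY and parent != "system32":
                findings.append(("system process name outside system32", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "F2":
            findings.extend((reason, line) for reason in _check_f2(body))
        if section == "O23" and " - Unknown owner - " in body:
            findings.append(("service listed with Unknown owner", line))
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append(("entry points at a file that is not on disk", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the sample, the flagged entries are the six lines the reply asks to fix, plus the running `C:\WINNT\services.exe` that shadows the real `system32\services.exe`.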
"It doesn't appear you let Spysweeper remove what it found? It would say Quarantining if you did. Did you get the option, or have you already used the trial of it before? If you did not let it remove, please re-run it."
yeah maybe i didn't post the right log (i just cut and paste what it said in the window as it was scanning) but there were like 10 things quarantined
"Now reboot to Safe Mode and delete the following"
those files were already gone by the point i went back to delete them...
here's my new hijack this. i'm a total jackass and deleted the look2me destroyer log by accident (i saw the .txt file and figured it was a 'readme' kind of thing not thinking 'oh that's the log') so i can't post that...
here's the hjt and i'll post the spysweeper when i get done running it...
thanks for helping. i feel pretty dumb. i also now have 3 quick launches on my toolbar?? who knows...
justin
Logfile of HijackThis v1.99.1
Scan saved at 2:51:25 AM, on 3/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
if i delete anything from it, it gets deleted from all three... really it's so strange and only started happening when i started messing around with the virus stuff.... maybe i went too crazy on my registry key?
also last but not least, one thing keeps being found...
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R9G34SX8\sane[1].exe -> Backdoor.SdBot.xd : Cleaned with backup
everything says it's cleaning it but it's always there... should i bother? should i reboot in safe mode and manually delete it?
and if i were to purchase one of these fine programs that saved my poor computer, would it be ewido or spysweeper?
Have you actually messed with your registry keys? Can you get me a screenshot of this?
For that file - just do as you said and reboot to Safe Mode and delete it.
Ewido and SS are both solid so the vote would go either way if you asked 100 different people. I am a SS kind of guy myself.
Proud Member of ASAP (Alliance of Security Analysis Professionals)