Help Removing Surfsidekick 3


  • This topic is locked
11 replies to this topic

#1 LeBoW120

LeBoW120

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:35 PM

Posted 15 February 2006 - 02:46 PM

Hi all,

My problem is that I can't seem to remove SurfSideKick from my computer.
Damn thing keeps coming back after every reboot. I also have trouble accessing some websites including hotmail. My Hijack This log is posted below.

Logfile of HijackThis v1.99.1
Scan saved at 19:38:13, on 15/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
e:\program files\mcafee.com\agent\mcdetect.exe
e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\Program Files\Network Monitor\netmon.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\wanmpsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\WINDOWS\System32\taskmgr.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
e:\progra~1\mcafee.com\vso\mcvsftsn.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Hijack This\HijackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - E:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - E:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VSOCheckTask] "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban7.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0b\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - AppInit_DLLs: repairs302972994.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - e:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe


I would appreciate any assistance anyone can provide.

Thanks in advance.

#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:35 PM

Posted 15 February 2006 - 05:08 PM

Hi LeBoW120,

I will be happy to help you remove Surfsidekick and others, if any. I am going through your log at the moment. It'll take some time, but I'll get back to you as soon as I have my "fix" ready.

#3 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:35 PM

Posted 15 February 2006 - 06:58 PM

Hi LeBoW120, :thumbsup:

Please copy/paste these instructions into a WordPad document and save it to your desktop, then print them out as well for easy access. If you read them carefully and follow them in the order they are given, you won't have any problems.

Let's start with downloading some programs that you'll need later.

Download ATF Cleaner by Atribune and save it to your Desktop.

===============================================

Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.

Select Configurations (click the Gear wheel at the top) as follows:
  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Do not use it yet.

Here is a good link to an Ad-Aware tutorial: http://www.starpoint.net/help/Maintenance/adware.php

==============================================

Download and install Ewido Anti-Malware

During the installation, uncheck the following under Additional Options:
Install background guard
Install scan via context menu


Check for updates but do not run it yet.

==============================================

You have SpywareGuard installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might interfere with our fix.
1. Right click the running icon of SpywareGuard, it will open the program.
2. Then go to Menu, file, exit.
3. Then confirm the program is closed.

After all of the fixes are complete it is very important that you enable SpywareGuard again.

You may also need to give permission if your McAfee gives you any warning while you are carrying out the fixes.

=============================================

Let's uninstall the unwanted programs

Go to Start > Control Panel > Add/Remove Programs and remove WildTangent, if there.

To get rid of SurfSideKick, go to Start > Run and copy/paste the following command in the field:

"C:\Program Files\SurfSideKick 3\Ssk.exe" /u

Click OK.

A new window will open asking you for a password you'll see in that screen. Please enter the password.
Let it finish its job and REBOOT your computer afterwards.

===============================================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK

===============================================

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following process:

E:\Program Files\Network Monitor\netmon.exe

Exit the Task Manager when finished.

==============================================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

====================================================

Scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - E:\Program Files\SurfSideKick 3\SskBho.dll

O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - E:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)

O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe

O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe

O4 - HKCU\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab

O20 - AppInit_DLLs: repairs302972994.dll

O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe


Close all other browsers/windows/applications and click "fix checked". Exit HijackThis but stay in Safe Mode.

=====================================================

Using Windows Explorer, navigate and delete the following folders and files in bold, if found:

E:\Program Files\SurfSideKick
E:\Program Files\WildTangent

E:\Program Files\Network Monitor\netmon.exe

We need to do a search. Start > Search > All Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

repairs302972994.dll

Delete this file when found.

======================================================

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

==================================================

Run Ewido.
Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido-Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

==================================================

Run Adaware
To start the scan, Click > "Scan Now" at left
  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
  • When the scan has completed, select Next.
  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.
==================================================

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

=================================================

Run HijackThis again and save the log.

=================================================

Post the Panda scan results, the Ewido log and the new HijackThis log in your next reply.

Edited by amateur, 15 February 2006 - 07:49 PM.
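The entries the helper marks for "fix checked" above follow a recognisable pattern: a non-empty O20 AppInit_DLLs value, an unnamed R3 URLSearchHook, an O2 BHO whose DLL is missing, O4 Run keys launching an .exe straight from the Windows folder, an O23 service with no vendor information, and Run keys starting a program from the same folder as a flagged browser hook. The Python below is an added example, not code from the thread or from HijackThis: it parses HijackThis v1.99.1 log lines and applies triage rules of my own that encode that pattern; the sample log is constructed from lines quoted in this thread, and the rules are heuristics, not HijackThis's own logic.

```python
"""Triage rules for HijackThis v1.99.1 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log lines quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - E:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - E:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKCU\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs302972994.dll
O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 Run entry: 'HKLM\..\Run: [name] "quoted path" args' or 'HKLM\..\Run: [name] bare path'
RUN_RE = re.compile(r'^HK\w+\\\.\.\\Run: \[[^\]]*\] (?:"(?P<quoted>[^"]+)".*|(?P<bare>.+))$')
# An .exe sitting directly in the Windows folder (not in System32 or a vendor folder)
WINDOWS_DIR_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parent_dir(path: str) -> str:
    """Lower-cased folder part of a Windows path ('' if there is no backslash)."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def run_target(body: str) -> str:
    """Executable path of an O4 Run entry, without surrounding quotes or arguments."""
    m = RUN_RE.match(body)
    if not m:
        return ""
    return m.group("quoted") or m.group("bare").strip()


def module_path(body: str) -> str:
    """DLL path of an R3/O2 entry: text after the last ' - ', minus the '(file missing)' marker."""
    return body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def triage(log_text: str) -> list[Finding]:
    """Two passes: flag entries on their own merits, then flag O4 Run keys that start
    a program from the same folder as a flagged browser hook (the SurfSideKick pattern)."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))

    findings: list[Finding] = []
    hook_dirs: set[str] = set()  # folders hosting flagged browser hooks
    for sec, body, line in entries:
        reason = None
        if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reason = "AppInit_DLLs loads the named DLL into every process that links user32.dll"
        elif sec == "R3" and body.startswith("URLSearchHook: (no name)"):
            reason = "unnamed URLSearchHook intercepts address-bar searches"
            hook_dirs.add(parent_dir(module_path(body)))
        elif sec == "O2" and body.endswith("(file missing)"):
            reason = "BHO registration points at a DLL that is no longer on disk"
        elif sec == "O4" and WINDOWS_DIR_EXE.match(run_target(body)):
            reason = "Run key launches an executable dropped directly in the Windows folder"
        elif sec == "O23":
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner" and not SYSTEM32_DIR.match(parts[2]):
                reason = "service with no vendor information running outside System32"
        if reason:
            findings.append(Finding(sec, reason, line))

    for sec, body, line in entries:
        if sec == "O4" and parent_dir(run_target(body)) in hook_dirs:
            findings.append(Finding(sec, "Run key starts a program from the folder of a flagged browser hook", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

On the constructed sample the rules reproduce the helper's list (the R3 hook, the orphaned RXResultTracker BHO, winsysupd, myupdates, the AppInit_DLLs value, the Network Monitor service and the SurfSideKick Run key) while leaving NeroCheck, QuickTime, ATI Smart and vsmon alone.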


#4 LeBoW120

LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:35 PM

Posted 15 February 2006 - 10:00 PM

Hi amateur,

I greatly appreciate your help. I followed your instructions to the letter and did everything apart from deleting the file "repairs302972994.dll". I couldn't find the file.

Here are the new scan reports:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 02:08:36, 16/02/2006
+ Report-Checksum: D23AAD2F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0B7BB476-D99E-5DD3-E092-CBD7B7A94A44} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1197D8F4-67C3-1EBA-A0B5-2D3266286005} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2AA6A6A5-5956-39DD-EADF-D656474D57D6} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2D607394-E8EB-CD29-C71D-D3905009E2D5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{35C5CD9A-30D8-2E59-4A14-BDCDD883F77E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3698678C-C5F1-2B0F-7784-86A3A0B91EC5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3959283E-C72B-D2BA-8167-B27A8FA8F55B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{42818257-D0FC-EEBA-AAE9-8A81C72D9FD3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{42850B31-650A-1A17-D1B0-881BB42C236B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4A515210-1CD0-C708-D58B-235E88247714} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5F54EEA2-3EC1-1710-F455-1257E2CC6910} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{618C589E-9822-B92D-324E-4A3A25DEE649} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{647B7C3A-BE72-E122-772D-4D78A24E913E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{678A2E0B-5139-6762-A9B9-0027B9B197E5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{72B2792C-D29E-16A4-EE1D-D7DC8988D531} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{77DE2D83-957F-1DC7-29B3-8314649B33C1} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7FF53652-4DA9-7C18-869B-8B90C486CE63} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8EDA2BD3-6A45-E3A2-BF45-6B2B79D7BCFF} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9349E2D9-9792-5461-B625-11C9885773A4} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9B7FF2FB-F800-5594-D274-1F27F041B9D6} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A486C68F-6631-2A80-9130-5AAE5A0D6D0E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B310B79D-3B9C-C41E-D331-13987320963B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B3E2B483-AA0E-3DFD-41B9-7B33957286D3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B46BD484-7071-F0EF-F47D-A3DA3A0F33C2} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B4A77CF6-02BF-DD85-3F0E-C3AEABCEDC8F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B75BCD02-ABA7-9B5A-4478-A8AD97904CAC} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C735153A-68D1-A733-70E3-4788A0DFAFED} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CDBCDF8D-F3C6-EE7D-C673-A31C7CDFB1F3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DB58988A-7E72-E50C-B2C0-29E44B377388} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DF6EE72D-6DA9-D49D-AEDC-B86B1D310C21} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E07FEBA7-DA76-CC40-6C75-197B46A15FC9} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E0FF3E5C-4043-EAF0-0397-EB24D486A427} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E1C3C5B8-DB64-9214-3152-74004E9FCB93} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E3367314-1EAE-8F76-CB90-062589DB57E1} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1229272821-220523388-725345543-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1229272821-220523388-725345543-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
C:\Program Files\Altnet\Download Manager\asmps.dll -> Adware.Altnet : Cleaned with backup
E:\Documents and Settings\Adam\Local Settings\Temp\un6.tmp -> Adware.SurfSide : Cleaned with backup
E:\Documents and Settings\Adam\Local Settings\Temp\un97.tmp -> Adware.SurfSide : Cleaned with backup
E:\Documents and Settings\Adam\Local Settings\Temp\unA.tmp -> Adware.SurfSide : Cleaned with backup
E:\Documents and Settings\Adam\Local Settings\Temp\__unin__.exe -> Adware.Altnet : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ehg-aha.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ehg-amlawmedia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ehg-bestwestern.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ehg-bt.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ehg-tfl.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@phg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
E:\Program Files\Common Files\InetGet\mc-110-12-0000228.exe -> Dropper.Agent.aac : Cleaned with backup
E:\Program Files\Common Files\VCClient\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
E:\Program Files\Common Files\Windows\mc-110-12-0000228.exe -> Dropper.Agent.aac : Cleaned with backup
E:\Program Files\Common Files\Windows\services32.exe -> Adware.Maxifiles : Cleaned with backup
E:\Program Files\TBONBin -> Adware.BetterInternet : Cleaned with backup
E:\RECYCLER\S-1-5-21-1229272821-220523388-725345543-1003\De259\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
E:\WINDOWS\inet20010\winlogon.exe -> Downloader.CWS.s : Cleaned with backup
E:\WINDOWS\system32\barseek.dll -> Proxy.Small.du : Cleaned with backup
E:\WINDOWS\system32\drivers\sysbus32.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.al : Cleaned with backup
E:\WINDOWS\system32\scmt16.exe -> Downloader.Small.cjg : Cleaned with backup
E:\WINDOWS\tool3.exe -> Downloader.Agent.aea : Cleaned with backup


::Report End




---------------------------------------------------------
Panda Active Scan Report
---------------------------------------------------------

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected E:\Documents and Settings\Adam\Application Data\Sskcwrd.dll

::Report End




---------------------------------------------------------
HijackThis Log
---------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 02:48:28, on 16/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
e:\program files\mcafee.com\agent\mcdetect.exe
e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\wanmpsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
e:\progra~1\mcafee.com\vso\mcvsftsn.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VSOCheckTask] "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0b\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - e:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe

::Report End


Once again, thanks for your help.

#5 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:35 PM

Posted 16 February 2006 - 08:21 AM

Good job, LeBoW120. :thumbsup: You've done very well. :flowers: How is the computer running now?

Using Windows Explorer, navigate to the following file in bold and delete it. (If you cannot delete it in normal mode, try safe mode)

E:\Documents and Settings\Adam\Application Data\Sskcwrd.dll

Empty your recycle bin. Clean the temp files and cookies for every user with ATF. Reboot the computer. Run Ewido and Panda again and post back the logs.

#6 LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Male

Posted 16 February 2006 - 01:45 PM

Hi amateur,

Thanks for your help. There seems to be no sign of SurfSideKick left in my system. However, I have problems accessing some websites like Hotmail. This started after I got the virus. Any ideas? Anyway, the new logs are posted below.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:23:04, 16/02/2006
+ Report-Checksum: 9C891CE2

+ Scan result:

No infected objects found.


::Report End



---------------------------------------------------------
Panda Active Scan report
---------------------------------------------------------

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected E:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Ssk.log


I completely removed everything in my Temporary Internet Files, so I don't know why it still says Ssk.log.

Cheers.

#7 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 16 February 2006 - 01:50 PM

Oh, that's just a log file. You can go ahead and delete that too.

There is one thing I missed earlier though. I would like you to do it now.

Please go to Add/Remove Programs and remove Network Monitor. Then go to C:\Program Files and delete the folder Network Monitor. Empty the recycle bin.

Can you tell me a little bit more about the problem you are having with accessing websites: Which other web sites; what kind of a problem; are you getting an error; what kind of error note, etc.?

Edited by amateur, 16 February 2006 - 03:00 PM.


#8 LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Male

Posted 16 February 2006 - 07:52 PM

Hi amateur,

Can't seem to remove Network Monitor. It says there was an error in removing it. Checked it in the Program Files and it's not there.

The websites I can't access are not many, just stuff like Blackboard system which is a university learning tool and Hotmail. For some reason I can't seem to access Hotmail at all. Could it be a problem with the site itself?

Thanks.

#9 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 16 February 2006 - 09:30 PM

Hi LeBow120,

Try the following and see if it helps any, and let me know please.

Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply, then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab, then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK, then Apply and OK.

#10 LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Male

Posted 19 February 2006 - 07:39 PM

Hi amateur,

I did what you asked but found no sign of security info. I recently switched to using a NetGear wireless router. Could this be at fault? I'm using AOL as my ISP and apparently this is one of the few routers that have been tested to work using AOL.

Thanks for your help.

#11 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 19 February 2006 - 11:04 PM

Hi LeBow120,

This is what MSN suggests you do:

1. Click ‘Start’, ‘Run’ then type: ‘iexplore’ (without apostrophes)
2. Click ‘Tools’, ‘Internet Options’
3. Under General, click:

a. ‘Delete Cookies’, ‘OK’
b. ‘Delete Files’, ‘Delete all offline contents’, ‘OK’
c. ‘Clear History’, ‘Yes’
d. ‘Settings’, Adjust the amount to 300 MB, ‘OK’

4. Under Security, click ‘Internet’, ‘Default Level’, then ‘Apply’
5. Click ‘Privacy’, ‘Default’, then Apply
6. Under Content, click ‘AutoComplete’, ‘Clear Forms’, ‘Clear Passwords’ then ‘OK’
7. Under Connections, do the following: (skip these if you are using DSL)

a. Select the connection in the Dial-up and Virtual Private Network settings
b. Click ‘Settings’, uncheck all of the checkboxes, ‘OK’
c. Click ‘LAN Settings’, uncheck all of the checkboxes, ‘OK’

8. Under Advanced, click ‘Restore Default’, ‘Apply’, then ‘OK’
III. If the issue persists, please update Internet Explorer.

1. Connect to the Internet
2. Click ‘Start’, ‘Run’, then type: ‘iexplore’ (without apostrophes)
3. Download the updated version of Internet Explorer by going to http://www.microsoft.com/downloads/...&DisplayLang=en
4. Click ‘Download’

OPTION 2:

1. Connect to the Internet
2. Click ‘Start’, ‘Run’, then type: ‘iexplore’ (without apostrophes)
3. Go to http://www.microsoft.com/downloads/
4. Click on 'Internet Explorer 6 Service Pack 1' then click 'Download' button

Also, please post

a new HijackThis log
a new online virus scan result
a new Panda log

to make sure that the computer is clean. Once we establish that, you should patch your Windows XP with SP2.

Edited by amateur, 20 February 2006 - 10:03 AM.


#12 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 01 March 2006 - 08:57 AM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
