Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Surfsidekick 3 Just Wont Go Away :(


  • This topic is locked This topic is locked
54 replies to this topic

#1 Viktery

Viktery

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 22 February 2006 - 10:11 PM

So after going against my better judgement, I download Shareaza as a P2P client so I can download and save a quick media trailer so I can install it into my Trea for demoing purposes to someone. And 8 hours later Im infected from everything under the sun.(this is why i dont download MP3s...i just buy my music).

So first thing was Security32 which installed on my box, plus SurfSide(which didnt seem to be doing much at the time), as well as SpySheriff and that red circle with a white cross in the middle popping up on my computer time and time again.

After a long night of registry editing, cleaning I got it down to just the SurfSidekick 3 (I may have Look2Me on here as well) trojan still on my computer. I then looked you guys up, ran through alot of the fixes you guys talked about with others just to make SURE everything was off of my computer. The red circle with the white cross (someone needs to name that thing) dont know if it was part of SpySheriff or not but thanks alot for that help.

Anyways so now after working for a few hours my computer is loading up at "Ok" speeds. As well as I cannot get to the Google.Com website at ALL, and most sites load up VERY slowly. I also cannot get my windows firewall to turn back on, I keep getting a error. Here is my hijack log, any help would be greatly appreciated.

Programs I have already run on my PC:

CCleaner
Hijackthis
Ewido (FYI, this hangs when it attempts to clean the SSK.exe file, on the "Performing Cleaning" screen, not sure why).
KillBox


So I ask for you guys help to get this thing off of my computer. I am missing a deadline I had with a job I was trying to get, and this has happened at the worst time :thumbsup:

Thanks alot.
Vik

Logfile of HijackThis v1.99.1
Scan saved at 9:57:26 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: winapi32.MyBHO - {41DD58D5-6692-433F-AE6C-64E157A496C4} - C:\WINDOWS\system32\winapi32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972997.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\m8280ifue8280.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SkhpZ2h0\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:58 PM

Posted 23 February 2006 - 10:34 AM

Hello,

Well, you are dealing with several different infections here.

I see Ewido already cleaned up a lot, but we still have a long way to go.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

We'll deal with surfsidekick and the rest afterwards.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 10:49 AM

I am getting the runtime 339 error and I cant download the winsck file because the site doesnt seemto exist. I tried goingto it on another computer and it sent me to a search site as if the link was not correct.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:58 PM

Posted 23 February 2006 - 10:54 AM

The site works fine for me though. Try to copy and paste above link in your browser and try again.
If it still doesn't work, let me know
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 11:01 AM

Nope still doesnt work. IE just says "Done" after tryingto load it for a little bit then kicks me to a Search.Surfside.com page.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:58 PM

Posted 23 February 2006 - 11:12 AM

Ok, I attached it here.
You have to unzip it first and then place it in your C:\Windows\System32 Directory
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 11:18 AM

Thanks. Its running.

#8 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 11:34 AM

Look2Me.txt File:

Scanning for infected files.....
Scan started at 2/23/2006 11:17:04 AM

Infected! C:\WINDOWS\system32\m8280ifue8280.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0045381.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0047378.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0047399.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0048437.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0048443.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049449.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049461.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049468.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0050485.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052490.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052814.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052815.dll
Infected! C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052819.dll
Infected! C:\WINDOWS\SYSTEM32\aurace.dll
Infected! C:\WINDOWS\SYSTEM32\botsprx2.dll
Infected! C:\WINDOWS\SYSTEM32\crdial32.dll
Infected! C:\WINDOWS\SYSTEM32\cucfg32.dll
Infected! C:\WINDOWS\SYSTEM32\czmres.dll
Infected! C:\WINDOWS\SYSTEM32\dn2601fse.dll
Infected! C:\WINDOWS\SYSTEM32\dn6201joe.dll
Infected! C:\WINDOWS\SYSTEM32\fp8u03l9e.dll
Infected! C:\WINDOWS\SYSTEM32\fplm0331e.dll
Infected! C:\WINDOWS\SYSTEM32\iHsrecst.dll
Infected! C:\WINDOWS\SYSTEM32\iuetmib1.dll
Infected! C:\WINDOWS\SYSTEM32\iuetppui.dll
Infected! C:\WINDOWS\SYSTEM32\jtlu0739e.dll
Infected! C:\WINDOWS\SYSTEM32\ksduk.dll
Infected! C:\WINDOWS\SYSTEM32\ktlml7311.dll
Infected! C:\WINDOWS\SYSTEM32\ktlql7351.dll
Infected! C:\WINDOWS\SYSTEM32\m8280ifue8280.dll
Infected! C:\WINDOWS\SYSTEM32\oibcint.dll
Infected! C:\WINDOWS\SYSTEM32\q486lels1hq6.dll
Infected! C:\WINDOWS\SYSTEM32\syrobj.dll
Infected! C:\WINDOWS\SYSTEM32\tyrmsrv.dll
Infected! C:\WINDOWS\SYSTEM32\uopnpmgr.dll
Infected! C:\WINDOWS\SYSTEM32\UTBPort.dll
Infected! C:\WINDOWS\SYSTEM32\vla256.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\m8280ifue8280.dll
C:\WINDOWS\system32\m8280ifue8280.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0045381.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0045381.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0047378.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0047378.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0047399.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0047399.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0048437.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0048437.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0048443.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0048443.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049449.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049449.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049461.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049461.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049468.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP401\A0049468.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0050485.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0050485.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052490.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052490.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052814.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052814.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052815.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052815.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052819.dll
C:\System Volume Information\_restore{FAEB99BE-978C-418D-A720-19ACA3F9CFC9}\RP402\A0052819.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\aurace.dll
C:\WINDOWS\SYSTEM32\aurace.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\botsprx2.dll
C:\WINDOWS\SYSTEM32\botsprx2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\crdial32.dll
C:\WINDOWS\SYSTEM32\crdial32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\cucfg32.dll
C:\WINDOWS\SYSTEM32\cucfg32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\czmres.dll
C:\WINDOWS\SYSTEM32\czmres.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\dn2601fse.dll
C:\WINDOWS\SYSTEM32\dn2601fse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\dn6201joe.dll
C:\WINDOWS\SYSTEM32\dn6201joe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\fp8u03l9e.dll
C:\WINDOWS\SYSTEM32\fp8u03l9e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\fplm0331e.dll
C:\WINDOWS\SYSTEM32\fplm0331e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\iHsrecst.dll
C:\WINDOWS\SYSTEM32\iHsrecst.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\iuetmib1.dll
C:\WINDOWS\SYSTEM32\iuetmib1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\iuetppui.dll
C:\WINDOWS\SYSTEM32\iuetppui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\jtlu0739e.dll
C:\WINDOWS\SYSTEM32\jtlu0739e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ksduk.dll
C:\WINDOWS\SYSTEM32\ksduk.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ktlml7311.dll
C:\WINDOWS\SYSTEM32\ktlml7311.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ktlql7351.dll
C:\WINDOWS\SYSTEM32\ktlql7351.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\m8280ifue8280.dll
C:\WINDOWS\SYSTEM32\m8280ifue8280.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\oibcint.dll
C:\WINDOWS\SYSTEM32\oibcint.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\q486lels1hq6.dll
C:\WINDOWS\SYSTEM32\q486lels1hq6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\syrobj.dll
C:\WINDOWS\SYSTEM32\syrobj.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\tyrmsrv.dll
C:\WINDOWS\SYSTEM32\tyrmsrv.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\uopnpmgr.dll
C:\WINDOWS\SYSTEM32\uopnpmgr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\UTBPort.dll
C:\WINDOWS\SYSTEM32\UTBPort.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\vla256.dll
C:\WINDOWS\SYSTEM32\vla256.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 11:31:09 AM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: winapi32.MyBHO - {41DD58D5-6692-433F-AE6C-64E157A496C4} - C:\WINDOWS\system32\winapi32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972997.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SkhpZ2h0\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


I also keep getting a popup about a "Blackworm virus" I saw it once yesterday after a cleanup, and once just now. Not sure if its b.s. or not...i know it wasnt a warning from any of my systems. Just internet pop ups. Just thought Id mention that.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:58 PM

Posted 23 February 2006 - 11:48 AM

Ok, we made progress here.
One infection already gone.

Now let's deal with the rest.

Go to start > run and copy and paste next command in the field:

"C:\Program Files\SurfSideKick 3\Ssk.exe" /u

click ok.
A window will open asking you to enter the password you'll find in that screen.
Enter it and click ok.

Then reboot your system! Important.

after reboot..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: winapi32.MyBHO - {41DD58D5-6692-433F-AE6C-64E157A496C4} - C:\WINDOWS\system32\winapi32.dll
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SkhpZ2h0\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\windows\winsysupd10.exe
C:\windows\winsysban10.exe
C:\Program Files\Network Monitor <== folder
C:\Program Files\SurfSideKick 3 <== folder (will be empty though)

*Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer
* Then go to start > run and copy and paste next command in the field:

sc delete "Network Monitor" Click OK

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 12:01 PM

Before I finish and restart. I have a file called winsysupdate101.exe should I delete this?

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:58 PM

Posted 23 February 2006 - 12:07 PM

Yes, delete that one. That's also one of the reasons I asked you to run the panda scan afterwards to see if there are still files left which are not visible in your hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 12:24 PM

I get a error saying page cannot be displayed *sigh*

#13 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 12:31 PM

I downloaded A-squared previously as well and its giving me pop ups on startup about aim, asusprobe(motherboard information center) and IExplorer, and its providing me with long checksums. Could that be it?

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:58 PM

Posted 23 February 2006 - 12:43 PM

Not sure here, but where do you get 'page cannot be displayed' ?
If I am not mistaken, A squared will always give you popups about programs that want to load and also blocks things.

Perform next first:

* Download: Hoster
Unzip hoster to an own folder, eg C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Viktery

Viktery
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 23 February 2006 - 12:50 PM

I cannot get there either.
Whats weird is though I cant get to www.google.com I CAN get to www.google.cn




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users