
Hjt Log For Xp... Help Please!


This topic is locked.
4 replies to this topic

#1 Caulfield6 (Members, 34 posts)

Posted 18 March 2006 - 03:06 AM

Hello,
I need help, I am infected by Surf Side Kick, please help me. :thumbsup:
I did a HJT Scan and this is the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:01:24 PM, on 18/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Patrick\My Documents\Games and Appz\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142655186625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\g8lmli3118.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Thank you if you help, and if you don't, I need it!

C6

#2 Rawe (Members, 2,363 posts, Finland)

Posted 18 March 2006 - 06:57 AM

Hello and welcome to the site. :thumbsup:

Please download the Gaobot virus removal tool here and follow the instructions: http://securityresponse.symantec.com/avcen...moval.tool.html

When you are finished, please reboot and post back with a fresh HijackThis log. Let me know if it helped you in any way (you still have few different infections there -- we'll fix the rest).
Hi there, stranger!

#3 Caulfield6 (Topic Starter, Members, 34 posts)

Posted 18 March 2006 - 06:10 PM

Awesome dude, you're gonna help. Done what you said, and here is the:

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:09:37 AM, on 19/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Patrick\My Documents\Games and Appz\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142655186625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\enrul1991.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Gaobot Log:

Symantec W32.Gaobot FixTool 1.30.0

C6

#4 Rawe (Members, 2,363 posts, Finland)

Posted 19 March 2006 - 03:27 AM

Hi again, let's continue. :thumbsup:

You might want to print these instructions out for easier reference. :flowers:

==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

Please do the following, as Prevx protection might interfere with the fixes:

Right-click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console..

On the Management Console click the Protection Level drop-down menu.

You will see three levels:
  • Maximum
  • Off
  • User Defined
To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.

Click the X on the upper right hand corner to exit the Management console. Once we are done cleaning up, you can repeat the steps setting the level this time to Maximum in order to re-enable protection.

==

Go to -> Control Panel -> Add/Remove programs and uninstall the following entries if present:

Surf Sidekick
Surf Sidekick 2
Surf Sidekick 3


It may prompt about whether or not you are sure you want to remove this program. Reply Yes to this prompt.

==

IF there is no Add/Remove Programs entry for this program(s), click on Start -> Run and type in:

C:\Program Files\SurfSideKick 3\Ssk.exe /u

and hit OK. A code will be displayed that it will ask you to enter. Please enter this code and reboot. Once back to your desktop continue with the rest of the fix.

==

Run a scan with HijackThis and check the following objects for removal if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot, yet again.

==

Download and unzip BFUzip from HERE.

Run the program and click the Web button as shown here:

Posted Image

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


==

Navigate to, and delete the following files/folders if present:

C:\Program Files\SurfSideKick 3\
csrrs.exe <= Locate with Windows Search

Empty Recycle bin.

==

Do you need the following program for something:

C:\Program Files\Network\ipnetwork.exe

As it seems quite suspicious; I just want to check before doing anything to it.

==

Please download the following regfile to your desktop. When it is finished downloading, double-click on it and confirm with Yes when it asks if you would like to merge the data with registry.

Fixssk.reg.

Reboot when done, again.

==

Finally, post back with a fresh HijackThis log.

Edited by Rawe, 19 March 2006 - 04:54 AM.

Hi there, stranger!
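Rawe's removal list boils down to a few patterns in the HijackThis log: search settings reset to about:blank, SurfSideKick components, autorun entries that launch a bare .exe from the drive root or sit under RunServices, and a Winlogon Notify DLL whose name changed between the two scans. The script below is an added example (mine, not from the thread or from HijackThis) that applies those patterns to lines copied from the logs above; the "random-looking DLL name" threshold is my own assumption.

```python
import re
# Constructed sample: lines copied from the first HijackThis log posted in this
# thread (a subset), plus the O20 line from the second log, where the DLL changed.
FIRST_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\g8lmli3118.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
SECOND_LOG_O20 = r"O20 - Winlogon Notify: policies - C:\WINDOWS\system32\enrul1991.dll"

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_LINE = re.compile(r"^HK\w+\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.*)$")
ROOT_EXE = re.compile(r"^[A-Za-z]:\\{1,2}[^\\\s]+\.exe$", re.I)  # e.g. C:\\keyboard3.exe

def parse(log):
    """Yield (kind, body) for every 'Rn - ...' / 'On - ...' entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def looks_random(dll):
    """Assumed heuristic for names like g8lmli3118.dll: 8+ alphanumerics, 3+ digits."""
    stem = dll.lower().removesuffix(".dll")
    return stem.isalnum() and len(stem) >= 8 and sum(c.isdigit() for c in stem) >= 3

def suspicious(log):
    """Return [(reason, line)] for entries matching the patterns Rawe flagged."""
    hits = []
    for kind, body in parse(log):
        line = f"{kind} - {body}"
        if "surfsidekick" in body.lower():
            hits.append(("SurfSideKick component", line))
        elif kind in ("R0", "R1") and body.endswith("= about:blank"):
            hits.append(("search setting hijacked to about:blank", line))
        elif kind == "O4" and (m := O4_LINE.match(body)):
            if m.group("key") == "RunServices":      # Win9x-era key; odd on XP
                hits.append(("RunServices autorun", line))
            elif ROOT_EXE.match(m.group("cmd")):     # bare .exe dropped in C:\
                hits.append(("autorun executable in drive root", line))
        elif kind == "O20" and looks_random(body.rsplit("\\", 1)[-1]):
            hits.append(("Winlogon Notify DLL with random-looking name", line))
    return hits

def winlogon_dlls(log):
    """DLL file names registered as Winlogon Notify packages (O20 lines)."""
    return {body.rsplit("\\", 1)[-1] for kind, body in parse(log) if kind == "O20"}
```

Comparing winlogon_dlls() across the two posted logs is how one notices that the Winlogon Notify DLL was renamed between scans, which is why the O20 line needs attention even though it was not in the fix-checked list.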

#5 Rawe (Members, 2,363 posts, Finland)

Posted 25 March 2006 - 08:15 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
Hi there, stranger!



