Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Everything Is Wrong!


  • This topic is locked This topic is locked
15 replies to this topic

#1 Help Wanted

Help Wanted

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 21 May 2006 - 09:19 PM

My little brother and sister share a computer, and it has become quite messed up. Popups, spyware, trojans. McAfee has helped all it can, and I've tried to clear this stuff out with adaware and spybot, but to no avail. I have followed the posted instructions and recommendations.

Every time I run HijackThis things come back. Like SurfSidekick (ssk)... I can't get it to go away. I'm running HJT in safe mode, I downloaded it onto my cmputer, etc. Everthing is still such a mess. Any assistance would be most appreciated.

I ave posted the HJT log below. I know there's a lot of junk, but I can't seem to make it vanish.


Logfile of HijackThis v1.99.1
Scan saved at 7:15:17 PM, on 5/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\sms_msn.exe
C:\WINDOWS\system32\sms_msn40.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ngpw40.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cbbssgv.exe
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINDOWS\system32\ejrwx8drl.dll
O20 - AppInit_DLLs: repairs303169572.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Edited by Help Wanted, 21 May 2006 - 09:20 PM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 22 May 2006 - 04:37 PM

Hello,

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder.
So I strongly advise to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.
  • Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So the BFU-folder should be on your root. In most cases this is C:\
  • Download sidekickFix.bat (rightclick on this link and choose save as)
  • Place sidekickFix.bat in your C:\BFU - folder. (Important!)
  • Doubleclick sidekickFix.bat, Close all browsers and explorer folders.
  • Type Y for yes to start the fix and follow the prompts.
  • It will ask to reboot your computer, so please allow it to reboot.
-----------------
  • Download qoofix.bat (rightclick on this link and choose save as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Doubleclick qooFix.bat, Close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • It will ask to reboot your computer, so please allow it to reboot.
After the second reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cbbssgv.exe
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O18 - Filter: text/html - {0FA7FD6B-47C3-425B-AE30-36383F1C4503} - C:\WINDOWS\system32\ejrwx8drl.dll
O20 - AppInit_DLLs: repairs303169572.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
We'll need that later.

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\sms_msn.exe
C:\WINDOWS\system32\sms_msn40.exe
C:\WINDOWS\system32\ngpw40.exe
C:\WINDOWS\system32\ejrwx8drl.dll

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
---------------
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Reboot back to normal mode.

After reboot, post the contents of the log from Dr.Web you saved previously in your next reply together with a new hijackthislog.

Edited by miekiemoes, 22 May 2006 - 04:50 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 28 May 2006 - 05:21 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 04 June 2006 - 12:19 PM

Reopened.. Please perform my above steps. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Help Wanted

Help Wanted
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 04 June 2006 - 03:10 PM

Thank you so much for your help. I found your instructions to be extemely well expressed. Unfortunately things didn't seem to be going away. Ssk stuck around for the whole process -- it wouldn't go away. And the DrWeb log is the scariest thing I've ever seen.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:58:45 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinlqez.exe FI003
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe




and here is the DrWeb.csv log:

swinlqez.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Deleted.;
repairs303169590.dll;C:\WINDOWS\system32;Probably MULDROP.Trojan;Incurable.Will be deleted after reboot.;
Ssk.exe;C:\Documents and Settings\Nanou\Local Settings\Temp\temp.fr9777;Adware.Surfside;Incurable.Deleted.;
SskBho.dll;C:\Documents and Settings\Nanou\Local Settings\Temp\temp.fr9777;Adware.Surfside;Incurable.Deleted.;
SskCore.dll;C:\Documents and Settings\Nanou\Local Settings\Temp\temp.fr9777;Adware.Surfside;Incurable.Deleted.;
i32.tmp;C:\Documents and Settings\Roberta\Local Settings\Temp;Adware.Surfside;Incurable.Deleted.;
i74.tmp;C:\Documents and Settings\Roberta\Local Settings\Temp;Adware.Surfside;Incurable.Deleted.;
u10E.tmp;C:\Documents and Settings\Roberta\Local Settings\Temp;Adware.Surfside;Incurable.Deleted.;
u110.tmp;C:\Documents and Settings\Roberta\Local Settings\Temp;Adware.Surfside;Incurable.Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Deleted.;
Catcher.dll;C:\Program Files\DNS;Adware.Maxifiles;Incurable.Deleted.;
cwebpage.dll;C:\Program Files\DNS;Adware.Maxifiles;Incurable.Deleted.;
patchw32.dll;C:\Program Files\Quicken;Probably WIN.WORM.Virus;Incurable.Deleted.;
A0037630.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP212;Adware.EliteMedia;Incurable.Deleted.;
A0037686.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP213;Adware.EliteMedia;Incurable.Deleted.;
A0037730.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP215;Adware.EliteMedia;Incurable.Deleted.;
A0037750.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP217;Adware.EliteMedia;Incurable.Deleted.;
A0037773.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP218;Adware.EliteMedia;Incurable.Deleted.;
A0037794.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP219;Adware.EliteMedia;Incurable.Deleted.;
A0037823.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP220;Adware.ClickSpring;Incurable.Deleted.;
A0038733.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP221;Adware.Maxifiles;Incurable.Deleted.;
A0038734.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP221;Adware.Maxifiles;Incurable.Deleted.;
A0038740.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP221;Adware.EliteMedia;Incurable.Deleted.;
A0039725.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP221;Adware.Maxifiles;Incurable.Deleted.;
A0039727.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP221;Adware.Maxifiles;Incurable.Deleted.;
A0039742.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP222;Adware.EliteMedia;Incurable.Deleted.;
A0040727.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP223;Adware.EliteMedia;Incurable.Deleted.;
A0040734.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP223;Adware.Maxifiles;Incurable.Deleted.;
A0040735.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP223;Adware.Maxifiles;Incurable.Deleted.;
A0040781.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP224;Adware.EliteMedia;Incurable.Deleted.;
A0041730.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP224;Adware.Maxifiles;Incurable.Deleted.;
A0041731.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP224;Adware.Maxifiles;Incurable.Deleted.;
A0042739.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP224;Adware.Maxifiles;Incurable.Deleted.;
A0042740.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP224;Adware.Maxifiles;Incurable.Deleted.;
A0042761.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP224;Adware.EliteMedia;Incurable.Deleted.;
A0042766.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP225;Adware.EliteMedia;Incurable.Deleted.;
A0043737.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP225;Adware.Maxifiles;Incurable.Deleted.;
A0043738.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP225;Adware.Maxifiles;Incurable.Deleted.;
A0043762.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.EliteMedia;Incurable.Deleted.;
A0044738.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.Maxifiles;Incurable.Deleted.;
A0044739.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.Maxifiles;Incurable.Deleted.;
A0045738.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.Maxifiles;Incurable.Deleted.;
A0045739.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.Maxifiles;Incurable.Deleted.;
A0045768.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.Maxifiles;Incurable.Deleted.;
A0045769.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.Maxifiles;Incurable.Deleted.;
A0045789.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP226;Adware.MediaTicket;Incurable.Deleted.;
A0046765.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.Maxifiles;Incurable.Deleted.;
A0046766.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.Maxifiles;Incurable.Deleted.;
A0046779.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.ZenoSearch;Incurable.Deleted.;
A0046809.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.Surfside;Incurable.Deleted.;
A0046810.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.Surfside;Incurable.Deleted.;
A0046811.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.Surfside;Incurable.Deleted.;
A0046823.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.Maxifiles;Incurable.Deleted.;
A0046824.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP228;Adware.Maxifiles;Incurable.Deleted.;
A0046838.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP229;Trojan.DownLoader.6271;Deleted.;
A0047063.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP230;Adware.Surfside;Incurable.Deleted.;
A0047095.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP230;Adware.Maxifiles;Incurable.Deleted.;
A0047096.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP230;Adware.Maxifiles;Incurable.Deleted.;
A0047102.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP230;Trojan.DownLoader.6271;Deleted.;
A0047252.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP231;Trojan.DownLoader.6271;Deleted.;
A0047266.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP231;Adware.Surfside;Incurable.Deleted.;
A0047267.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP231;Adware.Surfside;Incurable.Deleted.;
A0047268.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP231;Adware.Surfside;Incurable.Deleted.;
A0047269.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP231;Adware.Surfside;Incurable.Deleted.;
A0047271.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP231;Adware.Surfside;Incurable.Deleted.;
A0047341.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP232;Adware.Maxifiles;Incurable.Deleted.;
A0047342.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP232;Adware.Maxifiles;Incurable.Deleted.;
A0049279.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP234;Trojan.Qoologic;Deleted.;
A0049309.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP234;Adware.Maxifiles;Incurable.Deleted.;
A0049311.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP234;Adware.Maxifiles;Incurable.Deleted.;
A0049319.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP234;Adware.EliteMedia;Incurable.Deleted.;
A0050322.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP234;Trojan.Qoologic;Deleted.;
A0050326.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP234;Trojan.Qoologic;Deleted.;
A0050344.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP235;Adware.Maxifiles;Incurable.Deleted.;
A0050345.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP235;Adware.Maxifiles;Incurable.Deleted.;
A0051330.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP236;Adware.Maxifiles;Incurable.Deleted.;
A0051331.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP236;Adware.Maxifiles;Incurable.Deleted.;
A0051397.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP239;Adware.ZenoSearch;Incurable.Deleted.;
A0051492.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Trojan.DownLoader.5580;Deleted.;
A0051494.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Adware.Maxifiles;Incurable.Deleted.;
A0051495.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Adware.Maxifiles;Incurable.Deleted.;
A0051516.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Trojan.MulDrop.3071;Deleted.;
A0051527.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Adware.Maxifiles;Incurable.Deleted.;
A0051528.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Adware.Maxifiles;Incurable.Deleted.;
A0051533.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Trojan.Maxi;Incurable.Moved.;
A0051536.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP242;Adware.TargetServer;Incurable.Deleted.;
A0052665.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP256;Adware.ZenoSearch;Incurable.Deleted.;
A0054167.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP262;Adware.QuickLinks;Incurable.Deleted.;
A0054173.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP262;Adware.Yavak;Incurable.Deleted.;
A0054174.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP262;Adware.ClickSpring;Incurable.Deleted.;
A0054758.exe\data001;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP268\A0054758.exe;Adware.Yavak;;
A0054758.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP268;Archive contains infected objects;Moved.;
A0054761.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP268;Adware.QuickLinks;Incurable.Deleted.;
A0054776.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP268;Adware.QuickLinks;Incurable.Deleted.;
A0054834.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP270;Adware.Surfside;Incurable.Deleted.;
A0054901.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP271;Adware.Casclient;Incurable.Deleted.;
A0054913.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP271;Trojan.DownLoader.6077;Deleted.;
A0054930.exe;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP272;Adware.Surfside;Incurable.Deleted.;
A0054931.dll;C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP272;Adware.Surfside;Incurable.Deleted.;
eliteunstall.exe;C:\WINDOWS;Adware.EliteMedia;Incurable.Deleted.;
htwfdr.exe;C:\WINDOWS;Trojan.DownLoader.3945;Deleted.;
idlemg.exe;C:\WINDOWS;Trojan.DownLoader.5013;Deleted.;
mvtiyl.exe;C:\WINDOWS;Probably DLOADER.Trojan;Incurable.Deleted.;
bk.exe;C:\WINDOWS\system32;Adware.Surfside;Incurable.Deleted.;
kwinlsai.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Deleted.;
kwinlsaw.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Deleted.;
mwinqrag.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Deleted.;
pwinkraf.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Deleted.;
pwinkrag.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Deleted.;
pwinkrez.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Deleted.;
qjdsregm.exe;C:\WINDOWS\system32;Trojan.DownLoader.6077;Deleted.;
qpdsregl.exe;C:\WINDOWS\system32;Trojan.DownLoader.6077;Deleted.;
qrdsregk.exe;C:\WINDOWS\system32;Trojan.DownLoader.6077;Deleted.;
repairs303169590.dll;C:\WINDOWS\system32;Probably MULDROP.Trojan;Incurable.Will be deleted after reboot.;
rkdsregm.exe;C:\WINDOWS\system32;Trojan.DownLoader.6077;Deleted.;




Once again, thank you so much.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 04 June 2006 - 03:31 PM

Ok, let's see if its uninstaller still works, so perform next:

Go to start > run and copy and paste next command in the field:

"C:\Program Files\SurfSideKick 3\Ssk.exe" /u

Then hit enter.
Normally a little window should open, asking you to enter a code you'll find in the same window.
Please do so.
Then reboot!! Really important!!

Post a new hijackthislog in your next reply.

If above didn't open a small window to enter a code etc..
Perform next step again - please make sure you perform it exactly as described.
  • Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So the BFU-folder should be on your root. In most cases this is C:\
  • Download sidekickFix.bat (rightclick on this link and choose save as)
  • Place sidekickFix.bat in your C:\BFU - folder. (Important!)
  • Doubleclick sidekickFix.bat, Close all browsers and explorer folders.
  • Type Y for yes to start the fix and follow the prompts.
  • It will ask to reboot your computer, so please allow it to reboot.
  • After the PC has restarted please post another hijackthis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Help Wanted

Help Wanted
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 04 June 2006 - 03:58 PM

To make sure I understand correctly:

I am re-downloading BFU and sidekickfix.bat? Not using my current version?

Do I delete? Overwrite? Create a different folder?

Thanks.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 04 June 2006 - 05:16 PM

No, don't redownload BFU. Just make sure it's on your C:\ in a folder called BFU.

Also, let me know if the fix asked to reboot - that's how I am sure it really ran.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Help Wanted

Help Wanted
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 08 June 2006 - 08:01 PM

After I ran sidekickfix it asked me to reboot. But, as you can see, sidekick is still on the computer.

Logfile of HijackThis v1.99.1
Scan saved at 5:57:54 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinlqez.exe FI003
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 09 June 2006 - 12:14 AM

Not sure what is causing this, but I guess you are doing something wrong here, or McAfee interfered with it.

Try next:

* Download Combofix.zip
Unzip it to its own folder.
Read here how to unzip/extract properly.
Open the Combofix folder and doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Help Wanted

Help Wanted
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 14 June 2006 - 09:13 PM

The lik to Combofix.zip is ot working. I get taken to a bleepingcomputer error page every time. All links to combofix on Google seem to all point o bleepingcomputer, but I can't acess the file.

I made sure McAfee was not running and ran Sidekickfix again. Surf Sidekick seems to be as strong as ever. Many popups. Should I run sidekickfix in Safe Mode?

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 15 June 2006 - 12:29 AM

Hi,

Try this link:

http://download.bleepingcomputer.com/sUBs/combofix.exe
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 21 June 2006 - 03:56 AM

Problem solved?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 Help Wanted

Help Wanted
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 21 June 2006 - 09:22 PM

Thanks so much for your help and patience. I do believe that combofix did the trick. I do believe McAfee was somehow interfering with sidekickfix, even though I had exited it. When I ran comofix, McAfee somehow stopped the process, so I clicked, "Run script completely." When cobofix rebooted and started again, McAfee did this again. I once again told it to ignore and run the whole script.

Here's the HJT log. I don't see sidekick or anything.

Logfile of HijackThis v1.99.1
Scan saved at 7:17:57 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\AIM\aim.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinlqez.exe FI003
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe



Thanks so much.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 AM

Posted 22 June 2006 - 12:23 AM

Hello,

Can you post the log from combofix please?
It is present on your C:\ with the name combofix.txt
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users