
Can't Get Rid Of Surfsidekick


  • This topic is locked
4 replies to this topic

#1 cutt

cutt

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:50 PM

Posted 30 August 2006 - 05:02 PM

Thanks for the help, great site!!

I ran Ad-Aware, Spybot S&D and PC-cillin and can't get rid of SurfSideKick; the file always says it is in use.

Here is my HJT Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:56:06 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\{486B629E-0A60-1033-0519-030429200001}\Update.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Epson] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P5 "Epson" /O16 "IP_192.168.0.4P1" /M "Stylus CX4600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: 00THotkey.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\fp0m03d1e.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
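As an added example (not part of this thread, and not HijackThis or ComboFix code), a small Python triage of the HijackThis log format posted above: it parses the O4, O20, R3 and O2 sections, flags the AppInit_DLLs and Winlogon Notify loaders (the latter is loaded by winlogon.exe, which is why the file "says it is in use"), unnamed browser hooks, and any image started from both HKLM and HKCU Run, as Ssk.exe is here. The sample lines are constructed from the posted log, and the per-section regexes are my reading of HijackThis 1.99's line layout.

```python
"""Triage of a HijackThis 1.99 log: extract the auto-start entries and flag the
persistence mechanisms that most often carry adware such as SurfSideKick.
Added example for this thread (not HijackThis/ComboFix code); the sample
below is constructed from lines of the log posted above."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\fp0m03d1e.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One regex per HijackThis section we care about (section prefix, then " - ").
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")
BROWSER_RE = re.compile(r"^(?:R3|O2) - (URLSearchHook|BHO): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def image_path(command: str) -> str:
    """Reduce a Run value to the launched image path, lower-cased and unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.lower()
    # Unquoted value: arguments, if any, start at the first " /" or " -" switch.
    return re.split(r" [/-]", command, maxsplit=1)[0].lower()


def triage(log_text: str) -> list[dict]:
    """Return findings: mechanism, why it matters to a defender, and evidence lines."""
    findings = []
    run_hives = defaultdict(set)    # image path -> {"HKLM", "HKCU"}
    run_lines = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            hive, _key, _name, command = m.groups()
            image = image_path(command)
            run_hives[image].add(hive)
            run_lines[image].append(line)
        elif m := APPINIT_RE.match(line):
            findings.append({
                "mechanism": "AppInit_DLLs", "value": m.group(1).strip(),
                "risk": "loaded into every process that links user32.dll; a bare "
                        "file name is resolved from the system directory",
                "evidence": [line]})
        elif m := NOTIFY_RE.match(line):
            findings.append({
                "mechanism": "Winlogon Notify", "value": m.group(2).strip(),
                "risk": "loaded by winlogon.exe at logon and held open for the whole "
                        "session, so deleting the DLL from a running system fails",
                "evidence": [line]})
        elif (m := BROWSER_RE.match(line)) and m.group(2) == "(no name)":
            findings.append({
                "mechanism": f"{m.group(1)} (no name)", "value": m.group(4).strip(),
                "risk": "unnamed browser extension; confirm the DLL's vendor",
                "evidence": [line]})
    # Same image started from both hives: removing one Run value is not enough.
    for image, hives in run_hives.items():
        if len(hives) > 1:
            findings.append({
                "mechanism": "Run (HKLM+HKCU)", "value": image,
                "risk": "started from both hives; clearing one leaves it "
                        "relaunching after reboot",
                "evidence": run_lines[image]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['mechanism']}] {f['value']}\n    {f['risk']}")
```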


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:50 AM

Posted 31 August 2006 - 08:34 AM

Hello and welcome to the forums :thumbsup:

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 cutt

cutt
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:50 PM

Posted 31 August 2006 - 03:56 PM

Here is the ComboFix log:

Cutt - 06-08-31 16:21:08.79
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Cutt\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{423B5411-6AA5-4B16-8F82-DCBBC11940F8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{423B5411-6AA5-4B16-8F82-DCBBC11940F8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{423B5411-6AA5-4B16-8F82-DCBBC11940F8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{423B5411-6AA5-4B16-8F82-DCBBC11940F8}\InprocServer32]
@="C:\\WINDOWS\\system32\\sylwid.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\aei3d1ag.dll
C:\WINDOWS\system32\bnpanui.dll
C:\WINDOWS\system32\djskcopy.dll
C:\WINDOWS\system32\enlql1351.dll
C:\WINDOWS\system32\f0j2la1o1d.dll
C:\WINDOWS\system32\fnl0213mg.dll
C:\WINDOWS\system32\h40q0ed5eh0.dll
C:\WINDOWS\system32\hfpertrm.dll
C:\WINDOWS\system32\iQsrecst.dll
C:\WINDOWS\system32\ir44l5hq1.dll
C:\WINDOWS\system32\j0l4la3q1d.dll
C:\WINDOWS\system32\kcdca.dll
C:\WINDOWS\system32\lv0609dse.dll
C:\WINDOWS\system32\m6julg1916.dll
C:\WINDOWS\system32\mcxml2r.dll
C:\WINDOWS\system32\mntRate.dll
C:\WINDOWS\system32\MUJET35.DLL
C:\WINDOWS\system32\mzutilse.dll
C:\WINDOWS\system32\ngtman.dll
C:\WINDOWS\system32\q0680ajuedo80.dll
C:\WINDOWS\system32\q4rq0e95eh.dll
C:\WINDOWS\system32\qjvd.dll
C:\WINDOWS\system32\sdbiop.dll
C:\WINDOWS\system32\sucurity.dll
C:\WINDOWS\system32\sylwid.dll
C:\WINDOWS\system32\vdr.dll
C:\WINDOWS\system32\wsn87em.dll
C:\WINDOWS\system32\wwcsvc.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\Cutt\Application Data\Sskdmns.dll
C:\Documents and Settings\Cutt\Application Data\Sskknwrd.dll
C:\Documents and Settings\Cutt\Application Data\Sskuknwrd.dll
C:\WINDOWS\system32\bk.exe
C:\Program Files\surfsidekick 3\Ssk.exe
C:\Program Files\surfsidekick 3\SskBho.dll
C:\Program Files\surfsidekick 3\SskCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\tsuninst.exe
C:\deskbar.exe
C:\WINDOWS\system32bez6n4r21.exe
C:\WINDOWS\uninst104.exe
C:\Program Files\Deskbar
C:\Program Files\PSLister
C:\Program Files\Common Files\{486B629E-0A60-1033-0519-030429200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Cutt\My Documents\SMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


2006-08-30 17:02 236,561 -r--s---- C:\WINDOWS\system32\f02mlaf11d2.dll
2006-08-30 15:28 302 --a------ C:\restore.reg
2006-08-30 15:21 86,016 --------- C:\WINDOWS\unvise32.exe
2006-08-30 14:49 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-08-30 14:49 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-08-30 14:49 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-08-30 14:49 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-08-29 08:03 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-29 08:03 303,104 --a------ C:\WINDOWS\system32\rlls.dll
2006-08-29 08:03 1,150,976 --a------ C:\WINDOWS\system32\rlvknlg.exe
2006-08-29 07:59 53,248 --a------ C:\topaff.exe
2006-08-29 07:59 283,728 -r-hs---- C:\WINDOWS\fmzrjgg.exe
2006-08-29 07:59 186,219 --a------ C:\WINDOWS\srvebjwvfo.exe
2006-08-29 07:59 159,744 --a------ C:\WINDOWS\sys101214997150.exe
2006-08-28 22:51 159,744 --a------ C:\WINDOWS\ms049971501214.exe
2006-08-28 22:50 25 --a------ C:\WINDOWS\win320715012149972006.exe
2006-08-28 22:13 159,744 --a------ C:\WINDOWS\sys034997150121.exe
2006-08-28 21:42 45,056 --a------ C:\WINDOWS\system32fufudc.exe
2006-08-28 21:42 28,672 --a------ C:\WINDOWS\system32ra8pv.exe
2006-08-28 21:42 24,576 --a------ C:\WINDOWS\system32ha3f.exe
2006-08-28 21:39 24,576 --a------ C:\WINDOWS\system32\ha3f.exe
2006-08-28 21:38 61,952 --a------ C:\WINDOWS\system32\pwmb1850.dll
2006-08-28 21:38 186,223 --a------ C:\WINDOWS\srvfulxeex.exe
2006-08-28 21:38 1,233 --a------ C:\WINDOWS\system32\pwmb1850.sys
2006-08-28 21:35 53,120 --a------ C:\WINDOWS\srvpmrxxvu.exe
2006-08-28 21:35 365,568 --a------ C:\814.exe
2006-08-28 21:35 32,768 --a------ C:\WINDOWS\unstall.exe
2006-08-28 21:35 215,308 --a------ C:\WINDOWS\srvcehuqay.exe
2006-08-28 21:35 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2006-08-28 21:34 139,264 --a------ C:\WINDOWS\MirarSetup_876075.exe
2006-08-28 21:34 115,160 --a------ C:\WINDOWS\Eim03.exe
2006-08-21 16:48 53,248 --a------ C:\WINDOWS\uni_ehhhh.exe
2006-08-21 11:36 78,848 --a------ C:\WINDOWS\system32\nsw551.dll
2006-07-31 12:25 24,576 --a------ C:\WINDOWS\system32\ewxcksr.exe
2006-07-31 12:25 1,142,784 --a------ C:\WINDOWS\system32\kcnzrop6.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-31 16:24 -------- d-a------ C:\Program Files\Common Files
2006-08-30 17:56 -------- d-------- C:\Program Files\HijackThis
2006-08-30 14:53 -------- d-------- C:\Program Files\HaxFix
2006-08-30 13:48 -------- d-------- C:\Program Files\Trend Micro
2006-08-29 09:22 -------- d-------- C:\Program Files\rc6xhba4
2006-08-29 09:20 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-29 09:14 -------- d-------- C:\Program Files\Common Files\mwkf
2006-08-29 08:42 -------- d-------- C:\Program Files\Windows Media Player
2006-08-29 08:42 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-28 21:51 -------- d-------- C:\Program Files\Cosmi
2006-08-26 17:24 -------- d-------- C:\Program Files\QUICKENW
2006-08-16 17:20 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-08-16 17:20 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-08-16 16:51 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-08-07 22:29 -------- d-------- C:\Program Files\Oberon Media
2006-07-25 17:24 -------- d-------- C:\Program Files\Replay7
2006-07-25 17:18 737280 --a------ C:\WINDOWS\iun6002.exe
2006-07-20 10:01 -------- d---s---- C:\Documents and Settings\Cutt\Application Data\Microsoft
2006-07-13 15:23 -------- d-------- C:\Program Files\Burn4Free
2006-07-13 14:58 -------- d-------- C:\Program Files\Ahead
2006-07-13 14:34 -------- d-------- C:\Program Files\Internet Explorer
2006-07-13 14:22 -------- d-------- C:\Program Files\Messenger
2006-07-13 14:21 -------- d-------- C:\Program Files\Movie Maker
2006-07-13 14:15 -------- d-------- C:\Program Files\NetMeeting
2006-07-13 14:14 -------- d-------- C:\Program Files\Windows NT
2006-07-13 14:14 -------- d-------- C:\Program Files\Outlook Express
2006-07-13 14:14 -------- d-------- C:\Program Files\Common Files\System
2006-07-05 15:40 -------- d-------- C:\Program Files\Microsoft IntelliPoint 5.5
2006-07-05 15:40 -------- d-------- C:\Program Files\Microsoft IntelliPoint
2006-07-03 18:29 -------- d-------- C:\Program Files\NETGEAR Print Server Utility
2006-07-03 12:03 1065 --a------ C:\Documents and Settings\Cutt\Application Data\AdobeDLM.log
2006-07-03 12:03 0 --a------ C:\Documents and Settings\Cutt\Application Data\dm.ini
2006-07-03 11:43 -------- d-------- C:\Program Files\Yahoo!


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4600 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P35 \"EPSON Stylus CX4600 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus CX4600\""
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PmProxy"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"EPSON Stylus CX4600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB001\" /M \"Stylus CX4600\""
"Epson"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P5 \"Epson\" /O16 \"IP_192.168.0.4P1\" /M \"Stylus CX4600\""
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"sunb"="C:\\WINDOWS\\System32\\sunb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"SurfSideKick 3"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\pogovupup.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows Media Player\\medes.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Billminder.lnk"
"backup"="C:\\WINDOWS\\pss\\Billminder.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\QUICKENW\\BILLMIND.EXE -startup"
"item"="Billminder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Startup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\QUICKENW\\QWDLLS.EXE "
"item"="Quicken Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Cutt^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
"path"="C:\\Documents and Settings\\Cutt\\Start Menu\\Programs\\Startup\\WinMySQLadmin.lnk"
"backup"="C:\\WINDOWS\\pss\\WinMySQLadmin.lnkStartup"
"location"="Startup"
"command"="C:\\mysql\\bin\\WINMYS~1.EXE "
"item"="WinMySQLadmin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"tmproxy"=dword:00000002
"TmPfw"=dword:00000002
"Tmntsrv"=dword:00000002
"SoundMAX Agent Service (default)"=dword:00000002
"PcCtlCom"=dword:00000002
"MySql"=dword:00000002
"MDM"=dword:00000002
"iPodService"=dword:00000003
"IDriverT"=dword:00000003
"DVD-RAM_Service"=dword:00000002
"Brother XP spl Service"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"SurfSideKick 3"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"



Completion time: Thu 08/31/2006 16:25:07.57
ComboFix.txt

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:50 AM

Posted 01 September 2006 - 06:03 AM

Let's continue :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

==

2. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

4. Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
==

5. IMPORTANT: Do not open any other windows or programs while Ewido is scanning, as it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • Ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HijackThis log. :flowers:
Hi there, stranger!

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:50 AM

Posted 15 September 2006 - 06:01 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
Hi there, stranger!