[hoss]

Hey guys, you've helped me before so hopefully you can again! Thanks again guys!

I've run adware, spybot, and cwshredder...

here is my hjthislog...

Logfile of HijackThis v1.99.1
Scan saved at 3:52:07 PM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\LiveUpdate\LiveUpdate.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [lwq] C:\WINDOWS\System32\lwq.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [BTCLiveUpdate] "C:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111392257640
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Advertisements]

Hi hoss,

I'm working on your log, as soon as another staff member reviews it I'll post a reply. Thank you for your patience.

Regards,

Armodeluxe

[Armodeluxe]

Hi hoss,

I'm working on your log, as soon as another staff member reviews it I'll post a reply. Thank you for your patience.

Regards,

Armodeluxe

[hoss]

notta prob!! Thanks for takin the time to look!

[Armodeluxe]

Hi hoss, welcome to GeeksToGo

Please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here.

Regards,

Armodeluxe

[hoss]

Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\HOSS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\Ssk.log
Adware:adware/winstat No disinfected C:\WINDOWS\SYSTEM32\WinStat12.dll
Adware:adware/navhelper No disinfected HKEY_CLASSES_ROOT\CLSID\{BDF3E430-B101-42AD-A544-FADC6B084872}
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Hoss\Desktop\SSK3_B5 Verticlick 8.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Hoss\installer_MARKETING35.exe
Virus:Trj/Downloader.CZM Disinfected C:\Documents and Settings\Hoss\Local Settings\Temp\360.tmp
Virus:Trj/Downloader.CZM Disinfected C:\Documents and Settings\Hoss\Local Settings\Temp\45A.tmp
Virus:Trj/Downloader.CZM Disinfected C:\Documents and Settings\Hoss\Local Settings\Temp\5E0.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Hoss\Local Settings\Temp\i66.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\Ssk.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
Virus:Trj/Downloader.DHO Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\epx30104.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\epx30105.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\lkejd.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\lwq.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\lwqaeg05.dll
Adware:Adware/Winstat No disinfected C:\WINDOWS\system32\WinStat11.dll
Adware:Adware/Winstat No disinfected C:\WINDOWS\system32\WinStat12.dll

[Armodeluxe]

Hi hoss

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Copy everything in the quote box below (Starting with REGEDIT4) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the 'Save As Type' to 'All Files'. Save it as fixme.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"lwq"=-

Double-click fixme.reg on your desktop. When asked if you want to merge with the registry click YES. After the merged successfully prompt please continue with the instructions below.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [lwq] C:\WINDOWS\System32\lwq.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab


Close HiJackThis.

*Please download CleanUp. We will use it later.

* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

*Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

* Go to Control Panel > Add/Remove Programs and uninstall these. If you get prompted to reboot to complete the uninstall, don't reboot yet.

SurfSideKick 3
Viewpoint
* Navigate to and delete these folders:

C:\Program Files\SurfSideKick 3
C:\Program Files\Viewpoint

* Run Cleanup and delete all temporary files.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\WinStat11.dll
C:\WINDOWS\system32\WinStat12.dll
C:\WINDOWS\system32\epx30104.exe
C:\WINDOWS\system32\epx30105.exe
C:\WINDOWS\system32\lkejd.exe
C:\WINDOWS\system32\lwq.exe
C:\WINDOWS\system32\lwqaeg05.dll
C:\Documents and Settings\Hoss\Desktop\SSK3_B5 Verticlick 8.exe
C:\Documents and Settings\Hoss\installer_MARKETING35.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at the PendingRenameOperations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post a new HiJackThis log.

[Armodeluxe]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.