
HJT log - 'issues' with spyware/malware etc on pc

Discussion in 'Malware and Virus Removal Archive' started by deyve, 2006/03/19.

  1. 2006/03/19 - deyve (Thread Starter)
    Hi there,

    I'm hoping someone here may be able to help me out.

    I stupidly attempted to use LimeWire a few days ago, as a friend had told me it no longer had pop-ups/spyware/malware etc.

    Not so... after launching, within minutes my laptop was chock full of **** everywhere.

    OK, so since then a friend has advised me of some programs to download and use. Some of them won't run after I download them; I get an error message saying 'xxxxfile is not a valid Win32 application'. Further to this, I am unable to load anything from the icons on my desktop, although that was happening before LimeWire. If I try to open a file I get an error saying I don't have the proper access levels or something, but I can move the file from the desktop to a My Computer folder and open it fine...
    I'm also getting a pop-up here and there saying I have the Blackworm virus.
    I don't know if this is a real error, and my Norton is not running as I need a new rego code...

    Anyway, so I have been able to run Ad-Aware and Spybot Search & Destroy.

    I also ran 'Registry Mechanic'. All 3 of these tools removed over a hundred files of various types, including malware, but I get an error message in both Spybot and Ad-Aware saying there are files they cannot remove and to try again after a restart.
    The one that comes up in Ad-Aware is called: C:\WINDOWS\system32\k4620ejoehoc0.dll

    The ones from Spybot:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    My friend got me to do a HijackThis scan prior to using the tools and said I should post this latest one here..
    So here it is >

    Logfile of HijackThis v1.99.1
    Scan saved at 1:07:29 AM, on 20/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\system32\csrrs.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\eMule\emule.exe
    C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD2.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [csr] csrrs.exe
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - Startup: trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Global Startup: svchost.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O17 - HKLM\System\CCS\Services\Tcpip\..\{47BCBB57-CFA2-445F-BCCB-CADE3F4FD1B0}: NameServer = 202.126.103.238
    O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\k4620ejoehoc0.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

    Any ideas on what I can do to get this stuff off my PC? :(

    I swear, no more LimeWire-ish downloads :p

    Any help would be great!

    Thanks

    Deyve
     
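    The log above contains the entries a responder would pick out first: two copies of Windows system binary names starting from the Global Startup folder, a "csrrs.exe" one letter away from csrss.exe in both Run and RunServices, a Winlogon Notify DLL with a generated-looking name, a hard-coded public DNS server, and a service whose image is missing. The script below is an added example, written for this page and not part of the original post or of HijackThis; it applies those checks to O4/O17/O20/O23 lines and reports why each entry is suspicious. The system-name list, the "rundll32.exe is fine without a path" allowance and the letters-and-digits "looks random" rule are the editor's assumptions, and the sample input is constructed from the posted log so the script runs offline. The same questions (is the name a lookalike, is the path where that binary should live, is the file present) are what you answer by hand in Autoruns' Logon tab.

```python
"""Triage HijackThis (HJT) log lines for the entry types this thread turns on.

Added example, not part of the original post and not a HijackThis feature.  The
allow-lists and the 'looks random' rule are the editor's assumptions.
"""
import ipaddress
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section target reason")

# Assumption: core XP binaries that never start from a Startup folder and that
# malware imitates, either by exact name in the wrong place or by a one-letter tweak.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "wmplayer.exe"}
# Assumption: path-less launch strings that are normal in Run keys.
BARE_OK = {"rundll32.exe"}

# Constructed sample: O4/O17/O20/O23 lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - Startup: trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: wmplayer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{47BCBB57-CFA2-445F-BCCB-CADE3F4FD1B0}: NameServer = 202.126.103.238
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\k4620ejoehoc0.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

_O4 = re.compile(r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
_O17 = re.compile(r"NameServer = (?P<ns>[\d.,]+)")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def edit_distance(a, b):
    """Levenshtein distance; enough to catch csrrs.exe as a tweak of csrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_of(cmd):
    """Image path from an O4 launch string (the shortcut target for 'x.lnk = target')."""
    if " = " in cmd:
        cmd = cmd.split(" = ", 1)[1]
    m = re.match(r'"?(?P<p>.*?\.(?:exe|dll|bat|cmd|scr))\b', cmd, re.I)
    return m.group("p") if m else cmd.strip('"')


def looks_random(stem):
    """Assumption: letters and digits interleaved several times reads as generated."""
    runs = len(re.findall(r"[a-z]+|\d+", stem.lower()))
    return sum(c.isdigit() for c in stem) >= 2 and runs >= 4


def triage(log_text):
    """Return the entries a responder should check first, with the reason for each."""
    out = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if (m := _O4.match(line)):
            loc, image = m.group("loc"), image_of(m.group("cmd"))
            base, bare = ntpath.basename(image).lower(), "\\" not in image
            if base in SYSTEM_NAMES and ("Startup" in loc or bare):
                out.append(Finding("O4", image, "system binary name in a Startup folder or without a path: masquerade"))
            elif any(edit_distance(base, s) == 1 for s in SYSTEM_NAMES):
                out.append(Finding("O4", image, "one-character lookalike of a Windows process name"))
            elif bare and base not in BARE_OK:
                out.append(Finding("O4", image, "path-less launch string; find the file before trusting it"))
            if loc.endswith("RunServices"):
                out.append(Finding("O4", image, "RunServices is a Windows 9x key; XP-era software seldom uses it"))
        elif line.startswith("O17") and (m := _O17.search(line)):
            for ns in m.group("ns").split(","):
                if ipaddress.ip_address(ns).is_global:
                    out.append(Finding("O17", ns, "hard-coded public DNS server; confirm it is the ISP's (DNS hijack check)"))
        elif (m := _O20.match(line)):
            path = m.group("path")
            if looks_random(ntpath.splitext(ntpath.basename(path))[0]):
                out.append(Finding("O20", path, "Winlogon Notify DLL with a generated-looking name; loads at every logon"))
        elif (m := _O23.match(line)):
            rest = m.group("rest")
            if "(file missing)" in rest or "Unknown owner" in rest:
                out.append(Finding("O23", rest, "service with no known owner or with its image missing"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.target}\n     -> {f.reason}")
```

    Run it against a saved hijackthis.log by passing the file's contents to triage(); the Outpost, NVIDIA and Trillian entries come out clean, while the Startup-folder svchost.exe/wmplayer.exe, csrrs.exe, the k4620ejoehoc0.dll notify package, the 202.126.103.238 name server and the missing netmon.exe service are each reported with a reason. A hit is a lead to verify (check the file on disk, its signer and where it was written from), not a verdict.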
  2. 2006/03/19 - charlesvar (Alumni)
    Hello deyve,

    What I would do:

    Do you have a System Restore point from just prior to the installation of LimeWire?

    If so, restore back to that point. That will restore the registry and the Windows folder to the way they were before LimeWire and will eliminate any .exe files added to Program Files or anywhere else since that restore point, including the ones for Spybot and Ad-Aware, so you will have to reinstall any anti-malware apps again.

    Then run those anti-malware apps in Safe Mode - tap the F8 key on boot-up.

    Then repost the HJT log.

    Regards - Charles
     
    Last edited: 2006/03/19

  4. 2006/03/19 - deyve (Thread Starter)
    Hi Charles,

    Thanks for your info... but I should've mentioned, my System Restore was not on, so I cannot revert back..

    Prior to your reply I also tried to run Ad-Aware and Spybot in Safe Mode on the recommendation of a friend, which all worked, but again I couldn't remove a couple of files.

    Nothing seems to have improved; it's still pop-up city. :(

    Any other suggestions?
     
  5. 2006/03/20 - charlesvar (Alumni)
    Hi deyve,

    Download and scan with Ewido http://www.ewido.net/en/

    Install as a scanner only: under "Additional Options", uncheck "Install background guard" and "Install scan via context menu", and before using it, update it.

    Regards - Charles
     
  6. 2006/03/20 - deyve (Thread Starter)
    Hey Charles,

    I tried to get the Ewido happening, but it wouldn't open the file. It kept saying it was an incomplete download, even after I downloaded it a few times.

    My friend came and had a look at the comp and we found that it looks like 'SurfSideKick' is the main offender. We tried to remove it in various ways to no avail. Then I found >

    http://www.daniweb.com/techtalkforums/thread40636.html
    and tried to remove it via those instructions, but got to the part where you had to find the 'repair' DLL files and couldn't find any..

    I think I might just chuck the lappy out the window :p
     
  7. 2006/03/20 - charlesvar (Alumni)
    Hi deyve,

    Looked at your link - can't improve on that.

    Here's another tool: Autoruns. It shows auto-start locations. SurfSideKick and whatever other malware you have running is auto-starting from somewhere. This app does not install; it's an execute-and-run.

    http://www.sysinternals.com/Utilities/Autoruns.html

    The first obvious place to look is in the Logon tab, and then go from there. Run the tool in Safe Mode. You can either disable startups (use that if in doubt about whether an entry is legitimate or not) or delete them, which deletes the registry entry.

    "I think I might just chuck the lappy out the window"
    If it comes to it, do you have an XP install CD or a "recovery" CD from the OEM?

    Regards - Charles
     
  8. 2006/03/22 - deyve (Thread Starter)
    Hi Charles,

    Just wanted to say thanks and give an update. I am now spyware and malware free; SpyDoctor was the thing I needed all along.
    Got it last night and within half an hour all was OK again.

    Thanks again for your help!!

    You wouldn't happen to know anything about installing external DVD burners, would you? :p I hooked it up a few weeks ago, but Nero Burn Express doesn't recognise a disc being in the drive... the comp recognises the burner, however..

    As you can see, I'm easily frustrated by this stuff, so I have just ignored the burner til now :p

    Any suggestions would be great!

    Deyve
     
  9. 2006/03/22 - charlesvar (Alumni)
    Hi deyve,

    Glad you solved the problem.

    As a rule, I'm reluctant to recommend payware to people, because if the problem's not solved, you're out $$$ with nothing to show for it.

    Post your problem with the DVD burner in the Hardware section, where people with the interest and expertise will take a look at it. I do recall that there have been quite a number of problems with Nero lately.

    For the record, I have a DVD burner and have never had a problem - I use Roxio Easy Media Creator 7 Basic.

    Regards - Charles
     
    Last edited: 2006/03/22
  10. 2006/03/22 - deyve (Thread Starter)
    Thanks so much for your help, Charles.
    I'll give Hardware a go.

    :)
     
