
Have Yazzle Sudoku and SurfSideKick and cannot remove

Discussion in 'Malware and Virus Removal Archive' started by Aluinn, 2006/06/05.

  1. 2006/06/05
    Aluinn

    Aluinn Inactive Thread Starter

    Joined:
    2006/05/30
    Messages:
    14
    Likes Received:
    0
    Hello, this is my first post, so I apologize if I missed any steps in the posting process.

    This is my friend's computer and I am usually the person who is able to remove these programs, but this seems out of my league. I have the directions for removing Yazzle Sudoku and SurfSideKick on other similar posts, but they did not seem to work for me.

    I have downloaded HiJackThis but when I attempt to run it, I am getting a prompt stating "McAfee ActiveShield has detected a virus on your computer. We recommend that you use the Scan feature to scan all the drives of your computer." I would do this, except their virus scan needs to be renewed and they are currently on vacation, so I need some direction as to how to bypass this prompt.

    I also had SpyFalcon, but I believe that I have removed it.

    Here is the thread I followed previously:

    http://www.windowsbbs.com/showthread.php?t=54130

    I have used Ewido's latest version (twice), as well as the SmitfraudFix (also twice), CWShredder, Ad-aware and Spybot. None of these fixed the problem.

    I will be away from this computer until Wednesday, June 7th, but will check back on my computer before then. Please be patient for my responses and do not close this post if I do not reply right away. I have been working on this problem for well over a week now.

    Sorry for the windy post, and thank you for your time on this.
     
  2. 2006/06/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Aluinn
    Welcome to windowsbbs.

    Try running the HJT scan in safe mode.

    (To reboot into safe mode: restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.)

    Then save and post the log here.

    If that does not work, you will need to disable McAfee (you should be able to do so from the icon in your task bar) and then try to run the scan.
    Geri
     


  4. 2006/06/06
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Should be able to turn off McAfee in start > run > startup tab and uncheck all references to McAfee. Otherwise download Startup Control Panel and use it the same way. Turn it back on by reversing the process above.
     
  5. 2006/06/07
    Aluinn

    Aluinn Inactive Thread Starter

    Joined:
    2006/05/30
    Messages:
    14
    Likes Received:
    0
    Ok, finally got back to this computer. Thank you for your patience. I had to totally uninstall McAfee to bypass it. Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:27:09 PM, on 6/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\mcafee.com\agent\McAgent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\kwinrqez.exe
    C:\WINDOWS\SYSTEM32\pqdsregm.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ipwins\ipwins.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\STEM~1\chkntfs.exe
    C:\Program Files\?ppPatch\?pool32.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\GreatMemo\GreatMemo.exe
    C:\Program Files\Weather\Weather.exe
    C:\WINDOWS\SYSTEM32\kwinrqez.exe
    C:\WINDOWS\TW9tbXkgVm9nZWw\command.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\AIM\smime3.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Mommy Vogel\Desktop\HijackThis.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\kwinrqez.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tcklb.exe
    F2 - REG:system.ini: UserInit=userinit.exe,ewrolfw.exe
    O2 - BHO: (no name) - {5EDF5A78-C2EE-964A-9D98-94FC29FFBD94} - C:\WINDOWS\system32\eqfa.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [v7sO35U] cdfsnap.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [enymaerA] C:\WINDOWS\enymaerA.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [wf8a3c55.dll] RUNDLL32.EXE wf8a3c55.dll,I2 0011b1430f8a3c55
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinrqez.exe GID003
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
    O4 - HKLM\..\Run: [{96-62-2D-D7-ZN}] C:\WINDOWS\SYSTEM32\pqdsregm.exe GID003
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [w002a35a.dll] RUNDLL32.EXE w002a35a.dll,I2 0011b1430002a35a
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe "
    O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\STEM~1\chkntfs.exe" -vt ndrv
    O4 - HKCU\..\Run: [Omdm] C:\Program Files\?ppPatch\?pool32.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
    O4 - Startup: GreatMemo.lnk = C:\Program Files\GreatMemo\GreatMemo.exe
    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinrqez.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\pqdsregm.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING32.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3735352D2D2D.exe
    O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0035.exe
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/budsinc/grinstall_budsinc1001_sp2.cab
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0006.exe
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
    O20 - AppInit_DLLs: repairs303169587.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9tbXkgVm9nZWw\command.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\enymaer.exe



    I now not only have Yazzle and SurfSideKick, but also something called "Zeno" among other things. Please advise.
     
  6. 2006/06/08
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    You certainly have a problem; I think it's possibly too much to do in HJT. Suggest you decide next whether you wish to spend several days cleaning the computer, in which case you should take it home with you, or just remove the partition with fdisk (which will wipe the disk) and then make a new partition and re-install Windows, but you'll need all the drivers for the computer's hardware before you go that route.

    You can try removing the following list in safe mode after first turning off System Restore and moving HijackThis to its own folder, like c:\hjt\, so it has a place to put recovery files.
    Code:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tcklb.exe
    F2 - REG:system.ini: UserInit=userinit.exe,ewrolfw.exe
    O2 - BHO: (no name) - {5EDF5A78-C2EE-964A-9D98-94FC29FFBD94} - C:\WINDOWS\system32\eqfa.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [v7sO35U] cdfsnap.exe
    O4 - HKLM\..\Run: [enymaerA] C:\WINDOWS\enymaerA.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [wf8a3c55.dll] RUNDLL32.EXE wf8a3c55.dll,I2 0011b1430f8a3c55
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\WINDOWS\system32\kwinrqez.exe GID003
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
    O4 - HKLM\..\Run: [{96-62-2D-D7-ZN}] C:\WINDOWS\SYSTEM32\pqdsregm.exe GID003
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [w002a35a.dll] RUNDLL32.EXE w002a35a.dll,I2 0011b1430002a35a
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKCU\..\Run: [CAS Client]  "C:\Program Files\Cas\Client\casclient.exe "
    O4 - HKCU\..\Run: [Sen]  "C:\WINDOWS\STEM~1\chkntfs.exe" -vt ndrv
    O4 - HKCU\..\Run: [Omdm] C:\Program Files\?ppPatch\?pool32.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
    O4 - Startup: GreatMemo.lnk = C:\Program Files\GreatMemo\GreatMemo.exe
    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinrqez.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\pqdsregm.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...35352D2D2D.exe
    O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0035.exe
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0006.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9tbXkgVm9nZWw\command.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\enymaer.exe
    
    That may make the computer easier to work with, and the next step I'd suggest is to run the two online antivirus scans listed in links in my sig (page down). Post the results and let them remove what they will.
     
  7. 2006/06/08
    Aluinn

    Aluinn Inactive Thread Starter

    Joined:
    2006/05/30
    Messages:
    14
    Likes Received:
    0
    I brought the computer home and tomorrow after work I will run the virus scans and such. If at that point it still seems like a task to fix, I will reformat the whole thing. Afterwards, could I possibly get some advice on preventing this from happening? I have never had spyware/virus problems on my computer, but this happens to her computer several times a year, and I do not want to go through this all over again any time soon. :p

    Once again, thanks for all the help.
     
  8. 2006/06/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Aluinn
    Read through this
    http://www.helpwithwindows.com/techfiles/protect-your-pc.html

    Download
    SpywareBlaster - (Disable real time protection on this one if you download IESPYAD)
    IESPYAD
    an anti-spyware program, and get a firewall along with your AV.

    KEEP ALL UPDATED.

    For a spyware program Windows Defender is a good free one. Check out this web site for rogue programs:
    spywarewarrior

    Geri
     
    Last edited: 2006/06/08
  9. 2006/06/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Excuse me while I give some quick advice here:

    I hope this is not too late...

    DO NOT UNDER ANY CIRCUMSTANCES USE HIJACKTHIS TO REMOVE ANY O10 ENTRIES!!!
    You may very well, in all likelihood, lose your internet connection.

    You have several infections, and a couple of them require special tools for removal, but a reformat is not really required.

    Please do not fix anything yet.

    Let us know if you received this particular post in time and did not fix anything, especially those O10 entries.

    Sorry for stepping in here.
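An added example (editor's code, not from anyone in this thread): a small Python triage script for the HijackThis log format posted in post 5, applying mechanically the checks the helpers here do by eye: extra executables on the system.ini Shell/UserInit lines (F2), a non-empty AppInit_DLLs (O20), services with no publisher (O23), the IE proxy setting (R1), rundll32 entries that load a DLL by bare name, one executable registered in several autorun locations (kwinrqez.exe appears both in HKLM\..\Run and as Zeno.lnk), and the O10 Winsock entries that TeMerc warns must not be fixed from HJT. The sample lines are a subset copied from the log above; the rule set, the finding wording and the "expected" Shell/UserInit basenames are this example's own assumptions, not anything HijackThis itself outputs.

```python
import re
from collections import defaultdict

# Subset of the HijackThis v1.99.1 log posted in this thread, embedded here as
# constructed sample input so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tcklb.exe
F2 - REG:system.ini: UserInit=userinit.exe,ewrolfw.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [wf8a3c55.dll] RUNDLL32.EXE wf8a3c55.dll,I2 0011b1430f8a3c55
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinrqez.exe GID003
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinrqez.exe
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: repairs303169587.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9tbXkgVm9nZWw\command.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HJT finding line is "<section> - <body>"; header and process lines are not.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
EXE_RE = re.compile(r"[\w~$-]+\.exe\b", re.IGNORECASE)

# Basenames HJT shows for an untouched system.ini Shell / UserInit value (assumption).
EXPECTED_LOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def basename(path):
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Split an HJT log into (section, body) tuples, skipping everything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def autorun_command(body):
    """Command part of an O4 body: after '[name] ' for Run keys, after ' = ' for .lnk files."""
    if "] " in body:
        return body.split("] ", 1)[1]
    if " = " in body:
        return body.split(" = ", 1)[1]
    return body


def triage(entries):
    """Return (section, reason, body) findings in log order; the rules are this example's own."""
    findings = []
    autoruns = defaultdict(list)  # executable/DLL basename -> O4 bodies that launch it
    for section, body in entries:
        if section == "R1" and "ProxyServer" in body:
            findings.append((section, "proxy server configured for Internet Explorer", body))
        elif section == "F2" and "system.ini" in body:
            key, _, value = body.split(": ", 1)[1].partition("=")
            expected = EXPECTED_LOGON.get(key.strip().lower())
            extra = [basename(p) for p in value.split(",") if p.strip() and basename(p) != expected]
            if extra:
                findings.append((section, f"{key.strip()} also loads {', '.join(extra)}", body))
        elif section == "O4":
            cmd = autorun_command(body)
            tokens = cmd.split()
            if tokens and tokens[0].lower().startswith("rundll32") and len(tokens) > 1:
                dll = tokens[1].split(",")[0].strip('"')
                if "\\" not in dll:
                    findings.append((section, f"rundll32 loads DLL {dll} by bare name (search-path resolved)", body))
                autoruns[basename(dll)].append(body)
            else:
                m = EXE_RE.search(cmd)
                if m:
                    autoruns[m.group(0).lower()].append(body)
        elif section == "O10":
            findings.append((section, "Winsock LSP entry: do not fix with HJT, use the uninstaller or LSPFix", body))
        elif section == "O20" and ":" in body and body.split(":", 1)[1].strip():
            findings.append((section, "AppInit_DLLs loads a DLL into every process that uses user32", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no publisher information", body))
    # The same file registered in several autorun locations is a strong persistence signal.
    for name, bodies in autoruns.items():
        if len(bodies) > 1:
            findings.append(("O4", f"{name} is registered in {len(bodies)} autorun locations", " | ".join(bodies)))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {body}")
```

On the sample above the script reports eight findings and stays silent on igfxtray.exe and iPodService, which is the point of the "unknown owner" and "multiple autorun locations" rules: they separate entries that need a human look from the vendor software that clutters a log like this one. Anything in the Running processes block, or O4/O16 entries whose legitimacy depends on knowing the product, still needs the judgement the helpers apply here.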
     
  10. 2006/06/09
    Aluinn

    Aluinn Inactive Thread Starter

    Joined:
    2006/05/30
    Messages:
    14
    Likes Received:
    0
    I have not done anything yet! I just got home from work! We're SAFE! :) Should I at least proceed with a virus scan or two? Or should I wait for further instructions at this point?
     
  11. 2006/06/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Aluinn
    I will help get you started, but...
    DO NOT RUN ANY OF THESE PROGRAMS UNTIL TeMerc GIVES YOU THE OK !!

    Download these programs...
    Major Geeks SSK removal
    Download the programs for windows XP

    You have the NewDotNet infection.
    First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

    Do not do the below until OK'ed by TeMerc

    To Get rid of NewDotNet, go to:

    Start > Control Panel > Add or Remove Programs and remove the following:

    New.Net Applications or New.Net Domains (anything that says New.Net)

    If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

    In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right side, leave it as is and just click "Finish>>", then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove" panel, do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

    AGAIN, DO NOT RUN THESE UNTIL OK'ed by TeMerc; just download the programs and wait for his instructions.

    Geri
     
  12. 2006/06/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I've not had the time to look over this log file.

    I'll do so tonight and reply back once I have a plan of action.

    Thanks for being patient.
     
  13. 2006/06/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Aluinn

    I need to amend my posting on prevention above....

    This "real time protection" should be "Restricted sites zone".

    This is from the IESPYADS instructions web site:
    SpywareBlaster & Spybot Search & Destroy
    Because IESPYADS' list of Restricted sites zones is much greater than SpywareBlaster's, IESPYADS would be the better choice to use.

    Also, this was meant to read:
    "And an anti-spyware program",
    such as Windows Defender or Spy Sweeper....

    Sorry for any confusion :rolleyes:
    Geri
     
  14. 2006/06/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, apologies for not getting here last night.

    I was playing on the test box, and actually had much of what you have here, excluding SurfsideKick and some others. :D

    Let's work on a couple of easier ones first.

    First, please open Add/Remove programs and uninstall New.Net or NewDotNet from there if listed. If it is not listed, follow these instructions:
    • From a computer that has Internet access, click on the following link:
      http://www.new.net/support/uninstall6_90.exe.
    • Download and save uninstall6_90.exe to the Desktop.
    • Go to the Desktop and double-click on uninstall6_90.exe
    • Click on the OK button.
    • After removal, you may be prompted to reboot. Please reboot even if not prompted.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm


    Once you have restarted your machine, please DL AutoRuns from Sysinternals. Save it to your desktop, then open the zip file and double-click the 'autoruns' file to run it. Approve any messages you get to allow it to run.

    Once it is completed, which may take a minute or two, click the 'services' tab and select the following three services:
    • Network Monitor
    • Windows Overlay Components
    • Command Service
    Right-click each, select 'Delete', then close out Autoruns.


    Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es):
    C:\WINDOWS\system32\kwinrqez.exe (all instances)
    C:\WINDOWS\SYSTEM32\pqdsregm.exe
    C:\Program Files\ipwins\ipwins.exe
    C:\WINDOWS\STEM~1\chkntfs.exe
    C:\Program Files\?ppPatch\?pool32.exe
    C:\Program Files\Weather\Weather.exe
    C:\WINDOWS\TW9tbXkgVm9nZWw\command.exe
    C:\Program Files\Network Monitor\netmon.exe


    Please go to Add/Remove, and if found, uninstall the following:
    ipwins
    Weather
    Network Monitor
    SurfSideKick3
    webHancer
    CAS or Casino Client
    Great Memo


    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com


    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tcklb.exe

    F2 - REG:system.ini: UserInit=userinit.exe,ewrolfw.exe


    O2 - BHO: (no name) - {5EDF5A78-C2EE-964A-9D98-94FC29FFBD94} - C:\WINDOWS\system32\eqfa.dll

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


    O4 - HKLM\..\Run: [v7sO35U] cdfsnap.exe

    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [enymaerA] C:\WINDOWS\enymaerA.exe

    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe

    O4 - HKLM\..\Run: [wf8a3c55.dll] RUNDLL32.EXE wf8a3c55.dll,I2 0011b1430f8a3c55

    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinrqez.exe GID003

    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe

    O4 - HKLM\..\Run: [{96-62-2D-D7-ZN}] C:\WINDOWS\SYSTEM32\pqdsregm.exe GID003

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

    O4 - HKLM\..\Run: [w002a35a.dll] RUNDLL32.EXE w002a35a.dll,I2 0011b1430002a35a

    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe "

    O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\STEM~1\chkntfs.exe" -vt ndrv

    O4 - HKCU\..\Run: [Omdm] C:\Program Files\?ppPatch\?pool32.exe

    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

    O4 - Startup: GreatMemo.lnk = C:\Program Files\GreatMemo\GreatMemo.exe

    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe

    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinrqez.exe

    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\pqdsregm.exe


    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/do...ARKETING32.cab

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c5.cab

    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) -

    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...35352D2D2D.exe

    O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0035.exe

    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...nc1001_sp2.cab

    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1162

    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

    O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45...o/wordmojo.cab

    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0006.exe

    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40...an/hangman.cab


    O20 - AppInit_DLLs: repairs303169587.dll


    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9tbXkgVm9nZWw\command.exe

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\enymaer.exe


    Reboot into safe mode this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Program Files\ipwins <<<<---folder
    C:\Program Files\Weather <<<<---folder
    C:\WINDOWS\STEM~1 <<<<---folder
    C:\Program Files\Network Monitor <<<<---folder
    C:\Program Files\SurfSideKick 3 <<<<---folder
    C:\Program Files\webHancer <<<<---folder
    C:\PROGRA~1\NEWDOT~1 <<<<---folder
    C:\Program Files\Cas <<<<---folder
    C:\Program Files\Common Files\svchostsy <<<<---folder
    C:\WINDOWS\TW9tbXkgVm9nZWw <<<<---folder
    pqdsregm.exe <<<---file
    kwinrqez.exe <<<---file
    cdfsnap.exe <<<---file
    eqfa.dll <<<---file
    ewrolfw.exe <<<---file
    tcklb.exe <<<---file



    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Start up Ewido, select 'update' then click the 'Start Update' button, and let it update (there was one today already).

    Run another scan please and post logfile here.

    Post a new HJT log along with any other logs requested back into this thread please.
     
  15. 2006/06/10
    Aluinn

    Aluinn Inactive Thread Starter

    Joined:
    2006/05/30
    Messages:
    14
    Likes Received:
    0
    Ok, wasn't able to remove SurfSideKick via Add/Remove Programs. It crashed the computer each time I tried. I need to run another Ewido scan and will post that when finished, but here are the Smitfraud and HJT logs:

    SmitFraudFix v2.58

    Scan done at 21:48:34.23, Sat 06/10/2006
    Run from C:\Documents and Settings\Mommy Vogel\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mommy Vogel\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MOMMYV~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End



    AND THE HJT LOG


    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:40 PM, on 6/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\tcklb.exe
    C:\WINDOWS\system32\drthba.exe
    C:\WINDOWS\system32\tcklb.exe
    C:\WINDOWS\system32\tcklb.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\TClock\TClock.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ewido anti-malware\SecuritySuite.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tcklb.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ewrolfw.exe
    O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [cjxybx] C:\WINDOWS\system32\drthba.exe reg_run
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ygfac] C:\WINDOWS\system32\drthba.exe reg_run
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: vafih.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - AppInit_DLLs: repairs303169587.dll
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
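The F2, O20 and O4 lines in this log are what the fix instructions in this thread keep coming back to. As an added example (not HijackThis code, and not posted by anyone in the thread), here is a Python triage pass over a constructed subset of the log above: it flags the extra executables in the Winlogon Shell/UserInit values, the AppInit_DLLs entry, the bare executable in Global Startup, the ProxyServer override, and binaries registered under both the HKLM and HKCU Run keys.

```python
"""Triage a HijackThis log for the persistence entries acted on in this thread."""
import re
from collections import defaultdict
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Constructed sample: a subset of the HJT log lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tcklb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ewrolfw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cjxybx] C:\WINDOWS\system32\drthba.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ygfac] C:\WINDOWS\system32\drthba.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: vafih.exe
O20 - AppInit_DLLs: repairs303169587.dll
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
"""

# What a clean Windows XP Winlogon configuration loads for each value.
WINLOGON_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def _basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _target_exe(command: str) -> str:
    """Executable of a Run command line, lower-cased. Quoted commands end at the
    closing quote; unquoted ones may contain spaces, so cut at the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)].lower()
    idx = command.lower().find(".exe")
    return command[: idx + 4].lower() if idx != -1 else command.lower()


def check_winlogon(line: str) -> Optional[Finding]:
    """F2: anything beyond Explorer.exe / userinit.exe runs at every logon."""
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
    if not m:
        return None
    key = m.group(1).lower()
    names = [_basename(p) for p in m.group(2).split(",") if p.strip()]
    extra = [n for n in names if n not in WINLOGON_DEFAULTS[key]]
    return ("winlogon-" + key, ", ".join(extra)) if extra else None


def check_appinit(line: str) -> Optional[Finding]:
    """O20: AppInit_DLLs is empty on a clean XP box; a DLL here loads into every GUI process."""
    m = re.match(r"O20 - AppInit_DLLs: (\S.*)", line)
    return ("appinit-dlls", m.group(1).strip()) if m else None


def check_global_startup(line: str) -> Optional[Finding]:
    """O4 Global Startup: shortcuts (.lnk) are normal, a bare .exe dropped there is not."""
    m = re.match(r"O4 - Global Startup: (.*)", line)
    if m and m.group(1).strip().lower().endswith(".exe"):
        return ("global-startup-exe", m.group(1).strip())
    return None


def check_proxy(line: str) -> Optional[Finding]:
    """R1 ProxyServer: a proxy the user never set routes all IE traffic through it."""
    m = re.match(r"R1 - .*Internet Settings,ProxyServer = (\S+)", line)
    return ("proxy-override", m.group(1)) if m else None


def run_in_both_hives(lines: List[str]) -> List[str]:
    """O4: one binary registered under both HKLM and HKCU Run (drthba.exe, Ssk.exe here)."""
    hives = defaultdict(set)
    for line in lines:
        m = re.match(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.*)", line)
        if m:
            hives[_target_exe(m.group(2))].add(m.group(1))
    return sorted(exe for exe, seen in hives.items() if seen == {"HKLM", "HKCU"})


def triage(log_text: str) -> List[Finding]:
    """Run every check over an HJT log; findings come back in log order."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []
    for line in lines:
        for check in (check_winlogon, check_appinit, check_global_startup, check_proxy):
            hit = check(line)
            if hit:
                findings.append(hit)
    findings.extend(("run-both-hives", exe) for exe in run_in_both_hives(lines))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Every flagged item here is one the fix instructions in this thread tell the poster to remove; the duplicate Run entries are why a second reboot keeps bringing SurfSideKick back.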
     
  16. 2006/06/10
    Aluinn

    Aluinn Inactive Thread Starter

    ok, Here's the Ewido scan:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:56:06 PM, 6/10/2006
    + Report-Checksum: 93146CD6

    + Scan result:

    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Ignored
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Ignored
    HKU\S-1-5-21-2681377278-742929182-1243267824-1006\Software\SurfSideKick3 -> Adware.SurfSide : Ignored
    HKU\S-1-5-21-2681377278-742929182-1243267824-1006\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Ignored
    [1476] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [1488] C:\WINDOWS\system32\tcklb.exe -> Downloader.Qoologic.bj : Ignored
    [1496] C:\WINDOWS\system32\drthba.exe -> Downloader.Qoologic.bj : Ignored
    [1552] C:\WINDOWS\system32\tcklb.exe -> Downloader.Qoologic.bj : Ignored
    [1564] C:\WINDOWS\system32\tcklb.exe -> Downloader.Qoologic.bj : Ignored
    [1804] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [1848] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [1932] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [1948] C:\WINDOWS\system32\repairs303169587.dll -> Adware.Surfside : Ignored
    [2016] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [164] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [372] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [596] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Ignored
    [484] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Ignored
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\vafih.exe -> Downloader.Qoologic.bj : Ignored
    :mozilla.98:C:\Documents and Settings\Mommy Vogel\Application Data\Mozilla\Firefox\Profiles\4hxb7ame.default\cookies.txt -> TrackingCookie.Falkag : Ignored
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@kmpads[2].txt -> TrackingCookie.Kmpads : Ignored
    C:\Program Files\Movie Maker\__delete_on_reboot__WMM2FXA.exe -> Adware.Agent : Ignored
    C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Ignored
    C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : Ignored
    C:\Program Files\SurfSideKick 3\SskBho.dll -> Adware.SurfSide : Ignored
    C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : Ignored
    C:\Program Files\whInstall -> Adware.Webhancer : Ignored
    C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Ignored
    C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Ignored
    C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Ignored
    C:\Program Files\ΑppPatch\ѕpool32.exe -> Adware.PurityScan : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc2\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\webhdll.dll -> Adware.WebHancer : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whagent.exe -> Adware.WebHancer : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whiehlpr.dll -> Adware.WebHancer : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whinstaller.exe -> Adware.WebHancer : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whsurvey.exe -> Adware.WebHancer : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc5\asappsrv.dll -> Adware.CommAd : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc5\command.exe -> Adware.CommAd : Ignored
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc6.exe -> Adware.ZenoSearch : Ignored
    C:\SS1001.exe -> Dropper.Small.qn : Ignored
    C:\VSL.dl_ -> Downloader.Small.ctp : Ignored
    C:\warebundle.exe -> Adware.Look2Me : Ignored
    C:\webnexmk.exe -> Dropper.Agent.hl : Ignored
    C:\WINDOWS\Downloaded Program Files\3735352D2D2D.exe -> Downloader.Adload.bl : Ignored
    C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx -> Adware.MediaTickets : Ignored
    C:\WINDOWS\enymaer.exe -> Hijacker.VB.ij : Ignored
    C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Ignored
    C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Ignored
    C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Ignored
    C:\WINDOWS\SYSTEM32\btnetw3_venturahot_246765.exe -> Adware.HotSearchBar : Ignored
    C:\WINDOWS\SYSTEM32\d80mlid1180.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\dmonwv.dll -> Downloader.Agent.agw : Ignored
    C:\WINDOWS\SYSTEM32\dqrgui.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\drthba.exe -> Downloader.Qoologic.bj : Ignored
    C:\WINDOWS\SYSTEM32\e0jm0a11ed.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\enj6l11s1.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\ewrolfw.exe -> Downloader.Qoologic.bj : Ignored
    C:\WINDOWS\SYSTEM32\fp6003jme.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\fp8u03l9e.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\GSM3-0511.exe -> Trojan.Registrator.b : Ignored
    C:\WINDOWS\SYSTEM32\guard.tmp -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\ipikm.dat -> Downloader.Qoologic.bj : Ignored
    C:\WINDOWS\SYSTEM32\kddhu.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\m882lilo18qc.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\m8lsli3718.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\oins.exe -> Downloader.PurityScan.cp : Ignored
    C:\WINDOWS\SYSTEM32\repairs303169587.dll -> Adware.Surfside : Ignored
    C:\WINDOWS\SYSTEM32\rk.exe -> Adware.RK : Ignored
    C:\WINDOWS\SYSTEM32\stbcsp.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\tcklb.exe -> Downloader.Qoologic.bj : Ignored
    C:\WINDOWS\SYSTEM32\w002a35a.dll -> Downloader.Agent.ahv : Ignored
    C:\WINDOWS\SYSTEM32\w002ea75.dll -> Downloader.Agent.ahv : Ignored
    C:\WINDOWS\SYSTEM32\weirdontheweb_ventura.exe -> Adware.WeirWeb : Ignored
    C:\WINDOWS\SYSTEM32\wf8a3996.dll -> Downloader.Agent.ahv : Ignored
    C:\WINDOWS\SYSTEM32\winoba32.dll -> Trojan.Agent.qt : Ignored
    C:\WINDOWS\SYSTEM32\ZICORN003.exe -> Adware.ZenoSearch : Ignored
    C:\WINDOWS\SYSTEM32\zxpfldr.dll -> Adware.Look2Me : Ignored
    C:\WINDOWS\SYSTEM32\__delete_on_reboot__jythrii.dll -> Downloader.Qoologic.bj : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@as-us.falkag[1].txt -> TrackingCookie.Falkag : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@doubleclick[2].txt -> TrackingCookie.Doubleclick : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@fastclick[2].txt -> TrackingCookie.Fastclick : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@kmpads[1].txt -> TrackingCookie.Kmpads : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@media.fastclick[1].txt -> TrackingCookie.Fastclick : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@questionmarket[2].txt -> TrackingCookie.Questionmarket : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@statcounter[1].txt -> TrackingCookie.Statcounter : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@targetnet[1].txt -> TrackingCookie.Targetnet : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@trafficmp[1].txt -> TrackingCookie.Trafficmp : Ignored
    C:\WINDOWS\Temp\Cookies\mommy vogel@zedo[2].txt -> TrackingCookie.Zedo : Ignored
    C:\WINDOWS\Temp\tp7543.exe -> Downloader.Qoologic.ax : Ignored
    C:\WINDOWS\Temp\win11.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win21.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win27.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win29.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win2D.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win35.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win3D.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win40.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win44.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\win7A.tmp.exe -> Trojan.Dialer.oy : Ignored
    C:\WINDOWS\Temp\winF.tmp.exe -> Downloader.Small.cvw : Ignored
    C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Ignored
    C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Ignored
    C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Ignored
    C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Ignored
    C:\WINDOWS\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Ignored
    C:\WINDOWS\winres.dll -> Downloader.IstBar.ff : Ignored
    C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Ignored
    C:\ZIGID003.exe -> Adware.ZenoSearch : Ignored


    ::Report End
     
  17. 2006/06/11
    TeMerc

    TeMerc Inactive Alumni

    I can't help but notice that the entire Ewido report indicates all threats were 'Ignored'. :eek:

    We need to change the action from 'Ignore' to 'Remove' in the drop-down menu. Please run the scan again with these settings and post back the new log, sorry if I hadn't explained that part of the setup with Ewido.

    See this page for a good screenshot of where to change the option.
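The all-'Ignored' report TeMerc spotted can be checked mechanically. As an added example (not ewido's code, and not posted by anyone in the thread), here is a Python parser for the ewido report format, run over a constructed sample that mixes the three actions seen in this thread; it tallies the actions, detects a do-nothing run, and lists what is still on the machine afterwards.

```python
"""Summarise an ewido scan report by the action ewido took on each object."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines in the format of the reports posted in
# this thread, mixing the three actions seen there.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:56:06 PM, 6/10/2006
+ Report-Checksum: 93146CD6

+ Scan result:

HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Ignored
[1488] C:\WINDOWS\system32\tcklb.exe -> Downloader.Qoologic.bj : Ignored
[1440] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Cleaned with backup
[1664] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\WINDOWS\enymaer.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\Temp\Cookies\mommy vogel@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup

::Report End
"""

# "[pid] object -> detection : action"; the [pid] prefix marks a hit inside a running process.
ENTRY = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<object>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")

Entry = Tuple[Optional[int], str, str, str]  # (pid, object, detection, action)


def parse_report(text: str) -> List[Entry]:
    """Pull the result lines out of a report; header, footer and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pid = int(m.group("pid")) if m.group("pid") else None
            entries.append((pid, m.group("object"), m.group("detection"), m.group("action")))
    return entries


def action_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many objects got each action, e.g. {'Ignored': 2, ...}."""
    return dict(Counter(action for _, _, _, action in entries))


def all_ignored(entries: List[Entry]) -> bool:
    """True when the run changed nothing, which is what a report full of 'Ignored' means."""
    return bool(entries) and all(action == "Ignored" for _, _, _, action in entries)


def outstanding(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Objects still present after the run: skipped, or removal failed.

    In-memory hits are tagged with their process id because the file stays
    until that process is gone, which is the likely reason for the
    'Error during cleaning' lines on in-process hits in a later report here.
    """
    out = []
    for pid, obj, _, action in entries:
        if action != "Cleaned with backup":
            where = f"in process {pid}" if pid is not None else "on disk"
            out.append((obj, action, where))
    return out


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(action_counts(parsed), "all ignored:", all_ignored(parsed))
    for obj, action, where in outstanding(parsed):
        print(f"{action:22} {where:16} {obj}")
```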
     
  18. 2006/06/11
    Aluinn

    Aluinn Inactive Thread Starter

    Here is what happened. I ran it a first time removing everything that popped up, but when it gets to "Perform Cleaning: C:\Program Files\SurfSideKick 3\ssk.exe" it just stops. I am running it again now and it has been idle at that point for at least an hour (although it is not frozen) and I do not have the option yet to save a report.

    So I just ran another scan and ignored everything to get you a report. I will let my current scan continue whatever it's doing until it finishes or freezes, whichever comes first.
     
  19. 2006/06/11
    Aluinn

    Aluinn Inactive Thread Starter

    Ok, I am getting somewhere I think. Finally got SurfSideKick to remove from Add/Remove Programs. Ran another HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:16:06 PM, on 6/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\TClock\TClock.exe
    C:\Program Files\Messenger\TYPE.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tcklb.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ewrolfw.exe
    O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



    then ran Ewido:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 3:52:29 PM, 6/11/2006
    + Report-Checksum: 6B9A4AF9

    + Scan result:

    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-21-2681377278-742929182-1243267824-1006\Software\DNS -> Adware.Shorty : Cleaned with backup
    HKU\S-1-5-21-2681377278-742929182-1243267824-1006\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-21-2681377278-742929182-1243267824-1006\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
    [1440] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Cleaned with backup
    [1664] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
    [1692] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
    [1804] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
    [1848] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
    [1856] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
    [1964] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
    [2040] C:\WINDOWS\system32\jythrii.dll -> Downloader.Qoologic.bj : Error during cleaning
    [296] C:\Program Files\NetWaiting\BVRPDiag.exe -> Adware.Agent : Cleaned with backup
    :mozilla.97:C:\Documents and Settings\Mommy Vogel\Application Data\Mozilla\Firefox\Profiles\4hxb7ame.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@ehg-pcsecurityshield.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Mommy Vogel\Cookies\mommy vogel@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Program Files\Common Files\services.exe -> Adware.Maxifiles : Cleaned with backup
    C:\Program Files\DNS\Catcher.dll -> Adware.Maxifiles : Cleaned with backup
    C:\Program Files\DNS\cwebpage.dll -> Adware.Maxifiles : Cleaned with backup
    C:\Program Files\NetWaiting\BVRPDiag.exe -> Adware.Agent : Cleaned with backup
    C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
    C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
    C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
    C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
    C:\Program Files\ΑppPatch\ѕpool32.exe -> Adware.PurityScan : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc2\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\webhdll.dll -> Adware.WebHancer : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whagent.exe -> Adware.WebHancer : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whiehlpr.dll -> Adware.WebHancer : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whinstaller.exe -> Adware.WebHancer : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc3\Programs\whsurvey.exe -> Adware.WebHancer : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc5\asappsrv.dll -> Adware.CommAd : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc5\command.exe -> Adware.CommAd : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc6.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc7.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
    C:\VSL.dl_ -> Downloader.Small.ctp : Cleaned with backup
    C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup
    C:\webnexmk.exe -> Dropper.Agent.hl : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\3735352D2D2D.exe -> Downloader.Adload.bl : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx -> Adware.MediaTickets : Cleaned with backup
    C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\WINDOWS\drsmartload849a.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\WINDOWS\enymaer.exe -> Hijacker.VB.ij : Cleaned with backup
    C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
    C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
    C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
    C:\WINDOWS\SYSTEM32\btnetw3_venturahot_246765.exe -> Adware.HotSearchBar : Cleaned with backup
    C:\WINDOWS\SYSTEM32\d80mlid1180.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dqrgui.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\e0jm0a11ed.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\enj6l11s1.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\fp6003jme.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\fp8u03l9e.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\GSM3-0511.exe -> Trojan.Registrator.b : Cleaned with backup
    C:\WINDOWS\SYSTEM32\guard.tmp -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ipikm.dat -> Downloader.Qoologic.bj : Cleaned with backup
    C:\WINDOWS\SYSTEM32\kddhu.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\m882lilo18qc.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\m8lsli3718.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\msdtc.dll -> Adware.PurityScan : Cleaned with backup
    C:\WINDOWS\SYSTEM32\oins.exe -> Downloader.PurityScan.cp : Cleaned with backup
    C:\WINDOWS\SYSTEM32\rk.exe -> Adware.RK : Cleaned with backup
    C:\WINDOWS\SYSTEM32\stbcsp.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\w002a35a.dll -> Downloader.Agent.ahv : Cleaned with backup
    C:\WINDOWS\SYSTEM32\w002ea75.dll -> Downloader.Agent.ahv : Cleaned with backup
    C:\WINDOWS\SYSTEM32\weirdontheweb_ventura.exe -> Adware.WeirWeb : Cleaned with backup
    C:\WINDOWS\SYSTEM32\wf8a3996.dll -> Downloader.Agent.ahv : Cleaned with backup
    C:\WINDOWS\SYSTEM32\winoba32.dll -> Trojan.Agent.qt : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ZICORN003.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\SYSTEM32\zxpfldr.dll -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\mommy vogel@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\WINDOWS\Temp\tp7543.exe -> Downloader.Qoologic.ax : Cleaned with backup
    C:\WINDOWS\Temp\win11.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win21.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win27.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win29.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win2D.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win35.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win3D.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win40.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win44.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win7A.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winF.tmp.exe -> Downloader.Small.cvw : Cleaned with backup
    C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
    C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
    C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
    C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
    C:\WINDOWS\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
    C:\WINDOWS\winres.dll -> Downloader.IstBar.ff : Cleaned with backup
    C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup
    C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup


    ::Report End



    Also ran the eTrust and Housecall virus scans. Never made it through an entire Housecall scan before IE would shut down, but here is what eTrust found - notice it was not able to cure anything:


    Scan Results: 57146 files scanned. 35 viruses were detected.

    File Infection Status Path
    backup-20060610-221705-882.dll Win32/Clspring!generic cannot cure C:\hjt\backups\
    mc-110-12-0000228.exe Win32/SillyDl.APN cannot cure C:\
    netmon.exe Win32/NetMon.A cannot cure C:\RECYCLER\S-1-5-21-2681377278-742929182-1243267824-1006\Dc2\
    Trelew.exe Win32/Clspring.EL cannot cure C:\
    VSL.dl_ Win32/Zquest.D cannot cure C:\
    VSL02.exe Win32/Zquest.D cannot cure C:\
    warebundle.exe Win32/Canbede.M cannot cure C:\
    webnexmk.exe Win32/Multidropper.Y cannot cure C:\
    drsmartload45a.exe Win32/Thoog.CX cannot cure C:\WINDOWS\
    drsmartload46a.exe Win32/Thoog.CX cannot cure C:\WINDOWS\
    drsmartload849a.exe Win32/Thoog.CX cannot cure C:\WINDOWS\
    MTE3NDI6ODoxNg.exe Win32/SillyDl.YQ cannot cure C:\WINDOWS\
    eqfa.dll Win32/Clspring!generic cannot cure C:\WINDOWS\SYSTEM32\
    ipikm.dat Win32/Qoologic.AB cannot cure C:\WINDOWS\SYSTEM32\
    m882lilo18qc.dll Win32/Canbede cannot cure C:\WINDOWS\SYSTEM32\
    oins.exe Win32/Clspring!generic cannot cure C:\WINDOWS\SYSTEM32\
    w002a35a.dll Win32/Acee.A cannot cure C:\WINDOWS\SYSTEM32\
    w002ea75.dll Win32/Acee.A cannot cure C:\WINDOWS\SYSTEM32\
    wf8a3996.dll Win32/Acee.A cannot cure C:\WINDOWS\SYSTEM32\
    winoba32.dll Win32/Nebuler.A cannot cure C:\WINDOWS\SYSTEM32\
    tp7543.exe Win32/Qoologic!generic cannot cure C:\WINDOWS\Temp\
    win11.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win21.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win27.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win29.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win2D.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win35.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win3D.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win40.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win44.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    win7A.tmp.exe Win32/SillyDl.AGC cannot cure C:\WINDOWS\Temp\
    unwn.exe Win32/Qoologic!generic cannot cure C:\WINDOWS\
    visfx500.exe Win32/Notiex.E cannot cure C:\WINDOWS\
    winres.dll Win32/Startpage.TZ cannot cure C:\WINDOWS\
    YAXUninst.exe Win32/Clspring.EN cannot cure C:\WINDOWS\


    But I think we're finally going in the right direction! (And if we're not, I really have no qualms with a re-format) :p
     
  20. 2006/06/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, very good, yes we are headed in the right direction for sure.

    One more major nasty to remove, here is the fix:

    Please download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and uncheck the "Show Extracted Files" box and then click "Finish".
    • Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
    • Place qoofix.bat in your C:\BFU - folder. (Important!)
    • Doubleclick qooFix.bat, Close all browsers and explorer folders.
    • Choose option 1 (Qoolfix autofix) and follow the prompts.
    • Please be patient, it will take about five minutes.
    • After the PC has restarted please post another hijackthis log.

    Then, to help remove some of those temp files:

    Download: CCleaner (freeware)
    http://www.majorgeeks.com/download4191.html
    Once installed, run CCleaner click the Windows [tab]
    Select the following:
    [image: CCleaner Windows tab selections]
    Next: click Options click the Settings tab
    Uncheck: "Only delete files older than 48 hrs.", click Ok
    Then click Run Cleaner (bottom right) then Exit
     
  21. 2006/06/11
    Aluinn

    Aluinn Inactive Thread Starter

    Joined:
    2006/05/30
    Messages:
    14
    Likes Received:
    0
    Post-qoofix run. Is that TClock an easy remove? I have no idea what it is, but it usurped the Windows clock and is displaying military time. Gonna run CCleaner and such now.


    Logfile of HijackThis v1.99.1
    Scan saved at 5:52:26 PM, on 6/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\TClock\TClock.exe
    C:\Program Files\Movie Maker\WMM2RES2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
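As an added example (not a tool from this thread or from any of the scanners named in it), here is a short Python script that does what the helpers do by hand when reading these posts: it parses the O4 autorun entries from a HijackThis log and checks their file names against an eTrust detection table, which is how the `[DNS]` entry in the log above lines up with the `mc-110-12-0000228.exe` row eTrust could not cure. The sample lines are constructed from the logs posted above; everything else (function names, regex) is this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: three O4 lines copied from the HijackThis log above.
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [TClock.exe] C:\\Program Files\\TClock\\tclock_install.exe
O4 - HKCU\\..\\Run: [DNS] C:\\Program Files\\Common Files\\mc-110-12-0000228.exe
"""

# Constructed sample: two rows in the eTrust "File Infection Status Path" layout above.
ETRUST_SAMPLE = """\
mc-110-12-0000228.exe Win32/SillyDl.APN cannot cure C:\\
winres.dll Win32/Startpage.TZ cannot cure C:\\WINDOWS\\
"""

# HijackThis O4 Run line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def parse_o4(log_text):
    """Return (hive, value name, executable path) for each O4 Run entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Global Startup lines and non-O4 lines are skipped
        cmd = m.group('cmd').strip()
        if cmd.startswith('"'):
            # Quoted path: take what sits inside the first pair of quotes
            # (strip() also drops the stray space forum software adds before the closing quote).
            path = cmd[1:cmd.index('"', 1)].strip()
        else:
            # Unquoted path: everything before the first " /flag" or " -flag".
            path = re.split(r' [/-]', cmd, 1)[0].strip()
        entries.append((m.group('hive'), m.group('name'), path))
    return entries

def parse_etrust(table_text):
    """Map lowercase file name -> (detection, status) from eTrust result rows.
    A row reads: <file> <detection> <status words...> <directory ending in a backslash>."""
    hits = {}
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[-1].endswith('\\'):
            continue  # header line or free text, not a result row
        hits[parts[0].lower()] = (parts[1], ' '.join(parts[2:-1]))
    return hits

def autoruns_flagged(log_text, table_text):
    """O4 entries whose executable file name eTrust reported as infected.
    Matching is by file name only: the same dropper name can sit in several
    directories (eTrust saw mc-110-12-0000228.exe in C:\\, the Run key points at Common Files)."""
    hits = parse_etrust(table_text)
    return [(name, path, hits[PureWindowsPath(path).name.lower()][0])
            for _, name, path in parse_o4(log_text)
            if PureWindowsPath(path).name.lower() in hits]
```

Running `autoruns_flagged(HJT_SAMPLE, ETRUST_SAMPLE)` returns only the `[DNS]` entry, which is the one autorun a helper would ask to have fixed; the TClock and QuickTime entries are left alone because no scanner row names them.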
