danielwebb
asked on
Surf Sidekick is screwing up my 200 server station and i can't remove it! HELP!!!!
hey guys my boss's kids were looking at porn on the server computer which they have repeatedly been told not to use. anyway they got some spyware on there called surf sidekick 3 and i can't get it off. I even tried deleting the registry keys but they keep coming back. Windows defender can't remove it either. Now It is displaying error messages when it boots up. It says one or more drivers or services failed to start check event log. When i check the even log it says the lpd service failed to start and it also says something about the network adapter not working. The internet has stopped working even though it is showing an open connection with the router and the device manager says the network adapter is working properly. What should i do?
Aside from what war1 said I recommened Ad-Aware SE, its free and its incredibly effective. Do a full scan and your problem will be solved. Here's the link:
http://www.lavasoft.de/software/adaware/
http://www.lavasoft.de/software/adaware/
danielwebb,
We have not heard from you. Did any comment help you solve your problem? Do you have any more question? If an Expert helped you, please accept his/her answer above with an excellent or good grade.
Thanks, war1
We have not heard from you. Did any comment help you solve your problem? Do you have any more question? If an Expert helped you, please accept his/her answer above with an excellent or good grade.
Thanks, war1
ASKER
well i got the surf sidekick off but now mcafee is detecting a pup called adware-clickspring in c:\program files\-dobe\chkdsk.exe, and a trojan named downloader-ev in c:\winnt\system32\A-pPatch
danielwebb,
1. If these trojans are in System Restore, antivirus programs cannot delete them. Disable and Enable System Restore
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
2. If no joy, antivirus programs are designed to remove virus, not mailware. You need mailware removers.
Ewido to remove trojans
http://www.ewido.net/en/
and
Spy Sweeper to remove spyware
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html
or
SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/
3. If still no joy, download HijackThis
http://www.majorgeeks.com/download3155.html
Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save. Post a link to the saved list here.
1. If these trojans are in System Restore, antivirus programs cannot delete them. Disable and Enable System Restore
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
2. If no joy, antivirus programs are designed to remove virus, not mailware. You need mailware removers.
Ewido to remove trojans
http://www.ewido.net/en/
and
Spy Sweeper to remove spyware
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html
or
SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/
3. If still no joy, download HijackThis
http://www.majorgeeks.com/download3155.html
Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save. Post a link to the saved list here.
ASKER
ASKER
here is the hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 10:52:38 AM, on 7/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\System32\termsrv.
C:\WINNT\system32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\system32\drivers\
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\CBA\pds.
C:\WINNT\System32\llssrv.e
C:\WINNT\System32\tcpsvcs.
C:\WINNT\System32\sfmprint
c:\PROGRA~1\mcafee.com\age
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER
C:\WINNT\system32\stisvc.e
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\Win
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.
C:\WINNT\system32\Dfssvc.e
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\
C:\WINNT\System32\sfmsvc.e
C:\WINNT\System32\msdtc.ex
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.
C:\WINNT\system32\winlogon
C:\WINNT\system32\rdpclip.
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\VSO\mcvss
c:\program files\mcafee.com\agent\mca
c:\progra~1\mcafee.com\vso
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\ctfmon.e
C:\DOCUME~1\ADMINI~1\APPLI
C:\WINNT\system32\sistray.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee.com\age
c:\program files\mcafee.com\shared\mg
c:\PROGRA~1\mcafee.com\vso
C:\WINNT\explorer.exe
C:\WINNT\system32\logon.sc
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\VSO\mcvss
c:\progra~1\mcafee.com\vso
c:\program files\mcafee.com\agent\mca
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\ctfmon.e
C:\DOCUME~1\ADMINI~1\APPLI
C:\WINNT\system32\sistray.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip3
C:\Documents and Settings\Administrator\Loc
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-9
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroChec
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VS
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvss
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oascl
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Wacinrka] C:\DOCUME~1\ADMINI~1\APPLI
O4 - HKCU\..\Run: [Edrc] "C:\PROGRA~1\MANTEC~1\lsas
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {266B9238-31A5-4B53-9039-2
O16 - DPF: {2B323CD9-50E3-11D3-9466-0
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-0
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C
O16 - DPF: {E7D2588A-7FB5-47DC-8830-8
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O20 - AppInit_DLLs: C:\WINNT\system32\services
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\CBA\pds.
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\age
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Age
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Logfile of HijackThis v1.99.1
Scan saved at 10:52:38 AM, on 7/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\System32\termsrv.
C:\WINNT\system32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\system32\drivers\
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\CBA\pds.
C:\WINNT\System32\llssrv.e
C:\WINNT\System32\tcpsvcs.
C:\WINNT\System32\sfmprint
c:\PROGRA~1\mcafee.com\age
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER
C:\WINNT\system32\stisvc.e
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\Win
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.
C:\WINNT\system32\Dfssvc.e
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\
C:\WINNT\System32\sfmsvc.e
C:\WINNT\System32\msdtc.ex
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.
C:\WINNT\system32\winlogon
C:\WINNT\system32\rdpclip.
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\VSO\mcvss
c:\program files\mcafee.com\agent\mca
c:\progra~1\mcafee.com\vso
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\ctfmon.e
C:\DOCUME~1\ADMINI~1\APPLI
C:\WINNT\system32\sistray.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee.com\age
c:\program files\mcafee.com\shared\mg
c:\PROGRA~1\mcafee.com\vso
C:\WINNT\explorer.exe
C:\WINNT\system32\logon.sc
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\VSO\mcvss
c:\progra~1\mcafee.com\vso
c:\program files\mcafee.com\agent\mca
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\ctfmon.e
C:\DOCUME~1\ADMINI~1\APPLI
C:\WINNT\system32\sistray.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip3
C:\Documents and Settings\Administrator\Loc
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-9
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroChec
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VS
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvss
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oascl
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Wacinrka] C:\DOCUME~1\ADMINI~1\APPLI
O4 - HKCU\..\Run: [Edrc] "C:\PROGRA~1\MANTEC~1\lsas
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {266B9238-31A5-4B53-9039-2
O16 - DPF: {2B323CD9-50E3-11D3-9466-0
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-0
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C
O16 - DPF: {E7D2588A-7FB5-47DC-8830-8
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O20 - AppInit_DLLs: C:\WINNT\system32\services
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\CBA\pds.
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\age
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Age
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
my ip address begins with a 166.82 does that mean that those are probably legit?
Yes, those IP address are probably legit.
ASKER
well i ran hjt and fixed the two issues you told me to but mcafee is still detecting viruses.
Check if McAfee is giving you a false positive. Use another online service to check for virus
Housecall Online Scan
http://housecall.antivirus.com
or
Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
or
Kaspersky Virus Scan
http://www.kaspersky.com/virusscanner
Housecall Online Scan
http://housecall.antivirus.com
or
Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
or
Kaspersky Virus Scan
http://www.kaspersky.com/virusscanner
ASKER
well I've downloaded, spysweeper, adaware, advanced spyware remover, spybot SD, and Ewido and almost all of them are detecting things that i can't get rid of.
danielwebb,
Did you disable and re-enable System Restore? Sometimes mailware are hidden there.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Did you disable and re-enable System Restore? Sometimes mailware are hidden there.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
ASKER
that document only talks about doing that on xp I'm running 2000 server
Danielwebb,
Sorry! Windows 2000 does not have System Restore. You may have a rootkit. Here is how to detect and remove it
Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
or
F-Secure Blacklight
http://www.f-secure.com/blacklight/try.shtml
Sorry! Windows 2000 does not have System Restore. You may have a rootkit. Here is how to detect and remove it
Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
or
F-Secure Blacklight
http://www.f-secure.com/blacklight/try.shtml
Here is how to remove SurfSideKick 3
http://www.bleepingcomputer.com/forums/topic9549.html
If you have difficulty with the HijackThis log, Post the log at http://www.hijackthis.de/ and click Analyse, Save. Post a link to the saved list here.
Best wishes!