Solved

Surf Sidekick is screwing up my 2000 Server station and I can't remove it! HELP!!!!

Posted on 2006-06-09
Last Modified: 2008-02-26
Hey guys, my boss's kids were looking at porn on the server computer, which they have repeatedly been told not to use. Anyway, they got some spyware on there called Surf Sidekick 3 and I can't get it off. I even tried deleting the registry keys, but they keep coming back. Windows Defender can't remove it either. Now it is displaying error messages when it boots up. It says one or more drivers or services failed to start, check event log. When I check the event log it says the LPD service failed to start, and it also says something about the network adapter not working. The internet has stopped working even though it is showing an open connection with the router and Device Manager says the network adapter is working properly. What should I do?
Question by:danielwebb
16 Comments
 
LVL 97

Expert Comment

by:war1
ID: 16871080
Greetings, danielwebb !

Here is how to remove SurfSideKick 3
http://www.bleepingcomputer.com/forums/topic9549.html

If you have difficulty with the HijackThis log, post the log at http://www.hijackthis.de/ and click Analyse, Save. Post a link to the saved list here.

Best wishes!
LVL 1

Expert Comment

by:M0nit0r
ID: 16882682
Aside from what war1 said, I recommend Ad-Aware SE; it's free and incredibly effective. Do a full scan and your problem will be solved. Here's the link:

http://www.lavasoft.de/software/adaware/
LVL 97

Expert Comment

by:war1
ID: 16895485
danielwebb,

We have not heard from you. Did any comment help you solve your problem? Do you have any more questions? If an Expert helped you, please accept his/her answer above with an excellent or good grade.

Thanks, war1

Author Comment

by:danielwebb
ID: 17101919
Well, I got the Surf Sidekick off, but now McAfee is detecting a PUP called Adware-Clickspring in c:\program files\-dobe\chkdsk.exe, and a trojan named Downloader-EV in c:\winnt\system32\A-pPatch\cmd.exe, and it can't clean, quarantine or delete them.
LVL 97

Expert Comment

by:war1
ID: 17102730
danielwebb,

1. If these trojans are in System Restore, antivirus programs cannot delete them. Disable and enable System Restore:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

2. If no joy: antivirus programs are designed to remove viruses, not malware. You need malware removers.

Ewido to remove trojans
http://www.ewido.net/en/
and
Spy Sweeper to remove spyware
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html
or
SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.

Author Comment

by:danielwebb
ID: 17122454
Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:38 AM, on 7/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\CBA\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmprint.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\fast.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\logon.scr
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\fast.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.towergate.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) -  - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Wacinrka] C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\fast.exe
O4 - HKCU\..\Run: [Edrc] "C:\PROGRA~1\MANTEC~1\lsass.exe" -vt ndrv
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138403477671
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livewc02.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05801ECE-E547-41EB-B2CA-D1E53ECE437C}: NameServer = 166.82.1.3,166.82.1.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{05801ECE-E547-41EB-B2CA-D1E53ECE437C}: NameServer = 166.82.1.3,166.82.1.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{05801ECE-E547-41EB-B2CA-D1E53ECE437C}: NameServer = 166.82.1.3,166.82.1.8
O20 - AppInit_DLLs:  C:\WINNT\system32\services.dll C:\WINNT\system32\nopdb.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\CBA\pds.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LVL 97

Accepted Solution

by:
war1 earned 500 total points
ID: 17123082
Here is your saved analyzed Hijackthis log

http://hijackthis.de/logfiles/77e9ee5a9be6ec18f1b986a586593353.html

1. Put a check mark by the following items in HijackThis log and select "Fix Checked"

R3 - URLSearchHook: (no name) - - (no file)
O4 - HKCU\..\Run: [Edrc] "C:\PROGRA~1\MANTEC~1\lsass.exe" -vt ndrv
O20 - AppInit_DLLs: C:\WINNT\system32\services.dll C:\WINNT\system32\nopdb.dll

2. If you have not installed Windows PowerToys, remove the following item from the HijackThis log.

O4 - HKCU\..\Run: [Wacinrka] C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\fast.exe

3. If you did not install this program, have HJT remove it.

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livewc02.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab

If the name server does not belong to your domain, have HJT remove these items.

O17 - HKLM\System\CCS\Services\Tcpip\..\{05801ECE-E547-41EB-B2CA-D1E53ECE437C}: NameServer = 166.82.1.3,166.82.1.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{05801ECE-E547-41EB-B2CA-D1E53ECE437C}: NameServer = 166.82.1.3,166.82.1.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{05801ECE-E547-41EB-B2CA-D1E53ECE437C}: NameServer = 166.82.1.3,166.82.1.8
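The accepted answer above picks out the suspicious entries by eye: a second lsass.exe launched from a Program Files directory rather than system32, an autorun under the Administrator profile, AppInit_DLLs entries that get loaded into every process that links user32, and name servers that may or may not belong to the site. The following script is an added example, not part of the thread and not HijackThis's own logic; it encodes those same checks as rules and runs them over a handful of entries copied from the log posted above (a constructed, partial sample, not the full log). The host network passed to `triage()` is an assumption the caller supplies; rule names, function names and the list of system binary names are the example author's own choices.

```python
"""Rule-based triage of HijackThis-style log entries (added example)."""
import ipaddress
import re
from typing import Dict, List

# Partial sample: entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Wacinrka] C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\fast.exe
O4 - HKCU\..\Run: [Edrc] "C:\PROGRA~1\MANTEC~1\lsass.exe" -vt ndrv
O17 - HKLM\System\CCS\Services\Tcpip\..\{05801ECE-E547-41EB-B2CA-D1E53ECE437C}: NameServer = 166.82.1.3,166.82.1.8
O20 - AppInit_DLLs:  C:\WINNT\system32\services.dll C:\WINNT\system32\nopdb.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Binaries whose names malware likes to borrow; the real ones live in system32.
SYSTEM_BINARIES = {"lsass.exe", "services.exe", "smss.exe", "csrss.exe",
                   "winlogon.exe", "svchost.exe", "cmd.exe", "chkdsk.exe"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")
# Fragments (long and 8.3 forms) that place a path inside a user profile.
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\",
                        "\\applic~1\\", "\\application data\\")


def _extract_path(command: str) -> str:
    """Pull the executable path out of a Run-key command line.

    Quoted paths are taken up to the closing quote; unquoted ones up to the
    first space (an unquoted path containing spaces would be truncated).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _check_path(path: str, line: str, findings: List[Dict]) -> None:
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    directory = low.rsplit("\\", 1)[0] if "\\" in low else ""
    # A bare name (no directory) is resolved via the search path; we cannot
    # tell where it lives from the log alone, so only full paths are judged.
    if name in SYSTEM_BINARIES and directory and directory not in SYSTEM_DIRS:
        findings.append({"rule": "system-binary-name-outside-system32",
                         "path": path, "line": line})
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        findings.append({"rule": "autorun-from-user-profile",
                         "path": path, "line": line})


def triage(log_text: str, host_network: str) -> List[Dict]:
    """Return a list of findings; host_network is e.g. '166.82.0.0/16'."""
    net = ipaddress.ip_network(host_network, strict=False)
    findings: List[Dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O4 - "):
            m = re.match(r"O4 - \S+: \[[^\]]*\]\s*(.*)$", line)
            if m:
                _check_path(_extract_path(m.group(1)), line, findings)
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Every DLL listed here is mapped into every user32 process;
            # paths containing spaces are not handled by this split.
            for dll in line.split(":", 1)[1].split():
                findings.append({"rule": "appinit-dll-injected-into-every-process",
                                 "path": dll, "line": line})
        elif line.startswith("O17 - "):
            m = re.search(r"NameServer = ([\d.,]+)", line)
            if m:
                for addr in m.group(1).split(","):
                    if ipaddress.ip_address(addr) not in net:
                        findings.append({"rule": "nameserver-outside-host-network",
                                         "path": addr, "line": line})
        elif line.startswith("O23 - Service:"):
            _check_path(line.rsplit(" - ", 1)[-1], line, findings)
    return findings


if __name__ == "__main__":
    # 166.82.0.0/16 is an assumed host network for the demonstration.
    for f in triage(SAMPLE_LOG, "166.82.0.0/16"):
        print(f"{f['rule']:42} {f['path']}")
```

Run against the sample it reports the fake lsass.exe, the fast.exe autorun under the Administrator profile and both AppInit DLLs, and stays quiet on VPTray, ctfmon and the Symantec service; the O17 entries are only flagged if the host network you pass does not contain them, which is the same test war1 applies when he asks whether the name servers belong to the domain. The "running processes" section of the log is the cross-check for the lsass rule: the genuine copy is listed there as C:\WINNT\system32\lsass.exe.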

Author Comment

by:danielwebb
ID: 17123584
My IP address begins with 166.82; does that mean that those are probably legit?
LVL 97

Expert Comment

by:war1
ID: 17123821
Yes, those IP addresses are probably legit.

Author Comment

by:danielwebb
ID: 17124645
Well, I ran HJT and fixed the two issues you told me to, but McAfee is still detecting viruses.
LVL 97

Expert Comment

by:war1
ID: 17124684
Check if McAfee is giving you a false positive. Use another online service to check for viruses:

Housecall Online Scan
http://housecall.antivirus.com
or
Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
or
Kaspersky Virus Scan
http://www.kaspersky.com/virusscanner

Author Comment

by:danielwebb
ID: 17161925
Well, I've downloaded Spy Sweeper, Ad-Aware, Advanced Spyware Remover, Spybot S&D, and Ewido, and almost all of them are detecting things that I can't get rid of.
LVL 97

Expert Comment

by:war1
ID: 17161975
danielwebb,

Did you disable and re-enable System Restore? Sometimes malware is hidden there.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Author Comment

by:danielwebb
ID: 17163984
That document only talks about doing that on XP. I'm running 2000 Server.
0
 
LVL 97

Expert Comment

by:war1
ID: 17164245
Danielwebb,

Sorry! Windows 2000 does not have System Restore. You may have a rootkit. Here is how to detect and remove it:
Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
or
F-Secure Blacklight
http://www.f-secure.com/blacklight/try.shtml