Spyware cons

Status
Not open for further replies.

cypher

Broken In
There's a folder in my Windows XP partition, in Program Files, called SurfSideKick 3. I used Spybot to remove this adware, but after reboot it appeared again. NAV 2005 also detects this as adware and is unable to delete it. Since the files are running in memory, I'm not able to delete these. How do I delete it permanently, folder and reg entries? :?:
 

QwertyManiac

Commander in Chief
Post your HijackThis log here: HijackThis

Try finding the adware in msconfig's Startup tab and uncheck it.
 

anandk

Distinguished Member
Why don't you schedule a boot-time scan with Spybot? There is such an option in the settings.

Usually, in such cases (when spyware is running in memory) you should run your antivirus/anti-spyware in Safe Mode. Else try to remove it from startup, reboot, and then run your scans. :twisted:

Along with Spybot, I recommend that you use an additional freeware anti-spyware tool like Spyware Doctor 3.1, MS AntiSpyware or Ad-Aware.

If this fails, then post your HijackThis log file here.
 

swatkat

Technomancer
Post the HijackThis log file here. SurfSideKick is not that easy to remove using "conventional" tools.
 

sakumar79

Technomancer
Look at *www.scanspyware.net/info/SurfSideKick.htm or *securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html for manual removal instructions.

Also, after ensuring that you have completely removed it, make sure to remove all old System Restore points and create a new one, so that you don't go back to a time when it was there...

Arun
 

cypher

Broken In
Here's the HijackThis log

Here's the log file you guys asked for.
And I use only Firefox 1.5.



Logfile of HijackThis v1.99.1
Scan saved at 12:05:29 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\FLASHGET\flashget.exe
D:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
D:\Program Files\DU Meter\DUMeter.exe
D:\Program Files\Winamp\winamp.exe
C:\Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Cooling] C:\Program Files\ASUS\Probe\Cooling.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [winupdate] D:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DU Meter] D:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FLASHGET\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://D:\Documents and Settings\ShadeMe.TALOS.000\Application Data\Mozilla\Firefox\Profiles\t02kkgyc.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://D:\Documents and Settings\ShadeMe.TALOS.000\Application Data\Mozilla\Firefox\Profiles\t02kkgyc.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{7120F671-9DD5-4C72-8F6A-496FC5F99D85}: NameServer = 61.1.192.65 61.0.0.5
O20 - Winlogon Notify: MCPClient - D:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

anandk

Distinguished Member
You have been infected by the winupdate virus.
It must be in D:\Program Files\winupdate\winupdate.exe :evil:
First disable it or remove it from the startup list.

You also have a P2P infection. :twisted:
P2P Networking.exe is an advertising program by Joltid.
It monitors your browsing habits and distributes the data
back to the author's servers for analysis.
It also prompts advertising popups.

You also appear to have been infected with a CoolWebSearch
spyware variant, BHO msacmx.dll. :roll:

I would recommend you run your antivirus and at least 2 anti-spyware tools
(Microsoft AntiSpyware and Ad-Aware/Spyware Doctor), in Safe Mode/boot-time.
 

swatkat

Technomancer
Re: Here's the HIJACK it log

Hi,

First boot in Safe Mode and run HijackThis. Then click the button "Do only a system scan". Then select these entries:

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [winupdate] D:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe


Close all other programs, and click "Fix Checked" in HijackThis.


Next, delete this folder:-
D:\Program Files\winupdate

And this file (Use Search feature to find this file):-
p2pnetworking.exe



Next, to remove SurfSideKick, follow the procedures given here.
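The replies above pick the suspicious lines out of the HijackThis log by eye: autostart entries with a bare executable name and no directory (p2pnetworking.exe), entries in the legacy RunServices key, the winupdate Run entry, and BHO/Winlogon registrations whose file no longer exists. The script below is an added example, not part of this thread or of HijackThis, that automates that triage over a few lines copied from the log posted above. The only names it treats as known-bad are the two this thread identifies (winupdate, p2pnetworking); the sample log, the regular expressions and the heuristics are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a handful of lines copied from the HijackThis log posted in
# this thread, with two clean entries (ccApp, ctfmon.exe) kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [winupdate] D:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
""".strip("\n")

# Entry names that the replies in this thread single out as adware. Anything
# beyond these two would be an assumption, so the set is deliberately small.
THREAD_FLAGGED_NAMES = {"winupdate", "p2pnetworking"}

# O4 lines look like:  O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Return the executable part of a Run-key command line.

    A quoted command keeps everything inside the quotes; an unquoted one takes
    the first whitespace-separated token, which is enough to tell whether a
    directory is present at all (the heuristic below only looks for '\\' or ':').
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log: str) -> List[Finding]:
    """Scan HijackThis-style lines and return those worth a second look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []

        # Orphaned registrations: a BHO or Winlogon notify package whose DLL is gone.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            reasons.append("BHO registration whose DLL no longer exists")
        if line.startswith("O20 - Winlogon Notify:") and line.endswith("(file missing)"):
            reasons.append("Winlogon notify package whose DLL is missing")

        m = O4_RE.match(line)
        if m:
            name, key, cmd = m["name"], m["key"], m["cmd"]
            exe = first_token(cmd)
            if name.lower() in THREAD_FLAGGED_NAMES:
                reasons.append(f"'{name}' is named as adware in this thread")
            if "\\" not in exe and ":" not in exe:
                # Bare executable name: Windows resolves it through PATH at
                # logon, and the log gives no directory to go and delete.
                reasons.append(f"bare executable name '{exe}' with no directory")
            if key == "RunServices":
                reasons.append("RunServices key (Windows 9x-era autostart location)")

        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as-is it prints five flagged lines: the orphaned BHO, the winupdate entry, both p2pnetworking entries (the RunServices one with three separate reasons) and the missing WRLogonNTF.dll notify package; the Symantec and ctfmon entries pass. The point of keeping the known-bad list tied to what the thread established is that the structural checks (no directory, orphaned file, legacy key) do the work on their own, which is exactly how the helpers above spotted these entries without a signature.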
 

cypher

Broken In
Using Ad-Aware Pro 1.06 with the latest defs.
I'll do as you say. Actually, I had deleted the p2pnetworking file and its entries.
I think SSK is downloading this stuff.
 