Got it Bad

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by paperfolder, Sep 5, 2005.

  1. paperfolder

    paperfolder Private E-2

    Well, I'm another one who seems to have picked them up. I've been trying for the past week to rid myself of the following:
    Icannews; Look2me; Surfsidekick.

    I've been running the following trying to kill them:
    Ad-Aware 6.0
    Spybot
    CCleaner
    TrendMicro Antispyware
    CounterSpy
    Spyware Doctor
    Spyware Blaster
    MS AntiSpyware Beta
    Norton Anti-virus

    In fact they seem to be overlapping one another to the point where I can't download MS Updates or software from this site. (I keep seeing some Greek book sales popup in Opera - What gives?)

    The malware seems to regenerate itself after rebooting.
    I can post the HijackThis log if needed.

    I followed the excellent Major Geek reference "Do this before you post..." and have followed it to the letter:
    MS Java removal
    AboutBuster
    CWShredder
    HSRemove
    Kill2Me
    Spyware Blaster
    Stinger
    VX2 Cleaner

    Nothing ever seems to pick up Icannews; SurfSideKick gets detected and deleted, but not really. The 3 files in the Program directory appear to be undeletable - I've tried manually and in Safe Mode without success.

    I'm running what used to be a Dell Dimension XPS B100r
    1 GHz PIII
    512 MB Rambus memory
    WD raptor SATA HD on Promise controller
    WIN XP SP2 v 5.1 Build 2600

    Any ideas before the format, reinstall, swearing and promise to do better backups?

    Thanks.
     
  2. paperfolder

    paperfolder Private E-2

    Thanks for the quick response.

    As instructed the HJT log file is attached.

    Looking forward to your insights.

  3. paperfolder

    paperfolder Private E-2

    Neither program was found in Add/Remove Programs.

    Had HJT fix the entries you listed. When I ran the fix, I got an error (attached PDF file)

    O15 - Trusted Zone:http://Download... was also fixed

    I've attached the latest HJT log.

    Note that I'm still getting pop ups from Icannews (almost immediately after reboot).

    Thank you for all the help.
    You are a wonderful resource.

  4. paperfolder

    paperfolder Private E-2

    OK, I'm a dope.

    Let's try this again - I didn't pay attention to your instruction to fix each line individually. So I went through the scan list again and found the following:

    All processes were removed (fixed) except for the two listings
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    Even after repeated fixes and an attempt at fixing them from Safe Mode.

    Additionally the process
    O20 - AppInit_DLLs: repairs.dll

    Caused the unexplained error message I posted in my last reply.

    I'm ready for the next step and promise to read more carefully.

    This thing is stubborn, isn't it?

    Thanks
     
  5. paperfolder

    paperfolder Private E-2

    A short update:

    SurfSideKick is resistant to everything I've tried to remove it, including HJT and a utility called Move On Boot (also deletes on boot). It doesn't show up in Add/Remove Programs although it has its own folder in C:/Program Files.

    Ran across something called PopThis in my Windows Add/Remove Programs. When I tried to delete it, the window locks up. I noticed my CPU Usage in Task Manager goes to 100%. Strangely, this program has no folder in C:/Program Files.

    Any insights?

    thanks.
     
  6. paperfolder

    paperfolder Private E-2

    Latest HJT log is attached.

    Thanks

  7. paperfolder

    paperfolder Private E-2

    I attempted to fix the 3 listings from the HJT scan you indicated:

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    - fixed after 2nd try
    O20 - AppInit_DLLs: repairs.dll
    - Always get the error: "Unexpected error..." for full text see
    previous PDF attachment

    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\dvspex.dll
    - This file did not appear in the HJT scan.

    Ran KillBox to delete the two files

    C:\Program Files\SurfSideKick 3\SskBho.dll
    repairs.dll
    C:\WINDOWS\system32\dvspex.dll

    Edited registry - found one SurfSideKick entry in .../Current Version/Run
    and deleted it.

    No references to SSK in the RunOnce directory

    Rebooted. New HJT log is attached.

    Thanks.
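The HJT entries fixed in this post (O4 Run, O20 AppInit_DLLs, O20 Winlogon Notify, R3 URLSearchHook) are all registry autostart locations that reload a file at logon, which is why the files reappear after every reboot. The following PowerShell triage script is an added example, not from the thread or from HijackThis; it enumerates those same locations read-only and resolves each entry to the file it loads, assuming the Windows XP-era key paths the log lines reference and a Windows PowerShell session.

```powershell
# Added example: enumerate the autostart locations named in this thread's
# HJT entries and show what each is configured to load. Read-only; it
# changes nothing. Keys that do not exist on newer Windows are skipped.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# O4: Run keys (SurfSideKick registered itself under HKCU\..\Run)
foreach ($hive in 'HKCU', 'HKLM') {
    $props = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') {   # skip the provider's own PS* properties
            $findings += [pscustomobject]@{ Source = "O4 $hive Run"; Name = $p.Name; Target = $p.Value }
        }
    }
}

# O20: AppInit_DLLs, loaded into every process that links user32 (repairs.dll)
$appinit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appinit) {
    $findings += [pscustomobject]@{ Source = 'O20 AppInit_DLLs'; Name = 'AppInit_DLLs'; Target = $appinit }
}

# O20: Winlogon Notify packages, loaded by winlogon.exe at logon (dvspex.dll as 'Applets')
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DLLName
    $findings += [pscustomobject]@{ Source = 'O20 Winlogon Notify'; Name = $_.PSChildName; Target = $dll }
}

# R3: URLSearchHooks are CLSIDs; resolve each through InProcServer32 to its DLL (SskBho.dll)
$hooks = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
foreach ($p in $hooks.PSObject.Properties) {
    if ($p.Name -match '^\{[0-9A-F-]+\}$') {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)\InProcServer32"
        $dll = (Get-ItemProperty $server).'(default)'
        $findings += [pscustomobject]@{ Source = 'R3 URLSearchHook'; Name = $p.Name; Target = $dll }
    }
}

# OnDisk tests the literal path only; bare names such as repairs.dll are found
# through the DLL search path at load time, so they report False here.
foreach ($f in $findings) {
    $first = ($f.Target -replace '"', '').Split(',')[0].Trim()
    $path = [Environment]::ExpandEnvironmentVariables($first)
    $f | Add-Member -NotePropertyName OnDisk -NotePropertyValue ([bool](Test-Path -LiteralPath $path))
}
$findings | Format-Table Source, Name, Target, OnDisk -AutoSize
```

Run it from an elevated prompt; an entry whose target is unsigned, lives in a user-writable folder, or points at a bare DLL name in a system load location is the one worth examining first.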

  8. paperfolder

    paperfolder Private E-2

    All files refuse to be deleted - I get the message that they are in use by some other process. Same thing happens in normal mode.

    In normal mode, all SSK files in the HJT scan also refuse to be deleted.

    What's next??


    FYI,
    I went to the SSK website and complained there, not because I thought they'd answer but I needed the outlet.
    Actually got a response back today, wanted to know what you thought about it:



    Hello,

    In reply to your request to remove the application from your computer I have included a link to our master uninstaller. This is a completely safe program that will remove all versions of our application as you have requested. This is the most thorough and easy way to remove the application. You have our contact information so feel free to ask any questions you may have about uninstalling. Please read instructions before uninstalling.

    Removal Process
    Please run the uninstaller by visiting:
    http://www.surfsidekick.com/uninstallx.htm

    You will be asked for an "uninstall code" please enter the following
    code:
    632621121629104376

    Then also enter the dynamic security code you are prompted to enter. Press the "OK" button once both fields are filled in properly.

    Once you have completed this a message will come up to let you know that all browser windows will be closed before you can uninstall. This is fine and part of the process. So make sure you don't have any important work open in a browser while you are using this uninstaller.

    If your Windows is blocking the ActiveX you must enable it. It is how this uninstaller works. Please look for the "download unsigned ActiveX controls" option in your Internet Options - Security settings. Simply set this option to "Prompt". This will allow you to use the uninstaller.

    This will complete the removal process.
    Thank you.


    Sounds a bit strange, doesn't it???
     
  9. paperfolder

    paperfolder Private E-2

    I've attached two files - the first is a scan right after installation of Ewido, the second a scan after booting into safe mode. I made a third, a scan done within the last hour, that shows 48 infections cleaned. All the software for removing these programs and files shows that the files have been deleted but they are always back.

    The SSK files and repair.dll just will not be deleted.

    This is getting to be a bit tedious.

    Thanks again.

  10. paperfolder

    paperfolder Private E-2

    I've attached the log from the scan I did a while ago this evening.

  11. paperfolder

    paperfolder Private E-2

    Sorry. It's attached.

  12. paperfolder

    paperfolder Private E-2

    Ewido and HJT logs attached. Machine has not been rebooted.

  13. paperfolder

    paperfolder Private E-2

    Didn't see your last post until this morning.
    Had some ideas of my own since then.

    First was to try to access the problem files from outside Windows - I used a Live CD version of Insert, a Linux flavor full of utilities. The software ran just fine from the CD, I found the file manager and mounted the drive. Found the files and was unable to delete or move them. It seems that WINXP Service Pack 2 now prevents you from doing this.

    Second idea, next to last resort, was to pull the drive and install it in another machine then run the AV and Malware software from that WinXP OS. This time it worked. Ran Ewido, McAfee AV, Spyware Doctor, Adaware, Spybot and MS AntiSpyware. They found everything and actually deleted all the files in the (now) D drive. I checked manually after they finished and all seems to be gone. I reinstalled the hard drive in the original machine and ran Norton AV, Ewido, Spyware Doctor, AdAware, Spybot and MS AntiSpyware. Everything checked out - no infections were noted. The biggest thing is that now boot up, shutdown and program opening is noticeably faster.

    Thank you for sticking with me. This may be a method that some others can try with these stubborn pests. I think the key is that the malware files were in a dormant state and had no way to lock themselves to an operating OS.

    Just to note, I ran McAfee and Ewido before and after the drive change on the second machine just to be sure nothing transferred. All was clear. Neither system has any popups.

    Hopefully there will be no next time...
     
