Please Help! Terrible malware problem!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sting36e, Mar 24, 2006.

  1. Sting36e

    Sting36e Private E-2

    Hi, you all at MajorGeeks have been such a great help to me before, and now I am once again in need of assistance. I have a terrible malware problem at the moment. I have tried everything on the "Read and Run First" page, although the problem does not allow me to run BitDefender or Panda ActiveScan, because my Internet Explorer is so bogged down with these infections. I do not know what else to do.

    I have constant popups, every few seconds, both from Internet Explorer and from Firefox, which is the browser I actually use now. I believe that the main problem is related to several things: Elite Media Group, Zeno Ads/twinlsag.exe, and Surf Side Kick, although there are probably other culprits as well.

    I have tried everything I can, but to no avail. I have enclosed a HijackThis log, as I believe that I have exhausted all other avenues.

    Thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME gives you a Special Removal Procedures link that you should have clicked on. It gives a procedure for SurfSideKick Removal.

    Run it and then attach a new HJT log. No wonder you have problems! You are running without a firewall. You should have finished following up on your previous thread with BJ (see: http://forums.majorgeeks.com/showthread.php?t=84148 ). If you had, one of his final messages would have sent you to the How to protect sticky thread, which tells you to install a firewall (along with many other important tips). If you are going to start threads requesting help, you should always complete them.
     
  3. Sting36e

    Sting36e Private E-2

    I only did not finish that thread because unfortunately my business takes me away from home for weeks at a time, and I have an 11- and a 9-year-old who disobey me and use the computer even after I tell them not to :mad: , so I'm afraid they just made all the problems appear again.


    Anyway, I tried to remove Surf Side Kick but it did not work: when I try to run SSkFix.exe, it tells me there is no repairs.dll file, and I could not find any of the mentioned repairs.dll files in the windows/system32 folder either. I tried deleting the appropriate lines in HijackThis but they just reappear immediately.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to make their user accounts restricted user accounts so they cannot install stuff. This is also discussed in the How to protect thread.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following processes and kill them one at a time by selecting each one and then clicking Kill process. Then click Yes.
    C:\WINDOWS\System32\ehczrw312.exe
    C:\WINDOWS\System32\fihmspkd.exe
    C:\WINDOWS\System32\F?nts\msconfig.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsvB2B.dll
    O2 - BHO: (no name) - {48484376-A6BC-A938-9978-DF98B011A497} - C:\WINDOWS\System32\ihs.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmkgvh.dll
    O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\System32\lsoda.dll
    O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\System32\ehczrw312.exe"
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\twinlsag.exe FI002
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Wqjhkqoh] C:\WINDOWS\System32\F?nts\msconfig.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
    O4 - HKCU\..\Run: [Obme] "C:\PROGRA~1\SEMBLY~1\alg.exe" -vt ndrv
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\System32\lsoda.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\Program Files\SEMBLY~1 <--- the whole folder
    C:\WINDOWS\System32\ehczrw312.exe
    C:\WINDOWS\System32\fihmspkd.exe
    C:\WINDOWS\System32\F?nts\msconfig.exe <--- the F?nts folder may look like Fonts
    C:\WINDOWS\System32\nsvB2B.dll
    C:\WINDOWS\System32\ihs.dll
    C:\WINDOWS\System32\irsmkgvh.dll
    C:\WINDOWS\System32\lsoda.dll
    C:\WINDOWS\System32\ehczrw312.exe
    C:\WINDOWS\System32\twinlsag.exe
    C:\WINDOWS\System32\irssyncd.exe
    C:\WINDOWS\System32\lsoda.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
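The checks in the post above (and the shorter follow-up list later in this thread) are done by eye: entries with no name or a missing file, Run values and file names that look randomly generated, a folder spelled one character off from a real one (System32\F?nts next to the real Fonts), a well-known binary name such as msconfig.exe or alg.exe sitting where it does not belong, ActiveX downloads (O16) from arbitrary hosts, and an HTML MIME filter (O18). The script below is an added example, not part of this thread and not HijackThis code, that applies the same tells to the lines chaslang listed. The folder list, the table of where those binaries really live on XP, the vowel-ratio rule and the flag names are this example's own assumptions, not anything HijackThis does.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example, not HijackThis code or the thread's own. The sample entries are
copied from the post above; folder list, binary table and flag names are assumed.
"""
import re

# Drive letter up to a binary extension, stopping before a quote, whitespace or
# line end so "(file missing)" and Run arguments such as "-vt ndrv" are left out.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|cab|ocx)(?=["\s]|$)', re.I)
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.I)
RUN_NAME_RE = re.compile(r"\\Run: \[([^\]]+)\]")

WELL_KNOWN_DIRS = ("fonts", "system32", "windows", "program files")  # assumed list
SYSTEM_BINARIES = {  # assumed: where these XP binaries really live (dir substring)
    "msconfig.exe": "\\pchealth\\helpctr\\binaries\\",
    "alg.exe": "\\windows\\system32\\",
}


def looks_random(name):
    """Crude dropper-name check: 7+ characters with under 20% vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 7 or not letters:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2


def parse_entry(line):
    """Pull entry type, local path, URL host and Run value name from one line."""
    line = line.strip()
    path_m, url_m, run_m = (rx.search(line) for rx in (PATH_RE, URL_RE, RUN_NAME_RE))
    return {
        "kind": line.split(" - ", 1)[0],
        "path": path_m.group(0) if path_m else None,
        "host": url_m.group(1).lower() if url_m else None,
        "run_name": run_m.group(1) if run_m else None,
        "raw": line,
    }


def suspicion_flags(entry):
    """The checks a log reader does by eye; returns the list of flags raised."""
    flags = []

    def add(flag):
        if flag not in flags:
            flags.append(flag)

    if "(file missing)" in entry["raw"]:
        add("FILE_MISSING")  # file is gone but the registry entry still loads it
    if "(no name)" in entry["raw"]:
        add("NO_NAME")
    if entry["run_name"] and looks_random(entry["run_name"]):
        add("RANDOM_NAME:" + entry["run_name"])
    if entry["path"]:
        dirname, basename = entry["path"].lower().rsplit("\\", 1)
        stem = basename.rsplit(".", 1)[0]
        if looks_random(stem):
            add("RANDOM_NAME:" + stem)
        if "?" in dirname:  # HJT prints characters it cannot render as '?'
            add("UNRENDERABLE_CHAR_IN_PATH")
        for comp in dirname.split("\\"):  # one-character twins of real folders
            for known in WELL_KNOWN_DIRS:
                if (len(comp) == len(known) and comp != known
                        and sum(a != b for a, b in zip(comp, known)) == 1):
                    add("LOOKALIKE_DIR:%s~%s" % (comp, known))
        expected = SYSTEM_BINARIES.get(basename)
        if expected and expected not in dirname + "\\":
            add("MASQUERADE:" + basename)
    if entry["kind"] == "O16" and entry["host"]:
        add("ACTIVEX_DOWNLOAD:" + entry["host"])  # cab fetched and run from that host
    if entry["kind"] == "O18":
        add("MIME_FILTER")  # a text/html filter sees every page IE renders
    return flags


def triage(log_text):
    """Return [(line, flags)] for each entry that raised at least one flag."""
    entries = [parse_entry(l) for l in log_text.splitlines() if l.strip()]
    flagged = ((e["raw"], suspicion_flags(e)) for e in entries)
    return [(raw, f) for raw, f in flagged if f]


SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmkgvh.dll
O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\System32\ehczrw312.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\twinlsag.exe FI002
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Wqjhkqoh] C:\WINDOWS\System32\F?nts\msconfig.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [Obme] "C:\PROGRA~1\SEMBLY~1\alg.exe" -vt ndrv
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\System32\lsoda.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

if __name__ == "__main__":
    for raw, flags in triage(SAMPLE_LOG):
        print(", ".join(flags).ljust(50), raw)
```

Two things worth noticing when running it. The SurfSideKick Run entries and the twinlsag.exe loader raise no flag at all, and the same is true of the "web compressor" and "Yvakt Class" BHOs from the post above, which is why a known-bad name list and the judgement of whoever reads the log still matter. And FILE_MISSING is exactly the state the later posts in this thread deal with: after the files were deleted in safe mode, HijackThis still showed the registry entries pointing at them, so the entries themselves had to be fixed.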
     
  5. Sting36e

    Sting36e Private E-2

    I did as per your instructions. Some of the files you told me to delete in the System32 folder were not there, but most of them were, and I did as you instructed.

    As of right now there has yet to be a popup, but it seems some of the unwanted files are still in there, as the new hijackthis log shows.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's see if we can get the rest of them removed. First you must shut down MS Antispyware as it could be getting in our way. Right click on the icon in your system tray and select Shutdown Microsoft Antispyware, then continue to below.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\System32\lsoda.dll (file missing)
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\System32\ehczrw312.exe"
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\System32\lsoda.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (tell me exactly what you find and delete or do not find):
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\WINDOWS\System32\ehczrw312.exe
    C:\WINDOWS\System32\lsoda.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings (make sure you use www.majorgeeks.com for your home page - at least for now while we fix things):
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  7. Sting36e

    Sting36e Private E-2

    Ok, I did not find any of the three that you told me to delete, but I still did everything else again afterwards. So far, just as before, not a single popup. :)

    Enclosed is the new HJT log.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
