Spyware and Adware Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Cheesewiz, May 23, 2005.

  1. Cheesewiz

    Cheesewiz Private E-2

    Hey guys,

    Normally I consider myself to be decent at fixing some minor spyware problems, but this time I think I'm in a bit over my head. My computer was infected the other day when I was looking for a pacman game online.(Pacman, of all things...).

    Anyway, I did my usual scans with Adaware, Spybot S&D, and Microsoft Anti spyware. Spybot and MSA both told me my system was clean, whereas Adaware found two registry keys worth of spyware, which normally shouldn't offer a major problem. However, as luck would have it, these things keep returning and with them they have been bringing a few more friends. Yet, when I scan, it still only shows those two registry keys and one registry value. When I go to check around for odd-ball programs, I find quite a few that are obviously malware, and many of those won't delete, claiming that they are in use. In addition I'm getting hit fairly hard with pop-ups, despite my blocker. I could really use some help.

    Would you guys like me to post an Adaware scan result log? Or perhaps something else?

    I'm new here and would really appreciate some assistance.

    Thanks in Advance,
    Cameron
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Cheesewiz

    Cheesewiz Private E-2

    Hey again,

    I did as you said, and although it does seem to have cleared off a few things, the Adaware scan still indicated this reg key, which is called surfsidekick. I really think it is the root of all of this. I also noted a few other things.

    1. There are around 6 files under programs files that seem to be fishy.
    2. My computer is running a slight bit quicker.
    3. I am still being hit with pop-ups, most of which are for online poker.

    I ran a scan with HijackThis, and I'm attaching my results.

    I'm assuming that you will help me decide which of the results are friendly. I think I could figure that part out alone, but, since I'm not an expert, I figure it would be best if left up to experts.

    Thanks for the help so far!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you must disable Spybot's Teatimer as it could get in the way of making the fixes.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer. Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.

    Now quit Spybot!

    You MUST remember to exit browsers (C:\Program Files\Internet Explorer\iexplore.exe) before running HijackThis.

    Open Control Panel and run Add/Remove Programs and uninstall SurfSideKick 3 if found.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    If these next two R0 lines are not recognized to be valid, fix them; otherwise skip them
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.greene.xtn.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.goto.com


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [befdnn] C:\WINDOWS\System32\befdnn.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - Trusted Zone: http://www.neededware.com
    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\WINDOWS\System32\befdnn.exe
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
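The triage chaslang does by eye in the post above (orphaned "(no file)" / "(file missing)" entries, SurfSideKick components, a start page pointing at an unknown host, an O15 Trusted Zone addition, an O4 Run key launching an odd executable from System32) can be expressed as a small log filter. The following Python is an added example written for this page; it is not code from the thread, from MajorGeeks or from HijackThis. It embeds the HJT lines quoted in the post as its sample input, and `KNOWN_GOOD_HOSTS` (the hosts a user would "recognize as valid") and the short-lowercase-name heuristic for System32 executables are assumptions made for the example.

```python
"""Triage of HijackThis (HJT) log lines against the patterns discussed in the thread."""
import re
from dataclasses import dataclass, field

# Assumption for this example: hosts the user recognizes as their own settings.
# The post says to fix the R0/R1 lines only if they are not recognized as valid.
KNOWN_GOOD_HOSTS = {"www.greene.xtn.net", "www.goto.com"}

# Adware component names taken from the thread.
KNOWN_ADWARE = ("surfsidekick", "sskbho.dll", "ssk.exe")

# Sample input: the HJT lines quoted in the post above (copied here for the example).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.greene.xtn.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.goto.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [befdnn] C:\WINDOWS\System32\befdnn.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: http://www.neededware.com
"""

ENTRY_RE = re.compile(r"^\s*(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.+?)\s*$")
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)")
# Heuristic (assumption): a 5-8 letter all-lowercase .exe in System32, like befdnn.exe.
ODD_SYSTEM32_EXE_RE = re.compile(r"\\system32\\[a-z]{5,8}\.exe$")


@dataclass
class HjtEntry:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return one HjtEntry per line that looks like an HJT item (e.g. 'O4 - ...')."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m["section"], m["body"]))
    return entries


def hostname(url):
    """Strip the scheme and path, leaving the host part of a URL."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def triage(entry):
    """Attach human-readable reasons to an entry; returns the (possibly empty) list."""
    low = entry.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.reasons.append("orphaned reference: registered component has no file on disk")
    if any(name in low for name in KNOWN_ADWARE):
        entry.reasons.append("matches a known adware component name from the thread")
    if entry.section in ("R0", "R1"):
        m = URL_RE.search(entry.body)
        if m and hostname(m["url"]) not in KNOWN_GOOD_HOSTS:
            entry.reasons.append("start/search page points to an unrecognized host")
    if entry.section == "O15":
        entry.reasons.append("site added to the Trusted Zone: confirm it was intentional")
    if entry.section in ("O2", "R3") and "(no name)" in low:
        entry.reasons.append("unnamed BHO/URLSearchHook")
    if entry.section == "O4" and ODD_SYSTEM32_EXE_RE.search(low):
        entry.reasons.append("Run entry launching a short random-looking executable from System32 (heuristic)")
    return entry.reasons


def triage_log(text):
    """Parse a log and return only the entries that picked up at least one reason."""
    return [e for e in parse_log(text) if triage(e)]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section} - {e.body}")
        for r in e.reasons:
            print(f"    -> {r}")
```

Run as-is it lists every flagged line with its reasons; the two lines the post says to skip if recognized (the greene.xtn.net start page and the goto.com search bar) pass cleanly because their hosts are in the allow-list, and everything else in the quoted block is flagged for review before any Fix is clicked.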
  5. Cheesewiz

    Cheesewiz Private E-2

    Ok, I did as you said.

    The pop-ups are gone.

    The alerts from Microsoft's AntiSpyware are gone.

    The computer is running rather quickly.


    Hooray :D

    I'm attaching my new logfile. One thing to note is that I did go ahead and reinstall my pop-up blocker. It's one from MSN, and I trust it fairly well.

    Thanks a bunch again man!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! But it appears you missed some items:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [befdnn] C:\WINDOWS\System32\befdnn.exe
     
  7. Cheesewiz

    Cheesewiz Private E-2

    I went back and fixed those, no noticeable difference, but they could have always been the source of a future problem.

    Thank you very much! I'll come back if I have any other problems. :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But did they get fixed this time? Especially the O4 line.

    To help keep you clean you should check out the below:

    How to Protect yourself from malware!
     
  9. Cheesewiz

    Cheesewiz Private E-2

    Yup, the O4 line is also clean. I'll have a look at that thread :)

    Thanks.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely.
     
