A Challenge - lots of trojans and more

Started by Skittles, November 28, 2005, 02:00:14 PM



Skittles

Wow, this laptop has a lot of nasties on it.

It already detected several trojans, malware, a few worms, backdoors and other viruses. Some I was able to heal, but some it said were unhealable.

A couple of them are WeirdOnTheWeb and SurfSideKick3.

Here is the HJT log.

Oh, and keep in mind this computer is set up in Swedish, so I will need help from our Swedes or anyone who knows the language well enough to help me recognize some of the areas in the computer that are written in Swedish. I have been doing pretty well at figuring it out, but there are some things I have trouble finding because they are in Swedish.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 14:48:01, on 2005-11-28
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Compaq\EASYAC~1\BttnServ.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\HJT do not use without help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [8etpnr5l] C:\WINDOWS\System32\8etpnr5l.exe
O4 - HKLM\..\Run: [MNI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://c:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)


normmork

We will try to get our Swedish expert to help you.

Die Hard

I will be here later tonight and review the log  :thumbsup:

Regards

Die Hard :)
I create and edit my posts in GS-NOTES

Skittles

I will check on it tomorrow....and see if I have some instructions.

BTW, I have since downloaded Ewido and ran that, but I don't have a new HJT log to give ya. I did not bring the laptop down here tonight.

It is a pain to switch the broadband over to the laptop.  Because I have to disconnect the modem for 30 mins so it can reset so that it can recognize the different computer and connect.

So I won't bring it back down until I see some instructions.  I don't want to bother my friends too much by going back and forth...hehehehe.

Skittles


Corrine

I read elsewhere that Die Hard got tied up with something -- real life does, on occasion, interfere.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Die Hard


Hi skittles :)

Sorry for the delay in replying. Like Corrine said, I was tied up and didn't have the time required to look at your log earlier; sorry for that.

Now, proceed like this:

1. Press Windows key+R, type services.msc and in the right pane of the window scroll until you find Hardware Clock Driver. Double-click on it and in the new window set the "Startup type" to Disabled and hit the Stop button. Click Apply and close.
If you are uncertain whether you have the right service, the window also shows the file path "C:\WINDOWS\System32\hwclock.exe".

2. Go to Control Panel, "Add/Remove Programs", and see if "SurfSideKick" is listed; if so, uninstall it.
Then uninstall WeirdOnTheWeb, if that's also listed.

3. Run HijackThis, checkmark the following entries and have them fixed:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [8etpnr5l] C:\WINDOWS\System32\8etpnr5l.exe
O4 - HKLM\..\Run: [MNI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)


4. Reboot into safe mode and remove the following files and folders:
C:\Program\SurfSideKick 3\ <<< folder
C:\Program\WeirdOnTheWeb\ <<< folder
C:\WINDOWS\System32\8etpnr5l.exe <<< file
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe <<< file
scvhost.exe <<< file. Note this filename: there is a legitimate Windows file named "svchost.exe" and that mustn't be touched.
repairs302972979.dll <<< file
C:\WINDOWS\System32\hwclock.exe <<< file

5. While still in safe mode, run a full system scan with Ewido and let it remove what it finds. When the scan is finished, save the report.

6. Then reboot normally and run a scan with Panda and/or Trend Micro:
Panda ActiveScan http://www.pandasoftware.com/activescan/
Trend Micro HouseCall http://housecall.trendmicro.com/

7.  Go here and download "EmptyTempFolders" : http://www.danish-shareware.dk/soft/emptemp/
Install the program and click "Options" and select "Predefined folders".
Checkmark :
C:\Documents and Settings\your account\Local Settings\Temp\
C:\Documents and Settings\all other accounts\Local Settings\Temp\
C:\Documents and Settings\your account\Local Settings\Temporary Internet Files
C:\Documents and Settings\all other accounts\Local Settings\Temporary Internet Files
C:\Windows\Temp

Then click "Empty all folders" (blue lightning) to remove the contents of the preset folders.

8. Please post back with a new HJT log and the report from Ewido 

Best regards

Die Hard :)
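The triage Die Hard did by eye on Skittles' first log (the entries he asked to have fixed in step 3, and the scvhost.exe versus svchost.exe caveat in step 4) can be written down as rules. What follows is an added example, not HijackThis code and not anything posted in this thread: a Python script that reads the O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) lines of an HJT log and explains why each flagged line deserves attention. The sample log lines are copied from the first log above; the legitimate-name list, the unwanted-program list, the edit-distance and vowel-ratio thresholds and the wording of the reasons are this example's own assumptions.

```python
"""Triage the autostart lines of a HijackThis 1.99 log (added example).

Reads O4, O20 and O23 lines and says why a line deserves a look. Sample
lines are copied from the first log in the thread; the rule set and its
thresholds are this example's own choices, not HijackThis behaviour.
"""
import re

# Windows process names that malware habitually imitates (example list).
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "explorer.exe", "spoolsv.exe", "smss.exe"}
# Programs the scanners in this thread reported as adware/spyware.
KNOWN_UNWANTED = ("surfsidekick", "weirdontheweb")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
O23_RE = re.compile(r"^O23 - Service: .+? \(\w+\) - (.+?) - (.+)$")

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [8etpnr5l] C:\WINDOWS\System32\8etpnr5l.exe
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
"""


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(filename):
    """Legitimate name this filename imitates, or None. Distance exactly 1
    catches a swap (scvhost/svchost) or one changed character (svch0st)."""
    for legit in LEGIT_NAMES:
        if filename != legit and osa_distance(filename, legit) == 1:
            return legit
    return None


def looks_random(stem):
    """Generated-looking stem such as 8etpnr5l: 6+ chars, digits mixed with
    letters, and under 30% vowels among the letters (threshold is a guess)."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters or not any(c.isdigit() for c in stem):
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.3


def command_target(cmd):
    """Split an O4 command into (path as written, lowercase bare filename).
    Unquoted paths with spaces are taken up to the first executable suffix."""
    cmd = cmd.strip()
    m = re.match(r'^"([^"]+)"|^(.+?\.(?:exe|dll|pif|scr|com|bat))(?=\s|$)', cmd, re.I)
    path = (m.group(1) or m.group(2)) if m else (cmd.split() or [""])[0]
    return path, path.replace("/", "\\").split("\\")[-1].lower()


def triage(log_text):
    """Return [(line, [reasons])] for every autostart line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        line, reasons = line.strip(), []
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, cmd = m.groups()
            path, fname = command_target(cmd)
            legit = lookalike(fname)
            if legit:
                reasons.append(f"filename imitates {legit}")
            if "\\" not in path:
                reasons.append("bare filename, resolved via the search path")
            if looks_random(fname.rsplit(".", 1)[0]):
                reasons.append("random-looking filename")
            if key.lower() == "runservices":
                reasons.append("RunServices key (Win9x-only; XP itself ignores it)")
            if any(bad in path.lower() for bad in KNOWN_UNWANTED):
                reasons.append("known unwanted program")
        m = O20_RE.match(line)
        if m:
            reasons.append(f"AppInit_DLLs loads {m.group(1)} into every process using user32.dll")
        m = O23_RE.match(line)
        if m:
            owner, path = m.groups()
            if owner == "Unknown owner":
                reasons.append("service binary carries no vendor name")
            if path.endswith("(file missing)"):
                reasons.append("service points at a file that is gone")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it as-is to print the flagged sample lines, or pass the text of a saved log to triage(). On the sample it reports exactly the lines Die Hard picked (both scvhost.exe entries, 8etpnr5l.exe, the AppInit DLL, the hwclock service, SurfSideKick and WeirdOnTheWeb) and stays quiet on the Synaptics, AVG and Messenger entries. It is not a substitute for a scanner's signatures: the two adware names are only caught because the thread's scanners named them, and the lookalike rule is deliberately tight (distance exactly 1) so that names such as msmsgs.exe are not reported next to smss.exe.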

Skittles

1. Click (Windowskey+R) and type services.msc

You are talking about the Run, correct?  Like where you type msconfig to check for startup programs and such?

I guess I never used the Windows key...lol. I am assuming it is the key with the little waving Windows flag icon between the Alt and Ctrl keys? Hey, also tell me, does anyone know where the ANY KEY is?  hehehe

I will get to this when I can take the laptop over to my friends house and get it hooked up to their broadband.

Probably on  Monday, maybe tomorrow, but I doubt it.

Die Hard

Quote from: skittlespc on December 03, 2005, 05:19:46 PM
1. Click (Windowskey+R) and type services.msc

You are talking about the Run, correct?  Like where you type msconfig to check for startup programs and such?

That's correct, the key between Ctrl and Alt  :P

Quote from: skittlespc
Hey, also tell me, does anyone know where the ANY KEY is?  hehehe

That's the key on the upper right side..............no, on the lower left side..........no, no, it's between the F and H...........or is it the one below the Enter key?

No wait, here's a professional explanation:

Die Hard :)

tabjork

 :hysterical: :hysterical: :hysterical:
:hysterical: :hysterical: :hysterical:

ouch my stomach hurts from laughing so hard....and the TEARS....lol

Okay I am now working on this pc.

Oh btw....this is Skittles.....hehehe As if you didn't know. ;)

Skittles

DieHard I have a question for ya.

I need the translation into Swedish to get into the area where I need to do step 4...to remove the files and folders.

Start... "Den här datorn" (My Computer)?... then C:?

Usually I go into Windows Explorer when I do this, but I can't find it here in Swedish.

Skittles

Same thing with step 1.

I need the swedish translation for what I need to click.

I was able to get into the Hardware Clock Driver but I cannot figure out where to Disable the Startup type and all that stuff, cuz it is in Swedish.

Skittles

I got them!

Someone came by here, at the apartment and was able to translate it for me.

I just ran the hjt and fixed the ones you wanted but there were 3 that were not listed at all.  I am thinking that Ewido might have fixed it after I installed it, since the log that I posted before was before I installed the Ewido.

It was these three...

O4 - HKLM\..\Run: [MNI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)


Moving on to the SafeMode steps now

Skittles

Here is the new hjt log....below that will be the Ewido scan log and the Panda log.

Logfile of HijackThis v1.99.1
Scan saved at 15:35:41, on 2005-12-05
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\Program\Compaq\EASYAC~1\BttnServ.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\HJT do not use without help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://c:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

*************************************************************************************************

Ewido Scan Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         13:27:38, 2005-12-05
+ Report-Checksum:      62C750E

+ Scan result:

   C:\Documents and Settings\Lilla Edets Kommun\Cookies\lilla edets kommun@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temp\temp.fr2615\Ssk.exe -> Adware.SurfSide : Cleaned with backup
   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temp\temp.fr2615\SskBho.dll -> Adware.SurfSide : Cleaned with backup
   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temp\temp.fr2615\SskCore.dll -> Adware.SurfSide : Cleaned with backup
   C:\WINDOWS\system32\updt.pif -> Backdoor.SdBot.aiw : Cleaned with backup


::Report End

****************************************************************************************

Panda Scan Report Log


Incident                        Status            Location

Adware:adware/weirdontheweb     Not desinfected   C:\Documents and Settings\Lilla Edets Kommun\Favoriter\WeirdOnTheWeb.url
Spyware:spyware/surfsidekick    Not desinfected   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temporary Internet Files\Ssk.log
Adware:adware/ucmore            Not desinfected   C:\WINDOWS\ucmoreiex.exe
Adware:adware/gator             Not desinfected   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temp\fsg_tmp
Adware:adware/dyfuca            Not desinfected   Windows Registry
Virus:W32/Gaobot.LJK.worm       Disinfected       C:\WINDOWS\system32\TFTP784
Adware:Adware/Weirdontheweb     Not desinfected   C:\WINDOWS\weirdontheweb_topc.exe
********************************************************************************

I also ran Spybot after all this, and it found 86 more items, which I removed. But 71 of the entries came from WinFixer. I am unsure what WinFixer is, whether the people who own this laptop downloaded it, or bought it, or what. I have never used it and don't know anything about it. So I am wondering if that is something I should remove as well. It seems to cause some problems. I had to disable it in the startup programs, because it was always popping up, constantly wanting me to register it and to run a full scan, which I did not.


Skittles

Well I will be back tomorrow maybe to see if there is anything further that I will need to do.

I am heading home to make supper.

See yas later