Please read this post completely before beginning the fix.
* * * * * * JOTTI SCAN * * * * * * * * * * * * * * * * * * * * * *
Please visit this website -
http://virusscan.jotti.org
Submit the file for a comprehensive scan & then post the results back here.
C:\Documents and Settings\Carina\Application Data\ptads.bin
Please check out the contents of these folders. Let me know what type of files are in there.
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\misc001
* * * * * * * * * * * *
- Download and run - bfu.zip
- Checkmark the following boxes:
- Use settings specified in script for the above option
- Show log after script ends
- Click the Web button located on the top right corner
- Copy/Paste this url into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu
- Execute the script by clicking the Execute button.
- When it finishes running, click the Save button for a copy of the log
- Post the log created by the script when you have completed the fix
* * * * * *
Right click on this & choose "Save As..." - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.
SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items
IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain
Please download the file attached - regdel.zip
Double-click the file within & allow it to merge with the Registry.
This will remove some malware entries from the Registry
* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *
Do a HijackThis scan & place a check next to these items and select "Fix checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
- Purity Scan /Snowballwars by OIN (or any other programs by OIN)
Please note any other programs that you don't recognize in that list in your next response.
* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *
If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
- Tick - 'Show hidden files and folder'
- Untick - 'Hide file extensions for known types'
- Untick - 'Hide protected operating system files'
- Click Yes to confirm & then click OK
Go to Start->Run and type in regsvr32 /u occache.dll and hit OK.
Locate and delete the following files/folders: (make sure you get ALL of them)
- C:\stub_sca3.exe
C:\Mendoza1.exe
C:\visfx500.exe
C:\WINDOWS\apqgo.dll
C:\defender25.exe
C:\WINDOWS\wallpap.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\system32\VSL03.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\NNSCAA638.EXE
C:\WINDOWS\system32tfthot.exe
C:\WINDOWS\system32ftuninst.exe
C:\WINDOWS\system32ssec.exe
C:\WINDOWS\system32\ssec.exe
C:\WINDOWS\system32\tfthot.exe
C:\wd7gi8n.exe
C:\WINDOWS\system32\mptft.exe
C:\msnupdate.exe
C:\lsass.exe
C:\newname24.exe
C:\WINDOWS\manager.exe
C:\WINDOWS\mc-110-12-0000487.exe
C:\svchost.exe
C:\WINDOWS\system32\wnscpsv.exe
C:\d.bat
c:\windows\system32\INNERADINSTALL.LOG
c:\windows\system32\stlb2.xml
c:\windows\downloaded program files\ATPartners.inf
c:\windows\downloaded program files\WinadX.inf
c:\windows\keyboard1.dat
C:\WINDOWS\ahnls.exe
C:\WINDOWS\mbkwnst.exe
C:\WINDOWS\system32\BO2809040510.exe
C:\WINDOWS\system32\removefunc.ram
C:\WINDOWS\system32\xmltok.dll
C:\Documents and Settings\Carina\Internet Optimizer\
C:\Program Files\Common Files\svchostsys\
C:\Program Files\Windows\
C:\WINDOWS\QlJBTkRU\
C:\Program Files\Common Files\oqqf\
C:\Program Files\A?pPatch\
C:\Documents and Settings\Carina\DoctorWeb\Quarantine\
Go to Start->Run and type in regsvr32 occache.dll and hit OK.
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *
Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.
Please post another Hijackthis log & let me know how that went
__________________
Question - what have you done for the community today?
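The post ends by asking for a fresh HijackThis log. As an added example (not part of the original post and not the helper's own tooling), the sketch below checks such a follow-up log for the two R0 entries that were to be fixed and for a subset of the paths that were to be deleted. The sample log is constructed, and the function names are hypothetical.

```python
import re

# Entries the post asks to fix in HijackThis (copied from the post).
FIXED_ENTRIES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com",
]
# A subset of the paths the post asks to delete (copied from the post).
DELETED_PATHS = [r"C:\lsass.exe", r"C:\svchost.exe",
                 r"C:\WINDOWS\system32\VSL05.exe", r"c:\windows\keyboard1.dat"]

R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\([^,]+),([^=]+?)\s*=\s*(.*)$")

def parse_r_line(line):
    """Split an R-type line into (type, hive, key, value name, data).

    Key, value name and data are lower-cased for comparison."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    kind, hive, key, name, data = m.groups()
    return (kind, hive, key.lower(), name.lower(), data.strip().lower())

def verify_followup(log_text):
    """Return fixed registry entries and deleted paths still present in the log."""
    fixed = {parse_r_line(e) for e in FIXED_ENTRIES}
    leftovers = {"registry": [], "paths": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = parse_r_line(line)
        if parsed is not None and parsed in fixed:
            leftovers["registry"].append(line)
        for path in DELETED_PATHS:
            # Full-path substring match, so C:\svchost.exe does not hit
            # the legitimate C:\WINDOWS\system32\svchost.exe.
            if path.lower() in line.lower():
                leftovers["paths"].append((path, line))
    return leftovers

# Constructed follow-up log, not from the post.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O4 - HKLM\..\Run: [VSL05] C:\WINDOWS\system32\VSL05.exe
"""

if __name__ == "__main__":
    result = verify_followup(SAMPLE_LOG)
    for entry in result["registry"]:
        print("still set:", entry)
    for path, line in result["paths"]:
        print("still referenced:", path, "in", line)
```

An empty result for both keys means the log no longer shows the fixed start-page values or the listed files; it does not prove the files are gone from disk, only that nothing in the log references them.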