Posted on 4 Comments

Clean that machine!

One of the things I can do well is bring a PC back to life that has been so heavily attacked with viruses, malware, spyware, and adware that it can’t even boot. I charge $95 to clean the machine and ask that you let me bring it to my house since it usually takes 5 or more hours.

Right now I have one that is giving me a hard way to go because of something called Surf SideKick. Here’s a list of the baddies:

  • tfthot.exe – Trojan.StartPage residing in C:\Windows\System32\
  • 876056.exe – Adware.Mirar
  • Dc12.exe – Adware.ZangoSearch
  • NDNuninstall7_22.exe – Adware.NDotNet
  • NNSCAA638.EXE – Adware.NDotNet
  • pndsregg.exe – Adware.ZenoSearch
  • pwinoqez.exe – Adware.ZenoSearch
  • repairs303169590.dll – Adware.SurfSideKick
  • SbAds.dll – Adware.Hotbar
  • SbGuard.exe – Adware.Hotbar
  • SbHostOE.dll – Adware.Hotbar
  • SbOEAddOn.exe – Adware.Hotbar
  • SbSrv.exe – Adware.Hotbar
  • SbWallpaper.dll – Adware.Hotbar
  • SbWeatherOnTray.exe – Adware.Hotbar
  • SskBho.dll – Adware.SurfSideKick
  • SskCore.dll – Adware.SurfSideKick
  • WinNB57.dll – Adware.Mirar
  • x3cqp0.dll – Adware.LinkMaker

These will each need to be removed by hand.

  1. Reboot into safe mode (press F8 repeatedly while rebooting) with networking using the Administrator account and confirm everything in add/remove programs is appropriate. Programs that do not sound familiar:
    • 2Wire Gateway – a Blingo search suggests this has to do with home networking so we will deem it safe.
    • easy Internet sign-up – (kinda of screams evil) turns out that is a legit program by HP/Compaq to assist with connecting to the Internet
    • Fill-Up from Bell South – What were they thinking when they named that one?! Hmm. Can find no info. REMOVED
    • Forethought – Could have something to do with audio or more likely malware – REMOVED
    • Greetings Workshop – legit
    • Instant Support – This is an HP/Compaq program that maintains information to help you communicate with HP.
    • Kazaa Lite K++ v2.4.3 – WHAT?! Might as well run naked through the red light district. REMOVED
    • KO Fader – AOL gizmo. Declaring SAFE.
    • OmniPass – possibly adware ah! more info – Softex OmniPass secure password management Deemed safe DO NOT REMOVE
    • OpenMG Secure Module 4.2.00 – music software, safe
    • Overball by Bell South and Overball from Hewlett-Packard Desktops (remove only) – apparently spybot search and destroy or adaware already removed this but the reference remains in Add/Remove Programs.. REMOVE
    • PS2 – too nondiscript. removed in trying to get more info which is suspect. REMOVE
    • Quicklinks – REMOVE
    • Readiris 7.5 – sounds safe. OCR scanning software.
    • RecordNow – Safe.
    • RingMaster from Compaq (remove only) – sounds suspect. Already removed by other scanners. REMOVE
    • BlasterBall Wild from Compaq (remove only) – REMOVE
    • Excavation from Compaq (remove only) – REMOVE
    • Final Drive Nitro from Hewlett-Packard Desktops (remove only) – REMOVE
    • Search Basket – should be self-evident. REMOVE
    • Shopper Reports – Wanna guess? REMOVE
    • Simple Installer – Multilanguage Version – Here is the scary part of what I do. I can find zero information on this but because of the condition of the machine and the vagueness of the program name, I am going to remove it. If it is a needed program, it can be reinstalled and data should remain intact. REMOVE
    • Snowboard Extreme from Compaq (remove only) – REMOVE
    • SonicStage 3.2 – sound related. Legit.
    • Space Rocks from Compaq (remove only) – REMOVE
    • Spam Blocker Utility from ShopperReports – REMOVE
    • SpamBlockerUtility Browser, Weather and Wowpapers Tools – REMOVE
    • SpamBlockerUtility Email Toolbar – REMOVE of interest: the add/remove locked the computer during uninstallation necessitating a reboot. Could possibly undo a lot of this work.
    • SpamSubtract – Apparently it is ok. This program has never proven itself to me and I have yet to trust it. HP seems to trust it.
    • Support.com Web Controls – REMOVE
    • To The Eds-treme – Cartoon network game. Safe.
    • Tumble Bees To Go – Pogo game. Safe.
    • Viewpoint Manager (remove only) – REMOVE. If it comes back, no big deal.
    • Viewpoint Media Player – REMOVE. if it comes back no big deal.
    • Virtual Warfare from Compaq (remove only) – REMOVE
    • Web Savings from Ebates – REMOVE
    • Weblinklegit may consider removing it later
    • WexTech AnswerWorks – Hmmm. Seems unnecessary. This computer has too much of this kind of "tech support". May remove later.
    • Xingtone Ringtone Maker – appears legit and popular
  2. Reboot using The Ultimate Boot CD (actually the pc version) choosing to activate network support and remove by hand the files identified at the top of this post

    Using Agent Ransack all occurances of tfthot.exe including its hiding in prefetch have been removed.
    876056.exe removed.
    Dc12.exe also revealed itself as SmitfraudC12.zip, Dc120.m4p, Dc121.m4p, Dc122.m4p, Dc123.m4p, Dc124.m4p, Dc125.m4p, Dc126.m4p, Dc127.m4p, Dc128.m4p, Dc129.m4p, Dc12.tdb, Dc12.mpg. All deleted.
    NDNuninstall7_22.exe removed.
    NNSCAA638.EXE removed.
    pndsregg.exe removed from two places.
    pwinoqez.exe removed from system32 and prefetch
    repairs303169590.dll removed
    SbAds.dll removed
    SbGuard.exe removed
    SbHostOE.dll removed as well as SbHostOL and one other (search on SBhost)
    SbOEAddOn.exe removed
    SbSrv.exe removed as well as SbSrvPS.dll
    SbWallpaper.dll removed
    SbWeatherOnTray.exe removed
    SskBho.dll removed as well as ssk.log and sskknwrd.dll and SSK.EXE.35B0063B.pf (prefetch)
    SskCore.dll removed
    WinNB57.dll removed
    x3cqp0.dll cannot find

    delete program files\kazaa lite k++
    delete program files\spam blocker directory
    delete program files\SurfSideKick 3 directory
    delete program files\support.com

  3. Stay in UBCD and EZPCFix under malware tools.
  4. Load the hives. Delete temp files including _restore, cookies, and prefetch. History is optional.
  5. Load Registry Keys. Remove all references to surfsidekick, ps2, dfndra, kybrd, pndsreg, jxktjj, pwinoqez, omuwm,
  6. Click Downloaded Program Files and remove all.
  7. Doubleclick the Winsock/Winsock2 option.
  8. Close EZPC fix.
  9. Under Malware Programs run Adaware and spybot search n destroy identifying:
    • ABetterInternet (HKEY_USERS\{USERB}_ON_C\Software\ZServ)
    • CallingHome.biz (HKEY_USERS\{USERB}_ON_C\Software\DLMax)
    • HitsLink (4 tracking cookies – no big deal)
    • Hotbar (c:\Documents and Settings\{username}\Application Data\ShooperReports\) and (HKEY_USERS\{USERB}_ON_C\Software\Hotbar)
    • SideStep (HKEY_USERS\{USERA}_ON_C\Software\SideStep HKEY_USERS\{USERB}_ON_C\SideStep and HKEY_USERS\Owner_ON_C\Software\SideStep)
    • SurfSideKick (HKEY_USERS\Owner_ON_C\Software\Microsoft\Internet Explorer\URLSearchHooks\{02EE5B04-F144-47BB-83FB-A60BD91B74A9} HKEY_USERS\Administrator_ON_C\Software\Microsoft\Internet Explorer\URLSearchHooks\{02EE5B04-F144-47BB-83FB-A60BD91B74A9} HKEY_USERS\Owner_ON_C\Software\SurfSideKick3 and HKEY_USERS\Administrator_ON_C\Software\SurfSideKick3 )
    • VX2/f (HKEY_USERS\{USERB}_ON_C\Software\MxTarget)

    Allow Spybot to fix all found problems.

  10. Under Antivirus tools run AV Personal. Be sure to update. (ignore the ad) if it fails, move to McAfee Stinger.
  11. Run McAfee Stinger. No viruses found.
  12. Run Avast! virus cleaner. No viruses found.
  13. Unplug network cable and reboot into safemode as Administrator.
  14. Run HijackThis Search each questionable item and confirm its authenticity. If you don’t know exactly what it is, it’s questionable. If your search results don’t say "required by windows" (or something similar) then it can probably go away.
    • Removing bellsouth as Default_Page_URL
    • Removing http://srch-qus8.hpwis.com/ as Default_Search_URL
    • Removing Internet Connection Wizard reference to http://mrfindalot.com/
    • Default URLSearchHook is missing so remove the registry reference
    • Removing system.ini reference to kdictoh.exe which appears to be part of ABetterInternet
    • Remove all references that say (no file) or (file missing)
    • Note: Recguard, nvcpl.dll, and nwiz.exe are ok.
    • ALCXMNTR.EXE in question but looks safe. Leave for the scanners.
    • Remove the runonce reference to ftuninst.exe and delete file in C:\WINDOWS\SYSTEM32
    • Remove the runone reference to gbe90qs.exe and delete the file from c:\windows\system32\
    • Remove IERESET.INF:START_PAGE_URL
    • Remove AppInit_DLL: repairs303169590.dll
    • Fix checked.
  15. Run CWShredder.
  16. Run delcwssk
  17. Run PeperFix.exe
  18. Run Adaware. Reports SurfSideKick and Win32.Trojan.Starter
  19. Run Spybot SND – Reports SurfSideKick still on system.
  20. Manually remove SurfSideKick with these instructions and confirm with these instructions.
  21. Reboot plugging network cable in after powercycle.
  22. Run SpyBot – Clean!
  23. Run Adaware. Alerts on Win32.Trojan.Starter (c:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP0\A0000012.exe )
  24. Get properties on Internet Explorer – Click Delete Files, check Delete all offline content and click ok. Then click Settings. Click View Objects. Delete any damaged or unknown objects (there shouldn’t be any at this point).
  25. Run Windows Update and get latest patches.
  26. Update virus software with latest definitions and begin deep scan of entire system.
  27. Norton Antivirus reports c:\wd7gi8n.exe (downloader) and c:\RECYCLERS\S-1-5-18\Dc3.exe (Trojan.StartPage) still on system.
  28. Reboot to UBCD linux version for virus scans. Starting with FPROT.

For the record, a lot of these "Spam blocker" programs generate your malware! Use only trusted software like Spybot SND and Adaware! Periodically check your machine with