I am still getting popups and other junk

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JoeJoe515, Oct 5, 2006.

  1. JoeJoe515

    JoeJoe515 Private E-2

    I followed the instructions on the Read and Run me first thread, but I am still getting a popup for the WinAntiVirus 2006 software. There are no longer annoying alerts in the bottom right corner of my screen telling me I have spyware, but there is one that when first starting the computer says my Norton Antivirus is off and that my firewall is down. Before this happened, my computer never gave this alert and both things were up and running when the computer started. Also, the time that it takes to open things has become considerably longer and makes me think that not everything was cleaned up.

    The logs from the BitDefender and the Panda ActiveScan are attached. The RunKeys log has also been attached, but since there is a 3 file limit to attachments, the last log will be in another post.

    Also, Spybot S&D has constantly been finding WinAntiVirus 2006 and C Dilla on my computer; I know that I never had anything named C Dilla on my computer beforehand.
     

    Attached Files:

  2. JoeJoe515

    JoeJoe515 Private E-2

    Here are the rest of the logs including hijackthis.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You appear to have quite a few problems to fix. SmitFraud, Virtumode, Winlogonhook and more. Let's get started with the Smitfraud issues. Then we will move onto the other problems after this (so don't expect everything to be perfect until we get through to the other procedures later ;) )

    I'm going to post two messages! This is the first! Complete this procedure completely including attaching the requested log before doing the second procedure.


    First install the current version of Sun Java from: Sun Java Runtime Environment

    Now Uninstall the below old software (some of these should have been uninstalled in step 0 of the READ ME):
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Safety Bar
    Screensavers Installer
    Viewpoint Manager (Remove Only)
    Viewpoint Toolbar V35 (Remove Only)

    If any of these do not uninstall, just continue on with the below and tell me about it later.


    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm


    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is my second message. Make sure you have followed the first procedure before doing the below.

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

    Open the SmitfraudFix folder on your Desktop, then double-click the smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. BUT reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

    Now reboot into normal mode and attach this new rapport.txt log here.

    Now also attach new logs from ShowNew and HJT!
     
  5. JoeJoe515

    JoeJoe515 Private E-2

    Ok, here is the Rapport.txt file. I have already posted the HJT and ShowNew logs in this thread and it will not let me post them again. If I need to post them again, be sure to mention in your reply what the steps are to either erase the old ones or to get around it.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to create NEW logs on your PC from today. Then you should be able to attach them.
     
  7. JoeJoe515

    JoeJoe515 Private E-2

    I also realized recently that I am still getting pop-ups for the WinAntiVirus 2006 website. Also, occasionally I get pop-ups for SystemDoctor 2006. I know that the removal process isn't done yet, but I just wanted to be sure we covered whatever causes those to show up.
     
  8. JoeJoe515

    JoeJoe515 Private E-2

    Ok, I have used HJT and ShowNew and here are the new logs.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is part of what we are still working on and hopefully the below finishes the fix.

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ddccbca.dll once and then click the kill button. After you have killed all of the ddccbca.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    wvwwx.dll

    Next double click on explorer.exe and again click once on each instance of ddccbca.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    wvwwx.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bfpcviip.dll
    O2 - BHO: (no name) - {4AFF07E7-EDCF-F41A-3E4C-018F9F16B982} - C:\WINDOWS\system32\sgoinrl.dll
    O2 - BHO: (no name) - {588EE89F-6790-41CC-BED3-E1E9E03642E7} - C:\WINDOWS\system32\wvwwx.dll
    O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll (file missing)
    O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\ddccbca.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll (file missing)
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
    O20 - Winlogon Notify: ddccbca - C:\WINDOWS\SYSTEM32\ddccbca.dll
    O20 - Winlogon Notify: winlkv32 - winlkv32.dll (file missing)
    O20 - Winlogon Notify: wvwwx - C:\WINDOWS\system32\wvwwx.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    del %windir%\temp\win*.*
    exit

    If you get an error message while doing the above command prompt step, just ignore it and continue!

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{F8EF2BA3-0A60-1033-0519-030429200001}\Update.exe
    C:\WINDOWS\mickey32.dll
    C:\WINDOWS\system32\bfpcviip.dll
    C:\WINDOWS\system32\cortrpif.dll
    C:\WINDOWS\system32\ddccbca.dll
    C:\WINDOWS\system32\gdukjmg.dll
    C:\WINDOWS\system32\iklqtkdt.dll
    C:\WINDOWS\system32\jkhetnuo.dll
    C:\WINDOWS\system32\movtwdbg.dll
    C:\WINDOWS\system32\qtvkqcis.dll
    C:\WINDOWS\system32\ryvnnifn.exe
    C:\WINDOWS\system32\sgoinrl.dll
    C:\WINDOWS\system32\wvwwx.dll
    C:\WINDOWS\system32\xwwvw.tmp
    C:\WINDOWS\system32\xwwvw.ini
    C:\WINDOWS\system32\xwwvw.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    C:\Program Files\Common Files\{F8EF2BA3-0A60-1033-0519-030429200001}
    C:\Program Files\Safety Bar
    C:\Program Files\Viewpoint

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\Joann\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
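As an added illustration (not part of this thread, of HijackThis, or of the tools named above), a small Python parser for the HJT entries listed in this post. It cross-references the O2 BHO and O20 Winlogon Notify sections to show why ddccbca.dll and wvwwx.dll had to be unloaded from winlogon.exe before clicking Fix, and it separates out the "(file missing)" entries, which are stale registry references. The entry list is copied from this post; the regular expressions are my own assumptions about the HJT line format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# HijackThis lines exactly as listed in post #9 of this thread (not constructed).
HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bfpcviip.dll
O2 - BHO: (no name) - {4AFF07E7-EDCF-F41A-3E4C-018F9F16B982} - C:\WINDOWS\system32\sgoinrl.dll
O2 - BHO: (no name) - {588EE89F-6790-41CC-BED3-E1E9E03642E7} - C:\WINDOWS\system32\wvwwx.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\ddccbca.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O20 - Winlogon Notify: ddccbca - C:\WINDOWS\SYSTEM32\ddccbca.dll
O20 - Winlogon Notify: winlkv32 - winlkv32.dll (file missing)
O20 - Winlogon Notify: wvwwx - C:\WINDOWS\system32\wvwwx.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")        # "O20 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MODULE_RE = re.compile(r"[\w.-]+\.(?:dll|exe)", re.IGNORECASE)             # DLL/EXE basename

@dataclass(frozen=True)
class HjtEntry:
    code: str               # HJT section: O2 (BHO), O4 (Run key), O20 (Winlogon Notify), ...
    clsid: Optional[str]    # {GUID} for BHOs and toolbars, None otherwise
    module: Optional[str]   # lowercased DLL/EXE basename the entry points at
    file_missing: bool      # HJT flagged the target as "(file missing)"

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; None for blank or unrecognised lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid, mods = CLSID_RE.search(body), MODULE_RE.findall(body)
    return HjtEntry(m.group("code"), clsid.group(0) if clsid else None,
                    mods[-1].lower() if mods else None,
                    "(file missing)" in body)

def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]

def winlogon_hooked_modules(entries: List[HjtEntry]) -> Set[str]:
    """DLLs present both as an O20 Winlogon Notify hook and in another section (e.g. O2 BHO):
    they live inside winlogon.exe, hence the Process Explorer thread-kill step before Fix."""
    by_module: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.module and not e.file_missing:
            by_module[e.module].add(e.code)
    return {m for m, codes in by_module.items() if "O20" in codes and len(codes) > 1}
```

Entries whose module is flagged `file_missing` are the ones HJT can remove directly, since nothing is loaded for them.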
     
  10. JoeJoe515

    JoeJoe515 Private E-2

    The steps went smoothly, and nothing different happened. Here are the logs that you asked for and I will post again if the pop ups come back.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your HJT log you did not run the steps I gave you in message # 9. You must make sure that no browsers are open and you must also make sure you remember to click the Fix checked button in HJT. Please repeat the previous steps and make sure you fix everything. Post new logs afterwards.
     
  12. JoeJoe515

    JoeJoe515 Private E-2

    Here are all three logs.
    I did all the steps over again and I got this message when using Killbox:

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    When I first scanned with HJT in response to the steps in post #9, I found all the things that you listed, I checked them, and I closed all my browsers, and then I told it to fix the checked items.
    After I had posted the wrong log, I scanned with HJT again and I found 2 things that were still there: one was the common files and I don't remember the other one. I selected both and fixed them.
    When I scanned with HJT on the 17th, all the things that you listed were not on the scan list this time.

    While looking through my program files on the 17th, I found a Viewpoint file and I deleted it.

    I have not received any pop-ups since my last post, but the computer is a little slow on startups and when I am playing large games.

    If there is something still wrong with the logs, I will need more help because, as far as I know, I have followed the steps twice now.
     

    Attached Files:

  13. JoeJoe515

    JoeJoe515 Private E-2

    I was looking at my Add or Remove Programs list and I found Viewpoint Media Player. I deleted it because of the previous things with Viewpoint. It would be good to know if this means that I still have malware on my computer or not.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! All of your malware problems are gone now after repeating those previous steps.

    Any problems you are having now are not due to malware but are due to things that you are running. Do you really need AOL toolbar? You don't need to load QuickTime, RealPlayer, or Microsoft Office Startup Assistant when you startup your PC. You could just use HJT to fix the below lines to stop them from loading:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    Also I see a service from Symantec running (see the O23 line in your HJT log). Exactly what is it from Symantec that you still use? I see this Norton WMI Update in your log from ShowNew. Is there anything else you use from Symantec? That would require that service, which is normally part of their antivirus application.

    Do you know what Software Suite is that appears in your Uninstall Programs list?
     
    Last edited: Oct 21, 2006
  15. JoeJoe515

    JoeJoe515 Private E-2

    I used to have a Norton antivirus installed on my computer, but since my subscription ended, my friend suggested that I download Avast.

    I do know what Software Suite is on my computer and I am aware that it is in the Add and Remove Programs list. I don't know if it was put there when I reformatted my computer, but when I searched my computer for the folder it brought up some simple software programs from a company called ArcSoft, and it basically just contained a picture editor, a greeting card creator and some other thing that I didn't use. I have used the picture editor once or twice and it works normally. I don't use the greeting card creator.
     
    Last edited: Oct 19, 2006
  16. JoeJoe515

    JoeJoe515 Private E-2

    Should I just delete the AOL toolbar things with HJT, since I only use Mozilla Firefox? I have IE available in case something is wrong with Mozilla or if I need to use IE for something like a scan.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The proper thing to do is to uninstall software when possible. Deleting files or fixing with HJT should never be the first step because that could make it impossible to uninstall the application at a later point.

    Do you use the AOL software you have installed? I see the below:
    AIM Ad Hack
    AOL Coach Version 1.0(Build:20020929.1)
    AOL Instant Messenger
    AOL Uninstaller (Choose which Products to Remove)


    You did not comment on Yahoo Toolbar! Do you use it? It does have an uninstall shown in Add/Remove Programs.

    You should also uninstall the Norton WMI Update software I mentioned.
     
