Error messages (ddccy.exe and gebby.dll) plus a really slow system...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by board, Jan 26, 2008.

  1. board

    board Private E-2

    Hi
    I think I've got a problem with my laptop. Every time I boot the system up, 2 warnings pop up on the desktop. The first is:

    Could not run or load ‘C:\Users\jdhansom\appdata\local\temp\ddccy.exe’ specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

    and the second one is:

    Error loading C:\users\jdhansom\appdata\local\temp\gebby.dll. the specified module could not be found.

    After clicking OK on these they don't come up again until I reboot the computer. I'm also sure my system is running pretty slow, and often when typing, letters are missed out... perhaps because the system can't keep up (and I'm not a fast typist..)
    I figured I may have malware or whatever so have run Adaware, Spybot and Norton... to no avail.

    If anyone has any advice to restore my laptop to its usual speeds and sort out the error messages that would be great...

    I'm running Vista and will post a HijackThis log here in a minute... my system appears to have frozen and it looks like I'll have to reboot.
    thanks
    Donald
     
  2. board

    board Private E-2

    here's the hijack this log...

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
     
    Last edited by a moderator: Jan 27, 2008
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. board

    board Private E-2

    Hi,
    OK, so I followed the instructions and ran the various scans as advised. I still get the ddccy.exe error but the gebby.dll error appears to have stopped. The system seems to be running slow and when I type, letters still keep getting missed out... v. annoying. I'm also getting loads of pop-ups when on the net.

    I've also started getting a new error when in internet explorer:
    'Buffer overrun detected!
    program:c\windows\explorer.exe
    a buffer overrun has been detected which has corrupted the programs internal state. The program cannot safely continue execution and must now be terminated.'

    I've attached the MGlogs.zip and the AVG log.

    any help would be great...
    thanks
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the requested log from ComboFix. It is at C:\combofix.txt

    Is your copy of Spyware Doctor a paid version or a free trial version? If free, uninstall it now. If paid, make sure you tell me.

    Now Disable Spybot's TeaTimer as requested in the READ & RUN ME
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Disable Windows Defender's realtime protection:

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {3AB6CF00-6CDC-4942-A4E5-1FEE54326FF1} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    O2 - BHO: (no name) - {EC5E2CAB-76AE-4E7A-9E14-F62B61FB9294} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove some files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
    C:\Windows\eRy.exe
    C:\Windows\Temp\symlcsv1.exe
    C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    C:\Users\jdhansom\AppData\Local\Temp\RtkBtMnt.exe
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini2
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 31, 2008
  6. board

    board Private E-2

    Hi there...
    OK, so I followed your instructions and disabled Spybot's TeaTimer and Windows Defender. I then went to run C:\MGtools\analyse.exe to select and fix the specified registry entries:
    O2 - BHO: (no name) - {3AB6CF00-6CDC-4942-A4E5-1FEE54326FF1} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    O2 - BHO: (no name) - {EC5E2CAB-76AE-4E7A-9E14-F62B61FB9294} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll

    These were not present.... any ideas? I didn't continue with the other instructions...but i can...

    On a different note i'm getting a new error message:

    Error in C:\users\jdhansom\appdata\local\temp\cskrpbvf.dll
    missing entry:run

    Not sure what this is all about..also attached the combofix.txt this time..

    Cheers
    Donald
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue on with all instructions and ignore those O2 lines in HijackThis. They may have renamed themselves or may have already been deleted. They were in your previous logs but malware can change names at each power down or reboot. After completing all instructions and attaching your new logs, DO NOT power down or reboot so we can avoid this problem.
     
  8. board

    board Private E-2

    Hi,
    OK, so I continued with the instructions....
    I pasted the quoted text into Notepad, named it as requested and dragged it onto the combofix.exe.
    This resulted in an error saying...
    'you cannot rename combofix as combofix please use another name'

    Any ideas? I tried deleting ComboFix and downloading the combofix.exe file again and dragging and dropping the txt file on top... same result...

    Donald
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not doing something correctly. Just dragging the CFScript.txt (did you name it CFScript.txt?) file on top of ComboFix should cause it to run. It should not cause it to try and be renamed. Are you right clicking or left clicking with your mouse?
     
  10. board

    board Private E-2

    Hi, I'm dragging the txt file with the left mouse button and dropping it on the combofix.exe file. I just tried again and the program does try to run. I get a blue screen that looks a bit like DOS. The program then says
    'please wait,combofix is preparing to run' so I wait, not clicking or pressing any keys... it then says 'out of memory'
    and a Windows box appears saying
    'freeware implementation of reg.exe has stopped working... a problem caused the program to stop working correctly. windows will close the program and notify you if a solution is available' with a 'close program' option...

    Donald
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is a different thing than what you said in your previous message.

    Since you are running Vista, it is critical that you have UAC disabled. Do you still have UAC disabled? This was covered in the Using MGtools link in the READ ME.

    It is also quite possible that any protection software you are running is interfering with ComboFix. Thus shut down all protection software before trying the fix (like Spyware Doctor, AVG Antispyware, and Symantec). If you still have a problem after trying all of the above, boot into safe mode and try the fix.

    I previously asked you if Spyware Doctor was a paid or free version and you did not answer. If free, just uninstall it.

    Let me know the results.
     
  12. board

    board Private E-2

    Hi,
    OK, I tried what you suggested... still no luck. Tried in safe mode also and that results in the same messages as mentioned previously. I did have a free version of Spyware Doctor but uninstalled it when you first suggested to remove it.
    I'm now having more problems however. For example at present when I open a new tab in Explorer I lose the task bar with the start menu etc so will have to go into Task Manager to shut down. Also opening things like Control Panel to switch off UAC doesn't work... the window just flashes up then disappears. Very strange. The UAC is off now however, I had to go in through safe mode to do this.

    any thoughts?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try booting in safe mode and do the below:



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines (or any similar lines with DLL files that are loading from your Temp folder) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3AB6CF00-6CDC-4942-A4E5-1FEE54326FF1} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    O2 - BHO: (no name) - {EC5E2CAB-76AE-4E7A-9E14-F62B61FB9294} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll

    After clicking Fix, exit HJT.

    Then locate the below files and delete them yourself:
    C:\Windows\eRy.exe
    C:\Windows\Temp\symlcsv1.exe
    C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    C:\Users\jdhansom\AppData\Local\Temp\RtkBtMnt.exe
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini2

    If any of them will not delete, reboot your PC back into safe mode and then try deleting them.

    Then no matter what happens while doing the above, come back here and tell me what happened while trying to do the above and then run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
     
  14. board

    board Private E-2

    hi
    OK, I booted in safe mode, ran C:\MGtools\analyse.exe and deleted all lines with DLL files that were loading from my Temp folder, closed all windows and clicked fix. I then went about manually deleting the specific files mentioned.
    File C:\Windows\Temp\symlcsv1.exe was not present,
    the rest were all there, and were deleted except
    C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    When I tried to delete this (both in safe mode and normally) I got the following message...
    'the action cannot be completed because the file is open in another program
    close the file and try again'
    At this point all other windows (and to my knowledge, programs) were shut down, so I couldn't figure out how this file was in use.
    Other than that, all else was fine.

    Donald
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to allow GetLogs.bat to run until it is finished. You closed the command prompt window before it was finished. See the snapshot on the Using MGtools download page that shows you what it will look like when it is finished.

    Attach a new log afterwards. Make sure that you have already disabled UAC and rebooted before you try to run GetLogs.bat and also make sure you use Run As Administrator as requested on the Using MGtools page for Vista users.


    We need to get ComboFix to run on your computer somehow or we may not be able to fix your problems. The DLL files are in use because they are hooked into Windows system processes that are running.
     
  16. board

    board Private E-2

    hi,
    OK, so I disabled UAC, rebooted and ran 'getlogs.bat'. Attached is the MGLogs.zip file which is now updated.

    any ideas how i can get combofix to work??
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you are not using HijackThis's (analyse.exe) ability to filter processes or items from the logs. We need to be able to see everything and your HJT process list is not showing all Windows processes.

    Uninstall AVG Antispyware that was installed while doing the READ ME.

    I see you have Ad-Aware's Ad-Watch feature running. If you are going to use this you should not use Windows Defender otherwise they may conflict with each other. So either uninstall Ad-Aware 2007 or disable Windows Defender.

    In fact, Windows Defender has even been infected by the Vundo infection. The ddccy.dll file has hooked into Windows Defender and runs anytime that Defender is running. Also Ad-Aware 2007, Windows Defender and Symantec AV may be the reason for your problems with ComboFix so you may want to consider actually uninstalling Ad-Aware 2007 for now and then disabling Windows Defender. The reason for trying this is because if we cannot get ComboFix to work, you may have to do a reinstall to fix this problem since there are no other tools that support Vista that can help us to remove this Vundo infection.

    I will attempt to create another manual type fix below, but it is going to be long and tedious since the infection has hooked itself into many of your running processes. At last count it was hooked into 19 processes, which is why you could not manually delete the files and is why it keeps coming back. Any time any one of these processes runs, the infection is recreated. And in addition, there are dozens of other files related to the infection in your Temp folders.

    Continue by downloading Process Explorer, which we will use to try and unhook the Vundo DLL from your running processes.
    • Extract it to its own folder somewhere that you will be able to locate it later.
    • Make sure that one and only one Internet Explorer browser is opened up
    • Run Process Explorer
    • Below I will give a list of processes that you will have to double click on (one at a time) to bring up a Properties form. On the Properties form you will click on the Threads tab at the top to show the Threads.
    • Once you see the Threads form, click on each instance of ddccy.dll or ddccy.exe (if found) and then click the kill button. Take care to look thru the list carefully to find these hooked ddccy files. You may only find the ddccy.dll file but make sure you look for both and look for multiple occurrences.
    • After you have killed all instances of any of the DLL under the process, click OK and move on to the next process (If you do not find the DLL, just continue on.)
    Here is the list of processes to perform the above procedure on:
    ERAGENT.EXE
    RtkBtMnt.exe
    ENMTRAY.EXE
    WZQKPICK.EXE
    BTTray.exe
    lsass.exe
    taskeng.exe
    iexplore.exe
    rundll32.exe
    wmpnscfg.exe
    winamp.exe
    sidebar.exe
    Explorer.EXE
    RtHDVCpl.exe
    EPOWER_DMC.EXE
    MSASCui.exe
    Dwm.exe
    ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    WLLoginProxy.exe
    • After you have killed all instances of any of the ddccy.dll or ddccy.exe under all of the processes, just exit Process Explorer and continue.
    Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\Users\jdhansom\AppData\Local\Temp\ddccy.exe
    O2 - BHO: (no name) - {2106773A-C69D-411E-9F51-66729C0FEBFE} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    O2 - BHO: {04a5a35f-c266-52c9-fc34-2f3ec919e6a9} - {9a6e919c-e3f2-43cf-9c25-662cf53a5a40} - C:\Windows\system32\clwrnegs.dll (file missing)
    O2 - BHO: (no name) - {F269E76F-AC5C-411A-86B5-619740F138AE} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll,c

    After clicking Fix, exit HJT.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now delete the below file:
    C:\Windows\System32\aebnyxci.ini

    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\Temp
    C:\Users\jdhansom\AppData\Local\Temp

    If you have problems deleting any files, note the file name to try again later on and to tell me also.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    You should print or save the below locally because it would be best that you do not open any browsers or run anything except what is requested below when we boot into safe mode.

    Now reboot your PC into safe mode where we will repeat some of the above steps.

    Now while in safe mode continue with the below.

    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\Temp
    C:\Users\jdhansom\AppData\Local\Temp

    If you have problems deleting any files, note the file name and tell me when you come back.

    Now run ATF-Cleaner again.

    While in safe mode, also try to run ComboFix again!!! Just continue if you cannot.

    Now reboot in normal mode.

    Come back here and tell me what happened while trying to do the above and then run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    • also attach C:\ComboFix.txt if it ran.
     
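    Triage logic for HijackThis lines like the ones in the posts above, written as an added example (not MajorGeeks', HijackThis's or the helper's own code): it parses O2/O4/F3 lines and flags entries that load a module from a Temp folder, nameless or dangling BHO registrations, a set win.ini load= value, and Run keys that start a DLL through rundll32, then lists the Temp files those entries point at. The sample log is constructed from lines posted in this thread plus one placeholder benign BHO (made-up name, all-zero CLSID, made-up DLL); the rules generalize the "DLL loading from your Temp folder" criterion used in the thread.

```python
import re
from typing import List, NamedTuple

# Constructed sample: HijackThis lines as posted in this thread, plus one
# placeholder benign BHO (made-up name, all-zero CLSID, made-up DLL) for contrast.
SAMPLE_HJT_LOG = r"""
F3 - REG:win.ini: load=C:\Users\jdhansom\AppData\Local\Temp\ddccy.exe
O2 - BHO: (no name) - {2106773A-C69D-411E-9F51-66729C0FEBFE} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
O2 - BHO: {04a5a35f-c266-52c9-fc34-2f3ec919e6a9} - {9a6e919c-e3f2-43cf-9c25-662cf53a5a40} - C:\Windows\system32\clwrnegs.dll (file missing)
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll,c
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Windows\System32\examplehelper.dll
"""

# A quoted path may contain spaces; an unquoted one is taken up to the first
# space, comma or quote (HijackThis quotes Run-key paths that contain spaces).
WIN_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s",]+)')
# Any directory component named Temp or tmp, e.g. \AppData\Local\Temp\ or \Windows\Temp\
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


class Finding(NamedTuple):
    line: str
    reasons: tuple


def extract_paths(line: str) -> List[str]:
    """Return every Windows path found in one HijackThis line."""
    return [quoted or bare for quoted, bare in WIN_PATH_RE.findall(line)]


def classify_line(line: str) -> List[str]:
    """Return the reasons a line deserves a closer look; empty list if none."""
    reasons = []
    paths = extract_paths(line)
    # Rule 1: an autostart or BHO whose module lives in a Temp folder, the
    # criterion used in the thread ("DLL files that are loading from your Temp folder").
    for path in paths:
        if TEMP_DIR_RE.search(path):
            reasons.append(f"loads from a Temp folder: {path}")
    # Rule 2: a BHO registered without a name.
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("BHO has no name")
    # Rule 3: a BHO registration whose DLL no longer exists (dangling entry).
    if line.startswith("O2 - ") and "(file missing)" in line.lower():
        reasons.append("BHO registration points to a missing file")
    # Rule 4: the legacy win.ini load= autostart carries a value at all.
    if line.startswith("F3 - REG:win.ini: load=") and line.split("load=", 1)[1].strip():
        reasons.append("win.ini load= autostart is set")
    # Rule 5: a Run key that starts a DLL through rundll32 instead of a program.
    if (line.startswith("O4 - ") and "rundll32" in line.lower()
            and any(p.lower().endswith(".dll") for p in paths)):
        reasons.append("Run key starts a DLL via rundll32")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run classify_line over a whole log and keep only the flagged lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = classify_line(line)
            if reasons:
                findings.append(Finding(line, tuple(reasons)))
    return findings


def suspect_temp_files(findings: List[Finding]) -> List[str]:
    """Unique Temp-folder files referenced by flagged lines: the manual delete list."""
    files = set()
    for finding in findings:
        for path in extract_paths(finding.line):
            if TEMP_DIR_RE.search(path):
                files.add(path)
    return sorted(files)


if __name__ == "__main__":
    flagged = triage(SAMPLE_HJT_LOG)
    for finding in flagged:
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
    print("Temp files to remove once unhooked:", suspect_temp_files(flagged))
```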
  18. board

    board Private E-2

    hi,
    OK, so I uninstalled AVG and Ad-Aware. I then downloaded Process Explorer and killed all the ddccy.exe and ddccy.dll threads.
    I ran C:\MGtools\analyse.exe and 'fixed' the specified lines. 2 of them however weren't there...
    'O2 - BHO: (no name) - {2106773A-C69D-411E-9F51-66729C0FEBFE} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll' and
    'O2 - BHO: (no name) - {F269E76F-AC5C-411A-86B5-619740F138AE} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll'
    I also merged the specified lines with the registry and deleted the contents of the files. Everything could be deleted OK except ddccy.dll that was in the users temp file. Tried deleting it in safe mode, and got the same message that it was being used by another program and couldn't be deleted. I also tried ComboFix in safe mode again... and got the same message 'out of memory'. I didn't do the ATF-Cleaner as it said to only be used in Windows XP and 2000... I have Vista.
    On the up, when I booted my laptop up after safe mode I didn't get either of the original error messages.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the requested new MGlogs.zip file. If that DLL file did not delete you are still infected and it could be hooked into another running process which may be why you could not delete it. Even if you already created the new MGlogs.zip file, get a brand new one right now to attach. And then DO NOT power down or reboot your PC because power down/up or reboots can cause the infection to mutate or spread which would make your logs invalid for any fix I create after you post them.

    Strange, I thought we tested ATF-cleaner on Vista. I'll have to recheck.
     
  20. board

    board Private E-2

    hi,
    Sorry, forgot to run MGtools again... so that's done. Attached is the new zip file... I'll leave the laptop on from now on...
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that DLL file is still hooked into some running processes. Until we get it unhooked from all processes, you will not be able to delete those ddccy.exe and ddccy.dll files. Let's try again a similar fix. Be very careful to find everything listed. What I'm giving you is direct from the logs you just posted. So if you kept your PC running, these should all be found. However it is possible that just by running during this time frame the DLL has hooked into more processes.

    • Extract it to its own folder somewhere that you will be able to locate it later.
    • Make sure that one and only one Internet Explorer browser is opened up
    • Run Process Explorer
    • Below I will give a list of processes that you will have to double click on (one at a time) to bring up a Properties form. On the Properties form you will click on the Threads tab at the top to show the Threads.
    • Once you see the Threads form, click on each instance of ddccy.dll or ddccy.exe (if found) and then click the kill button. Take care to look thru the list carefully to find these hooked ddccy files. You may only find the ddccy.dll file but make sure you look for both and look for multiple occurrences.
    • After you have killed all instances of any of the DLL under the process, click OK and move on to the next process (If you do not find the DLL, just continue on.)
    Here is the list of processes to perform the above procedure on:
    lsass.exe
    iexplore.exe
    rundll32.exe
    explorer.exe

    • After you have killed all instances of any of the ddccy.dll or ddccy.exe under all of the processes, just exit Process Explorer and continue.
    Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\Users\jdhansom\AppData\Local\Temp\ddccy.exe
    O2 - BHO: (no name) - {BAD06BB2-D818-480F-9113-2D2E464A50AF} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    O2 - BHO: (no name) - {C7FE111D-CF47-4D4A-8121-D27C464C2355} - C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll

    After clicking Fix, exit HJT.

    Right now see if you can manually delete the below files ( if found):
    C:\Users\jdhansom\AppData\Local\Temp\ddccy.exe
    C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    C:\Users\jdhansom\AppData\Local\Temp\fla121E.tmp
    C:\Users\jdhansom\AppData\Local\Temp\flaCD8F.tmp
    C:\Users\jdhansom\AppData\Local\Temp\TMP3D01.tmp
    C:\Users\jdhansom\AppData\Local\Temp\TMP59B5.tmp
    C:\Users\jdhansom\AppData\Local\Temp\TMPCB8A.tmp
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini2
    C:\Windows\Temp\symlcsv1.exe


    If you get a message saying any of these are in use, go back up to the Process Explorer procedure and look one by one thru EVERY process shown running and look thru the threads for ddccy.dll and kill all instances of this DLL. Then try to delete the files again. Then even if it does not work, continue on but when you come back describe what happened to me.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run this procedure and attach the log when you come back: SUPERAntiSpyware - running & getting a log


    Now reboot your PC into safe mode where we will repeat some of the above steps.

    Now while in safe mode continue with the below.

    Now look for and try to delete any of the below files that still exist.
    C:\Users\jdhansom\AppData\Local\Temp\ddccy.exe
    C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll
    C:\Users\jdhansom\AppData\Local\Temp\fla121E.tmp
    C:\Users\jdhansom\AppData\Local\Temp\flaCD8F.tmp
    C:\Users\jdhansom\AppData\Local\Temp\TMP3D01.tmp
    C:\Users\jdhansom\AppData\Local\Temp\TMP59B5.tmp
    C:\Users\jdhansom\AppData\Local\Temp\TMPCB8A.tmp
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini
    C:\Users\jdhansom\AppData\Local\Temp\yccdd.ini2
    C:\Windows\Temp\symlcsv1.exe

    If you have problems deleting any files, note the file name and tell me when you come back.

    Now run Ccleaner.

    Now reboot in normal mode.

    Come back here and tell me what happened while trying to do the above and then run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    • SuperAntiSpyware log.
     
  22. board

    board Private E-2

    Hi...
    OK, I followed your instructions and deleted ddccy.dll or ddccy.exe threads in Process Explorer and then ran MGtools analyse.exe and fixed the selected lines.
    I then went searching for the specific files to delete them. This was possible for all of them except
    -C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll which said it was in use..
    -C:\Users\jdhansom\AppData\Local\Temp\fla121E.tmp
    C:\Users\jdhansom\AppData\Local\Temp\flaCD8F.tmp
    these last 2 weren't there, but all the rest were deleted...

    So I went back through Process Explorer checking for all ddccy.exe and ddccy.dll but found no new ones.
    I merged the reg file, installed and ran SUPERAntiSpyware and rebooted in safe mode...
    Again went to delete the various specific files... This time none of the files (including C:\Users\jdhansom\AppData\Local\Temp\ddccy.dll, C:\Users\jdhansom\AppData\Local\Temp\fla121E.tmp, and C:\Users\jdhansom\AppData\Local\Temp\flaCD8F.tmp) were there so nothing was deleted.
    I then ran CCleaner and rebooted in normal mode and ran mgtools\getlogs.bat..

    Attached are the mgtools.zip and the superanti-spyware logs..
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like we got it this time!

    How are things working. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  24. board

    board Private E-2

    Dude, that's awesome...
    thanks for your help... I would NEVER have figured that out by myself...

    cheers again..

    Donald
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Sometimes repetition with a little variation is required to take care of these malware infections. Note, it would have been a lot easier if ComboFix would run on your PC but on about 1% of all PCs it just will not run.

    Surf safely.
     
