Help Request - infostealer, downloader & others

Discussion in 'Malware Help (A Specialist Will Reply)' started by sjthomas, Nov 6, 2006.

  1. sjthomas

    sjthomas Private E-2

    Hello. My XP system has been infected over the past 2 days or so. I had downloaded several freeware and shareware utilities to convert windows media center recorded tv files into mp4. I think this is when the trouble started even though I religiously scan all downloaded files with Norton Antivirus with the latest virus definitions.

    Norton Antivirus has been finding assorted viruses and risks, even though they are supposedly removed -- especially Infostealer, Downloader, Adware.PurityScan, Smitfraud.

    I have followed the instructions in your tutorial -- most of them several times. I'm about ready to reformat my C: drive!!! I have also run Lavasoft Ad-Aware, which removed some junk.

    I've pretty much lost track of which scan/utility has removed what -- and everything seems to keep coming back. The various logfiles and reports are attached to this message and a reply.

    I appreciate any help you can provide.

    Stephen
    sjthomas
     

    Attached Files:

  2. sjthomas

    sjthomas Private E-2

    Additional files attached


    btw - I had emptied the Recycle Bin as instructed, but deleted a couple of files I thought I might need back, so there are a couple of files in there.

    Similarly for clearing Norton's Quarantine Area, but the various "threats" keep coming back.

    Also, even though Norton did not detect this error, McAfee's online scan said that c:\windows\system32\winbfi32.dll was infected, but couldn't fix it. I eventually renamed it to xxx.xxx to be able to delete it, which I did. Now during windows startup I get a pop-up box stating: "Error loading c:\windows\system32\vssqejj.dll The specified module could not be found".

    Also, one of the scans repeatedly identified the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhg as a problem. I tried deleting the entire key, but it too keeps coming back.

    Thanks again.

    Stephen
    sjthomas
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please see the below thread on how to install and run VundoFix. Once you complete the scan above, attach the log from the scan, a fresh HJT log and a fresh Panda log.
     
  4. sjthomas

    sjthomas Private E-2

    Thanks for your help. Attached are the requested logs. (I ran VundoFix twice -- the first time it found and deleted several files. The second time it found no files.) I'm still getting occasional Norton warnings about "Downloader".

    sjt
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    O2 - BHO: (no name) - {2A30C74D-2B00-4FD7-8C3F-26EA154FE9A3} - C:\WINDOWS\system32\ddcyw.dll
    O2 - BHO: (no name) - {7210452F-B153-09A0-4269-0B7F59CCC348} - C:\WINDOWS\system32\anfovii.dll (file missing)
    O2 - BHO: (no name) - {7C8A9138-FF96-432E-9E86-5B1A067A61CF} - C:\WINDOWS\system32\jkhhg.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\aekmrkvk.dll (file missing)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Sstn] C:\Documents and Settings\Owner\Application Data\F?nts\tracert.exe
    O4 - HKCU\..\Run: [Ealb] "C:\PROGRA~1\COMMON~1\RACLE~1\taskmgr.exe" -vt yazb

    O11 - Options group: [INTERNATIONAL] International*

    O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, please boot into Safe Mode, and be sure you have the viewing of hidden files & folders enabled per the tutorial. Then navigate to and DELETE the following if they are still present:

    C:\Program Files\Common Files\RACLE~1 Delete this whole folder if it exists!

    C:\Documents and Settings\Owner\Application Data\F?nts Search for this folder and delete if found. Also, note that ? represents an unprintable character so it will not look normal!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\ddcyw.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\efccdeb.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also, please attach a fresh HJT log.
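The fix list above touches three separate load points: the O20 line is a Winlogon Notify package (a DLL that winlogon.exe loads at logon), the O2 lines are Browser Helper Objects (COM CLSIDs whose InprocServer32 points at a DLL), and the O4 lines are Run keys. The following PowerShell is an added example, not code from the thread or from HijackThis; it reads those same load points on a live machine and flags the signs visible in the list above: a DLL referenced from more than one load point (ddcyw.dll is both O2 and O20), "(file missing)" entries, an unsigned DLL in system32, a path with a non-printable character (F?nts), and a copy of a system tool name living outside the Windows directory (tracert.exe under Application Data, taskmgr.exe under Common Files). It assumes an elevated prompt on a 32-bit system; on 64-bit Windows the 32-bit IE BHO list also lives under WOW6432Node and is not checked here.

```powershell
# Added example, not from the thread: audit the three load points behind the
# HijackThis O20, O2 and O4 lines above and flag the signs seen in that list.
# Read-only. Run from an elevated PowerShell prompt on the affected machine.
# Assumption: 32-bit Windows (on 64-bit, 32-bit IE's BHOs are under WOW6432Node).

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Name, [string]$Path) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if ($expanded -match '^"([^"]+)"') { $expanded = $Matches[1] }                      # "quoted path" args
    elseif ($expanded -match '^(.+?\.(dll|exe))(\s.*)?$') { $expanded = $Matches[1] }   # unquoted path args
    $exists = ($expanded -ne '') -and (Test-Path -LiteralPath $expanded)
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { 'FileMissing' }
    $findings.Add([pscustomobject]@{
        Source = $Source; Name = $Name; Path = $expanded; Exists = $exists; Signature = "$sig"
    })
}

# O20 - Winlogon Notify: each subkey's DllName is loaded into winlogon.exe at logon.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($key in Get-ChildItem $notify -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty $key.PSPath).DllName
    if ($dll) {
        # A bare file name is resolved from system32, which is where these packages live.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
        Add-Finding 'O20 WinlogonNotify' $key.PSChildName $dll
    }
}

# O2 - BHOs: the CLSID list under Explorer, resolved through HKCR\CLSID\{...}\InprocServer32.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($key in Get-ChildItem $bho -ErrorAction SilentlyContinue) {
    $clsid = $key.PSChildName
    $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { [string]$srv.'(default)' } else { '' }
    Add-Finding 'O2 BHO' $clsid $dll
}

# O4 - Run keys for the machine and the current user.
foreach ($hive in 'HKLM', 'HKCU') {
    $props = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Add-Finding "O4 Run($hive)" $_.Name ([string]$_.Value) }
    }
}

# One file reachable from two load points is the pattern above: ddcyw.dll is both a
# BHO (O2) and a Winlogon Notify package (O20), so fixing only one line leaves it live.
$findings | Where-Object { $_.Path } | Group-Object { $_.Path.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("{0} is registered at {1} load points: {2}" -f $_.Name, $_.Count,
            (($_.Group | ForEach-Object { $_.Source }) -join ', '))
    }

$suspicious = $findings | Where-Object {
    $name = [IO.Path]::GetFileName($_.Path)
    (-not $_.Exists) -or                                                           # "(file missing)" entries
    ($_.Signature -ne 'Valid' -and $_.Path -like "$env:SystemRoot\system32\*") -or  # unsigned file in system32
    ($_.Path -match '[^\x20-\x7E]') -or                                            # non-printable character, as in F?nts
    ($name -ne '' -and $_.Path -notlike "$env:SystemRoot\*" -and                   # system tool name outside Windows,
        (Test-Path -LiteralPath "$env:SystemRoot\system32\$name"))                  # like tracert.exe or taskmgr.exe above
}
$suspicious | Sort-Object Source | Format-Table Source, Name, Path, Exists, Signature -AutoSize
```

Two caveats when reading the output. On older PowerShell versions Get-AuthenticodeSignature does not consult the catalog files, so many genuine system32 binaries report NotSigned; treat that column as a reason to look at the file (timestamp, size, vendor), not as proof. And a load point whose DLL is currently mapped into winlogon.exe will often reappear after you delete the key, which is exactly the "keeps coming back" behaviour described earlier in the thread; the key and the file have to go together.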
     
  6. sjthomas

    sjthomas Private E-2

    Thanks again for your help. Do you ever sleep?

    Followed the instructions you posted. Notes:

    - Used HijackThis as directed

    - C:\Program Files\Common Files\RACLE~1 was not present

    - C:\Documents and Settings\Owner\Application Data\F?nts was not present with an unprintable character, only as the folder "Fonts", which was empty, so I deleted it

    - Used CCleaner & PocketKillBox (both files were present) as directed.

    - I had already disabled System Restore and had not re-enabled it during this entire process. I now have it re-enabled per your instructions.

    - After rebooting, Norton is finding (and claiming to remove) the following viruses:

    Infostealer: C:\Documents and Settings\Owner\Local Settings\Temp\unefsiid.dll

    and

    Downloader: C:\Documents and Settings\Owner\Local Settings\Temp\vjgafvee.exe

    Subsequent HijackThis log is attached.

    stephen
     

    Attached Files:

  7. sjthomas

    sjthomas Private E-2

    FWIW, I noticed the two "ddcyw.dll" entries persisting in the HijackThis log, so I again attempted to "fix" them with HijackThis. After again rebooting, they remain (a new HijackThis log is attached). Norton still finds infostealer (now at ....\hjdcwnuf.dll) and downloader (now at ....\bpgxrigp.exe) viruses.

    sjt
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    When I have time, lol!
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ddcyw.dll once and then click the kill button. After you have killed all of the ddcyw.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ddcyw.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1A984C53-F2B7-4109-A2D1-74EA80B5AE5B} - C:\WINDOWS\system32\ddcyw.dll
    O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\wycdd.ini
    C:\WINDOWS\SYSTEM32\wycdd.ini2
    C:\WINDOWS\SYSTEM32\wycdd.bak
    C:\WINDOWS\SYSTEM32\wycdd.bak1
    C:\WINDOWS\SYSTEM32\wycdd.bak2
    C:\WINDOWS\SYSTEM32\wycdd.tmp
    C:\WINDOWS\system32\ddcyw.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
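The sequence above (find the DLL's threads in winlogon.exe, unhook it in HijackThis, then have KillBox delete it and its companions on reboot) can be scripted. What follows is an added example, not code from the thread, from KillBox or from Process Explorer. It assumes the target is the ddcyw.dll named above and that it runs from an elevated prompt; the reversed-name companion files are derived from the DLL name because the list above pairs ddcyw.dll with wycdd.ini, wycdd.bak and so on. "Delete on Reboot" is implemented here with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT, the Windows mechanism that writes the request to PendingFileRenameOperations for smss.exe to carry out at boot; that KillBox uses the same call is my assumption, but the "Pending Operations" error the post mentions is that registry value.

```powershell
# Added example, not from the thread or from KillBox: the Process Explorer / KillBox
# steps above, scripted. Given the DLL that HijackThis could not remove, this shows
# which processes have it mapped, removes its O2/O20 registry hooks, derives the
# reversed-name companion files the post lists (ddcyw.dll -> wycdd.ini, .bak, ...)
# and queues all of them for deletion at next boot. Run elevated, then reboot.
param([string]$Dll = "$env:SystemRoot\system32\ddcyw.dll")   # assumed target, from the thread

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is the Windows mechanism behind
# "Delete on Reboot": the request is written to PendingFileRenameOperations and
# carried out by smss.exe at boot, before winlogon.exe can load the DLL again.
$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

# 1. Who has it loaded? Expect winlogon.exe (Notify package) and explorer.exe or
#    iexplore.exe (BHO). Module enumeration is denied for some processes; skip those.
$holders = foreach ($p in Get-Process) {
    try { if ($p.Modules | Where-Object { $_.FileName -ieq $Dll }) { $p } } catch { }
}
"Loaded in: " + (($holders | ForEach-Object { "$($_.Name)[$($_.Id)]" }) -join ', ')

# 2. Unhook the O20 entry: any Notify subkey whose DllName is this file.
$base = [IO.Path]::GetFileNameWithoutExtension($Dll)
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath).DllName -match "(^|\\)$([regex]::Escape($base))\.dll$" } |
    Remove-Item -Recurse -Force

# 3. Unhook the O2 entry: every CLSID whose InprocServer32 is this file, plus its BHO
#    registration. Deleting the keys is safer than "regsvr32 /u", which would execute
#    the DLL's own DllUnregisterServer.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsidKey in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID') {
    $srv = Get-ItemProperty "$($clsidKey.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv -and ([string]$srv.'(default)') -ieq $Dll) {
        Remove-Item "$bhoRoot\$($clsidKey.PSChildName)" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item $clsidKey.PSPath -Recurse -Force
    }
}

# 4. Companion files: the post pairs ddcyw.dll with wycdd.* (the name reversed).
$chars = $base.ToCharArray(); [array]::Reverse($chars); $rev = -join $chars
$targets = @($Dll) + @('ini', 'ini2', 'bak', 'bak1', 'bak2', 'tmp' |
    ForEach-Object { Join-Path $env:SystemRoot "system32\$rev.$_" })

# 5. Queue every file that exists for deletion at the next boot.
foreach ($f in $targets) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    if ($k32::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) { "queued: $f" }
    else { Write-Warning ("MoveFileEx failed for {0}: Win32 error {1}" -f $f,
               [Runtime.InteropServices.Marshal]::GetLastWin32Error()) }
}
# What is queued; this value is what a "pending operations" error refers to.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
```

The thread-kill step in Process Explorer is deliberately not reproduced: terminating threads inside winlogon.exe can take the session or the machine down, which is why the post has it done in Safe Mode. It is still the right move when the DLL rewrites its keys faster than you can delete them; once its threads are gone the registry deletions hold until the reboot, and the reboot removes the file before winlogon.exe could load it again.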
     
  10. sjthomas

    sjthomas Private E-2

    It seems like we're getting there (or may be there!); after following your most recent instructions, this is the first reboot after which I have not received any Norton warnings for downloader and infostealer.

    FWIW, ProcessExplorer found several ddcyw.dll entries in winlogon.exe, and none in explorer.exe.

    In the HijackThis list, the "O2" entry had a different value in the { }, but since it was a ddcyw.dll entry, I deleted it.

    HijackThis log attached.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is now clean, are you having any further problems?
     
  12. sjthomas

    sjthomas Private E-2

    So far, so good. Your help has been invaluable!! Many, MANY thanks! Do you take donations?? I'm still, oh let's just say, VERY unhappy with Norton for not preventing this (are my expectations of Norton too high?)

    sjt
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We did for a while but they do not allow it anymore. :\

    Norton IMO is not a good antivirus at all, mainly because it's a resource hog and the fact that it doesn't handle infections well. What I mean is Norton will prompt saying it found something and that's it. It will not attempt to remove it like other antivirus programs will.

    Personally, I recommend AVG AntiVirus Free and ZoneAlarm Firewall Free. I use both and never have had any problems. They both use little resources and both are free so you can't get any better.
     
  14. sjthomas

    sjthomas Private E-2

    Thanks for the program recommendations. I had downloaded AVG at the beginning of this episode, but did not install it when I saw the recommendation not to have multiple AV programs installed at the same time. I'm going to uninstall Norton (no loss, it was free after rebates) and give AVG a try.

    Do you recommend leaving the MS Malicious Software Removal Tool and MS Windows Defender installed along with AVG?

    sjt
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The Microsoft Removal Tool comes as an update from MS through Automatic Updates, so it's fine to have, although it doesn't do much anyway.

    Personally, I don't use MSAS simply because I think Spy Sweeper is the best antispy today.
     
