Malware/Virus infection. Need help to remove, please

Hi, my computer has been infected by a virus that keeps reappearing. Symptoms are - keeps dropping the broadband connection and asking to connect by dial-up. I use Firefox as my browser but it keeps putting IE7 offline and so MSN messenger won't work. Norton Antivirus keeps reporting various dlls and exes which it cannot repair or delete. Spybot continually reports smitfraud-c toolbar. Windows tells me that some files have been changed. I do not have the required windows XP SP2 disc. My system was reinstalled a few months ago by professionals. I only have the SP1 disc which came with the computer!

System info - Windows XP SP2, 2GB RAM. Norton SystemWorks 2003 with firewall and Antivirus. MS Windows Defender. All meticulously up to date.

Many thanks for any assistance
Graham

Hijack This log removed, not always helpful.

 

Hi

I have followed the plan and done all as requested. Logs attached. btw I also ran Adaware tesyerday but it found nothing. Further attachments in next post.

 

Further logs as requested. I trust all this makes sense

Many thanks
Graham

 

Forgot to say that some items were removed but Norton Antivirus continued to alert to VSAdd-in and several exe files in Temporary Internet Files folder. Still losing internet connection from time to time.

Graham

 

First, be sure the viewing of hidden files and folders is enable and also be sure the viewing of system files is enable. Once this is complete delete everything in the folder below.

C:\RECYCLER\NPROTECT

Next, please see the below thread on how to install and run VundoFix.

• Virtumonde aka Trojan Vundo Fix w/ Tool ...

Once you complete the scan above, attach the log from the scan, a fresh HJT log and a fresh Panda log.

 

Hi bjgarrick

I have done as requested. Deleted all files from NPROTECT folder but they are all back! Noted that RECYCLER folder also contains 3 other folders with long numerical names containing apparently identical files to NPROTECT folder. Also ran Vundo fix tool. I ran Panda Activescan again and it reports even more spyware, hacker tools and suspicious files. I continue to get alerts from Norton Antivirus regarding VSAdd-in which it repeatedly claims to have denied access. I am also receiving pop-ups from www.amaena.com advising me to purchase their antivirus software (not fooled by this). Should I be getting worried yet?! Attached activescan, Vundofix and HJT log.

Thanks for your help
Graham

 

Download Pocket KillBox

• Save it to your desktop or a place easy to find.
• Do not run it yet

Please look in Add/Remove Programs for the following and uninstall them if found:

VSAdd-in

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {01EDC82C-2368-4031-8837-B75EA89E68D3} - C:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {54572531-4D05-4D67-8421-C9D411F86279} - C:\WINDOWS\system32\ddcya.dll

O2 - BHO: (no name) - {7D4A8498-1E60-45B8-BEB2-F2C92D0786B1} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\xvgflnkx.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjob.dll,startup

O11 - Options group: [INTERNATIONAL] International*

O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll

Again, make sure ALL browser windows are closed when you click FIX.

Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\RECYCLER ← Delete everything in this folder!

C:\VundoFix Backups ← Delete this whole folder if it exist!

C:\Program Files\VSAdd-in ← Delete this whole folder if it exist!

Next, run CCleaner to clean up cookies and temp files.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, REBOOT and proceed with the rest of this fix...

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

• Disable and Re-enable System Restore
  
  
• Turn OFF System Restore to flush any bad Restore Points.
  
  
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now and also attach a fresh HJT log.

 

Also, are you familiar with the entry below?

 

Hi bjgarrick

Well, I have completed all the tasks without any serious problems. I could not delete one of the numbered folders in RECYCLER, "In use by another application" but I did delete all of it's contents. I just looked and NPROTECT seems to be refilled with identical material. I am inclined to uninstall Norton completely. NAV didn't protect me so maybe a switch to AVG free. What do you think? I have tried a few things and no virus alerts have appeared and no dropping of my internet connection. I did have a quick look at the HJT log (attached) and it does seem that some of the 'fixed' items have reappeared. The entry you mentioned (O17 - HKLM\System\CCS\Services\Tcpip\..\{6775B41B-ABAB-41A1-90B9-7AE267C97651}: NameServer = 80.225.248.50 80.225.253.50) is not related to anything I recognise.

Regards
Graham

 

Just got a warning of VSAdd-in again!!

 

Let's handle one thing at a time, see the thread below...

WareOut Removal

After you complete the above, attach a fresh HJT log along with the log from the utility.

 

Ok ran fixwareout. Logs attached. What next?

 

Let's do this, print this for a reference. Reboot into Safe Mode, pull the internet cable and run this below. Once you complete, reboot to normal mode, reconnect and attach the log from the scan with a fresh HJT log.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

 

OK. I ran Vundofix in safe mode as requested, log attached. When I rebooted into normal mode NAV deleted about 8-9 exe files designated as downloaders. New HJT log also attached. What next?

 

Before we do a manual removal of this baddie, I would you to run the below.

Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there.

Note: They must be in the same directory for it to work properly!

Sysclean Package

Pattern.zip

After you complete the above, locate the file "lpt139.zip", right click to extract the contents to the same directory.

Once you complete the steps above, REBOOT INTO SAFE MODE!

Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log along with the Trend SysClean Log.

 

OK ran Trend SysClean, log attached and new HJT log. NAV is regularly deleting 'downloaders' from my Temporay Internet File. What next?

 

Okay let's start by downloading two tools we will need:

- Process Explorer 10.21

- Pocket KillBox

Extract them to there own folder somewhere that you will be able to locate them later.

Reboot in Safe Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of ddcya.dll once and then click the kill button. After you have killed all of the ddcya.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of ddcya.dll and kill it.

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {02C0738F-D62B-423A-B8CB-EAFF8BDAD810} - C:\WINDOWS\system32\ddcya.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\ponouxki.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{6775B41B-ABAB-41A1-90B9-7AE267C97651}: NameServer = 212.139.132.52 212.139.132.53

O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll


Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


C:\WINDOWS\SYSTEM32\aycdd.ini
C:\WINDOWS\SYSTEM32\aycdd.ini2
C:\WINDOWS\SYSTEM32\aycdd.bak
C:\WINDOWS\SYSTEM32\aycdd.bak1
C:\WINDOWS\SYSTEM32\aycdd.bak2
C:\WINDOWS\SYSTEM32\aycdd.tmp
C:\WINDOWS\system32\ddcya.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot post a new HJT log.

 

OK. Done all that. The following entry did not appear in the HJT list in safe mode. But I did fix it in normal mode.

O17 - HKLM\System\CCS\Services\Tcpip\..\{6775B41B-ABAB-41A1-90B9-7AE267C97651}: NameServer = 212.139.132.52 212.139.132.53

HJT log attached.
What next?

 

Had to restore the O17 link as my browser failed to find any websites!

 

That's the purpose of backups and why HJT should be ran from it's requested location. Because of the Wareout hijacking those entires in previous post I wanted to be sure it was gone, if that belongs to your internet it's ok.

 

Your HJT log is clean, are you having any further problems?

 

Well everything seemed fine for a while but bad stuff is back.

The internet connection dropped. NAV reported and deleted a dozen or more exe files, designated 'downloader', in the folder C:\!killbox\. This folder contained many of the dll files that we spent so long removing !! I have deleted the folder which hasn't (yet) returned.

NAV also reorted and deleted a file, designated 'infostealer', which was in the HJT backups folder. This file was named like a backup file but with a dll extension. There are two other similar dll files in the folder both 677Kb in size. I scanned these with NAV which reported clean, but that is little reassurance these days!

I ran Panda active scan which identified over 1300 spyware files and 6 suspicious files but it locked up when I tried to save the log. I ran it again and this time it identified 40 spyware files and 3 suspicious files. Activescan.txt file attached.

Computer has slowed to a crawl at least twice. An svchost.exe process runs at 99%cpu for a few minutes.

I also discovered, by chance, some strange files in 'My Shared Folder'. This is on drive F and is where I store my P2P downloads, music and video etc. I use Azureus which I have not run since several days before this infection. These files were named something like 'album + very long numerical. jpg'. when I deleted them Windows warned that I was deleting a system file.

Latest HJT log also attached.

Starting to get worried at this end. What next?

Graham

 

Those P2P apps or unsafe surfing is most likely the cause for this.

Go back to my previous post and run the Vundo Removal Tool, afterwards attach the log with a fresh HJT log.

 

Hi. I ran Vundofix and it found no infected files so did not generate a log. HJT log attached. Security centre doesn't recognise NAV. No other odd happenings since last post but computer hasn't been on much.

Graham

 

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

• If you get an error message about Pending Operations, just reboot your computer manually.

Next, run CCleaner to clean up cookies and temp files.

Now, Please boot back into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\VundoFix Backups ← Delete this whole folder if it exist!

C:\RECYCLER\NPROTECT <-- Delete everything in this folder, be sure you have hidden files and system files enabled so you can see the contents.

Once you complete this, reboot back to normal and run a fresh Panda scan.

 

Hi. Done all as requested without problem. NPROTECT folder now contains some 97 files not the 1501 it had before. Panda activescan log attached. HJT log appended for good measure. What next?

Many thanks for your patience and tenacity with this problem.

Graham

 

Are you removing the contents of that folder?

Reboot into Safe Mode...

C:\!KillBox <-- Delete this folder!

C:\RECYCLER\NPROTECT <-- Delete everything in this folder!

Run CCleaner once more.

Reboot back to normal mode, open Norton and empty the Quaratine items.

After you complete this, reboot once more and let me know how things are runnings.

 

Hi. Yes, I am deleting the full contents of the NPROTECT folder and emptying the recycle bin manually immediately afterwords. It still contains about 30 files on start-up.

Completed all the tasks requested. No files in Norton quarantine but several in backup folder so deleted those.

Got the following message on reboot. "Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability, Windows must restore the original versions of these files" and requested the Windows XP SP2 disc. I don't have this! My motherboard was replaced about 6 months ago and Windows XP SP2 reinstalled by professionals. My original SP1 disc is not recognised by the system.

So, what next?

Regards
Graham

 

Download Reg Supreme 1.4

When prompted, run the "Aggressive" scan and fix all found problems. Be sure you create the backup file just in case you have any problems. Reboot once complete and let me know what problems remain.

 

Ok. I ran Reg Supreme and it fixed some 600+ entries. No warning about unrecognised files on reboot. But then I had to click to accept these versions to get past the warning and complete the boot up!

My broadband connection dropped a while back, before this last fix.

Nothing else apparent (yet!)

Regards
Graham

 

Reboot a few more times and let me know overall how things are running.

Also you should see this article on How to Protect yourself from malware!

 

Hi bjgarrick.

Things seem to be running ok. No obvious problems and none of those files have reappeared. Many thanks for all your help. Your time, patience and clear instructions have been greatly appreciated.

Regards
Graham

ps no logs attached!

 

Your Welcome!

Glad things are running better, Surf Safely!