Malware/Virus infection. Need help to remove, please

Discussion in 'Malware Help (A Specialist Will Reply)' started by Curlews, Nov 6, 2006.

  1. Curlews

    Curlews Private E-2

    Hi, my computer has been infected by a virus that keeps reappearing. Symptoms are - keeps dropping the broadband connection and asking to connect by dial-up. I use Firefox as my browser but it keeps putting IE7 offline and so MSN messenger won't work. Norton Antivirus keeps reporting various dlls and exes which it cannot repair or delete. Spybot continually reports smitfraud-c toolbar. Windows tells me that some files have been changed. I do not have the required windows XP SP2 disc. My system was reinstalled a few months ago by professionals. I only have the SP1 disc which came with the computer!

    System info - Windows XP SP2, 2GB RAM. Norton SystemWorks 2003 with firewall and Antivirus. MS Windows Defender. All meticulously up to date.

    Many thanks for any assistance
    Graham

    Hijack This log removed, not always helpful.
     
    Last edited by a moderator: Nov 6, 2006
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. Curlews

    Curlews Private E-2

    Hi

    I have followed the plan and done all as requested. Logs attached. btw I also ran Adaware yesterday but it found nothing. Further attachments in next post.
     

    Attached Files:

  4. Curlews

    Curlews Private E-2

    Further logs as requested. I trust all this makes sense

    Many thanks
    Graham
     

    Attached Files:

  5. Curlews

    Curlews Private E-2

    Forgot to say that some items were removed but Norton Antivirus continued to alert to VSAdd-in and several exe files in Temporary Internet Files folder. Still losing internet connection from time to time.

    Graham
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, be sure the viewing of hidden files and folders is enabled and also be sure the viewing of system files is enabled. Once this is complete, delete everything in the folder below.

    C:\RECYCLER\NPROTECT

    Next, please see the below thread on how to install and run VundoFix. Once you complete the scan above, attach the log from the scan, a fresh HJT log and a fresh Panda log.
     
  7. Curlews

    Curlews Private E-2

    Hi bjgarrick

    I have done as requested. Deleted all files from NPROTECT folder but they are all back! Noted that RECYCLER folder also contains 3 other folders with long numerical names containing apparently identical files to NPROTECT folder. Also ran Vundo fix tool. I ran Panda Activescan again and it reports even more spyware, hacker tools and suspicious files. I continue to get alerts from Norton Antivirus regarding VSAdd-in which it repeatedly claims to have denied access. I am also receiving pop-ups from www.amaena.com advising me to purchase their antivirus software (not fooled by this). Should I be getting worried yet?! Attached activescan, Vundofix and HJT log.

    Thanks for your help
    Graham
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    VSAdd-in

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O2 - BHO: (no name) - {01EDC82C-2368-4031-8837-B75EA89E68D3} - C:\WINDOWS\system32\ddabb.dll (file missing)
    O2 - BHO: (no name) - {54572531-4D05-4D67-8421-C9D411F86279} - C:\WINDOWS\system32\ddcya.dll

    O2 - BHO: (no name) - {7D4A8498-1E60-45B8-BEB2-F2C92D0786B1} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\xvgflnkx.dll

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjob.dll,startup

    O11 - Options group: [INTERNATIONAL] International*

    O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\RECYCLER Delete everything in this folder!

    C:\VundoFix Backups Delete this whole folder if it exists!

    C:\Program Files\VSAdd-in Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now and also attach a fresh HJT log.
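The "Delete on Reboot" option described above is the standard Windows delete-on-reboot mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/destination pair to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations (a REG_MULTI_SZ, where an empty destination means delete). Session Manager replays that list at the start of the next boot, before winlogon or explorer has loaded the DLL, which is why a file that cannot be deleted while running can be removed this way. The block below is an added example, not KillBox's code and not from the thread; it assumes KillBox relies on that mechanism, builds and decodes the registry value offline using the KillBox list from post 18 as constructed sample input, and only makes the real MoveFileExW call when run on Windows.

```python
"""Delete-on-reboot bookkeeping (added example; not KillBox's own code).

Encodes and decodes the PendingFileRenameOperations value so the pending
list can be inspected or extended without a live registry.
"""
import sys

NT_PREFIX = "\\??\\"                 # kernel path form stored in the value
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4    # MoveFileEx flag that queues the operation


def to_nt_path(win32_path):
    return win32_path if win32_path.startswith(NT_PREFIX) else NT_PREFIX + win32_path


def from_nt_path(nt_path):
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, then one more NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; preserves empty strings, which this value needs."""
    text = data.decode("utf-16-le")
    if text.strip("\0") == "":
        return []
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    return text[:-2].split("\0")


def pending_operations(data):
    """Decode PendingFileRenameOperations into (source, destination, action)."""
    items = decode_multi_sz(data)
    if len(items) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append((from_nt_path(src), None, "delete"))
        elif dst.startswith("!"):            # "!" = overwrite an existing target
            ops.append((from_nt_path(src), from_nt_path(dst[1:]), "replace"))
        else:
            ops.append((from_nt_path(src), from_nt_path(dst), "rename"))
    return ops


def schedule_delete(data, win32_path):
    """Return the value bytes with one more delete-on-reboot entry appended."""
    items = decode_multi_sz(data) if data else []
    return encode_multi_sz(items + [to_nt_path(win32_path), ""])


def schedule_delete_live(win32_path):
    """Queue the deletion for real via kernel32 (Windows only, needs admin)."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    ok = ctypes.windll.kernel32.MoveFileExW(win32_path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()
    return True


# Constructed sample input: the KillBox list quoted later in this thread.
KILL_LIST = [
    r"C:\WINDOWS\SYSTEM32\aycdd.ini",
    r"C:\WINDOWS\SYSTEM32\aycdd.ini2",
    r"C:\WINDOWS\SYSTEM32\aycdd.bak",
    r"C:\WINDOWS\SYSTEM32\aycdd.bak1",
    r"C:\WINDOWS\SYSTEM32\aycdd.bak2",
    r"C:\WINDOWS\SYSTEM32\aycdd.tmp",
    r"C:\WINDOWS\system32\ddcya.dll",
]


def build_kill_value(paths=KILL_LIST):
    """Value bytes that schedule every path for deletion at the next boot."""
    data = b""
    for p in paths:
        data = schedule_delete(data, p)
    return data


if __name__ == "__main__":
    for src, dst, action in pending_operations(build_kill_value()):
        print(action, src, dst or "")
```

Decoding the value from a suspect machine with pending_operations() is also a useful forensic check, since a dropper can use the same mechanism to replace a system DLL at the next boot (the "replace" action). Note that this mechanism does not keep copies of the removed files; the C:\!KillBox folder that Norton later flagged in this thread is KillBox's own backup copy.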
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, are you familiar with the entry below?

     
  10. Curlews

    Curlews Private E-2

    Hi bjgarrick

    Well, I have completed all the tasks without any serious problems. I could not delete one of the numbered folders in RECYCLER, "In use by another application" but I did delete all of its contents. I just looked and NPROTECT seems to be refilled with identical material. I am inclined to uninstall Norton completely. NAV didn't protect me so maybe a switch to AVG free. What do you think? I have tried a few things and no virus alerts have appeared and no dropping of my internet connection. I did have a quick look at the HJT log (attached) and it does seem that some of the 'fixed' items have reappeared. The entry you mentioned (O17 - HKLM\System\CCS\Services\Tcpip\..\{6775B41B-ABAB-41A1-90B9-7AE267C97651}: NameServer = 80.225.248.50 80.225.253.50) is not related to anything I recognise.

    Regards
    Graham
     

    Attached Files:

  11. Curlews

    Curlews Private E-2

    Just got a warning of VSAdd-in again!!
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's handle one thing at a time, see the thread below...

    WareOut Removal

    After you complete the above, attach a fresh HJT log along with the log from the utility.
     
  13. Curlews

    Curlews Private E-2

    Ok ran fixwareout. Logs attached. What next?
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's do this, print this for a reference. Reboot into Safe Mode, pull the internet cable and run this below. Once you complete, reboot to normal mode, reconnect and attach the log from the scan with a fresh HJT log.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  15. Curlews

    Curlews Private E-2

    OK. I ran Vundofix in safe mode as requested, log attached. When I rebooted into normal mode NAV deleted about 8-9 exe files designated as downloaders. New HJT log also attached. What next?
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do a manual removal of this baddie, I would like you to run the below.

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there.

    Note: They must be in the same directory for it to work properly!

    Sysclean Package

    Pattern.zip

    After you complete the above, locate the file "lpt139.zip", right click to extract the contents to the same directory.

    Once you complete the steps above, REBOOT INTO SAFE MODE!

    Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log along with the Trend SysClean Log.
     
  17. Curlews

    Curlews Private E-2

    OK ran Trend SysClean, log attached and new HJT log. NAV is regularly deleting 'downloaders' from my Temporary Internet Files. What next?
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ddcya.dll once and then click the kill button. After you have killed all of the ddcya.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ddcya.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02C0738F-D62B-423A-B8CB-EAFF8BDAD810} - C:\WINDOWS\system32\ddcya.dll
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\ponouxki.dll

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6775B41B-ABAB-41A1-90B9-7AE267C97651}: NameServer = 212.139.132.52 212.139.132.53

    O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\aycdd.ini
    C:\WINDOWS\SYSTEM32\aycdd.ini2
    C:\WINDOWS\SYSTEM32\aycdd.bak
    C:\WINDOWS\SYSTEM32\aycdd.bak1
    C:\WINDOWS\SYSTEM32\aycdd.bak2
    C:\WINDOWS\SYSTEM32\aycdd.tmp
    C:\WINDOWS\system32\ddcya.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  19. Curlews

    Curlews Private E-2

    OK. Done all that. The following entry did not appear in the HJT list in safe mode. But I did fix it in normal mode.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6775B41B-ABAB-41A1-90B9-7AE267C97651}: NameServer = 212.139.132.52 212.139.132.53

    HJT log attached.
    What next?
     

    Attached Files:

  20. Curlews

    Curlews Private E-2

    Had to restore the O17 link as my browser failed to find any websites!
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's the purpose of backups and why HJT should be run from its requested location. Because of the WareOut hijacking those entries in the previous post, I wanted to be sure it was gone; if that belongs to your internet, it's ok.
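The entries the replies in posts 8, 18 and 21 single out follow a small number of patterns: a nameless O2 BHO loaded from system32, an O4 rundll32 autostart of a system32 DLL, an O20 Winlogon Notify DLL outside the stock Windows XP set, and an O17 NameServer. The block below is an added example, not from the thread and not HijackThis code, that triages HijackThis-format log lines for those patterns. The DNS check only reports resolvers missing from a caller-supplied ISP list, because, as post 21 shows, the O17 entry can be the legitimate ISP setting and fixing it blindly breaks name resolution. The companion-file rule (ddcya.dll alongside aycdd.ini, .bak, .tmp, the base name reversed) is taken from the KillBox list in post 18. The sample lines mirror entries quoted in this thread plus one invented benign BHO ("Example Helper"); the Winlogon Notify allow-list is a partial list assumed for this example.

```python
"""HijackThis log triage (added example, not from the thread or HijackThis)."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format; "Example Helper" is invented.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {54572531-4D05-4D67-8421-C9D411F86279} - C:\WINDOWS\system32\ddcya.dll
O2 - BHO: (no name) - {01EDC82C-2368-4031-8837-B75EA89E68D3} - C:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {7D4A8498-1E60-45B8-BEB2-F2C92D0786B1} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjob.dll,startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{6775B41B-ABAB-41A1-90B9-7AE267C97651}: NameServer = 212.139.132.52 212.139.132.53
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumption for this example: partial list of Winlogon\Notify subkeys on a
# stock XP install. Anything else gets reviewed.
KNOWN_WINLOGON_NOTIFY = frozenset({
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
})

# Data files found next to the Vundo DLL in this thread: DLL base name reversed.
COMPANION_SUFFIXES = (".ini", ".ini2", ".bak", ".bak1", ".bak2", ".tmp")

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    severity: str                    # "high", "orphan" or "review"
    line: str
    reason: str
    path: str = ""
    companions: list = field(default_factory=list)


def companion_files(dll_path):
    """Reversed-name data files to remove together with a Vundo-style DLL."""
    directory, filename = ntpath.split(dll_path)
    base, _ = ntpath.splitext(filename)
    return [ntpath.join(directory, base[::-1] + s) for s in COMPANION_SUFFIXES]


def in_system32(path):
    return ntpath.dirname(path).lower().endswith("\\system32")


def triage(log_text, isp_dns=frozenset(), known_notify=KNOWN_WINLOGON_NOTIFY):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            path = m["path"]
            if path.endswith("(no file)") or path.endswith("(file missing)"):
                findings.append(Finding("orphan", line, "BHO registration with no DLL on disk"))
            elif m["name"] == "(no name)" and in_system32(path):
                findings.append(Finding("high", line, "nameless BHO loaded from system32",
                                        path, companion_files(path)))
        elif m := RUN_RE.match(line):
            cmd = m["cmd"].lower()
            if cmd.startswith("rundll32") and "system32" in cmd:
                findings.append(Finding("review", line, "rundll32 autostart of a system32 DLL"))
        elif m := DNS_RE.match(line):
            unknown = [s for s in m["servers"].split() if s not in isp_dns]
            if unknown:
                findings.append(Finding("review", line,
                    "NameServer not in ISP list; confirm with ISP before fixing: " + " ".join(unknown)))
        elif m := NOTIFY_RE.match(line):
            if m["name"] not in known_notify:
                findings.append(Finding("high", line, "third-party Winlogon Notify DLL",
                                        m["path"], companion_files(m["path"])))
    return findings


def files_to_kill(findings):
    """Unique DLLs plus companions from high-severity findings: the KillBox list."""
    paths = set()
    for f in findings:
        if f.severity == "high":
            paths.add(f.path)
            paths.update(f.companions)
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, isp_dns={"212.139.132.52"})
    for f in found:
        print(f.severity.upper(), f.reason, "<-", f.line)
    print("\n".join(files_to_kill(found)))
```

On the sample, ddcya.dll is flagged twice (BHO and Winlogon Notify) with the six aycdd.* companions, the two CLSIDs with no file are reported as orphans for an ordinary HJT fix, the CTDrive rundll32 entry is marked for review while the stock KernelFaultCheck entry is not, and only the second resolver is reported for confirmation with the ISP. files_to_kill() reproduces the KillBox list from post 18.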
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  23. Curlews

    Curlews Private E-2

    Well everything seemed fine for a while but bad stuff is back.

    The internet connection dropped. NAV reported and deleted a dozen or more exe files, designated 'downloader', in the folder C:\!killbox\. This folder contained many of the dll files that we spent so long removing !! I have deleted the folder which hasn't (yet) returned.

    NAV also reported and deleted a file, designated 'infostealer', which was in the HJT backups folder. This file was named like a backup file but with a dll extension. There are two other similar dll files in the folder both 677Kb in size. I scanned these with NAV which reported clean, but that is little reassurance these days!

    I ran Panda active scan which identified over 1300 spyware files and 6 suspicious files but it locked up when I tried to save the log. I ran it again and this time it identified 40 spyware files and 3 suspicious files. Activescan.txt file attached.

    Computer has slowed to a crawl at least twice. An svchost.exe process runs at 99%cpu for a few minutes.

    I also discovered, by chance, some strange files in 'My Shared Folder'. This is on drive F and is where I store my P2P downloads, music and video etc. I use Azureus, which I have not run since several days before this infection. These files were named something like 'album + very long numerical.jpg'. When I deleted them, Windows warned that I was deleting a system file.

    Latest HJT log also attached.

    Starting to get worried at this end. What next?

    Graham
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those P2P apps or unsafe surfing is most likely the cause for this.

    Go back to my previous post and run the Vundo Removal Tool, afterwards attach the log with a fresh HJT log.
     
  25. Curlews

    Curlews Private E-2

    Hi. I ran Vundofix and it found no infected files so did not generate a log. HJT log attached. Security centre doesn't recognise NAV. No other odd happenings since last post but computer hasn't been on much.

    Graham
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Next, run CCleaner to clean up cookies and temp files.

    Now, Please boot back into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\VundoFix Backups Delete this whole folder if it exists!

    C:\RECYCLER\NPROTECT <-- Delete everything in this folder, be sure you have hidden files and system files enabled so you can see the contents.

    Once you complete this, reboot back to normal and run a fresh Panda scan.
     
  27. Curlews

    Curlews Private E-2

    Hi. Done all as requested without problem. NPROTECT folder now contains some 97 files not the 1501 it had before. Panda activescan log attached. HJT log appended for good measure. What next?

    Many thanks for your patience and tenacity with this problem.

    Graham
     

    Attached Files:

  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you removing the contents of that folder?

    Reboot into Safe Mode...

    C:\!KillBox <-- Delete this folder!

    C:\RECYCLER\NPROTECT <-- Delete everything in this folder!

    Run CCleaner once more.

    Reboot back to normal mode, open Norton and empty the Quarantine items.

    After you complete this, reboot once more and let me know how things are running.
     
  29. Curlews

    Curlews Private E-2

    Hi. Yes, I am deleting the full contents of the NPROTECT folder and emptying the recycle bin manually immediately afterwards. It still contains about 30 files on start-up.

    Completed all the tasks requested. No files in Norton quarantine but several in backup folder so deleted those.

    Got the following message on reboot. "Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability, Windows must restore the original versions of these files" and requested the Windows XP SP2 disc. I don't have this! My motherboard was replaced about 6 months ago and Windows XP SP2 reinstalled by professionals. My original SP1 disc is not recognised by the system.

    So, what next?

    Regards
    Graham
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Reg Supreme 1.4

    When prompted, run the "Aggressive" scan and fix all found problems. Be sure you create the backup file just in case you have any problems. Reboot once complete and let me know what problems remain.
     
  31. Curlews

    Curlews Private E-2

    Ok. I ran Reg Supreme and it fixed some 600+ entries. No warning about unrecognised files on reboot. But then I had to click to accept these versions to get past the warning and complete the boot up!

    My broadband connection dropped a while back, before this last fix.

    Nothing else apparent (yet!)

    Regards
    Graham
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  33. Curlews

    Curlews Private E-2

    Hi bjgarrick.

    Things seem to be running ok. No obvious problems and none of those files have reappeared. Many thanks for all your help. Your time, patience and clear instructions have been greatly appreciated.

    Regards
    Graham

    ps no logs attached!
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    Glad things are running better, Surf Safely!
     
