So much for not following security precautions...

Discussion in 'Malware Help (A Specialist Will Reply)' started by markslade, May 10, 2007.

  1. markslade

    markslade Private E-2

    Got infected with several items on Monday after accepting an ActiveX control that was on a web site that I have frequented much. Don't know if that caused the problem....but I got a warning from windoze an hour or so later that I had spyware and registry changes.
    I have followed all of the READ & RUN ME steps. Tried to take notes as it was all going....but may have missed a few items....fixed msconfig....got new Sun Java.....
    1. Reboot to safe mode. Internet Explorer would not stop running. It wasn't visible but showed up in Task Manager. Something kept trying to connect. Couldn't click on it to stop it as it was bouncing all over the Task Manager screen.....so I ran everything with it running.
    2. Ran CCleaner.
    3. Ran Spybot. Could not find anything related to SDHelper other than a dll in the folder. It found a bunch of stuff....among the notables...Brave Sentry....SpySheriff....Rootkit.Win32.Agent.cf......Trojan-Proxy.Win32.Wopla.ac......Trojan.Clicker.Win32.Spywad.o.....Trojan-Proxy.Win32.Xorpix.fam.Backdoor.....SpamTool.Win32.Agent.h.Trojan.....the rest were tracking cookies. It could not remove Brave Sentry.
    4. Ran CounterSpy. Whew....17 hours later it was done....but couldn't find any way to save a log. I did later, after booting back into normal mode, open it and found the log and saved it.
    5. CounterSpy said I had to re-boot after it finished...which I did with networking to do the next step. Wouldn't boot in safe mode. Finally tried normal and got a message....anti-spyware boot time cleaner. Appeared to be a Microsoft thing. It ran through a bunch of stuff....and finished while I was on the phone so I didn't see the final results if any were displayed. The machine then booted. Of note is that now Internet Explorer was no longer running by itself and the windoze spyware message was gone. I re-booted into safe mode with networking. While running BitDefender I got a message that a buffer overrun was detected in c:\windows\explorer.exe. Since BitDefender was still scanning...I ignored the message and let BD run. Then ran Panda ActiveScan.
    6. Boot in normal...ran GetRunKey and ShowNew.
    I don't remember what I initially did when the problems started...but I found from the Symantec site that I had Virtumonde and had tried running their fixer. It said it stopped it from running but did not delete anything....so I continued on with your Special Removal Procedures...ran VundoFix...and it found and deleted files. Did a search on the site for Brave Sentry....found a post that related it to the smitRem removal tool....so I followed those instructions...ran HijackThis and smitRem....nothing found in the HijackThis log matching the entries in the post....and I let smitRem do its thing.
    Now Spybot does not show Brave Sentry....but it keeps coming up with Smitfraud-C.Toolbar888.
    Major problems "seem" to be fixed..........but I'm concerned that there may still be something lagging behind because of the Smitfraud thing....the one notable thing is that my wireless is not working anymore.....don't know if that is a result of anything done.
    And I'm updating my PC-cillin....and getting a new router.....and other steps in the "how to not do this stupid thing again" sticky....
    Thanks for any help
    Mark
     

    Attached Files:

  2. markslade

    markslade Private E-2

    Rest of the logs....hope I did all this correctly!!
    Is it OK to post the HijackThis log....or do you need it??
    Thanks
    Mark
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes....please attach the HJT log as directed in the instructions.....while I look at your other logs.
     
  4. markslade

    markslade Private E-2

    here ya go....
    thanks
    Mark
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use Add/Remove Programs to uninstall:
    Viewpoint Media Player
    Then look for and, if present, delete these folders:
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\Viewpoint

    Run CCleaner and delete all temp files!

    Continue by downloading a tool we will need -
    Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now
    1. Download this file - ComboFix.exe
    2. Double-click ComboFix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply.

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\ddcywvw.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\mbklntrp.dll (file missing)
    O2 - BHO: (no name) - {E4FD753E-3337-413A-97E8-487EC6116CAA} - C:\WINDOWS\system32\ddaya.dll
    O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll G
    O20 - Winlogon Notify: ddcywvw - C:\WINDOWS\SYSTEM32\ddcywvw.dll G
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe.
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then, after it deletes the files, click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * Then click on the All Files button (or on the Folders option).
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\ddcywvw.dll
    C:\WINDOWS\system32\ksys.sys
    C:\WINDOWS\system32\nmorrxpl.dll
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winupd_KB77461293.exe
    C:\wmplayer.dll
    C:\Windows\System32\ddaya.dll
    C:\Windows\System32\dzgtactx.dll
    C:\Windows\System32\MabryObj.dll
    C:\Windows\System32\ayadd.bak1
    C:\Windows\System32\ayadd.ini
    C:\Windows\System32\lpxrromn.ini

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click the box to unregister .dll's. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    * ComboFix
    * GetRunKey
    * ShowNew - please download the current version first!
    * HJT
     
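    The two HijackThis checks in this post (fix the O2/O20 lines, then post a fresh log) are easy to get wrong by eye, since the same CLSID can stay registered after its DLL is deleted and then reappear tagged "(file missing)". The script below is an added example, not part of TimW's instructions or any MajorGeeks tool: it parses O2 (BHO) and O20 (Winlogon Notify) lines in HijackThis log format, reports entries whose DLL is already gone, and diffs a before/after pair of logs to show which targeted entries survived the fix. The sample logs are constructed from the six entries quoted above (the trailing " G" on the O20 lines is dropped) plus a one-line follow-up log matching what TimW reports in post #8; the regexes and helper names are this example's own assumptions about the log format, not part of HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, not a real log: the six entries TimW quoted, in HijackThis format.
HJT_BEFORE_FIX = """\
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\\WINDOWS\\system32\\ddcywvw.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\\WINDOWS\\system32\\mbklntrp.dll (file missing)
O2 - BHO: (no name) - {E4FD753E-3337-413A-97E8-487EC6116CAA} - C:\\WINDOWS\\system32\\ddaya.dll
O20 - Winlogon Notify: ddaya - C:\\WINDOWS\\system32\\ddaya.dll
O20 - Winlogon Notify: ddcywvw - C:\\WINDOWS\\SYSTEM32\\ddcywvw.dll
O20 - Winlogon Notify: partnershipreg - C:\\Documents and Settings\\All Users\\Documents\\Settings\\partnership.dll (file missing)
"""

# Constructed follow-up log modelled on post #8: the DLL was deleted by Killbox,
# but the BHO CLSID is still registered, so HijackThis lists it as "(file missing)".
HJT_AFTER_FIX = """\
O2 - BHO: (no name) - {E4FD753E-3337-413A-97E8-487EC6116CAA} - C:\\WINDOWS\\system32\\ddaya.dll (file missing)
"""

# Assumed line shapes (this example's own regexes, not HijackThis code):
#   O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
#   O20 - Winlogon Notify: <subkey> - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class Entry:
    section: str        # "O2" or "O20"
    key: str            # CLSID for a BHO, Notify subkey name for Winlogon Notify
    path: str           # DLL path exactly as logged
    file_missing: bool  # HijackThis could not find the DLL on disk

    def ident(self):
        # Identity that survives the DLL being deleted: the registry hook, not the file.
        # Windows paths and CLSIDs are case-insensitive, so compare lowercased.
        return (self.section, self.key.lower(), self.path.lower())


def parse_hjt(text: str) -> List[Entry]:
    """Extract O2 and O20 entries from HijackThis-style log text; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["clsid"], m["path"], m["missing"] is not None))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], m["path"], m["missing"] is not None))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Hooks whose DLL is gone: the registry entry still needs fixing even though the file does not."""
    return [e for e in entries if e.file_missing]


def still_listed(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries from the first log whose registry hook is still present in the second log."""
    after_ids = {e.ident() for e in after}
    return [e for e in before if e.ident() in after_ids]


def referenced_dlls(entries: List[Entry]) -> List[str]:
    """Distinct DLL paths named by the hooks, lowercased, e.g. to feed a file-deletion list."""
    return sorted({e.path.lower() for e in entries})


if __name__ == "__main__":
    before = parse_hjt(HJT_BEFORE_FIX)
    after = parse_hjt(HJT_AFTER_FIX)
    print("hooks before fix:", len(before))
    print("already orphaned (file missing):", [e.key for e in orphaned(before)])
    print("still listed after fix:", [e.key for e in still_listed(before, after)])
    print("DLLs to delete:", referenced_dlls(before))
```

    Run against the two constructed logs, the script reports the ddaya BHO as the single survivor, which is exactly the item TimW asks to have fixed again in post #8; in real use you would paste the O2/O20 sections of the actual before and after logs in place of the samples.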
  6. markslade

    markslade Private E-2

    OK....
    Deleted Viewpoint Media Player and C:\doc and settings\all users\app data\viewpoint.
    C:\program files\viewpoint not found.

    Ran CCleaner.

    Ran ComboFix. Machine re-booted, then did log.

    merged registry

    Ran HJT. Only thing found was O2 - BHO.......\ddaya.dll. Fixed.

    Ran Killbox. Only thing found was C:\WINDOWS\system32\ddcywvw.dll.
    Got PendingFileRenameOperations prompt. Had to manually re-boot.

    Also...don't know if your note to download the current version of ShowNew was directed at me or is just something you always put in.
    I had downloaded the version that is on the "use ShowNew" sticky...but went ahead and downloaded it again just in case.
    Thanks for your help, Tim
    Mark
     

    Attached Files:

  7. markslade

    markslade Private E-2

    And the HJT log....
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HJT again and have it fix this item (it's still showing in the log):

    O2 - BHO: (no name) - {E4FD753E-3337-413A-97E8-487EC6116CAA} - C:\WINDOWS\system32\ddaya.dll (file missing)

    Otherwise you are looking pretty good ....please tell me how things are running or if you are having any problems.
     
  9. markslade

    markslade Private E-2

    Hmmmmm, didn't show up....

    Sorry...forgot to add that everything seems to be OK. It's been running pretty well. On another note....it looks like CCleaner will do for me what I was using CookieWall for....that is, keep from deleting some cookies I want to keep. Is that correct??
    Thanks
    Mark
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes to CCleaner ...very useful program!

    Your logs look clean. You may uninstall any programs we had you download.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below:
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file and the associated C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix-related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.zip and GetRunKey.zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * Go back to step 8 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  11. markslade

    markslade Private E-2

    Thanks a bunch, Tim. I'll work through the last steps. Have already gone through the "how to prevent"!!
    Haven't been to the home page to look....do you guys accept donations or something?
    Thanks Again
    Mark
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome ....and no to donations.....but you can buy me a pint the next time I'm in town...:D
     
  13. markslade

    markslade Private E-2

    I'm an hour south of Wash DC...if you're ever in the area give a shout!!
     
