Virus/Spyware Removal Process

Discussion in 'Malware Help (A Specialist Will Reply)' started by omgwtf1980, Feb 12, 2007.

  1. omgwtf1980

    omgwtf1980 Private E-2

    Hello. I've just recently acquired some viruses and/or spyware, and don't really know too much about getting rid of them. It seems as if lately my computer has bent its evil will on destroying me (and my bank account heh). I just finished installing a new motherboard and PSU after my previous garbage emachines PSU went out, taking the motherboard along with it. Anyway, back on topic, I have followed all of the instructions in the "READ AND RUN ME FIRST. Malware Removal Guide" thread. I think my PC seems a lot better, but I'm still getting some popups, and virus results when I scan. I just want to make sure that my computer is clean, as now I'm a little nervous logging into various accounts because one of the scan results said there was a virus that logged certain keystrokes.

    I have most of the log files required...I ran into a few problems with BitDefender and PandaScan, but I have everything else. Bitdefender would do a full scan, but then after it finished it would say there was some type of error with Internet Explorer or something like that, and would close. I'm not including the log because I've run the scan at least 3 times, and it's taken a few hours each time. I just don't have the time currently to run it again. If it's really required, please let me know and I will have to try again later. On the last scan, when I got the error popup, I disabled a file which it said was causing the problem. That file was: oscan8.ocx. It said it was softwin.

    And then PandaScan would not run. I was able to get up to where you select what you want to be scanned, and selected the C drive, and it would proceed to the scanning window, but after waiting a long time nothing happened. I tried a few times. So I will include the rest of the required log files. Please let me know if this is ok. And I really appreciate any help I receive. Thanks!

  2. omgwtf1980

    omgwtf1980 Private E-2

    And I will include the HijackThis log with this reply.

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The first thing you need to do is re-run counterspy and have it remove/quarantine everything that it finds, while I look at the rest of your logs.
     
  4. omgwtf1980

    omgwtf1980 Private E-2

    Alright I'll do that now. Thank you for the quick reply!
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    1. First Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply along with all the other logs requested.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Delete this file:

    C:\WINDOWS\system32\wnsintsu.exe



    Uninstall these items through add/remove in the control panel:
    Java 2 Runtime Environment Standard Edition v1.3.1
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Viewpoint Media Player
    WildTangent GameChannel (remove only)
    WildTangent Web Driver

    Reboot and install:
    Java Runtime 6

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    O2 - BHO: (no name) - {2E66848F-C731-B8FC-046D-0122F5901A85} - C:\WINDOWS\system32\dewrwnn.dll
    O2 - BHO: (no name) - {53F69B2A-4BCD-4138-8CC5-0FDDF5362F8D} - C:\WINDOWS\system32\ddabx.dll
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\xcfyikau.dll (file missing)
    O2 - BHO: (no name) - {A22BEDA9-E441-44DD-8007-8FC47C451237} - C:\WINDOWS\system32\ssqrpon.dll
    O20 - Winlogon Notify: ssqrpon - C:\WINDOWS\SYSTEM32\ssqrpon.dll
    O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
    and ComboFix
     
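    The HijackThis lines above (R1, O2, O4, O20) are just labels for registry autostart locations. The following PowerShell script is an added example, not part of this thread or of HijackThis, that reads those same locations directly and flags entries whose backing file is gone, the way HJT prints "(file missing)". It is read-only; the registry paths are the documented ones for Browser Helper Objects, Winlogon Notify packages and the Run keys. The Winlogon\Notify key exists only on XP/2003 (Vista and later dropped notify packages), so on a newer machine that list is simply empty.

```powershell
# Added example (not from the thread): enumerate the autostart points behind
# HJT's O2 (BHO), O20 (Winlogon Notify) and O4 (Run) lines and flag missing
# files. Read-only. Run as Administrator on Windows.

function Resolve-ClsidServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # A BHO is registered by CLSID only; the DLL is the default value of
    # HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32 (WOW6432Node on x64).
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            return (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }
    return $null
}

function Test-FileMissing {
    param([string]$File)
    if ([string]::IsNullOrWhiteSpace($File)) { return $true }
    $f = [Environment]::ExpandEnvironmentVariables($File.Trim('"'))
    # Winlogon Notify often stores a bare name (e.g. winmmt32.dll); the loader
    # resolves that against System32, so do the same before testing.
    if (-not [IO.Path]::IsPathRooted($f)) { $f = Join-Path $env:SystemRoot "System32\$f" }
    return -not (Test-Path -LiteralPath $f -PathType Leaf)
}

function Get-AutostartEntries {
    $entries = @()

    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bho) {
        foreach ($k in Get-ChildItem -LiteralPath $bho) {
            $dll = Resolve-ClsidServer $k.PSChildName
            $entries += [pscustomobject]@{ Kind = 'O2 BHO'; Name = $k.PSChildName; Path = $dll; Missing = (Test-FileMissing $dll) }
        }
    }

    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($k in Get-ChildItem -LiteralPath $notify) {
            $dll = (Get-ItemProperty -LiteralPath $k.PSPath).DLLName
            $entries += [pscustomobject]@{ Kind = 'O20 Winlogon Notify'; Name = $k.PSChildName; Path = $dll; Missing = (Test-FileMissing $dll) }
        }
    }

    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $run)) { continue }
        $key = Get-Item -LiteralPath $run
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Command line -> executable: a quoted path, else the first token ending in .exe
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } elseif ($cmd -match '^(\S+?\.exe)') { $Matches[1] } else { $cmd }
            $entries += [pscustomobject]@{ Kind = "O4 $($run.Split(':')[0]) Run"; Name = $name; Path = $exe; Missing = (Test-FileMissing $exe) }
        }
    }
    return $entries
}

# Beyond "missing", the signs worth a second look are the ones this thread shows:
# a BHO with no friendly name, a random 6-8 letter DLL in System32, and the same
# DLL registered both as a BHO and as a Winlogon Notify package.
Get-AutostartEntries | Sort-Object Missing -Descending | Format-Table Kind, Name, Path, Missing -AutoSize
```

    A "Missing" entry is a dangling reference (harmless by itself, but it produces the "Error loading ..." dialog at logon until the key is removed); a present entry with a meaningless name registered in two places at once is the thing to investigate before deleting.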
  6. omgwtf1980

    omgwtf1980 Private E-2

    Should I let CounterSpy finish running before I follow those instructions? It will probably take around another hour and a half or so for it to complete the scan.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes... always let a process finish before going on to another fix. :)
     
  8. omgwtf1980

    omgwtf1980 Private E-2

    Ok, so CounterSpy found no problem files (besides registry entries, I mean) except for Bearshare, which is listed as low risk, and I know isn't a problem since it hadn't been used prior to the malware problem. But when I rebooted, I get this message:

    Buffer overrun detected!

    Program: C:\WINDOWS\Explorer.exe

    A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.


    If I click ok it blanks out the desktop for a moment, which comes back a moment later... and then a few more seconds and the message pops up again. If I ignore it then I can open other programs, but I have no idea why this happened. I tried doing a system restore to before the CounterSpy scan and it didn't help. What happened?

    Hopefully that will be fixable, but in the meantime I followed your other directions. There was one key I didn't remove because it wasn't there:

    O2 - BHO: (no name) - {53F69B2A-4BCD-4138-8CC5-0FDDF5362F8D} - C:\WINDOWS\system32\ddabx.dll

  9. omgwtf1980

    omgwtf1980 Private E-2

    And the newfiles.txt.

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove to uninstall this:
    VSAdd-in for Internet Explorer


    Boot into safe mode and use explorer to delete the following:

    C:\WINDOWS\system32\cnuqqpyj.exe
    C:\WINDOWS\system32\pkgubawf.exe
    C:\WINDOWS\system32\qurvylxy.exe
    C:\WINDOWS\system32\cpibeewl.dll
    C:\WINDOWS\system32\ddabx.dll
    C:\WINDOWS\system32\dewrwnn.dll
    C:\WINDOWS\system32\drvnih.dll
    C:\WINDOWS\system32\ssqrpon.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\xbadd.tmp
    C:\WINDOWS\system32\dsmqsjud.ini
    C:\WINDOWS\system32\lweebipc.ini
    C:\WINDOWS\system32\xbadd.ini
    C:\WINDOWS\system32\xbadd.ini2


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: (no name) - {22FBC542-D596-4592-95B6-7E35ABE1AFDE} - C:\WINDOWS\system32\ddabx.dll
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in_1.dl
    O2 - BHO: (no name) - {5675E00D-5120-421A-AB97-179BAA21954B} - C:\WINDOWS\system32\ddabx.dll
    O2 - BHO: (no name) - {A22BEDA9-E441-44DD-8007-8FC47C451237} - C:\WINDOWS\system32\ssqrpon.dll
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in_1.dll
    O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll
    O20 - Winlogon Notify: ssqrpon - C:\WINDOWS\SYSTEM32\ssqrpon.dll

    After clicking Fix, exit HJT.
    Reboot into normal mode and attach new logs for:

    * GetRunKey - please download the current version first!
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
     
  11. omgwtf1980

    omgwtf1980 Private E-2

    Thank you so much for your help so far, TimW. :)

    These 2 .dll files couldn't be deleted:

    ddabx.dll
    ssqrpon.dll


    It said they were in use, even in safe mode. There were also a few I couldn't find in HJT:

    O2 - BHO: (no name) - {22FBC542-D596-4592-95B6-7E35ABE1AFDE} - C:\WINDOWS\system32\ddabx.dll
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in_1.dl
    O2 - BHO: (no name) - {5675E00D-5120-421A-AB97-179BAA21954B} - C:\WINDOWS\system32\ddabx.dll
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in_1.dll


    Other than that though, everything seems to be working very well again. I haven't gotten any popups yet while using the internet. One thing though: When I log on, I get a notification that says:

    Error loading C:\WINDOWS\system32\cpibeewl.dll
    The specified module could not be found.
    Is there a way to fix that? Also, when first starting IE, a window opens for a 'System Integrity Scan Wizard' warning me about critical errors in the windows registry, but I don't think it's a system file..looks more like 3rd party trying to imitate a Microsoft warning.

    This isn't necessarily a problem, but it kind of bugs me; after the last few file deletions, the clock in the tray displays time in military time...I prefer 12 hour, but I don't see a way to change it. Sorry for being annoying.

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download and run Process Explorer
    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ajckyknd.dll, ddabx.dll and ssqrpon.dll once and then click the kill button. After you have killed all of the ajckyknd.dll, ddabx.dll and ssqrpon.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ajckyknd.dll, ddabx.dll and ssqrpon.dll and kill it.

    Next double click on iexplore.exe and do the same.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3ABA9F17-F30F-44CC-AA5B-D6402F99F404} - C:\WINDOWS\system32\ddabx.dll
    O2 - BHO: (no name) - {A22BEDA9-E441-44DD-8007-8FC47C451237} - C:\WINDOWS\system32\ssqrpon.dll
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\ajckyknd.dll
    C:\WINDOWS\system32\ddabx.dll
    C:\WINDOWS\system32\ssqrpon.dll
    C:\WINDOWS\system32\xbadd.ini2
    C:\WINDOWS\system32\xbadd.ini


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Attach new logs for:
    ShowNew
    HJT
     
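    Why the two DLLs survived even in safe mode: a Winlogon Notify package is mapped into winlogon.exe at every logon, safe mode included, and a BHO is mapped into Explorer and IE, so the files are always "in use" once the shell is up. The Process Explorer step above kills the threads running from those DLLs so the file handle is released; Killbox's "Delete on Reboot" sidesteps the problem entirely by queuing the deletion for the next boot, which Windows implements with MoveFileEx and the MOVEFILE_DELAY_UNTIL_REBOOT flag (the queue is the PendingFileRenameOperations value under Session Manager and is processed before Winlogon runs). The script below is an added example, not from this thread or from Killbox, that does the same three things from PowerShell: lists which processes have a DLL loaded, removes a BHO's registration without running its code, and queues the files for deletion. It must be run as Administrator; the file names and the CLSID are the ones from the logs above, substitute your own.

```powershell
# Added example (not from the thread): Process Explorer / Killbox steps done in
# PowerShell. Run as Administrator. Targets are the file names from this thread.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Get-ProcessesLoading {
    # Equivalent of the Process Explorer step: which live processes have the DLL mapped?
    param([Parameter(Mandatory)][string]$ModuleName)
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # access denied on protected processes
        if ($mods | Where-Object { $_.ModuleName -ieq $ModuleName }) {
            [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Module = $ModuleName }
        }
    }
}

function Remove-BhoRegistration {
    # Killbox's "Unregister DLL" runs regsvr32 /u, which executes the malware's own
    # DllUnregisterServer. Deleting the two registration keys directly avoids that.
    param([Parameter(Mandatory)][string]$Clsid)
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force; "removed $k" }
    }
}

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string[]]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { "not present, skipping: $p"; continue }
        # Null destination means delete. Session Manager performs the queued
        # operation at the next boot, before Winlogon, Explorer or IE can map the file.
        if ([Win32.Native]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            "queued for deletion at reboot: $p"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "MoveFileEx failed for $p (Win32 error $err)"
        }
    }
    # Show the queue (REG_MULTI_SZ: '\??\source' followed by an empty string for a delete).
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
}

$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = 'ajckyknd.dll', 'ddabx.dll', 'ssqrpon.dll' | ForEach-Object { Join-Path $sys32 $_ }

$targets | ForEach-Object { Get-ProcessesLoading ([IO.Path]::GetFileName($_)) }
Remove-BhoRegistration '{A22BEDA9-E441-44DD-8007-8FC47C451237}'   # ssqrpon.dll's BHO CLSID from the log
Register-DeleteOnReboot $targets
# Reboot afterwards. An "Error loading ..." dialog at the next logon means a Run
# or Winlogon Notify entry still points at the deleted file and its key needs
# removing too; the file itself is gone.
```

    Queuing the deletion is the safer of the two approaches: killing threads inside winlogon.exe by hand can take the logon process down with them, whereas the delayed delete never touches a running process and is the mechanism Windows' own installers use for files that are locked at install time.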
