Vundo Removal

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
You cannot reply to this topic

Vundo Removal

#1 bikesh

Member

Group: Members
Posts: 24
Joined: 08-May 08

Posted 16 May 2008 - 08:11 AM

I was trying to open my laptop in normal mode but due to c:\windows\system32\ddcyv.dll TR/Vundo.Gen i coundnt use it,,,,it only displays the dialog box for Vundo,,,,so i opened my laptop in safe mode and got this hijack log:
I would really appreciate this,,,,,,,

Deckard's System Scanner v20071014.68
Run by Saleem_2 on 2008-05-16 08:58:33
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.

-- Last 5 Restore Point(s) --
52: 2008-05-14 04:43:04 UTC - RP52 - Software Distribution Service 3.0
51: 2008-05-14 04:31:31 UTC - RP51 - Restore Operation
50: 2008-05-13 22:00:39 UTC - RP50 - Software Distribution Service 3.0
49: 2008-02-24 17:00:18 UTC - RP49 - System Checkpoint
48: 2008-02-23 03:36:52 UTC - RP48 - System Checkpoint

-- First Restore Point --
1: 2008-01-31 23:04:14 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-16 09:05:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Saleem_2\Desktop\dss.exe
C:\WINDOWS\explorer.exe
F:\SETUP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F0 - win.ini: load=C:\WINDOWS\system32\ddcyv.exe
F3 - REG:win.ini: Load=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4538FA8B-9F6D-4879-A328-137A49CBBD5C} - C:\WINDOWS\system32\ddcyv.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll
O2 - BHO: (no name) - {6061E529-597C-4573-9681-319FB7CA6811} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iifgfgd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: {d50d8db5-1bbd-dcea-2bb4-41d0f775295a} - {a592577f-0d14-4bb2-aecd-dbb15bd8d05d} - C:\WINDOWS\system32\dapklsrm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [1c066ad2] rundll32.exe "C:\WINDOWS\system32\hvvxsqvw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Mercury Quality Center Service Control.lnk = C:\Program Files\Mercury\Quality Center\bin\Jboss\QCTrayIcon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199340730184
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_12) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://saleem-88b4ea04:8080/sabin/Spider90.ocx
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: iifgfgd - C:\WINDOWS\system32\iifgfgd.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Mercury Quality Center - Alexandria Software Consulting - C:\Program Files\Mercury\Quality Center\jboss\bin\QCJavaService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

--
End of file - 7232 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.10) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.10>
S2 paldrv - c:\windows\system32\pal_drv.sys <Not Verified; Mercury Interactive Corp.; Astra>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
S2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
S2 Mercury Quality Center - c:\progra~1\mercury\qualit~1\jboss\bin\qcjavaservice.exe <Not Verified; Alexandria Software Consulting; JavaService>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-01-03 15:42:42 516 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Saleem at 1 40 PM.job

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 07:37:57 350208 --a------ C:\WINDOWS\system32\ddcyv.exe
2008-05-16 07:37:45 0 d-------- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Favorites
2008-05-16 07:37:45 0 d-------- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Desktop
2008-05-16 07:37:45 0 d--hs---- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Cookies
2008-05-16 07:37:45 0 dr-h----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Application Data
2008-05-16 07:37:45 0 d---s---- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Application Data\Microsoft
2008-05-16 07:37:44 0 d--h----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Templates
2008-05-16 07:37:44 0 dr------- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Start Menu
2008-05-16 07:37:44 0 dr-h----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\SendTo
2008-05-16 07:37:44 0 d--h----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Recent
2008-05-16 07:37:44 0 d--h----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\PrintHood
2008-05-16 07:37:44 524288 --ah----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\NTUSER.DAT
2008-05-16 07:37:44 0 d--h----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\NetHood
2008-05-16 07:37:44 0 d-------- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\My Documents
2008-05-16 07:37:44 0 d--h----- C:\Documents and Settings\Administrator.SALEEM-88B4EA04\Local Settings
2008-05-13 23:43:24 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-05-13 23:28:35 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-05-13 23:28:35 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-05-13 23:28:35 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-05-13 23:28:35 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-05-13 23:28:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-13 23:28:34 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

-- Find3M Report ---------------------------------------------------------------

2008-05-16 09:04:35 195742 --ahs---- C:\WINDOWS\system32\vycdd.ini2
2008-02-23 14:30:20 101 --a------ C:\WINDOWS\system32\prsgrc.dll
2008-02-21 20:34:39 346688 --a------ C:\WINDOWS\system32\ddcyv.dll
2008-02-17 17:44:27 296805 --ahs---- C:\WINDOWS\system32\cccdd.ini2
2008-02-17 17:38:24 8 --a------ C:\WINDOWS\system32\1c06785c
2008-02-16 12:36:23 1025 --a------ C:\WINDOWS\system32\u1xijxq.dll
2008-02-16 12:36:02 1024 --a------ C:\WINDOWS\system32\grcauth2.dll
2008-02-16 12:36:02 1024 --a------ C:\WINDOWS\system32\grcauth1.dll
2008-02-16 12:35:55 1025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-02-16 12:35:55 1025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-02-16 12:35:54 73 --a------ C:\WINDOWS\system32\ssprs.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4538FA8B-9F6D-4879-A328-137A49CBBD5C}]
02/21/2008 08:34 PM 346688 --a------ C:\WINDOWS\system32\ddcyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6061E529-597C-4573-9681-319FB7CA6811}]
C:\WINDOWS\system32\ddccc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
01/31/2008 05:58 PM 385536 --a------ C:\WINDOWS\system32\iifgfgd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a592577f-0d14-4bb2-aecd-dbb15bd8d05d}]
C:\WINDOWS\system32\dapklsrm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [04/12/2005 07:17 PM C:\WINDOWS\agrsmmsg.exe]
"1c066ad2"="C:\WINDOWS\system32\hvvxsqvw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []
"Windows update loader"="C:\Windows\xpupdate.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Mercury Quality Center Service Control.lnk - C:\Program Files\Mercury\Quality Center\bin\Jboss\QCTrayIcon.exe [2/2/2008 2:31:28 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 6:23:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\iifgfgd.dll [01/31/2008 05:58 PM 385536]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= C:\WINDOWS\system32\ShellHook.dll [02/12/2007 12:19 AM 46080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgfgd]
iifgfgd.dll 01/31/2008 05:58 PM 385536 C:\WINDOWS\system32\iifgfgd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG511v2 Wireless Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG511v2 Wireless Assistant.lnk
backup=C:\WINDOWS\pss\NETGEAR WG511v2 Wireless Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
C:\Program Files\MalwareAlarm\MalwareAlarm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\setup.exe

*Newly Created Service* - PARPORT

-- End of Deckard's System Scanner: finished at 2008-05-16 09:08:09 ------------

#2 OldTimer

Malware Expert

Group: Malware Response Team
Posts: 11,083
Joined: 28-January 05
Gender:Male
Location:Holland Michigan USA

Posted 16 May 2008 - 10:11 AM

Hello bikesh and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose Select All from the list.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 bikesh

Member

Group: Members
Posts: 24
Joined: 08-May 08

Posted 16 May 2008 - 11:49 AM

And i got the attached log file

#4 OldTimer

Malware Expert

Group: Malware Response Team
Posts: 11,083
Joined: 28-January 05
Gender:Male
Location:Holland Michigan USA

Posted 16 May 2008 - 12:28 PM

Hi bikesh. Let's see what we can do with this. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\ddcyv.dll 
%systemroot%\system32\ddcyv.exe
%systemroot%\system32\iifgfgd.dll
%systemroot%\system32\iifgfgd.dll 
%systemroot%\system32\vycdd.ini
%systemroot%\system32\vycdd.ini2
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.

Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> 1c066ad2 -> %SystemRoot%\system32\hvvxsqvw.DLL [rundll32.exe "C:\WINDOWS\system32\hvvxsqvw.dll",b]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\iifgfgd.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> iifgfgd -> %SystemRoot%\system32\iifgfgd.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {6061E529-597C-4573-9681-319FB7CA6811} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddccc.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\iifgfgd.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {a592577f-0d14-4bb2-aecd-dbb15bd8d05d} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\dapklsrm.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {D8ABDD88-010E-4E27-B1F2-6379932345C8} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddcyv.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {98C53984-8BF8-4D11-9B1C-C324FCA9CADE}[HKEY_LOCAL_MACHINE] -> http://saleem-88b4ea04:8080/sabin/Spider90.ocx[Loader Class v3]
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Spider90.ocx\ -> 
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\ddcyv -> %SystemRoot%\system32\ddcyv.exe
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\uTorrent\uTorrent.exe -> C:\Program Files\uTorrent\uTorrent.exe [C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Veoh Networks\Veoh\VeohClient.exe -> C:\Program Files\Veoh Networks\Veoh\VeohClient.exe [C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Saleem_2\Local Settings\Temp\LRE13.tmp\bin\java.exe -> C:\Documents and Settings\Saleem_2\Local Settings\Temp\LRE13.tmp\bin\java.exe [C:\Documents and Settings\Saleem_2\Local Settings\Temp\LRE13.tmp\bin\java.exe:*:Enabled:java]
[Files/Folders - Created Within 30 days]
NY -> ddcyv.exe -> %SystemRoot%\System32\ddcyv.exe
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> ddcyv.exe -> %SystemRoot%\System32\ddcyv.exe
NY -> vycdd.ini -> %SystemRoot%\System32\vycdd.ini
NY -> vycdd.ini2 -> %SystemRoot%\System32\vycdd.ini2
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Click on Online Services and then Online Scanner
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Click OK
Now under select a target to scan:
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
Just use the default settings.
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #5

Post the following back here by copy/pasting them into the reply:

The Avenger report (c:\Avenger.txt)
The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
The online virus scan report (whichever one you ran)

Attach the following back here in the reply:

The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#5 bikesh

Member

Group: Members
Posts: 24
Joined: 08-May 08

Posted 17 May 2008 - 12:07 AM

avenger report:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\ddcyv.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\ddcyv.exe" not found!
Deletion of file "C:\WINDOWS\system32\ddcyv.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\iifgfgd.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\iifgfgd.dll" not found!
Deletion of file "C:\WINDOWS\system32\iifgfgd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\vycdd.ini" deleted successfully.
File "C:\WINDOWS\system32\vycdd.ini2" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.

Completed script processing.

*******************
the otscanit fix log:
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\1c066ad2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ deleted successfully.
File C:\WINDOWS\system32\iifgfgd.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifgfgd\ deleted successfully.
File C:\WINDOWS\system32\iifgfgd.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6061E529-597C-4573-9681-319FB7CA6811}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6061E529-597C-4573-9681-319FB7CA6811}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ not found.
File C:\WINDOWS\system32\iifgfgd.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a592577f-0d14-4bb2-aecd-dbb15bd8d05d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a592577f-0d14-4bb2-aecd-dbb15bd8d05d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8ABDD88-010E-4E27-B1F2-6379932345C8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8ABDD88-010E-4E27-B1F2-6379932345C8}\ not found.
File C:\WINDOWS\system32\ddcyv.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Starting removal of ActiveX control {98C53984-8BF8-4D11-9B1C-C324FCA9CADE}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{98C53984-8BF8-4D11-9B1C-C324FCA9CADE}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98C53984-8BF8-4D11-9B1C-C324FCA9CADE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Spider90.ocx\ deleted successfully.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\ddcyv deleted successfully.
File C:\WINDOWS\system32\ddcyv.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\uTorrent\uTorrent.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Veoh Networks\Veoh\VeohClient.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Saleem_2\Local Settings\Temp\LRE13.tmp\bin\java.exe deleted successfully.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\ddcyv.exe not found!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\ddcyv.exe not found!
File C:\WINDOWS\System32\vycdd.ini not found!
File C:\WINDOWS\System32\vycdd.ini2 not found!
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Saleem_2\Local Settings\Temp\~DF6537.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Saleem_2\Local Settings\Temp\~DFD2B6.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\1152 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.0 fix logfile created on 05162008_150555

Files moved on Reboot...
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
C:\Documents and Settings\Saleem_2\Local Settings\Temp\~DF6537.tmp moved successfully.
C:\Documents and Settings\Saleem_2\Local Settings\Temp\~DFD2B6.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\hsperfdata_SYSTEM\1152 not found!
File C:\WINDOWS\temp\Perflib_Perfdata_b8.dat not found!

F-Secure Online Scanner log:
Scanning Report
Friday, May 16, 2008 15:14:48 - 16:56:01
Computer name: SALEEM-88B4EA04
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\

--------------------------------------------------------------------------------

Result: 14 malware found
Trojan.Win32.Monder (virus)
System
Trojan.Win32.Monder.af (virus)
C:\WINDOWS\SYSTEM32\STUWVVTC.DLL
Trojan.Win32.Monder.bv (virus)
C:\WINDOWS\SYSTEM32\YTWXTMPG.DLL
Trojan.Win32.Monder.cc (virus)
C:\WINDOWS\SYSTEM32\KPMTLBPW.DLL
Trojan.Win32.Monder.cd (virus)
C:\WINDOWS\SYSTEM32\JNDVNMDO.DLL
Trojan.Win32.Monder.gen (virus)
C:\WINDOWS\SYSTEM32\FFRTSDVT.DLL
C:\WINDOWS\SYSTEM32\GDKBVTOO.DLL
C:\WINDOWS\SYSTEM32\HTURTIXU.DLL
C:\WINDOWS\SYSTEM32\NSGRWQDB.DLL
C:\WINDOWS\SYSTEM32\OUTJHGFA.DLL
C:\AVENGER\DDCYV.DLL
C:\AVENGER\IIFGFGD.DLL (Renamed & Submitted)
Vundo.gen38 (virus)
C:\WINDOWS\SYSTEM32\SGBKVEOD.INI (Submitted)
C:\WINDOWS\SYSTEM32\VPMVHDJP.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28160
System: 3140
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 13
Submitted: 3
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\1840
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{A8044F7F-6D9F-40E0-876C-736ECE1497B0}.BIN
C:\WINDOWS\PREFETCH\LAYOUT.INI

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-05-16
F-Secure AVP: 7.0.171, 2008-05-16
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Finished! Terminate.

#6 OldTimer

Malware Expert

Group: Malware Response Team
Posts: 11,083
Joined: 28-January 05
Gender:Male
Location:Holland Michigan USA

Posted 17 May 2008 - 10:14 AM

Hi bikesh. That looks pretty good. These should be gone already but let's just make sure.

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> MSMSGS -> %ProgramFiles%\Messenger\msmsgs.exe ["C:\Program Files\Messenger\msmsgs.exe" /background]
YN -> Windows update loader -> %SystemRoot%\xpupdate.exe [C:\Windows\xpupdate.exe]
< Windows NT\\Load [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\load
YY -> C:\WINDOWS\system32\ddcyv.exe -> %SystemRoot%\system32\ddcyv.exe
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {31847822-0899-4681-9C60-1ABB52C4595E} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddcyv.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Extra Files]
C:\WINDOWS\SYSTEM32\STUWVVTC.DLL 
C:\WINDOWS\SYSTEM32\YTWXTMPG.DLL 
C:\WINDOWS\SYSTEM32\KPMTLBPW.DLL 
C:\WINDOWS\SYSTEM32\JNDVNMDO.DLL 
C:\WINDOWS\SYSTEM32\FFRTSDVT.DLL 
C:\WINDOWS\SYSTEM32\GDKBVTOO.DLL 
C:\WINDOWS\SYSTEM32\HTURTIXU.DLL 
C:\WINDOWS\SYSTEM32\NSGRWQDB.DLL 
C:\WINDOWS\SYSTEM32\OUTJHGFA.DLL 
C:\WINDOWS\SYSTEM32\SGBKVEOD.INI
C:\WINDOWS\SYSTEM32\VPMVHDJP.INI
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#7 bikesh

Member

Group: Members
Posts: 24
Joined: 08-May 08

Posted 20 May 2008 - 09:51 AM

THis is what i got after last oTSCANIT

#8 OldTimer

Malware Expert

Group: Malware Response Team
Posts: 11,083
Joined: 28-January 05
Gender:Male
Location:Holland Michigan USA

Posted 20 May 2008 - 10:03 AM

Hi bikesh. Everything looks good. Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#9 bikesh

Member

Group: Members
Posts: 24
Joined: 08-May 08

Posted 25 May 2008 - 11:37 AM

ya,everything is ok but the wireless,,,,its not working

#10 OldTimer

Malware Expert

Group: Malware Response Team
Posts: 11,083
Joined: 28-January 05
Gender:Male
Location:Holland Michigan USA

Posted 25 May 2008 - 05:52 PM

Hi bikesh. If the router settings have been checked and are correct and the wireless settings on the laptop have been checked and are correct then the wireless networking component might need to be reinstalled. If assistance is needed with that then post in the here and they can help with that.

Now let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

My Computer

Properties

System Restore

Turn off System Restore

Apply

2. Restart your computer.

3. Turn ON System Restore.

My Computer

Properties

System Restore

Turn off System Restore

Apply

System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:

OTScanIt

CleanUp

OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.

After that you are good to go.

Cheers and Happy Computing!

OT

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer