TechSpot

Multi-Spyware/Trojan Attack, need a hand!

By Phoenix2k5
Nov 29, 2006
  1. Majorly infected, followed all steps, please take a look at log, thanks!

    I've recently been BOMBARDED by every trojan there is due to one bad website. I've managed to get rid of the ishost, ismini.exe viruses along with many many others. However, there is still something seriously wrong with my PC: there is malicious software I do not recognize running in my startup, and my computer is just simply unable to perform unless in safe mode with networking... I haven't been able to access my proper system for two days now, so it's time for me to ask for help! Here is my most recent HijackThis log; if someone could please help me out, I would greatly appreciate it!

    Thanks in advance,

    Alex

    P.S. If you need a log from my regular startup to see what is wrong, please tell me and I will do my best to get one.

    *EDIT*

    I've managed to upload my regular start up HJT file.

    *EDIT*

    I've followed every step in that guide over again and this is my new log.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You have a real nasty infection.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of Phoenix2k5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. Phoenix2k5

    Phoenix2k5 TS Rookie Topic Starter Posts: 18

    Sorry for the late reply, I've been trying to do all this but it takes a huge amount of time. I managed to get everything done except getting an Anti-Virus software installed because my system will not open install files in regular mode and will not install in SAFE mode; therefore, I just used the online scanner as instructed. I ran all the programs and followed every step precisely. Everything is a lot better but it is apparent there's still something lurking around. Take a look at my latest HJT file.

    P.S. The AVG-Spyware scan came back clean, so there's no log, unless there's another way to export a log than Reports -> Save Reports As?
     
  4. howard_hopkinso


    Download Vundofix from HERE.

    Double-click VundoFix.exe to run it.

    Right-click in the main window and click "Add more files".

    Enter the filepath you wish to remove into the top line and click the add files button, followed by the close window button.

    Click the "Remove Vundo" button and let VundoFix do its stuff.

    These are the filepaths you need to enter into Vundofix.

    C:\WINDOWS\system32\vorenbj.dll
    C:\WINDOWS\system32\ddcyw.dll
    C:\WINDOWS\system32\ggxkrdrw.dll
    C:\WINDOWS\system32\ixt7.dll
    C:\WINDOWS\system32\bcsbqyi.dll

    Once done, post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

     
  5. Phoenix2k5


    Hello,

    Followed instructions exactly, tried several times, got the following error: C:\WINDOWS\system32\ddcyw.dll could not be removed. VundoFix will restart your computer and try again.

    I click okay, it does, and it gives the same error even though the program starts before my Windows does.

    The second time I tried the same error came up but with ixt7.dll.

    Thanks for your time,

    Alex
     
  6. howard_hopkinso


    Post the log files I asked for please.

    Regards Howard :)

     
  7. Phoenix2k5


    Here are the most recent logs that you asked for.

    Thanks,

    Alex
     
  8. howard_hopkinso


    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if present).

    R3 - URLSearchHook: (no name) - {2FE405CE-B927-B2DA-7F58-BFCE6CBFBDB1} - (no file)

    O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)

    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\ggxkrdrw.dll (file missing)

    O2 - BHO: (no name) - {4245AD54-482E-402C-8BA5-3CA45A91A4F2} - C:\WINDOWS\system32\ddcyw.dll

    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt7.dll (file missing)

    O2 - BHO: (no name) - {75E42607-090A-F400-0E7E-08E690200341} - C:\WINDOWS\system32\bcsbqyi.dll (file missing)

    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\lserver\server.vbs"

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB

    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

    O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v48/chess/chess.cab

    Fix all O18 - Protocol entries.

    O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll

    O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - (no file)

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" option. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished entering the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\ddcyw.dll
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp\IEFWBHO.dll
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp\winpgi.dll
    C:\WINDOWS\system32\SpOrder.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

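The entries Howard lists above are the usual Vundo footprint: an unnamed BHO (O2) pointing at a random-named DLL in system32, a Winlogon Notify package (O20) pointing at the same DLL, and a trail of orphaned registrations whose files are already gone. The script below is an added example, not part of the thread and not code from HijackThis or any of the tools mentioned: it parses lines in HJT's log format and flags that pattern. The sample log is constructed from the lines quoted in post #8 plus two benign entries (an Acrobat BHO and the stock ScCertProp Notify package) added for contrast, and the rules are my own heuristics, not anything HJT does itself.

```python
import ntpath
import re

# Constructed sample input: the R3/O2/O20/O21 lines quoted in post #8, plus two
# benign entries (an Acrobat BHO and the stock ScCertProp Notify package) that
# the rules below should leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {2FE405CE-B927-B2DA-7F58-BFCE6CBFBDB1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {4245AD54-482E-402C-8BA5-3CA45A91A4F2} - C:\WINDOWS\system32\ddcyw.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt7.dll (file missing)
O20 - Winlogon Notify: ddcyw - C:\WINDOWS\system32\ddcyw.dll
O20 - Winlogon Notify: ScCertProp - wlnotify.dll
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - (no file)
"""

CLSID = r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$"),
    "R3":  re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
}


def parse(log_text):
    """Turn HJT lines into dicts; line types without a pattern are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            target = m.group("target").strip()
            missing = target == "(no file)" or target.endswith("(file missing)")
            path = "" if target == "(no file)" else re.sub(r"\s*\(file missing\)$", "", target)
            entries.append({
                "kind": kind,
                "name": m.group("name"),
                "clsid": (m.groupdict().get("clsid") or "").upper(),
                "path": path,
                "base": ntpath.basename(path).lower(),
                "missing": missing,
            })
            break
    return entries


def triage(entries):
    """Return (severity, rule, subject) findings for Vundo-style persistence."""
    findings = []
    bho_files = {e["base"] for e in entries if e["kind"] == "O2" and e["base"]}
    for e in entries:
        subject = e["base"] or e["clsid"]
        if e["missing"]:
            # Registration whose file is already gone: leftover from a partial
            # clean-up. Harmless on its own; this is what "fix checked" removes.
            findings.append(("low", "orphan", subject))
            continue
        if e["kind"] == "O2" and e["name"] == "(no name)" and "\\system32\\" in e["path"].lower():
            # Legitimate BHOs register a display name and live under Program Files.
            findings.append(("medium", "unnamed-system32-bho", subject))
        if e["kind"] == "O20":
            if e["base"] in bho_files:
                # The Vundo signature: one DLL loaded both by IE (as a BHO) and by
                # winlogon.exe (as a Notify package). Winlogon keeps it open for the
                # whole session, which is why in-session deletion keeps failing.
                findings.append(("high", "winlogon-bho-pair", subject))
            elif "\\" in e["path"]:
                # Stock Notify packages are registered by bare file name; a full
                # path is a weaker signal that still deserves a manual look.
                findings.append(("medium", "winlogon-notify-fullpath", subject))
    return findings


def triage_log(log_text):
    return triage(parse(log_text))


if __name__ == "__main__":
    for severity, rule, subject in triage_log(SAMPLE_LOG):
        print(f"{severity:6} {rule:26} {subject}")
```

Run it on a saved HJT log with `triage_log(open("hijackthis.log").read())`. The high-severity pair is the one finding that matters for planning the clean-up: the file it names cannot be deleted from a running session, and both the O2 and O20 registrations have to go, otherwise Winlogon reloads it at the next boot.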
     
  9. Phoenix2k5


    Followed everything exactly... The nasty .dll still seems to be there...
     
  10. howard_hopkinso


    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Double-click VundoFix.exe to run it.

    Right-click in the main window and click "Add more files".

    Enter the filepath you wish to remove into the top line and click the add files button, followed by the close window button.

    Click the "Remove Vundo" button and let VundoFix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\system32\ddcyw.dll

    Post a fresh HJT log.

    Regards Howard :)

     
  11. Phoenix2k5


    The program does not work for this file. It tells me it will restart and delete ddcyw.dll, it does and still fails. Sorry to be a pain in the *** but this thing just refuses to die :\. Any other solutions? The HJT remains the same from last post.

    Thanks a lot for your time,

    Alex
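Both VundoFix and Killbox had to defer the deletion to a reboot because the O20 entry means winlogon.exe loads ddcyw.dll at boot and keeps it open for the life of the session. The standard Windows mechanism for a deferred delete is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the PendingFileRenameOperations value under Session Manager; smss.exe works through that list at the next boot, before Winlogon starts. The code below is an added example, not code from either tool (and I am not claiming it is how they are implemented internally): it shows the on-disk encoding of that value and, on Windows, schedules the delete through ctypes. The ddcyw.dll path is the one from the thread; the second rename pair used in the test is constructed.

```python
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
NT_PREFIX = "\\??\\"   # Session Manager stores paths in NT object-manager form


def encode_pending_renames(ops):
    """Encode (source, destination) pairs as the REG_MULTI_SZ bytes of
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations.
    An empty destination means "delete source". (MOVEFILE_REPLACE_EXISTING would
    additionally prefix the destination with '!'; that case is not modelled.)"""
    out = bytearray()
    for src, dst in ops:
        out += (NT_PREFIX + src).encode("utf-16-le") + b"\x00\x00"
        out += ((NT_PREFIX + dst) if dst else "").encode("utf-16-le") + b"\x00\x00"
    out += b"\x00\x00"                       # list terminator
    return bytes(out)


def decode_pending_renames(blob):
    """Inverse of encode_pending_renames. Written by hand because the empty
    strings in this value are significant, and generic REG_MULTI_SZ readers
    (CPython's winreg among them) stop at the first empty string."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("missing list terminator")
    body = text[:-1]
    if body and not body.endswith("\x00"):
        raise ValueError("last string is not NUL-terminated")
    items = body.split("\x00")[:-1]          # each string ends in NUL; drop split tail
    if len(items) % 2:
        raise ValueError("odd number of strings; value is corrupt")

    def strip(s):
        return s[len(NT_PREFIX):] if s.startswith(NT_PREFIX) else s

    return [(strip(items[i]), strip(items[i + 1])) for i in range(0, len(items), 2)]


def schedule_delete_on_reboot(win_path):
    """Ask Windows to delete win_path during the next boot (needs admin rights).
    Raises on non-Windows hosts or if the API call fails."""
    if not sys.platform.startswith("win"):
        raise OSError("MoveFileExW needs Windows; only the encoder/decoder run here")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    # NULL destination + DELAY_UNTIL_REBOOT = "delete at boot"; the API appends
    # the pair to PendingFileRenameOperations in exactly the encoding above.
    if not kernel32.MoveFileExW(win_path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


if __name__ == "__main__":
    # Path from the thread; the encoder shows what the registry value looks like.
    target = r"C:\WINDOWS\system32\ddcyw.dll"
    print(encode_pending_renames([(target, "")]).hex())
    if len(sys.argv) > 1:
        schedule_delete_on_reboot(sys.argv[1])   # e.g. the path above, as admin
```

Run it as an administrator with the path as the only argument; on a non-Windows host only the encoder and decoder are usable. As post #11 shows, this variant survived the deferred delete anyway, so after the reboot check for the file and for its O2/O20 entries rather than trusting that the scheduled operation ran.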
     
  12. howard_hopkinso


    This is obviously some new variant.

    Let's try the following.

    Download and run VirtumundoBeGone and see if that kills it.

    Let me know the results.

    Regards Howard :)

     
  13. Phoenix2k5


    [12/01/2006, 18:21:47] - VirtumundoBeGone v1.5
    [12/01/2006, 18:21:53] - Detected System Information:
    [12/01/2006, 18:21:54] - Windows Version: 5.1.2600, Service Pack 2
    [12/01/2006, 18:21:54] - Current Username: Alex (Admin)
    [12/01/2006, 18:21:54] - Windows is in NORMAL mode.
    [12/01/2006, 18:21:54] - Searching for Browser Helper Objects:
    [12/01/2006, 18:21:54] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
    [12/01/2006, 18:21:54] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [12/01/2006, 18:21:54] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
    [12/01/2006, 18:21:55] - BHO 4: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} ()
    [12/01/2006, 18:21:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/01/2006, 18:21:55] - No filename found. Continuing.
    [12/01/2006, 18:21:55] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [12/01/2006, 18:21:55] - BHO 6: {C29BAC0B-A102-4C97-9C45-679D7C9EC817} ()
    [12/01/2006, 18:21:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [12/01/2006, 18:21:55] - Checking for HKLM\...\Winlogon\Notify\ddcyw
    [12/01/2006, 18:21:56] - Key not found: HKLM\...\Winlogon\Notify\ddcyw, continuing.
    [12/01/2006, 18:21:56] - Finished Searching Browser Helper Objects
    [12/01/2006, 18:21:56] - Finishing up...
    [12/01/2006, 18:21:56] - Nothing found! Exiting...

    Guess that didn't work either. Any way I can delete it through a registry + system32 manual deletion method?
     
  14. howard_hopkinso


    Mmm, try this.

    Download the DelinvFile utility, follow the instructions exactly.

    See if that'll delete the C:\WINDOWS\system32\ddcyw.dll file.

    Regards Howard :)

     
  15. Phoenix2k5


    Program didn't work, but I found another updated fix of the Vundo remover that did the job.

    Computer is much better but I still wanna make sure it's 100%.
    Here's my latest HJT log.

    P.S. Should I remove P.C. Cillin? I don't know where this anti-virus came from but it is legit... I'm guessing it's almost as garbage as Norton/Symantec.

    Thanks for your time,

    Alex
     
  16. howard_hopkinso


    Your HJT log is now clean.

    You should fix all the O18 - Protocol entries.

    Please can you give me the details of the new VundoFix update you used? It'll help other members with your variant of the infection.

    Regards Howard :)

     
  17. Phoenix2k5


    Glad to hear after 4 days of suffering it's gone.

    Thank you for your help, I greatly appreciate your time and effort! What you do is very helpful to everyone!

    You can download the VundoFix I used here. http://www.atribune.org/downloads/VundoFix.exe
    Glad to help.

    Thank you for your time, I'll stick around on the forum, I've learned a lot here!

    Alex
     
  18. howard_hopkinso


    That's exactly the same VundoFix as I asked you to download in post #4 and in the Viruses/Spyware/Malware, preliminary removal instructions.

    I wonder why it didn't work the first time?

    Oh well, never mind, it's fixed now.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  19. Phoenix2k5


    Hey Howard,

    Thanks again for helping me out, the system is running wonderfully and my C:\ drive is magically recovering gigabytes and gigabytes of space.

    I have one final problem though: my Radeon 9800 All in Wonder Pro video card is completely messed up, and always was. I was never able to uninstall the drivers completely and reinstall them so my TV Tuner etc. would work properly. During startup I always get an "ATI Multimedia Centre was unable to load properly". I've tried uninstalling with little success. It seems the drivers that were recommended to me way back when are completely incorrect. I'm not sure where to post this problem, so if you could please move this post to the correct forum I'd appreciate it... but if you can help me out I would much rather have you help me resolve this issue :) .

    Thanks for your time,

    Alex
     
  20. howard_hopkinso


    You should post this problem in our Audio and Video forum. I'm sure you'll get lots of help there.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
