TechSpot

Multiple problems today, please help

By cball75
Apr 13, 2008
  1. Was nailed today by TROJAN.KILLAV, fake spyware desktop background, and System Integrity scan wizard box. Now I get pop-up ads for about everything. I am also seeing about 2-3 command windows upon restarting with invalid parameter warnings.

    I have run a lot of the programs mentioned prior to finding this site so here is my HJT log as of now.

    Programs tried today.
    CCleaner
    HouseCall, IE failed several times doing this, unable to delete these 2 files with HC ddbaipe.dll and ddcDWOGX.dll
    My own Norton
    Adware 2007 updated today
    Malwarebytes updated today
    SmitfraudFix in safemode

    Thanks in advance for any help
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you run this Hijackthis scan after the other programs?

    Let's look deeper
    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  3. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    Yes, HJT was last thing I ran.

    Just completed running CF, log attached
    Ran HJT after CF, log attached

    Thanks for quick response
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder



    Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
    I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

      How to prevent it from being recreated every time you run the AOL software:
      • Open AOL
      • Go to Help on the toolbar
      • Select About AOL
      • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.



    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply



    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {335BEAA2-52D6-4024-939E-AC5BA6745834} - C:\WINDOWS\system32\ljJddCUM.dll (file missing)
      O2 - BHO: (no name) - {72E8FDF4-BD45-4208-9FED-68777A65885C} - C:\WINDOWS\system32\cbXQkhEx.dll (file missing)
      O20 - Winlogon Notify: vtUmLbXO - vtUmLbXO.dll (file missing)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Afterwards scan again with Hijackthis and post the new log for me
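
Added example, not part of the original posts: a small Python triage pass over HijackThis O2 (BHO) and O20 (Winlogon Notify) lines that flags the traits the three entries listed above share. The function names and the heuristics are assumptions chosen for illustration, and the fourth sample line is constructed.

```python
import ntpath
import re

# The first three lines are the entries quoted in the post above; the fourth
# is a constructed benign entry added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {335BEAA2-52D6-4024-939E-AC5BA6745834} - C:\WINDOWS\system32\ljJddCUM.dll (file missing)
O2 - BHO: (no name) - {72E8FDF4-BD45-4208-9FED-68777A65885C} - C:\WINDOWS\system32\cbXQkhEx.dll (file missing)
O20 - Winlogon Notify: vtUmLbXO - vtUmLbXO.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

ENTRY_RE = re.compile(
    r"^(?P<section>O2|O20) - (?P<kind>BHO|Winlogon Notify): (?P<name>.*?) - "
    r"(?:(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - )?"
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def parse_entry(line):
    """Return the fields of one O2/O20 line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    return entry

def triage(log_text):
    """Return (dll_name, reasons) for every entry that matches a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = []
        if entry["missing"]:
            reasons.append("target file missing (orphaned registry entry)")
        if entry["kind"] == "BHO" and entry["name"] == "(no name)":
            reasons.append("BHO has no display name")
        folder = ntpath.dirname(entry["path"]).lower()
        if folder == "" or folder.endswith("\\system32"):
            reasons.append("bare filename or system32 path")
        if reasons:
            findings.append((ntpath.basename(entry["path"]), reasons))
    return findings

if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_LOG):
        print(f"{dll}: {'; '.join(reasons)}")
```

A flagged line is a candidate for review against the rest of the log, not a verdict; legitimate components also live in system32.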
     
  5. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    Okay, I completed all those tasks.

    New logs attached. I can not turn ON - Norton AV since I ran CF the first time, would this be normal?
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Not normal, it should clear up when we remove combofix shortly

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  7. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    Here is the K ONLINE log
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.



    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
     
  9. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    New logs...
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Everything looks good. How is the computer running? Any more problems?

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)


    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
     
  11. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    OTmove keeps hanging up, must use END task to kill it???
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you already turn Norton back on?
     
  13. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    No, icon in Sys tray indicates still OFF.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    ok, we can do it manually then.

    Go to add/remove programs to uninstall Hijackthis, check for SDFix. I think SDFix needs to be removed from the desktop by dragging to the recycle bin. Go ahead and delete OTMoveit as well. Smitfraudfix can be dragged to the recycle bin also.

    Then proceed with the clean up.
     
  15. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    Thanks a lot. It looks like I need to reinstall my Norton to fix the Auto-protect and phishing protection. Do you see any problems with doing that right now?
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    No, I think that is a great idea. Here is the best way to do it.


    1)Write down your product license # for the reinstall.

    2)Make sure that you have the installation CDs or download the installation files for any Norton products that you want to reinstall.

    3)Completely remove Norton using the following tool http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

    4)Run the installation files from Step 1


    If downloading the new install, make sure you download the installation files first, but don't actually run the installers until you have removed your current install
     
  17. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    Alright. All is completed including full system scan from Norton. Thank you very much for all the help. I am getting a uistub.exe dll failure window upon restarting, any ideas. This just started.
     
  18. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    Never mind, found answer on Norton's page.
     
  19. cball75

    cball75 TS Rookie Topic Starter Posts: 34

    Is there anything else I should do today?

    Thanks again.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Just let me know if you have any more issues pop up. Everything looks good from this end.

    Regards,

    BD
     
Topic Status:
Not open for further replies.
