Still Infected after following instructions?


dslunceford

So, I followed all of the instructions here including the two embedded threads and everything went fine except I couldn't scan using Look2me, as it never restarted after checking the box to have it start as a task.

While my last AVG scan didn't pull anything back, I continue to get a notice from WinPatrol that an IE helper wants to be added to startup: c:\windows\system32\ddcyy.dll -- this was there from the start of my issues, along with a request to add IXT0.dll that seems to have gone away. I continue to deny ddcyy.dll to be added, but WinPatrol pulls it up every 30-45 seconds or so.

Attached is my HJT log. I am currently running Ewido again and will attach that log as well.

Any advice/direction would be appreciated, as my kids not only did this to one machine, but to a second as well (and I will have to start the entire process over on that machine).
 
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop from http://www.majorgeeks.com/downloadget.php?id=4954&file=10&evp=441f76946860196bd11870d8d721ed46

* Double-click VundoFix.exe to extract the files
* This will create a VundoFix folder on your desktop.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode:
  - Turn off System Restore.
  - Go to My Computer, Tools, Folder Options, View and click "Show all hidden files and folders".
  - Open the VundoFix folder and double-click on KillVundo.bat.
* You will first be presented with a warning. It should look like this:

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


* At this point press enter one time.
* Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

* At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINNT\System32\ddcyy.dll

* Press Enter to continue with the fix.
* Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:
* At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINNT\System32\yycdd.*
* Press Enter to continue with the fix.
* The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
* In HiJackThis, please place a check next to the following items and click FIX CHECKED:
O4 - Startup: WASTE.lnk = C:\Program Files\WASTE\WASTE.ex
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

* After you have fixed these items, close Hijackthis.
* Press enter to exit the program then manually reboot your computer.
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp! http://www.stevengould.org/software/cleanup/

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Turn System Restore back ON...
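The two paths KillVundo asks for above are not arbitrary: the Vundo DLL (ddcyy.dll) sits directly in System32 under a short random name, and its companion data files use the same name reversed (yycdd.*), which is why the second prompt takes a wildcard. The following script is an added example, not part of the original post or of VundoFix. It runs the same naming heuristic over constructed HijackThis-style "O2 - BHO" lines and a constructed System32 listing; the CLSID for ddcyy.dll, the filler BHO entries and the "4 to 6 lower-case letters" name test are assumptions made for illustration, not values from the thread.

```python
"""Triage of the Vundo (Virtumonde) file-naming pattern from a HijackThis log.

Added example, not code from the thread or from VundoFix.  Flags BHO DLLs
in System32 that (a) have no display name, (b) have a short random-looking
file name, and (c) have companion files whose base name is the DLL's base
name reversed (ddcyy.dll -> yycdd.ini, yycdd.bak1, ...).  All input below is
constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed HJT-style lines.  Only ddcyy.dll is taken from the thread; the
# CLSID next to it and the other entries are illustrative fillers.
HJT_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {A1B2C3D4-0000-4000-8000-0000000000AA} - C:\\WINDOWS\\system32\\ddcyy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [WinPatrol] "C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe"
"""

# Constructed System32 directory listing (file names only).
SYSTEM32_LISTING = [
    "kernel32.dll", "shdocvw.dll", "ddcyy.dll",
    "yycdd.ini", "yycdd.bak1", "yycdd.bak2", "yycdd.ini2",
    "ixt0.dll", "userinit.exe",
]

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)


@dataclass
class Finding:
    dll: str
    clsid: str
    reasons: List[str] = field(default_factory=list)
    companions: List[str] = field(default_factory=list)


def reversed_companions(dll_name: str, listing: List[str]) -> List[str]:
    """Files whose base name is the DLL's base name spelled backwards.
    For ddcyy.dll that is yycdd.* -- the second path KillVundo asks for."""
    base = dll_name.lower().rsplit(".", 1)[0]
    mirror = base[::-1]
    return sorted(f for f in listing if f.lower().rsplit(".", 1)[0] == mirror)


def triage(hjt_text: str, listing: List[str]) -> List[Finding]:
    """Return one Finding per BHO line that matches at least one heuristic."""
    findings = []
    for line in hjt_text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue  # not an O2 line
        path = m.group("path")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1]
        f = Finding(dll=dll, clsid=m.group("clsid"))
        if m.group("name").strip() == "(no name)":
            f.reasons.append("BHO registered without a display name")
        # Assumed heuristic: 4-6 lower-case letters, loaded straight from System32.
        if "\\system32\\" in path.lower() and re.fullmatch(r"[a-z]{4,6}\.dll", dll.lower()):
            f.reasons.append("short random-looking DLL name directly in System32")
        f.companions = reversed_companions(dll, listing)
        if f.companions:
            f.reasons.append("reversed-name companion files present")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, SYSTEM32_LISTING):
        print(f"{f.dll} ({f.clsid})")
        for r in f.reasons:
            print("  -", r)
        if f.companions:
            print("  companions:", ", ".join(f.companions))
```

On the constructed input only ddcyy.dll is reported, with all three reasons and the four yycdd.* companions; the legitimate BHOs are not in System32 and have no mirrored files, so they pass. The companion check is the useful part for the thread: the DLL alone is what WinPatrol keeps flagging, but leaving yycdd.* behind is what lets the infection come back.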
 
Hello and welcome to Techspot.

I can find nothing nasty in your HJT log.

However, the c:\windows\system32\ddcyy.dll is part of the Vundo infection and needs to be fixed.

Go HERE and follow the instructions.

Once you've done that, please let us know how your system is running.

Regards Howard
 
In response to Fastco: Thanks. Question about VundoFix: I did use it the first go around and it doesn't create a folder on the desktop with various files. Just redownloaded it from the link you posted and get the same thing: clicking on VundoFix.exe opens a program window that simply has a Scan for Vundo button and a Remove Vundo button to push. There's no folder with the ability to select a .bat file. What am I missing?
 
You're not missing anything, that's how it works.

If you look at the instructions on the Atribune site, you'll see there's no mention of creating folders etc.

Just go ahead and run the vundo fix as per the instructions on the Atribune site.

Then let us know if you still have the same problem.

Regards Howard :)
 
howard_hopkinso said:
Hello and welcome to Techspot.


Go HERE and follow the instructions.

Howard, same issue as I had with Look2Me, I select "run as task," but the app never re-opens.

Saved Vundo to Desktop, clicked run as task and then saw a second VundoFix.exe icon appear on the desktop, but nothing opens (this icon is just a typical Windows icon, not the VF icon Vundo uses for its exe file). If I click on the new icon I get an error message: "not a valid win32 application"
 
I think WinPatrol might be interfering with Vundo running... I just received 4 notes in a row (about how many times I just tried VundoFix) asking if it was OK to add VundoFix to the task scheduler. Should I exit WinPatrol? I'm assuming the ddcyy.dll will automatically be added to startup if I do, but hopefully it will allow VF to run properly.
 
Ok. Download the Pocket killbox programme from HERE.

Extract it, but don't run it yet.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

c:\windows\system32\ddcyy.dll

Once your system has rebooted, turn system restore back on.

Let us know if that helps.

Edit: yes exit winpatrol and run the vundo fix again.

Regards Howard :)
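Killbox's "delete file on reboot" option works the same way as MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: it appends the path to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, as a pair of strings (source, then an empty destination meaning "delete"), and Session Manager carries the deletion out early in the next boot, before a BHO such as ddcyy.dll can be loaded. The value only helps if it is still there at reboot, which is exactly the check Killbox performs and the error the next post reports. The script below is an added example, not part of the thread or of Killbox: it builds, encodes and decodes that value and checks whether a scheduled delete is still present. It works entirely on the value's contents with a constructed "current value", so it runs offline; reading the live key is deliberately left out. The byte layout used for the encoder is the layout assumed here for this particular value (each string NUL-terminated, empty strings allowed, one extra NUL at the end).

```python
"""PendingFileRenameOperations: how 'delete on reboot' is recorded, and how
to tell whether the entry survived until reboot.

Added example, not code from the thread, Killbox or Microsoft.  Works on the
value's contents only (constructed below); it never touches a real registry.
Path pairs: source, then destination; an empty destination means delete.
"""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"  # MoveFileEx stores Win32 paths in NT object-manager form


def schedule_delete(paths: List[str], existing: Optional[List[str]] = None) -> List[str]:
    """Append delete-on-reboot entries for `paths` to an existing multi-sz list."""
    ops = list(existing or [])
    for p in paths:
        ops.append(NT_PREFIX + p)  # source
        ops.append("")             # empty destination = delete at boot
    return ops


def _strip_prefix(s: str) -> str:
    return s[len(NT_PREFIX):] if s.startswith(NT_PREFIX) else s


def parse_ops(ops: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Flat multi-sz list -> [(source, destination-or-None), ...]."""
    if len(ops) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    return [
        (_strip_prefix(src), _strip_prefix(dst) or None)
        for src, dst in zip(ops[0::2], ops[1::2])
    ]


def encode_multi_sz(strings: List[str]) -> bytes:
    """Assumed on-disk layout: UTF-16LE, every string NUL-terminated (empty
    strings included), then one extra terminating NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps the empty 'destination' strings."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing list terminator")
    return text[:-1].split("\0")[:-1]


def still_scheduled(ops: List[str], path: str) -> bool:
    """True if a delete for `path` (case-insensitive, as NTFS is) is still queued.
    False is the situation Killbox reports as the value having been removed
    by an external process before the reboot happened."""
    want = path.lower()
    return any(src.lower() == want and dst is None for src, dst in parse_ops(ops))


if __name__ == "__main__":
    target = r"C:\WINDOWS\system32\ddcyy.dll"
    ops = schedule_delete([target])
    raw = encode_multi_sz(ops)
    print("queued:", parse_ops(decode_multi_sz(raw)))
    print("still scheduled before reboot?", still_scheduled(decode_multi_sz(raw), target))
    # Constructed: the value as found after something else cleared it.
    cleared: List[str] = []
    print("still scheduled after external clear?", still_scheduled(cleared, target))
```

The practical reading of the next post's error is then straightforward: Killbox wrote the pair, re-read the value, and found its entry gone, so no reboot would have deleted anything. Whatever is clearing the value is running in the same session, which is why the advice that follows is to get the interfering software out of the way and repeat the fix from Safe Mode.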
 
Having issues. Boot into safe mode and my desktop doesn't come up. Just black screen with the safemode notices at the corners. Have to ctl-alt-del to get tasks up and exit.

Tried to run killbox from regular Windows mode. Entered the path and deleted, with reboot checked. It starts checking the registry and then I get an error: "PendingFileRename Operations Registry Data Has been removed by External Process!" And no reboot occurs.

Should I allow WinPatrol to add the dll as an IE helper? Is that causing the error? And any idea as to why safe mode now doesn't work? I'm wondering if it has something to do with Windows Genuine, as the earlier file deletion work seems to have removed the genuine files I have. Though I can go to the genuine site and click through and have it approve, I still have the non-genuine star in the sys tray and an unknown error when it tries to validate on its own.
 
When you booted into safe mode, you did log on under your normal username and not the administrator, didn't you?

Yes, allow winpatrol to add the file as an IE helper.

Then post a fresh HJT log from normal mode.

Regards Howard :)
 
howard_hopkinso said:
When you booted into safe mode, you did log on under your normal username and not the administrator, didn't you?

Yes, allow winpatrol to add the file as an IE helper.

Then post a fresh HJT log from normal mode.

Regards Howard :)

Yes, I did log in to normal username. Also tried admin and had same thing -- no desktop. Really strange, as I had been in safe mode all day with the various other instructions...
 
OK, allowed WinPatrol to add the .dll as an IE helper. Tried safe mode again, and while the desktop didn't show up, brought up task manager and hit File then Run and browsed to open killbox. Received the same error as above after hitting delete. Also tried to run VF again and had the same issue, no restart of the program.
 
Your HJT log is clean.

By all means give the Symantec site a shot. BTW I can't get your link to work.

I'm starting to have my doubts about the Winpatrol programme. Maybe you should consider uninstalling it.

Regards Howard :)
 
Thanks for that.

Give it a shot and let us know the results. In fact you can post the log file if you wouldn't mind.

Regards Howard :)
 
howard_hopkinso said:
Thanks for that.

Give it a shot and let us know the results. In fact you can post the log file if you wouldn't mind.

Regards Howard :)

Symantec tool said Vundo not found, log attached; WinPatrol shows the .dll still there, however, and I just got a popup (I'm running FF and this is an Explorer window) stating:

Warning: Your computer may have critical errors in registry and file system!
These errors can lead to computer crashes, instability, slowness, and full system failure.

Immediate repair may be required.

To scan your computer for errors click the "Next" button below.
top bar shows http:\\scanner.sysprotect.com and toolbar stopped activex install of "spyprotectscannerinstall.cab"

new hjt log attached
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.htm

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

WinPatrol.

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for (if there):

WinPatrol.exe
WinPatrolEx.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm

O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
WinPatrolEx.exe

Reboot into normal mode and turn system restore back on.

Let us know the outcome please.


Regards Howard :)
 
Somehow, we need to get rid of that .dll file.

Try running the Atribune vundo fix again.

If that doesn't help, maybe you have some kind of new variant.

If that's the case, you could be in serious trouble, that requires a format to get rid of it.

I must admit, I'm running out of ideas right now.

I don't normally have any problem in getting someone's system clean, but in your case it's proving very difficult.

Regards Howard :)
 
howard_hopkinso said:
Somehow, we need to get rid of that .dll file.

Try running the Atribune vundo fix again.

Already ahead of you. Continued to get error with the file DL'd to desktop. It never restarted. Deleted that file and reverted to using another instance of VF in another folder and this time it restarted. Scanning now....

As it's 3:30 in the a.m. here and I've been at this since 9 a.m. yesterday, I may just let this scan do its thing and post back after some sleep. Thanks for the help...

EDIT: Done Searching Files No Infected found
 