Unknown Infection Asking to Download Software

Status
Not open for further replies.

Jacal

Hey people, I haven't been here for a while, school and everything.

My dilemma is that a friend of mine's computer is having some sort of infection taking place. I directed them to your site and to follow the steps in your virus (etc.) / removal process and further instructed them to call after they had finished. I am not sure as to whether or not they posted the requested logs, but they called me saying that some viruses were still affecting their machine. I have run McAfee VirusScan and an AVG Anti-Spyware scan and either quarantined or deleted whatever was found, but the machine is still getting some pop-ups leading to the same site over and over again telling them to download some software. If I try to change the IE home page it automatically changes back to the page that the pop-up message is saying they should go to.

Antispyware logs and HJT logs are attached.
 
Without seeing the proper log files, it's impossible for me to do very much.

HJT is being run from the wrong location, see HERE. Make sure you place HJT in the correct directory, before running the fix below.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: The bbrsep - {422CA3AF-86F1-4607-88E2-BBBD4E9371EB} - C:\WINDOWS\bonsws.dll (file missing)

O8 - Extra context menu item: &Search - ?p=ZU

O21 - SSODL: ddkret - {C32322F4-4ACD-470B-B332-F2BF2D2DEE4D} - C:\WINDOWS\ddkret.dll

O21 - SSODL: nopctrl - {1A976C8C-7AC3-409B-BCEA-39AC8808BAD5} - C:\WINDOWS\nopctrl.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\WINDOWS\ddkret.dll
C:\WINDOWS\nopctrl.dll

Reboot into normal mode and rehide your protected OS files.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of Jacal only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Go to add/remove programmes in your control panel and uninstall anything to do with the following (if there).

RichVideoCodec
CyberDefender

Close control panel.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\nopctrl.dll
C:\WINDOWS\ddkret.dll
C:\WINDOWS\sawkip.exe
C:\WINDOWS\nsreg.dat
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\iun6002.exe
C:\WINDOWS\bonsws.dll
C:\WINDOWS\system32\NETSVCS.EXE

Folder::
C:\WINDOWS\privacy_danger
C:\Program Files\RichVideoCodec
C:\Program Files\CyberDefender

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{422CA3AF-86F1-4607-88E2-BBBD4E9371EB}"=-
[-HKEY_CLASSES_ROOT\clsid\{422ca3af-86f1-4607-88e2-bbbd4e9371eb}]
[-HKEY_CLASSES_ROOT\bonsws.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2261B65D-0A17-4194-B2F6-E191E6D6618D}]
[-HKEY_CLASSES_ROOT\bonsws.ToolBar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberDefender Early Detection Center"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ddkret"=-
"nopctrl"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4831543c-e097-11db-843f-000c769191c0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4831543c-e097-11db-843f-000c769191c0}]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

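After running the HJT fix and the ComboFix script above, a practitioner usually wants an independent check that the listed items are actually gone before declaring the machine clean. The script below is an added example, not part of this thread and not ComboFix or HijackThis code; it only reads and reports, it deletes nothing. It assumes the same file paths, registry keys, value names and CLSIDs quoted in Howard's two posts above, and it assumes it is run in an elevated PowerShell session on the affected machine (the thread's XP-era tools predate PowerShell, so this is a modern substitute for eyeballing a fresh HJT log).

```powershell
# Added example (not from the thread): report which of the items listed for
# removal are still present. Read-only: it never deletes or modifies anything.
# Every path, key, value name and CLSID below is quoted from the thread.

$files = @(
    'C:\WINDOWS\nopctrl.dll',
    'C:\WINDOWS\ddkret.dll',
    'C:\WINDOWS\sawkip.exe',
    'C:\WINDOWS\nsreg.dat',
    'C:\WINDOWS\system32\rightonadz-uninst.exe',
    'C:\WINDOWS\iun6002.exe',
    'C:\WINDOWS\bonsws.dll',
    'C:\WINDOWS\system32\NETSVCS.EXE',
    'C:\WINDOWS\privacy_danger',
    'C:\Program Files\RichVideoCodec',
    'C:\Program Files\CyberDefender'
)

# Registry values to look for: key, value name, and why each one matters.
$values = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Name = 'ddkret';  Why = 'O21 SSODL entry: DLL loaded every time Explorer starts' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Name = 'nopctrl'; Why = 'O21 SSODL entry' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
       Name = '{422CA3AF-86F1-4607-88E2-BBBD4E9371EB}'; Why = 'O3 toolbar registration for bonsws.dll' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'CyberDefender Early Detection Center'; Why = 'HKCU Run autostart' }
)

# Whole keys the CFScript deletes (the [-HKEY_...] lines).
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{422CA3AF-86F1-4607-88E2-BBBD4E9371EB}',
    'Registry::HKEY_CLASSES_ROOT\bonsws.ToolBar',
    'Registry::HKEY_CLASSES_ROOT\bonsws.ToolBar.1',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{2261B65D-0A17-4194-B2F6-E191E6D6618D}'
)

$findings = @()

foreach ($p in $files) {
    # -LiteralPath so braces and other odd characters are not treated as wildcards
    if (Test-Path -LiteralPath $p) { $findings += "STILL PRESENT (file/folder): $p" }
}

foreach ($v in $values) {
    if (Test-Path -LiteralPath $v.Key) {
        $item = Get-ItemProperty -LiteralPath $v.Key -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.PSObject.Properties[$v.Name]) {
            $findings += "STILL PRESENT (value): $($v.Key)\$($v.Name) -- $($v.Why)"
        }
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "STILL PRESENT (key): $k" }
}

# The hijacked R0 start page: flag it if it still points at the pop-up site.
$main = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($null -ne $main -and $main.'Start Page' -like '*softwarereferral.com*') {
    $findings += "STILL PRESENT (IE Start Page): $($main.'Start Page')"
}

if ($findings.Count -eq 0) {
    'No listed indicators found.'
} else {
    $findings
}
```

Because the check is read-only, it is safe to run before and after the fix; the "before" run doubles as confirmation that the HJT log entries correspond to real on-disk and registry state (the O3 line for bonsws.dll, for instance, says "file missing", so the toolbar CLSID and TypeLib keys are the parts you expect to find, not the DLL itself).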
 
All clean.

Click start/run and type combofix /u into the run box and hit the enter key. That should delete Combofix and all its folders etc.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Go HERE, download and install the latest version of Java.

Once it's installed, go to add/remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)
