I'm slowly dying, Isnotify, win??.tmp.exe, and others

rjenkins

I saw a similar post and ran the recommended tools: smitfraud, virtumundo, vundofix, look2me, as well as Trojan Hunter, Ad-Aware, Spybot, AVG and a slew of others.

They always find things to clean and they always come back. Mostly I get win???.tmp.exe and Pakes.U and Generic.WUE. I also get Isnotify, Issearch etc.

They are getting more and more aggressive. After trying to run virtumundo my system crashed and I could no longer start in Safe Mode. Please help, and thanks in advance!
 
Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Post fresh HJT and Ewido logs into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of rjenkins only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for replying! I ran the tools & uploaded the new HijackThis and Ewido reports. I did have a problem with the 2nd tool, virtumundo. When I ran it my system locked up. I did a hard boot into safe mode. However I couldn't get my desktop or any Windows functions to load. I was able to run the suggested tools out of the Task Manager window though (except virtumundo). Here's what I got!

So am I hopeless?
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Delete the files in Ewido quarantine.

Go to Add/Remove Programs in your control panel and uninstall anything to do with the following (if there):

Viewpoint\Viewpoint Manager
Symantec\LiveUpdate

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Automatic LiveUpdate Scheduler
LiveUpdate

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there):

ALCXMNTR.EXE
ViewMgr.exe
ALUSchedulerSvc.exe
LUCOMS~1.EX

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab

O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://vpn.wpi.edu/nortel_cacheable/NetDirect.cab

O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://vpn.wpi.edu/nortel_cacheable/iewiper.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab

O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\Program Files\Symantec

ALCXMNTR.EXE: search your system for this file and delete all instances of it.

C:\Program Files\Viewpoint

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Rename the HijackThis.exe file to HijackThis1991.exe. Run a fresh scan with HJT and post the log please. This is because new malware is hiding from HijackThis.exe, but not from Hijackthis1991.exe.

Regards Howard :)

This thread is for the use of rjenkins only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That`s better, now the nasties are revealed.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

O2 - BHO: (no name) - {69883F62-7202-4405-ABFF-6C7683730386} - C:\WINDOWS\system32\ddcya.dll

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)

O2 - BHO: MSEvents Object - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\urqpmki.dll (file missing)

O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll

O20 - Winlogon Notify: winyvo32 - C:\WINDOWS\SYSTEM32\winyvo32.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

These are the file paths you need to enter into Killbox.

C:\WINDOWS\SYSTEM32\winyvo32.dll

C:\WINDOWS\system32\ddcya.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of rjenkins only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
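As an added illustration (not part of this thread, and not code from HijackThis or any of the tools named here), the following Python helper applies the same reading of an HJT log that Howard uses above: it parses the `Oxx - Kind: detail` line format, flags entries whose target file no longer exists ("(no file)" / "(file missing)"), Winlogon Notify DLLs (the O20 entries), unnamed BHOs loading from system32, and Run entries that name a bare executable with no directory. The sample log is constructed from lines quoted earlier in this thread; the reason strings and function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: HJT-style lines copied from earlier posts in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {69883F62-7202-4405-ABFF-6C7683730386} - C:\WINDOWS\system32\ddcya.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""

# Section code, then the kind up to the first colon, then everything else.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<detail>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_line(line: str) -> Dict[str, object]:
    """Split one HJT line into section, kind, the ' - ' separated fields and the final target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = [f.strip() for f in m.group("detail").split(" - ")]
    return {"section": m.group("section"), "kind": m.group("kind").strip(),
            "fields": fields, "target": fields[-1]}


def assess(entry: Dict[str, object]) -> List[str]:
    """Return the reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons: List[str] = []
    if not entry:
        return reasons
    target = str(entry["target"])
    fields = entry["fields"]
    if any(target.endswith(mk) for mk in ORPHAN_MARKERS):
        reasons.append("orphan: points at a file that no longer exists")
    if entry["section"] == "O20":
        reasons.append("winlogon-notify: DLL loaded by winlogon.exe at logon (persistence used by Vundo)")
    if entry["section"] == "O2" and fields[0] == "(no name)" and "system32" in target.lower():
        reasons.append("unnamed BHO loading from system32")
    if entry["section"] == "O4" and "\\" not in target.split("] ", 1)[-1]:
        reasons.append("run entry names a bare file: find every copy on disk before deleting")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line in the log that raised at least one reason."""
    return [(ln.strip(), assess(parse_line(ln))) for ln in log.splitlines()
            if assess(parse_line(ln))]
```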
 
No joy with getting rid of the ddcya.dll file. After fixing with HijackThis it kept coming back (I was in Safe Mode). Using Killbox I got this message:
"PendingFileRemovalOpeartions Registry Data has been removed by External Process!" When trying to delete manually it said something was running which prevented me access to it.
 
This is one hell of a stubborn bugger.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
In case it says that nothing has been found, right click the list box (white box) in the main VundoFix window.
Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window.
In the window, copy and paste the following into the first field: C:\WINDOWS\system32\ddcya.dll
Click the “Add Files” button.
Click the "Close Window" button.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

See if that helps.

Post a fresh HJT log after doing the above.

Regards Howard :)

This thread is for the use of rjenkins only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Man, I feel bad making you work this hard but believe me when I say thanks. I don't have an option to run as a task. Only a scan and remove button. (the Look2me tool however has this box available)
 
Oh wait, I ran it again & it found it plus many of his friends. I'll try to get rid of 'em and post a new log.
 
It`s obviously a new version of Vundofix. Do the following.

Run vundofix and right click in the window, select add more files.

Copy and paste this into the top window box.

C:\WINDOWS\system32\ddcya.dll

Click the add files button. Click the close window button and click the remove vundo button.

See if that helps. If not, repeat the above, but after you`ve closed the window, click the scan for vundo button.

Post a fresh HJT log.

Regards Howard :)

EDIT: Just seen your last post.

I look forward to seeing your fresh HJT log.

This thread is for the use of rjenkins only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Ok, before I get giddy: it found it, rebooted and reran before anything was able to load. It found it again & this time was able to remove it. I ran a new HijackThis scan and saw it there, but this time it said "file missing". So I fixed it, ran HijackThis again & this is my post.
 
That`s excellent news.

Your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of rjenkins only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dude you're my hero. Who do I write to to recommend you for a raise? Seriously thanks for the rapid replies. I was expecting to have to wait days between posts. This was an enjoyable recovery!

Randy
 