Logs Attached, Don't think I'm debugged Yet.

Status
Not open for further replies.

Diamondente

Antirootkit scan came back clean. Nothing found.

Other logs attached. Please advise where to go from here. Thank you for your help.

I have followed all the preliminary steps, which brings me here to attach my logs. Thank you.
 
Hello and welcome to Techspot.

I have followed all the preliminary steps

Not so.

All items in your AVG Antispyware log say "No Action Taken". That's because you haven't told AVG Antispyware to quarantine its results as per the instructions. See this pictorial guide.

Also, you have attached a VBG.txt log, which isn't requested, and you haven't attached a Combofix log, which is requested.

Please post the requested log files.

Regards Howard :wave: :wave:

This thread is for the use of Diamondente only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thank you.

I don't know why I uploaded the wrong log. I had the combofix.txt file sitting on my desktop. I ran it again anyway.

AVG to follow in a few hours. However, when I look at it, it IS set to quarantine... because I had followed those instructions. I didn't follow 17 steps and take all day to do them incorrectly :haha:
 
Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\vtrrpm.dll
c:\windows\system32\ddccded.dll
Folder::
C:\VundoFix Backups
C:\PROGRA~1\IWINGA~1
C:\Program Files\AWS
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B952FB-47D7-4C22-B7A6-A52364B2B5C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86457b37-be84-47dc-a1c6-f2618e6870cc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18a190a2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mscS32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\ddccded.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

 
Howard:

I will do that as soon as AVG is done running again. Then I will post all 3 logs together... new combofix, fresh HJT and the AVG. :)

Thank you for your help.

Here are the new, correct logs :)

Combofix re-ran with the text you gave me...it went through many many more 'stages' than it did originally.

Thank you for your help.

oops. Uploading HJT in .txt format.
 
Delete all files in AVG Antispyware quarantine.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - Global Startup: AutorunsDisabled

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab

O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyclick.com/Download_Helper/fsloader_v3.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab

O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinner.com/games/v49/haunted/haunted.cab

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab

O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v42/paint/paint.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab

O16 - DPF: {F5692A44-3746-4CAE-BAEB-10FB33E38DD4} (VMSwitcher Class) - http://www.seeyouagainsoftware.com/shared/cands.cab

O20 - AppInit_DLLs: c:\windows\system32\ddccded.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

c:\windows\system32\ddccded.dll
C:\qoobox

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)
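
As an added example (not part of the thread, and not HijackThis's own logic): a small Python triage pass over HijackThis entries like the ones listed in the post above. The flagging rules and reason names are assumptions chosen for illustration; the sample lines are copied from the post.

```python
import re

# Lines copied from the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - AppInit_DLLs: c:\windows\system32\ddccded.dll
O20 - Winlogon Notify: mscS32 - C:\WINDOWS\
"""
LINE_RE = re.compile(r"^(O\d+) - ([^:]+):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_line(line):
    """Split 'O<n> - <type>: <detail>' into fields; None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    clsid = CLSID_RE.search(m.group(3))
    return {"section": m.group(1), "kind": m.group(2).strip(), "detail": m.group(3).strip(),
            "clsid": clsid.group(0).upper() if clsid else None}

def reasons_for(entry):
    """Review heuristics assumed for this example, not HijackThis's own logic."""
    reasons = []
    detail = entry["detail"].lower()
    if detail.endswith(("(no file)", "(file missing)")):
        reasons.append("orphaned")         # registration points at a missing file
    if entry["section"] == "O16" and detail.endswith("-"):
        reasons.append("no-source-url")    # ActiveX entry with no download URL
    if entry["kind"] == "AppInit_DLLs" and detail:
        reasons.append("appinit-dll")      # DLL loaded into every process using user32.dll
    if entry["kind"] == "Winlogon Notify":
        reasons.append("winlogon-notify")  # notification DLL loaded by winlogon.exe
    return reasons

def triage(log_text):
    """Return (section, identifier, reasons) for every entry worth a manual look."""
    flagged = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        reasons = reasons_for(entry)
        if reasons:
            flagged.append((entry["section"], entry["clsid"] or entry["detail"], reasons))
    return flagged

if __name__ == "__main__":
    for section, ident, reasons in triage(SAMPLE_LOG):
        print(f"{section:4} {ident}  <- {', '.join(reasons)}")
```

A flag here only marks an entry for manual review; whether to fix it still depends on knowing what the registered component is.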

 
We need to temporarily disable Spybot Search & Destroy's tea time, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Now, follow the instructions in my post above and post a fresh HJT log when done.

Regards Howard :)

 
Ok. Trying again :)

Also, as an aside...Since I followed the 15+ steps yesterday..My spybot S&D doesn't load in the sys tray any longer. Any idea why?
 
Temporarily uninstall SS&D.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {53B952FB-47D7-4C22-B7A6-A52364B2B5C3} - (no file)

O2 - BHO: (no name) - {86457b37-be84-47dc-a1c6-f2618e6870cc} - (no file)

O2 - BHO: (no name) - {8CA5ED52-F3FB-4414-A105-2E3491156990} - (no file)

O20 - Winlogon Notify: mscS32 - C:\WINDOWS\

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\WINDOWS\system32\mscS32.dll

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Your HJT log is now clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Go HERE, download and install the latest version of Java.

Once it's installed, go to add remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.

Reinstall SS&D.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thank you very much for all your time and attention to this matter.

It is greatly appreciated :)

BTW, I am unable to uninstall the instances of Java in Add/Remove programs. There is no add/remove button there. For any programs I've had, there are no remove buttons. They have all disappeared.
 
Thank you for the response. I tried this, but none of the programs are listed there. (the ones with the missing buttons..)

Thank you again for your help :) Much appreciated.
 
Are you saying you have no add/remove programme options in your add remove programmes applet?

If so, try doing a Windows repair as per this thread HERE.

Regards Howard :)

 
No. I have SOME programs in Add/Remove that have the option of being removed. Other programs (a large majority of them) have no remove/change button at all.

When I followed the regedit instructions, the programs I need to remove (i.e., old Java) are not there. In fact, the only programs showing in the Regedit list are the programs which DO have the add/remove button in control panel.

Whew..It sounds more complicated than it is. I hope this made some sense!
 
Yes, that makes sense.

If your only problem is the old version of Java, I suggest you just install the latest version and forget about the old version.

Regards Howard :)

 
Ok. Good.
I installed the newest version per your instructions last night..but was unable to remove the older version(s). Now I don't have to remove them, I won't stress about it any longer.

Thank you again for all of your assistance!

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else will be ignored.
 