Tech Support Forum - View Single Post

tetonbob · 02-23-2006, 08:45 PM

Can you please search for this file on your system, copy it to a compressed folder (zip file) and attach it to your next reply. It will help the author of one of the tools we will run. Do this before running the fix, please.

C:\WINDOWS\system32\ddcca.dll

Next...settle in, because this machine is fairly infected still.

This will take some time.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache

Delete Newsgroup Subscriptions

Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Windows Overlay Components
Double-click on it to open the Properties dialog.
- Under the General tab, note down the name of "Service name". We shall need it later.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in "Service name" & then click on the OK button

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SurfSideKick 3
WildTangent or WildTangentDriver<<<<WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\system32\ddcca.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\services.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [sys101952222850] C:\WINDOWS\sys101952222850.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinosai.exe CORN001
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinosai.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\guard.tmp (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll (file missing)
O21 - SSODL: WnncoyzcFx - {745C8E83-DEF6-2429-08CB-ED7683C44A13} - C:\WINDOWS\system32\bscb.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\czccdlo.exe (file missing)

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following Files/Folders if they exist:

c:\secure32.html
C:\Program Files\Jalmp
C:\Program Files\WildTangent
C:\WINDOWS\inet20002
C:\WINDOWS\system32\hpsw.exe
C:\Program Files\SurfSideKick 3
C:\WINDOWS\sys101952222850.exe
C:\WINDOWS\system32\owinosai.exe
C:\WINDOWS\system32\dcom_14.dll
C:\WINDOWS\system32\bscb.dll
C:\WINDOWS\czccdlo.exe

Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

Restart and run a new HijackThis scan. Save the log file and post it here.

Please return with logs from:

vundofix
Ewido
Panda
HJT

02-23-2006, 08:45 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,524 OS: 2000 Pro; XP Pro; XP Home	Can you please search for this file on your system, copy it to a compressed folder (zip file) and attach it to your next reply. It will help the author of one of the tools we will run. Do this before running the fix, please. C:\WINDOWS\system32\ddcca.dll Next...settle in, because this machine is fairly infected still. This will take some time. Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Download Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. NOTE Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility. Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will not create any backups!! Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Windows Overlay Components Double-click on it to open the Properties dialog. Under the General tab, note down the name of "Service name". We shall need it later. Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in "Service name" & then click on the OK button Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SurfSideKick 3 WildTangent or WildTangentDriver<<<<WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop ** Ewido scan would require at least an hour. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\system32\ddcca.dll O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20002\services.exe O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe" O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe O4 - HKLM\..\Run: [sys101952222850] C:\WINDOWS\sys101952222850.exe O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinosai.exe CORN001 O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinosai.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123 O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll O20 - Winlogon Notify: Run - C:\WINDOWS\system32\guard.tmp (file missing) O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll (file missing) O21 - SSODL: WnncoyzcFx - {745C8E83-DEF6-2429-08CB-ED7683C44A13} - C:\WINDOWS\system32\bscb.dll (file missing) O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\czccdlo.exe (file missing) Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following Files/Folders if they exist: c:\secure32.html C:\Program Files\Jalmp C:\Program Files\WildTangent C:\WINDOWS\inet20002 C:\WINDOWS\system32\hpsw.exe C:\Program Files\SurfSideKick 3 C:\WINDOWS\sys101952222850.exe C:\WINDOWS\system32\owinosai.exe C:\WINDOWS\system32\dcom_14.dll C:\WINDOWS\system32\bscb.dll C:\WINDOWS\czccdlo.exe Restart in normal mode. Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan Restart and run a new HijackThis scan. Save the log file and post it here. Please return with logs from: vundofix Ewido Panda HJT __________________ Practice Safe Surfing* PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009