Thread: Newby Bombarded With Spyware Pop-ups
View Single Post
Old 04-30-2007, 07:39 AM   #7 (permalink)
Clark76
Analyst, Security Team ; Rangemaster, TSF Academy
 
Clark76's Avatar
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,650
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups
Apologizes for the delay in replying. I was unexpectedly occupied all day yesterday.


Quote:
One thing, when I did the HJT Scan I did not delete anything from the log it produced, should I have ??
No, at that point I simply wanted to see the log.

======================================================

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm the programs close.

======================================================

Before fixing anything, Please download the Suspicious File Packer --> http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\swkjhpnb.dll

Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site --> http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

=======================================================

I see you already have AVG Antispyware. You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

========================================================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following program (if it exists):

J2SE Runtime Environment 5.0 Update 3

=====================================================

Reboot

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

=====================================================

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)
O2 - BHO: (no name) - {308385CC-A3C9-4840-876A-A09D8361E824} - (no file)
O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\uipnaitx.dll (file missing)
O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - (no file)
O2 - BHO: (no name) - {F6F8094A-7159-400E-9BA3-0BA01D206126} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\swkjhpnb.dll",realset
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: hgghffc - hgghffc.dll (file missing)
O20 - Winlogon Notify: ssttu - C:\WINDOWS\System32\ssttu.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

=======================================================

Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\swkjhpnb.dll

=======================================================

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and reboot back into safe mode when prompted.

=======================================================

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware

======================================================

Reboot

Reboot your system in Normal Mode.

======================================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

=======================================================

Run Deckard's System Scanner (DSS) again
  1. Close all applications and windows.
  2. Double-click on DSS.exe to run it, and follow the prompts.
  3. When the scan is complete, one text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply.

=======================================================

Please provide the following logs with your next post:

AVG Anti-Spyware report
Kaspersky report
C:\Deckard\System Scanner\main.txt
new Hijackthis log

Also include an update on how your system is running
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
Last edited by Ried; 04-30-2007 at 08:10 AM.
Clark76 is offline