Thread: Crazy Popups and Spyware now no Desktop
View Single Post
Old 05-10-2007, 09:10 PM   #3 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,594
OS: 2000 Pro; XP Pro; XP Home


Re: Crazy Popups and Spyware now no Desktop
Quote:
Is a little better since the beginning, but I'd like to make sure I can get rid of all my problems, then format my harddrive.
If you format, all your problems should be resolved, assuming you save all data you want and have all drivers you need ahead of time. There would be no need to fix anything, as format, killdisk, and clean install means all is wiped from the disk.

This does, seem like a fixable situation, should you want to try to clean the machine and not format. However, there is sign of some backdoor infections, so you may want to format instead of cleaning. If you choose format, cleaning is really unneccessary.

If you decide you want to try to clean...here's what to do:

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------



Download combofix.exe to your desktop.


* IMPORTANT !!! Place it on your Desktop. We'll use this shortly.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial

Run ComboFix

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\combofix.exe" /v winrvc32
When finished, it shall produce a log for you. Post that log in your next reply, at the end of this fix.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {20C18254-E44C-468D-B564-C0C80AABF138} - C:\WINDOWS\system32\ddcca.dll (file missing)
O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O4 - Startup: .protected
O4 - Global Startup: .protected
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\lt0027dmg.dll (file missing)

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Run HijackThis again, and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please post logs from:

ComboFix(C:\ComboFix.txt)
SmitfraudFix(C:\rapport.txt)
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 05-10-2007 at 09:13 PM.
tetonbob is offline