Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

hijackthis log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

hijackthis log

Unread postby paugey » November 5th, 2005, 3:24 pm

(thanks in advance!!)


Logfile of HijackThis v1.99.1
Scan saved at 12:36:49 PM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\ddcyx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
paugey
Active Member
 
Posts: 3
Joined: November 5th, 2005, 3:20 pm
Advertisement
Register to Remove

Unread postby Noviciate » November 5th, 2005, 4:08 pm

I am in the process of reviewing your log - I will post a reply as soon as I am able.
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Unread postby Noviciate » November 5th, 2005, 4:12 pm

IMPORTANT

Anti-Virus.
You log does not show an anti-virus program installed - this leaves your PC at increased risk of infection.
There are a couple of free anti-virus programs available.
AVG 7: Available here.
Avast: Available here.

While you can download both to see which one you prefer, only install one at a time - running two or more anti-virus programs simultaneously can cause conflicts resulting in less, not more, protection.

Firewall

Your log doesn't show a firewall installed - this also leaves your PC at increased risk of infection.
If you are using the firewall that comes with Service Pack 2, you should replace it. It doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
There are a couple of free firewalls available.
Zone Alarm: Available here.
Sygate: Available here.

Again, while you can download both to see which one you prefer, only install one at a time - running two or more firewalls simultaneously can cause conflicts resulting in less, not more, protection.

--------------------------------------------------------------------------------------------------------------

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or 'Copy and Paste' them into Notepad.

Preparation

1) Download VundoFix.exe from here and save it to your Desktop.
Double click VundoFix.exe to extract the files.
In the 'VundoFix Setup' window, click on Install and then Close - This will create a folder called VundoFix on your Desktop.

IMPORTANT
If you already have a copy of VundoFix on your PC, please delete it and download a new copy. This file may have been updated since you downloaded your copy.

2) You will need to know how to boot into Safe Mode.
Instructions can be found here.

3) Log off from the internet and disconnect your modem cable.

IMPORTANT
Some real-time protection programs may warn you of a possibly malicious script being detected when you run VundoFix. Please allow it to run - it is necessary to complete the fix. Alternatively, disable any script blocking software you have running before you start.

Removal

1) Boot into Safe Mode.

2) Open the VundoFix folder and double click on KillVundo.bat

3) You will first see:
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

Press <ENTER> to continue with the fix.

4) Next you will see:
Please Type in the filepath as instructed by the forum staff
and then press enter:

Please type the following file path, making sure to enter it exactly as below:

    C:\WINDOWS\system32\ddcyx.dll
Press <ENTER> to continue with the fix.

5) Next you will see:
Please type in the second filepath as instructed by the forum
staff then press enter:

Please type the following file path, making sure to enter it exactly as below:

    C:\WINDOWS\system32\xycdd.*

Press <ENTER> to continue with the fix.

6) The fix will run then HijackThis will open - if it does not open automatically, you will need to open it yourself.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\ddcyx.dll

O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll


Then click on Fix checked

7) After you have fixed these items, close Hijackthis and press <ENTER> to exit the program.

8) Reboot your PC.

9) Reconnect your modem cable and run the following online scan: Panda ActiveScan.

**Please note that IE is required to run this scan**

Copy and paste the result of the above scan into your next reply along with the vundofix.txt file from the VundoFix folder, a fresh HJT log AND a description of how your PC is running.
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

results

Unread postby paugey » November 5th, 2005, 6:23 pm

thank you for your speedy reply. here are the results of the scans.


******PANDA******

Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0


********VUNDO FIX*********

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\ddcyx.dll

The second filepath entered was C:\WINDOWS\system32\xycdd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 144 'smss.exe'

Killing PID 900 'explorer.exe'
Killing PID 900 'explorer.exe'


Killing PID 220 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\ddcyx.dll Deleted sucessfully.
C:\WINDOWS\system32\xycdd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


******HIJACKTHIS******

Logfile of HijackThis v1.99.1
Scan saved at 4:21:57 PM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
paugey
Active Member
 
Posts: 3
Joined: November 5th, 2005, 3:20 pm

Unread postby Noviciate » November 5th, 2005, 6:30 pm

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\ddcyx.dll (file missing)

O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

As long as all goes well with the above, run your PC as normal for a few days. When you are happy that everything is fine, do the following:

Update your anti-virus program,
Disable System Restore,
Boot into Safe Mode,
Scan your computer for viruses.
When you get the all clear, reboot into Normal Mode.
Re-enable System Restore,
Create a Restore Point.
This will give a clean Restore Point should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

If you have any questions/problems then please post them.
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

all clear!!

Unread postby paugey » November 13th, 2005, 1:27 am

thank you very much for your help. i'm back running smoothly again.
paugey
Active Member
 
Posts: 3
Joined: November 5th, 2005, 3:20 pm

Unread postby Noviciate » November 13th, 2005, 3:22 pm

:)
User avatar
Noviciate
MRU Master
MRU Master
 
Posts: 6282
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Unread postby Nellie2 » November 25th, 2005, 7:12 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 36 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware