Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Needing Professional help


  • Please log in to reply
10 replies to this topic

#1 WynApse

WynApse

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 01 May 2006 - 10:39 PM

I'm seeing some dlls on my wife's system that I'm unwilling to mess with unless told it's safe to do so, specifically awtqp.dll and ddccy.dll

She's getting popups that don't resolve to anything, but when they hit, she gets about 50-60 of them. Other than that, it seems to run fine.

You can see I've installed some things to try to test.. adAware only found cookies, AVG has been running all along, Stinger came up clean, Microsoft Anti SpyWare and Defender both like it. BHODemon sees them, but disabling them with it doesn't help, so after all that, here's the highjack this log...

Thanks a bunch in advance!

Logfile of HijackThis v1.99.1
Scan saved at 9:21:35 PM, on 5/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Pop Blocker\updatedl.exe
G:\Program Files\Dave\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINNT\system32\awtqp.dll
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINNT\system32\ddccy.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - G:\Program Files\Pop Blocker\Updated.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BHODemon 2.0.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft Office Workgroup Web Control - file://C:\Documents and Settings\cbyler\My Documents\My Webs\myweb1\common\wkgrpweb.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.5.815.0.dll (file missing)
O20 - Winlogon Notify: awtqp - C:\WINNT\system32\awtqp.dll
O20 - Winlogon Notify: ddccy - C:\WINNT\SYSTEM32\ddccy.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    Advertisements

Register to Remove


#2 WynApse

WynApse

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 01 May 2006 - 11:50 PM

Should I have done something more?

#3 WynApse

WynApse

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 02 May 2006 - 09:26 AM

Let me also say that I've looked far enough to figure out ddccy.dll appears to be associated with Vundo. I ran Symantec's cleaner on this machine 2 days ago, and it said Vundo was not on the machine... So that's why I'm asking for assistance! Thanks... -Dave

#4 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 03 May 2006 - 02:37 PM

Suffice it to say, Symantec's "Vundo Cleaner" leaves a little to be desired...

Please download VundoFix.exe from here:

VundoFix.exe

and save it to your desktop.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Double-click VundoFix.exe to run it.

Checkmark the box "Run Vundo as task"

You will receive a message saying vundofix will close and re-open in a minute or less. Click OK

When VundoFix re-opens, click the Scan for Vundo button

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click OK.

Turn your computer back on.

The fix will create a log in the following location C:\vundofix.txt

Please post it's contents, along with a new HijackThis! log, into this thread.
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#5 WynApse

WynApse

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 03 May 2006 - 02:57 PM

Thanks Micah... It didn't even cross my mind to look for another Vundo cleaner :( I'll do as you suggested when I get home tonight Thanks :) -Dave

#6 WynApse

WynApse

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 03 May 2006 - 07:18 PM

I clicked "Run ask Task", then OK on the message box, and it NEVER comes back! It's been 5 minutes and counting now... I'll reboot and try it again, but could maybe use some advice Thanks! -Dave

#7 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 03 May 2006 - 07:29 PM

Revised instructions:

1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click YES.
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will shutdown your computer, click OK.
7. Turn your computer back on.

Then post the logs as requested in my last post.
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#8 WynApse

WynApse

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 03 May 2006 - 08:25 PM

That worked like a champ...

I'll bow to your expertise, but it still looks like there's some crud in there...


VundoFix V4.2.73

Checking Java version...

Sun Java not detected
Scan started at 6:35:34 PM 5/3/2006

Listing files found while scanning....

C:\WINNT\system32\ddccy.dll

C:\WINNT\system32\pqtwa.bak1
C:\WINNT\system32\pqtwa.bak2
C:\WINNT\system32\pqtwa.tmp
C:\WINNT\system32\pqtwa.ini
C:\WINNT\system32\pqtwa.ini2
C:\WINNT\system32\awtqp.dll
C:\WINNT\system32\pqtwa.ini2
C:\WINNT\system32\pqtwa.bak2
C:\WINNT\system32\pqtwa.tmp
C:\WINNT\system32\pqtwa.ini
C:\WINNT\system32\pqtwa.ini2
C:\WINNT\system32\awtqp.dll
Attempting to delete C:\WINNT\system32\ddccy.dll
C:\WINNT\system32\ddccy.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pqtwa.bak1
C:\WINNT\system32\pqtwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\pqtwa.bak2
C:\WINNT\system32\pqtwa.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\pqtwa.tmp
C:\WINNT\system32\pqtwa.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\pqtwa.ini
C:\WINNT\system32\pqtwa.ini Has been deleted!

Attempting to delete C:\WINNT\system32\pqtwa.ini2
C:\WINNT\system32\pqtwa.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\awtqp.dll
C:\WINNT\system32\awtqp.dll Has been deleted!

Performing Repairs to the registry.
Done!


and HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:12:34 PM, on 5/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\Dave\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINNT\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - G:\Program Files\Pop Blocker\Updated.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BHODemon 2.0.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft Office Workgroup Web Control - file://C:\Documents and Settings\cbyler\My Documents\My Webs\myweb1\common\wkgrpweb.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.5.815.0.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

Thanks!

-Dave

#9 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 03 May 2006 - 08:47 PM

Nothing but a little "housecleaning" left to perform....

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This!
Click "Do a systen scan only".
Then "check" the box to the left of these item(s):

O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINNT\system32\awtqp.dll (file missing)

O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - (no file)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab

Then click "Fix checked" and close Hijack This!.

Reboot, and you should be "good to go".

:) :thumbup:

Post Infection Items To Ponder
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#10 WynApse

WynApse

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 03 May 2006 - 09:19 PM

Thanks a bunch, Micah, and everyone else here at TomCoyote...

That all appears to have worked!

:thumbup:

-Dave

#11 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 04 May 2006 - 04:26 PM

This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link

(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users