
Thread: Log Assistance - 8:30pm EST, 9/1/07

  1. #11
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    In SAFE MODE I want you to run AVG again following these instructions;
    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine. (this includes cookies)
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop

    I also want you to Generate a Start Up listing using HiJackThis;
    In order to do this go into the Config option when you start HijackThis and then click on the Misc Tools button at the top.
    You will then click on the button labeled "Generate StartupList Log"
    the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste these entries into a message and submit it along with the new AVG scan log.

  2. #12
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by DrWebs:
    Btw, go Phils
    They're hanging in there despite the myriad of injuries this year!


    -- Do you know what this entry is?

    O4 - HKLM\..\Run: [gdccw] "C:\PROGRA~1\COMMON~1\SECURE~1\GDCcw.exe" -start


    -- In addition to what Judy requested, you can probably go ahead and do the following:
    Scan with HijackThis and Check the Boxes for the following, if they remain:

    O2 - BHO: MSVPS System - {F4CF814F-970F-405D-A42C-0CE06EB97373} - C:\WINDOWS\mxduo.dll

    O21 - SSODL: wmpdev - {0ADBCBB0-6816-4B76-BFC2-782D9814C633} - C:\WINDOWS\wmpdev.dll
    O21 - SSODL: wmphost - {11FB4783-C8C2-4D03-9BC8-79A67403D27D} - C:\WINDOWS\wmphost.dll

    Make sure All Browser Windows are Closed and then Click FIX.

    THEN:
    Please Boot to Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\mxduo.dll
    C:\WINDOWS\wmpdev.dll
    C:\WINDOWS\wmphost.dll

    You should have the Viewing of Hidden Files enabled as per the sticky thread instructions.
    Your logs are surprisingly clean, save for the baddie above. The items Judy requested will let us know more....

    Let us know if you have any trouble removing these.


    Cheers
    PP
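    As an added example (not code posted by anyone in this thread), here is a small Python parser for the three HijackThis line formats quoted above (O2 BHO, O4 Run, O21 SSODL), together with a watchlist built from the entries PP listed, so a helper can check a freshly posted log for those same items rather than reading it by eye. The sample log below is constructed from the lines in this thread plus one harmless Run entry; all function and variable names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the entries quoted in this thread plus one
# benign Run entry that should not be flagged.
SAMPLE_LOG = r"""O2 - BHO: MSVPS System - {F4CF814F-970F-405D-A42C-0CE06EB97373} - C:\WINDOWS\mxduo.dll
O4 - HKLM\..\Run: [gdccw] "C:\PROGRA~1\COMMON~1\SECURE~1\GDCcw.exe" -start
O21 - SSODL: wmpdev - {0ADBCBB0-6816-4B76-BFC2-782D9814C633} - C:\WINDOWS\wmpdev.dll
O21 - SSODL: wmphost - {11FB4783-C8C2-4D03-9BC8-79A67403D27D} - C:\WINDOWS\wmphost.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# CLSIDs and file names taken from the entries listed in this thread.
WATCHLIST_CLSIDS = {
    "{F4CF814F-970F-405D-A42C-0CE06EB97373}",
    "{0ADBCBB0-6816-4B76-BFC2-782D9814C633}",
    "{11FB4783-C8C2-4D03-9BC8-79A67403D27D}",
}
# Compared case-insensitively on the file name, so the 8.3 path
# C:\PROGRA~1\...\GDCcw.exe still matches.
WATCHLIST_FILES = {"mxduo.dll", "wmpdev.dll", "wmphost.dll", "gdccw.exe"}

CLSID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "O2 - BHO: <name> - {CLSID} - <path>" and "O21 - SSODL: <name> - {CLSID} - <path>"
O2_O21_RE = re.compile(r"^(O2|O21) - (BHO|SSODL): (.*?) - (" + CLSID_RE + r") - (.+)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")


@dataclass
class Entry:
    kind: str             # "O2", "O4" or "O21"
    name: str             # BHO/SSODL display name, or the Run value name
    clsid: Optional[str]  # only for O2/O21 entries
    path: str             # file the entry points at
    raw: str              # original log line


def executable_from_command(command: str) -> str:
    """Return the executable path from a Run command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT log line of type O2, O4 or O21; other lines return None."""
    line = line.strip()
    m = O2_O21_RE.match(line)
    if m:
        kind, _, name, clsid, path = m.groups()
        return Entry(kind, name, clsid.upper(), path.strip(), line)
    m = O4_RE.match(line)
    if m:
        _hive, _key, value_name, command = m.groups()
        return Entry("O4", value_name, None, executable_from_command(command), line)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_watchlisted(entries: List[Entry]) -> List[Entry]:
    """Return the entries whose CLSID or file name is on the watchlist."""
    return [
        e for e in entries
        if (e.clsid is not None and e.clsid in WATCHLIST_CLSIDS)
        or basename(e.path) in WATCHLIST_FILES
    ]


if __name__ == "__main__":
    for hit in find_watchlisted(parse_log(SAMPLE_LOG)):
        print(f"{hit.kind:<3} {hit.name:<14} {hit.path}")
```

    Run against the constructed sample it reports the four entries from this thread and ignores the ctfmon.exe line; pointing `parse_log` at a saved hijackthis.log instead of `SAMPLE_LOG` gives the same check on a real log.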

  3. #13
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    After doing what I requested, Please follow the instructions given by PP

    O4 - HKLM\..\Run: [gdccw] "C:\PROGRA~1\COMMON~1\SECURE~1\GDCcw.exe" -start
    I "think" after searching for several days I may have found this same entry on a German anti-malware forum. Had to use BabelFish to translate but I believe this may be SecurePCCleaner another form of the rogue spyware remover Ultimate Cleaner. Just found this this evening after looking for info on this file since the first HJT log. From what I have found, and now have found several links, all are dated AFTER August 17, 2007. Alas, none of them give a removal instruction, just what it is.

  4. #14
    Join Date
    Sep 2007
    Posts
    7
    For some reason I thought I put that in the first post, but like an idiot I didn't. Assuming the Ultimate Cleaner pop ups were a scam I ignored them, but I couldn't take the constant pop ups and bit on the Secure PC Cleaner one. Ran the scan, it obviously fixed nothing and I knew I was screwed. I immediately tried to remove it, but I doubt it's all gone. I just ran the AVG scan again before quarantining the detected, and checking to save a report after every scan. For whatever reason I rebooted w/o actually saving the report as a separate .txt file, and when I looked at the reports tab, the only one I see was from the other day. I'll try and get the rest of your requests done by tomorrow morning. Sorry for my ineptitude

    -DRWebs

  5. #15
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by DrWebs:
    For some reason I thought I put that in the first post, but like an idiot I didn't. Assuming the Ultimate Cleaner pop ups were a scam I ignored them, but I couldn't take the constant pop ups and bit on the Secure PC Cleaner one. Ran the scan, it obviously fixed nothing and I knew I was screwed. I'll try and get the rest of your requests done by tomorrow morning. Sorry for my ineptitude
    No worries - it was my fault. I read the post but never made the connection . . . I'm slipping in my old age.

    Anyhoo, see if you are able to uninstall Ultimate Cleaner via Add/Remove Programs. We'd like to remove that one cleanly, if possible, rather than ripping it out with brute force.

    My first instinct with this was Vundo - looks similar to what we have seen from the Vundo family of trojans in the past. Heck, it may well be Vundo - I've been away from malware for a while and I'm not on top of it like I used to be....
    Judy is much more up to date on the baddies than I these days.

    -- Let us know if you have any problems with the removal.

    Cheers
    PP

  6. #16
    Join Date
    Sep 2007
    Posts
    7
    -- In addition to what Judy requested, you can probably go ahead and do the following:
    Scan with HijackThis and Check the Boxes for the following, if they remain:

    O2 - BHO: MSVPS System - {F4CF814F-970F-405D-A42C-0CE06EB97373} - C:\WINDOWS\mxduo.dll

    O21 - SSODL: wmpdev - {0ADBCBB0-6816-4B76-BFC2-782D9814C633} - C:\WINDOWS\wmpdev.dll
    O21 - SSODL: wmphost - {11FB4783-C8C2-4D03-9BC8-79A67403D27D} - C:\WINDOWS\wmphost.dll

    Make sure All Browser Windows are Closed and then Click FIX.

    THEN:
    Please Boot to Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\mxduo.dll
    C:\WINDOWS\wmpdev.dll
    C:\WINDOWS\wmphost.dll
    This may be a stupid question, but how do I navigate to the bottom three files you posted? Just find them through My Computer and then delete them that way?

    Good news, the report was saved but don't know why it didn't show up at first. For some reason I can view it in Safe Mode, but not here. I just went ahead and saved it again. As for removing the Secure Cleaner, I guess I did it already. Not sure if anything else looks fishy. Everything new is attached as usual.

    -DRWebs
    Last edited by DrWebs; 09-05-2007 at 12:18 AM.

  7. #17
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    This may be a stupid question, but how do I navigate to the bottom three files you posted? Just find them through My Computer and then delete them that way?
    No question is stupid.
    Hate to tell you, but according to your AVG scan "No action taken" shows on everything, and the nasties we want to get rid of are not showing at all.
    I think it is time, after you run the VundoFix as instructed, save the log of course and post it here.
    But AFTER that, I think we are going to have to try to apply some of that "ripping it out with brute force" that PP mentioned.

    Please print out these instructions so that you will have them to refer to....

    I want you to download Pocket Killbox.
    When you start the download you will get a box with the choices Open, Save, or Cancel. Choose SAVE.
    I suggest you go with saving this to the desktop, so click the 'Desktop' button on the left of the next window, leave the filename as default and click the SAVE button.

    That will leave an icon on your desktop - double click that icon (Killbox.zip).

    A new window will open, choose the 'Extract all files' button on the left.

    This will start the Extraction Wizard in Windows XP.

    Select a place for it to extract to - or use the default which is the same folder the zip file is in (The desktop) with a folder name the same as the zip's file name (Killbox).

    Then click Next.

    With WinXP it will tell you when fully extracted with a window which says Extraction Complete.

    Leave the check mark in 'Show extracted files'; it will open a window of the folder just created next. Then click Finished.

    Once the files are extracted you will see the killbox.exe icon which is a Red Circle with a White X in the middle.

    You can now double click the 'killbox.exe' icon to start the program.


    If your security settings are set correctly a window will pop up to warn of this program's start - for you to agree or not.

    UNCHECK the 'Always ask before opening this file' and click Run to allow it to start (and not give this security warning in future.)


    Now you are going to use the Delete on Reboot kill and you are going to delete multiple files. Follow these instructions;

    You are going to request the files be deleted on the next reboot, so please put a dot in the Delete on Reboot position, which is the second choice down.

    In the window where it says Full Path of File to Delete type or copy the following and be sure you do it exactly;

    C:\PROGRAM FILES\COMMON FILES\SECUREPCCLEANER\GDCcw.exe

    It will provide a window for you to confirm the delete. Click Yes.
    Next it will ask if you now wish to reboot. Since you have more files to delete at the same time, say NO -

    Now continue with the next files one at a time. Each time you will follow the procedure above. Here are the rest of the files you must enter in the box, exactly as written here;

    C:\WINDOWS\mxduo.dll

    C:\WINDOWS\wmpdev.dll

    C:\WINDOWS\wmphost.dll


    Once you have entered that last file name (there should be four total), say YES and let the system reboot and delete the files.

    Once you have run Killbox and the system has rebooted I want you to run a new Kaspersky scan and save the log. Then run a new HJT scan and save the log.

    Post back here with the VundoFix log, the new Kaspersky log and the new HJT log.
