Ddccd.dll ?



wolfgang
2006-04-21, 22:51
In system startup I just found a new value "ddccd" / command line "ddccd.dll"
as "system.ini".

Here is a log:
Logfile of HijackThis v1.99.1
Scan saved at 21:46:00, on 21.04.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\SYSTEM32\3cshtdwn.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\cidaemon.exe
C:\Dokumente und Einstellungen\Schink1\Eigene Dateien\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = -
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINNT\system32\ddccd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKCU\..\Run: [Registry Optimierer] C:\Programme\Registry Optimierer\RegOptimierer.exe /d
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D9D7395-1D9D-499D-9EA4-B5F26EC58A57}: NameServer = 195.182.110.132 62.134.11.4
O20 - Winlogon Notify: ddccd - C:\WINNT\SYSTEM32\ddccd.dll
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

Is it spyware?

illukka
2006-04-21, 23:00
hi

I think so, if not worse...


Please download ewido anti-malware (http://www.ewido.net/en/download/); it is a free version of the program.
Install ewido security suite.
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

Reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


Then launch ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti malware.

Reboot back to normal mode, post the ewido report and a log from a fresh HJT scan.

wolfgang
2006-04-21, 23:20
Please, can I get more information about my malware?

What is the name of my malware?

What is "DDCCD.DLL"?

Is there another way to delete it without the software?

Wolfgang

illukka
2006-04-21, 23:58
hi

Yes, there is.
It's just that there likely is something that is not visible in a HijackThis log.


Also I don't see an antivirus running. I see no firewalls, I see no antispyware or other security programs :o

Download ewido, scan in safe mode with it removing all infected files, then save the report and post it here along with a new HijackThis log.

wolfgang
2006-04-22, 00:49
I think I just found a solution:

Here is a txt file:


[04/21/2006, 23:27:47] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Schink1\Desktop\VirtumundoBeGone.exe" )
[04/21/2006, 23:28:05] - Detected System Information:
[04/21/2006, 23:28:05] - Windows Version: 5.0.2195, Service Pack 4
[04/21/2006, 23:28:05] - Current Username: Wolfgang (Admin)
[04/21/2006, 23:28:05] - Windows is in SAFE mode with Networking.
[04/21/2006, 23:28:05] - Searching for Browser Helper Objects:
[04/21/2006, 23:28:05] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/21/2006, 23:28:05] - BHO 2: {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} ()
[04/21/2006, 23:28:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/21/2006, 23:28:05] - Checking for HKLM\...\Winlogon\Notify\ddccd
[04/21/2006, 23:28:05] - Found: HKLM\...\Winlogon\Notify\ddccd - This is probably Virtumundo.
[04/21/2006, 23:28:05] - Assigning {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} MSEvents Object
[04/21/2006, 23:28:05] - BHO list has been changed! Starting over...
[04/21/2006, 23:28:05] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/21/2006, 23:28:05] - BHO 2: {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} (MSEvents Object)
[04/21/2006, 23:28:05] - ALERT: Found MSEvents Object!
[04/21/2006, 23:28:05] - Finished Searching Browser Helper Objects
[04/21/2006, 23:28:05] - *** Detected MSEvents Object
[04/21/2006, 23:28:05] - Trying to remove MSEvents Object...
[04/21/2006, 23:28:06] - Terminating Process: IEXPLORE.EXE
[04/21/2006, 23:28:06] - Terminating Process: RUNDLL32.EXE
[04/21/2006, 23:28:06] - Disabling Automatic Shell Restart
[04/21/2006, 23:28:06] - Terminating Process: EXPLORER.EXE
[04/21/2006, 23:28:06] - Suspending the NT Session Manager System Service
[04/21/2006, 23:28:06] - Terminating Windows NT Logon/Logoff Manager
[04/21/2006, 23:28:06] - Re-enabling Automatic Shell Restart
[04/21/2006, 23:28:06] - File to disable: C:\WINNT\system32\ddccd.dll
[04/21/2006, 23:28:06] - Renaming C:\WINNT\system32\ddccd.dll -> C:\WINNT\system32\ddccd.dll.vir
[04/21/2006, 23:28:06] - File successfully renamed!
[04/21/2006, 23:28:06] - Removing HKLM\...\Browser Helper Objects\{E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F}
[04/21/2006, 23:28:06] - Removing HKCR\CLSID\{E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F}
[04/21/2006, 23:28:06] - Adding Kill Bit for ActiveX for GUID: {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F}
[04/21/2006, 23:28:06] - Deleting ATLEvents/MSEvents Registry entries
[04/21/2006, 23:28:06] - Removing HKLM\...\Winlogon\Notify\ddccd
[04/21/2006, 23:28:06] - Searching for Browser Helper Objects:
[04/21/2006, 23:28:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/21/2006, 23:28:06] - Finished Searching Browser Helper Objects
[04/21/2006, 23:28:06] - Finishing up...
[04/21/2006, 23:28:06] - A restart is needed.
[04/21/2006, 23:28:25] - Attempting to Restart via STOP error (Blue Screen!)

What do you think about it?

After this, is there no more malware on my system?
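
The correlation VirtumundoBeGone's log shows above (a BHO with no default name whose DLL is also registered under Winlogon\Notify) can be checked directly against a HijackThis log. This is an added example for readers of the thread, not code from the tool or from either poster; the log lines embedded in it are copied from the HJT log posted earlier and the two-signal rule is the one the VirtumundoBeGone log itself applies.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the O2 and O20 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINNT\system32\ddccd.dll
O20 - Winlogon Notify: ddccd - C:\WINNT\SYSTEM32\ddccd.dll
"""

# HijackThis 1.99 line formats for Browser Helper Objects (O2) and Winlogon Notify packages (O20).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_log(text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notify = [], []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def _basename(path):
    # Compare on the file name only; the log mixes system32 and SYSTEM32 spellings.
    return PureWindowsPath(path).name.lower()


def find_suspicious_bhos(text):
    """Flag BHOs that are unnamed and/or share their DLL with a Winlogon Notify key."""
    bhos, notify = parse_log(text)
    notify_dlls = {_basename(n["path"]): n["key"] for n in notify}
    findings = []
    for b in bhos:
        dll = _basename(b["path"])
        reasons = []
        if b["name"].strip().lower() == "(no name)":
            reasons.append("BHO has no default name")
        if dll in notify_dlls:
            reasons.append(f"same DLL loaded via Winlogon Notify key '{notify_dlls[dll]}'")
        if reasons:
            findings.append({"clsid": b["clsid"], "dll": dll, "reasons": reasons})
    return findings
```

Run against the first HJT log in this thread it reports only the ddccd.dll entry, with both reasons; the Acrobat BHO is named and has no Winlogon hook, so it is left alone.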

wolfgang
2006-04-22, 00:53
This is the new log from hjt:

Logfile of HijackThis v1.99.1
Scan saved at 23:50:59, on 21.04.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\SYSTEM32\3cshtdwn.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\cidaemon.exe
C:\Dokumente und Einstellungen\Schink1\Eigene Dateien\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = -
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKCU\..\Run: [Registry Optimierer] C:\Programme\Registry Optimierer\RegOptimierer.exe /d
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D9D7395-1D9D-499D-9EA4-B5F26EC58A57}: NameServer = 195.182.110.132 62.134.11.4
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

wolfgang
2006-04-22, 08:36
What about the data in "O17"?

Is it still malware?

Wolfgang

illukka
2006-04-22, 16:14
Download an antivirus from here:

http://www.free-av.com
Install, update and do a full scan.
Let it remove what it finds.

Do you have a firewall?
If not, download the free ZoneAlarm from here:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?lid=zadb_zadown
Install it.

Reboot.
Post a new HijackThis log.

tashi
2006-04-27, 19:01
Post a new HijackThis log, wolfgang?

tashi
2006-04-30, 10:58
Due to lack of a response this topic will be archived.