UDConn.dll Error

Discussion in 'adware, spyware & hijack cleaning' started by obsession69, May 30, 2004.

Thread Status:
Not open for further replies.
  1. obsession69

    obsession69 Registered Member

    Joined:
    May 30, 2004
    Posts:
    4
    Hi guys,

    first of all I want to thank you all; you are doing a great job as I see.

    Since I still do not feel like an expert in many IT areas, I would like to ask you for a little help.

    My brother was a bit faster than me - and went to the "i-net jungle" before I had installed some useful software - and of course - our computer has been attacked by spyware.

    I used ad-aware, spy-bot and also CWShredder to clean up my comp, (installed all windows security updates), but the error message after computer startup still pops up.

    I have also found a program called "supervideospornosk" among installed components (in add/remove program tool in control panel). My attempts to uninstall have all finished at the same error message.

    Guys, please send me some hints how to get rid of it.
    Here is my Hijack This log file (after cleaning, rebooting system, closing all windows):

    Logfile of HijackThis v1.97.7
    Scan saved at 16:37:12, on 30.5.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\system32\internat.exe
    D:\software\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [supervideospornosk-htm] RunDll32 UDConn.dll,RunAsIcon supervideospornosk
    O4 - HKLM\..\Run: [inter love] C:\PROGRA~1\2 Loud\DeadGram.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/sk/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Many thanks in advance.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi obsession69,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll

    O4 - HKLM\..\Run: [supervideospornosk-htm] RunDll32 UDConn.dll,RunAsIcon supervideospornosk
    O4 - HKLM\..\Run: [inter love] C:\PROGRA~1\2 Loud\DeadGram.exe

    Then reboot and let us know how it goes.
    Please don't delete anything yet; I may need a copy.

    Regards,

    Pieter
     
  3. obsession69

    obsession69 Registered Member

    Joined:
    May 30, 2004
    Posts:
    4
    Dear Pieter,

    I guess it went well - there was no error message after rebooting. Thank you! ;)

    I have checked the add/remove program tool - "supervideospornosk" is still present.

    As you advised me, I have not deleted anything and I am waiting for the final conclusion (just Hijack indicated that "is about to remove O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll...").


    here is the log file after rebooting:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:35:34, on 30.5.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\system32\internat.exe
    D:\software\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/sk/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    What is the next step? Or is it OK now?

    Regards,

    obsession69
     
    Last edited: May 30, 2004
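An added example, not part of the original thread: a Python sketch that parses the entry lines of the two HijackThis logs posted above and checks that the three items selected for fixing are gone and that nothing else changed. The function names are hypothetical, and the embedded logs are a subset of the O2/O4 lines from the thread.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_entries(log):
    """Set of (section, detail) pairs; header and process lines are skipped."""
    return {m.groups() for m in map(ENTRY.match, log.splitlines()) if m}

def parse_run(detail):
    """Split an O4 detail into (hive, key, value name, command), else None."""
    m = RUN.match(detail)
    return m.groups() if m else None

def verify_fix(before, after, requested):
    """Compare two scans against the list of entries that were to be fixed."""
    b, a, r = map(parse_entries, (before, after, requested))
    return {"still_present": sorted(r & a),        # fix did not take
            "not_in_before": sorted(r - b),        # wrong item selected
            "removed_unrequested": sorted(b - a - r),
            "new_entries": sorted(a - b)}          # something re-registered

# Constructed input: O2/O4 lines copied from the two logs in this thread.
BEFORE = r"""
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [supervideospornosk-htm] RunDll32 UDConn.dll,RunAsIcon supervideospornosk
O4 - HKLM\..\Run: [inter love] C:\PROGRA~1\2 Loud\DeadGram.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""
AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""
REQUESTED = r"""
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll
O4 - HKLM\..\Run: [supervideospornosk-htm] RunDll32 UDConn.dll,RunAsIcon supervideospornosk
O4 - HKLM\..\Run: [inter love] C:\PROGRA~1\2 Loud\DeadGram.exe
"""
if __name__ == "__main__":
    for name, items in verify_fix(BEFORE, AFTER, REQUESTED).items():
        print(name, items)
```

All four lists come back empty for these two scans, which matches the "log is clean" reading; an entry reappearing after reboot would show up under `still_present` or `new_entries`.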
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Your log is clean but I am guessing that it annoys you to have that orphaned entry in Add/Remove Software.

    Then click Start > Run > type or copy & paste regedit > OK
    In the Registry editor navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and delete the orphaned key in the right hand pane.

    NOTE: always back up the registry before making manual changes.
    For Windows 2000: http://support.microsoft.com/default.aspx?kbid=322755

    You can delete the entire folder:
    C:\PROGRAM FILES\2 Loud

    Regards,

    Pieter
     
  5. obsession69

    obsession69 Registered Member

    Joined:
    May 30, 2004
    Posts:
    4
    Dear Pieter,

    I made an Emergency Recovery Disc and saved the registry Uninstall, then removed the registry keys.

    But I did not find the directory C:\PROGRAM FILES\2 Loud... (and I have system and hidden files set to be shown...)

    Maybe hijackthis or Spybot or Ad-aware removed it... I do not know...

    Thanks.

    obsession69
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  7. obsession69

    obsession69 Registered Member

    Joined:
    May 30, 2004
    Posts:
    4
    Pieter,

    :D. Of course I did :) It is a very good guide. It is for sure I will make him read it ;)

    Or maybe as a junior spyware expert, I will make a small lecture for him :)

    Well, I hope the vulnerability of the computer is now much lower after reading that page (and those linked there) and installing all the protection tools mentioned there. And I hope I will not have a chance to contact you with some other problem very soon. (Although I always learn something new from you) :)

    Thank you once more.

    All the best.

    obsession69
     
    Last edited: Jun 7, 2004