
HELP!!! Nasty Virus is a real mess (ddayy and no control panel) etc.


IH8viri

Programmer
Jan 10, 2008
13
US
Hopefully someone can help with this nasty virus I got from the net. It came from some music tablature site.

It has disabled my access to control panel. Control panel Icon is gone, and I get a message that says: This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.

I loaded CA security, and it immediately disabled that.

I know that ddayy.exe and ddayy.dll are in there (in c:\windows\system32). I have used remove-on-boot and they keep coming back.

Internet is disabled and I can’t get into settings because it says I don’t have rights, just like when I try to get into control panel.

The computer keeps trying to connect to the internet to run its multiple popups that started this whole mess.

SUPERANTISPYWARE keeps finding many problems and says it corrects them, but then they come back right away, without even having to reboot.

Refresh in explorer doesn’t seem to work. I create a file with a command prompt, and it is there but explorer doesn’t show it.

HAAALP!

HiJackThis.log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:13 AM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
C:\Documents and Settings\Max\Desktop\anti virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayy.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 3200 bytes
 
Load in safe mode and run these. Install them in safe mode. Log on to the administrator account from there and install these.

Run ccleaner first, then avg anti spyware, then your antivirus, then the registry cleaner. Disable system restore.

Disconnect the Cat 5 cable from the computer. Restart the computer, load in normal mode, and try running the programs again there.

Once done, post back with results and another logfile. The only thing in this logfile is the file you mention that keeps coming back.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
By the way you get into control panel as follows

Restart the computer and start pressing F8 immediately until you are brought to a black screen with options; choose to load Windows in safe mode.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
I can't log into safe mode as administrator. I get a message that says "Unable to log you on because of an account restriction." The virus must have done this as well; I can't log into safe mode as myself either. This looks really bad. :( What do you think I could try next?
Thanks again!
 
I wonder if this is the new rootkit people have been talking about. I can't find much info on it yet.


James P. Cottingham
-----------------------------------------
I'm number 1,229!
 
First try this page.

1. Start Windows, and then log on to an account that is a member of the Administrators group.
2. Click Start, and then click Run.
3. In the Run dialog box, type regedit, and then click OK.
4. In Registry Editor, locate the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
5. In the right pane, click AutoAdminLogon under Name.
6. On the Edit menu, click Modify.
7. In the Edit String dialog box, type 0 in the Value data box, and then click OK.


Then try getting into safe mode. If that does not work, then follow the steps below.

Well, at this point you have two choices. You can slave the hard drive onto another computer and run scans through it, or you can make a BartPE CD from a Windows installation CD, find the bad files, and remove them that way. I think BartPE has a way of adding virus scanners to it, although I have not done that yet.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
It's possible it's a rootkit, but I figure it's another one of those trojans that change the registry value to restrict safe mode login. I've run across a few that do that, lol.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
OK, I got past the logon with some help from a great person at password-reset.com. I had to kill the password file using a boot CD and stuff from the repair directory (then I had to re-register Windows through the phone.... grrr), and I will try the steps in safe mode from electronicsfreak. I WILL keep you posted!
 
OK, I have done all the stuff that electronicsfreak said; here is the log. I still have registry remnants looking for ddayy.exe. The virus is still trying to run bad popups. :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:21 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\anti virus\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayy.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 1217 bytes
 
OK, download AntiVir from the location below. Install it on your computer in safe mode and do a full system scan with it.

Configure it as follows:

This is to setup antivir after it has been installed.

Right click on the logo in the taskbar(a red square with a white umbrella), then left click configure. Towards the top left, you will see a box beside expert mode. Check this box. Now click the + beside scanner, and now the + beside scan. This will expand them.

Now click on scan itself to where it is highlighted. Now to the right under files, select the circle beside all files. Now click on action for concerning files. To the right, click the circle beside automatic. Now to the right of that, set primary action to repair and secondary action to delete. DO NOT check the box that says "copy file to quarantine before action".

Now click on archives to where it is highlighted. Make sure all boxes on this page are checked; if not, check them. Now click on heuristic. To the right under win32 file heuristic, check the box beside "win32 file heuristic", then click the circle beside medium detection level.

Now click the + beside guard and the + beside scan to expand them. Now click on scan to where it is highlighted. To the right under scan mode, check "scan when reading and writing". To the right of that under files, click the circle beside "all files".

Now click on heuristic to where it is highlighted. Check the box beside win32 file heuristic, and then click the circle beside medium detection level. Now click OK and AntiVir is set up for scanning.

________________

If you have any problems running this in normal mode with your current antivirus, then just uninstall it in safe mode.

Once you have finished scanning with it, download avg anti rootkit from the link below and run it.


Post back with results

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
This is saying I have to buy it to clean the items. Did you want to just use this as a scan? I already bought Spy Sweeper, and while that quarantined the virus(es), they keep coming back. I really don't want to buy another thing that won't really work. :(
 
edit to above: looks like I grabbed the wrong thing getting the right one now.......
 
Well, this is very not good. After I installed antirootkit, my computer does a hard power off while trying to boot into Windows. Windows prompts me to go to safe mode, but it still powers off.

I don't think free-av found the thing, and the report said it still moved files after I configured it to delete them.

I have a boot CD; should I use that to get rid of the root fix thing? Now I can't even get the computer to finish booting up at all. It just keeps shutting off.
 
Wow, this is really bad now. antirootkit really messed my computer up! Now it won't even boot up from a CD. I am much worse off than I was before. Hopefully someone knows what I can do. I would suggest that no one ever use antirootkit.
 
I have acronis true image on this computer, it won't even let me run that now without shutting down. I really need an expert here now.
 
OK, the startup looked different right from the beginning, so I pulled the battery and power from the computer (Music XPC laptop), and I just got it to boot to the Ultimate Boot CD. I will try Windows again now.
 
OK, I got into Windows and ran the antiroot thing, but it said congrats, I have no rootkits. I know that's wrong. I think the present culprit is vtuts.exe.

Here be the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:03 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner\Desktop\anti virus\HiJackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\vtuts.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 1606 bytes
 
Go to folder options, go to view, and uncheck the box to hide Windows system files. Search for and delete all of these files:

PMNNK.EXE
PMNLK.0XE
PMNLJ.EXE
MLLJH.EXE
MLLII.EXE
JKKJI.EXE
JKHFG.EXE
GEEDE.EXE
GEEDB.EXE
GEEDA.EXE
GEBYW.EXE
DDCYA.EXE
DDABB.EXE
AWVVU.EXE
AWTSR.EXE

Also, avg anti rootkit is a good program; I think you had a conflict or the trojan caused this. You have a trojan, from my research. Also, AntiVir is free. If you are comfortable with messing with the registry, search for those in the registry and find any files associated with them, and check on Google with another computer to see if the files are legit or not. This can help you trace the main files. In safe mode with system files showing, run AntiVir and then avg anti spyware again after deleting those.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
I think you are right about antirootkit, something weird happened with the computer or temporarily with the bios settings, and when I pulled the battery and power for a minute, all went back to the way it was as far as being able to boot up again.

I wanted to edit the post about that but I don't think the site allows that.

Thanks for not giving up on me :)

I will try what you said and post the results. I believe that this vtuts.exe is causing the W32/VirtInf-B virus now. I swear I got multiple viruses in this computer from that darn web site. I have not so far seen ddayy.exe, but the registry values are still persistent.
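The three HijackThis logs in this thread tell the story on their own: the only line that never changes shape is the `F3 - REG:win.ini: load=` entry, while the executable it points at is renamed between logs (ddayy.exe, then vtuts.exe), which is why removing the file by name kept failing. The script below is an added example and not part of the thread or of HijackThis itself; it parses log text in the format shown above, pulls out the win.ini `load=`/`run=` autostart entries, flags running-process names with a space before the extension (an assumption of this example: that is a naming pattern worth a manual check, as with the `cctray .exe` style entries in the first log), and diffs the autostart entries between two logs. The two sample logs are constructed from a subset of the lines posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re

# Constructed sample: a subset of the 1/10/2008 log posted in the thread.
LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:13 AM, on 1/10/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayy.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# Constructed sample: a subset of the 1/12/2008 log posted in the thread.
LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:03 PM, on 1/12/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\vtuts.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
"""

# HijackThis entry lines look like "O4 - ..." or "F3 - ..." (letter + 1-2 digits).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an F3 entry for the legacy win.ini autostart lines.
WININI_LOAD_RE = re.compile(r"^REG:win\.ini: (?:load|run)=(?P<path>.+)$")


def parse_log(text):
    """Split a log into (running process paths, list of (code, body) entries)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def winini_load_entries(text):
    """Executables started via win.ini load=/run= (F3 entries).

    This is a pre-registry autostart mechanism that current software has no
    reason to use, so any path found here deserves a close look.
    """
    _, entries = parse_log(text)
    found = []
    for code, body in entries:
        if code != "F3":
            continue
        m = WININI_LOAD_RE.match(body)
        if m:
            found.append(m.group("path").strip())
    return found


def odd_process_names(text):
    """Process images whose name has whitespace before the extension.

    Heuristic assumed by this example: names such as 'cctray .exe' are not
    how installers name binaries, so they are queued for manual verification
    (not declared malicious).
    """
    processes, _ = parse_log(text)
    return [p for p in processes if re.search(r"\s+\.[A-Za-z0-9]+$", p)]


def persistence_diff(old_text, new_text):
    """(added, removed) autostart entries between two logs: F-codes and O4 Run keys."""
    def autostart(text):
        return {f"{c} - {b}" for c, b in parse_log(text)[1]
                if c.startswith("F") or c == "O4"}
    old, new = autostart(old_text), autostart(new_text)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for label, log in (("1/10 log", LOG_A), ("1/12 log", LOG_B)):
        print(label, "win.ini load entries:", winini_load_entries(log))
        print(label, "process names needing review:", odd_process_names(log))
    added, removed = persistence_diff(LOG_A, LOG_B)
    print("autostart entries added:", added)
    print("autostart entries removed:", removed)
```

Run against full logs saved from HijackThis, the diff makes a renamed loader visible immediately: the F3 line is removed in one log and re-added with a new path in the next, so the win.ini `load=` value, not just the current file name, is what has to be cleared.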
 