HELP!!! Nasty Virus is a real mess (ddayy and no control panel) etc.

Status
Not open for further replies.

IH8viri

Programmer
Jan 10, 2008
13
US
Hopefully someone can help with this nasty virus I got from the net. It came from some music tablature site.

It has disabled my access to control panel. Control panel Icon is gone, and I get a message that says: This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.

I loaded CA security, and it immediately disabled that.

I know that ddayy.exe and ddayy.dll are in there (in c:\windows\system32). I have used remove on boot and they keep coming back.

Internet is disabled and I can’t get into settings because it says I don’t have rights, just like when I try to get into control panel.

The computer keeps trying to connect to the internet to run its multiple popups that started this whole mess.

SUPERANTISPYWARE keeps finding many problems and says it corrects them, but then they come back right away, without even having to reboot.

Refresh in explorer doesn’t seem to work. I create a file with a command prompt, and it is there but explorer doesn’t show it.

HAAALP!

HiJackThis.log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:13 AM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
C:\Documents and Settings\Max\Desktop\anti virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayy.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 3200 bytes
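As an added triage aid (not part of the thread and not HijackThis's own code), the script below parses a HijackThis log into its process list and typed entries, then flags the items that matter in the log above: the F3 win.ini `load=` autostart pointing at ddayy.exe, the emptied R0 start page, and process names carrying whitespace before the extension. The embedded log is a constructed excerpt modelled on the posted one.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the HijackThis log in the thread (not the full log).
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe
C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray .exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\ddayy.exe
O4 - HKLM\\..\\Run: [cctray] "C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe"
O23 - Service: CaCCProvSP - CA, Inc. - C:\\Program Files\\CA\\CA Internet Security Suite\\ccprovsp.exe
"""

# HijackThis entries look like "O4 - ..." / "F3 - ..." / "R0 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into the running-process list and typed entries."""
    result: Dict[str, List[str]] = {"processes": []}
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
            else:
                result["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            result.setdefault(m["kind"], []).append(m["body"])
    return result

def triage(parsed: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for the persistence points seen in this thread."""
    findings = []
    # win.ini load=/run= is a legacy autostart that current software almost never uses.
    for body in parsed.get("F3", []):
        findings.append("F3 legacy autostart: " + body)
    for body in parsed.get("R0", []):
        if body.endswith("="):    # value was blanked out
            findings.append("R0 start page emptied: " + body)
    for path in parsed["processes"]:
        name = path.rsplit("\\", 1)[-1]
        if re.search(r"\s\.\w+$", name):
            findings.append("unusual process name (whitespace before extension): " + path)
    return findings
```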
 
lol I don't give up. So do not worry about that. My advice is search the registry and find files pertaining to it. Also I'd delete certain keys to those files, but be careful which ones you delete. Sometimes they modify keys you need. So only edit/delete things if you know what you are doing; otherwise you can crash Windows.

Once you delete the files, run the registry cleaner before you restart/exit Windows. Also my advice on this computer: keep the computer disconnected from the internet till it's clean. Use another computer to access the sites and things.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Cool, :) thanks again!

None of those files exist on the computer.

vundofix v6.7.7 finds this and kills it, but when the computer shuts down, just before it goes out of Windows, spy sweeper shows an alert saying it's back (vtuts.exe) and it quarantined it, but then it's back next time Windows loads. If it is hooked to winlogon or that lss(something) Windows file. How can I kill it if it is hooked to the very start and stopping of Windows?

Thanks again!
 
Do a search for it, as it's probably got a backup somewhere such as the dllcache folder or something of that nature. Go to Windows search and find all locations of it. Might be a good idea to search the registry for it and see what it brings up.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 