Trojan.generic.1027635

desarae@123mail.org · November 2008

Since last week, my computer became infected with malware and trojans that BitDefender promptly identified, but could do nothing about.

Today, I was able to delete all but one - most of which I was able to delete after adding them to the quarantine and sending them into the lab. However, this one still remains and I know where it is - C:Windows\System32\d3dramp32.dll - but I cannot delete, unlocker can't even help me. I was in safe mode, I have used msconfig in both regular and safe mode but it keeps popping up. Please help me, I am so sick and tired of going through the same steps over and over with no success!!! Here is my hijack this file:

Logfile of HijackThis v1.99.1

Scan saved at 6:41:31 PM, on 11/16/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

\BITDEF~1.2\bdmcon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

\BitDefender Professional Edition 7.2\vsserv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SoftwareDistribution\Download\Install\WindowsXP-KB905474-ENU-x86.exe

e:\7bb0a4fc24e66892d1a99164\update\update.exe

\hijackthis\HijackThis.exe

e:\7bb0a4fc24e66892d1a99164\wgatray.exe

O4 - HKLM\..\Run: [bDMCon] \BITDEF~1.2\bdmcon.exe

O4 - HKLM\..\Run: [bDNewsAgent] \BitDefender Professional Edition 7.2\bdnagent.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O20 - AppInit_DLLs: sockspy.dll,C:\WINDOWS\System32\d3dramp32.dll

O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - \BitDefender Professional Edition 7.2\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Theoracle117 · November 2008

nothing is wrong with your hijackthislog except for the file you just named. You can try running another hijackthis scan and when it finishes, check the checkbox next to

O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)

press fix. see if that helps.

rootkit · November 2008

Please post another log made with Hijackthis 2.0.2

desarae@123mail.org · November 2008

Hi - when I select the file and type Fix, nothing happens. The list clears in its entirety and when I re-scan the files still show up.

here is a new log in v2.0.2 as suggested. Thanks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:49:31 PM, on 11/30/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\WINDOWS\Explorer.EXE

\BITDEF~1.2\bdmcon.exe

C:\WINDOWS\system32\ctfmon.exe

\BitDefender Professional Edition 7.2\vsserv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

\hijackthis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKLM\..\Run: [bDMCon] \BITDEF~1.2\bdmcon.exe

O4 - HKLM\..\Run: [bDNewsAgent] \BitDefender Professional Edition 7.2\bdnagent.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O20 - AppInit_DLLs: C:\WINDOWS\System32\d3dramp32.dll

O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - \BitDefender Professional Edition 7.2\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

Theoracle117 · December 2008

scan again with hijackthis and check the little checkbox next to

O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)

and press fix.

If the files are still there then report back

desarae@123mail.org · December 2008

I tried it 3 times just now...I hit 'fix checked' and a warning box pops up saying:

Fix 1 selected items? This will permanently delete and/or repair what you selected.

So I hit Yes and the screen clears. I hit scan again and the file is STILL there.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:39:40 PM, on 12/3/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

\BitDefender Professional Edition 7.2\vsserv.exe

d:\bitdef~1.2\bdmcon.exe

d:\bitdef~1.2\bdlite.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Autoruns\autoruns.exe

\hijackthis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - \Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [bDMCon] \BITDEF~1.2\bdmcon.exe

O4 - HKLM\..\Run: [bDNewsAgent] \BitDefender Professional Edition 7.2\bdnagent.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - \Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - \Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - \BitDefender Professional Edition 7.2\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--

End of file - 3019 bytes

Theoracle117 · December 2008

Maybe its time to use combofix

read this guide carefully http://www.bleepingcomputer.com/combofix/how-to-use-combofix

and after finishing

download combofix and run it. the artical should include the download link

desarae@123mail.org · December 2008

Thank you VirusPING.

I read the tutorial on combofix, downloaded the program, watched it delete a few files, restart my computer and then when bitdefender came on told me I still had the virus!!!!!!!!

So, I was going through some other topics in this particular forum and saw an answer you gave to someone else about using File Assassin. Well believe it or not, that worked, it got rid of my virus. I had previously installed the Unlocker program, which of course is similar, but it could not remove this pesky thing.

File assassin is my new best friend. Thanks for your help and advice.

A further restart, virus scan and a hijack this log showed no sign of the d3dramp32.dll file that has been plaguing me! Hopefully this is the last malware I will get for some time.

Theoracle117 · December 2008

Your welcome

rootkit · December 2008

Download Malwarebytes' Anti-malware from here:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Once the download is complete, run the install program, and accept all of the default options. Make sure that the options to Update and Launch the software is checked when you click Finish.

Now, let's make sure that it has all of the latest anti-spyware definitions: click on the Update tab and click the Check for Updates button.

After the updates have been loaded, click on the Scanner tab and choose the Perform Complete Scan option, then click the Scan button.

When the scan is complete, it will show you all of the potentially harmful files on your computer - click the button to remove them automatically.

Paste the scan log here.

Trojan.generic.1027635

Comments

All Time Leaders

Categories

Defenders of the month