Trojan.generic.1027635

Since last week, my computer has been infected with malware and trojans that BitDefender promptly identified but could do nothing about.

Today, I was able to delete all but one - most of which I was able to delete after adding them to the quarantine and sending them into the lab. However, this one still remains and I know where it is - C:\Windows\System32\d3dramp32.dll - but I cannot delete it; Unlocker can't even help me. I was in safe mode, I have used msconfig in both regular and safe mode, but it keeps popping up. Please help me, I am so sick and tired of going through the same steps over and over with no success!!! Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:41:31 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
D:\BITDEF~1.2\bdmcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\BitDefender Professional Edition 7.2\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\WindowsXP-KB905474-ENU-x86.exe
e:\7bb0a4fc24e66892d1a99164\update\update.exe
D:\hijackthis\HijackThis.exe
e:\7bb0a4fc24e66892d1a99164\wgatray.exe

O4 - HKLM\..\Run: [bDMCon] D:\BITDEF~1.2\bdmcon.exe
O4 - HKLM\..\Run: [bDNewsAgent] D:\BitDefender Professional Edition 7.2\bdnagent.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs: sockspy.dll,C:\WINDOWS\System32\d3dramp32.dll
O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\BitDefender Professional Edition 7.2\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Comments

  • Nothing is wrong with your HijackThis log except for the file you just named. You can try running another HijackThis scan and, when it finishes, check the checkbox next to

    O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)

    and press Fix. See if that helps.

  • Please post another log made with HijackThis 2.0.2

  • Hi - when I select the file and type Fix, nothing happens. The list clears in its entirety and when I re-scan, the files still show up.

    Here is a new log in v2.0.2, as suggested. Thanks.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:49:31 PM, on 11/30/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\WINDOWS\Explorer.EXE
    D:\BITDEF~1.2\bdmcon.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\BitDefender Professional Edition 7.2\vsserv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [bDMCon] D:\BITDEF~1.2\bdmcon.exe
    O4 - HKLM\..\Run: [bDNewsAgent] D:\BitDefender Professional Edition 7.2\bdnagent.exe
    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O20 - AppInit_DLLs: C:\WINDOWS\System32\d3dramp32.dll
    O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\BitDefender Professional Edition 7.2\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

  • Theoracle117
    edited December 2008

    Scan again with HijackThis and check the little checkbox next to

    O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)

    and press Fix.

    If the files are still there, then report back.

  • I tried it 3 times just now... I hit 'Fix checked' and a warning box pops up saying:

    Fix 1 selected items? This will permanently delete and/or repair what you selected.

    So I hit Yes and the screen clears. I hit Scan again and the file is STILL there.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:39:40 PM, on 12/3/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    D:\BitDefender Professional Edition 7.2\vsserv.exe
    d:\bitdef~1.2\bdmcon.exe
    d:\bitdef~1.2\bdlite.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Autoruns\autoruns.exe
    D:\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [bDMCon] D:\BITDEF~1.2\bdmcon.exe
    O4 - HKLM\..\Run: [bDNewsAgent] D:\BitDefender Professional Edition 7.2\bdnagent.exe
    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O20 - Winlogon Notify: 58625298502 - C:\WINDOWS\System32\d3dramp32.dll (file missing)
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\BitDefender Professional Edition 7.2\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 3019 bytes

  • Maybe it's time to use ComboFix :)

    Read this guide carefully: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    and after finishing, download ComboFix and run it. The article should include the download link.

  • Thank you VirusPING.

    I read the tutorial on ComboFix, downloaded the program, watched it delete a few files and restart my computer, and then, when BitDefender came on, it told me I still had the virus!!!!!!!!

    So, I was going through some other topics in this particular forum and saw an answer you gave to someone else about using File Assassin. Well, believe it or not, that worked; it got rid of my virus. I had previously installed the Unlocker program, which of course is similar, but it could not remove this pesky thing.

    File Assassin is my new best friend. Thanks for your help and advice.

    A further restart, virus scan and HijackThis log showed no sign of the d3dramp32.dll file that has been plaguing me! Hopefully this is the last malware I will get for some time.

  • You're welcome :)

  • Download Malwarebytes' Anti-malware from here:


    http://www.malwarebytes.org/mbam/program/mbam-setup.exe


    Once the download is complete, run the install program and accept all of the default options. Make sure that the options to Update and Launch the software are checked when you click Finish.

    Now, let's make sure that it has all of the latest anti-spyware definitions: click on the Update tab and click the Check for Updates button.

    After the updates have been loaded, click on the Scanner tab and choose the Perform Complete Scan option, then click the Scan button.

    When the scan is complete, it will show you all of the potentially harmful files on your computer - click the button to remove them automatically.

    Paste the scan log here. :)