Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

recurrent virus infection

Status
Not open for further replies.
kausikdatta

kausikdatta

Technical User
Oct 8, 2003
19
US
I regularly use Spybot S&D and get all the updates. I also use two AV softwares, Norton AV corporate edition and AVG. AVG scans my computer every day, and shows up a downloader trojan virus in the 'System restore' volume of XP. It can heal the virus and remove it, but some other (with a different file name) shows up the next day. I suspect that there is a resident control file which is doing this. I am putting in the HijackThis log file (truncated version, I have removed the entries I am sure of), and I would be very grateful if some one could spot the problem.

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes: (I have removed the entry of ones I am sure of)
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\pilbtmq8.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {00000000-DDBB-0704-0B53-2C8830E9FAEC} - O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - O17 - HKLM\System\CCS\Services\Tcpip\..\{D3DAA47B-8F27-4394-AEC7-A47C59AD2EB6}: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB1EC7C4-4455-4C75-AF58-4A1782FFE30C}: NameServer = 69.57.146.14,69.57.147.175
 
Sort by date Sort by votes
Turn off system restore on your computer its what keeping the virus on your computer and re-infected it. Once you have turned off system restore do your virus scans and remove the virus or use the removal tools you can get.

 
Upvote 0 Downvote
Turning off the system restore and rebooting and turning it back on - one of the few things that I have tried before sending in this post. It did not help. Thanks for your reply, anyway.
 
Upvote 0 Downvote
did you run a virus scan while restore was turned off?
Try an online scan too.
 
Upvote 0 Downvote
I agree with the others. The 'System Restore' folder is a protected volume that can not be cleaned by AVG or any other virus scanner. It must be turned off for real cleaning. See
In addition to that, some virii can propogate through a network using various security flaws. Make sure that you have patched your operating system and IE with all the appropriate security patches.
 
Upvote 0 Downvote
If there was anything there it would most likely show up in the 04 or 016 entries

I would fix these ;-


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p

O16 - DPF: {00000000-DDBB-0704-0B53-2C8830E9FAEC} -
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) -
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) -
If any of the 016 entries are required - you will be prompted to download them at the time.
 
Upvote 0 Downvote
Also run HijackThis and fix these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D3DAA47B-8F27-4394-AEC7-A47C59AD2EB6}: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB1EC7C4-4455-4C75-AF58-4A1782FFE30C}: NameServer = 69.57.146.14,69.57.147.175

They are the Trojan.Qhosts domain hijack. Also search for the file C:\Windows\Help\Hosts and delete it if found.
 
Upvote 0 Downvote
The load module for the virus could still be resident in your temp or internet temp files. Try cleaning those areas out.
 
Upvote 0 Downvote
>O16 - DPF: {06C5A25C-0F08-49B1-BD92-192A61B85158} (ddm_download.ddm_control) -
If I were you I would

0) run a microsoft-regclean first (ad-ware and spybot doesn't remove all crapy ad-softwares at all)

1) get rid of everything that has either a "ddm_control", or "ddm_download", or "ddm_" or as whole string "ddm"

2) shift-delete any file named ddm_control.* or ddm_download.* or ddm_d.exe on your harddrive.

Update your antivirus file definition and perform a new scan. It is likely possible that you have been infected by a "Dowloader"-virus-like (such as "downloader-DC").

Just make a search on google with "ddm_dowload.ddm_control" and see that all result are linked to person who have similar problems as you....

Good luck and be careful while you make some search on Astalavista or any Cracker/Warez site....
or make a backup of your PC before to visit those sites...
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

RodneyMcSnow
  • Locked
  • Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
285
ChrisHirst
ChrisHirst
diembi
  • Locked
  • Question
McAfee can stop my not virus process?
Replies
0
Views
177
diembi
diembi
RodneyMcSnow
  • Locked
  • Question
computer says windows 2012 has detected a virus
Replies
2
Views
182
kjv1611
kjv1611
Enkrypted
  • Locked
  • Question
SBS 2003 Exchange Virus Scan registry setting
Replies
0
Views
157
Enkrypted
Enkrypted
Leefp2
  • Locked
  • Question
Blueseek virus
Replies
0
Views
183
Leefp2
Leefp2

Part and Inventory Search

Sponsor

Back
Top