PC being very corrupted with spyware/adware/viruses and hardware problem

  #1 (permalink)  
Old 13-05-2008, 10:56 PM
brandish
D-A-L Newbie
 
Join Date: May 2008
Posts: 1

Hello, a few days ago I tried to install a game I downloaded off the net which seemed to be safe. After burning the image, Windows directly asked for a program requesting to access the internet - I denied and the installation crashed. I tried again and this time I thought I'd let it connect since it would require it to check my system first - my biggest mistake.

Soon after I let it connect, I started playing the game etc. etc. (for anyone interested, it was the GTA San Andreas demo :X)

Before this happened I had the following protection software:

McAfee Security Suite with AntiVirus and Firewall.

Soon after, I loaded Firefox and tried to use my favourites, and I noticed that they were gone. So I decided to search some stuff on Google from the top corner and it would NEVER load. I had to reinstall Firefox and it would work once before not working again - I googled and found it was spyware. I soon ran my McAfee antivirus full scan and it found nothing.

I downloaded SEVERAL pieces of software to remove this after this occurred, such as
- Google's recommended PC Tools Spyware Doctor full version (got it from a friend). It picked up a few viruses and spyware, but I'll tell you what happened in the end (it also found the critical virus that was causing this)
- SuperAntiSpyware - found barely any of the most critical, useless
- Uniblue RegistryBooster - don't know what this did ._. It showed up with 1k++ infections but was not useful at all
- SpyBot S&D - found only cookies and such, useless
- Finally the most useful, ESET Smart Security, which also picked up several viruses and spyware

So out of several others and these, only ESET and PC Tools Spyware Doctor showed what the real problem was (well, I actually found out the problem from Spybot/SuperAntiSpyware, since something was creating a registry, I blocked it and it continued to create registry and block, create and block etc. for hours on end, and I noticed this was probably the cause of this whole mess). It was a RunDLL32.exe creating DIFFERENT DLLs which were run with different names whenever I rebooted.

The ESET and Spyware Doctor did detect this, but it just kept coming back after they deleted it, with the scan taking several hours also... I soon thought I had to block the incoming/outgoing traffic I had accepted from the McAfee firewall to stop this first, but in fact this stupid McAfee firewall had no way to find out what I had accepted to have full access, it only showed the logs of what I blocked ._. so I had to reset the firewall, but since then the file still hasn't tried to connect to the internet... funny.

Soon after, I downloaded HijackThis and ran some scans and did the auto logging from one of the sites, and found that the DLL was in fact said to be safe (obviously not). I tried to remove it but it would just keep jumping straight back into my computer after a restart.

So, conclusion: this RunDLL32.exe is running a DLL which creates DIFFERENT FILES with DIFFERENT names every now and then. An example of the name can be (right now)
[BMdb4bee88] Rundll32.exe "C:\windows\system32\jrykqlqy.dll" (taken from HijackThis)
and several others such as nvpcl.dll, sryqyls.dll etc., with random letters basically...

I searched for days and still found no solution or cure for this problem, so thinking I'm the first, I'm asking for help now.

I also have another problem with my hardware... I believe.
Obviously with all this having happened, I thought I would just clear my PC and reboot. My computer is a 2000 Windows XP Pent 4 HP 7945, which has a built-in recovery system, therefore I received no recovery CD. The last time I rebooted was probably a year ago. I tried to reboot today but it came up with an error when trying to start, saying "User Partition not found". I used programs such as Partition Table Doctor and ARAX Disk Doctor to locate the problem, but to no use. I was able to VIEW the partition (about 2.8GB) and my main hard drive, but when I tried to reformat it would still say User Partition not found... I looked on the internet for this problem and found no solution either... Could it be the wires? I tried to remove and reconnect whatever wires were inside my tower, since I know a few months back I had a problem where it kept losing connection to my main hard drive; I had to simply unplug the cable from my main hard drive and plug it back in to fix it... I don't know what the problem was but it was fixed straight away, not for this though...

So basically I can't reformat nor get rid of this problem >.>

This problem stops most of my websites from being viewable, and whatever I type gets keylogged (although none of the software detected a keylogger) and brings up advertising depending on what I type... This spyware must be old, since the file I downloaded was probably from 2006-2007ish.


Sorry for this VERY long post, I'm tired, sleepy and it's 11PM. I've been trying to get rid of this damn problem since 1PM today and for 8hrs++ yesterday and the day before >.<


I'll post a HijackThis log just in case.
I'll post the viruses found by my ESET antivirus tomorrow when I run a full scan (AGAIN!!!)

Thank you for reading this.


BTW sometime earlier I thought I had this problem fixed: Google was loading and everything seemed fine (although I still knew something was wrong since my comp was kinda slow...), but it seems it's back again. Now I left one of the Google searches on and it's still loading.... ._. 1hr+ and still loading, no error messages or anything.


Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30:34, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\RAMASST.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\SYSTEM32\Restore\rstrui.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [BMdb4bee88] Rundll32.exe "C:\WINDOWS\system32\jrykqlqy.dll",s
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\SYSTEM32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1201905555092
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: DVD-RAM_Service - Matsu@@@@a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6517 bytes
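
Added example (not part of the original post or of the forum's tooling): a short Python triage pass over the O4 autorun lines of the HijackThis log above, listing Run-key entries that launch a DLL through rundll32 and scoring each one. The three heuristics and the threshold of two are assumptions fitted to this log, not a general detection rule, and all function names are hypothetical.

```python
import re

# O4 lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMdb4bee88] Rundll32.exe "C:\WINDOWS\system32\jrykqlqy.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$')
# rundll32 command line: optional quotes around the DLL path, then ",<export>"
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)

def rundll32_autoruns(log_text):
    """Yield (hive, value_name, dll_path, export) for O4 entries that start rundll32."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        r = RUNDLL_RE.match(m.group(4)) if m else None
        if r:
            yield m.group(1), m.group(3), r.group(1), r.group(2)

def indicators(name, dll_path, export):
    """Return the heuristic indicators (assumptions, see lead-in) that an entry trips."""
    stem = dll_path.rsplit('\\', 1)[-1][:-4].lower()
    hits = []
    if re.fullmatch(r'[A-Za-z]{0,3}[0-9a-f]{8}', name):
        hits.append('value name ends in 8 hex digits')
    if re.search(r'[^aeiou\W\d_]{6,}', stem):
        hits.append('6+ consecutive consonants in DLL name')
    if len(export) <= 2:
        hits.append('one- or two-character export name')
    return hits

def triage(log_text, threshold=2):
    """Return {dll_path: indicators} for rundll32 autoruns at or above the threshold."""
    flagged = {}
    for _hive, name, dll, export in rundll32_autoruns(log_text):
        hits = indicators(name, dll, export)
        if len(hits) >= threshold:
            flagged[dll] = hits
    return flagged

if __name__ == '__main__':
    for dll, hits in triage(SAMPLE_LOG).items():
        print(dll, '->', '; '.join(hits))
```

On these four lines the NVIDIA control-panel entry is listed as a rundll32 autorun but trips no indicator, while the `BMdb4bee88` entry trips all three.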
  #2 (permalink)  
Old 14-05-2008, 05:28 AM
Dan Penny
D-A-L Staff
 
Join Date: Mar 2005
Posts: 3,766
Try the measures outlined here; http://www.techhelpforum.com/showthread.php?t=5808

If this doesn't help, or other issues remain, then please follow the instructions here -> HiJackThis prerequisites, and then post your log in a new thread in the Spyware, Adware, Viruses and HijackThis Logs Forum.

If you don't get a response in a day or two, then...

Follow the instructions here-> HiJackThis prerequisites. There are important measures outlined here which affect and "optimize" the outcome of your HJT log.

Then post your log in a new thread in the Spyware, Adware, Viruses and HijackThis Logs Forum.

(Not in this section please).
__________________
It's a good day when you learn something
-----------------------------------------------------------
Location: Alberta, Canada
>>>> D-A-L Site and Help Forums Rules <<<<
As stated in the rules (Section B, 3.), do not Private Message staff members for help. Please post your problem in the appropriate forum.
When your problem is publicly posted, site members on the forums can contribute possible solutions and/or benefit from posted solutions.
As also stated in the rules (Section B, 6.) please do not Hijack other members posts.