Results 1 to 19 of 19

Thread: [RESOLVED] Annoying Problem At Startup

Threaded View

  1. Dec 31st, 2005, 11:11 AM #1
    wiccaan
    wiccaan is offline

    Thread Starter
    Hyperactive Member wiccaan's Avatar
    Join Date
    Apr 2004
    Location
    127.0.0.1
    Posts
    475

    Resolved [RESOLVED] Annoying Problem At Startup

    This problem has just started occuring today. I dont know what caused it any its starting really "piss" me off. Ive been running this copy of windows for about a half a year now without problems until now. (Windows XP Pro)

    This morning I come back to my computer and everything was fine. I talked to a few friends online over TeamSpeak and was playing a game (FFXI) without any problems. Then when I tried to open FireFox it wouldnt open.

    First thing I did was Ctrl + Alt + Delete to see if it was running and had crashed.

    Task manager pop'd up, and closed instantly. I tried again, same result. It opened for about all of 1-2 seconds and closed instantly.. so I took a screen shot as it opened and got what was running.

    I noticed a few new process's on this list that I have never run / seen before. So I did a google scan on these processes and found some where basic adware and spy ware and got them removed.

    So I restarted my computer and logged on. The first thing to happen was Internet Explorer pop'd up. Mind you, I NEVER use IE cause it sucks and is crappy for protection and stuff..

    It pop'd open with this site:

    ( CAUTION!! DO NOT CLICK THIS LINK IF YOU ARE ABLE TO!!!!! )

    hXXp://XXX.gurlstuff.info/dr.html

    (I replaced the TT and WWW with X's to prevent it as showing up as a real link.)

    The name of the site is captioned, "Microsoft Windows Update". I immediatly closed the window and searched the site on Yahoo to try to find anyone posting about this site. The only thing that showed up as this site saying it was part of Microsoft.

    The other thing thats annoying about this site is, is as soon as I start my computer, it pops up everytime and then downloads something to my computer.

    In the direct C:\ folder I find these new files:

    dr.exe
    newspamz.exe
    drsmartload1.exe

    And Im guessing they all start themselves after they download.

    Im able to delete all of them but when I restart they all come back.

    Now the tricky part...

    TaskManager, Regedit, and msconfig are all disabled from opening now cause of this. Anytime I try to open any of them, they open for about 2 seconds then close immediatly. Making any editing impossible.

    Ive run numerous virus scans with diffrent programs, and HiJackThis can only find a search bar program named:

    SearchSideKick 3

    Which was never there before either. And I cant remove it without it coming back itself.

    Ive done a lot of searching already today and cant find anything to remove these process's from autostarting and coming back. And I cant get rid of any of them either.

    This is becoming rather annoying, and I dont know what these programs are doing to alter my computer and I really dont want to take the chance of other security risks.

    Im asking if anyone else has had / seen this problem before and knows how to rid of it perminity. Or if they know of any info on it at all. I want this gone now

    Please.. any help at all.

    ===== EDIT =====

    Some more things to add to this:

    I just noticed that HiJackThis, StartUpWatcher, AdAware, Win32DASM, and a few other programs CAN NOT run without their initial exe name being changed.

    This virus / trojan / what ever it is is blocking this programs from running to try to stop them from ridding of it..

    Win32DASM String References...

    If any of you have used this dissassembler this is the string references in the drsmartload1.exe I did it on this file cause it has the inital VB6 icon.
    Code:
    "  "
"*‡KÓ©z"
"!!f@"
""@"
"$$"
"$@"
"%%0"
"%%²@"
"&&id="
"&&land="
"//donotdelete.asp"
"//smartload_stats.asp?a=a_n_u&exe="
"//smartload_stats.asp?a=a_u&exe="
"//smartload_stats.asp?exe="
"//smartload_stats_d.asp?naam="
"|||"
"Ä$@"
"bbody"
"cc:\"
"cc:\windows\drsmartload.dat"
"ccontent.dollarrevenue.com/bundle"
"Уµ
¶åЫõ"
"hhttp://"
"hhttp://content.dollarrevenue.com/bundle/smart"
"hhttp://promo.dollarrevenue.com/bundle/smartlo"
"IID"
"iinnertext"
"IInstalled"
"l$@"
"RREGEDIT.EXE /S ""
"RREGSVR32.EXE /S ""
"SScripting.FileSystemObject"
"SSoftware\Microsoft\drsmartload"
"VB5!6&*"
"ÿ%¬@"
"ÿ%Œ@"
    The attached file can be opened in Wordpad. Its the disassebled file log of that exe if it helps =/

    ==== Another Edit ====
    Other processes found that were never running before:

    notpad.exe
    dr.exe
    timesquare.exe

    And anothing one I cant remember the name of I closed it instantly after getting through HiJackThis's process list. (I had to renamed the HiJackThis.exe to aaa.exe to be able to run it..)
    Last edited by wiccaan; Dec 31st, 2005 at 11:28 AM.
    If my post was helpful please rate it
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules


Click Here to Expand Forum to Full Width