[RESOLVED] Annoying Problem At Startup

[wiccaan]

This problem has just started occuring today. I dont know what caused it any its starting really "piss" me off. Ive been running this copy of windows for about a half a year now without problems until now. (Windows XP Pro)

This morning I come back to my computer and everything was fine. I talked to a few friends online over TeamSpeak and was playing a game (FFXI) without any problems. Then when I tried to open FireFox it wouldnt open.

First thing I did was Ctrl + Alt + Delete to see if it was running and had crashed.

Task manager pop'd up, and closed instantly. I tried again, same result. It opened for about all of 1-2 seconds and closed instantly.. so I took a screen shot as it opened and got what was running.

I noticed a few new process's on this list that I have never run / seen before. So I did a google scan on these processes and found some where basic adware and spy ware and got them removed.

So I restarted my computer and logged on. The first thing to happen was Internet Explorer pop'd up. Mind you, I NEVER use IE cause it sucks and is crappy for protection and stuff..

It pop'd open with this site:

( CAUTION!! DO NOT CLICK THIS LINK IF YOU ARE ABLE TO!!!!! )

hXXp://XXX.gurlstuff.info/dr.html

(I replaced the TT and WWW with X's to prevent it as showing up as a real link.)

The name of the site is captioned, "Microsoft Windows Update". I immediatly closed the window and searched the site on Yahoo to try to find anyone posting about this site. The only thing that showed up as this site saying it was part of Microsoft.

The other thing thats annoying about this site is, is as soon as I start my computer, it pops up everytime and then downloads something to my computer.

In the direct C:\ folder I find these new files:

dr.exe
newspamz.exe
drsmartload1.exe

And Im guessing they all start themselves after they download.

Im able to delete all of them but when I restart they all come back.

Now the tricky part...

TaskManager, Regedit, and msconfig are all disabled from opening now cause of this. Anytime I try to open any of them, they open for about 2 seconds then close immediatly. Making any editing impossible.

Ive run numerous virus scans with diffrent programs, and HiJackThis can only find a search bar program named:

SearchSideKick 3

Which was never there before either. And I cant remove it without it coming back itself.

Ive done a lot of searching already today and cant find anything to remove these process's from autostarting and coming back. And I cant get rid of any of them either.

This is becoming rather annoying, and I dont know what these programs are doing to alter my computer and I really dont want to take the chance of other security risks.

Im asking if anyone else has had / seen this problem before and knows how to rid of it perminity. Or if they know of any info on it at all. I want this gone now

Please.. any help at all.

===== EDIT =====

Some more things to add to this:

I just noticed that HiJackThis, StartUpWatcher, AdAware, Win32DASM, and a few other programs CAN NOT run without their initial exe name being changed.

This virus / trojan / what ever it is is blocking this programs from running to try to stop them from ridding of it..

Win32DASM String References...

If any of you have used this dissassembler this is the string references in the drsmartload1.exe I did it on this file cause it has the inital VB6 icon.

Code:

"  "
"*‡KÓ©z"
"!!f@"
""@"
"$$"
"$@"
"%%0"
"%%²@"
"&&id="
"&&land="
"//donotdelete.asp"
"//smartload_stats.asp?a=a_n_u&exe="
"//smartload_stats.asp?a=a_u&exe="
"//smartload_stats.asp?exe="
"//smartload_stats_d.asp?naam="
"|||"
"Ä$@"
"bbody"
"cc:\"
"cc:\windows\drsmartload.dat"
"ccontent.dollarrevenue.com/bundle"
"Уµ
¶åЫõ"
"hhttp://"
"hhttp://content.dollarrevenue.com/bundle/smart"
"hhttp://promo.dollarrevenue.com/bundle/smartlo"
"IID"
"iinnertext"
"IInstalled"
"l$@"
"RREGEDIT.EXE /S ""
"RREGSVR32.EXE /S ""
"SScripting.FileSystemObject"
"SSoftware\Microsoft\drsmartload"
"VB5!6&*"
"ÿ%¬@"
"ÿ%Œ@"

The attached file can be opened in Wordpad. Its the disassebled file log of that exe if it helps =/

==== Another Edit ====
Other processes found that were never running before:

notpad.exe
dr.exe
timesquare.exe

And anothing one I cant remember the name of I closed it instantly after getting through HiJackThis's process list. (I had to renamed the HiJackThis.exe to aaa.exe to be able to run it..)

[dglienna]

Start up in "Safe Mode with Networking", and then go to www.trendmicro.com using IE. Run their online virus check. Let it scan your disks. If that doesn't work, run Adaware in safe mode.

Alternately,

If you can get to msconfig, choose Selective Startup, click the Services tab, check the box that says "Hide all Microsoft Services" and then disable all. Click Apply then OK. Restart the machine. Then you have a chance to delete it.

[The Phoenix]

Ive run numerous virus scans with diffrent programs, and HiJackThis can only find a search bar program named:

SearchSideKick 3

What AV programs have you used?

And HijackThis only searches for changes made to IE, not for actual viruses, so in this case, its not terribly helpful at eliminating the problem.

However, HijackThis does have some advanced features that might help. Fore example, did you know about the Config button in the lower right? From there, you go to Misc Tools, and you can chesck for hidden data streams and it also has a TaskManager-like window from which you can close running applications.

If you can get to msconfig, choose Selective Startup, click the Services tab, check the box that says "Hide all Microsoft Services" and then disable all. Click Apply then OK. Restart the machine. Then you have a chance to delete it.

Do try that, but also make sure that it worked. Sometimes, even if you delete the files after doiing that, they'll still come back, because another file you haven't found yet will create them.

[dglienna]

And if all else fails, format and reinstall!

[dark_shadow]

This problem has just started occuring today. I dont know what caused it any its starting really "piss" me off. Ive been running this copy of windows for about a half a year now without problems until now. (Windows XP Pro)

This morning I come back to my computer and everything was fine. I talked to a few friends online over TeamSpeak and was playing a game (FFXI) without any problems. Then when I tried to open FireFox it wouldnt open.

First thing I did was Ctrl + Alt + Delete to see if it was running and had crashed.

Task manager pop'd up, and closed instantly. I tried again, same result. It opened for about all of 1-2 seconds and closed instantly.. so I took a screen shot as it opened and got what was running.

I noticed a few new process's on this list that I have never run / seen before. So I did a google scan on these processes and found some where basic adware and spy ware and got them removed.

So I restarted my computer and logged on. The first thing to happen was Internet Explorer pop'd up. Mind you, I NEVER use IE cause it sucks and is crappy for protection and stuff..

It pop'd open with this site:

( CAUTION!! DO NOT CLICK THIS LINK IF YOU ARE ABLE TO!!!!! )

hXXp://XXX.gurlstuff.info/dr.html

(I replaced the TT and WWW with X's to prevent it as showing up as a real link.)

The name of the site is captioned, "Microsoft Windows Update". I immediatly closed the window and searched the site on Yahoo to try to find anyone posting about this site. The only thing that showed up as this site saying it was part of Microsoft.

The other thing thats annoying about this site is, is as soon as I start my computer, it pops up everytime and then downloads something to my computer.

In the direct C:\ folder I find these new files:

dr.exe
newspamz.exe
drsmartload1.exe

And Im guessing they all start themselves after they download.

Im able to delete all of them but when I restart they all come back.

Now the tricky part...

TaskManager, Regedit, and msconfig are all disabled from opening now cause of this. Anytime I try to open any of them, they open for about 2 seconds then close immediatly. Making any editing impossible.

Ive run numerous virus scans with diffrent programs, and HiJackThis can only find a search bar program named:

SearchSideKick 3

Which was never there before either. And I cant remove it without it coming back itself.

Ive done a lot of searching already today and cant find anything to remove these process's from autostarting and coming back. And I cant get rid of any of them either.

This is becoming rather annoying, and I dont know what these programs are doing to alter my computer and I really dont want to take the chance of other security risks.

Im asking if anyone else has had / seen this problem before and knows how to rid of it perminity. Or if they know of any info on it at all. I want this gone now

Please.. any help at all.

===== EDIT =====

Some more things to add to this:

I just noticed that HiJackThis, StartUpWatcher, AdAware, Win32DASM, and a few other programs CAN NOT run without their initial exe name being changed.

This virus / trojan / what ever it is is blocking this programs from running to try to stop them from ridding of it..

Win32DASM String References...

If any of you have used this dissassembler this is the string references in the drsmartload1.exe I did it on this file cause it has the inital VB6 icon.

Code:

"  "
"*‡KÓ©z"
"!!f@"
""@"
"$$"
"$@"
"%%0"
"%%²@"
"&&id="
"&&land="
"//donotdelete.asp"
"//smartload_stats.asp?a=a_n_u&exe="
"//smartload_stats.asp?a=a_u&exe="
"//smartload_stats.asp?exe="
"//smartload_stats_d.asp?naam="
"|||"
"Ä$@"
"bbody"
"cc:\"
"cc:\windows\drsmartload.dat"
"ccontent.dollarrevenue.com/bundle"
"Уµ
¶åЫõ"
"hhttp://"
"hhttp://content.dollarrevenue.com/bundle/smart"
"hhttp://promo.dollarrevenue.com/bundle/smartlo"
"IID"
"iinnertext"
"IInstalled"
"l$@"
"RREGEDIT.EXE /S ""
"RREGSVR32.EXE /S ""
"SScripting.FileSystemObject"
"SSoftware\Microsoft\drsmartload"
"VB5!6&*"
"ÿ%¬@"
"ÿ%Œ@"

The attached file can be opened in Wordpad. Its the disassebled file log of that exe if it helps =/

==== Another Edit ====
Other processes found that were never running before:

notpad.exe
dr.exe
timesquare.exe

And anothing one I cant remember the name of I closed it instantly after getting through HiJackThis's process list. (I had to renamed the HiJackThis.exe to aaa.exe to be able to run it..)

i had those exact programs and they were annoying to get rid of there's a program that is like taskmanger its called process explorer its actually better than task manager you can give it a try it may help when i comes to ending the processes. what happened to me was that there was an exploit running somewhere on my computer called tftp.exe ( inthe system32 i beleive i'm pretty sure its a valid windows process that was being exploited by a trojan but if you delete tftp.exe it wont cause anything bad dont worry) it kept going to random ip and downloading a bunch of sypware if you have any type of firewall (zone alarm is a good one) block the programs from acessing the internet

[The Phoenix]

Another option I just thought of; Can you run the Repair function from your XP Pro CD? That'd probably help alot, at least once you got rid of most of the viruses spawn.

[dark_shadow]

if you can find the location of the files ( provinding your hardrive is not formated in NTFS) you can try using a DOS Boot Disk and delete them that way

[k1ll3rdr4g0n]

@wiccaan
Try all sorts of anti spyware programs, like spybot search and destory. Then if its still there, do some clean up with a resuce CD such as bart PE or knoppix(if you can't get bart pe working). You can even try a windows reinstall (a repair of it, not a format of it).

@dark_shadow
Someone acctually made a DOS boot disk for NTFS, but I don't know how good it is.
I think FreeDOS can handle NTFS don't know.

[dark_shadow]

they did interesting i'll look into it thanks happy new years

[wiccaan]

@dark_shadow

Yes they did. Ive seen it before, I dont have it though.

== Edit ==
http://www.bootdisk.com/
http://www.pcworld.com/downloads/fil...tfg,tfg,00.asp
http://www.ntfs.com/
http://support.microsoft.com/?kbid=301680
========

@Everyone else...

Thanks for the replies everyone. I got most of this problem gone. SurfSideKick 3 is gone now and Im down to 3 single files that keep coming back:

notpad.exe
Drivxp.exe
newspamz.exe

I ran my computer in safe mode this morning and let all of this run:

- HiJackThis (Found a few BHO's and other things that were involved)
- SpyDoctor (Found a few reg problems.)
- Spyware Search and Destroy (Found a bunch of crap dealing with these files)
- Adaware

and did a few other programs like stinger and some online scans. All of them found everything and ridded of it. I restarted the computer back into safe mode again and did the scans all over. All of them came back clean. I was happy then.

So I restarted back into normal mode, and there again was these three files showing back up:

notpad.exe
Drivxp.exe
newspamz.exe

And these three have something to do with the task manager, msconfig, and regedit (as well as other programs) from opening. I used HiJackThis's process list to close them and get access to my programs again, but I cant find out how these things are coming back after my comp just said it was clean..

Any idea's of where these things may reside else where, or how they are getting back onto my system?

[dglienna]

MSCONFIG should tell you what is starting up. If they aren't on the list, then they must have hooked into a system file. Run SFC to replace the system files that may have been affected. SFC /ScanNow

[dark_shadow]

MSCONFIG should tell you what is starting up. If they aren't on the list, then they must have hooked into a system file. Run SFC to replace the system files that may have been affected. SFC /ScanNow

he said msconfig cannot open

these three have something to do with the task manager, msconfig, and regedit (as well as other programs) from opening

try using what i mentioned its called process explorer by Sysinternals its will serve as a task manager until the problem is fixed and try deleting them in DOS like i mentioned b4 that what i did when i had it and that seemed to work

[wiccaan]

It seems that SurfSideKick is hooked into IE now too.. when ever IE is opened it redownloads them. I dont use IE but some programs dont open the default browser and open IE instead and it redownloads itself.

The other programs are easily closed with HiJackThis's process list and I can delete them but when ever I restart they just come back. Its a tad bit annoying...

Wish I could find the source of these files and sue the people doing this crap..

[dark_shadow]

as i mentioned before do you have any firewall software? if so block the main domain of the pop up windows and dont let the programs access the internet

[wiccaan]

I dont want to just block the things from getting the files. I want the perminitly remove them from my system, without having to format, or do a "over" install of windows.

[dglienna]

Did you run SFC (System File Checker) from the command prompt? It may ask for the Windows CD if it finds changed files.

[The Phoenix]

Also, look in your Windows and System32 folders. Arrange the files by modifed date, and look for files with created dates that match the date of your infection. If they have names similar to the files you're trying to get rid of, they're probably connected. Or if they have names that consist of random numbers and letters.

However, don't just go around deleting them of course, cause they could be legit. Google their names and see if that helps.

I've had to do that to a friends computer. It was a pain, but after I deleted all those files from the System32 folder, no other files were ever re-created at startup.

[dark_shadow]

no but in blocking them fro mthe net it isolates the infection and whith them on the interent who know how much more stuff you could be downloading with out your knowledge

[wiccaan]

Ok I got this problem resolved and sorted out. Used a program called Spy Sweeper from Webroot to fix the problem. Was a rootkit that installed a dll into explorer and ran as soon as explorer started. Its gone now and Im happy again

Thanks for the feed back and support guys.