Hooray for Viruses and Worms! (HELP ME)

I have recently attained some sort of evil oddity. Good old Avast found it, whereas all others failed pretty much. Avast has attempted and succeeded in removing multiple files. “mezzicodec.net” seems to appear in the log. Through a brief search of the internet, I was unsuccessful at finding the locale of this annoying little thing.

The things it does are as follows. One: It reinstalls itself. Two: When using the internet, and not, it makes pop-ups. Firefox is IMMUNE to pop-ups, but this virus is SMART and opens IE. I know my processes, and strike down the ones I know are the cause, but it STILL recovers itself and retains its ability to spam advertisements.

  1. How was it detected? What was scanning: you yourself, or the background scanner? When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.?

First it appeared during the running of a self-extracting .exe file, which opened a dos window and began spreading I believe. It has been detected since then multiple times by the scanner, but cannot be removed. I DO delete the files after killing the process, but to no avail.

  2. What was the source of the file; where did the file come from? E.g. address, URL, source.

Well, I am a gamer, and I wanted to see if there was a CD-Key of a game called “War Rock” that I could use. It needs a promo code to access stuff if you have the retail CD. It is freeware otherwise, but I wondered if there was a code lying about. So, I Googled “war rock promo code” and out came a link that caught my eye. “Keygen (software keys generator): war rock promo code keygen …” Well, it was late, and I was too sleepy to consider the consequences. (Normally I don’t fall for this bull.) The exact URL is “http: // keygen.name/serial/war_rock_promo_code.html”.

  3. When was it downloaded or received?

I downloaded it a day or so ago.

  4. What is the exact file name, with extension?

war_rock_promo_code_keygen.exe

  5. What was the exact wording of the message that the AV program came up with? This is important for later.

Oh, like I would remember this one. It spammed warnings galore when I ran this. At the time, I was thinking, “OH GOD WHAT WAS I THINKING” and immediately closed the dos window it opened. (It must have run for about three seconds tops… because I had to tell Avast to stop the connections it was trying to make, so I was stalled for a while.) It installed all over the place I think during that time. I hope the log’s record is better.

The warning section since start of problem:
6/2/2007 9:15:38 PM SYSTEM 1836 Sign of “Win32:Alphabet [Trj]” has been found in “http: // l.mezzicodec.net/a412/de.php?b=779[PECompact]” file.
6/2/2007 9:15:56 PM SYSTEM 1836 Sign of “Win32:Agent-FDG [Trj]” has been found in “http: // l.mezzicodec.net/a412/sv.php?m=1&b=779” file.
6/2/2007 9:16:00 PM SYSTEM 1836 Sign of “Win32:Agent-ECD [Trj]” has been found in “http: // l.mezzicodec.net/a412/tr.php?m=1&b=779[PECompact]” file.
6/2/2007 9:16:11 PM SYSTEM 1836 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]” file.
6/2/2007 9:30:44 PM SYSTEM 1836 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\John\LOCALS~1\Temp\hivhnolj.dll” file.
6/2/2007 9:51:04 PM John 3784 Sign of “Win32:Balloon [Adw]” has been found in “C:\WINDOWS\system32\ascbalo3N.dll” file.
6/2/2007 9:51:20 PM John 3784 Sign of “Win32:Balloon [Adw]” has been found in “C:\WINDOWS\system32\ascbalon.dll” file.
6/3/2007 1:20:53 AM John 2216 Sign of “Win32:Pwdump-B [Tool]” has been found in “C:\Documents and Settings\John\Local Settings\Temp\RarSFX1\pwdump2\pwdump2.exe[UPX]” file.
6/3/2007 1:21:52 AM John 2216 Sign of “Win32:Pwdump [Tool]” has been found in “C:\Documents and Settings\John\Local Settings\Temp\RarSFX1\pwdump2\samdump.dll[UPX]” file.
6/3/2007 1:22:18 AM John 2216 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\John\Local Settings\Temp\win46.tmp.exe[UPX]” file.
6/3/2007 1:44:06 AM John 2216 Sign of “Win32:Small-AFK [Trj]” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP120\A0131428.exe” file.
6/3/2007 1:44:12 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP120\A0131429.exe” file.
6/3/2007 1:44:16 AM John 2216 Sign of “Win32:Nethief-W [Trj]” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131548.exe” file.
6/3/2007 1:44:16 AM John 2216 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131550.exe” file.
6/3/2007 1:44:16 AM John 2216 Sign of “Win32:Fontra-B” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131556.exe” file.
6/3/2007 1:44:25 AM John 2216 Sign of “Win32:Downloader-AS [Trj]” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131598.exe” file.
6/3/2007 1:44:26 AM John 2216 Sign of “Win32:Qhost-AI [Trj]” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131620.exe” file.
6/3/2007 1:44:27 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131625.exe” file.
6/3/2007 1:44:35 AM John 2216 Sign of “Win32:Agent-FMH [Trj]” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131649.exe” file.
6/3/2007 1:44:37 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131681.exe” file.
6/3/2007 1:44:49 AM John 2216 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131770.exe” file.
6/3/2007 1:44:52 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131817.exe” file.
6/3/2007 1:48:06 AM John 2216 Sign of “Win32:Balloon [Adw]” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP125\A0133247.dll” file.
6/3/2007 1:48:11 AM John 2216 Sign of “Win32:Balloon [Adw]” has been found in “C:\System Volume Information_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP125\A0133248.dll” file.
6/3/2007 5:45:26 AM John 2188 Sign of “Win32:Ardamax-CG [Trj]” has been found in “C:\Documents and Settings\John\Local Settings\Temp@4E.tmp” file.
6/3/2007 11:24:53 AM SYSTEM 1864 Sign of “Win32:Alphabet [Trj]” has been found in “http: // l.mezzicodec.net/a412/de.php?b=779[PECompact]” file.
6/3/2007 11:25:10 AM SYSTEM 1864 Sign of “Win32:Agent-FDG [Trj]” has been found in “http: // l.mezzicodec.net/a412/sv.php?m=1&b=779” file.
6/3/2007 11:25:21 AM SYSTEM 1864 Sign of “Win32:Agent-ECD [Trj]” has been found in “http: // l.mezzicodec.net/a412/tr.php?m=1&b=779[PECompact]” file.
6/3/2007 11:25:25 AM SYSTEM 1864 Sign of “Win32:Agent-HDR [Trj]” has been found in “http: // l.mezzicodec.net/a412/mc.php?m=1&b=779[UPX]” file.
6/3/2007 11:25:31 AM SYSTEM 1864 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]” file.

I deleted my system restore due to the agitation of this find while I ran a scan. Pay attention to the ones that were not in the system restore.

  6. Now go back and do nothing yet. Scan the particular file once again with your AV product.

Heh, found nothing; I scanned it in advance of opening it too.

A. The message is in the same wording: maybe a positive alert.

No message, but I am NOT opening this thing again.

B. If the message is not in the same wording or the scan does not find anything, this could be a false positive.

False positive? … Yeah sure, then EXPLAIN THE POP-UPS!

  7. Check with an online scanner or upload to Jotti for a second opinion. Jotti resides at http://virusscan.jotti.org/

I plan to do this momentarily… Installing ClamWin on a USB drive to use.

  8. Go get informed: ask a Virus Encyclopedia or Virus Central, or put a question on a forum.

I’ll do this as well eventually.

  9. Make an informed decision on the basis of what you have found.

Informed decision? Okay, let’s see… (Insert a crazy man laughing on Normandy Beach.) Hmm, it backs itself up multiple times. Thus far, it has not infected files, just hidden itself and run. It has hidden as svchost.exe, a few “spam” processes, etc. How to describe it? It seems to send stuff out on occasions; I blocked the locations it wanted to contact with my router. It has been a tad more dormant since Avast pummeled it on occasions. I think it is a keylogger and it sends out information about passwords, etc. Oh, it DOES infect over networks. It managed to infect the other PC, which is being given a final scan, to see if it was properly cleaned. Unfortunately, Avast can’t beat it on this system I am using. (Insert the same man on the beach looking to the sky screaming an elongated “WHY” at the top of his lungs.)

  10. Inform others about what you have learned; if the file came from a reliable source, author, programmer etc., send a friendly e-mail with your findings. This will help us all.

“Inform”? Uh… it’s evil.
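The warning-log lines quoted in the post, triaged the way the poster suggests (detections inside System Restore are stale copies; the ones outside it are what is still live). This is an added example, not code from the thread or from Avast; it assumes the avast! 4.x warning-log line layout exactly as quoted and uses five of the post's own lines as a constructed sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: five lines copied from the post's avast! warning log
# (date, time, account, PID, signature, location). In practice pass the whole
# exported log as one string.
SAMPLE_LOG = r'''
6/2/2007 9:15:38 PM SYSTEM 1836 Sign of "Win32:Alphabet [Trj]" has been found in "http://l.mezzicodec.net/a412/de.php?b=779[PECompact]" file.
6/2/2007 9:16:11 PM SYSTEM 1836 Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]" file.
6/2/2007 9:30:44 PM SYSTEM 1836 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\John\LOCALS~1\Temp\hivhnolj.dll" file.
6/3/2007 1:44:06 AM John 2216 Sign of "Win32:Small-AFK [Trj]" has been found in "C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP120\A0131428.exe" file.
6/3/2007 11:24:53 AM SYSTEM 1864 Sign of "Win32:Alphabet [Trj]" has been found in "http://l.mezzicodec.net/a412/de.php?b=779[PECompact]" file.
'''

# One warning line; both straight quotes and the forum's curly quotes are accepted.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"]+)[”"] '
    r'has been found in [“"](?P<where>[^”"]+)[”"] file\.$'
)
PACKER_RE = re.compile(r'\[([A-Za-z0-9!]+)\]$')   # trailing [PECompact] / [UPX]
SIG_RE = re.compile(r'^(?P<family>.+?)(?: \[(?P<cls>[A-Za-z]+)\])?$')


def classify(where):
    """Bucket a detection by where avast found it; only two buckets are live."""
    w = where.lower().replace(" ", "")          # forum link-breaking inserts spaces
    if w.startswith(("http:", "https:", "ftp:")):
        return "remote_url"       # blocked while being fetched, nothing on disk yet
    if "systemvolumeinformation" in w:
        return "restore_point"    # stale copy held by System Restore, not executing
    if "\\temp\\" in w:
        return "temp_file"        # dropped payload, typically a downloader's output
    return "live_file"


def parse_log(text):
    """Turn warning-log text into dicts; lines that are not warnings are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                        "%m/%d/%Y %I:%M:%S %p")
        pm = PACKER_RE.search(rec["where"])
        rec["packer"] = pm.group(1) if pm else None
        rec["where"] = PACKER_RE.sub("", rec["where"])
        sm = SIG_RE.match(rec["sig"])            # "Win32:Alphabet [Trj]" -> family, cls
        rec["family"], rec["cls"] = sm.group("family"), sm.group("cls")
        rec["location"] = classify(rec["where"])
        records.append(rec)
    return records


def triage(text):
    """Summarise: counts per bucket, live detections, URLs re-fetched on later days."""
    records = parse_log(text)
    live = [(r["family"], r["where"]) for r in records
            if r["location"] in ("live_file", "temp_file")]
    days = defaultdict(set)
    for r in records:
        if r["location"] == "remote_url":
            days[r["where"]].add(r["when"].date())
    # The same URL blocked on different days means something still on the host
    # keeps re-downloading it: that is the "reinstalls itself" symptom.
    recurring = sorted(u for u, d in days.items() if len(d) > 1)
    return {"total": len(records),
            "by_location": dict(Counter(r["location"] for r in records)),
            "live": live,
            "recurring_downloads": recurring,
            "families": Counter(r["family"] for r in records)}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary["by_location"])
    for family, where in summary["live"]:
        print("live:", family, where)
    print("re-fetched:", summary["recurring_downloads"])
```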

Please, remove the live links to infected sites :frowning:

Besides this, welcome to avast forums, can we help you in anything?

The links were created automatically. I did not tell that to happen… what do I put to remove that? (Taken care of…)

Also, thanks for the greeting. The definition of help in this case is, tell me what I did wrong in the removal process, and how can I remove this stupid virus? (I think I gave enough info on it in my first post.) The thing won’t go away, even after tracking down things via dates and connections in processes that are associated and removing those as well.

You need to modify your post and break the links so they aren’t active/clickable, e.g.:
http :// keygen.name/serial/war_rock_promo_code.html (keygens can often be accompanied by an unwanted gift, trojan)
http :// l.mezzicodec . net/a412/tr.php?m=1&b=779

That way they can’t be accidentally clicked by the unwary or curious.

There is frequently more than one file to an infection, there could be another running file that restores the infection being detected by avast. Disable system restore and reboot.
The c:\System Volume Information folder is a part of the system restore function and as such is protected by windows, the only really effective way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.

Windows XP System Restore Guide

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. AVG Anti-Spyware (formerly Ewido) if using WinXP, or a-squared Free if using Win98/ME. Or SUPERAntiSpyware, or Spyware Terminator.

If a virus is replicant (coming and coming again), you should:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Anti-Spyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you’re still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

keygens: Yes, I KNOW THEY ARE ACCOMPANIED, I was tired and wasn’t thinking straight when I downloaded the blasted thing. (mental fatigue makes one do stupid things)

system restore: I know all about that procedure, and did it already. I removed every aspect of that before even posting.

#1: Did that prior to posting.
#2: Did that prior to posting.
#3: Did that prior to posting. However, SafeMode is not a good idea… I don’t think I will be safe then. It IS integrated into Windows somewhere… I don’t know where, or I wouldn’t be asking for help.
#4 Still in the works…
#5 Ran a few, not the recommended ones though, and found nothing.
#6 I’ll keep that in mind (if I don’t kill myself removing this thing).

I would like to add that I am not some sub-par PC user. I am not a guru either, but I know my way around the common stuff, in example (because IE would have been a bad pun) what everything in my task manager is for, and does.

We offer advice based on what you tell us and since you didn’t say you had disabled system restore we offered it. It is often easier to simply post a link to a how to disable system restore than make an assumption that the poster knows (it saves time if they would have had to ask). If you did I apologise for missing it, but the post was very long.

#3: Did that prior to posting. However, SafeMode is not a good idea... I don't think I will be safe then. It IS integrated into Windows somewhere... I don't know where, or I wouldn't be asking for help.

I don’t know where you get this “I don’t think I will be safe then” from.

Tech offered an avast safe mode scan as an alternative if you weren’t using an OS that supports the boot-time scan (win98x, winME) as you didn’t say what your OS was.

I suggested safe mode for running the anti-spyware apps listed, as I guessed that you are using XP from the C:\System Volume Information.

In safe mode many applications/files don’t run; avast doesn’t run by default but must be started. That is the idea: to have a minimum of things started, to give the anti-spyware tools you are going to run the ability to deal with malware that might otherwise be running.

#5 Ran a few, not the recommended ones though, and found nothing.

Again you don’t say what it is you ran, we don’t know, so we get the same issue as with disabling system restore: offering things you have tried. The anti-spyware apps we have suggested have proven themselves over time at finding and dealing with undetected trojans and they are best run from safe mode.

Understandable, it was a long post. I assume I did not specify that I turned it off. Rather, I only mentioned deleting it out of rage.

By not safe, I mean that explorer.exe, which runs in SafeMode, unless I am mistaken, is infected, and is not being shown in the scans. Spyware Terminator finished running and found a few things, which proved I was correct, but to no avail. I am going to run it again before I go to sleep.

Yes, my OS is XP.

explorer.exe is definitely infected. SafeMode does load explorer.exe I would assume, so I am really skeptical if that is a good idea.

List of things I ran: (Not necessarily in order.)
Avast
Spyware Terminator
Ad-Aware SE
Spybot
Clam
HiJackThis
Norton (2003)
The Ultimate Troubleshooter
AVG Anti-Rootkit

I browsed for “recently created things” and since I have so much stuff to sort, the search is unreliable. I did delete a few things, but to my disappointment, nothing.

Note: While I was writing this, WinAntiVirus Ads were displayed MANY times. By many, I mean three times. Other things were displayed too. I took about 10 minutes writing this. The problem seems to be progressing into a worse state with the more anti-virus programs I run. (Note to self: STAB the person responsible for WinAntiVirus2006 in the face.)

There is a dim light at the end of the tunnel that is slowly fading… Over it, the blue screen of death is defeated by an overwhelming screen of spam. Oh, Firefox is NOW affected by the virus. (Note: Stuff is infected, so I can certainly call this a virus.) Firefox opens multiple new tabs on occasions. Meanwhile, the frequency is increasing. I am tempted to lock my connection, except when consulting this forum / downloading tools. The other computer seems to be clean for now, so I can denounce the virus as a worm… for now.

From looking at the code I can confirm that it’s a virus :frowning:
When downloading .exe files, always check www.virustotal.com

Al968

Note: While I was writing this, WinAntiVirus Ads were displayed MANY times. By many, I mean three times. Other things were displayed too. I took about 10 minutes writing this. The problem seems to be progressing into a worse state with the more anti-virus programs I run.

This is a rogue malware and I would suggest that you try the RogueRemover as that has WinAntiVirus 2006 in its list of rogue apps it can deal with, available here http://www.malwarebytes.org/rogueremover.php.
Also see http://forum.avast.com/index.php?topic=25179.msg206085#msg206085. This particular piece of scumware isn’t likely to be the main cause of the problem, but possibly just something downloaded by the main problem.

If as you say explorer is infected, upload it to virustotal to confirm and if detected show the results as the malware/virus name may aid in its removal. However, I suspect it may be a code injection style infection and until run explorer.exe would appear clean. This again would suggest there are other elements to the infection and based on the different tools you have tried I would suggest more of the anti-rootkit tools suggested by Tech.

You say you used Norton 2003, how did you do this? If installed on your system how did you remove it?
NAV is notorious for conflict with other AVs and even when uninstalled can leave remnants, avast if it detects NAV will often disable elements to try and avoid conflict.

What is your firewall ?
If you don’t have one that is capable of blocking unauthorised outbound Internet Connections (XP’s firewall doesn’t) more malware could be being downloaded.

Yeah, I know it is from the source, but I wondered if that info could help pinpoint what exactly the problem is.

I am loading tons of suspicious .dll files that I have noticed. One (found) culprit is listed below.

I haven’t the slightest clue how it worked, but Norton did nothing to assist or stop me. After your comments on it, I have removed Norton, since I think it did nothing anyway.

ZoneAlarm is my firewall. I know it isn’t the latest version, but it does block things for me properly.

ZoneAlarm version:6.5.737.000
TrueVector version:6.5.737.000
Driver version:6.5.737.000


New update: I have a “ekfhrawe.dll” that is reported on VirusTotal as an issue. For the record, I cannot figure out what process is protecting it, but it is immune to deletion, and I have stripped my task manager to the bone trying to delete it. No results. Is it intertwined with explorer, hence my assumption of explorer.exe being infected?
(Side note, the scanners I am using did not detect it. JUST GREAT!)

Complete scanning result of “ekfhrawe.dll”, received in VirusTotal at 06.04.2007, 22:07:38 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.04.2007 Win-Trojan/Infostealer.125440
AntiVir 7.4.0.29 06.04.2007 TR/Dldr.ConHook.Gen
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 no virus found
AVG 7.5.0.467 06.04.2007 no virus found
BitDefender 7.2 06.04.2007 no virus found
CAT-QuickHeal 9.00 06.04.2007 no virus found
ClamAV devel-20070416 06.04.2007 no virus found
DrWeb 4.33 06.04.2007 no virus found
eSafe 7.0.15.0 06.04.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3690 06.04.2007 no virus found
Ewido 4.0 06.04.2007 no virus found
FileAdvisor 1 06.04.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 suspicious
F-Prot 4.3.2.48 06.04.2007 no virus found
F-Secure 6.70.13030.0 06.04.2007 Packed.Win32.Morphine.a
Ikarus T3.1.1.8 06.04.2007 MalwareScope.Trojan-Spy.BZub.1
Kaspersky 4.0.2.24 06.04.2007 Packed.Win32.Morphine.a
McAfee 5045 06.04.2007 no virus found
Microsoft 1.2503 06.04.2007 VirTool:Win32/Obfuscator.E
NOD32v2 2307 06.04.2007 probably a variant of Win32/Adware.BHO.V
Norman 5.80.02 06.04.2007 W32/BHO.QG
Panda 9.0.0.4 06.04.2007 Suspicious file
Prevx1 V2 06.04.2007 no virus found
Sophos 4.18.0 06.01.2007 Mal/BHO-C
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 06.04.2007 no virus found
TheHacker 6.1.6.129 06.04.2007 no virus found
VBA32 3.12.0 06.04.2007 Adware.Crew
VirusBuster 4.3.23:9 06.04.2007 no virus found
Webwasher-Gateway 6.0.1 06.04.2007 Trojan.Dldr.ConHook.Gen

Additional Information
File size: 125460 bytes
MD5: 8f111a360bb6d056ffcd1d5de8dea897
SHA1: 961645648e68885351df1bd91e2963a963bafb3a
packers: MORPHINE


Also, “iexplore.exe” keeps asking to connect to the internet.
I believe this to be a tad strange, since it has never asked that before.

(Might I say, my internet speed has decreased lately, but not because of the cable company or downloading. Maybe the new programs I just installed are all screaming at each other, “HEY! I WANNA SCAN THAT! NU! I DEW! MY TURN!” Meanwhile, I am stranded WAITING for them to make up their mind.)

I am severely considering backing up the files I know are safe to a usb drive, and reloading from an image I made a few months ago.

Hi pirate1337,

Whenever you have to click an actual link behind which there could be malware lurking, you have to be protected. If you are not on trustful terrain you should have the NoScript add-on installed, and enabled. It protects you against all sorts of devious ways to infect you through various scripts. Then before you try to click a link you do not trust, install DrWeb’s hyperlink pre-scanner add-on inside the Firefox browser, and you can feel rather protected. In the line of things you do, the B.I.S.S. IP List Management Tool also seems valuable for you to block various sites that track or could infect you.

How to Remove InfoStealer Trojan?
InfoStealer Description:

InfoStealer is a Trojan that monitors system processes and logs user information. It has many variants.

Also known as: Infostealer.Salira, PWS-Mafia, Trojan-PSW.Win32.Bumaf.c

InfoStealer Removal:

To remove InfoStealer, please follow the instruction:

  1. Terminate the processes in Task Manager:
    backup.exe
    winrarshell32.exe
    w32bumaf-c.exe

  2. Click Start > Run. Type REGEDIT. Then click OK. Navigate to and delete the subkeys:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run winrarshell
    HKEY_CURRENT_USER\software\bgm
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run backup

  3. Remove the files mentioned above in Explorer.

Surf safe,

polonus

Sorry this is just a quick post, I have some other work to be getting on with. Hopefully Polonus will have given enough to be getting on with also.

Yeah, I know it is from the source, but I wondered if that info could help pinpoint what exactly the problem is.

I doubt that the symptoms or loading of specific software namely the WinAntiVirus 2006 would identify the malware at the root of the problem.

I am loading tons of suspicious .dll files that I have noticed. One (found) culprit is listen below.
Don't delete the ekfhrawe.dll before sending a sample to avast.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

File removal tools:

Have you checked explorer on virustotal as suggested ?

Also, "iexplore.exe" keeps asking to connect to the internet. I believe this to be a tad strange, since it has never asked that before.

Check the spelling it may not be iexplore.exe but 1explore.exe or iexp1ore.exe or iexpl0re.exe as ZA would only ask if it was a different file or it had changed, it may also be worth checking that on virustotal.

It may be worth a trip into the zone alarm program control and delete all permitted applications and force it to ask permission again and check each request (primarily the explorer.exe and iexplore.exe and others if this doesn’t reveal anything) file name and location to see if it is a legit file in the correct location. Your ZA isn’t the latest version, 7.something currently.
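DavidR's two checks above (is the spelling really iexplore.exe, and is the file in the folder it belongs in) applied to a list of firewall prompts. This is an added example, not code from the thread or from ZoneAlarm; the expected Windows XP folders for the three names the thread mentions are an assumption, and the request list is constructed.

```python
from collections import Counter

# Expected folders for names the thread says the malware impersonated or that
# ZoneAlarm prompted about. Default Windows XP locations are an assumption.
LEGIT = {
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "svchost.exe":  r"c:\windows\system32",
}
# Look-alike substitutions DavidR lists (1 for i/l, 0 for o) folded to one form.
CONFUSABLE = {"1": "l", "i": "l", "l": "l", "0": "o", "o": "o"}


def normalize(name):
    """Fold visually confusable characters so iexp1ore == iexplore == iexpl0re."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in name.lower())


def osa_distance(a, b):
    """Edit distance that counts a swap of adjacent letters (scvhost) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_request(name, folder):
    """Verdict for one 'program wants to connect' prompt: file name plus folder."""
    name_l, folder_l = name.lower(), folder.lower().rstrip("\\")
    if name_l in LEGIT:
        # Right name: the only remaining question is whether it lives where it should.
        return "ok" if folder_l == LEGIT[name_l] else "wrong_location"
    # Not a watched name: is it one letter, swap or look-alike away from one?
    best = min(LEGIT, key=lambda legit: osa_distance(normalize(name_l), normalize(legit)))
    if osa_distance(normalize(name_l), normalize(best)) <= 1:
        return "lookalike_of:" + best
    return "unknown"


def triage(requests):
    """Run every (name, folder) pair and collect the ones that need a second look."""
    verdicts = [(name, folder, check_request(name, folder)) for name, folder in requests]
    flagged = [v for v in verdicts if v[2] != "ok"]
    return {"counts": Counter(v[2].split(":")[0] for v in verdicts), "flagged": flagged}


# Constructed entries in the shape of ZoneAlarm program-control rows.
SAMPLE_REQUESTS = [
    ("iexplore.exe", r"C:\Program Files\Internet Explorer"),
    ("iexp1ore.exe", r"C:\Documents and Settings\John\Local Settings\Temp"),
    ("svchost.exe",  r"C:\WINDOWS"),
    ("scvhost.exe",  r"C:\WINDOWS\system32"),
    ("explorer.exe", r"C:\WINDOWS"),
    ("notepad.exe",  r"C:\WINDOWS"),
]

if __name__ == "__main__":
    for name, folder, verdict in triage(SAMPLE_REQUESTS)["flagged"]:
        print(f"{verdict:24} {folder}\\{name}")
```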

This is a losing battle. One step forwards, two steps back… I will send that sample if my computer wills it to be done.

I am backing up my files as I am typing this, knowing what may happen before the end of today. This is not looking good at all. Something else has entered my computer, and the scanners cannot find it.

A slight positive, the pop-ups have stopped for now. However, the OS is having trouble. I can tell, because it takes 10 seconds to right click files, whereas it was instantaneous before the infection. Surprisingly, I am still capable of using this system, but not for any gaming.

Quite literally, the thing has won. I am currently using the last life of this OS’s installation to write this post. Kind of dramatic, but true. My files are finishing their backup after a few long hours of wait.

I have no clue what this thing is anymore, the previous details are no longer relevant. It literally spammed Avast into submission. AVG Anti-Spyware followed suit. Spyware Terminator somehow is still alive, using 600MB of RAM, and causing a 1.4GB paging file. I doubt it is working anymore. (My keyboard just had a lag spike.) This is seriously becoming a horror film, I am watching the text appear 10 seconds after I type it. Everything is spiking in speed. I sent that sample .dll, but I doubt that has anything to do with this. The downloader must have finally slipped past ZoneAlarm or something.

Well, I tried, you guys tried, thanks for all your help. I plan to redo my install tomorrow. Whatever this thing is, I hope there is a cure for the next poor soul who attains this.

That’s about it.

Hi pirate1337,

Sometimes the thing that happened to you here, cannot be avoided. It is always very sad that you have to say good-bye to an OS in such a manner.
It is a bit of a mournful moment after you have given it the attention you did, but as we say: “R.I.P. to the compromised systems”. Next time around, install full protection, update, and upgrade all your programs, java version, install all the patches when they become available… etc. Make incremental back-ups of your OS every week or so. And the lesson learnt: “Once bitten - twice shy, and act accordingly”.
Welcome to the forums, stick around, and the next time you can help others.

polonus