ldeanjames

Please Help-- I Have An Unknown Infection On My System.


In over ten years of computing, I have never had a virus on my system until now. When I upgraded from 98SE to XP Media Center, I immediately installed Lavasoft's Ad-Aware, and later, after trying several popular firewalls, I installed Lavasoft's personal firewall and recently added XoftSpy, too, which did a great job of finding those odd things that Lavasoft might miss.

 

I noticed, though, that the more time I spent doing research, using Google as my search engine, the more nasties would show up as blocked by my firewall. About two weeks ago, I suddenly had pop-up advertising windows jump up constantly, whether I had a browser open or not. The title bar on these pop-ups always started with CiD:

 

I ran my scanners, had Ad-Watch running in the background all the time, but they could find nothing. I tried Google to see if there might be a fix available, but found nothing on pop-ups with CiD:

 

A little over a week ago, Lavasoft's personal firewall began throwing up screens telling me that certain files were asking permission to take control of other functions. One was an executable called 01Cake.exe whose path was C:\Documents and Settings\Owner\Local Settings\Application Data\does dog two city.

 

That was the beginning of the end. I tried downloading scanners and system cleaners I found on Google. The first two attempts loaded applications that were malware in their own right. The third try was Avast!, which ran its first scan from the blue screen before Windows loaded. It found virus after virus and trojan after trojan. But 01Cake was still in the same place and still would not stay deleted.

 

Suddenly I could no longer access the internet, getting server errors, on both my I.E. and Firefox browsers, but found if I ended the Ashwebsv and Ashmaisv processes from Avast!, then set I.E. Advanced to default, I could get back online.

 

I went to msconfig and unchecked 01Cake from startup processes, as well as anything else that didn't really need to run in the background at startup. Another suspicious app called byte name multi I unchecked, then searched for it in the system. I noted this in my Suspicious Activities note pad: BYTE NAME MULTI DIRECTORY W/ "USELESS INFO COMPUTER" FILE AND "BYTE NAME MULTI.EXE." I could delete the folder, but it didn't stay deleted.

 

I found the TEMP directory under my Owner account filled with .tmp files that gave me "Access Denied" when I tried to delete them.

 

I checked on Google for both 01Cake and byte name multi and got no hits. It wasn't until Divxcodecchecker.exe showed up in Lavasoft's firewall under anti leak exclusions, along with several other long Divx exe's, that I got a hit on Google. Divxcodecchecker.exe was malware first detected in Hong Kong on September 17th, this year. No other mention was found then or since.

 

I started searching for something that would help me delete Access Denied files and came across one mention at a Geekstogo forum. The fix was for all kinds of known malware as well as ridding a system of access denied files. By now, Lavasoft kept asking me if I wanted to give permission to RUNDLL32.exe to control other programs. I found dozens of RUNDLL32.exe all over my system.

 

Downloading the one folder called smitrem proved almost impossible because my system was beginning to act up constantly. It took 5 tries but I got it. It involved running one batch file from Safe Mode. But it worked, it wiped all the access denied files off my system.

 

And here's where my story comes to an abrupt end. My system is still infected. I have no clue how to go forward. I have to run the smitrem batch file nearly every day, that's how fast my system fills with RUNDLL32.exe's and loads of .tmp's. Not even an online scan by Panda could find any virus or trojan profiles. I'm at my wit's end. And I need serious help.

 

I emailed Lavasoft support and explained all this and got an email back stating that the tech would begin research into my issue, and was told to come to this forum and start a topic. Haven't heard anything since.

 

I don't understand how this can go on so long without a hint of other systems being infected showing up on some site or other. Can anyone help me? I finally managed to get HiJackThis downloaded onto my system. I'll be glad to run it and post the results, if it will help. I ran it about four days ago and while I don't know the first thing about reading the results, I didn't see anything out of the ordinary.

 

Thanks.


This sounds like a LOP infection which is very difficult for scanners to detect because it changes so frequently.

 

If that is the case, I can help you remove it manually.

 

Are you still needing help?

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

 

If you still need help, please post a fresh HijackThis log so I can see where you are at this point.

 

Also be sure you have run a full system scan with Ad-aware with the latest definition updates. It may already be in detection by now.
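Two of the indicators the thread itself reports can be checked for in a repeatable way rather than by hand: copies of RUNDLL32.exe sitting anywhere other than the System32 directory, and executables living in folders with random-word names under Local Settings\Application Data ("does dog two city", "byte name multi"). The script below is an added example written for this thread; it is not code from the original poster, the helper, Lavasoft, HijackThis or the smitrem tool. The file listing is constructed inline to stand in for a walk of the infected XP machine, and the `SYSTEM32` and `LOCAL_APPDATA` paths, the three-or-more-lowercase-words folder pattern and the 4 MiB read limit are assumptions drawn from the names quoted in the post.

```python
import hashlib
import ntpath
import os
import re

# Assumed locations for the XP machine described in the thread.
SYSTEM32 = r"C:\WINDOWS\system32"
LOCAL_APPDATA = r"C:\Documents and Settings\Owner\Local Settings\Application Data"

# Constructed sample: {path: contents} pairs standing in for a filesystem walk.
# The "contents" are placeholder bytes, not real binaries.
SAMPLE_FILES = {
    SYSTEM32 + r"\rundll32.exe": b"MZ legitimate rundll32 (constructed)",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\rundll32.exe": b"MZ dropped copy (constructed)",
    r"C:\Program Files\Common Files\rundll32.exe": b"MZ dropped copy (constructed)",
    LOCAL_APPDATA + r"\does dog two city\01Cake.exe": b"MZ suspicious (constructed)",
    LOCAL_APPDATA + r"\byte name multi\byte name multi.exe": b"MZ suspicious (constructed)",
    LOCAL_APPDATA + r"\Microsoft\CD Burning\readme.txt": b"benign text",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\~DF1234.tmp": b"junk",
}

# Folder names made of three or more lowercase words, as quoted in the post (assumption).
RANDOM_WORDS = re.compile(r"^[a-z]+( [a-z]+){2,}$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_rundll32_copies(files):
    """Return (path, sha256, matches_system32_copy) for every rundll32.exe
    that is NOT in SYSTEM32. A copy whose hash differs from the System32 one
    is not the Windows binary and deserves a closer look."""
    legit = files.get(SYSTEM32 + r"\rundll32.exe")
    legit_hash = sha256_hex(legit) if legit is not None else None
    hits = []
    for path, data in files.items():
        if ntpath.basename(path).lower() != "rundll32.exe":
            continue
        if ntpath.dirname(path).lower() == SYSTEM32.lower():
            continue
        digest = sha256_hex(data)
        hits.append((path, digest, digest == legit_hash))
    return sorted(hits)


def find_random_name_app_dirs(files):
    """Return .exe files whose top-level folder under Local Settings\\Application
    Data matches the random-word naming pattern reported in the thread."""
    prefix = LOCAL_APPDATA.lower() + "\\"
    hits = []
    for path in files:
        if not path.lower().startswith(prefix):
            continue
        parts = path[len(prefix):].split("\\")
        if len(parts) < 2:
            continue  # file directly in Application Data, no folder to judge
        folder = parts[0]
        if RANDOM_WORDS.match(folder) and path.lower().endswith(".exe"):
            hits.append(path)
    return sorted(hits)


def load_tree(root):
    """Build the same {path: contents} mapping from a real directory tree.
    Files that cannot be opened (the 'Access Denied' .tmp files the post
    describes) are skipped rather than aborting the scan."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) <= 4 * 1024 * 1024:  # assumed read limit
                    with open(full, "rb") as fh:
                        files[full] = fh.read()
            except OSError:
                continue
    return files


def report(files):
    """Collect both checks into one dictionary for printing or logging."""
    return {
        "rundll32_outside_system32": find_rundll32_copies(files),
        "random_name_executables": find_random_name_app_dirs(files),
    }


if __name__ == "__main__":
    for key, entries in report(SAMPLE_FILES).items():
        print(key)
        for entry in entries:
            print("  ", entry)
```

On a live machine, replace `SAMPLE_FILES` with `load_tree(r"C:\")` and compare the hash of each flagged rundll32.exe against the System32 copy; a copy that does not match is the kind of file the poster was deleting by hand with the smitrem batch file, and its path and hash are what a helper reading a HijackThis log would want to see.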
