Can anything destroy this?

pete.dakota

My PC has a virus, or spyware, or adware, or SOMETHING. I've no idea, technically, what it is. All I know is that it's there, it re-creates itself, and it cannot be removed by any of the methods I have tried so far.

Since being infected, every time I have booted my PC there have been two "rundll32.exe" processes running in task manager, and msconfig shows there to be two random startup items called things like "qyyienja" which runs with the command
Code:
Rundll32.exe "C:\WINDOWS\system32\qyyienja.dll",s
or "bffestbr" with the command
Code:
rundll32.exe "C:\WINDOWS\system32\bffesrbr.dll",b
Even if I end the processes, untick the startup items, delete the files in the system32 folder AND delete the respective registry entries, there will still always be two "rundll32.exe" processes running and two new startup items in msconfig after restarting. They still claim to be "Rundll32" but have a different arrangement of letters as their name.

I have run Ad-aware and SpyBot several times. They always seem to find something, but it never kills the problem.

Whatever I've been infected with, it has targeted IE. Whenever an IE window is opened, lots of pop-ups appear advertising spyware removers and PC boost tools. Luckily I use Firefox, so it's not a huge problem. In fact, this 'virus' doesn't actually appear to be of any real harm. My internet still works fine and I haven't lost any data. It's simply VERY annoying that it keeps on re-creating itself and cannot seem to be stopped.

Do you guys have any advice as to what I can do?

I am considering re-installing Windows with a fresh re-format. But this would be a last resort. Thanks in advance for any replies.
 
Well, you might want to install an antivirus; a spyware scanner only gets you so far (curiously enough, however, installing an antivirus doesn't mean you don't need a spyware scanner - you need both).

Also, what exactly are you deleting from system32? Just those two files? You might want to do a global search for all DLLs, in all system folders, that were created recently - "native" DLLs will be dated as created several years ago (on XP at least), whereas spyware usually has a much more recent timestamp on it. Of course, if you delete the wrong .dll you'll probably have to reinstall Windows, but without installing an antivirus it's probably your only option anyway.

If anything, you can always download a demo antivirus, which will be good for a month or two (it will only work once for every antivirus, but it's still an option too).
 
> Well, you might want to install an antivirus; a spyware scanner only gets you so far (curiously enough, however, installing an antivirus doesn't mean you don't need a spyware scanner - you need both).
>
> Also, what exactly are you deleting from system32? Just those two files? You might want to do a global search for all DLLs, in all system folders, that were created recently - "native" DLLs will be dated as created several years ago (on XP at least), whereas spyware usually has a much more recent timestamp on it. Of course, if you delete the wrong .dll you'll probably have to reinstall Windows, but without installing an antivirus it's probably your only option anyway.
>
> If anything, you can always download a demo antivirus, which will be good for a month or two (it will only work once for every antivirus, but it's still an option too).

I hadn't thought of anti-virus. I use Windows Firewall, which seems to work well enough. That, with a spyware remover, I figured would be all I need. Maybe I'll purchase McAfee again.

Yes, I only ever delete from system32 the two files that appear every new session in msconfig's startup tab. I did think about searching for all recently created DLLs in system32. In fact, I did start randomly deleting some just earlier. I decided to stop, though, in case I accidentally deleted something crucial and wasn't able to back up any of my data before being forced to re-install Windows.

Whilst typing I have been running Spybot for about the third time today. Every time I have run it, it has found an entry called "Virtumonde.dll" which hosts system32 "Library" entries either exactly the same as, or very similar to, the files that have been created in system32 every time I start Windows (vtsqp.dll, apktjeil.dll). "Virtumonde.dll" also hosts "Browser Helper Object" and "Class ID" registry entries.
 
Hi. Try this:

Download and install this: http://ccollomb.free.fr/unlocker/

Unlocker Assistant allows you to free up the resources that are using a given file, so you can delete the virus executable even if it's already running.

Boot into safe mode, and go into your registry. Check both:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and look for suspicious entries. Google them to confirm. If you find an entry with a weird illegible name, and Google doesn't return any results, most likely it's a virus that makes its name randomly. The entry will contain the path to the binary, and you can delete it. Also, viruses these days are quite clever; they overwrite some commonly used programs such as RealPlayer, so every time you launch it you infect yourself again.
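Pulling the OP's symptoms and the two suggestions above together (check the Run keys for odd-looking rundll32 entries; compare DLL timestamps against the rest of system32), here is an added PowerShell triage script. It is not from this thread and not part of Unlocker, Spybot or any other tool mentioned here. It assumes Windows PowerShell 5.1 or later on a current Windows build (Get-CimInstance is not available on the XP-era PowerShell the OP would have had), run from an elevated prompt. It is read-only: it flags entries and processes, it deletes nothing, because the thread shows that deleting the Run entry and the DLL just gets them re-created by whatever is still running. The 30-day "recent" window and the "random-looking name" pattern are heuristics chosen for this example, not anything the thread states.

```powershell
# Added triage script, not from the thread. Assumes Windows PowerShell 5.1+ on Windows,
# run from an elevated prompt. Read-only: it flags, it does not delete anything.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Matches command lines of the form:  Rundll32.exe "C:\WINDOWS\system32\qyyienja.dll",s
# Group 1 = DLL path (quoted or bare), group 2 = exported entry point named after the comma.
$rundllPattern = '(?i)rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)'

function Test-SuspiciousDll {
    param([string]$Path, [int]$RecentDays = 30)   # 30-day window is an assumption of this example
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $item = Get-Item -LiteralPath $Path
    # Weak heuristic: short all-letter names like qyyienja or vtsqp. Some legitimate DLLs
    # (ntdll, msvcrt) match too, so never act on this signal alone.
    if ($item.BaseName -match '^[a-z]{5,9}$') { $reasons += 'random-looking name' }
    # Native XP DLLs carry install-time dates; a DLL created in the last few weeks stands out.
    if ($item.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) {
        $reasons += 'created ' + $item.CreationTime.ToString('yyyy-MM-dd')
    }
    # Catalog-signed Windows files report NotSigned on older builds, so this too is only a signal.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return $reasons
}

Write-Output '== rundll32 entries in the Run keys (what msconfig lists as startup items) =='
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... provider metadata
        $cmd = [string]$p.Value
        if ($cmd -match $rundllPattern) {
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $reasons = Test-SuspiciousDll -Path $dll
            $flag = if ($reasons) { 'SUSPICIOUS' } else { 'ok' }
            Write-Output ('{0,-10} {1}\{2}  {3},{4}  {5}' -f $flag, $key, $p.Name, $dll, $Matches[2], ($reasons -join '; '))
        }
    }
}

Write-Output '== running rundll32.exe processes =='
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'")
foreach ($proc in $procs) {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { 'exited' }
    $dll = if ($proc.CommandLine -match $rundllPattern) {
        [Environment]::ExpandEnvironmentVariables($Matches[1])
    } else { $null }
    $reasons = if ($dll) { Test-SuspiciousDll -Path $dll } else { 'no DLL in command line' }
    # A rundll32 started from a Run key has explorer.exe as its parent. A rundll32 that appears
    # mid-session with some other live parent points at the component doing the re-creating.
    Write-Output ('PID {0}  parent {1} ({2})  {3}' -f $proc.ProcessId, $proc.ParentProcessId, $parentName, $proc.CommandLine)
    if ($reasons) { Write-Output ('    -> ' + ($reasons -join '; ')) }
}
```

Read the output as a set of signals rather than a verdict: a Run entry whose DLL has a random-looking name, a creation date from this month and no valid signature is worth a closer look, and the parent of a rundll32 that respawns without a reboot is the process to investigate next, which is exactly the part the OP later says nothing could find. On older Windows many genuine system DLLs are catalog-signed and will show as NotSigned, so do not delete on the signature check alone.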
 
What would happen if you replaced the DLLs with an idle DLL of your own? For example, you could take a DLL from Orbiter and overwrite the referenced DLL with it. In the worst case you should get a CTD of the Rundll32 process, but the system should be stable.

I also think you should not pay too much attention to the DLLs; they are just a secondary problem. What if your PC gets infected again AFTER you have removed the virus?
 
Right and/or maybe that :

http://www.bleepingcomputer.com/forums/topic18610.html

I play with such processes sometimes :):

1- In system32, I select the file.
2- Right-click, Delete (but without answering the yes/no confirmation in the prompt window, which I leave open).
3- Ctrl/Alt/Del to see the process.
4- I select it and press stop.
5- And if I'm fast enough, I have some chance of confirming the delete in the first prompt window before it (the process...) reloads itself.

Really amazing sometimes, but sometimes only...:P
 
> Hi. Try this:
>
> Download and install this: http://ccollomb.free.fr/unlocker/
>
> Unlocker Assistant allows you to free up the resources that are using a given file, so you can delete the virus executable even if it's already running.
>
> Boot into safe mode, and go into your registry. Check both:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> and look for suspicious entries. Google them to confirm. If you find an entry with a weird illegible name, and Google doesn't return any results, most likely it's a virus that makes its name randomly. The entry will contain the path to the binary, and you can delete it. Also, viruses these days are quite clever; they overwrite some commonly used programs such as RealPlayer, so every time you launch it you infect yourself again.

This seems to have worked, computerex. I found one entry in LOCAL_MACHINE that was appearing as Rundll32 and had a randomly generated name. I deleted it, and after a couple of test boots into normal mode, no new processes or startup items have appeared.

I'm still not too comfortable knowing that the files are still on my PC, though. What can I do to remove this thing entirely, and not simply stop its operation?

Thanks for the help.
 
I usually copy the DLL and let the dev tools play with it... Dependency Walker, COFF Viewer, disassembler, decompressors... A new virus is a new riddle for me. I even collected them some time ago, but now I only store really special exemplars as data dumps. Some use really sophisticated calculations of the initial jump addresses, together with the usual ways to kill disassemblers, so that they are more fun for people like me than a large Sudoku book.
 
OK, computerex, your method actually hasn't worked. I had really high hopes then. Since posting last, two rundll32.exe processes have appeared in Task Manager. I was able to stop one; however, the second, when stopped, immediately re-appears. Two new startup entries have also appeared, sporting "rundll32.exe" and "Rundll32.exe".

This is without a restart; they came from nowhere.

Relentless, devious little bugger this virus be. I may just re-install Windows. It's probably about time anyway.
 
Might consider picking up a copy of AVG afterwards. It sometimes gives false positives, but has kept me clean so far (knock wood).
 
> Relentless, devious little bugger this virus be. I may just re-install Windows. It's probably about time anyway.

Well, I would instead make sure, BOTH processes don't get started at all. Reboot and enter the service mode. I know how to do such maintenance with Windows 2K, I think Windows XP has a similar function.
 
> Well, I would instead make sure, BOTH processes don't get started at all. Reboot and enter the service mode. I know how to do such maintenance with Windows 2K, I think Windows XP has a similar function.

Service mode?
 
He probably means maintenance mode.

Wouldn't that only allow me to uninstall/change programs that have been installed using the Windows based installer? Which can be done with Add/Remove Programs anyway.
 
Well, he's basically suggesting that you delete both DLLs, which I understand you already tried anyway...

Deleting the DLLs does nothing. Two or more new ones simply pop up in their place after restarting.

I've decided I'm going to dig around for an old hard drive, back up my stuff and do a complete re-format and Windows re-install. Looking through my registry I've realised I have installed a LOT of random crap over the last 4 years and it's probably time for a fresh start.

I'll be sure to get some Anti-virus software this time :)
 
You should try what Bill Gates does in this case......
Format and Reinstall Windows, again.:P
 
Try to run Avast in safe mode. The problem with some viruses (Virii?) is that they do not allow you to install or run any anti-malware program if they are already present in the system. You could try to run the latest ClamAV version from a read-only device such as a CD-ROM. Get an uninfected machine, go to PortableApps.com, download PortableClamAV, install it on a USB drive, update it, then burn the program to a CD-ROM. Run ClamAV from the CD-ROM on the infected machine. It could work.
 
> Well, he's basically suggesting that you delete both DLLs, which I understand you already tried anyway...

yes, but with the maintenance console, the DLLs are not loaded and active.
 
> yes, but with the maintenance console, the DLLs are not loaded and active.

The DLLs only seem to be the creation of the virus, which, in itself, I've no idea where to look for. Deleting the DLLs simply means there will be at least two new ones the next time I boot. I've no idea where the actual module is that is causing this to happen, and nothing can seem to find it.
 