I seem to have come across some problems lately. It started just about 2 days ago, when Windows notified me that my Dr. Watson post-mortem had encountered an error. I didn't think anything of it, and later when I looked, the application folder was empty. After that I was surfing the net when random .exe programs began to ask for internet access. Their file names consisted of numbers. Of course, I denied these, but they just keep coming. I thought I had it fixed for a few moments until I received a registry edit notification from Spybot S&D.
Anyway, to start off, I had recently run a game that had some issues. In order to uninstall this game, you had to run a registry edit entry to remove it, and the rest of the files were to be deleted. However, when I ran the regedit file, the error came up: "Registry editing has been disabled by your administrator." Now, this confused me, considering I'm the only person who uses this computer (lol). Of course, to anyone with a bit of computer skill, this is bad news. Normally, the regedit options can only be changed by admins... or trojans. I ran a scan with ZoneAlarm for spyware and trojans. There were about 2 or 3 trojan entries and around 7 spyware entries. The 3 trojan entries were backdoors, but the spyware entries were the usual, so I figured I was done.
Instead, about 5 minutes later, the same events began to recur. So I ran Ad-Aware and found about 24 spyware entries. I was a little miffed that this freeware security program had found a lot more than my paid-for one. Again, I thought nothing of it. Again, the problems came back. I figured I would run CCleaner since I hadn't run it for a while. The Windows and application scans showed 30 or so issues, but nothing looked out of place (cookies, recycle bin files, the usual). The registry went nuts though. I had about 60 entries. Things leading to nowhere, and about 3 or 4 Windows components of some sort were missing. This is not good. So I restarted my computer and went straight into safe mode. I ran scans with CCleaner, ZoneAlarm, and Ad-Aware.
CCleaner found about 40-odd files I wasn't even sure of in the Windows section. The registry scan came up with a bunch of stuff I had no clue about. Ad-Aware fell short and gave me the normal BurstMedia and other tracking cookie junk. ZoneAlarm said there were 7 trojans and 39 infected spyware files. I ran the fixes and it seemed good... for about 10 or 15 minutes.
I looked around and found Spybot S&D. I'd run it a few times before on some previous computers, but had moved on to other programs. I ran S&D and got some really exotic results. I had an unpacker, 3 backdoors, a Smitfraud-C, and some registry-edited items. The odd thing is, I've had Smitfraud-C before, and I haven't had any of the symptoms. No changed background, no PSGuard. Nothing. I found this odd but let S&D do its thing. It fixed quite a bit, I think. I ran the immunize option and had all files immunized. Looking good.
Once again, wrong. Will the problems ever cease? So, I checked my computer for anything unusual, manually looking through as many folders and files as I felt like. Lo and behold, when I got to the Temp folder I found some files. I use a lot of software and whatnot, so when I found some stuff in there, I thought I would go ahead and delete it manually. A few of the items in there confused me though. The file names were something like "Perflib_Perfdata_1b0", "Perflib_Perfdata_1e5" and some other odd names. They wouldn't let me delete them. The rtdrvmon would, but when I searched for that, I got a result of a driver for my Lexmark 1150 printer. Now why the heck is that there, I asked. Anyway, I ran another scan or two, deleted the items again from the Temp folder, emptied the recycle bin what felt like a hundred times, and now my Temp folder still has Perflib_Perfdata_1b0, rtdrvmon, WMP54Gv4_(I1, S2, and 51), and ZLTO6d47.tmp. The WMPs are .gif files with what look like router-based images. The Perflib file, however, is being read by Nero as a Video CD movie .dat file that's 16 KB. Obviously, that can't be right.

So, here is where I am now. I fixed most of the problems (I think) and I am left with the single registry edit that popped up when I just ran Windows again. I also still have Smitfraud-C, and a registry value of some sort called "PWS.LDPinchIE", which I thought was a password stealer. But here is what S&D says:

"Functionality: Supposed to be an update for Internet Explorer. Description: This trojan horse pretends to be an update for Internet Explorer. It massively connects to the internet in the background. It hijacks the hosts file to block security sites and redirects banking websites to a fixed IP address. The trojan downloads other malicious software and adds them to the winlogon and system start. There are also services to have additional ways of starting the trojans. Variants start themselves in winlogon as "parnershipreg" without giving the user a possibility to cancel that process. Also user profile settings (desktop icons, mapped drives, etc.) get deleted upon initial boot."
When I read this just now, I was reminded of a few times IE was bugging me about an Adobe Flash Player update. I downloaded it without thinking twice. This is probably where it got me good. I've only had 2 icons become disconnected from their programs though, one of which I can't even find the actual program folder for anymore, but it will run if I run the installer .exe.
So, sorry for the long explanation, but I hope and wish for the best help. I hope you can pull enough info to make sense of it. Thanks ahead of time.
Edit: 12:07am. I am now getting registry edit pop-ups from S&D. I can deny the first, but not the second, and with the second comes an invalid float point(?) error.
Edited by Qlaxis, 07 December 2008 - 01:08 AM.
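The Spybot description quoted in the post names four places this kind of trojan touches: the policy value that produces "Registry editing has been disabled by your administrator", the hosts file (blackholed security sites, banking sites pointed at a fixed IP), Winlogon startup entries, and the Run keys. The read-only PowerShell triage script below is an added example, not code from the original post or from Spybot; it audits those four points so a reader can confirm or rule out each one before trusting a cleaner's "fixed" message. The "expected" Userinit/Shell values, the keyword list for security and update sites, and the regex for suspicious Run entries (numeric-only .exe names, Temp-resident files, as described in the post) are assumptions for a default install and can be adjusted.

```powershell
# Added triage script (not from the original post or from Spybot).
# Read-only: it reports, it does not delete or repair. Run from an elevated prompt.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Area, [string]$Detail)
    $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
}

# 1. "Registry editing has been disabled by your administrator" is this policy value.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($val -and $val -ne 0) {
        Add-Finding 'Policy' "$key\DisableRegistryTools = $val (regedit blocked)"
    }
}

# 2. Hosts file: non-loopback mappings are redirects; loopback mappings of
#    security/update domains are blackholes. Keyword list is an assumption.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Get-Content $hostsPath | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip comments
        if ($line -eq '') { return }               # skip blank lines
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { return }
        $ip    = $parts[0]
        $names = $parts[1..($parts.Length - 1)]
        if ($ip -notmatch '^(127\.|::1$)') {
            Add-Finding 'Hosts' "$ip -> $($names -join ', ') (non-loopback redirect)"
        } elseif ($names -match 'update|antivirus|symantec|mcafee|kaspersky|spybot|lavasoft|zonelabs') {
            Add-Finding 'Hosts' "$ip -> $($names -join ', ') (security/update site blackholed)"
        }
    }
}

# 3. Winlogon: Userinit/Shell should match the defaults below (assumption for a
#    default install); every Notify subkey loads a DLL at logon and deserves review.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe"
    Shell    = 'explorer.exe'
}
$props = Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = [string]$props.$name
    if ($actual.TrimEnd(',').ToLower() -ne $expected[$name].ToLower()) {
        Add-Finding 'Winlogon' "$name = '$actual' (expected '$($expected[$name])')"
    }
}
foreach ($sub in (Get-ChildItem "$wl\Notify" -ErrorAction SilentlyContinue)) {
    $dll = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).DLLName
    Add-Finding 'Winlogon\Notify' "$($sub.PSChildName) -> $dll (review; compare against a clean machine)"
}

# 4. Run / RunOnce keys in both hives. Everything is listed; entries matching the
#    pattern from the post (numeric .exe names, Temp-resident files) are marked [!].
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    foreach ($prop in $p.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not values
        $cmd = [string]$prop.Value
        $mark = ''
        if ($cmd -match '\\\d+\.exe|\\Temp\\|\\Temporary Internet Files\\') { $mark = '[!] ' }
        Add-Finding 'Run' "$mark$key : $($prop.Name) = $cmd"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

Run it before and after each cleaner pass: if the same Winlogon, hosts or Run entries reappear within minutes, a component that the scanners are not catching is still active and re-creating them, which is consistent with the pattern the post describes.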