Thanks ITshop360! I hadn't noticed that taskmanager has a menu at the top!
I spent some fitful hours eradicating this nasty virus - also the worst that I have seen. Avast didn't seem to catch it, sadly. It likely came from a questionable download of all2mp3.exe using utorrent. (I've seen other references to this issue with this download too - after I contracted the virus of course).
It has the effect of interfering with internet usage, so it gets very difficult to find a fix using that particular computer. It also incessantly pops up full-screen web sites, often for ads to do with your google search, or just porn when its bored. I ran various registry cleaners and virus scanners, and nothing caught it. I did a system restore, and it worked once, but on the mext reboot the problem re-surfaced! Ouch!!
So here's what it does and HOW TO GET RID OF IT:
It adds a RUNDLL32.exe startup command to load a (8 gibberish lettered name).dll such as jkknSycS.dll. I am guessing, but it doesn't appear as a process in task manager, so it must hook itself to other tasks to cause its interference, and to get a hook into the internet. By this means, it can also mess up inituser.exe as well as any program that wants to use rundll32.exe (such as a firewall - note that it turns off your firewall, so it may also open back doors into your PC - I recommend that once you finish reading this message, that you print the instructions below, and then physically DISCONNECT YOUR PC FROM THE INTERNET UNTIL YOU ERADICATE THE VIRUS!
It also makes another randomly-named copy of itself and re-installs a startup command to run the new copy on the next bootup. This has the curious effect of working after EVERY delete of the offending startup line using HiJackThis.exe (By the way, it appears as a -O4 type command 'RUNDLL32 'gibberish'.dll). So every time that you delete the line and then re-scan with hijackthis, and it just re-appears with a fresh name!
To remove it:
1. Before you start, check 2 places - Use Startup|Run to run MSCONFIG.EXE - in the startup tab, you ought to see the 'RUNDLL32 (8 gibberish lettered name).dll in the list. Make a note of the .dll name. Close MSCONFIG. Then open Windows Explorer and take a look in C:\Windows\System32. Sort by date modified, newest at the top. You will see a couple of 'StBcWXYZ-like'.ini and ini2 files - about 500KB in size, with a somewhat random-looking name with the datestamp of the moment when you got infected. Also, you will see several (8 gibberish lettered name).dll files with lengths between 60KB and 250KB. They will also have a similar creation date - note that some will be newer (these are the copies that I mentioned above). Erase all that you can - note that some of the .DLLs will refuse to be erased (since they are in use or otherwise protected).
2. Now, WRITE DOWN THE EXACT NAMES OF ALL OF THESE FILES!. Note that there are a few recent files made by Windows - they are wpa.dbl, fntcache and config.nt - Oh, BTW, I'm using Windows XP SP2.
3. Restart your computer using a floppy or CD that boots you into DOS!!!!! If you don't have one, use Windows Explorer (or some other computer) to make a bootable floppy or CD.
4. In DOS, navigate to C:\windows\system32 and erase the offending files. If you don't know how, use DIR /? and ERASE /? for help. I think one of them is marked as a system/read-only file, so you may have to use the DIR /A options to get at it.
5. Once you're sure that they have ALL been deleted, restart your PC from C:
6. It should startup ok, give you a taskbar, and complain that it couldn't run the .DLL that held the virus.
7. NOW - reopen MSCONFIG.EXE and uncheck the line that tries to load the (now-missing) virus file.
8. Re-boot and go have a drink of success!!
AND PROMISE TO BE MORE CAREFUL NEXT TIME!
I'm documenting this before I forget, and who knows, I may be looking for this solution some years from now myself :-( !
Edited by KaZoom, 03 August 2008 - 11:14 AM.