Hldrrr.exe has just begun eating my PC - Please Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Skinno, Apr 22, 2008.

  1. Skinno

    Skinno Private E-2

    Hi there team,
    I'm back again, only with a different need for help. It appears that I have a nasty case of the hldrrr.exe attacking my system. It has taken total control over my CPU usage (98%) and although I've tried deleting it, it won't.
    Other hosts with numerous numbers were also attacking my processes although I did seem to be able to end those and now they've gone.
    I noticed they were in the prefetch folder too so I deleted them there.
    The main bugbear is that once again, this has disabled my AVG and my newly installed Online Armor firewall which ironically I only installed today alongside CCleaner. I can't open any of those programs at all. It also disabled my HijackThis tool so I downloaded it again and renamed the file 'something else.exe' and managed to get away with it and make a log.
    I'm about to re-read the malware tips page after submitting this thread but wondered if you had any tips regarding this specific issue before I go any further. I don't know if it will allow me to download, then more importantly install, any programs at the moment and am loath to reformat my entire hard drive AGAIN.
    Any help will be greatly appreciated. Many thanks in advance:
    Skinno
     
  2. Skinno

    Skinno Private E-2

    HI guys,
    Regarding my previous entry, I've followed all the instructions as mentioned in your Malware section and downloaded and installed everything as requested. My findings were as follows:
    SUPERAntiSpyware - - It installed and ran, to a degree. I checked everything which was requested. It ran fine stating there were no problems in the memory or the registry but when it came to inspecting the other files on the C: drive, it kept crashing the PC and rebooting whenever it seemed to be searching Program Files (3 times in total) so no logs were made.
    Spybot - - It installed but then wouldn't let me run it, coming up with the usual 'unrecognised Win32 application' so I couldn't run it.
    Cf.exe - - Exactly the same as the above. It wouldn't allow me to run it.
    Malwarebytes Anti-Malware - - Ran smoothly and found 3 infections (see attachments)
    MGTools - - Ran ok but wouldn't start itself. I ran the GetLogs.bat afterwards to make it produce logs (see attachments).
    I haven't yet rebooted so am sending the logs straight away just in case it doesn't allow me to reboot again. The logs will have to be spanned across this and another post so please excuse me having to use space.
    Hope these can help you to help me resolve the problems I'm having.
    Many thanks in advance again.
    Skinno
     

    Attached Files:

  3. Skinno

    Skinno Private E-2

    Hi guys,
    Just posting the last two logs from MGTools. Hope these help and are the ones you need. Many thanks.
    Skinno.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try doing the below.

    Run SuperAntiSpyware

    • In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options uncheck the below two options
      • Use Kernel Direct File Access (recommended)
      • Use Kernel Direct Registry Access (recommended)
    • Then try doing a new full scan and tell me if it still crashes.
    You need to attach the MGlogs.zip file that is requested not the logs in the C:\MGtools folder.
     
  5. Skinno

    Skinno Private E-2

    Hi there,
    Thanks for the info. I re-ran SUPERAntiSpyware as requested with:
    Under Scanner Options uncheck the below two options
    Use Kernel Direct File Access (recommended)
    Use Kernel Direct Registry Access (recommended).
    I have enclosed the log and also the MGLogs.zip folder. Hope this helps.
    Skinno
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the 'Input script here:' part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Skin\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. Skinno

    Skinno Private E-2

    P.S - - Many apologies for this post in advance, only after just looking in the MGLogs.zip folder I previously submitted as requested, I noticed that unlike many other members' logs, there wasn't a HijackThis log in mine so I have just done a HijackThis 'run' and saved the file which I am enclosing here.
    I'm not sure if you actually need this info but thought it may be something that you would need to see - considering it's not in the last file I submitted.
    Thanks.
    Skinno.
     

    Attached Files:

  8. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Just downloaded Avenger onto my desktop as requested. Unfortunately, as with some of the other programs, it won't let me run it. It just keeps coming up with the same annoying message about Win32 not recognising it and not allowing me to open it up.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try renaming avenger.exe to avenger.com then see if it will run by double clicking on it.
     
  10. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Firstly let me just say there will be two posts here from me, not one, as I needed to do some screenshots for you to see.
    I changed The Avenger to Avenger.com from Avenger.exe. This seemed to install it ok. However, once I pasted all the info from your quote box in, things all went wrong and I was left with a series of pop-up messages. The first 3 I took screenshots of (enclosed). The fourth message to pop up (after the screenshots) said:
    Error: Could not log error messages to file (error 6: the handle is invalid)
    Then when I go to 'quit Avenger', it says: 'No action has been queued for next reboot. Are you sure you want to quit Avenger?' I did quit, and that was the end of it. I rebooted, no logs.
    I deleted the Tkbell.exe and the Enable LUA in the sections manually.
    As for the hldrrr.exe, mdelk.exe, wintems.exe and srosa.sys, they don't appear to be there at all in the system32 / drivers folders. One thing I did notice was that the drivers folder is always set to 'hidden' when I go into system32. I have been going into start\search\system32 to find it then unchecking 'hidden' to allow me to enter it but they appear not to be there.
    I did notice something that may be of interest when I looked in regedit in the HKEY_CURRENT_USER part which you may like to view (snapshot enclosed in next posting).
    I also DID manage to reinstall CCleaner and ran that (it wouldn't let me last time I tried but has now). Also I ran the MGTools\Getlogs.bat (file enclosed in next post)
    One thing I have noticed is that when I am logged on here via my router in I.E. and open Task Manager, there seems to be no hldrrr.exe running in the processes box yet when I try to run AOL, I keep the processes box open and as it tries to boot up, the hldrrr.exe sneaks in for a second (I can't delete it from there) then disappears again before coming back at random intervals. Usually another unknown process pops up too (generally a list of numbers) which I can delete. AOL takes ages thereafter to open and doesn't work properly.
    Sorry for the long post. Hope some of this info is of help.
    Skinno
     

    Attached Files:

  11. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Here is the new MGLogs.zip folder and also the regedit screenshot I just took which may (or may not) be of interest to you as mentioned in the previous post. It is only in this screenshot where I can find the hldrrr.exe and mdelk.exe files (alongside some of the files containing just numbers which pop up in Task Manager's Processes section when trying to run AOL) and nowhere else that I have looked (including the drivers folder in system32). I hope this helps.
    Regards:
    Skinno.
     

    Attached Files:

  12. Skinno

    Skinno Private E-2

    Update:
    Hi, sorry for posting more stuff, only things seem to have taken a turn for the worse since my last post this morning. Logging onto I.E. is now seemingly taking forever just to view my homepage (MajorGeeks). It's now taking approx 2 minutes to even show the page. Seems I'm on a major slowdown here. I checked the processes in Task Manager when I tried to send an email through AOL. AOL still wouldn't function but I noticed in the processes section there is something named Issas.exe that is now constantly taking up approx 73% of the CPU at any given time. Someone just informed me that this could potentially be a very serious virus so I thought I'd check here first to see if this is normal or not. I also notice now at the top of the list there is WLLoginProxy.exe which I haven't seen before (although it's not running anything on CPU). The only other thing running except Issas.exe is msiexec.exe.
    My system seems to be getting slower by the hour and I now fear I may just have to reformat the hard drive again and start from scratch.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They will not show via Windows Explorer or by searching for them. That is why we need special tools to remove them. If they are there, you will not find them using normal methods. The rootkit-like part of this infection hides the files from you.

    What is the full registry key path? Is it the below or was it really in HKEY_CURRENT_USER?

    HKEY_USERS\S-1-5-21-1801674531-1220945662-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache

    Please download the latest version of MGtools and run it to get a new MGlogs.zip file and attach it.


    Do you have your Windows XP bootable CD?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be careful about how you spell things. If it is C:\WINDOWS\system32\lsass.exe then it is totally normal to see it running, but it should not be using all of your CPU. The infection you have is the cause of the CPU use.

    This is Windows Live Login Helper from Microsoft.
     
  15. Skinno

    Skinno Private E-2

    HI Chaslang,
    Yes I do have a bootable copy of Windows XP (my original copy) BUT it is an old one, pre Service Pack 2, so every time I have reinstalled XP I always have to go through the L-O-N-G procedure of updating everything :-(.

    Regarding the location of the previously mentioned snapshots, I have found that the 'viruses'?? appear to be in both HKEY_CURRENT_USER and HKEY_USERS\S (new snapshots included).
    I already thought I had the latest version of MGTools which I downloaded from this site, however, to be on the safe side, I re-downloaded it and ran it. The odd thing was, when I went to run the program, it wouldn't, so I went into the folder and manually ran the 'getlogs.bat' - the new zip file enclosed here.
    Hope this helps, many thanks - Skinno.
    P.S....guess what's back in my task bar processes list........wintems.exe. It's showing as running NO CPU usage but is at the top of the list.
     

    Attached Files:

  16. Skinno

    Skinno Private E-2

    Update.
    It now appears that wintems is no longer showing in my taskbar. I did find it in prefetch however so managed to delete it from there. Also, I looked in the system32 folder and mdelk.exe is lurking in there and showing up as a 'bunch of keys' icon. I can't delete it though. When I try, it just says 'Can't delete. Cannot read from source file or disk.'
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now read through the below to familiarize yourself with it and print it so you can refer to it while offline, since you will not be able to browse once starting the below. We are going to attempt to boot into the Recovery Console and use it to delete the malware.
    1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
    2. Then restart your computer
    3. This should cause your computer to boot from the CD instead of the hard drive (if not, you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list).
    4. You should get a "Press any key to boot from CD" message! Press a key to do that, otherwise it will bypass the CD boot.
    5. After it boots up, you will see it load a bunch of files (be patient, it can take a little while) and eventually you will see a menu where you can select the "Recovery Console" by pressing R. It is normally the middle item in the list. Press R.
    6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
    7. It will ask you for the Administrator password next (so make sure you know it). If you never gave it a password it is probably blank. If it is blank, just press enter. If you have set one then type it in and hit enter. It will tell you if you enter the wrong password.
    8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>
    Now from this command prompt window, here are some things I want you to do. Enter the below commands in the order given. I will add comments after the <-- arrows.

    cd system32 <-- there is a space after the cd; the prompt should change to C:\WINDOWS\SYSTEM32>

    del wintems.exe
    del mdelk.exe


    If you get any error messages while running any of the above del commands, which should delete those two files, then run the below two commands which will attempt to rename the files.

    ren wintems.exe wintems.xxx

    ren mdelk.exe mdelk.xxx


    cd drivers <-- there is a space after the cd; the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS>

    del hldrrr.exe
    del srosa.sys

    If you get any error messages while running any of the above del commands, which should delete those two files, then run the below two commands which will attempt to rename the files.

    ren hldrrr.exe hldrrr.xxx
    ren srosa.sys srosa.xxx

    Now we also want to delete a whole folder full of about 200 infected files at last count. The rmdir command below will try to delete the whole downld folder which is full of malware.

    rmdir downld


    If the del and the ren do not work, just type exit to leave the Recovery Console and boot into Windows, then come back here and tell me exactly what happened. Do not do any of the below!

    If the above worked then continue with the below.

    exit <--- this will exit the Recovery Console and boot to Windows

    After booting into Windows, Try to run all of the below:
    • SUPERAntispyware
    • Malwarebytes Anti-Malware
    • ComboFix
    • C:\MGtools\Getlogs.bat
    Then attach logs from each of the above.
     
  18. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Just did everything you requested by booting Windows in Recovery mode.
    There didn't seem to be any problems deleting the files wintems.exe, mdelk.exe, hldrrr.exe and srosa.sys. However, when I typed in rmdir downld I just got the message 'the directory is not empty'. :(
    Afterwards I rebooted my PC in normal mode.
    I ran SUPERAntiSpyware, MBAM and MGTools/getlogs.bat (see attachments).
    I wasn't able to run ComboFix as it still just comes up with the 'not a valid Win32' box as it always has since I saved it as cf.exe as requested.
    Hope the attachments help.
    Many thanks.
    P.S. I've just noticed wintems.exe is back in my task bar processes
     

    Attached Files:

    Last edited: Apr 27, 2008
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are now 281 files in the C:\WINDOWS\system32\drivers\downld\ folder. With Windows running, are you allowed to delete any of these files? Try deleting all of them. Do it in small groups if necessary. It is possible that some will be deletable and some will not. Let me know. Otherwise boot to the recovery console again and follow all the same steps again but instead of using rmdir downld, do the below.

    cd downld <--- there is a space after the cd
    del *.exe <--- there is a space after the del
    cd .. <--- there is a space after the cd and the .. is correct
    rmdir downld <--- then continue as previously
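As an added example, not a tool from this thread or from MajorGeeks: a small Python triage script that applies the criteria chaslang gives above (the file names named in post 17, the MUICache key he asks about in post 13, and the drivers\downld drop folder from post 19) to constructed sample data. The .reg lines and the tasklist rows are made up for this example; only the SID in the key path is the one quoted in the thread.

```python
"""Triage helper: flag the indicators discussed in this thread in a .reg
export of the MUICache key and in a tasklist listing (constructed samples)."""
import re

# File names named in the thread, and the drop folder chaslang pointed at.
SUSPECT_NAMES = {"hldrrr.exe", "wintems.exe", "mdelk.exe", "srosa.sys"}
DROP_DIR = "\\system32\\drivers\\downld\\"

# Constructed sample in the shape of a .reg export of the MUICache key.
# The paths are made up for this example; the SID is the one from the thread.
SAMPLE_REG = r'''
[HKEY_USERS\S-1-5-21-1801674531-1220945662-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\notepad.exe"="Notepad"
"C:\\WINDOWS\\system32\\drivers\\hldrrr.exe"="hldrrr"
"C:\\WINDOWS\\system32\\mdelk.exe"="mdelk"
"C:\\WINDOWS\\system32\\drivers\\downld\\1234567.exe"="1234567"
"C:\\Program Files\\AOL\\aol.exe"="AOL"
'''

# Constructed sample in the default "tasklist" table layout of Windows XP.
SAMPLE_TASKLIST = '''
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
lsass.exe                      688 Console                    0      1,420 K
wintems.exe                   1544 Console                    0      2,900 K
4823719.exe                   1600 Console                    0      1,100 K
msiexec.exe                   1700 Console                    0      5,200 K
'''

# "name"="data" lines of a .reg export (backslashes are doubled in the file).
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', re.M)
# One data row of tasklist: image name, PID, session name, session#, memory.
TASK_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_reg_values(text):
    """Yield (path, data) pairs, un-escaping the doubled backslashes."""
    for m in REG_VALUE.finditer(text):
        yield m.group(1).replace("\\\\", "\\"), m.group(2)


def classify_path(path):
    """Return why a path (or bare file name) is suspicious by the criteria
    discussed in the thread, or None if it is not."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SUSPECT_NAMES:
        return "file name named in the thread"
    if DROP_DIR in low:
        return "file inside the drivers\\downld drop folder"
    if re.fullmatch(r"\d+\.exe", name):
        return "executable whose name is only digits"
    if name.endswith(".exe") and "\\system32\\drivers\\" in low:
        return "executable living in the drivers folder"
    return None


def scan_reg_export(text):
    """List (path, reason) for MUICache entries that match the criteria."""
    hits = []
    for path, _data in parse_reg_values(text):
        reason = classify_path(path)
        if reason:
            hits.append((path, reason))
    return hits


def parse_tasklist(text):
    """Yield (image_name, pid) from tasklist's default table layout."""
    for line in text.splitlines():
        m = TASK_ROW.match(line)
        if m:
            yield m.group(1), int(m.group(2))


def scan_tasklist(text):
    """List (image_name, pid, reason) for running images that match.
    lsass.exe is a normal Windows process and is not flagged by name."""
    hits = []
    for name, pid in parse_tasklist(text):
        reason = classify_path(name)  # bare names carry no folder, so only
        if reason:                    # the name-based criteria can fire
            hits.append((name, pid, reason))
    return hits


if __name__ == "__main__":
    for path, reason in scan_reg_export(SAMPLE_REG):
        print(f"MUICache: {path}  <-- {reason}")
    for name, pid, reason in scan_tasklist(SAMPLE_TASKLIST):
        print(f"tasklist: {name} (PID {pid})  <-- {reason}")
```

Against a real export (`regedit /e`) and `tasklist` output the same functions apply unchanged; a hit only says the entry matches the thread's criteria, not that the file is still present on disk.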
     
  20. Skinno

    Skinno Private E-2

    Hi Chaslang,
    I managed to delete ALL the files manually from the C:\WINDOWS\system32\drivers\downld\ folder, no problem. Once again, I had to open the file by going to Start\Run then typing in the location as the drivers folder is always hidden. Even when I managed to get into the drivers folder there was no 'downld' folder.
    Once I deleted all the files, I rebooted the PC and instantly, despite clearing the folder, some files were back in it after reboot (see attachment). I then deleted these also.
    At the time of posting this though, no more seem present but things are seemingly very slow (Internet Explorer is anyway).
    Do you need me to re-run the SuperAS, MBAM and MGTools again now?
    Thanks:
    Skinno
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Also try ComboFix and if it does not run, try running the below:

    Using SDFix
     
  22. Skinno

    Skinno Private E-2

    HI there Chaslang,
    I downloaded SDFix as suggested and read the info link. It mentions having to use 'safe mode'. All well and good if this works lol. I followed and printed all the instructions on booting in safe mode and running SDFix. Once I tried to boot in safe mode, I was stuck (for 6 hours) on the black screen which just says reboot in:
    Safe Mode
    Safe Mode with Networking
    Safe Mode with Command Prompt
    Last known good config...
    Start Windows Normally.
    NOTHING would work at all with any of these. All that happened was my PC just kept trying to reboot and ending up at the same page over and over again.
    I ran my original XP(1) disc and yes, I could get into Recovery Console but that was of no use as I wasn't given any clues to which command prompt I could use to get me out of this cycle I was in. (This would be useful to know for future reference)
    I had no choice but to go into set up and try 'repair XP' (about 12 times). It kept telling me certain files and folders were missing, mainly
    WINDOWS\SYSTEM32\CONFIG\SYSTEM. Basically it kept saying on screen that I couldn't boot in safe mode then all it did was take me back to the page with the options of
    Safe Mode
    Safe Mode with Networking........
    etc etc
    In the end, after 11 hours of getting nowhere and no other PC or means of getting online, I had no choice but to once again reformat my entire hard drive. I am gutted. Lost everything again.
    I am now running a clean, virus-free PC with AVG Free v.8 and have already installed MBAM and SUPERAntiSpyware (thanks for those two recommendations). That's all though, as of yet.
    Are there any other recommendations you would offer regarding software? I'm only running Windows Firewall at the moment. I did have the Online Armor one (on the day I got the virus) but not any more. I haven't installed another one yet as I don't know which (free) one is best.
    The only BIG issue for me at the moment is that when I boot up Windows and start my PC, it is taking between 20 - 30 minutes. It's just showing the black screen with the small white rectangular strip at the bottom.....very slowly becoming the usual long white strip before booting to the Windows main desktop.
    I've already rebooted my PC about 10 times since reinstalling Windows but still it's as slow now as it was yesterday after the reformat.
    Any idea why this is or any solutions? Or if this isn't the part of the forum I can get help from about this issue, which part is?
    Thanks for all the help along the way throughout all this. All of it has been much appreciated.
    Skinno
     
    Last edited: Apr 28, 2008
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry to hear of how things worked out and that you had to resort to formatting. This particular infection is a very nasty one as you can see from the things we had to try in order to fix it. There are no easy fixes for this infection. Sometimes if caught early enough before it has spread too much, it can be a little easier to fix.

    See this sticky: How to Protect yourself from malware!

    Note Online Armor has been rated very high. You definitely cannot rely on the Windows Firewall.

    If this is happening after a clean reinstall, you must be having hardware issues, or software/driver conflicts. That is assuming that when you reinstalled that you did not install from any infected media or infected images,....etc. Are you sure that what you reinstalled from is not infected? Did you install from an original Windows CD and not a copy? Did you delete your partitions, repartition, format, and then reinstall?

    This may be more of an issue for the Software Forum. You could attach a new MGlogs.zip file from MGtools and I will take a quick look, but I don't expect that we will see any reasons for your PC boot up issues.
     
  24. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Thanks for the reply. Regarding my reinstallation of windows and reformatting the hard drive:
    The copy I have of Windows XP (Service Pack 1) IS an original copy yes, so no fakes in the disc dept. I did reformat ALL the hard drive, partitions etc. then reinstall. Obviously with my disc being kinda old and not a Service Pack 2 edition, once installed, I had to telephone Microsoft for a new installation code (apparently, I had used the original code too often). There didn't seem a problem with this and the person I spoke to gave me a new set of six digit numbers to input, resulting in a 'Thank You' message on screen so I'm assuming there's no problems there.
    It may be worth pointing out that I do also run another hard drive as a slave drive (on which I store my music, NOT any programs) alongside the newly reformatted drive. I plugged it into my PC (AFTER I'd reinstalled XP on the C drive) and virus/malware scanned it. There's no infections on it.
    I'm about to reinstall Online Armor and disable the current Windows firewall.
    At your recommendation, I guess for my boot-up problem (i.e. taking approx 30 mins to boot up) I should take this issue to the software (?) part of the forum and make a posting there.
    Meanwhile, I reinstalled MGTools and have enclosed a log for your perusal.
    Fingers crossed, all is clean.
    Many thanks Skinno.
     

    Attached Files:

    Last edited: Apr 29, 2008
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but what other software did you reinstall and where were those files obtained from?

    Your logs are clean but let me give you a couple things to do.

    Uninstall SUPERAntispyware now since you don't need it at this time and it will just add to boot up delay. It is only an after the fact scanner unless you purchase it.

    Also uninstall Viewpoint Media Player

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    After clicking Fix, exit HJT.


    After doing all of the above is there any noticeable change to boot up? If not, here are two experiments to get answers to:

    1. Reboot your PC but boot up in safe boot mode. How is boot time in safe mode?
    2. Reboot into normal mode and uninstall AVG8. Then reboot your PC (in normal mode) and tell me how boot time is now.
      • If no change, put AVG8 back in.
      • If boot time has improved, try this instead of AVG8: Avast! Home Edition
     
  26. Skinno

    Skinno Private E-2

    Hi Chaslang,
    As requested, I ran HijackThis and deleted the said files. My PC is still booting up at the same snail pace as before.
    I also uninstalled SuperAS and Viewpoint. I'm now left without a spyware prog, so thinking of installing Spybot.
    Two things I have noticed since reformatting are:
    On my CD writer there's a red light (not green) constantly on. I've not noticed this before. Maybe it's normal, I don't know, or perhaps a loose cable?
    The other thing is that each time I log OFF I.E.7, I get an error message (screenshot enclosed). This definitely didn't happen before.
    I'm beginning to think it may be an issue with the hard drive cables (??). I have swapped the leads over a couple of times to see if that helps the booting process. It seems the same either way.
    I've not (as yet) tried booting in safe mode as I'm worried that I may have a repeat performance of last time and get stuck again with the PC saying 'can't boot in safe mode' and not being able to move from that screen and have to format things again :(
    I guess I could try uninstalling AVG8 and rebooting.
    Skinno
    P.S. It may be worth pointing out that AVG Free 8 installed a 'protective' toolbar on my I.E.7. I'm not sure if this is in conflict with the IE message I get. Just thought I'd mention it. Thanks
     

    Attached Files:

    Last edited: Apr 30, 2008
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SUPERAntispyware is only a scanner. It does not protect you unless you purchase it. Spybot will only give you protection if you allow Teatimer to run.

    Hardware or software problem.

    Not malware. Again you have problems with software and or hardware.

    I would say that you should post in the Hardware Forum and pursue two items to start.
    1. Memory problems
    2. Hard disk problems
     
  28. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Just an update. I am going to take my 'boot up' problems to the other part of the forum as suggested, the boot up is still snail pace, thanks for the tip. In the meantime, I installed Online Armor again which seems fine. Also installed Spyware Terminator which is also ok but the toolbar is giving me problems with internet speed etc. I tried to uninstall the toolbar in Control Panel/Add Remove Programs but it won't let me, so I blocked it with the firewall from operating; things still seem much slower though when browsing. I'm not sure I like this. I also installed SpywareBlaster which seems content just running in the background.
    The alarming thing is, I updated and ran MBAM this morning and found an infection (log enclosed). I Googled it and on one page there was something about it being the result of SpywareBlaster being installed. Obviously, I don't have a clue about this, nor can I think how it got there. Let me know what you think.
    Many thanks
    Skinno
    P.S. I was wrong, I have just managed to uninstall the Crawler Toolbar.
     

    Attached Files:

    Last edited: May 1, 2008
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a false positive.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just for future reference, the MchInjDrv.sys driver is used by quite a few security applications such as
    • Online Armor
    • Spyware Doctor
    • TrojanHunter
    • Spy Sweeper
    • A-Squared
    just to name a few. The Mch in the driver name refers to madCodeHook; it is a legitimate driver used internally by madCodeHook to inject DLLs into other processes.
     
