Sending out an SOS.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Blac_Slayer, Feb 2, 2005.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this:

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\boln.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Then fix the line in HJT. How does it look now? Did it go away? How about after a reboot?
     
  2. Blac_Slayer

    Blac_Slayer Private E-2

    Oh, yay me. After reboot with the cable plugged in, EVERYTHING came back. The temp folder, the isrvs folder, the boln.dll, EVERYTHING.

    *Sigh* ...I don't think we'll be able to find the cause of this. I'm getting thoughts of just going ahead and reformatting at this rate.

    Also, it seems as though my Avast! Resident Protections got disabled. I don't see them at the taskbar anymore. I didn't even disable them.
     
  3. cybermike

    cybermike Private E-2

    PestPatrol has a write-up - have a look here: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090748 then read my trials.

    I fought the same battle for about 4 days! Exactly the same symptoms. I just kept plugging away at the command prompt and safe mode without network support. Finally after I found and removed the delprot items (now discussed at the web page above) along with its cohorts, I rebooted to safe mode again. I killed spawned errant services, cleaned until the HijackThis reports were looking good, ran Trend AV, and let MS AntiSpyware reset IE settings. I then noticed several of the system dll's and exe programs used by Windows XP did not appear to have the proper time/date stamps compared to the other Windows XP files (shell32.dll and explorer.exe among others). I quickly rebooted to a command prompt and did a DIR /OD (sort by date) on each of the WinXP primary system directories, including \, \windows, \windows\system32, \windows\system among a few others. I then renamed executables, dll's, and subdirectories that were recent and had names that were not associated with Windows or the installed programs. They were rather obvious after all the time I had spent studying what was going on. I then booted to the WinXP SP2 CD and did an install/repair. This refreshed all of the Windows system files. The rest is history.

    Hope this helps...
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, much of what is at the Pest Patrol link is what we have been trying. But perhaps a combination of that plus what Cybermike found from first hand experience will also work for you Blac_Slayer. Take a look at the files in your folders sorted by date as he did and see what you find.
     
  5. Blac_Slayer

    Blac_Slayer Private E-2

    Well, I did as you asked, and it didn't come out pretty.

    I went on deleting things rather liberally, and ended up disabling my Word program and my Sygate Firewall, which I'm reinstalling right now. I also disabled my Killbox, and I believe many more programs as well through this.

    I don't have a WinXP SP2 CD available.

    However, it did nothing. After going through the folders with a fine-toothed comb, the minute I was connected again, all the files stuck back on, and the dddd.exe file took a step inside my system32 folder instead of the usual documents and settings\owner folder.

    While looking in my add/remove programs in desperation, I found one selection which appeared to be my problem: "Best Search Engine!!!". That's what it was called. Upon trying to remove it that way, the uninstall stopped because it couldn't read from one file: boln.dll.

    So... I'd have to say this infestation has a name. Unless, of course, this has already been found out.

    Also, I recently just recleaned my computer of this thing, again, so if you want me to get re-infested to try something else out, just say the word. It's as easy as a simple reboot for me.

    EDIT: I take that back. My computer is re-re-infested without even a reboot. So, what's the next suggestion to pull?
     
  6. Blac_Slayer

    Blac_Slayer Private E-2

    Actually, I've been thinking (And after looking at Sygate Firewall some more)...

    Explorer.exe sends out a periodic send to admin2cash.biz. I think this is linked to the virus my explorer has on it, and since it can't be removed, the problem will continue to persist.

    By using Sygate, and blocking everything besides Mozilla, I've found the problem disappears. But if I do allow explorer.exe the ability to send messages again, or reboot for that matter, when Sygate isn't up before explorer.exe can make its move, the problem comes back. It's just simple trial and error.

    ...I think the best way to fix this would be to re-format the hard-drive, unless there is a way to replace the explorer file.

    EDIT: Forgot to mention; After being infected once more, I tried removal through add/remove programs, but it did nothing, as I thought.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. QueenAngel

    QueenAngel Private E-2

    I had this very same thing. In searching for an answer this is the only thing I found on a google search so here I am.

    I read most of this thread- except the first few pages.....

    My AOL would not work- kept freezing. This started at the exact same time this virus appeared.
    Avast said my memory was infected.

    I had Avast force move the desktop.exe on start up since all of the problem files for me are write protected and I could do nothing with them.

    I also had a file called r.exe located at C:r.exe
    No matter what I did before nothing worked and this was one of the files that kept coming back.

    I overwrote that file in notepad, force moved the desktop.exe and all is well after a reboot. My AOL has even started working again and I was able to delete the entire isrvs folder with no problem.

    Now the only problem I have is that I am missing a .dll file that I really need:
    msvcrt.dll. How can I replace this? When I reboot I get a Windows explorer error and as soon as I click OK I will not be able to do anything until I replace this file.

    I do not have a windows disk or cd as windows came already installed in my computer. I am running Windows XP if that makes a difference.

    I am by no means a computer expert. And I can not guarantee that my problem is fixed. But it seems to be so far.

    Thank you guys for all the help- I have been trying to get rid of this bugger for a few days now.

    And I hope what I said can help someone else out.
     
  9. Blac_Slayer

    Blac_Slayer Private E-2

    Well, I know I need to replace my explorer file; it's just that finding a replacement is what's difficult. I can't seem to find one.

    Got a suggestion as to where to find it?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you download the SP2 file to your PC? If you did and you have the network version, you may be able to extract it from there. We cannot give it to you here because that is illegal for us to do.

    Search your computer for other copies of explorer.exe and see if you can locate one that did not get infected. Your original (before upgrade) may possibly still exist in your c:\i386 folder. You can also get this from your original boot CD. But it will not be the SP2 version.
     
  11. questra25

    questra25 Private E-2

    Have you tried using a p2p like dc++ to retrieve files you might need....just a thought.
    I had something like that ...and I used avg to delete it ..nothing else would look at it..
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is illegal! Please do not discuss illegal things on MGs!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The proper solution is this and it can still be done even from the command prompt (assuming you delete all the currently infected explorer.exe copies).

    Run c:\program files\internet explorer\iexplore.exe

    and go here to download the Network Version of SP2 from Microsoft:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&DisplayLang=en

    Note: the above file is 272 MB in size, so I hope you have a fast connection.

    Now continue with the below while disconnected from the Internet.

    Then use WinZip, WinRar or similar to view the files in that executable. Extract explorer.ex_ from the SP2 file. I would first extract it to a folder not related to Windows (create your own - like c:\myexpfix). It is compressed, so you will need to use Microsoft's expand program to expand it. Here's how, assuming you did the above already.

    From the command prompt:
    cd c:\myexpfix
    expand explorer.ex_ explorer.exe

    Now assuming you have already gotten rid of the soft.exe trojan, from the command prompt:
    copy explorer.exe c:\windows
    cd c:\windows
    explorer

    That should start up the explorer shell with the new uninfected copy.
    Try rebooting and let's see what happens.

    Obviously it is important that you have already removed the infected versions and the soft.exe file that began this.
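    The two checks a defender would want around this procedure, as an added example that is not part of the thread (Python, running on constructed files in a temporary folder; the file names follow the ones discussed in the thread): listing recently modified executables in a folder the way cybermike's DIR /OD triage did, and confirming by hash that the explorer.exe in place is byte-identical to the clean copy expanded from the SP2 package.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# The thread's triage looked at executables and libraries in the system folders.
EXECUTABLE_SUFFIXES = {".exe", ".dll"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def recent_executables(directory, max_age_seconds, now=None):
    """DIR /OD in code: .exe/.dll files in `directory` modified within
    `max_age_seconds`, newest first, as (path, mtime) pairs."""
    now = time.time() if now is None else now
    hits = []
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            mtime = entry.stat().st_mtime
            if now - mtime <= max_age_seconds:
                hits.append((str(entry), mtime))
    hits.sort(key=lambda item: item[1], reverse=True)
    return hits


def matches_reference(installed, reference):
    """True when the installed binary is byte-identical to the clean copy."""
    return sha256_of(installed) == sha256_of(reference)


def demo():
    """Constructed sample, not a real system: a throwaway 'system32' holding a
    year-old DLL, a day-old dropped EXE and a tampered explorer.exe, plus a
    separate folder (the thread's c:\\myexpfix) with the clean explorer.exe."""
    system32, fix_dir = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    now = time.time()
    for name, content, age_days in [("shell32.dll", b"MZ old library", 400),
                                    ("dddd.exe", b"MZ dropped file", 1),
                                    ("explorer.exe", b"MZ explorer+junk", 0.05)]:
        path = system32 / name
        path.write_bytes(content)
        os.utime(path, (now - age_days * 86400, now - age_days * 86400))
    clean = fix_dir / "explorer.exe"
    clean.write_bytes(b"MZ explorer")
    recent = [Path(p).name for p, _ in recent_executables(system32, 7 * 86400, now)]
    return recent, matches_reference(system32 / "explorer.exe", clean), matches_reference(clean, clean)
```

    The year-old shell32.dll drops out of the seven-day window, the fresh files surface newest first, and the hash comparison tells you whether the copy in c:\windows really is the one you expanded.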
     
  14. Blac_Slayer

    Blac_Slayer Private E-2

    I followed everything you said, and I tried rebooting into normal mode with the cable in.

    ...It seems normal. I'm gonna go ahead and try rebooting a couple more times, and checking certain registry keys for any changes. I'll give you final results soon.
     
  15. Blac_Slayer

    Blac_Slayer Private E-2

    ...I'm going to hazard a guess... and say that... I'm finally fixed.

    I don't see any more adware popping up after replacement, and I gained control of my Windows Firewall once more (And it's disabled now, thankfully), and I have Avast! and Sygate now, both under strict protection, along with Spybot, Ad-aware, and SpywareBlaster. My registry is unchanged, and no files are re-appearing in my system folder. In fact, nothing is coming back.

    Everything is back to normal!

    I can't give you enough thanks for all the help you've given me thus far. In fact, it's six pages worth of help! I'm surprised you still kept trying to help me, despite how half-***ed I was toward you.

    This problem was very difficult to finish, and I'm just happy it's finally over. If you can find a use for this thread, and make something out of it to help other people with the same problem as me, then that would be downright amazing.

    Thank you, Chaslang. Thank you!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! I hope it remains clean! I would recommend posting a HJT log just to check things out.

    Did you find that soft.exe file and get it deleted? And all the other copies of explorer.exe that it infected too.
     
  17. Blac_Slayer

    Blac_Slayer Private E-2

    (Final!) HJT log posted.

    Yes, the soft.exe has been deleted, and everything is truly back to normal. I still can't thank you enough for how much you've helped me!
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! I'm glad to see we got this all fixed up. You had a combination of a bunch of nasties! And now your log is clean.
     
