So I've been getting a massive amount of popups all of a sudden, thankfully I think I've been able to pinpoint it to a specific file. It's awtsrro.dll (filepath: C:\Windows\System32\awtsrro.dll), and Ad-Aware picks it up. Problem is, it's loaded as a module of winlogon.exe, which is one of those processes you can't just turn off (it loads into explorer.exe as well but that one's easy to kill). Anybody know a way of removing it that won't fuck up my computer? I tried doing it via Ad-Aware and it just gave me a blue screen of death, and I had to do a system restore to get my computer functioning properly again.
Doesn't seem to be working. Whatever kind of trojan/worm I've got, it's embedded itself in there pretty deep. At this point, I think I'm just gonna back up whatever I need to keep and format. While I'm at it, I'll probably call someone out here to install SP2 for me because it never worked whenever I tried doing it from the Microsoft Update site.
That was my first instinct, but I was shocked to discover that my only available restore for the entire month of December is yesterday, which was after the infection already occurred. I have my System Restore set to the maximum allocated memory for it, and it hasn't given me a restore point in over 2 weeks...and it doesn't let me click back to November either. I don't have SP2 because I've tried multiple times to install it from the Microsoft Update site and I keep getting some kind of error about lacking permissions midway through the installation, even though I'm on a full-access administrator account. Anyway, here's a screenshot of what I'm looking at with my handy Unlocker program (great tool for deleting otherwise undeletable files): http://i19.photobucket.com/albums/b168/bulletsforthebeautiful/misc stuff/ARGH-1.jpg Whatever this pesky thing is, it's loaded itself into explorer.exe, iexplore.exe, and has 2 entries for winlogon.exe. I can easily unlock it from IE or Windows Explorer, and it also lets me unlock it from the 2nd entry of winlogon.exe (the one with a Handle of 240), but when I try to unlock it from the final winlogon.exe entry and/or delete the file, I just get a BSOD with the message that my Windows Logon Process has been terminated unexpectedly. In short, it's buried so deep into my Windows Logon process that I can't find a way to get rid of it without killing the process as well, and as a result, crashing my system before the file can be deleted. *Edit* Good news! I managed to delete the file by moving it to my desktop before the system crashed, and when I restarted it was still there on my desktop, and it let me delete it with no problem. Now the bad news...I'm still getting the popups. D'oh! Looks like I'll have to do some more tinkering to figure out what the hell it is.
Well, I managed to get rid of any visible trace of whatever was infecting my system, save for a single registry key that Spybot can't remove, and doesn't show up in the scan results when I run the program on startup. I'm not getting any more popups or unusual processes running in Task Manager, so I think I've done a good job of removing it. The bad news though...I think I completely raped my system in the ass in the process, because everything's running really slow now. I'm not surprised, some of this removal literally involved ripping infected .dll files away from critical system processes...I've seen more BSODs in the last 2 days than I'd ever seen in my life. So I think I'm just gonna start backing stuff up (thankfully, I can take my time with it now), and then reformat and update to SP2, probably with the help of Geek Squad or something. I hate getting computer help from outside sources (I feel like I'm basically admitting defeat), but at this point, I don't even care, I just want someone to fix my system up properly.
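The two things the thread keeps circling around are a DLL loaded as a module of winlogon.exe (which cannot be unloaded without killing the logon process) and a leftover registry entry after the file is gone. The script below is an added example for checking both from the defender's side; it is not from the thread or any tool named in it. It assumes a modern Windows with PowerShell and an elevated prompt (the original poster was on a pre-SP2 XP box, where PowerShell was not available). It lists every module loaded into winlogon.exe and explorer.exe whose Authenticode signature does not verify, and then dumps the Winlogon Notify packages, a registry location that legitimately loads DLLs into winlogon.exe at logon and is a common place for such an entry to survive file deletion.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell session.
# Part 1: flag modules in winlogon.exe / explorer.exe with a non-valid signature.
function Get-SuspectModule {
    param([string[]]$ProcessName = @('winlogon', 'explorer'))
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        foreach ($m in $p.Modules) {
            # Get-AuthenticodeSignature also consults catalog signatures on
            # current Windows; on old systems many OS DLLs report NotSigned,
            # so treat the Status column as a triage hint, not a verdict.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if ($null -eq $sig -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process = "$($p.ProcessName) (PID $($p.Id))"
                    Module  = $m.FileName
                    Status  = if ($sig) { $sig.Status } else { 'Unknown' }
                    Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
    }
}

# Part 2: list Winlogon notification packages. Each subkey names a DLL that
# winlogon.exe loads at logon; a DllName pointing at a deleted or unsigned
# file is exactly the kind of stale entry a scanner may report but not remove.
function Get-WinlogonNotifyPackage {
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notify)) { return }
    foreach ($k in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).DllName
        $resolved = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
        # A bare file name (no path) is looked up in System32, as in the thread.
        if ($resolved -and -not [IO.Path]::IsPathRooted($resolved)) {
            $resolved = Join-Path $env:SystemRoot "System32\$resolved"
        }
        [pscustomobject]@{
            Package    = $k.PSChildName
            DllName    = $dll
            FileExists = if ($resolved) { Test-Path -Path $resolved } else { $false }
        }
    }
}

Write-Host '== Modules with non-valid signatures =='
Get-SuspectModule | Format-Table -AutoSize
Write-Host '== Winlogon Notify packages =='
Get-WinlogonNotifyPackage | Format-Table -AutoSize
```

Anything in the first table that lives in System32 but has no valid signature, and anything in the second table whose DllName no longer exists on disk, is worth cross-checking against the scanner's findings before touching it. Removing a Notify entry is a registry edit, not a file deletion, so it avoids the unload-while-loaded problem the thread ran into; as with any change to winlogon's configuration, take a backup of the key first, and note that on current Windows this key is frequently empty because the mechanism is no longer used by the OS itself.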