
785584CF.dll - eating CPU and HDD space


bbone


After disabling swap and cloning my Win2k SP4 from the 120G Maxtor C: 2G partition to the 320G Hitachi C: 2G partition, the boot became extremely slow after winlogon kicks in. It took like 10 minutes, and one has to wait about 20 sec for every single click to get recognized, etc. The system acts very slow.

All speed problems went away when, using ProcView, I changed the priority of winlogon.exe from High to Below Normal.

But not ALL problems.

Drive C: has ZERO free space - a huge problem. All the space is consumed by the file 785584CF.dll in the C:\WinNT\Temp directory. Any attempts to delete the file failed miserably. The file is locked by winlogon.exe, and killing this process causes an instant freeze. Using ProceXP I tried to close the file handle, to be able to delete it, yet once again - the message "invalid descriptor" stopped me.

It is possible to kill the file in DOS (Zip boot, C: is FAT32), but after a new reboot - there we go again. Any free space on C: I managed to free gets consumed again, and very quickly...

In short - it suxx.

What is weird is that any time I can boot using the old drive, and it works w/o any of these troubles. Now that is WEIRD.

I tried SpyBoot (updated), Ad-Aware (updated), and Avast and Kaspersky (updated) to help me get rid of the virus/problem or what the hell this is, but none of them were successful. Avast, though, found some ntkros.dll file that BSplayer put on my machine, which made the old version of BSplayer finally run (the new one suxx badly) - but that is probably not related...

Any ideas are welcome!



Guys! It would be a lifesaver if anyone can tell me how to modify the cursed Winblows so that winlogon.exe will start and run with at least Normal priority, if not Below Normal :)

That would make my day, because booting and testing whether "this or that" finally fixed my problem will be so much faster... Can anyone help me with that?

Meanwhile, here is the log from the latest RunScanner version 1.03:

http://ax2.old-cans.com/Win2K_SP4_autoruns.zip

Will it help someone to determine WTF is going on there? :)


Judging by your posts on another forum, I would say you have a seriously compromised system.

You should take all suspicious files and upload them to http://www.virustotal.com and allow sending them to different av companies for inspection.

IMO, that install is wasted completely, and you should start over from a secure source (original win2k disc).

I would most likely securely wipe that drive clean as well.

Edited by Fungus

Problem found and fixed.

I found that after replacing the hal.dll file with one of nonstandard size, 82 176 bytes - while hal.dll is still 66 848 bytes long, even after the IE6 and DX9.0c updates for Win2k SP4 - I can now use ProceXP successfully to close the handle and hence delete the file. Hoooray! And it does not get re-created - till the next reboot, ****.

The major cause is the pmxgl32.dll file, which is likely a trojan virus. After running HijackThis.exe I was recommended to take a look at this file, and that was it.

Google found this link: http://forum.kaspersky.com/lofiversion/index.php/t47534.html

According to which I removed it - and voilà - problems are gone! Hoooray!

Dunno how many bad files are still on my HDD, but at least no apparent problem is visible - till the new reinstall :lol:

Nevertheless, I probably have to STOP using IE even for sites I think are safe :(

Uploaded the file with this thing too :) Thanks for the link.

Here is the file, if anyone is interested:

http://rapidshare.com/files/56065674/785584CF_virus.zip

Edited by bbone