tony_15 Posted February 14, 2006

Alright, no clue how I got it or anything. I told my friend that my Limewire wouldn't stop resurfacing after I closed it, and that my ctrl+alt+delete was not working. Anyway he recommended you guys... So I went to copy the text and every time it would close in about two seconds, so I had to be all sneaky and right click + a, ctrl + c. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:20 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rcnoke\csrss.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\rcnoke\smss.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Updater.exe
C:\WINDOWS\system32\454f66a6.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Warcraft III\Maps\Download\hjakths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system\drvimg.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: drvimg - C:\WINDOWS\system\drvimg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
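The log above is what a forum helper reads by hand: a core Windows process name (csrss.exe, smss.exe) running from a subfolder of system32, a legacy win.ini load=/run= entry, a BHO loading from a Temp folder, a Run value named with random hex, a site added to the IE Trusted Zone, and a Winlogon Notify DLL outside system32. The script below is an added example for this thread, not part of HijackThis, VundoFix or MsnVirRem: it applies those checks to HijackThis-style lines. The heuristics, the function names (`triage`, `check_entry`, `check_process`) and the sample log (a constructed subset of the entries posted above, with two clean entries kept as controls) are this example's own assumptions.

```python
"""Triage a HijackThis-style log for the entry patterns a helper checks first.

Added example for this thread; it is not part of HijackThis, VundoFix or
MsnVirRem. The heuristics, function names and the constructed sample log
(a subset of the entries posted above) are this example's own assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["section", "reason", "line"])

# Core Windows processes that legitimately run only from %SystemRoot%\system32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
# "O4 - HKLM\..\Run: [name] command": a value name that is nothing but hex digits
HEX_NAME = re.compile(r"^\[[0-9a-f]{6,}\]", re.IGNORECASE)
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

# Constructed sample: a subset of the log posted above, with two clean entries
# (the Acrobat BHO and the DVDLauncher Run value) kept as controls.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rcnoke\csrss.exe
C:\WINDOWS\system32\454f66a6.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O15 - Trusted Zone: *.coolwebsearch.com
O20 - Winlogon Notify: drvimg - C:\WINDOWS\system\drvimg.dll
"""


def split_path(path):
    """Return (directory, basename) of a Windows path, unquoted and lower-cased."""
    path = path.strip().strip('"').lower()
    directory, _, base = path.rpartition("\\")
    return directory, base


def check_process(line):
    """Flag a core Windows process name running from anywhere but system32."""
    directory, base = split_path(line)
    if base in CORE_PROCESSES and directory != SYSTEM32:
        return Finding("process", "core Windows process name outside system32", line)
    return None


def check_entry(section, body, line):
    """Apply the per-section heuristics to one 'Xn - ...' entry."""
    target = body.rsplit(" - ", 1)[-1]        # the file path is the last ' - ' field
    directory, _ = split_path(target)
    if section == "F3" and re.search(r"win\.ini: (load|run)=\S", body, re.IGNORECASE):
        return Finding(section, "legacy win.ini load=/run= autostart", line)
    if section == "O15":
        return Finding(section, "site added to the IE Trusted Zone", line)
    if section == "O2" and "\\temp\\" in directory + "\\":
        return Finding(section, "BHO loaded from a Temp directory", line)
    if section == "O4" and HEX_NAME.match(body.split(": ", 1)[-1]):
        return Finding(section, "Run value named like random hex", line)
    if section == "O20" and directory != SYSTEM32:
        return Finding(section, "Winlogon Notify DLL outside system32", line)
    return None


def triage(log_text):
    """Walk a HijackThis log and return the suspicious entries in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY.match(line)
        if entry:
            in_processes = False        # first 'Xn - ' entry ends the process list
            hit = check_entry(entry.group(1), entry.group(2), line)
        elif line.lower() == "running processes:":
            in_processes = True
            continue
        else:
            hit = check_process(line) if in_processes else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run on the sample it reports six entries (the rcnoke csrss.exe process, the F3 load=, the Temp-folder BHO, the 454f66a6 Run value, the coolwebsearch Trusted Zone and the drvimg Winlogon Notify) and stays silent on the Acrobat BHO and DVDLauncher controls. These are screening heuristics only; a flagged entry still needs the file itself checked before anything is removed, which is why the helpers in this thread ask for a fresh log after every step.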
tj416 Posted February 14, 2006

Hi lolocaust,

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HiJackThis log.
tony_15 Posted February 15, 2006

VundoFix V4.2.22
Scan started at 10:10:21 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22
Scan started at 10:15:44 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22
Scan started at 10:16:02 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

Attempting to delete C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system\gmivrd.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Performing Repairs to the registry.
Done!
tony_15 Posted February 15, 2006

Sorry, me again. What happened there was, I was too lazy and it took more than five minutes, so I went ahead and did it without checking the box. About a minute or two later, when I had booted my computer back up, I realized it was still not working... i.e. Limewire kept popping up and control alt delete wasn't working... I retried the program to clean my computer of the virus, this time checking the box; it popped up in about twenty seconds, and seemed to be going smoothly. It found no virus, or infected files....
tj416 Posted February 15, 2006 (edited)

Hi lolocaust,

Please download MsnVirRem (either zip or self-extracting .exe), and save it to your desktop. Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

In the new MsnVirRem folder that you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up; let it run until it disappears. It will take time to scan your machine. After it disappears, reboot back into normal mode, and post a fresh HijackThis log and the contents of C:\vundofix.txt in this thread using the "Add Reply" button.

Edited February 15, 2006 by tj416
tony_15 Posted February 16, 2006

Hmm, it doesn't appear to have worked... although it did manage to scare me by deleting like four files in system32. Here's the c:\vundofix.txt:

VundoFix V4.2.22
Scan started at 10:10:21 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22
Scan started at 10:15:44 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22
Scan started at 10:16:02 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

Attempting to delete C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system\gmivrd.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.22
Scan started at 10:25:24 PM 2/14/2006

Listing files found while scanning....
No infected files were found.

VundoFix V4.2.22
Scan started at 10:31:03 PM 2/14/2006

Listing files found while scanning....
No infected files were found.

VundoFix V4.2.22
Scan started at 2:53:29 PM 2/15/2006

Listing files found while scanning....
No infected files were found.
tj416 Posted February 16, 2006

Hi lolocaust,

Post a HijackThis log.
tony_15 Posted February 16, 2006

Logfile of HijackThis v1.99.1
Scan saved at 11:54:44 AM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Updater.exe
C:\WINDOWS\system32\454f66a6.exe
C:\Program Files\winupdates\winupdates.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Warcraft III\Maps\Download\hjakths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
tj416 Posted February 17, 2006

Hi lolocaust,

Let us try this again....

Please download MsnVirRem (either zip or self-extracting .exe), and save it to your desktop. Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

In the new MsnVirRem folder that you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up; let it run until it disappears. It will take time to scan your machine. After it disappears, reboot back into normal mode, and post a fresh HijackThis log.
tony_15 Posted February 17, 2006

VundoFix V4.2.22
Scan started at 10:10:21 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22
Scan started at 10:15:44 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22
Scan started at 10:16:02 PM 2/14/2006

Listing files found while scanning....
C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system32\req.dll
C:\WINDOWS\SYSTEM\gmivrd.bak1
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\gmivrd.bak2
C:\WINDOWS\SYSTEM\gmivrd.tmp
C:\WINDOWS\SYSTEM\gmivrd.ini
C:\WINDOWS\SYSTEM\gmivrd.ini2
C:\WINDOWS\SYSTEM\drvimg.dll

Attempting to delete C:\WINDOWS\system\drvimg.dll
C:\WINDOWS\system\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system\gmivrd.ini
C:\WINDOWS\system\gmivrd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak1
C:\WINDOWS\system\gmivrd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak2
C:\WINDOWS\system\gmivrd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.ini2
C:\WINDOWS\system\gmivrd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.tmp
C:\WINDOWS\system\gmivrd.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll
C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.22
Scan started at 10:25:24 PM 2/14/2006

Listing files found while scanning....
No infected files were found.

VundoFix V4.2.22
Scan started at 10:31:03 PM 2/14/2006

Listing files found while scanning....
No infected files were found.

VundoFix V4.2.22
Scan started at 2:53:29 PM 2/15/2006

Listing files found while scanning....
No infected files were found.

VundoFix V4.2.22
Scan started at 11:52:01 AM 2/16/2006

Listing files found while scanning....
No infected files were found.
tony_15 Posted February 17, 2006

My msn ver. also, just in case it could help...

Log of MsnVirRem by Skate_Punk_21
Fri 02/17/2006 09:09 AM
Setting Allowances for Registry Tools...
Editing Registry...
Rewriting Host File...
Finding/Killing local link...
---Infection Files Removed---
ECHO is off.
tj416 Posted February 17, 2006

Hi lolocaust,

Please post a fresh HijackThis log.
tony_15 Posted February 18, 2006

Logfile of HijackThis v1.99.1
Scan saved at 8:09:50 PM, on 2/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Updater.exe
C:\WINDOWS\system32\454f66a6.exe
C:\Program Files\winupdates\winupdates.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
tj416 Posted February 20, 2006

Hi lolocaust,

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here: The Spy Killer Forum
- Click on "New Topic"
- Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\rcnoke\csrss.exe"
- Put a link to this Besttechie topic in the description box.
- Then next to the file box, at the bottom, click the browse button, then navigate to this file: C:\WINDOWS\system32\rcnoke\csrss.exe (If you can't find the file, skip this step and proceed to the next step)
- Click Open.
- Click Post.

Then, download and run CWShredder:
- Download CWShredder.
- Save CWShredder.exe to a convenient location.
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".

Then, please download Brute Force Uninstaller.
- Unzip it to its own folder (c:\BFU)
- RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).
- Open My Computer and navigate to the c:\BFU folder.
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- In the scriptline to execute field copy and paste c:\bfu\p2pnetwork.bfu
- Press execute and let it do its job.
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.

Then, go to Add/Remove Programs and uninstall (if present):
IST Service

Then please run HijackThis, click Scan, and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O15 - Trusted Zone: *.coolwebsearch.com
Close all open windows and click Fix Checked.

Then, reboot in Safe mode. To reboot in Safe mode: Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Then, delete this file:
C:\WINDOWS\system32\454f66a6.exe

Then, delete these folders (if present):
C:\Program Files\ISTsvc
C:\WINDOWS\system32\rcnoke

Then, clean out temporary files:
- Start | Run | type cleanmgr | OK
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Click "OK" to remove them.
- Click "Yes" to confirm the deletion.

Then, reboot (in the normal mode).

Then, please go HERE to run Panda's ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open... click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Then, open HijackThis, click "Open the Misc Tools section"
- Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections" (complete).
- Then click "Generate StartupList log"
- Click "Yes" to the box that pops up.

Then copy and paste the notepad text that appears to this topic and also post your ActiveScan report and also a fresh HijackThis log in this thread.
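As an added, defender-side illustration of the "check the following" step above (example code written for this page, not tj416's tool and not part of HijackThis): a small Python triage script that parses HijackThis entries copied from the log in this thread and applies the same kind of reasoning the helper used by hand, namely win.ini load/run autostarts, BHOs with no file or living in Temp, Run keys with random hex names, and coolwebsearch.com in the Trusted Zone. The KNOWN_BAD_PATHS set, the BAD_ZONES set and the eight-hex-character name rule are assumptions chosen for the demo.

```python
import re

# Entries copied from the HijackThis log in this thread (constructed sample input).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
"""

# Analyst-supplied indicators (assumptions for this demo, not HijackThis data): a path the
# helper in the thread ticked by hand, and a domain that must never sit in the Trusted Zone.
KNOWN_BAD_PATHS = {r"c:\program files\winupdates\winupdates.exe"}
BAD_ZONES = {"coolwebsearch.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # random hex Run-key names such as 454f66a6


def parse_entry(line):
    """Split one HijackThis line into section code (R1, O4, ...) and body; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    return {"section": m["sec"], "body": m["body"], "raw": line.strip()} if m else None


def triage(entry):
    """Return why an entry should be ticked for 'Fix checked', or None if it looks benign."""
    sec, body = entry["section"], entry["body"]
    if sec == "F3" and body.startswith("REG:win.ini:"):
        return "win.ini load/run autostart"  # legacy autostart; nothing legitimate uses it on XP
    if sec == "O2" and body.endswith("(no file)"):
        return "orphaned BHO registration"
    if sec == "O2" and "\\temp\\" in body.lower():
        return "BHO loaded from a Temp directory"
    if sec == "O4" and (m := RUN_RE.match(body)):
        exe = m["cmd"].split(" /")[0].strip('"').lower()  # drop switches such as /auto
        if HEX_NAME_RE.match(m["name"]) or exe in KNOWN_BAD_PATHS:
            return "suspicious Run key"
    if sec == "O15" and body.split(": ", 1)[1].lstrip("*.").lower() in BAD_ZONES:
        return "untrusted domain in IE Trusted Zone"
    return None


def fix_list(log_text):
    """Return [(raw_line, reason)] for every entry the heuristics would tick."""
    entries = filter(None, (parse_entry(ln) for ln in log_text.splitlines() if ln.strip()))
    return [(e["raw"], r) for e in entries for r in [triage(e)] if r]


if __name__ == "__main__":
    for raw, reason in fix_list(SAMPLE_LOG):
        print(f"{reason:38} {raw}")
```

Benign entries such as the SoundMAX Run key, the AOL Global Startup shortcut and the musicmatch.com zone pass through untouched, which is the point: the script narrows the list, and the analyst still decides what to tick.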
tony_15 (Author) Posted March 2, 2006

I got to CWS remover and stopped, for I could not find a way using the internet to download it. Every time I clicked the link you gave me I was directed to some gay MSN search engine. I'm assuming this is what you were trying to help me remove... How ironic... Should I leave that step till later or what? I'm sorry I did not reply sooner, I have been away... and it seems the virus has progressed.
tony_15 (Author) Posted March 3, 2006

Hmm, news: I went to uninstall some crap... like toolbars I got somehow... And I came across "Legacy 6.0", a tool I had downloaded for a geography report to make a family tree. I went to uninstall it and it said a whole bunch of stuff like "do you want to uninstall blahahaha.system32/xg//rrs" and so on.... Should I try to uninstall it, or is that dangerous or something...?
tj416 Posted March 4, 2006

Hi lolocaust,

I'd like to see a fresh HijackThis log because a lot could have changed since my last post. Legacy 6.0 looks OK to me. Is there any particular reason that you think it is dangerous?
tony_15 (Author) Posted March 6, 2006

Logfile of HijackThis v1.99.1
Scan saved at 3:27:18 PM, on 3/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Updater.exe
C:\WINDOWS\system32\454f66a6.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vgcats.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C8F21DFE-B35C-4274-82EC-1E072D09025E} - C:\WINDOWS\SYSTEM32\winbrume.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553543256} - http://www.teensburn.com/videos/toolbar.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{236E5315-EEEB-4576-9F75-B716DA4E7593}: NameServer = 24.226.10.119,24.226.1.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{236E5315-EEEB-4576-9F75-B716DA4E7593}: NameServer = 24.226.10.119,24.226.1.93
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Legacy 6.0 just creeped me out because when I went to uninstall it, it said a whole bunch of stuff about wanting me to remove a whole bunch of system32 components that were no longer in use.
tj416 Posted April 18, 2006

Hi lolocaust,

Sorry for the delayed reply, I seem to have missed this topic. Please post a fresh HijackThis log and I will have a look at it ASAP.
Matt Posted June 2, 2006

Inactive topic... If you still need help on this problem, contact me or one of the Moderators to re-open this up.

Topic closed.