tony_15

My Vundofix Results[INACTIVE]

Alright, no clue how I got it or anything. I told my friend that my Limewire wouldn't stop resurfacing after I closed it, and that my ctrl+alt+delete was not working. Anyway, he recommended you guys...

So I went to copy the text and every time it would close in about two seconds, so I had to be all sneaky and

right click + a, ctrl + c

Here it is:

Logfile of HijackThis v1.99.1

Scan saved at 4:11:20 PM, on 2/14/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rcnoke\csrss.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\rcnoke\smss.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Updater.exe

C:\WINDOWS\system32\454f66a6.exe

C:\Program Files\winupdates\winupdates.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Microsoft Works\WkDStore.exe

C:\Warcraft III\Maps\Download\hjakths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system\drvimg.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe

O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - Startup: csrss.lnk = ?

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.coolwebsearch.com

O15 - Trusted Zone: *.musicmatch.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: drvimg - C:\WINDOWS\system\drvimg.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
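An added example, not code from the thread or from HijackThis or VundoFix: a small Python triage script that flags, in a log like the one above, the entry types a helper reads first (core process names running outside system32, win.ini load=/run= hooks, Winlogon Notify DLLs, Trusted Zone entries, BHOs with no file or living in Temp, Run entries with random hex names). The sample input is constructed from lines in the log above, and the SystemRoot path C:\WINDOWS is assumed from that log.

```python
"""Triage helper for a HijackThis v1.99-style log.

Added example for this thread, not code from HijackThis, VundoFix or the
forum.  It flags the entry types a helper reads first in a log like the one
above; a flag means "look at this", not "this is malware".
"""
import ntpath
import re

# Core Windows processes that should only ever run from the real system32.
# The log above shows csrss.exe and smss.exe copies under system32\rcnoke.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Assumption: SystemRoot is C:\WINDOWS, as in the log in this thread.
SYSTEM32 = r"c:\windows\system32"
# HijackThis section lines look like "R1 - ...", "F3 - ...", "O20 - ...".
SECTION = re.compile(r"^[RFNO]\d{1,2} - ")
TEMP_DIR = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)


def check_process(path):
    """Flag a 'Running processes' line whose basename is a core OS process
    but whose directory is not system32 (the masquerade seen above)."""
    name = ntpath.basename(path).lower()
    if name in CORE_PROCESSES and ntpath.dirname(path).lower() != SYSTEM32:
        return f"core process name outside system32: {path}"
    return None


def check_entry(line):
    """Return a reason if a lettered section line deserves a closer look."""
    # F3: win.ini load=/run= is an obsolete autostart that modern software
    # does not use; in the log above it points at the fake csrss.exe.
    m = re.match(r"F3 - REG:win\.ini: (load|run)=(.+)", line)
    if m:
        return f"win.ini {m.group(1)}= autostart: {m.group(2)}"
    # O20: Winlogon Notify DLLs load inside winlogon.exe before the desktop
    # exists; the log above lists drvimg.dll here, the file VundoFix could
    # not delete.
    m = re.match(r"O20 - Winlogon Notify: \S+ - (.+)", line)
    if m:
        return f"Winlogon Notify DLL: {m.group(1)}"
    # O15: a Trusted Zone entry lowers IE's security settings for that domain.
    m = re.match(r"O15 - Trusted Zone: (.+)", line)
    if m:
        return f"trusted zone entry: {m.group(1)}"
    # O2: browser helper objects with no backing file, or living in Temp.
    m = re.match(r"O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)", line)
    if m:
        clsid, target = m.groups()
        if target == "(no file)":
            return f"orphaned BHO {clsid}"
        if TEMP_DIR.search(target):
            return f"BHO loaded from a Temp directory: {target}"
        return None
    # O4: Run entries whose name is just eight hex digits (like 454f66a6).
    m = re.match(r"O4 - HKLM\\\.\.\\Run: \[([0-9a-f]{8})\] (.+)", line)
    if m:
        return f"Run entry with random-looking name {m.group(1)}: {m.group(2)}"
    return None


def triage(log_text):
    """Walk the log: the process list is checked with check_process(), every
    lettered section line with check_entry().  Returns (line, reason) pairs."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if SECTION.match(line):
            in_processes = False
        reason = check_process(line) if in_processes else check_entry(line)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: a handful of lines taken from the first log above, with
# benign neighbours included so they can be seen passing.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rcnoke\csrss.exe
C:\WINDOWS\system32\rcnoke\smss.exe
C:\WINDOWS\system32\454f66a6.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O15 - Trusted Zone: *.coolwebsearch.com
O20 - Winlogon Notify: drvimg - C:\WINDOWS\system\drvimg.dll
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```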


Hi lolocaust,

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


VundoFix V4.2.22

Scan started at 10:10:21 PM 2/14/2006

Listing files found while scanning....

C:\WINDOWS\system\drvimg.dll

C:\WINDOWS\system\gmivrd.ini

C:\WINDOWS\system\gmivrd.bak1

C:\WINDOWS\system\gmivrd.bak2

C:\WINDOWS\system\gmivrd.ini2

C:\WINDOWS\system\gmivrd.tmp

C:\WINDOWS\system32\req.dll

C:\WINDOWS\SYSTEM\gmivrd.bak1

C:\WINDOWS\SYSTEM\gmivrd.bak2

C:\WINDOWS\SYSTEM\gmivrd.tmp

C:\WINDOWS\SYSTEM\gmivrd.ini

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\drvimg.dll

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\gmivrd.bak2

C:\WINDOWS\SYSTEM\gmivrd.tmp

C:\WINDOWS\SYSTEM\gmivrd.ini

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22

Scan started at 10:15:44 PM 2/14/2006

Listing files found while scanning....

C:\WINDOWS\system\drvimg.dll

C:\WINDOWS\system\gmivrd.ini

C:\WINDOWS\system\gmivrd.bak1

C:\WINDOWS\system\gmivrd.bak2

C:\WINDOWS\system\gmivrd.ini2

C:\WINDOWS\system\gmivrd.tmp

C:\WINDOWS\system32\req.dll

C:\WINDOWS\SYSTEM\gmivrd.bak1

C:\WINDOWS\SYSTEM\gmivrd.bak2

C:\WINDOWS\SYSTEM\gmivrd.tmp

C:\WINDOWS\SYSTEM\gmivrd.ini

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\drvimg.dll

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\gmivrd.bak2

C:\WINDOWS\SYSTEM\gmivrd.tmp

C:\WINDOWS\SYSTEM\gmivrd.ini

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\drvimg.dll

VundoFix V4.2.22

Scan started at 10:16:02 PM 2/14/2006

Listing files found while scanning....

C:\WINDOWS\system\drvimg.dll

C:\WINDOWS\system\gmivrd.ini

C:\WINDOWS\system\gmivrd.bak1

C:\WINDOWS\system\gmivrd.bak2

C:\WINDOWS\system\gmivrd.ini2

C:\WINDOWS\system\gmivrd.tmp

C:\WINDOWS\system32\req.dll

C:\WINDOWS\SYSTEM\gmivrd.bak1

C:\WINDOWS\SYSTEM\gmivrd.bak2

C:\WINDOWS\SYSTEM\gmivrd.tmp

C:\WINDOWS\SYSTEM\gmivrd.ini

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\drvimg.dll

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\gmivrd.bak2

C:\WINDOWS\SYSTEM\gmivrd.tmp

C:\WINDOWS\SYSTEM\gmivrd.ini

C:\WINDOWS\SYSTEM\gmivrd.ini2

C:\WINDOWS\SYSTEM\drvimg.dll

Attempting to delete C:\WINDOWS\system\drvimg.dll

C:\WINDOWS\system\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system\gmivrd.ini

C:\WINDOWS\system\gmivrd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak1

C:\WINDOWS\system\gmivrd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.bak2

C:\WINDOWS\system\gmivrd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.ini2

C:\WINDOWS\system\gmivrd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system\gmivrd.tmp

C:\WINDOWS\system\gmivrd.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\req.dll

C:\WINDOWS\system32\req.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll

C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM\drvimg.dll

C:\WINDOWS\SYSTEM\drvimg.dll Could not be deleted.

Performing Repairs to the registry.

Done!


Sorry, me again. What happened there was, I was too lazy and it took more than five minutes, so I went ahead and did it without checking the box. About a minute or two later, when I had booted my computer back up, I realized it was still not working... i.e. Limewire kept popping up and control alt delete wasn't working... I retried the program to clean my computer of the virus, this time checking the box; it popped up in about twenty seconds and seemed to be going smoothly. It found no virus, or infected files.... :(


Hi lolocaust,

Please download MsnVirRem (either zip or self-extracting .exe), and save it to your desktop. Once in place, right-click the zip file (or double-click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

In the new MsnVirRem folder that you should have on your desktop, double-click MsnVir.bat and let it run its course. A DOS window should pop up; let it run until it disappears. It will take time to scan your machine.

After it disappears, reboot back into normal mode, and post a fresh HijackThis Log and contents of C:\vundofix.txt in this thread using the "Add Reply" button.

Edited by tj416


Hmm, it doesn't appear to have worked... although it did manage to scare me by deleting like four files in system32. Here's the c:\vundofix.txt:

VundoFix V4.2.22

Scan started at 10:25:24 PM 2/14/2006

Listing files found while scanning....

No infected files were found.

VundoFix V4.2.22

Scan started at 10:31:03 PM 2/14/2006

Listing files found while scanning....

No infected files were found.

VundoFix V4.2.22

Scan started at 2:53:29 PM 2/15/2006

Listing files found while scanning....

No infected files were found.


Logfile of HijackThis v1.99.1

Scan saved at 11:54:44 AM, on 2/16/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Updater.exe

C:\WINDOWS\system32\454f66a6.exe

C:\Program Files\winupdates\winupdates.exe

C:\PROGRA~1\mcafee.com\agent\McAgent.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Warcraft III\Maps\Download\hjakths.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe

O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.coolwebsearch.com

O15 - Trusted Zone: *.musicmatch.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe


Hi lolocaust,

Let us try this again....

Please download MsnVirRem (either zip or self-extracting .exe), and save it to your desktop. Once in place, right-click the zip file (or double-click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

In the new MsnVirRem folder that you should have on your desktop, double-click MsnVir.bat and let it run its course. A DOS window should pop up; let it run until it disappears. It will take time to scan your machine.

After it disappears, reboot back into normal mode, and post a fresh HijackThis Log.


VundoFix V4.2.22

Scan started at 11:52:01 AM 2/16/2006

Listing files found while scanning....

No infected files were found.


My MSN ver. also, just in case it could help...

Log of MsnVirRem by Skate_Punk_21

Fri 02/17/2006

09:09 AM

Setting Allowances for Registry Tools...

Editing Registry...

Rewriting Host File...

Finding/Killing local link...

---Infection Files Removed---

ECHO is off.


Logfile of HijackThis v1.99.1

Scan saved at 8:09:50 PM, on 2/17/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Updater.exe

C:\WINDOWS\system32\454f66a6.exe

C:\Program Files\winupdates\winupdates.exe

C:\PROGRA~1\mcafee.com\agent\McAgent.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Anthony\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe

O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.coolwebsearch.com

O15 - Trusted Zone: *.musicmatch.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe


Hi lolocaust,

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:

The Spy Killer Forum

  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\rcnoke\csrss.exe"
  • Put a link to this Besttechie topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • C:\WINDOWS\system32\rcnoke\csrss.exe (If you can't find the file, skip this step and proceed to the next step)
  • Click Open.
  • Click Post.

Then, download and run CWShredder:

  • Download CWShredder.
  • Save CWShredder.exe to a convenient location.
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".

Then, please download Brute Force Uninstaller.

Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute field copy and paste c:\bfu\p2pnetwork.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.

Press exit to terminate the BFU program.

Then, go to Add/Remove Programs and uninstall (if present):

IST Service

Then please run HijackThis, click Scan, and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html

F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O15 - Trusted Zone: *.coolwebsearch.com

Close all open windows and click Fix Checked.

Then, reboot in Safe mode. To reboot in Safe mode:

Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Then, delete this file:

C:\WINDOWS\system32\454f66a6.exe

Then, delete these folders (if present):

C:\Program Files\ISTsvc

C:\WINDOWS\system32\rcnoke

Then, clean out temporary files:

  • Start | Run | type cleanmgr | OK
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.

Then, reboot (in the normal mode).

Then, please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Then, open HijackThis, click "Open the Misc Tools section"

Next to "Generate StartupList log", place a check next to "List also minor sections (full)" and "List empty sections (complete)".

Then click "Generate StartupList log"

Click "Yes" to the box that pops-up.

Then copy and paste the notepad text that appears to this topic and also post your ActiveScan report and also a fresh HijackThis log in this thread.
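As an added example (not from this thread, and not part of HijackThis, CWShredder or BFU), a small Python triage script that applies the same structural checks the helper applied to the log above: a legacy win.ini load=/run= autostart, a core process name such as csrss.exe running outside system32, a hex-named executable, a module loaded from a Temp directory, an orphaned BHO registration with no file, and a known hijacker domain in the Trusted Zone. The sample lines are copied from this thread's logs; the 20-character hostname threshold and the one-entry hijacker list are my own assumptions.

```python
import re

# Constructed sample: HijackThis v1.99.1 entries copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")  # "O4 - <body>"
PATH = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll|scr))(?=\s|$)', re.I)  # first module path, quoted or not
HEX_NAME = re.compile(r"^[0-9a-f]{6,}\.exe$", re.I)
CORE_PROCS = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
KNOWN_HIJACKERS = {"coolwebsearch.com"}  # assumption: only the domain flagged in this thread

def suspicious_path(path):
    """Why an autostart or BHO path looks wrong, or None if nothing stands out."""
    parent, _, name = path.lower().rpartition("\\")
    if name in CORE_PROCS and not parent.endswith("\\system32"):
        return "core Windows process name running outside system32"
    if HEX_NAME.match(name):
        return "random hex-named executable"
    if "\\temp\\" in path.lower():
        return "module loaded from a Temp directory"
    return None

def triage_entry(line):
    """Return (code, reason) for a HijackThis line worth a closer look, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "F3":  # win.ini load=/run= is a legacy autostart, rarely legitimate on XP
        return code, suspicious_path(body.split("=", 1)[1]) or "legacy win.ini autostart"
    if code in ("R0", "R1") and "//" in body:  # start/search page URLs
        host = body.split("//", 1)[1].split("/", 1)[0]
        sld = host.split(".")[-2] if "." in host else host  # second-level label
        return (code, "start/search page points at a long random-looking hostname") if len(sld) >= 20 else None
    if code in ("O2", "O3", "O4"):  # BHOs, toolbars, Run keys: inspect the loaded module
        if body.endswith("(no file)"):
            return code, "orphaned registration, file missing"
        target = body.split("] ", 1)[-1] if code == "O4" else body.rsplit(" - ", 1)[-1]
        pm = PATH.search(target)
        why = suspicious_path(pm.group(1) or pm.group(2)) if pm else None
        return (code, why) if why else None
    if code == "O15":
        domain = body.split(":", 1)[1].strip().lstrip("*.").lower()
        return (code, "known browser-hijacker domain in Trusted Zone") if domain in KNOWN_HIJACKERS else None
    return None

def triage_log(text):
    """Flagged (line, reason) pairs in log order; clean entries are dropped."""
    hits = [(ln, triage_entry(ln)) for ln in text.strip().splitlines()]
    return [(ln, hit[1]) for ln, hit in hits if hit]

if __name__ == "__main__":
    for line, why in triage_log(SAMPLE_LOG):
        print(f"{why}: {line}")
```

Entries with no structural tell, such as winupdates.exe sitting in its own Program Files folder, stay unflagged; the helper identified those from experience, which is why a script like this narrows the log but does not replace the human review.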


I got to CWS remover and stopped, for I could not find a way using the internet to download it. Every time I clicked the link you gave me I was directed to some gay msn search engine. I'm assuming this is what you were trying to help me remove... How ironic... Should I leave that step till later or what? I'm sorry I did not reply sooner, I have been away... and it seems the virus has progressed :(


Hmm,

News: I went to uninstall some crap... like toolbars I got somehow... And I came across "legacy 6.0", a tool I had downloaded for a geography report to make a family tree. I went to uninstall it and it said a whole bunch of stuff like "do you want to uninstall blahahaha.system32/xg//rrs" and so on.... should I try to uninstall it or is that dangerous or something...?


Hi lolocaust,

I'd like to see a fresh HijackThis log because a lot could have changed since my last post. Legacy 6.0 looks OK to me. Is there any particular reason that you think it is dangerous?


Logfile of HijackThis v1.99.1

Scan saved at 3:27:18 PM, on 3/6/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Updater.exe

C:\WINDOWS\system32\454f66a6.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\DOCUME~1\Anthony\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vgcats.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {C8F21DFE-B35C-4274-82EC-1E072D09025E} - C:\WINDOWS\SYSTEM32\winbrume.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.coolwebsearch.com

O15 - Trusted Zone: *.musicmatch.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553543256} - http://www.teensburn.com/videos/toolbar.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{236E5315-EEEB-4576-9F75-B716DA4E7593}: NameServer = 24.226.10.119,24.226.1.93

O17 - HKLM\System\CS1\Services\Tcpip\..\{236E5315-EEEB-4576-9F75-B716DA4E7593}: NameServer = 24.226.10.119,24.226.1.93

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Legacy 6.0 just creeped me out because when I went to uninstall it, it said a whole bunch of stuff about wanting me to remove a whole bunch of system32 components that were no longer in use.


Hi lolocaust,

Sorry for the delayed reply, I seemed to have missed this topic. Please post a fresh HijackThis log and I will have a look at it ASAP.


Inactive topic...

If you still need help on this problem, contact me or one of the Moderators to re-open this up.

Topic closed.
