"MiCr0s0ft.exe", "Microsoftx.exe" & "ns.exe" viruses?Please Help

Question

Sassy 0 Light Poster

20 Years Ago

Hii me again unfortunately...

Well supposedly there is a new virus going around in an email titled "I'm in Love' or something, well unfortunately I do remember opening an email relating to that title.. and strangely enough these supposed "virus'" are now in my computer.... I ran Panda Scan and it detected 8 viruses, naming the ones I will name, and supposedly fixing them..but "MiCr0s0ft.exe", "Microsoftx.exe" and "ns.exe" are all running in my System, and taking up Memory and my CPU , varying from 3000 k, to 14000k....
So, naturally my computer is running very slowly, and the net is only partly working (Microsoft INternet Explorer is getting the Error Message most of the time..)
SO i was hoping that someone might know what the programs i mentioned are doing on my computer and if they're harmful..and how i can fix them! ohh and here's my Hijack Log!

Logfile of HijackThis v1.98.2
Scan saved at 8:26:42 PM, on 24/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ns.exe
C:\WINDOWS\System32\MiCr0s0ft.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\Microsoftx.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

It's all in there!^
Thanks!!!!

windows-virus

4 Contributors
28 Replies
768 Views
2 Weeks Discussion Span
Latest Post 20 Years Ago Latest Post by Sunda

crunchie 990 Most Valuable Poster

20 Years Ago

Now then. What did I tell you??

Open Task Manager & end process on the following:
ns.exe
MiCr0s0ft.exe
Microsoftx.exe
Then go to C:\WINDOWS\System32 and delete them manually.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe

Do not open strange mail! Guess you know that now :).

crunchie 990 Most Valuable Poster

20 Years Ago

Download the Pocket KillBox
Unzip the file to your desktop.
Run KillBox.exe.
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

C:\WINDOWS\System32\ns.exe

Run KillBox again.
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

C:\WINDOWS\System32\MiCr0s0ft.exe

Run KillBox again.
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click YES.):

C:\WINDOWS\System32\Microsoftx.exe

Your computer should then reboot. Killbox will check to see if the files were deleted.

See if you can get a log from HJT and post it back.

crunchie 990 Most Valuable Poster

20 Years Ago

Do you have Winamp?

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe

Run a search of your computer and see if you can find any of the above. If you do, you know what to do

Hopefully that will be it :).

Reboot after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.

crunchie 990 Most Valuable Poster

20 Years Ago

Can you delete it from the prefetch folder, then download sysclean (free) from Trend Micro, allow it to clean up any bad files it finds. It may take a while, so have a cuppa whilst it's running :).

http://www.trendmicro.com/download/dcs.asp

Be sure to download and install the latest pattern file. There's a link to it at the lower left-hand colum of the page. It will not run without the pattern file.

From Trend:

Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.

crunchie 990 Most Valuable Poster

20 Years Ago

Not buggin' me :). Turn off system restore. You will lose all previous restore points! Go to Start>Run and type msconfig Press enter. When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left. Check the box labeled Turn off System restore.
Clear out your prefetch folder.

Reboot.

Post another hijackthis log.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Sassy 0 Light Poster · Answer 1 · 2004-10-24T17:01:35+00:00

Hi again........
Unfortunately for some strange reason, altho I am system administrator, I can not close the three programs because Access is Denied.
Then, when I looked, there are no virus files in system32 at all...
Also, Hijack this loads and scans, but before I have a chance to click on anything, unless I save the long very quickly, the program shuts itself down.

I somehow have to find a way to be able to shut down the programs in Task Manager.

do you have any ideas please?
Thanks...

And i know, i tried to stay outta trouble! But its just so hard! lol...*sighs*

Sassy 0 Light Poster · Answer 2 · 2004-10-25T10:33:05+00:00

Hiii again... ok well i did what u said; downloaded KillBox and everything, yet still after rebooting, the programs are still in my HJT log...but none of the three programs are currently running in my Task Manager, so hopefully thats a sign! Here's my Log...

Logfile of HijackThis v1.98.2
Scan saved at 3:29:27 PM, on 25/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Sassy 0 Light Poster · Answer 3 · 2004-10-26T09:31:59+00:00

Hiii again Crunchie! :mrgreen: And yes, I do have Winamp, its the media player I usually use the most...is there something wrong with it?
I did what you said, and had to manually delete MiCr0s0ft.exe but that was ok...the other two viruses, i actually "fixed" in the HiJack This log last night when i got frustrated, and they didnt reappear, but I searched for them anyways and I deleted the files of them too..so it all looks good so far, actually I'll leave that conclusion to you Doc... ;)

Logfile of HijackThis v1.98.2
Scan saved at 2:31:26 PM, on 26/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Sassy 0 Light Poster · Answer 4 · 2004-10-26T10:06:48+00:00

oooh me again...ok welllll Suddenly MiCr0s0ft is back! :sad: darn it.. :eek:
so again I've searched my computer and its in the C:\WINDOWS\Prefetch... file name "MICR0S0FT.EXE-2BF729A4.pf"... :twisted:
does that help anything? lol...should i rescan again? :rolleyes:

Sassy 0 Light Poster · Answer 5 · 2004-10-27T13:13:27+00:00

Hiii again..okies well I downloaded and ran the scanner you told me to do, but it didnt totally delete the file...except it no longer ran as a System Process, so it was closeable in Task Manager...I then ran KillBox again, and deleted it from the Hijack This log, then rescanned with HJT and posted it here...

Logfile of HijackThis v1.98.2
Scan saved at 6:15:19 PM, on 27/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

So it does look clean now! I just hope its gonna be gone for good! Does it all look good to you?

Sassy 0 Light Poster · Answer 6 · 2004-10-27T14:35:26+00:00

Oooh nooo...
Man this is really buggin me! ITs back again...i manually deleted it again but its back..i reckon its related to tha rpcxsys.exe file...as that is the only "virus" remaining on my puta after the microsoftx.exe and ns.exe have gone now... I wonder, is there any other virus scanners out there u know about? I'm so sorry to hafta keep buggin you Crunchie! :cry:

Sassy 0 Light Poster · Answer 7 · 2004-10-29T11:09:54+00:00

Hii..
well I did what u said, and cleared my whole Prefetch folder...then I restarted and MiCr0s0ft.exe was running again but not as a system process, and I found the MiCr0s0ft.exe file in my system32 folder..so I deleted it, but its still showing in the HJT log...

Logfile of HijackThis v1.98.2
Scan saved at 4:11:46 PM, on 29/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

Do i just "fix selected" in HJT? its not runnin atm in Task Manager at all, so hopefully thats a good sign!! :o

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 8 · 2004-10-29T16:24:16+00:00

Yes. Just fix these lines and reboot and check to see what is running again :).

O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe

Sassy 0 Light Poster · Answer 9 · 2004-10-31T07:55:44+00:00

Okkk well i did that and deleted them..
I think i need to rescan again just to make sure theyre all gone, but it all looks good!!! So thanks again Crunchie, you rule! :mrgreen:

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 10 · 2004-10-31T08:08:42+00:00

You can do that I reckon :). You should be able to recognise it now :).
I responded to another of your threads regarding Messenger Plus that you were going to reinstall. Do not install the 3rd party sponsor with it or you will get infected by LOP.

Sassy 0 Light Poster · Answer 11 · 2004-10-31T08:13:36+00:00

*Screams at computer*
AHHHHHH.. :o
Ok I was hoping my post would be the last one for a while (at least!) but noooo... I've noticed since yesty that there are "Internet Explorer"'s being run in my Task Manager as System Processes! Yesterday there was up to 10 running at once...And im saying this now because I just got bombarded by them all starting...ahh this is so annoying lol... :mad:
But also, that program "rpcxsys.exe" is still in my HJT log...Maybe thats whats causing this all :mad: I'm about ready to throw my computer through my window...lol...
Sorry for having to keep asking for ya help! :o

Sassy 0 Light Poster · Answer 12 · 2004-10-31T08:56:09+00:00

Ok wellll...just thought it might help if i told you that now every now and then "CMD" is opening and something happens in the (i think its a command prompt?) and then a web page loads with random things which I close but they still run as a System Process...so im guessing its that virus still..grrr.. :eek:

briandoc 0 Newbie Poster · Answer 13 · 2004-11-03T03:55:24+00:00

Ok wellll...just thought it might help if i told you that now every now and then "CMD" is opening and something happens in the (i think its a command prompt?) and then a web page loads with random things which I close but they still run as a System Process...so im guessing its that virus still..grrr.. :eek:

The rpcxsys.exe file is a virus. Our company was attacked by it this morning and it brought our network to a standstill. We worked with Symantec and their engineers determined it was a previously unknown variant of the spybot.worm virus. If you happen to use Symantec/Norton antivirus products you can download the rapid-release virus signature update from here to detect and quarantine the file until the file's signature is added to their regular definition files:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/

We struggled in frustration all-night trying to determine the culprit and resolve what this file does. This site was the only site that made mention of it on the entire www. Thanks for letting us know we weren't crazy when we thought 'how can we be the only people to have a brand-new virus?' There's nothing like being at ground-zero for a new undetected virus. Nobody can really help you prevent reinfection. We could remove the process manually but we couldn't prevent it from coming back once an infected pc attacked it again. So far we have not determined how it got into our network but it looks like it requires user interaction (opening an infected attachment) and passes itself around a network through weak administrator passwords. It determines what network segment it is on and performs a complete network port scan on all ip addresses looking for vulnerable ports/services that are running and reports the compromised machines back to various sites. Our version was non-destructive at this point. Only settinging up a backdoor and it's own account for re-entry. The program would peg the cpu on the affected pc to near 100% and flood the network with traffic that wreaked havoc on all of our routers. The only file we saw in our case was the rpcxsys.exe, we did not have the "MiCr0s0ft.exe", "Microsoftx.exe" & "ns.exe" files appear.

Glad it's over though.

Hope this helps people in this group.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 14 · 2004-11-03T16:12:53+00:00

crunchie 990 Most Valuable Poster

20 Years Ago

briandoc. Thank you very much for posting :).

Sassy 0 Light Poster · Answer 15 · 2004-11-04T09:57:15+00:00

OOOH MANNN...
Thanks tonnes for telling me about my virus briandoc...but now im al flustered! lol unfortunately i dont use Norton or Symantec...but i clicked on ur link anywayz and all these folders and programs from Symantec were there, but i dont know what to open..lol..man im in trouble.. maybe i should stick AVG on my computer ASAP, well thats what im gonna do right now to try and PREVENT other viruses from making my computer worse!
Thanks again...
I dont know what else to do :cry:

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 16 · 2004-11-04T15:42:05+00:00

Sassy. Try the AV in my signature and update it when installed. You can also go here for an online scan;

http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Sassy 0 Light Poster · Answer 17 · 2004-11-07T11:06:11+00:00

WELLLLLL looks my viruses are all makin friends and bein happy EATING away at my puta :lol: ..lol :cry: ..theres even a "rpcxupdtsys.exe" now...joy :evil: ....do u reckon theyre in my registry and i could go into safe mode and get rid of them somehow? :sad: AVG isnt helping very much, obviously, and the AV in ur signature didnt work on my computer, neither did the online scan... :cry:

Logfile of HijackThis v1.98.2
Scan saved at 4:06:12 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\Run: [Video Process] MSlti64.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\Run: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - HKLM\..\RunServices: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\RunServices: [Video Process] MSlti64.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - HKCU\..\Run: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 18 · 2004-11-07T12:00:02+00:00

Reboot into safe mode and delete these files;

wmmon32.exe
MSlti64.exe
rpcxsys.exe
rpcxupdtsys.exe
wmmon32.exe
MSlti64.exe
rpcxsys.exe
rpcxupdtsys.exe
rpcxupdtsys.exe

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O4 - HKLM\..\Run: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\Run: [Video Process] MSlti64.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\Run: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - HKLM\..\RunServices: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\RunServices: [Video Process] MSlti64.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - HKCU\..\Run: [Microsoft Windows System Update] rpcxupdtsys.exe

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

Sassy 0 Light Poster · Answer 19 · 2004-11-09T12:41:23+00:00

I did what you said Crunchie..and it seemed to get rid of most of the virus' except for "rpcxupdtsys.exe" and i thought i saw tha other one...hmmm this sux :cry: but thankya for helpin me get rid of tha otha virus' :o

Logfile of HijackThis v1.98.2
Scan saved at 5:45:15 PM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 20 · 2004-11-09T16:13:01+00:00

Turn off system restore. If you know the full path to rpcxupdtsys.exe (it may be C:\Windows\system32) paste the full path into hijackthis, like so:

Start hijackthis and go to Config\Misc Tools\Delete a File on Reboot and paste it into the line that pops up.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O4 - HKLM\..\Run: [Microsoft Windows System Update] rpcxupdtsys.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System Update] rpcxupdtsys.exe

Reboot and keep the fingers crossed :).

Sassy 0 Light Poster · Answer 21 · 2004-11-10T11:59:37+00:00

Man oh man :eek: ..lol..welllll System Restore was still turned off from last time u told me to turn it off lol...so then i did what u said in Hijack This, but i dont know the full path of it, so i searched my computer for the rpcxupdtsys.exe but it wasnt actually found on my computer anymore! :rolleyes: ...but HiJack this is still picking it up..how strange! :eek: Its not in my system32 or prefetch folder...this really sux.lol :eek: But i know its still there, somehow relating to my CMD because Internet Explorer is still being run as a System Process...and whatever this virus is, loads the webpages through my CMD...ahhh! :eek:

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 22 · 2004-11-10T16:00:58+00:00

Make sure that you have all hidden files\folders set to show and have another peek :).

Sunda 0 Newbie Poster · Answer 23 · 2004-11-11T21:12:57+00:00

Hi ! Can anyone help me? I'm with the same problem i think...

Yesterday I noticed that the leds of my cable modem are ON forever... The 2 leds (receive and send) were ON and i wasn't using teh internet! So I checked the Running process and found rpcxsys.exe ! I've tried to delete it with hjt but it failed, so I deleted it mannually. The problem is that svhost.exe is still running and i think that's it is consuming my internet connection! Yesterday I've noticed up to 21 process svhost running at the same time!!! :evil: 'me trying to delete it, but everytime I do this, the file C:\WINNT\System32\svhost.exe appears again after the reboot!!!

I've also found keys at the windows register named svhost... May I delete it all ?
these are the respective locations:
- HKEY_CURRENT_USER\Software\Miscrosoft\Windows\Current Version\Run
- HKEY_LOCAL_MACHINE\Software\Miscrosoft\Windows\Current Version\Run
- HKEY_LOCAL_MACHINE\Software\Miscrosoft\Windows\Current Version\RunServices
- HKEY_USERS\DEFAULT\Sotware\Miscrosoft\Windows\Current Version\Run

Hey Crunchie help me please! What I have to do to stop svhost.exe and make my connection FREE? :cry: