Member Avatar for Sassy

Ok hi. Well id say im glad to be back, but under the circumstances, I'm not lol

I hate to be annoying, and i thought my virus was killed, but it seems its little friend has joined my computer, or an update or something? For the past week or so, my internet browser has been constantly showing "Cannot find server" etc. and by deletin the files from HJT worked at the time. I also got rid manually of a virus called winlogins.exe. But now, the whole CMD.exe is loading webpage spam and the IE is runnin as a system process again, clogging up my computer. Also, my Windows folder, has been deleted somehow! I cant find it anywhere.
So i guess im just hoping that maybe theres been new info. released about my virus? AVG isnt helping either ... heres my HJT log!

Logfile of HijackThis v1.98.2
Scan saved at 5:36:32 PM, on 3/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [RpcxWindows Extensions] rpcxwinex.exe
O4 - HKLM\..\Run: [Rpcx Intelligent Security] rpcxis.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\Run: [RPCMicrosoft Original Windows Updater] rpcxmowu.exe
O4 - HKLM\..\RunServices: [RpcxWindows Extensions] rpcxwinex.exe
O4 - HKLM\..\RunServices: [Rpcx Intelligent Security] rpcxis.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [RPCMicrosoft Original Windows Updater] rpcxmowu.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RpcxWindows Extensions] rpcxwinex.exe
O4 - HKCU\..\RunServices: [RpcxWindows Extensions] rpcxwinex.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

Thanks!

  • 4 Contributors
  • 6 Replies
  • 236 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by DMR
Member Avatar for DaveSW

Check the following:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [RpcxWindows Extensions] rpcxwinex.exe
O4 - HKLM\..\Run: [Rpcx Intelligent Security] rpcxis.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\Run: [RPCMicrosoft Original Windows Updater] rpcxmowu.exe
O4 - HKLM\..\RunServices: [RpcxWindows Extensions] rpcxwinex.exe
O4 - HKLM\..\RunServices: [Rpcx Intelligent Security] rpcxis.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [RPCMicrosoft Original Windows Updater] rpcxmowu.exe
O4 - HKCU\..\Run: [RpcxWindows Extensions] rpcxwinex.exe
O4 - HKCU\..\RunServices: [RpcxWindows Extensions] rpcxwinex.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Choose fix checked, reboot in safe mode by repeatedly pressing f8 during bootup, then delete the following files. (probably located in C:\windows\system32)
sysconf.exe
rpcxsys.exe
rpcxis.exe
rpcxmowu.exe
rpcxwinex.exe

You may need to go to tools -> folder options -> view to show hidden and system files.

Then search for all those filenames in the windows find feature, and delete any of those files that it finds in the prefetch folder.

Then reboot and post a new log.

PS you may want to wait for someone else to independantly confirm this.

Member Avatar for DMR

...you may want to wait for someone else to independantly confirm this.

Looks to me like you've got it right. :)


Sassy, the "nasties" indicated in your log are associated with at least two known trojans/viruses; I'm surprised AVG didn't catch them. Is your version of AVG absolutely up-to-date on its virus definitions?

You should probably get a free online virus scan from the following two sites just to get a "second opinion":

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/active...n_principal.htm

Member Avatar for Sassy

Heyy! Thanks so much for both ur replies and help! I unhid my Windows File (That i had actually hidden by accident the night before :o ) and got rid of most of the virus' threads (or whatever theyre called) manually in Safe Mode, but the rpcxwinex.exe remained, as i forgot to delete the sysconfig.exe in HJT! AVG is also updated, but didnt find anything :eek: and Panda instead found 5 infected files, fixing them. So according to the following HJT file, i think im cured?

Logfile of HijackThis v1.98.2
Scan saved at 7:26:01 PM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

Thanks!!!!!!!!!!!!!

Member Avatar for dlh6213

This isn't really a problem, but you can have HJT fix this:
R3 - Default URLSearchHook is missing

Other then that, your log looks okay to me. Anyone else see anything I missed?

Member Avatar for DaveSW

Looks to me like you've got it right. :)

cheers ;)

It looks clean to me too.

Member Avatar for DMR

Yup- that's a clean one. Glad we could help! :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.