"MiCr0s0ft.exe", "Microsoftx.exe" & "ns.exe" viruses? Please Help

Sassy (Light Poster, joined Oct 2004) | #11 | Oct 27th, 2004
Oooh nooo...
Man this is really buggin me! It's back again...I manually deleted it again but it's back..I reckon it's related to tha rpcxsys.exe file...as that is the only "virus" remaining on my puta after the microsoftx.exe and ns.exe have gone now... I wonder, are there any other virus scanners out there u know about? I'm so sorry to hafta keep buggin you Crunchie! :cry:
~Sassy~

crunchie (Moderator, joined Feb 2004) | #12 | Oct 27th, 2004
Not buggin' me. Turn off system restore. You will lose all previous restore points! Go to Start>Run and type msconfig. Press Enter. When msconfig opens, click the Launch System Restore button.
On the next page, click the System Restore Settings link on the left. Check the box labeled Turn off System Restore.
Clear out your prefetch folder.

Reboot.

Post another hijackthis log.

Sassy | #13 | Oct 29th, 2004
Hii..
Well I did what u said, and cleared my whole Prefetch folder...then I restarted and MiCr0s0ft.exe was running again but not as a system process, and I found the MiCr0s0ft.exe file in my system32 folder..so I deleted it, but it's still showing in the HJT log...

Logfile of HijackThis v1.98.2
Scan saved at 4:11:46 PM, on 29/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

Do I just "fix selected" in HJT? It's not runnin atm in Task Manager at all, so hopefully that's a good sign!! :o
~Sassy~

crunchie | #14 | Oct 29th, 2004
Yes. Just fix these lines and reboot and check to see what is running again.

O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
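
An added example, not part of the thread and not written by any poster: a Python triage script that parses the O4 autorun lines of a HijackThis log like the one in post #13 and lists the entries that stand out. The three heuristics and the VENDOR_WORDS list are assumptions chosen for this illustration; a hit is a reason to look closer, not a verdict.

```python
import re
from collections import defaultdict

# O4 (autorun) lines from the HijackThis log in post #13; two ordinary entries kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
LEET = str.maketrans("013457", "oleast")   # digit-for-letter swaps
VENDOR_WORDS = ("microsoft", "windows")    # assumption: names worth imitating

def parse_o4(log):
    """Yield (hive, key, value_name, command) for registry autorun lines."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()

def triage(log):
    """Map each command that stands out to the reasons it was flagged."""
    keys, names = defaultdict(set), {}
    for hive, key, name, cmd in parse_o4(log):
        keys[cmd].add(hive + "\\" + key)
        names[cmd] = name
    findings = {}
    for cmd, where in keys.items():
        raw = (names[cmd] + " " + cmd).lower()
        norm = raw.translate(LEET)
        reasons = []
        if any(w in norm and w not in raw for w in VENDOR_WORDS):
            reasons.append("digit-substituted vendor name")
        if "\\" not in cmd and any(w in norm for w in VENDOR_WORDS):
            reasons.append("vendor-sounding entry with no file path")
        if len(where) > 1:
            reasons.append("registered under %d autorun keys" % len(where))
        if reasons:
            findings[cmd] = reasons
    return findings

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_LOG).items():
        print(cmd, "->", "; ".join(reasons))
```

SOUNDMAN.EXE is also a bare file name, but it claims no vendor name and sits under a single key, so it is not flagged.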

Sassy | #15 | Oct 30th, 2004
Okkk well I did that and deleted them..
I think I need to rescan again just to make sure they're all gone, but it all looks good!!! So thanks again Crunchie, you rule! :mrgreen:
~Sassy~

crunchie | #16 | Oct 30th, 2004
You can do that I reckon. You should be able to recognise it now.
I responded to another of your threads regarding Messenger Plus that you were going to reinstall. Do not install the 3rd party sponsor with it or you will get infected by LOP.

Sassy | #17 | Oct 30th, 2004
*Screams at computer*
AHHHHHH.. :o
Ok I was hoping my post would be the last one for a while (at least!) but noooo... I've noticed since yesty that there are "Internet Explorer"s being run in my Task Manager as System Processes! Yesterday there were up to 10 running at once...And I'm saying this now because I just got bombarded by them all starting...ahh this is so annoying lol... :mad:
But also, that program "rpcxsys.exe" is still in my HJT log...Maybe that's what's causing this all :mad: I'm about ready to throw my computer through my window...lol...
Sorry for having to keep asking for ya help! :o
~Sassy~

Sassy | #18 | Oct 30th, 2004
Ok wellll...just thought it might help if I told you that now every now and then "CMD" is opening and something happens in the (I think it's a command prompt?) and then a web page loads with random things which I close but they still run as a System Process...so I'm guessing it's that virus still..grrr.. :eek:
~Sassy~

briandoc (Newbie Poster, joined Nov 2004) | #19 | Nov 2nd, 2004
Originally Posted by Sassy
Ok wellll...just thought it might help if I told you that now every now and then "CMD" is opening and something happens in the (I think it's a command prompt?) and then a web page loads with random things which I close but they still run as a System Process...so I'm guessing it's that virus still..grrr.. :eek:

The rpcxsys.exe file is a virus. Our company was attacked by it this morning and it brought our network to a standstill. We worked with Symantec and their engineers determined it was a previously unknown variant of the spybot.worm virus. If you happen to use Symantec/Norton antivirus products you can download the rapid-release virus signature update from here to detect and quarantine the file until the file's signature is added to their regular definition files:
ftp://ftp.symantec.com/public/englis...ease/sequence/

We struggled in frustration all night trying to determine the culprit and resolve what this file does. This site was the only site that made mention of it on the entire www. Thanks for letting us know we weren't crazy when we thought 'how can we be the only people to have a brand-new virus?' There's nothing like being at ground-zero for a new undetected virus. Nobody can really help you prevent reinfection. We could remove the process manually but we couldn't prevent it from coming back once an infected pc attacked it again. So far we have not determined how it got into our network but it looks like it requires user interaction (opening an infected attachment) and passes itself around a network through weak administrator passwords. It determines what network segment it is on and performs a complete network port scan on all ip addresses looking for vulnerable ports/services that are running and reports the compromised machines back to various sites. Our version was non-destructive at this point. Only setting up a backdoor and its own account for re-entry. The program would peg the cpu on the affected pc to near 100% and flood the network with traffic that wreaked havoc on all of our routers. The only file we saw in our case was the rpcxsys.exe, we did not have the "MiCr0s0ft.exe", "Microsoftx.exe" & "ns.exe" files appear.

Glad it's over though.

Hope this helps people in this group.
brian

crunchie | #20 | Nov 3rd, 2004
briandoc. Thank you very much for posting.