954,229 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
7 Years Ago
0

"MiCr0s0ft.exe", "Microsoftx.exe" & "ns.exe" viruses?Please Help

Hii me again unfortunately...

Well supposedly there is a new virus going around in an email titled "I'm in Love' or something, well unfortunately I do remember opening an email relating to that title.. and strangely enough these supposed "virus'" are now in my computer.... I ran Panda Scan and it detected 8 viruses, naming the ones I will name, and supposedly fixing them..but "MiCr0s0ft.exe", "Microsoftx.exe" and "ns.exe" are all running in my System, and taking up Memory and my CPU , varying from 3000 k, to 14000k....
So, naturally my computer is running very slowly, and the net is only partly working (Microsoft INternet Explorer is getting the Error Message most of the time..)
SO i was hoping that someone might know what the programs i mentioned are doing on my computer and if they're harmful..and how i can fix them! ohh and here's my Hijack Log!


Logfile of HijackThis v1.98.2
Scan saved at 8:26:42 PM, on 24/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ns.exe
C:\WINDOWS\System32\MiCr0s0ft.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\Microsoftx.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57


It's all in there!^
Thanks!!!!

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Now then. What did I tell you??

Open Task Manager & end process on the following:
ns.exe
MiCr0s0ft.exe
Microsoftx.exe
Then go to C:\WINDOWS\System32 and delete them manually.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe

Do not open strange mail! Guess you know that now :).

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Hi again........
Unfortunately for some strange reason, altho I am system administrator, I can not close the three programs because Access is Denied.
Then, when I looked, there are no virus files in system32 at all...
Also, Hijack this loads and scans, but before I have a chance to click on anything, unless I save the long very quickly, the program shuts itself down.

I somehow have to find a way to be able to shut down the programs in Task Manager.

do you have any ideas please?
Thanks...

And i know, i tried to stay outta trouble! But its just so hard! lol...*sighs*

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Download the Pocket KillBox
Unzip the file to your desktop.
Run KillBox.exe.
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

C:\WINDOWS\System32\ns.exe

Run KillBox again.
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

C:\WINDOWS\System32\MiCr0s0ft.exe

Run KillBox again.
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click YES.):

C:\WINDOWS\System32\Microsoftx.exe

Your computer should then reboot. Killbox will check to see if the files were deleted.

See if you can get a log from HJT and post it back.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Hiii again... ok well i did what u said; downloaded KillBox and everything, yet still after rebooting, the programs are still in my HJT log...but none of the three programs are currently running in my Task Manager, so hopefully thats a sign! Here's my Log...

Logfile of HijackThis v1.98.2
Scan saved at 3:29:27 PM, on 25/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Do you have Winamp?

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [NS] ns.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [NS] ns.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe

Run a search of your computer and see if you can find any of the above. If you do, you know what to do

Hopefully that will be it :).

Reboot after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Hiii again Crunchie! :mrgreen: And yes, I do have Winamp, its the media player I usually use the most...is there something wrong with it?
I did what you said, and had to manually delete MiCr0s0ft.exe but that was ok...the other two viruses, i actually "fixed" in the HiJack This log last night when i got frustrated, and they didnt reappear, but I searched for them anyways and I deleted the files of them too..so it all looks good so far, actually I'll leave that conclusion to you Doc... ;)


Logfile of HijackThis v1.98.2
Scan saved at 2:31:26 PM, on 26/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

oooh me again...ok welllll Suddenly MiCr0s0ft is back! :sad: darn it.. :eek:
so again I've searched my computer and its in the C:\WINDOWS\Prefetch... file name "MICR0S0FT.EXE-2BF729A4.pf"... :twisted:
does that help anything? lol...should i rescan again? :rolleyes:

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Can you delete it from the prefetch folder, then download sysclean (free) from Trend Micro, allow it to clean up any bad files it finds. It may take a while, so have a cuppa whilst it's running :).

http://www.trendmicro.com/download/dcs.asp

Be sure to download and install the latest pattern file. There's a link to it at the lower left-hand colum of the page. It will not run without the pattern file.

From Trend:

Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Hiii again..okies well I downloaded and ran the scanner you told me to do, but it didnt totally delete the file...except it no longer ran as a System Process, so it was closeable in Task Manager...I then ran KillBox again, and deleted it from the Hijack This log, then rescanned with HJT and posted it here...

Logfile of HijackThis v1.98.2
Scan saved at 6:15:19 PM, on 27/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57


So it does look clean now! I just hope its gonna be gone for good! Does it all look good to you?

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Oooh nooo...
Man this is really buggin me! ITs back again...i manually deleted it again but its back..i reckon its related to tha rpcxsys.exe file...as that is the only "virus" remaining on my puta after the microsoftx.exe and ns.exe have gone now... I wonder, is there any other virus scanners out there u know about? I'm so sorry to hafta keep buggin you Crunchie! :cry:

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Not buggin' me :). Turn off system restore. You will lose all previous restore points! Go to Start>Run and type msconfig Press enter. When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left. Check the box labeled Turn off System restore.
Clear out your prefetch folder.

Reboot.

Post another hijackthis log.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Hii..
well I did what u said, and cleared my whole Prefetch folder...then I restarted and MiCr0s0ft.exe was running again but not as a system process, and I found the MiCr0s0ft.exe file in my system32 folder..so I deleted it, but its still showing in the HJT log...

Logfile of HijackThis v1.98.2
Scan saved at 4:11:46 PM, on 29/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Sarah Adams\Desktop\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFD537E-20E5-4E9F-B9F7-1E2FF9071651}: NameServer = 203.194.56.150 203.194.27.57

Do i just "fix selected" in HJT? its not runnin atm in Task Manager at all, so hopefully thats a good sign!! :o

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Yes. Just fix these lines and reboot and check to see what is running again :).

O4 - HKLM\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\Run: [Microsoft Windows Key] rpcxsys.exe
O4 - HKLM\..\RunServices: [MiCr0s0ft Update Machine] MiCr0s0ft.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Key] rpcxsys.exe
O4 - HKCU\..\Run: [MiCr0s0ft Update Machine] MiCr0s0ft.exe

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Okkk well i did that and deleted them..
I think i need to rescan again just to make sure theyre all gone, but it all looks good!!! So thanks again Crunchie, you rule! :mrgreen:

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

You can do that I reckon :). You should be able to recognise it now :).
I responded to another of your threads regarding Messenger Plus that you were going to reinstall. Do not install the 3rd party sponsor with it or you will get infected by LOP.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

*Screams at computer*
AHHHHHH.. :o
Ok I was hoping my post would be the last one for a while (at least!) but noooo... I've noticed since yesty that there are "Internet Explorer"'s being run in my Task Manager as System Processes! Yesterday there was up to 10 running at once...And im saying this now because I just got bombarded by them all starting...ahh this is so annoying lol... :mad:
But also, that program "rpcxsys.exe" is still in my HJT log...Maybe thats whats causing this all :mad: I'm about ready to throw my computer through my window...lol...
Sorry for having to keep asking for ya help! :o

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Ok wellll...just thought it might help if i told you that now every now and then "CMD" is opening and something happens in the (i think its a command prompt?) and then a web page loads with random things which I close but they still run as a System Process...so im guessing its that virus still..grrr.. :eek:

Sassy
Light Poster
34 posts since Oct 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0
Ok wellll...just thought it might help if i told you that now every now and then "CMD" is opening and something happens in the (i think its a command prompt?) and then a web page loads with random things which I close but they still run as a System Process...so im guessing its that virus still..grrr.. :eek:



The rpcxsys.exe file is a virus. Our company was attacked by it this morning and it brought our network to a standstill. We worked with Symantec and their engineers determined it was a previously unknown variant of the spybot.worm virus. If you happen to use Symantec/Norton antivirus products you can download the rapid-release virus signature update from here to detect and quarantine the file until the file's signature is added to their regular definition files: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/

We struggled in frustration all-night trying to determine the culprit and resolve what this file does. This site was the only site that made mention of it on the entire www. Thanks for letting us know we weren't crazy when we thought 'how can we be the only people to have a brand-new virus?' There's nothing like being at ground-zero for a new undetected virus. Nobody can really help you prevent reinfection. We could remove the process manually but we couldn't prevent it from coming back once an infected pc attacked it again. So far we have not determined how it got into our network but it looks like it requires user interaction (opening an infected attachment) and passes itself around a network through weak administrator passwords. It determines what network segment it is on and performs a complete network port scan on all ip addresses looking for vulnerable ports/services that are running and reports the compromised machines back to various sites. Our version was non-destructive at this point. Only settinging up a backdoor and it's own account for re-entry. The program would peg the cpu on the affected pc to near 100% and flood the network with traffic that wreaked havoc on all of our routers. The only file we saw in our case was the rpcxsys.exe, we did not have the "MiCr0s0ft.exe", "Microsoftx.exe" & "ns.exe" files appear.

Glad it's over though.

Hope this helps people in this group.

briandoc
Newbie Poster
1 post since Nov 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

briandoc. Thank you very much for posting :).

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed