URGENT Spyware that hides from all forms of detection

22 Posts
Joined 2004-11-16
I got this spyware or virus... it's blocked my Add/Remove Hardware, disabled my sound... it runs in the background but hides from Task Manager... it's called rlrmvr.exe. Whenever you start up Task Manager you see it for a split second, then it disappears... it's in my system32 folder but I can't see it in the folder, but when I search for it, it shows up there... never was there before... but I got sent to a fake link with loads of spyware. I removed the spyware and now after I restarted my comp I got this problem. PLEASE HELP... I've tried installing Norton but it's giving me an error... need help...


Responses to this topic


22 Posts
Joined 2004-11-16
OP
Adding onto previous post:
It's modifying settings and everything... it's working with dcdp.exe and it hides too... I have set all view file types but it's not there... NEED HELP... I'm installing McAfee right now... please, if anyone has any ideas for help, please tell me...
The spyware actually is hiding... I've never had it happen like this before... you fix it in msconfig, it says it's right, but 10 minutes later it changes it... you delete all the files, do end process and everything I can think of... still not helping... HELP ME PLEASE

22 Posts
Joined 2004-11-16
OP
Oh yeah, adding my HijackThis log... keep forgetting stuff
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 8:46:43 PM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rlrmvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Mike\My Documents\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redvsblue.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c11.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106857067593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
 

1019 Posts
Joined 2004-12-21
This is for XP Professional.

Download Adaware, Spybot - Search and Destroy, Stinger and a program called LSPFix.
Update Adaware and Spybot - S&D.
 
Adaware: http://www.lavasoftusa.com/software/adaware/
Spybot: http://security.kolla.de/
Stinger: http://vil.nai.com/vil/stinger/
LSPFix: http://www.cexx.org/lspfix.htm
 
First:
 
You should use Group Policy to enhance the environment settings, adding power to the available file operations. To do so:
 
1) Click Start, click Run, type "gpedit.msc"
 
2) Click Local Computer, click Finish, and then click Close to return to the Add/Remove Snap-in dialog box.
 
3) Click OK to return to the Console window.
 
4) Expand the Local Computer Policy object to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
 
5) Select the Security Options object in the Console pane to display the security policies in the Details pane.
 
6) In the Details pane, double-click the "Recovery Console: Allow Floppy Copy And Access To All Drives And Folders" policy.
 
7) Click Enabled, and then click OK.
 
8) Quit the MMC.
 
 
Now:
To run the Recovery Console from the Windows XP startup disks or the Windows XP CD-ROM, use the following steps:
 
1) Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
 
2) Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
 
3) When you're prompted to press F6 for mass storage devices - press F10 instead. This will automatically start the Recovery Console.
 
3.1) Alternatively, when the "Welcome to Setup" screen appears, press R to start the Recovery Console.
 
4) If you have a dual-boot or multiple-boot computer, choose the installation that you need to access from the Recovery Console.
 
5) When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.
 
Now:
Type:
set AllowAllPaths = TRUE
set AllowRemovableMedia = TRUE
For the prompt, change your path to windows\system32.
For example, if you are in "C:\", type: cd windows\system32
Make sure you are in your system32 folder.
Then type del rlrmvr.exe.
This will delete the file.
 
Remove XP CD and type exit to reboot your PC.
 
Physically unplug from the Internet (unplug modem cable, turn off ADSL modem, etc.)
Now boot into safe mode.
Run hijackthis, scan.
 
Fix these.

Quote:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c11.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
 
Do you have Window Blinds (sp?) installed? If NOT, fix this.
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

 
Now do a complete scan with Adaware, Spybot and Stinger. Run these all at the same time, so the pest cannot hide so well...

22 Posts
Joined 2004-11-16
OP
So far so good, except for the gpedit.msc: it won't work on my comp, says it can't find it... I got a lot of problems... it messed up my hardware... Device Manager picks up no hardware at all... I've run McAfee, Spy Doctor, Spybot, Adaware... I think I fixed the spyware, but my comp won't use sound anymore nor any other hardware... I need help with this problem...

1019 Posts
Joined 2004-12-21
Originally posted by CaptainCheerios:

Quote:so far so good except for the gpedit.msc it wont work on my comp says it cant find it
Then your OS is Windows XP Home... Home does not have all the features of Pro.
 

Quote:device manager picks up no hardware at all

Try this:
No Items Appear in the Device Manager List When You Open It
http://support.microsoft.com/default.aspx?scid=kb;en-us;311504
 

Quote:i think i fixed it the spyware

That is good.
 

694 Posts
Joined 2002-06-10
here is another way to remove a nasty spy program once u know what the program is (from xp or 2k):
 
deactivate simple file sharing
right click the nasty file properties/security tab/advanced
uncheck the "inherit from parent permissions" box
yes to the annoyance popup
apply
remove all users (including system) from the groups/users box
yes to the annoyance popup
reboot
 
the file is now unable to do anything
u can either leave it or re-take ownership and delete it
(because the system didn't have permission to load it, it won't load at boot)
 

22 Posts
Joined 2004-11-16
OP
I don't know what is with it... I don't know what it's doing... but it's running with a program called dcdp.exe which is located in my c:/documents and users/all users/startmenu/startup folder... and they don't show up when u look for them at all... Spybot, McAfee, Stinger, and Adaware don't detect them... I'm screwed... it's really getting annoying... but I fixed the other stuff, it was just that the thing turned off plug and play... if anyone can help please help me, I'm gonna try working on deleting it through safe mode... wait, HijackThis found it
Logfile of HijackThis v1.99.1
Scan saved at 3:02:34 PM, on 4/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\rlrmvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Mike\My Documents\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redvsblue.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlrmvr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Mike\My Documents\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106857067593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
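
Comparing the two HijackThis logs posted in this thread, as an added example that is not part of the original posts: the sketch below parses both scans, lists which coded entries changed, and looks up which Run-key entries point at a running image. The log excerpts are copied from the posts above and trimmed; the function names are this example's own, and only the registry Run form of O4 lines that appears in these logs is handled.

```python
import ntpath
import re

# Excerpts copied from the two HijackThis logs posted above (the 4/4/2005 and
# 4/5/2005 scans), trimmed to a few lines each to keep the example short.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rlrmvr.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O15 - Trusted Zone: *.morwillsearch.com
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rlrmvr.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlrmvr.exe
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""

ENTRY_RE = re.compile(r"^([FNOR]\d+) - (.*)$")                     # e.g. "O4 - ..."
RUN_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")  # Run-key form of O4


def parse_log(text):
    """Split a HijackThis log into its process list and its coded entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and line and not ENTRY_RE.match(line):
            processes.append(line)
            continue
        in_procs = False  # a blank line or the first coded entry ends the list
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def autoruns(log):
    """Return (key, value name, command) for each O4 registry Run entry."""
    matches = (RUN_RE.match(body) for code, body in log["entries"] if code == "O4")
    return [m.groups() for m in matches if m]


def persistence_for(log, image_path):
    """Run entries whose command mentions the image's file name (substring match)."""
    name = ntpath.basename(image_path).lower()
    return [e for e in autoruns(log) if name in e[2].lower()]


def diff_entries(before, after):
    """Coded entries that appear in only one of the two scans, in log order."""
    added = [e for e in after["entries"] if e not in before["entries"]]
    removed = [e for e in before["entries"] if e not in after["entries"]]
    return added, removed


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    print(diff_entries(before, after))
    print(persistence_for(after, r"C:\WINDOWS\system32\rlrmvr.exe"))
```

On these excerpts, rlrmvr.exe is a running process in both scans but only the second scan carries a Run entry (value name KavSvc) that launches it, so a process with no visible autostart entry in one scan is worth re-checking in a later one.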
 
 

22 Posts
Joined 2004-11-16
OP
Oh yeah, quick question: is there a way to force quit an app... cause I can't see the prog because it's being used right now... and it's being hidden in Task Manager... how can I kill the processes?

22 Posts
Joined 2004-11-16
OP
Yay, found the file, but I don't seem to have the little security setting... I'm using XP Home... I dunno... but if you know of a way to lock the file... like, shouldn't encrypting it do the trick... I mean then it shouldn't be able to be deleted, right, or anything... I mean, just a thought

22 Posts
Joined 2004-11-16
OP
OK THIS IS NOT RIGHT... NOW ONLY PREVIOUSLY VISITED PAGES WORK... I CAN'T GO TO ANY SITE OTHER THAN Red Vs Blue, Google, here, and zdnet... no other site works... I mean 40 sites can't be down... something's messed up on my comp

22 Posts
Joined 2004-11-16
OP
WTF IT'S USING MY GRAPHICS CARD WHAT THE HECK! OMG IT'S RUNNING WITH NTVDM WHICH IS PART OF NVIDIA'S DRIVERS

22 Posts
Joined 2004-11-16
OP
OK THIS IS NOT GONNA HELP AT ALL I DON'T KNOW WHAT TO DO IT KEEPS TRYING TO ACCESS THE FILE IF WHEN I RESTART IT IT DOESN'T HELP I'M SCREWED

22 Posts
Joined 2004-11-16
OP
Great... now that screwed up my network settings... I can't connect to the internet, I have to use another computer now to reply and I have no clue what's wrong... PLEASE HELP ANYONE...

22 Posts
Joined 2004-11-16
OP
I deleted code but it's still there. Deleted file. STILL THERE. Found out it's running with Nvidia. Uninstalled Nvidia software, STILL THERE. I'm gonna reinstall drivers; if it's still there I'm gonna be clueless
[Edited by CaptainCheerios on 2005-04-05 16:31:40]
 
[Edited by CaptainCheerios on 2005-04-05 16:41:28]
 

352 Posts
Joined 2003-03-28
If you can only go to certain sites, try checking out your hosts file....
 
c:\windows\system32\drivers\etc
 
There is a file called hosts
 
edit that file
 
It should only have something like this: (default)
 
C:\WINDOWS\system32\drivers\etc>type hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
 
127.0.0.1 localhost
 
Not sure if this was said before, but when you run and use Hijackthis, I recommend using it in safe mode.
 
Since you are using XP Home there is a known Microsoft tweak that allows XP Home to incorporate the security tab.

Go to: http://www.microsoft.com/ntserver/nts/downloads/recommended/scm/default.asp
 
and download
 
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/scesp4i.exe
 
Run this app. Yes, yes, it says NT 4.0. But this does work with XP Home. I can't remember if you need to reboot after this is done or not. Also, make sure that "Use simple file sharing" is not checked. There are multiple ways of checking this, but here is one. Click Start, Settings, Control Panel, and double-click Folder Options, select the View tab, then scroll down till you see "Use simple file sharing". Uncheck that. Hit OK, then follow Jerry Atrik's instructions (something I'll need to remember).
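
For the hosts-file check described in the post above, an added example that is not part of the original post: it reads hosts-file text and reports every mapping that is not the default `127.0.0.1 localhost` entry, separating names pinned to the local machine from names sent to another address. The sample file content and the `.example` host names are constructed for illustration.

```python
import ipaddress

# The only mapping in the default file shown in the post above.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample: the default entry plus made-up additions, for illustration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       www.site-a.example site-a.example   # constructed
203.0.113.7     search.site-b.example               # constructed
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Return (line number, kind, detail) for every non-default hosts entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, "malformed", " ".join(fields)))
            continue
        if len(fields) < 2:  # an address with no host name after it
            findings.append((lineno, "malformed", " ".join(fields)))
            continue
        for host in (h.lower() for h in fields[1:]):
            if (str(ip), host) in DEFAULT_ENTRIES:
                continue
            # A name pinned to loopback or 0.0.0.0 resolves to the local
            # machine, so the real site is unreachable; any other address
            # sends the name somewhere else.
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((lineno, kind, f"{host} -> {ip}"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```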
 

352 Posts
Joined 2003-03-28
One other note. Something that many may or may not realize. HiJackThis has a utility to delete files upon reboot. When you run HiJackThis, click the button "Open the Misc Tools section", next click on "Delete a file on reboot..."...navigate to the file you wish to delete. For example that file that is giving you some trouble. Click open, then select Yes (if you want to reboot then and there).
 
Hope this helps...

1019 Posts
Joined 2004-12-21
Originally posted by CaptainCheerios:

Quote:but its running with a program called dcdp.exe which is located in my c:/documents and users/all users/startmenu/startup folder
 
DHCP.exe ?
Then you got WORM_RBOT.AKW.
 
1) Disable System Restore.
 
Log on as Administrator.
Right-click the My Computer icon on the desktop and click Properties.
Click the System Restore tab.
Select Turn off System Restore.
Click Apply > Yes > OK.
Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Turn off System Restore.
 
2) Removing Autostart Entries from the Registry
 
Removing autostart entries from the registry prevents the malware from executing at startup.
 
Open Registry Editor.
Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
 
In the right panel, locate and delete the entry:
windows dhcp = "DHCP.EXE"
 
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices
 
In the right panel, locate and delete the entry:
windows dhcp = "DHCP.EXE"
 
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>OLE
 
In the right panel, locate and delete the entry:
windows dhcp = "DHCP.EXE"
 
Close Registry Editor.
 

22 Posts
Joined 2004-11-16
OP
It's called DCDP, not DHCP. I think I solved it. I started up in safe mode and deleted DCDP and it hasn't come back yet, but when I tried to delete rlrmvr.exe it came back every time I left the system32 folder, so I used the security tab download thing, which worked, and then disabled the use of rlrmvr and my computer hasn't cried. But I found the exe and renamed it, so that the computer does not run it. So, if my comp wants to run rlrmvr it won't, and then I will submit my copy of rlrmvr.exe that I renamed to McAfee so they can look at it, and hopefully get a solution for it.

1 Posts
Joined 2005-04-07
Could just try a clean install, backup your files then just reinstall.

22 Posts
Joined 2004-11-16
OP
I would but I don't have the time lately :-( I'm gonna do it once I get my laptop... but I can't buy it now because I'm not 18 until June and I can't take the funds out of my savings and put into my checking so I can buy it :-( but it's gonna be awesome though: a Sager 7620, 2 gigs RAM, 3.4GHz P4, ATI X800, 80 gig HD... I'm getting it for around 2300 hopefully