Win32: Trojan-gen. {Other}?

I'm not 100% sure Ruzhyo, but I think using the VX2 Cleaner add-on that Lavasoft provides could help out. You can get info on it and download it here

Also, your log looks suspicious, but I'm no expert on the HijackThis logs, so I'll leave it to Eddy.

–lee

You haven’t fixed the things I told you.

eg:
c:\windows\rundll32.exe is a harmful process.

Your IE is out of date and most likely you also don’t have ALL security patches/updates installed.

I also see no software firewall. Do you have a hardware one?

Sorry, I fell asleep, XD. No, I do not have a firewall. I never bothered to use one since I heard they kill your ISP speed. I'll download the patch thing and kill Rundll.

Well, I saw the On Access came up and I saw the Trojan-gen thing again, and like 7 other things (I clicked on Windows Media Player). And my comp like overloads with pop-ups and like just freezes. I'm over at a friend's house atm (he lives half a mile away) and he's the closest friend with an ISP and a computer. I think it would be easier for me to do a complete system restore to factory state and update everything at this point. I'll try and scan everything offline once more, and come back and check if I get any replies.

I do not have a firewall. I never bothered to use one since I heard they kill your ISP speed.

If you configure the firewall properly you should be fine. Also, wouldn't you rather have a slightly slower connection than lose your PC totally to some hacker?

And my comp like overloads with pop-ups and like just freezes
The pop-ups seem to be nasty spyware to me.

Also "C:\WINDOWS\RUNDLL32.EXE" doesn't seem to be coming from the system32 folder as it should; as Eddy said, remove it using HijackThis.

And these look bad to me (the O14 is OK if it's your ISP homepage):
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home

But what is really necessary is to update your Windows ME via Windows Update.

–lee
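A small reviewer-side check for the kind of HijackThis entries lee points at above, added here as an example and not code from the thread or from HijackThis itself. It parses log lines in the v1.98 layout and flags launch points whose target is "(file missing)", an O14 reset start page whose host is not on the ISP allowlist, and a watched system binary running from a folder other than the one expected for it. The expected-directory map (which depends on the Windows version) and the ISP host allowlist are assumptions the reviewer supplies; the sample log is constructed from entries quoted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 layout, built from entries quoted in the thread.
SAMPLE_LOG = """Running processes:
C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE
C:\\WINDOWS\\RUNDLL32.EXE

O4 - HKLM..\\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
"""

# Assumption: folder each watched system binary is expected to run from.
# This depends on the Windows version; the thread's advice for rundll32.exe is used here.
EXPECTED_DIRS = {"rundll32.exe": {r"c:\windows\system32"}}
# Assumption: hosts the owner's ISP legitimately sets as the IE reset start page.
ISP_HOSTS = {"cgi.verizon.net"}

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")


def review_hjt_log(text, expected_dirs=EXPECTED_DIRS, isp_hosts=ISP_HOSTS):
    """Return a list of (tag, line) findings for a HijackThis log body."""
    findings = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_procs = False  # the first R/O entry ends the process list
            kind, body = entry.groups()
            if "(file missing)" in body.lower():
                # A launch point whose target is gone is a leftover or a bogus entry
                findings.append(("FILE_MISSING", line))
            if kind == "O14":
                host = urlparse(body.split("=", 1)[1]).hostname
                if host not in isp_hosts:
                    findings.append(("O14_NOT_ISP", line))
            continue
        if in_procs:
            directory, _, name = line.lower().rpartition("\\")
            expected = expected_dirs.get(name)
            if expected is not None and directory not in expected:
                # A watched system binary running from an unexpected folder
                findings.append(("PROCESS_PATH", line))
    return findings


if __name__ == "__main__":
    for tag, line in review_hjt_log(SAMPLE_LOG):
        print(tag, line)
```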

I completely restored the computer to factory state, updated using Windows Update, and reinstalled Avast, Ad-aware, etc.

When I opened up Windows Media Player, Avast picked up a virus called "Trojana" or something to that name, and I got a pop-up that I had received before (like an error/confirm thing; I had to restart from it before) stating something about a weather bug, and any website I tried to go to redirected me to adult material. And I also got a pop-up every 5 seconds or so. It got to the point where the computer lagged and eventually froze.

I'll just post my HijackThis log in a little bit; atm I'm just checking the forums while I wait for a party on my game.

(Please excuse the mass typos, I'm typing fast on no sleep, xD)

Restoring to factory state normally means you don't have all security patches installed, no firewall etc. That means you go online unprotected, and that is how you got infected again.

After a clean installation always install a firewall and av software before going online. Then get ALL security patches/updates.

Know a good free firewall?

ZoneAlarm and Kerio are the ones most used.

I got ZoneAlarm going, here's the current HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 8:45:39 AM, on 10/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\VERIZON ONLINE\BIN\MPBTN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.0&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tibia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM..\Run: [Tour] C:\WINDOWS\wincool.exe /30m
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM..\RunServices: [Yahoo HP Reminder 1.0] C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE
O4 - HKLM..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU..\Run: [MoneyAgent] “C:\Program Files\Microsoft Money\System\Money Express.exe”
O4 - HKCU..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

Plz give me a complete list of what to get rid of; thanks for all your help, XD.

EDIT

I got a program trying to access the internet called "Motive Chorus Daemon" (MAD.EXE); can you tell me if I should allow it? xD.

Remove rundll.exe from the \windows\ folder and remove the entire \program files\backweb\ folder.

The 1st one is a virus, the second one is spyware.

I deleted Rundll32.exe also. When I choose "Customize my desktop" it says:

Windows cannot find C:\WINDOWS\rundll32.exe. You may have typed the name incorrectly in the Run dialog, or another open program cannot find a system file; click the Start button, and then click Search.

I know I deleted it; is there any way I can replace it? xD. Sorry for all the trouble.

Extract rundll32.exe from the Windows CD.

Start > Run > msconfig > General tab > Extract File
In the "Restore from" box, browse to your Windows ME CD.

Thanks, I finally got it working, lol. I selected the wrong thing to extract from. It already had the "Extract from" destination set up, so if I had just hit "OK" the first time I would have gotten it right away. I tried selecting the M:\ but it wouldn't work.

THANK YOU FOR EVERYTHING!!!

No problem :wink:

I have this virus on my computer. The only thing that I could do was to move the infected files to the chest.
The files are: bi(2).dll; bi(3).dll; bridge.dll; and imscan.dll

I don’t know if I can simply delete these files. Please help.
Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 1:27:37 PM, on 10/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\The Weather Channel\The Weather Channel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LimeWire\LimeWire 4.1.5\LimeWire.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\wisptis.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Documents and Settings\Patricia Ribeiro.RIVER-WQ64QVEHY\Desktop\hijackthis_198\HijackThis.exe

There is more, but it doesn't fit here.