CaptainCHeerios 0 Posted April 5, 2005
I got this spyware or virus... its blocked my add remove hardware, disabled my sound... it runs in the background but hides from taskmanager... its called rlrmvr.exe when ever you start up taskmanager you see it for a split second then it disappears... its in my system32 folder but i cant see it in the folder, but when i search for it, it shows up there... never was there before... but i got sent to a fake link with loads of spyware i removed the spyware and now after i restarted my comp i got this problem PLEASE HELP... ive tried installing norton but its giving me an error... need help...
CaptainCHeerios 0 Posted April 5, 2005
Add onto previous post: Its modifying settings and everything... its working with dcdp.exe and it hides too... I have set all view file types set but its not there... NEED HELP... im installing mcafee right now... please if anyone has any ideas for help please tell me... The spyware actually is hiding... ive never had it happen like this before... you fix it in msconfig it says its right but 10 minutes later it changes it... you delete all the files do end process and everything i can think of... still not helping... HELP ME PLEASE
CaptainCHeerios 0 Posted April 5, 2005
oh yeah addin my hijackthis log... keep forgetting stuff

Logfile of HijackThis v1.99.1
Scan saved at 8:46:43 PM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rlrmvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Mike\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redvsblue.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c11.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106857067593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Wilhelmus 1 Posted April 5, 2005
This is for XP PROfessional.
Download Adaware, Spybot - Search and Destroy, Stinger and a program called LSPFix. Update Adaware and Spybot - S&D.
Adaware: http://www.lavasoftusa.com/software/adaware/
Spybot: http://security.kolla.de/
Stinger: http://vil.nai.com/vil/stinger/
LSPFix: http://www.cexx.org/lspfix.htm

First: You should use Group Policy to enhance the environment settings, adding power to the available file operations. To do so:
1) Click Start, click Run, type "gpedit.msc"
2) Click Local Computer, click Finish, and then click Close to return to the Add/Remove Snap-in dialog box.
3) Click OK to return to the Console window.
4) Expand the Local Computer Policy object to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
5) Select the Security Options object in the Console pane to display the security policies in the Details pane.
6) In the Details pane, double-click the "Recovery Console: Allow Floppy Copy And Access To All Drives And Folders" policy.
7) Click Enabled, and then click OK.
8) Quit the MMC.

Now: To run the Recovery Console from the Windows XP startup disks or the Windows XP CD-ROM, use the following steps:
1) Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
2) Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
3) When you're prompted to press F6 for mass storage devices - press F10 instead. This will automatically start the Recovery Console.
3.1) Alternatively, when the "Welcome to Setup" screen appears, press R to start the Recovery Console.
4) If you have a dual-boot or multiple-boot computer, choose the installation that you need to access from the Recovery Console.
5) When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.

Now: Type:
set AllowAllPaths = TRUE
set AllowRemovableMedia = TRUE
For the prompt, change your path to windows\system32. For example, if you are in "C:\", type:
cd windows\system32
Make sure you are in your system32 folder. Then type del rlrmvr.exe. This will delete the file.
Remove the XP CD and type exit to reboot your PC.
Physically unplug from the Internet (unplug modem cable, turn off ADSL modem, etc.)
Now boot into safe mode. Run hijackthis, scan. Fix these.
Quote:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c11.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
Do you have Window blinds (sp?) installed? If NOT, fix this.
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
Now do a complete scan with adaware, spybot and stinger. Run these all at the same time, so the pest cannot hide so well...
CaptainCHeerios 0 Posted April 5, 2005
so far so good except for the gpedit.msc it wont work on my comp says it cant find it... i got a lot of problems... it messed up my hardware... device manager picks up no hardware at all... ive run mcafee, spy doctor, spy bot, adaware... i think i fixed it the spyware, but my comp wont use sound anymore nor any other hardware... i need help with this problem...
Wilhelmus 1 Posted April 5, 2005
Originally posted by CaptainCheerios:
Quote: so far so good except for the gpedit.msc it wont work on my comp says it cant find it
Then your OS is Windows XP Home... Home does not have all features as Pro.
Quote: device manager picks up no hardware at all
Try this: No Items Appear in the Device Manager List When You Open It
http://support.microsoft.com/default.aspx?scid=kb;en-us;311504
Quote: i think i fixed it the spyware
That is good.
Jerry Atrik 0 Posted April 5, 2005
here is another way to remove a nasty spy program once u know what the program is (from xp or 2k):
deactivate simple file sharing
right click the nasty file
properties/security tab/advanced
uncheck the "inherit from parent permissions" box
yes to the annoyance popup
apply
remove all users (including system) from the groups/users box
yes to the annoyance popup
reboot
the file is now unable to do anything
u can either leave it or re-take ownership and delete it (because the system didnt have permission to load it it wont load at boot)
CaptainCHeerios 0 Posted April 5, 2005
I dont know what is with it... i dont know what its doing... but its running with a program called dcdp.exe which is located in my c:/documents and users/all users/startmenu/startup folder... and they don't show up when u look for them at all... spy bot mcafee stinger, and adaware dont detect them... im screwed... its really getting annoying... but i fixed the other stuff it was just that the thing turned off plug and play... if anyone can help please help me im gonna try working on deleting it through safe mode... wait hijackthis found it

Logfile of HijackThis v1.99.1
Scan saved at 3:02:34 PM, on 4/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\rlrmvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Mike\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redvsblue.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlrmvr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Mike\My Documents\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106857067593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F6BB9C4-48D2-4C25-BCD3-CBA6E1057C0B}: NameServer = 192.168.1.1
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
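
Added example, not part of any post in this thread: comparing the two HijackThis scans posted above shows which registry Run entries exist only in the later scan and whether their executable is also in that scan's process list. The sample text is a trimmed excerpt of the two logs; the function names are this example's own, and only the `O4 - HK..\..\Run` line shape seen in these logs is parsed.

```python
import ntpath
import re

# Trimmed excerpts of the two scans posted in this thread (4/4/2005 and 4/5/2005).
SCAN_1 = r"""
Running processes:
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rlrmvr.exe
C:\Documents and Settings\Mike\My Documents\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O15 - Trusted Zone: *.morwillsearch.com
"""
SCAN_2 = r"""
Running processes:
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rlrmvr.exe
C:\Documents and Settings\Mike\My Documents\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlrmvr.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Mike\My Documents\HijackThis.exe /startupscan
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                      # "O4 - ..."
RUN_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\\w+): \[([^\]]*)\] (.+)$")  # registry Run keys
EXE_RE = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)                 # image path in a command


def parse_log(text):
    """Return (process image names, {(section code, rest of line)}) for one scan."""
    processes, entries, in_procs = set(), set(), False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.add((m[1], m[2]))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.add(ntpath.basename(line).lower())
    return processes, entries


def diff_scans(before, after):
    """Return (added, removed) entries, compared case-insensitively."""
    old = {(c, b.casefold()): (c, b) for c, b in before[1]}
    new = {(c, b.casefold()): (c, b) for c, b in after[1]}
    return (sorted(new[k] for k in new.keys() - old.keys()),
            sorted(old[k] for k in old.keys() - new.keys()))


def new_autostarts(before, after):
    """(key, value name, image, running?) for Run entries only in the later scan."""
    found = []
    for code, body in diff_scans(before, after)[0]:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            exe = EXE_RE.match(m[3])
            image = ntpath.basename(exe[1] if exe else m[3]).lower()
            found.append((m[1], m[2], image, image in after[0]))
    return found


if __name__ == "__main__":
    for row in new_autostarts(parse_log(SCAN_1), parse_log(SCAN_2)):
        print(row)
```

On these excerpts the new entries are the user's own HijackThis startup scan and the `[KavSvc]` value that launches rlrmvr.exe.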
CaptainCHeerios 0 Posted April 5, 2005
oh yah quick question is there a way to force quit an app... cause i cant see the prog because its being used right now... and its being hidden in taskmanager... how can i kill the processes?
CaptainCHeerios 0 Posted April 5, 2005
yay found the file but i dont seem to have the little security setting... im using xp home... i dunno... but if you know of a way to lock the file... like shouldnt encrypting it do the trick... i mean then it shouldnt be able to be deleted right or anything... i mean just a thought
CaptainCHeerios 0 Posted April 5, 2005
OK THIS IS NOT RIGHT... NOW ONLY PREVIOUSLY VISITED PAGES WORK... I CANT GO TO ANY SITE OTHER THAN Red Vs Blue, Google, here, and zdnet... no other site works... i mean 40 sites cant be down... somethings messed up on my comp
CaptainCHeerios 0 Posted April 5, 2005
WTF ITS USING MY GRAPHICS CARD WHAT THE HECK! OMG ITS RUNNING WITH NTVDM WHICH IS PART OF NVIDIAS DRIVERS
CaptainCHeerios 0 Posted April 5, 2005
OK THIS IS NOT GONNA HELP AT ALL I DONT KNOW WHAT TO DO IT KEEPS TRYING TO ACCESS THE FILE IF WHEN I RESTART IT IT DOESNT HELP IM SCREWED
CaptainCHeerios 0 Posted April 5, 2005
great... now that screwed up my network settings... i can't connect to the internet i have to use another computer now to reply and i have no clue whats wrong... PLEASE HELP ANYONE...
CaptainCHeerios 0 Posted April 5, 2005
I deleted code but its still there. Deleted file. STILL THERE. Found out its running with nvidia. uninstalled nvidia software STILL THERE. Im gonna reinstall drivers if its still there im gonna be clueless
[Edited by CaptainCheerios on 2005-04-05 16:31:40]
[Edited by CaptainCheerios on 2005-04-05 16:41:28]
theefool 0 Posted April 5, 2005
If you can only go to certain sites, try checking out your hosts file...
c:\windows\system32\drivers\etc
There is a file called hosts; edit that file. It should only have something like this: (default)

C:\WINDOWS\system32\drivers\etc>type hosts
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Not sure if this was said before, but when you run and use Hijackthis, I recommend using it in safe mode.
Since you are using XP Home there is a known Microsoft tweak that allows XP Home to incorporate the security tab.
Go to: http://www.microsoft.com/ntserver/nts/downloads/recommended/scm/default.asp
and download ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/scesp4i.exe
Run this app. Yes, yes, it says NT 4.0. But this does work with XP home. I can't remember if you need to reboot after this is done or not.
Also, make sure that "Use simple file sharing" is not checked. There are multiple ways of checking this, but here is one. Click start, settings, Control Panel, and double click folder options, select the View tab, then scroll down till you see "Use Simple file sharing". Uncheck that. Hit okay, then follow Jerry Atrik's instructions (something I'll need to remember).
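
Added example, not part of the post above: one way to check a hosts file against the default shown there is to list every active (uncommented) mapping other than the loopback `localhost` line. The three extra entries in the sample are constructed, with hypothetical host names and a documentation-range address, and the function name is this example's own.

```python
import ipaddress

# Tail of the default file quoted in the post, followed by three constructed
# lines (hypothetical names, documentation-range address).
SAMPLE_HOSTS = """\
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1       update.vendor.example           # constructed
203.0.113.10    www.search.example search.example
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Return (line_no, kind, detail) for every active line that is not the
    default loopback 'localhost' mapping. kind is 'blocked' (name pinned to a
    loopback or 0.0.0.0 address), 'redirected' (name pinned to any other
    address) or 'malformed'."""
    findings = []
    for n, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue  # blank or comment-only line, e.g. the commented examples
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((n, "malformed", raw.strip()))
            continue
        if len(fields) == 1:
            findings.append((n, "malformed", raw.strip()))  # address with no name
            continue
        for name in fields[1:]:  # one line may map several names
            if ip.is_loopback and name.lower() == "localhost":
                continue
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((n, kind, f"{name.lower()} -> {ip}"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```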
theefool 0 Posted April 5, 2005
One other note. Something that many may or may not realize. HiJackThis has a utility to delete files upon reboot. When you run HiJackThis, click the button "Open the Misc Tools section", next click on "Delete a file on reboot..."...navigate to the file you wish to delete. For example that file that is giving you some trouble. Click open, then select Yes (if you want to reboot then and there). Hope this helps...
Wilhelmus 1 Posted April 6, 2005
Originally posted by CaptainCheerios:
Quote: but its running with a program called dcdp.exe which is located in my c:/documents and users/all users/startmenu/startup folder
DHCP.exe ? Then you got WORM_RBOT.AKW.

1) Disable System Restore.
Log on as Administrator.
Right-click the My Computer icon on the desktop and click Properties.
Click the System Restore tab.
Select Turn off System Restore.
Click Apply > Yes > OK.
Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Turn off System Restore.

2) Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft> Windows>CurrentVersion>Run
In the right panel, locate and delete the entry: windows dhcp = "DHCP.EXE"
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft> Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry: windows dhcp = "DHCP.EXE"
In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>OLE
In the right panel, locate and delete the entry: windows dhcp = "DHCP.EXE"
Close Registry Editor.
CaptainCHeerios 0 Posted April 6, 2005
its called DCDP not DHCP. i think i solved it. I started up in safe mode and deleted DCDP and it hasn't come back yet, but when I tried to delete rlrmvr.exe it came back every time i left the system32 folder, so i used the security tab download thing, which worked, and then disabled the use of rlrmvr and my computer hasnt cried. But i found the exe and renamed it, so that the computer does not run it. so, if my comp wants to run rlrmvr it wont, and then i will submit my copy of rlrmvr.exe that i renamed to mcafee so they can look at it, and hopefully get a solution for it.
greyghostx 0 Posted April 6, 2005
Could just try a clean install, backup your files then just reinstall.
CaptainCHeerios 0 Posted April 7, 2005
i would but i dont have the time lately :-( im gonna do it once i get my laptop... but i cant buy it now because im not 18 until june and i cant take the funds out of my savings and put into my checking so i can buy it :-( but its gonna be awesome though a sager 7620, 2gigs ram 3.4ghz p4, ati x800, 80gig hd... im getting it for around 2300 hopefully