-
July 27th, 2006, 08:06 PM
#1
Downloader Virus Removal Help
Hi,
I hope someone can help me. My Norton won't let me delete the virus file < c:\windows\system32\rqrrpmn.dll > Norton deleted all the other files related to this (I did update the virus scan before running it), but not this one. I have tried the MoveOnBoot, but it won't move the file.
Thanks.
TwinsMom
This is too long for one post, so I'll include the reminder in the next.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 7.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9 ZA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\{3C082710-0A34-1033-0801-030309160001}\Update.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Extreme Messenger\ExtremeMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\TClock\TClock.exe
C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Southwest\Ding\Ding.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\Debbie\Local Settings\Temp\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqrrpmn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Task Manager] MSTask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
-
July 27th, 2006, 08:07 PM
#2
continued...
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 7.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON PictureMate 2005] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9 ZA.EXE /P22 "EPSON PictureMate 2005" /O6 "USB003" /M "PictureMate 2005"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Task Manager] MSTask.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: DING!.lnk = D:\Program Files\Southwest\Ding\Ding.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Registration Dogz 5 - Catz 5 Compilation Jewelcase.LNK = H:\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: ELSBLaunch.lnk = C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/098537d5...p/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...lInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O20 - Winlogon Notify: rqrrpmn - C:\WINDOWS\SYSTEM32\rqrrpmn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winezl32 - C:\WINDOWS\SYSTEM32\winezl32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
July 27th, 2006, 09:01 PM
#3
try rebooting in safe mode (tap the f8 key at power on until you see a menu) choose safe mode, then when you get in to windows, navigate to the folder and delete it manually.......
"give a man a fish, and he will eat a meal, teach a man to fish...."
-
July 28th, 2006, 12:56 AM
#4
Thanks, Ahcoraj, but the system won't allow it. It won't allow me to delete the file because it's attached to System32 which is running to access the file. The system reports that the file is currently running and must be quit before the file is can be deleted. Hence, I have tried to delete it using the MoveOnBoot and Killbox, which say that they will delete the file on restart, but have not.
TwinsMom
-
July 28th, 2006, 01:22 AM
#5
Registered User
Originally Posted by TwinsMom
Thanks, Ahcoraj, but the system won't allow it. It won't allow me to delete the file because it's attached to System32 which is running to access the file. The system reports that the file is currently running and must be quit before the file is can be deleted. Hence, I have tried to delete it using the MoveOnBoot and Killbox, which say that they will delete the file on restart, but have not.
TwinsMom
Just to confirm, you definitely booted into safe mode as Ahcoraj suggested and it still wouldn't let you delete it?
Can you tell us which virus Norton identifies it as?
emr
-
July 28th, 2006, 06:30 AM
#6
have you tried manually unregistering the dll while in safe mode? When i get one that stubborn i usually remove the hard drive, put it in my USB enclosure on another computer and go delete the file, or just grab my important data an reformat/reload....
"give a man a fish, and he will eat a meal, teach a man to fish...."
-
July 28th, 2006, 02:05 PM
#7
Last edited by CCT; July 28th, 2006 at 06:42 PM.
-
July 28th, 2006, 06:39 PM
#8
Originally Posted by emr
Just to confirm, you definitely booted into safe mode as Ahcoraj suggested and it still wouldn't let you delete it?
Can you tell us which virus Norton identifies it as?
emr
Correct. It wouldn't let me delete it. I locate it in Windows Explorer and after I delete it it says: "Error Deleting: Cannot delete rqrrpmn: It is being used by another person or program. Close any programs that might be using the file and try again." So I use "Ctrl_Alt_Delete" and close the only file running, which is system32 and once that's closed I can no longer access the file to delete it.
Symantec says the Virus is:
Downloader
Updated: June 20, 2006
Type: Trojan Horse
Note: Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan
Symantec's instructions for removal are as follows, which I have done, but have been unsuccessful in deleting this last file.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
4. Run a full system scan and delete all the files detected as Downloader.
5. Clear Internet Explorer History and files, if needed.
To Delete all files detected as Downloader:
If any files are detected as infected with Downloader, click Delete. If your Symantec antivirus program detects any infected files that it cannot delete, record the location of the file and the file name. Then do one of the following:
* If the file is in a location other than the Temporary Internet Files folder, restart the computer in Safe mode a second time. Then use Windows Explorer, browse to and delete that particular file. Once this is done, restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."
* If the file is in the Temporary Internet Files folder, write down the entire path and file name. Then go on to section 5.
5. Clearing the Temporary Internet Files folder
1. Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document "How to start the computer in Safe Mode."
2. Log onto the computer using the name that was shown in the path that you wrote down in step 4c.
For example, if the path was:
C:\Documents and Settings\Linda\Local Settings\Temporary Internet Files\qrwmqczd.dll
log on to the computer as Linda.
3. Start Internet Explorer.
4. Click the Tools menu > Internet Options.
5. In the Temporary Internet Files section, click the Delete Files button.
6. Check "Delete all offline content," and then click OK.
-
July 28th, 2006, 06:40 PM
#9
Originally Posted by Ahcoraj
have you tried manually unregistering the dll while in safe mode? When i get one that stubborn i usually remove the hard drive, put it in my USB enclosure on another computer and go delete the file, or just grab my important data an reformat/reload....
I am unfamiliar with "manually unregistering the dll" and do not have another computer that I can put the hard drive into.
-
July 28th, 2006, 06:56 PM
#10
here's a MS KB article that explain it http://support.microsoft.com/default...b;EN-US;249873 but basically at a command prompt in safe mode, type regsvr32 -u rqrrpmn.dll It should tell you something like DLL successfully unloaded. Make sure to have the file up in an explorer window as you do this so you can switch to it and rt cllik and delete it as fast as possible. ive seen some have another process running that looks and sees that it's unloaded and loads it again in about 10 secs or so..... I still recommend a reload but good luck, i hope this works.....
"give a man a fish, and he will eat a meal, teach a man to fish...."
-
July 28th, 2006, 07:01 PM
#11
Originally Posted by CCT
gl
Looks like you edited your reply, but I just tried (to no avail) to remove the virus using HijackThis. I used HijackThis to scan without log, then I went into config and then to Misc Tools and chose "Delete a file on Reboot", browsed for the file, selected it and restarted, but it restarts with the virus still in place.
I asked HijackThis to generate a Startuplist Log and it has the virus in this section:
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\system32\rqrrpmn.dll - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
-
July 28th, 2006, 08:24 PM
#12
This is one of those times a Bart PE CD comes in useful. If you follow the instructions in the link, or get some else to make one for you, use one of its file manager tools to delete the offending file.
I think I know just enough to know how much I don't know... I think...
-
July 28th, 2006, 10:43 PM
#13
Great idea jeff, heres a link to the howto on my favorite PE cd http://www.ubcd4win.com/howto.htm Twinsmom, Did you try the regsrv32 that i suggested, or do you need more info?
"give a man a fish, and he will eat a meal, teach a man to fish...."
-
July 29th, 2006, 03:14 AM
#14
Originally Posted by Ahcoraj
here's a MS KB article that explain it http://support.microsoft.com/default...b;EN-US;249873 but basically at a command prompt in safe mode, type regsvr32 -u rqrrpmn.dll It should tell you something like DLL successfully unloaded. Make sure to have the file up in an explorer window as you do this so you can switch to it and rt cllik and delete it as fast as possible. ive seen some have another process running that looks and sees that it's unloaded and loads it again in about 10 secs or so..... I still recommend a reload but good luck, i hope this works.....
What 'command prompt' do I look for in safe mode?
-
July 29th, 2006, 03:15 AM
#15
Originally Posted by Jeff the Brit
This is one of those times a Bart PE CD comes in useful. If you follow the instructions in the link, or get some else to make one for you, use one of its file manager tools to delete the offending file.
I will look into this tomorrow. Thanks for your suggestions and help.
Similar Threads
-
By xacebop in forum Spyware & Antivirus - Security
Replies: 21
Last Post: April 8th, 2008, 04:45 PM
-
By ashsly843 in forum Spyware & Antivirus - Security
Replies: 15
Last Post: August 9th, 2006, 02:06 PM
-
By jjacmom in forum Spyware & Antivirus - Security
Replies: 3
Last Post: July 26th, 2006, 04:43 PM
-
By SavagePenguin in forum Tech-To-Tech
Replies: 14
Last Post: July 21st, 2001, 07:57 PM
-
By Danrak in forum Tech-To-Tech
Replies: 21
Last Post: May 12th, 2000, 07:18 AM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Bookmarks