Downloader Virus Removal Help

Thread: Downloader Virus Removal Help

  1. #1
    Registered User
    Join Date
    Jul 2006
    Posts
    14

    Downloader Virus Removal Help

    Hi,

    I hope someone can help me. My Norton won't let me delete the virus file < c:\windows\system32\rqrrpmn.dll >. Norton deleted all the other files related to this (I did update the virus scan before running it), but not this one. I have tried MoveOnBoot, but it won't move the file.

    Thanks.
    TwinsMom

    This is too long for one post, so I'll include the remainder in the next.

    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\G-VGA.exe
    C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
    C:\Program Files\Icons\Seticon.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 7.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9 ZA.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\{3C082710-0A34-1033-0801-030309160001}\Update.exe
    C:\PROGRA~1\SecCopy\SecCopy.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Extreme Messenger\ExtremeMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\TClock\TClock.exe
    C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
    C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\Southwest\Ding\Ding.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Documents and Settings\Debbie\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqrrpmn.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
    O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Task Manager] MSTask.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

  2. #2
    Registered User
    Join Date
    Jul 2006
    Posts
    14
    continued...

    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 7.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [EPSON PictureMate 2005] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9 ZA.EXE /P22 "EPSON PictureMate 2005" /O6 "USB003" /M "PictureMate 2005"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Task Manager] MSTask.exe
    O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
    O4 - Startup: DING!.lnk = D:\Program Files\Southwest\Ding\Ding.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Registration Dogz 5 - Catz 5 Compilation Jewelcase.LNK = H:\RegistrationReminder.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
    O4 - Global Startup: ELSBLaunch.lnk = C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
    O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/098537d5...p/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...lInstaller.exe
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
    O20 - Winlogon Notify: rqrrpmn - C:\WINDOWS\SYSTEM32\rqrrpmn.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winezl32 - C:\WINDOWS\SYSTEM32\winezl32.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
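
A cross-check of the HijackThis log in the two posts above, added here as an example and not part of any poster's reply: the Python below parses a few lines copied from that log and reports any DLL registered both under Winlogon Notify (O20) and at another load point such as a BHO (O2). A Winlogon Notify DLL is loaded by winlogon.exe, which is why Explorer reports such a file as in use. The function names are made up for this example.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted above (a subset, for the example).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqrrpmn.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O20 - Winlogon Notify: rqrrpmn - C:\WINDOWS\SYSTEM32\rqrrpmn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winezl32 - C:\WINDOWS\SYSTEM32\winezl32.dll
"""

PATH_START = re.compile(r"^[A-Za-z]:\\")


def parse_entries(log_text):
    """Return (section, description, normalised_path) for 'name - path' style lines.

    Only entries whose last ' - ' separated field is a drive-letter path are
    kept (the O2, O3, O20 and O23 shape); O4 lines with arguments are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        head, sep, rest = raw.strip().partition(" - ")
        if not sep or not re.fullmatch(r"[OR]\d+", head):
            continue
        desc, sep, target = rest.rpartition(" - ")
        if not sep or not PATH_START.match(target):
            continue
        # The log mixes system32 / System32 / SYSTEM32, so compare the way
        # Windows does: case-insensitively, on a normalised path.
        key = ntpath.normcase(ntpath.normpath(target))
        entries.append((head, desc, key))
    return entries


def load_points(entries):
    """Map each file to the sorted list of HijackThis sections that reference it."""
    by_path = defaultdict(set)
    for section, _desc, path in entries:
        by_path[path].add(section)
    return {path: sorted(sections) for path, sections in by_path.items()}


def shared_with_winlogon(entries):
    """Files referenced by O20 (Winlogon Notify) and by at least one other section."""
    return {
        path: sections
        for path, sections in load_points(entries).items()
        if "O20" in sections and len(sections) > 1
    }


if __name__ == "__main__":
    for path, sections in shared_with_winlogon(parse_entries(SAMPLE_LOG)).items():
        print(f"{path}: registered under {', '.join(sections)}")
```

Every registration reported for a file has to be removed along with the file itself, otherwise the remaining entry keeps pointing at it.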

  3. #3
    Registered User
    Join Date
    Dec 2000
    Location
    Atlanta Ga USA
    Posts
    507
    Try rebooting in safe mode (tap the F8 key at power on until you see a menu), choose safe mode, then when you get into Windows, navigate to the folder and delete it manually...
    "give a man a fish, and he will eat a meal, teach a man to fish...."

  4. #4
    Registered User
    Join Date
    Jul 2006
    Posts
    14
    Thanks, Ahcoraj, but the system won't allow it. It won't allow me to delete the file because it's attached to System32 which is running to access the file. The system reports that the file is currently running and must be quit before the file can be deleted. Hence, I have tried to delete it using MoveOnBoot and Killbox, which say that they will delete the file on restart, but have not.
    TwinsMom

  5. #5
    Registered User emr's Avatar
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    1,312
    Quote Originally Posted by TwinsMom
    Thanks, Ahcoraj, but the system won't allow it. It won't allow me to delete the file because it's attached to System32 which is running to access the file. The system reports that the file is currently running and must be quit before the file can be deleted. Hence, I have tried to delete it using MoveOnBoot and Killbox, which say that they will delete the file on restart, but have not.
    TwinsMom
    Just to confirm, you definitely booted into safe mode as Ahcoraj suggested and it still wouldn't let you delete it?

    Can you tell us which virus Norton identifies it as?

    emr

  6. #6
    Registered User
    Join Date
    Dec 2000
    Location
    Atlanta Ga USA
    Posts
    507
    Have you tried manually unregistering the DLL while in safe mode? When I get one that stubborn I usually remove the hard drive, put it in my USB enclosure on another computer and go delete the file, or just grab my important data and reformat/reload...
    "give a man a fish, and he will eat a meal, teach a man to fish...."

  7. #7
    Registered User
    Join Date
    Feb 2006
    Location
    Canada, Eh!
    Posts
    4,091
    gl
    Last edited by CCT; July 28th, 2006 at 06:42 PM.

  8. #8
    Registered User
    Join Date
    Jul 2006
    Posts
    14
    Quote Originally Posted by emr
    Just to confirm, you definitely booted into safe mode as Ahcoraj suggested and it still wouldn't let you delete it?

    Can you tell us which virus Norton identifies it as?

    emr
    Correct. It wouldn't let me delete it. I locate it in Windows Explorer and after I delete it it says: "Error Deleting: Cannot delete rqrrpmn: It is being used by another person or program. Close any programs that might be using the file and try again." So I use "Ctrl_Alt_Delete" and close the only file running, which is system32 and once that's closed I can no longer access the file to delete it.

    Symantec says the Virus is:
    Downloader
    Updated: June 20, 2006
    Type: Trojan Horse
    Note: Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan

    Symantec's instructions for removal are as follows, which I have done, but have been unsuccessful in deleting this last file.

    1. Disable System Restore (Windows Me/XP).
    2. Update the virus definitions.
    3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
    4. Run a full system scan and delete all the files detected as Downloader.
    5. Clear Internet Explorer History and files, if needed.

    To Delete all files detected as Downloader:

    If any files are detected as infected with Downloader, click Delete. If your Symantec antivirus program detects any infected files that it cannot delete, record the location of the file and the file name. Then do one of the following:
    * If the file is in a location other than the Temporary Internet Files folder, restart the computer in Safe mode a second time. Then use Windows Explorer, browse to and delete that particular file. Once this is done, restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."
    * If the file is in the Temporary Internet Files folder, write down the entire path and file name. Then go on to section 5.

    5. Clearing the Temporary Internet Files folder
    1. Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document "How to start the computer in Safe Mode."
    2. Log onto the computer using the name that was shown in the path that you wrote down in step 4c.
    For example, if the path was:
    C:\Documents and Settings\Linda\Local Settings\Temporary Internet Files\qrwmqczd.dll
    log on to the computer as Linda.
    3. Start Internet Explorer.
    4. Click the Tools menu > Internet Options.
    5. In the Temporary Internet Files section, click the Delete Files button.
    6. Check "Delete all offline content," and then click OK.

  9. #9
    Registered User
    Join Date
    Jul 2006
    Posts
    14
    Quote Originally Posted by Ahcoraj
    Have you tried manually unregistering the DLL while in safe mode? When I get one that stubborn I usually remove the hard drive, put it in my USB enclosure on another computer and go delete the file, or just grab my important data and reformat/reload...
    I am unfamiliar with "manually unregistering the dll" and do not have another computer that I can put the hard drive into.

  10. #10
    Registered User
    Join Date
    Dec 2000
    Location
    Atlanta Ga USA
    Posts
    507
    Here's an MS KB article that explains it: http://support.microsoft.com/default...b;EN-US;249873 but basically, at a command prompt in safe mode, type regsvr32 -u rqrrpmn.dll. It should tell you something like "DLL successfully unloaded". Make sure to have the file up in an Explorer window as you do this so you can switch to it and right-click and delete it as fast as possible. I've seen some have another process running that looks and sees that it's unloaded and loads it again in about 10 secs or so... I still recommend a reload, but good luck, I hope this works...
    "give a man a fish, and he will eat a meal, teach a man to fish...."

  11. #11
    Registered User
    Join Date
    Jul 2006
    Posts
    14
    Quote Originally Posted by CCT
    gl
    Looks like you edited your reply, but I just tried (to no avail) to remove the virus using HijackThis. I used HijackThis to scan without log, then I went into config and then to Misc Tools and chose "Delete a file on Reboot", browsed for the file, selected it and restarted, but it restarts with the virus still in place.

    I asked HijackThis to generate a Startuplist Log and it has the virus in this section:
    Enumerating Browser Helper Objects:
    (no name) - C:\WINDOWS\system32\rqrrpmn.dll - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

  12. #12
    Registered User
    Join Date
    Aug 2000
    Location
    Saltburn, Cleveland, United Kingdom
    Posts
    632
    This is one of those times a Bart PE CD comes in useful. If you follow the instructions in the link, or get someone else to make one for you, use one of its file manager tools to delete the offending file.
    I think I know just enough to know how much I don't know... I think...

  13. #13
    Registered User
    Join Date
    Dec 2000
    Location
    Atlanta Ga USA
    Posts
    507
    Great idea Jeff, here's a link to the howto on my favorite PE CD: http://www.ubcd4win.com/howto.htm Twinsmom, did you try the regsvr32 that I suggested, or do you need more info?
    "give a man a fish, and he will eat a meal, teach a man to fish...."

  14. #14
    Registered User
    Join Date
    Jul 2006
    Posts
    14
    Quote Originally Posted by Ahcoraj
    Here's an MS KB article that explains it: http://support.microsoft.com/default...b;EN-US;249873 but basically, at a command prompt in safe mode, type regsvr32 -u rqrrpmn.dll. It should tell you something like "DLL successfully unloaded". Make sure to have the file up in an Explorer window as you do this so you can switch to it and right-click and delete it as fast as possible. I've seen some have another process running that looks and sees that it's unloaded and loads it again in about 10 secs or so... I still recommend a reload, but good luck, I hope this works...
    What 'command prompt' do I look for in safe mode?

  15. #15
    Registered User
    Join Date
    Jul 2006
    Posts
    14
    Quote Originally Posted by Jeff the Brit
    This is one of those times a Bart PE CD comes in useful. If you follow the instructions in the link, or get someone else to make one for you, use one of its file manager tools to delete the offending file.
    I will look into this tomorrow. Thanks for your suggestions and help.
