HIJACKTHIS LOG as requested (Pls Help!)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by iceonfire, Sep 23, 2004.

  1. iceonfire

    iceonfire Private E-2

    Here's my HijackThis log text file...I would appreciate someone pointing out which of the entries are rogues or unnecessary.

    Also has anyone had their browser "hijacked" to www.Rev0lt.net or Loveearth.net?

    Thanks again guyz!

    IoF
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have guidelines about posting HJT logs that must be followed.

    Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    NOTE: You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message.

    Update! Due to Hijack This logs destroying search engine and web site searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    He simply posted it in a new thread, rather than a response. I asked him to post one. I'm working on it, I see some problems immediately.
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Yours is tricky, things I am unsure of are noted for you to decide. Have a backup of Hijack This then there is room for error. I may call in Chaslang for backup here, yours makes me nervous, maybe I can learn something here too.

    C:\WINDOWS\System32\crsrs.exe
    C:\WINDOWS\System32\MSNMSGR5.exe
    C:\index.exe

    This, if you don't recognize it:
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com

    O4 - HKLM\..\Run: [System Startup] kimochi.exe
    O4 - HKLM\..\Run: [Auto updat] crsrs.exe

    I suspect this one: (watch out it returns twice below)
    O4 - HKLM\..\Run: [Win32 NVIDIA Driver] MSPMSPSU.EXE


    O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
    O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
    O4 - HKLM\..\RunServices: [System Startup] kimochi.exe
    O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
    O4 - HKLM\..\RunServices: [Win32 NVIDIA Driver] MSPMSPSU.EXE
    O4 - HKLM\..\RunServices: [MSNMSGR5] MSNMSGR5.exe
    O4 - HKLM\..\RunOnce: [Auto updat] crsrs.exe
    O4 - HKCU\..\Run: [Auto updat] crsrs.exe
    O4 - HKCU\..\Run: [System Startup] kimochi.exe
    O4 - HKCU\..\Run: [Win32 NVIDIA Driver] MSPMSPSU.EXE
    O4 - HKCU\..\RunOnce: [Auto updat] crsrs.exe
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I have asked Chaslang to double check this to see if he recognizes anything I don't, as there are some questionable items in here and I want to be sure. Wait for him to double check please.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The O1 - Hosts: 64.91.255.87 www.dcsresearch.com line is actually okay. It is for www.diamondcs.com.au. However I don't see why it needs to be in the hosts file. So it could be fixed anyway.

    All of the other items I agree should be fixed and the files themselves should be found and deleted. Most of them are probably in c:\windows\system32.

    Before fixing those lines with HJT you should shut down these processes using Task Manager (CTRL-ALT-DEL):
    crsrs.exe
    MSNMSGR5.exe
    index.exe

    Also add the below to the list to fix:
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=fbb3f25d3387cad660509216e3ae69adf8c98aef0313a3600255121a1b544a04f68a5dfebee786dd53e373022a7b0f4966920e3a19d4b5c9ddb7b0a1e2aa4d99:18d9855a145f802cd2a921ef7de749b0
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

    MA, The google stuff is okay as far as I have seen.
     
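As an added example (not code from this thread, from HijackThis, or from the MajorGeeks staff), the following Python script parses log lines in the formats quoted above and produces the cross-reference the two replies work through by hand: which executables are registered under which autorun keys, which of those are also running (and so need to be ended in Task Manager before their O4 lines are fixed), and where each O16 DPF control is downloaded from. The sample log is constructed from the entries quoted in this thread, with the long windupdates query string replaced by the placeholder SHORTENED; the grouping and reporting logic is my own assumption, not HijackThis's.

```python
"""Cross-reference a HijackThis-style log: running processes, O1 hosts-file
entries, O4 autorun entries and O16 DPF (ActiveX download) entries.
Added example for this thread, not HijackThis's own code; line formats follow
the entries quoted above, the grouping logic is an assumption."""
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the posts above (the long
# windupdates query string is shortened to keep the sample readable).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\crsrs.exe
C:\WINDOWS\System32\MSNMSGR5.exe
C:\index.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [System Startup] kimochi.exe
O4 - HKLM\..\Run: [Auto updat] crsrs.exe
O4 - HKLM\..\Run: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\RunServices: [System Startup] kimochi.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKLM\..\RunServices: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\RunOnce: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [System Startup] kimochi.exe
O4 - HKCU\..\Run: [Win32 NVIDIA Driver] MSPMSPSU.EXE
O4 - HKCU\..\RunOnce: [Auto updat] crsrs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=SHORTENED
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
"""

PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
AUTORUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")

def image_name(command):
    """Executable file name from a command line: path and arguments stripped,
    lower-cased; a quoted path may contain spaces."""
    command = command.strip()
    token = command.split('"')[1] if command.startswith('"') else command.split()[0]
    return token.rsplit("\\", 1)[-1].lower()

def parse_log(text):
    """Split the log into the four sections this script cross-references."""
    parsed = {"processes": [], "hosts": [], "autoruns": [], "dpf": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if PROCESS_RE.match(line):
            parsed["processes"].append({"path": line, "image": image_name(line)})
        elif m := HOSTS_RE.match(line):
            parsed["hosts"].append((m["ip"], m["host"]))
        elif m := AUTORUN_RE.match(line):
            parsed["autoruns"].append({"location": f"{m['hive']}\\{m['key']}",
                                       "name": m["name"], "image": image_name(m["cmd"])})
        elif m := DPF_RE.match(line):
            parsed["dpf"].append({"clsid": m["clsid"], "desc": m["desc"] or "", "url": m["url"]})
    return parsed

def group_autoruns(autoruns):
    """Map each executable to the sorted registry locations that launch it."""
    groups = defaultdict(set)
    for entry in autoruns:
        groups[entry["image"]].add(entry["location"])
    return {image: sorted(locs) for image, locs in sorted(groups.items())}

def running_autorun_images(parsed):
    """Autorun executables that also appear as running processes: these are the
    ones to end in Task Manager before their O4 lines are fixed."""
    running = {p["image"] for p in parsed["processes"]}
    return sorted(running & {a["image"] for a in parsed["autoruns"]})

def dpf_origins(parsed):
    """(clsid, scheme, host) per O16 entry, so each control's download source
    can be reviewed at a glance."""
    out = []
    for entry in parsed["dpf"]:
        scheme, _, rest = entry["url"].partition("://")
        host = "(local file)" if scheme.lower() == "file" else rest.split("/", 1)[0].split(":", 1)[0]
        out.append((entry["clsid"], scheme.lower(), host.lower()))
    return out

def report(text):
    """Human-readable summary in the order the replies in this thread work through it."""
    parsed = parse_log(text)
    lines = ["O4 autorun executables and the keys that launch them:"]
    for image, locs in group_autoruns(parsed["autoruns"]).items():
        lines.append(f"  {image:<14} {len(locs)} key(s): {', '.join(locs)}")
    lines.append("Running now, end in Task Manager before fixing: " + ", ".join(running_autorun_images(parsed)))
    lines += [f"O1 hosts override to verify: {host} -> {ip}" for ip, host in parsed["hosts"]]
    lines += [f"O16 {{{clsid}}} downloaded via {scheme} from {host}" for clsid, scheme, host in dpf_origins(parsed)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as a script to see the summary for the constructed sample; to use it on a real log, pass the file's text to report(). The point of grouping by executable rather than by line is the one Major Attitude notes above: the same file appears under Run, RunServices and RunOnce in both HKLM and HKCU, and a fix that leaves any one of those entries in place lets the program start again at next boot.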