TechSpot

The devil should get the souls of malware creators

By -Cult-
Jul 11, 2006
  1. Here goes. I've had forum help here fixing malware before. I've run adaware SE (full/deep scan) and it gets to about 500 files scanned and force reboots the pc. So that's apparently out of the question. Ran spybot S&D and that didn't stop the pop up tide from coming again. I can't even get ewido to load on IE or Firefox. Going to try some of the webpage based scanners although I doubt those are going to have any more success.

    If anyone has any idea why adaware would be self rebooting the pc I'd like to know. Also if you think I should put an HJT log up let me know. I'm just taking this one step at a time so in the meanwhile I'm going to do a webscanner.

    Any help would be appreciated.

    Thanks in advance.
    `Cult
     
  2. -Cult-

    -Cult- TS Rookie Topic Starter

    Additional note... Now anytime I try to download something such as hijack this the browser closes (IE & Firefox) -.-

    Thanks
    `Cult
     
  3. Peddant

    Peddant TS Rookie Posts: 1,446

    Go HERE, follow the instructions, and then post an HJT log.

    You should be able to do the scans in safe mode with networking HERE
     
  4. -Cult-

    -Cult- TS Rookie Topic Starter

    I just updated above with a hjt log. I'll try safe mode and running scanners though.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That system is heavily infected with all sorts of crap.

    Go HERE and follow the instructions carefully.

    Then, go HERE and do likewise.

    Finally, go HERE and follow the instructions for Ewido.

    Post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave:
     
  6. -Cult-

    -Cult- TS Rookie Topic Starter

    Ran them and here's an updated hjt.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please run the Ewido scan and post a fresh HJT log along with the Ewido log.

    Regards Howard :)
     
  8. -Cult-

    -Cult- TS Rookie Topic Starter

    Ewido/HJT logs. Ewido is two because it kept saying file size was too large. Sorry if that causes a problem.

    Let me know what to do.

    Thanks

    `Cult
     
  9. -Cult-

    -Cult- TS Rookie Topic Starter

    Csrss

    Whenever windows begins I get an error for Csrss multiple times, probably about 4 of them, saying it's unable to locate it. I checked system config and it shows 3 of them on my startup list; what the hell is with that? One just says CSRSS-Startup with no command. The other two appear to be in system(32) from all I've been able to guess.

    Any info on this would be helpful as always.

    Thanks once again.
    `Cult
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    3067ef0e.exe
    HKNTFS~1.EXE
    msconfig.exe
    rdgUS2404.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

    R3 - URLSearchHook: (no name) - {18C249E1-AD54-80F5-5B94-F24A33DBF1BC} - C:\WINDOWS\system32\bclr.dll (file missing)

    F3 - REG:win.ini: load=C:\WINDOWS\system32\devedn\csrss.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\devedn\csrss.exe

    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll (file missing)
    O2 - BHO: (no name) - {18C249E1-AD54-80F5-5B94-F24A33DBF1BC} - C:\WINDOWS\system32\bclr.dll (file missing)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

    O4 - HKLM\..\Run: [3067ef0e.exe] C:\WINDOWS\system32\3067ef0e.exe

    O4 - HKCU\..\Run: [Surs] "C:\PROGRA~1\ICROSO~1\msconfig.exe" -vt ndrv

    O4 - HKCU\..\Run: [Pjirq] C:\PROGRA~1\COMMON~1\WNSXS~1\HKNTFS~1.EXE

    O4 - HKCU\..\Run: [3067ef0e.exe] C:\Documents and Settings\Emilie Scott\Local Settings\Application Data\3067ef0e.exe

    O4 - Startup: csrss.lnk = ?

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

    O11 - Options group: [INTERNATIONAL] International*

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - AppInit_DLLs: spool32.dll C:\WINDOWS\system32\spool32.dll C:\WINDOWS\system32\nslookup.dll

    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g3172015.dll (file missing)

    O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\Emilie Scott\Local Settings\Application Data\3067ef0e.exe
    C:\WINDOWS\system32\3067ef0e.exe
    C:\PROGRA~1\COMMON~1\WNSXS~1\HKNTFS~1.EXE

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)
     
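An added triage helper (example code, not from the thread, TechSpot or HijackThis) that parses lines in the HJT log format Howard works through in the post above and flags the same patterns he acts on: orphaned "(file missing)" entries, win.ini load/run autostarts, O20 AppInit_DLLs/Winlogon Notify hooks, ActiveX downloads from a bare IP, the unresolved csrss.lnk startup shortcut, random 8-hex-digit executable names, and any csrss.exe that is not the genuine one in %SystemRoot%\system32 (which is what lies behind the multiple csrss startup errors asked about in post 9). The sample lines are constructed from the thread's own entries plus one benign MSN line; the flag rules are my own assumptions, not HJT's.

```python
import re

# Constructed sample in the shape of the HijackThis lines quoted in the thread
# (paths, CLSIDs and the download URL are the thread's own; one benign line is included).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\devedn\csrss.exe
O2 - BHO: (no name) - {18C249E1-AD54-80F5-5B94-F24A33DBF1BC} - C:\WINDOWS\system32\bclr.dll (file missing)
O4 - HKLM\..\Run: [3067ef0e.exe] C:\WINDOWS\system32\3067ef0e.exe
O4 - Startup: csrss.lnk = ?
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g3172015.dll (file missing)
""".strip()

HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                # "O4 - <body>"
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)  # download from a bare IP
HEX_NAME = re.compile(r"\b[0-9a-f]{8}\.exe\b", re.I)             # 3067ef0e.exe-style names
# Core Windows processes whose genuine copy lives directly in %SystemRoot%\system32.
SYSTEM_PROCESSES = ("csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe")

def triage(line):
    """Return the reasons one HJT line deserves a closer look (empty list = nothing flagged)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    lower, reasons = body.lower(), []
    if "(file missing)" in lower:
        reasons.append("orphaned entry (file missing)")
    if section == "F3" and "win.ini" in lower:
        reasons.append("legacy win.ini load/run autostart")
    if section == "O20":
        reasons.append("AppInit_DLLs / Winlogon Notify injection point")
    if section == "O16" and IP_URL.search(body):
        reasons.append("ActiveX download from bare IP address")
    if section == "O4" and body.endswith("= ?"):
        reasons.append("startup shortcut with unresolved target")
    if HEX_NAME.search(body):
        reasons.append("8-hex-digit executable name")
    for name in SYSTEM_PROCESSES:
        for hit in re.finditer(re.escape(name), lower):
            # anything other than <...>\windows\system32\<name> is a look-alike
            if not lower[:hit.end()].endswith("\\windows\\system32\\" + name):
                reasons.append(name + " outside %SystemRoot%\\system32")
                break
    return reasons

def triage_log(text):
    """Return [(line, reasons)] for every line of an HJT log that gets at least one flag."""
    flagged = [(line, triage(line)) for line in text.splitlines()]
    return [(line, reasons) for line, reasons in flagged if reasons]
```

Calling `triage_log(SAMPLE_LOG)` returns six of the seven sample lines with their reasons; only the MSN Photo Upload entry comes back clean.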
  11. -Cult-

    -Cult- TS Rookie Topic Starter

    I didn't get that csrss thing this time. Here's the fresh HJT log.

    Thanks again.
    `Cult
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - Startup: csrss.lnk = ?

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\WINDOWS\system32\devedn\csrss.exe

    Then, go and delete the following.

    C:\Documents and Settings\your logon name here\Start Menu\Programs\Startup and delete the file csrss.lnk manually.

    If you can't delete this file, please let me know the exact path to this file and I will give you further instructions.

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)
     