Malware infection possibly

Status
Not open for further replies.

siedog

Hi,

I think I'm infected with something. My system seems to crash, and I have needed to reboot more often this month. Usually it would crash just about once a month. I noticed after rebooting that there was a cssrss.exe file in the task manager, and looking it up, it was considered malware. I stopped the program.

Before going through the cleanup steps, could someone please take a look and let me know if there's a simpler way to get rid of this, or if there is anything else wrong in the attached HijackThis log?

Thanks.
 
This is a dangerous infestation. cssrss.exe is actually W32/Forbot-CE, a trojan. You can read more at http://www.sophos.com/security/analyses/...

You can destroy this with any of a number of the top paid spyware programs. It is not one to mess with using the free junk. Start with something like Spyware Doctor 5.5 as a free scan, then if it is found, pay for the full version so you can remove it.

This trojan has the potential to do a lot of damage. It is on everybody's list of programs that are misleading and harmful.
After using Spyware Doctor or another top-ten-rated program, use Ad-Aware 2007 and the free Windows Defender from Microsoft. Update it, then scan.

As soon as all the scans are complete, immediately shut down and reboot to SAFE MODE by depressing the <F8> repeatedly upon a cold boot or reboot. When fully booted, run all the scans once more in SafeMode.

You might want to run a Gurgle search of cssrss.exe and/or W32/Forbot-CE, and read all the studies and solutions online.
 
We should also warn you that this worm has backdoor functionality: it tries to connect to a remote IRC server and join a predefined channel, then listens on the channel for instructions specified by a remote intruder.

It will also attempt to spread to network computers using various exploits and may try to delete network shares.

Which is why I am suggesting the following thread to read; then follow the next instructions and post back here with logs.

However, I do not see the entry you are referring to in your log.
---------------------------------------------------------------------

Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

1) MBAM or SAS log
2) Combofix log
3) HijackThis log (Step 15)
 
Blind Dragon, you didn't see the entry in the log because I stopped the process in the task manager before running HijackThis. Here is another current HJT log with the entry, taken after I had rebooted my computer.

Do I really have to pay to get this out? If I really need to then I will but please let me know other options if possible.

I will do the steps, but those steps have taken time to do. Please let me know if there are other options if possible.
 
K, I see the task but not the startup entry. The instructions in the preliminary removal are there for a reason; yes, it takes time, but it is cheaper than paying somebody to fix it or paying for software to fix it. Let's do this for now. You may end up spending just as much time getting me logs, but maybe we will get lucky.

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
OK, ran Combofix. It looked like it deleted the cssrss.exe file along with a couple of others. It doesn't look like that file is in the task manager anymore. I hope this will do the trick. Attached are the Combofix log and the latest HJT file.
 
Will edit this post shortly; didn't realize you had Win2000.

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINNT\system32\C0ZYR9.syz
C:\WINNT\system32\Tjotm6.syz
C:\WINNT\system32\WJZRLn.syz
C:\WINNT\system32\PpBnfj.syz
C:\WINNT\system32\oSprU9.syz
C:\WINNT\system32\jGv6bX.syz
C:\WINNT\system32\N2d124.syz
C:\WINNT\system32\FEX8yE.syz

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
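The CFScript above has a strict layout (File:: alone on the first line, no blank line above it, no leading space, then one absolute path per line). As an added example that is not part of the original thread or of ComboFix, this small Python helper builds such a script from a list of paths, checks an existing CFScript.txt for the layout mistakes the post warns about, and hashes each target file that is still present so there is a record before ComboFix deletes it. The sample paths are copied from the post; the function names are my own.

```python
import hashlib
import os
import re

# Sample input constructed from the CFScript in the post above.
SAMPLE_PATHS = [
    r"C:\WINNT\system32\C0ZYR9.syz",
    r"C:\WINNT\system32\Tjotm6.syz",
]


def build_cfscript(paths):
    """Return CFScript text: 'File::' first, no blank line above it, one path per line."""
    lines = ["File::"] + [p.strip() for p in paths if p.strip()]
    return "\r\n".join(lines) + "\r\n"  # CRLF, as Notepad on Windows writes it


def validate_cfscript(text):
    """Return a list of layout problems; an empty list means the script is well formed."""
    problems = []
    lines = text.splitlines()
    # Locate the File:: directive, tolerating surrounding whitespace while locating it.
    marker = next((i for i, l in enumerate(lines) if l.strip() == "File::"), None)
    if marker is None:
        return ["first line is not File::"]
    if marker > 0:
        if all(l.strip() == "" for l in lines[:marker]):
            problems.append("blank line above File::")
        else:
            problems.append("File:: is not on the first line")
    if lines[marker] != "File::":
        problems.append("space in front of File::")
    # Every remaining non-empty line must be an absolute Windows path (drive letter + backslash).
    for n, line in enumerate(lines[marker + 1:], start=marker + 2):
        if line.strip() and not re.match(r"^[A-Za-z]:\\", line):
            problems.append(f"line {n} is not an absolute Windows path: {line!r}")
    return problems


def record_targets(paths):
    """Map each target path to its SHA-256 (or None if it is absent) for the incident record."""
    record = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                record[p] = hashlib.sha256(fh.read()).hexdigest()
        else:
            record[p] = None  # not present when the script was prepared
    return record
```

Run validate_cfscript on the saved CFScript.txt before dragging it onto ComboFix; any non-empty result means the file would not be parsed the way the post describes.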
 
Updated the above post.

Afterwards, please run an online scan for us...

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.
 
So the kaspersky results indicate 26 viruses found. Do I need to delete these files? Some infected files were locked and all were skipped.
 
P2P programs: Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation. See http://spywarewarrior.com/viewtopic.php?t=26216

-----------------------------------------------------------------

Uninstall the following through control panel -> add/remove programs -> You can reinstall but please read the warning above.

DivXPro5GAINBundle (Advertising)
EDonkey FTP File Sharing Software
KaZaA Media Desktop
Morpheus
Net Vampire
netants (download manager)


----------------------------------------------

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\mos.exe
    D:\Programs and Cracks\Codecs and Video Programs\DivXPro5GAINBundle (Advertising).exe
    D:\Programs and Cracks\Download Managers\getrt45c.exe
    D:\Programs and Cracks\EDonkey FTP File Sharing Software\eDonkey57.exe
    D:\Programs and Cracks\KaZaA Media Desktop\kmd151_en.exe
    D:\Programs and Cracks\Morpheus\Morpheus32.exe
    D:\Programs and Cracks\Net Vampire\nv4pro_b.zip
    D:\Programs and Cracks\netants (download manager).zip

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

-------------------------------------------------------------

Afterwards please attach a fresh HijackThis log; then, if all looks OK, we can clean up and remove some of these tools.
 
Sorry, I've been under the weather recently and haven't gotten to the procedures yet. I'll hopefully perform these soon and get back to you. Thanks a lot Blind Dragon for not forgetting.
 
I don't see an actual antivirus product on there.

Anti-Virus
AVG 8 Free
Avast Free
Avira Free <- My recommendation



Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder


Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

-----------------------------------------------------------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.
 
Sorry for not replying back sooner. I was preoccupied with other personal issues. Anyway, regarding the steps above:

1. Isn't McAfee an antivirus product? Because that's what I have now. It's McAfee VirusScan V4.5.1 SP1. I just updated to the latest virus definitions. Is this OK?
2. When updating the Java Runtime Environment, do I choose Windows or Windows x64 under the drop-down menu?

I just noticed that my firewall program (ZoneAlarm) popped up with a warning that Windows aspimgr.exe is trying to access the internet, so I said to Allow. Is that OK or not?

Attached is the latest HJT log. Please answer the above before I go through with your latest steps. Thanks a lot.

Update: I tried your ATF Cleaner step above, but the Prefetch option is disabled, so I can't select it.
 
siedog said:
I just noticed that my firewall program (ZoneAlarm) popped up with a warning that Windows aspimgr.exe is trying to access the internet, so I said to Allow. Is that OK or not?

No it's not ok.
Microsoft ASPI Manager -> Added by the Troj/Proxy-HS Proxy Trojan

Double-click on ZoneAlarm in the system tray -> select Program Control -> find Microsoft ASPI Manager or aspimgr and click on the green check marks to set them to red X.

-----------------------------------------------------------------------------------------------

I see no sign of McAfee being installed or active; none of their regular services are there. You may want to reinstall it if you have a subscription, or I can suggest a replacement if yours is expired.
 
Blind Dragon said:
No it's not ok.
Microsoft ASPI Manager -> Added by the Troj/Proxy-HS Proxy Trojan

Double-click on ZoneAlarm in the system tray -> select Program Control -> find Microsoft ASPI Manager or aspimgr and click on the green check marks to set them to red X.

OK, I set the red marks to block. Now how do I get rid of this? I can't stop the process in the task manager or delete the file from the windows/system32 folder.

-----------------------------------------------------------------------------------------------
Blind Dragon said:
I see no sign of McAfee being installed or active; none of their regular services are there. You may want to reinstall it if you have a subscription, or I can suggest a replacement if yours is expired.

Isn't McAfee from Network Associates? I see this in the HJT log:

C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\htpatch.exe

Right now I just updated the virus definitions for the program:

virusscanconsole.jpg
 
Updated post 7/4/08: I used Combofix to get rid of the aspimgr.exe file. Attached are the latest Combofix and HJT files.

- So do I choose Windows or Windows x64 under the drop-down for updating the Java Runtime Environment?
- Do I still need to add another anti-virus software, since for some reason you can't see the Network Associates McAfee I have on this machine? Below is the version I have on this machine:

McAfeeversion.jpg
 
I see it in your running processes, but it didn't create a service (or the service is stopped), and it doesn't have a startup entry showing, so I am doubting real-time protection. I am not too familiar with McAfee, so I suggest that you contact them through their website to see which scan engine you should be using. Your definitions are up to date. But just to be safe, it is worth contacting their support to see if you need to update the scan engine. I am pretty sure they ended support for your product in 2003. You may be able to select Auto Upgrade, from the screenshot you posted.


-------------------

For Java you want Windows, not Windows x64.

------------------

If you are paying for McAfee then you should keep it at least until the subscription is up, but just check with them to make sure your version works and that everything is up to date.
 