The devil should get the souls of malwares creators

[-Cult-]

Here goes. I've had forum help here fixing malware before. I've run adaware SE (full/deep scan) and it gets to about 500 files scanned and force reboots the pc. So thats apparently out of the question. Ran spybot S&D and that didn't stop the pop up tide from coming again. I can't even get ewido to load on IE or Firefox. Going to try some of the webpage based scanners although I doubt those are going to have anymore success.

If anyone has any idea why adaware would be self rebooting the pc I'd like to know. Also if you think I should put an HJT log up let me know. Im just taking this one step at a time so in the meanwhile im going to do a webscanner.

Any help would be appreciated.

Thanks in advance.
`Cult

 

[-Cult-]

Additonal note...Now anytime I try to download something such as hijack this the browser closes (IE & Firefox) -.-

Thanks
`Cult

 

[Peddant]

Go HERE follow the instructions,and then post an HJT log.

You should able to do the scans in safe mode with networking HERE

 

[-Cult-]

I just updated above with a hjt log. Ill try safe mode and running scanners though.

 

[howard_hopkinso]

That system is heavily infected with all sorts of crap.

Go HERE and follow the instructions carefully.

Then, go HERE and do likewise.

Finally, go HERE and follow the instructions for Ewido.

Post a fresh HJT log, only after doing the above.

Regards Howard :wave: :wave:

 

[-Cult-]

Ran them and heres an updated hjt.

 

[howard_hopkinso]

Please run the Ewido scan and post a fresh HJT log along with the Ewido log.

Regards Howard

 

[-Cult-]

Ewido/HJT logs. Ewido is two because it kept saying file size was too large. Sorry if that causes a problem.

Let me know what to do.

Thanks

`Cult

 

[-Cult-]

Csrss

Whenever windows begins I get an error for Csrss multiple times probably about 4 of them saying its unable to locate it. I checked system config and it shows 3 of them on my startup list what the hell is with that? One just says CSRSS-Startup with no command. The other two appear to be in system(32) from all I've been able to guess.

Any info on this would be helpful as always.

Thanks once again.
`Cult

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

3067ef0e.exe
HKNTFS~1.EXE
msconfig.exe
rdgUS2404.exe

Close task manager.

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R3 - URLSearchHook: (no name) - {18C249E1-AD54-80F5-5B94-F24A33DBF1BC} - C:\WINDOWS\system32\bclr.dll (file missing)

F3 - REG:win.ini: load=C:\WINDOWS\system32\devedn\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\devedn\csrss.exe

O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll (file missing)
O2 - BHO: (no name) - {18C249E1-AD54-80F5-5B94-F24A33DBF1BC} - C:\WINDOWS\system32\bclr.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O4 - HKLM\..\Run: [3067ef0e.exe] C:\WINDOWS\system32\3067ef0e.exe

O4 - HKCU\..\Run: [Surs] "C:\PROGRA~1\ICROSO~1\msconfig.exe" -vt ndrv

O4 - HKCU\..\Run: [Pjirq] C:\PROGRA~1\COMMON~1\WNSXS~1\HKNTFS~1.EXE

O4 - HKCU\..\Run: [3067ef0e.exe] C:\Documents and Settings\Emilie Scott\Local Settings\Application Data\3067ef0e.exe

O4 - Startup: csrss.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - AppInit_DLLs: spool32.dll C:\WINDOWS\system32\spool32.dll C:\WINDOWS\system32\nslookup.dll

O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g3172015.dll (file missing)

O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Documents and Settings\Emilie Scott\Local Settings\Application Data\3067ef0e.exe
C:\WINDOWS\system32\3067ef0e.exe
C:\PROGRA~1\COMMON~1\WNSXS~1\HKNTFS~1.EXE

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.


Regards Howard

 

[-Cult-]

I didn't get that csrss thing this time. Heres the fresh HJT log.

Thanks again.
`Cult

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - Startup: csrss.lnk = ?

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

C:\WINDOWS\system32\devedn\csrss.exe

Then, go and delete the following.

C:\Documents and Settings\your logon name here\Start Menu\Programs\Startup and delete the file csrss.lnk manually.

If you can`t delete this file, please let me know the exact path to this file and I will give you further instuctions.

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard