


Computer infected


  • This topic is locked
66 replies to this topic

#1 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 28 March 2005 - 03:35 PM

Well guestolo, how's it going? My computer got infected with about:blank.
I followed the instructions you gave others with the same problem and have got my homepage fixed, but I know my computer is still infected with something because I can only open HijackThis, TDS-3, etc. in Safe Mode.

I've done a few scans and everything; Ad-Aware doesn't find anything. Also, I can't get into the Custom and Default tabs in Internet Options / Security to enable scripting, so I can't get into Email Removed or anything.

Here's my log, hope you can help. Cheers guestolo, you're a legend.


Logfile of HijackThis v1.99.0
Scan saved at 22:19:30, on 28/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\Run: [outpost] C:\Documents and Settings\Patrick Deighan\Local Settings\Temp\OutpostProInstall.exe
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 28 March 2005 - 03:38 PM

P.S. Having trouble logging in, which is why I'm logged in as a guest.

#3 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 29 March 2005 - 09:12 AM

Just on my way out, Irish. Could you do the following while waiting?
Download this virus checker from eScan:
Mwav.exe
There's nothing to install; save it and then double-click to run.
It will self-extract.

Select all local drives, scan all files, press 'SCAN', and when it is completed anything found will be displayed in the lower pane.
In the Virus Log Information pane, left-click and highlight all the info in the lower pane. Use Ctrl+C to copy everything found in the lower pane and save it to a Notepad file.

**** If prompted that a virus was found and you need to purchase the product to remove the malware, just close the prompt and let it continue scanning.
We just want to see where the bad guys are.

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#4 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 29 March 2005 - 06:59 PM

I already had that MWAV, but I just downloaded it again. Here are the results, and thanks again guestolo.


File C:\WINDOWS\System32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\navapqwa.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\PATRIC~1\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Gavin Deighan\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Karen Deighan\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000008.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000022.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000032.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001033.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\update\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

#5 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 29 March 2005 - 07:28 PM

===Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file and save it to the desktop
Close down all other windows, disconnect from the Internet

Disable System Restore

Do another scan with HijackThis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe

After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
OK the prompt and exit HijackThis

Run Pocket Killbox
In the Full Path of File to Delete box, copy and paste the entire line directly below (shown in bold); do not type this in

C:\WINDOWS\System32\crmss.exe

Select the Delete button afterwards (the red circle with a white X)
For any file that won't delete, keep track of it; we'll need those in a bit

Do the same for these file names
C:\WINDOWS\system32\navapqwa.exe
C:\DOCUME~1\PATRIC~1\MSDIRE~1.SYS
C:\WINDOWS\csrss.exe
C:\WINDOWS\killzx.exe
C:\WINDOWS\Messenger2.exe
C:\WINDOWS\rei.exe
C:\WINDOWS\SYSTEM32\file.exe
C:\Documents and Settings\Gavin Deighan\msdirectx.sys
C:\Documents and Settings\Karen Deighan\msdirectx.sys
C:\update\rei.exe
C:\WINDOWS\System32\mqexdlm.srg

For any file that won't delete:
Use the Replace on Reboot radio button
Additionally, put a tick in "Use Dummy"
When prompted to Replace on Reboot >> click YES
If prompted to Reboot NOW >> click NO until you have added the last path to the file name,
at which time select YES to Reboot NOW, or restart anyway

Please try to restart into Normal mode
Re-enable System Restore
Post back a fresh log from there

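The "Replace on Reboot" step in the instructions above relies on Windows carrying out the delete at the next boot rather than in the running session, which is why it works on a file that is locked or guarded while the infection is active. The following Python is an added example, not code from the original thread or from Pocket Killbox. It assumes (the page does not say) that Killbox queues the operation through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, i.e. the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and that "Use Dummy" queues a placeholder file (called C:\dummy.tmp here, a made-up name) to be moved over the target. It encodes that REG_MULTI_SZ value and decodes it back, which is also the check to run when you want to see what a machine has queued for its next reboot: malware uses the same value to remove its own droppers.

```python
r"""Encode and decode the PendingFileRenameOperations value that Windows uses to
carry out delayed file moves and deletes at the next boot.

Added example, not code from the original thread or from Pocket Killbox. It
assumes (not stated on the page) that Killbox's "Replace on Reboot" uses the
standard Win32 route, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues
the operation in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
and that "Use Dummy" queues a move of a placeholder file onto the target.
"""

NT_PREFIX = "\\??\\"


def nt_path(win_path):
    r"""MoveFileEx records paths in NT form, e.g. \??\C:\WINDOWS\csrss.exe."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def encode_pending_ops(ops):
    """ops: list of (source, destination). An empty destination means delete at
    boot; a destination starting with "!" means replace an existing file
    (MOVEFILE_REPLACE_EXISTING). Returns the raw REG_MULTI_SZ bytes: UTF-16LE,
    each string NUL-terminated, and an extra NUL closing the list."""
    out = bytearray()
    for src, dst in ops:
        if dst.startswith("!"):
            dst = "!" + nt_path(dst[1:])
        elif dst:
            dst = nt_path(dst)
        out += nt_path(src).encode("utf-16-le") + b"\x00\x00"
        out += dst.encode("utf-16-le") + b"\x00\x00"
    out += b"\x00\x00"
    return bytes(out)


def decode_pending_ops(blob):
    """Parse a REG_MULTI_SZ blob (as read from the registry) into (src, dst) pairs.
    Strings come in pairs; an empty string where a source should be ends the list."""
    strings = blob.decode("utf-16-le").split("\x00")
    ops = []
    i = 0
    while i + 1 < len(strings) and strings[i] != "":
        ops.append((strings[i], strings[i + 1]))
        i += 2
    return ops


def describe_pending_ops(blob):
    """Human-readable view of what is queued for the next reboot."""
    lines = []
    for src, dst in decode_pending_ops(blob):
        if dst == "":
            lines.append(f"delete {src}")
        elif dst.startswith("!"):
            lines.append(f"move {src} over existing {dst[1:]}")
        else:
            lines.append(f"move {src} to {dst}")
    return lines


# Constructed sample: what the two Killbox options in the post above would queue
# for C:\WINDOWS\csrss.exe (the copy outside System32). C:\dummy.tmp is a made-up
# placeholder name.
SAMPLE_OPS = [
    (r"C:\WINDOWS\csrss.exe", ""),                     # Replace on Reboot: plain delete
    (r"C:\dummy.tmp", "!" + r"C:\WINDOWS\csrss.exe"),  # Use Dummy: placeholder moved onto target
]

if __name__ == "__main__":
    for line in describe_pending_ops(encode_pending_ops(SAMPLE_OPS)):
        print(line)
```

To inspect a live machine, export the value from Regedit (or read it with any registry API) and hand the raw bytes to describe_pending_ops; an entry with an empty destination is a pending delete, and anything queued that you did not put there deserves a look before you reboot.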


#6 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 31 March 2005 - 12:06 PM

Deleted them all. This is the only one that didn't delete:
C:\WINDOWS\csrss.exe

Used the Replace on Reboot radio button
Additionally, put a tick in "Use Dummy"


Here's the new log

Logfile of HijackThis v1.99.0
Scan saved at 19:05:18, on 31/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#7 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 31 March 2005 - 06:40 PM

Are you still having problems signing into the forum?

This file here is a legitimate file; don't try to delete it in the System32 folder
C:\WINDOWS\system32\csrss.exe

We're just after this one
C:\WINDOWS\csrss.exe

It may be confusing because we were also after this bad guy
C:\WINDOWS\System32\crmss.exe

Notice the spelling

Let's try this again
Save these instructions to a Notepad file on the desktop and then leave it open

Disconnect completely from the Internet
Close all other windows, including this one

Do another scan with HijackThis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe

After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
OK the prompt and exit HijackThis

Next, with only Pocket Killbox open:
Run Pocket Killbox
In the Full Path of File to Delete box, copy and paste the entire line directly below (shown in bold); do not type this in

C:\WINDOWS\csrss.exe

Select the Delete button afterwards (the red circle with a white X)
If it won't delete, or is not found, use the Replace on Reboot >> Use Dummy options, then click the red circle with the white X

Restart the computer and post a fresh HijackThis log

Let me know how things are running

Can you also let me know the following:
If I remember correctly you were using Outpost as your firewall protection
Now I see that you have this entry in your log
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
Which firewall protection are you running now?
Do you still have Outpost installed?
I see some entries in your log that may be leftovers

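The naming tricks guestolo points out above (crmss.exe sitting next to the real csrss.exe, a csrss.exe in C:\WINDOWS instead of System32, and Run values that carry only a bare filename with a vendor-sounding display name) can be checked mechanically rather than by eye. The following Python is an added example for this thread, not code from the original posts or from HijackThis. The list of protected process names and their home folders, and the edit-distance threshold of 2, are assumptions made for the illustration; the sample O4 lines and scanner paths are constructed from the logs posted above.

```python
"""Triage HijackThis O4 (autorun) entries and scanner hits for the two tricks
seen in this thread: a bare filename in a Run/RunServices value, and a file whose
name is (or nearly is) a core Windows process name but lives in the wrong folder.

Added example for the thread, not code from the original posts or from
HijackThis. PROTECTED (names and home folders) and the edit-distance threshold
are assumptions made for the illustration.
"""
import ntpath
import re

# Core XP processes from the "Running processes" section of the logs above, with
# the folder each one legitimately runs from on a default install (assumption).
PROTECTED = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# O4 lines for Run/RunServices values; "Global Startup" (.lnk) lines are not parsed.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")

# Constructed sample: a few O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Constructed sample of paths a scanner reported (see the eScan results above).
SAMPLE_HITS = [r"C:\WINDOWS\csrss.exe", r"C:\WINDOWS\System32\crmss.exe",
               r"C:\WINDOWS\system32\csrss.exe"]


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute); 'crmss' vs 'csrss' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_from_command(command):
    """Program part of a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def check_path(path):
    """Return the reasons a path looks suspicious (empty list: nothing noted)."""
    reasons = []
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if "\\" not in path:
        reasons.append("bare filename: resolved via the search path, so its real location is unknown")
    elif name in PROTECTED and folder != PROTECTED[name]:
        reasons.append(f"system process name outside its home folder {PROTECTED[name]}")
    if name not in PROTECTED:
        close = [real for real in PROTECTED if levenshtein(name, real) <= 2]
        if close:
            reasons.append("lookalike of " + ", ".join(close))
    return reasons


def triage_o4(log_text):
    """Parse O4 lines from a HijackThis log and return the entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        match = O4_RE.match(line)
        if not match:
            continue
        hive, key, display_name, command = match.groups()
        target = executable_from_command(command)
        reasons = check_path(target)
        if reasons:
            findings.append({"hive": hive, "key": key, "name": display_name,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f['hive']}\\{f['key']} [{f['name']}] -> {f['target']}: {'; '.join(f['reasons'])}")
    for hit in SAMPLE_HITS:
        print(hit, "->", check_path(hit) or "looks legitimate by these checks")
```

These checks flag crmss.exe and navapqwa.exe from the sample and the C:\WINDOWS\csrss.exe hit, and pass the System32 copy of csrss.exe. They are heuristics only: a full path to an unknown file such as winmgr.exe is not flagged, which is why the scanner results, not the log alone, decided what went into the Killbox list.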


#8 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 01 April 2005 - 09:21 AM

I changed my password but can't remember what I changed it to exactly. Got it sent to my Email Removed but can't get into Email Removed because Java is not enabled. Have tried, but can't get into Custom on my Security tab in Internet Options; I think that has something to do with the virus.

Used Outpost for the free trial period, but as soon as that ended my computer got infected. Downloaded SoftPerfect; don't really know how to use it. It's always changing security settings.

Here's my new log. Everything seems to be OK, but I just want to get in to enable my Java so I can get into Email Removed etc.

Are you still having problems signing into the forum?

This file here is a legitimate file; don't try to delete it in the System32 folder
C:\WINDOWS\system32\csrss.exe

We're just after this one
C:\WINDOWS\csrss.exe

It may be confusing because we were also after this bad guy
C:\WINDOWS\System32\crmss.exe

Notice the spelling

Let's try this again
Save these instructions to a Notepad file on the desktop and then leave it open

Disconnect completely from the Internet
Close all other windows, including this one

Do another scan with HijackThis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe

After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
OK the prompt and exit HijackThis

Next, with only Pocket Killbox open:
Run Pocket Killbox
In the Full Path of File to Delete box, copy and paste the entire line directly below (shown in bold); do not type this in

C:\WINDOWS\csrss.exe

Select the Delete button afterwards (the red circle with a white X)
If it won't delete, or is not found, use the Replace on Reboot >> Use Dummy options, then click the red circle with the white X

Restart the computer and post a fresh HijackThis log

Let me know how things are running

Can you also let me know the following:
If I remember correctly you were using Outpost as your firewall protection
Now I see that you have this entry in your log
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
Which firewall protection are you running now?
Do you still have Outpost installed?
I see some entries in your log that may be leftovers

#9 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 01 April 2005 - 09:26 AM

Oops!!

Posted back your instructions instead of my log :o(

Logfile of HijackThis v1.99.0
Scan saved at 16:15:29, on 01/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 02 April 2005 - 11:24 PM

Can you try something? Microsoft Anti-Spyware Beta has a good record at resetting default settings.

You can download it from HERE

Follow the steps in the Installation Wizard