Author Topic: Csrss.new.exe (again :D) (Read 1970 times)

c0vert7 · « **on:** November 19, 2005, 11:57:30 PM »

Ok here is the logs for it, hijackthis, please help me guys and girls.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Defender Pro Anti Spam\dpantispam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\cody\Local Settings\Temporary Internet Files\Content.IE5\6RKFKTC1\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: load=C:\WINDOWS\system32\anueavkezq\csrss.new.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\anueavkezq\csrss.new.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ML1HelperStartUp] C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKCU\..\Run: [DefenderProAutoRun] "C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"
O4 - HKCU\..\Run: [ntvdms] C:\WINDOWS\NR\ntvdms.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.2.7.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114480590263
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: AOL Instant Messenger - {E42D9906-3146-97B9-D480-B3E6F3E85DD5} - (no file)
O21 - SSODL: System - {48434A7B-BD56-4E79-BF6C-B8DD4CE8B260} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

guestolo · « **Reply #1 on:** November 20, 2005, 12:58:19 AM »

Can you please redownload hijackthis and save it too a permanent folder on your harddrive
ONLY run hijackthis from this new location

Afterwards, come back here and post a fresh hijackthis log
Include the WHOLE log, which also includes the top header
Eg... Hijackthis version, Operating system, etc...

c0vert7 · « **Reply #2 on:** November 20, 2005, 01:17:01 AM »

ok here you go.

Logfile of HijackThis v1.99.1
Scan saved at 12:16:18 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Defender Pro Anti Spam\dpantispam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: load=C:\WINDOWS\system32\anueavkezq\csrss.new.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\anueavkezq\csrss.new.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKLM\..\Run: [ML1HelperStartUp] C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1
O4 - HKCU\..\Run: [DefenderProAutoRun] C:\Program Files\Defender Pro Anti Spam\dpantispam -D
O4 - HKCU\..\Run: [ntvdms] C:\WINDOWS\NR\ntvdms.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.2.7.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114480590263
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: AOL Instant Messenger - {E42D9906-3146-97B9-D480-B3E6F3E85DD5} - (no file)
O21 - SSODL: System - {48434A7B-BD56-4E79-BF6C-B8DD4CE8B260} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

guestolo · « **Reply #3 on:** November 20, 2005, 01:27:30 AM »

Can you do the following and then I'll post some fixes

Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to the file on your hard drive
C:\WINDOWS\NR\ntvdms.exe <-this file

Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please

Are there any other files in the NR folder?

c0vert7 · « **Reply #4 on:** November 20, 2005, 01:30:07 AM »

The folder is blank...

guestolo · « **Reply #5 on:** November 20, 2005, 01:56:35 AM »

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run this yet, we'll need it in a bit

Download SmitRem.exe by Noahdfear and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Disable SpywareDoctor's realtime protections so it won't interfere with any fixes we try

Please Save the rest of these instructions too notepad

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
If the system restarts back to Normal mode you will have to do it again

Go to START>>RUN>>In the Open field
Copy and paste the command in bold below then hit OK

sc stop moto
Then this one
sc delete moto

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Find and delete the following files if found in bold
C:\winstall.exe <-file
C:\WINDOWS\system32\anueavkezq\csrss.new.exe <-this file, Don't remove csrss.exe in the system32 folder!!
C:\WINDOWS\svchost.exe <-file, Don't remove svchost.exe in the system32 folder!!

and these folders
C:\WINDOWS\system32\anueavkezq <-folder
C:\WINDOWS\NR <-this folder

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: load=C:\WINDOWS\system32\anueavkezq\csrss.new.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\anueavkezq\csrss.new.exe

O4 - HKCU\..\Run: [ntvdms] C:\WINDOWS\NR\ntvdms.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe.exe

O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab

O21 - SSODL: AOL Instant Messenger - {E42D9906-3146-97B9-D480-B3E6F3E85DD5} - (no file)
O21 - SSODL: System - {48434A7B-BD56-4E79-BF6C-B8DD4CE8B260} - (no file)

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Back in Windows
From my signature below, please run an Online Virus scan at Panda's
Use Internet Explorer please to run the scan
It's safe to supply email address and other info
Choose to scan "Local Disks"
When it's done please save a report to desktop
and the come back here

1. Post the report from Panda's
2. Post the Report from Ewido's
3. Post a new Hijackthis log
4. Post the log made from SmitRem located here C:\Smitfiles.txt

c0vert7 · « **Reply #6 on:** November 20, 2005, 12:05:48 PM »

Ok finnaly done with all that and yes it did fix my error and thanks, also that panda link doesnt work

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' /> but I have my own anti-virus from wal mart

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />. Here are the 3 reports all new logs.

HijackThis:
-----------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:01:28 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ML1HelperStartUp] C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1
O4 - HKCU\..\Run: [DefenderProAutoRun] C:\Program Files\Defender Pro Anti Spam\dpantispam -D
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.2.7.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114480590263
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe

-----------------------------------------------------------------------------------------------------------------------------
Ewido:
-----------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         10:48:42 AM, 11/20/2005
+ Report-Checksum:      F36489F0

+ Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
   C:\WINDOWS\SYSTEM32\navshext1.dll -> Spyware.Chiem : Cleaned with backup
   C:\WINDOWS\SYSTEM32\iasada.dll -> Spyware.Azesearch : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vx.tll -> Adware.SpySheriff : Cleaned with backup
   C:\WINDOWS\crl.exe -> Not-A-Virus.Tool.Messen.103 : Cleaned with backup
   C:\WINDOWS\pumba2.dll -> Spyware.AzeSearch : Cleaned with backup
   C:\Program Files\Common Files\eajhnphc\edpljblare\jlenlrald.exe -> Adware.Gator : Cleaned with backup
   C:\Program Files\Common Files\eajhnphc\edpljblare\lpbralhdld.cab/CMESys.exe -> Adware.Gator : Cleaned with backup
   C:\Program Files\Common Files\eajhnphc\edpljblare\lpbralhdld.cab/CMEIIAPI.dll -> Adware.Gator : Cleaned with backup
   C:\Program Files\Common Files\eajhnphc\edpljblare\lpbralhdld.cab/GMTProxy.dll -> Adware.Gator : Cleaned with backup
   C:\Program Files\Common Files\eajhnphc\ccclhjle\bjepljcp.exe -> Adware.Gator : Cleaned with backup

::Report End

-----------------------------------------------------------------------------------------------------------------------------
SmitRem:
-----------------------------------------------------------------------------------------------------------------------------
smitRem © log file
version 2.7

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 11/20/2005
The current time is: 10:49:11.34

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

zlbw.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #7 on:** November 20, 2005, 02:24:08 PM »

The panda link works for me
Or is it you can't run the online scan?

Can you still do the following please

Find and delete this folder if found
C:\Program Files\Common Files\eajhnphc <-this folder

===Download DelDomains.inf
Right click on the link and choose Save Target As or Save Link As
Depending if you use IE or Mozilla
Save it
http://www.mvps.org/winhelp2002/DelDomains.inf and UNZIP it too desktop

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Reboot the computer

This entry in your log
O4 - HKLM\..\Run: [ML1HelperStartUp] C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1
If this is the freeware version I would opt to uninstall it, I'll leave that up to you, but it's not recommended
Here's some company info

Quote

The GAIN Network helps keep many popular software applications and web sites free. These software applications also occasionally display pop up ads on your computer screen based on your online activities.

Post back a fresh hijackthis log

c0vert7 · « **Reply #8 on:** November 20, 2005, 03:59:13 PM »

Ok I deleted the folder and the entry you said and here is a fresh Hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 2:58:25 PM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUp.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DefenderProAutoRun] C:\Program Files\Defender Pro Anti Spam\dpantispam -D
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.2.7.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114480590263
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe

guestolo · « **Reply #9 on:** November 20, 2005, 07:00:09 PM »

Some final cleanup
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link
Scroll down too IE-SPYAD (original) or
IE-SPYAD2>>Use one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2

I'm curious about this

Quote

but I have my own anti-virus from wal mart

What AV solution is it? I don't see it running
I see Kapersky's Anti-Spam running
What AV is runnning?

c0vert7 · « **Reply #10 on:** November 20, 2005, 09:01:52 PM »

Ok thxs ill do that, the av is defender pro 2005 its not on because I figured it would interfere with that stuff seeing as you said spyware doctor would

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' /> but its on now

guestolo · « **Reply #11 on:** November 20, 2005, 09:26:00 PM »

Quote

I figured it would interfere with that stuff seeing as you said spyware doctor would but its on now

Oh ya, silly me
I looked back on your first log and seen it running

Stay safe c0vert7
You can go back and reenable SpywareDoctor's realtime protections too now
You can also go back and Hide hidden files and folders again
I would leave Hide Extensions for known file types unchecked however

TheTechGuide Forum

News:

Author Topic: Csrss.new.exe (again :D) (Read 1970 times)

c0vert7

Csrss.new.exe (again :D)

guestolo

Csrss.new.exe (again :D)

c0vert7

Csrss.new.exe (again :D)

guestolo

Csrss.new.exe (again :D)

c0vert7

Csrss.new.exe (again :D)

guestolo

Csrss.new.exe (again :D)

c0vert7

Csrss.new.exe (again :D)

guestolo

Csrss.new.exe (again :D)

c0vert7

Csrss.new.exe (again :D)

guestolo

Csrss.new.exe (again :D)

c0vert7

Csrss.new.exe (again :D)

guestolo

Csrss.new.exe (again :D)