# computer restarts randomly, hjt log



## palmmann (Sep 23, 2006)

i have run ewido, SUPERAntiSpyware and CCleaner in safe mode, but no dice on fixing my problem. any help please? here's the HijackThis log (from safe mode, as i can't run it in normal because it restarts before i can):

Logfile of HijackThis v1.99.1
Scan saved at 2:49:09 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundtownkc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;;localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - K:\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - K:\PartyPokerNet\RunPF.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124666844875
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_m8.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WASHData - C:\WINDOWS\system32\jt6m07j1e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Freenet 0.7 darknet (freenet-darknet) - Unknown owner - C:\Program Files\freenet\bin\wrapper-windows-x86-32.exe" -s ../wrapper.conf (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## soccerdude (Sep 23, 2006)

Try running Ad-Aware, Spybot Search and Destroy and also Spyware Terminator. If those don't fix your problem, post back.


----------



## PC eye (Sep 23, 2006)

How often do you see the systems restarts? Are you running particular at that time? Generally spywares, adwares, and other malwares don't see sudden restarts. If you are having a temp or supply problem you would be looking at hardware not software.


----------



## Arm_Pit (Sep 23, 2006)

[Content Removed]


----------



## palmmann (Sep 24, 2006)

PC eye said:


> How often do you see the systems restarts? Are you running particular at that time? Generally spywares, adwares, and other malwares don't see sudden restarts. If you are having a temp or supply problem you would be looking at hardware not software.





> download Memtest86+ and run it overnight imo, ram will cause this often.



it's not overheating and i know it's software because safe mode runs fine. i've run SpeedFan, and my temps are around 40°C in safe mode, except a bad reading of 123° (it's always been bad).

thanks soccerdude, i'll run those and post back when they're done.


it restarts a couple minutes after it boots into normal mode


----------



## PC eye (Sep 24, 2006)

Have you tried anything like AVG, Avast, or Antivir? How old is the board? If it is a new board you have to get a bios update. On boards that have been in use for a few years an update or even a battery are the usual things to look at. The idea here is to first rule out any hardware problem.


----------



## palmmann (Sep 24, 2006)

ok ok... i gotcha. i've run avast with it finding barely anything, but no AVG or Antivir. no clue on the age of the board, but a bios update is pretty much out since this is in an eMachines computer, not my old sig rig. just in case it matters, i got the comp about 1.5-2 years ago, it's an athlon 64 3200+ with 512 megs of ram, 128 being taken by the radeon 200 express. would it be worth the wait to take the comp back to best buy? it's under a 3 year warranty, so i can't take it apart.

EDIT
btw, i've run Ad-Aware and Spybot, Terminator is running now. Ad-Aware found nothing, and Spybot found 83 things, 3 of which will be fixed when i next restart.


----------



## PC eye (Sep 24, 2006)

If you are under a warranty you could see if they could determine the problem for you and not void anything on it. They would probably get the bios updated for you at the same time. The support staff usually has to provide you with a link for anything like that unlike Dell or HP with updates, drivers, and other items readily available online.


----------



## edifier (Sep 24, 2006)

He has a trojan infection.


----------



## palmmann (Sep 24, 2006)

PC eye said:


> If you are under a warranty you could see if they could determine the problem for you and not void anything on it. They would probably get the bios updated for you at the same time. The support staff usually has to provide you with a link for anything like that unlike Dell or HP with updates, drivers, and other items readily available online.



i'll take it in in a day or two i guess, i was just hoping that it was something that i could fix so i didn't have to.



> He has a trojan infection.



interesting, not trying to say anything mean or sarcastic, but may i have more info, like maybe how to get rid of it or something?


----------



## edifier (Sep 24, 2006)

Go to 'Control Panel/Folder Options/View' and check 'Show hidden files and folders'. While there, UNCHECK 'Hide protected operating system files (recommended)'. Click Apply and Okay.

Run HijackThis and put a check by the following entries, close all open windows and browsers except HijackThis and click 'Fix Checked'.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundtownkc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;;localhost
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - K:\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - K:\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bej...ploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_m8.dll
O20 - Winlogon Notify: WASHData - C:\WINDOWS\system32\jt6m07j1e.dll (file missing)
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)

Open HijackThis. Select 'Misc Tools/Delete a File on Reboot'.

Navigate to the following.

C:\WINDOWS\system32\tmp_m8.dll
C:\WINDOWS\system32\jt6m07j1e.dll 
C:\WINDOWS\csrss.exe

Do them one at a time. Click Open. Okay.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Decline the reboot until after you have completed the 3rd one. Then click Yes/OK.
Your system must reboot now.

Once back in windows, reboot into safemode and run the Ewido scan again.

Run CCleaner from safemode.

Reboot into normal windows and post a fresh 'HJT' log.


----------



## palmmann (Sep 24, 2006)

edifier said:


> Go to 'Control Panel/Folder Options/View' and check 'Show hidden files and folders'. While there, UNCHECK 'Hide protected operating system files (recommended)'. Click Apply and Okay.


i had done that previously for other reasons.


			
				edifier said:
			
		

> Run HijackThis and put a check by the following entries, close all open windows and browsers except HijackThis and click 'Fix Checked'.
> 
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundtownkc.com/
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
> ...


i love you. in a thank you oh so much way, not a homosexual way. 

if you're still on: should i stop the avast scan that's been going on for the past like 5-8 hours? it hasn't found anything. it's on like 150000 and i have over 200000


----------



## edifier (Sep 24, 2006)

Yeh, stop it. We'll use some other scans if necessary.


----------



## palmmann (Sep 24, 2006)

okey dokey. stopped and did the fixes. maybe it was what i ran after i did the hjt log, but none of the three things you said to do a delete after restart were there. it still restarts

i'll run ewido and cc cleaner and post a log in however long that takes.


----------



## edifier (Sep 24, 2006)

Please post the Ewido log also.

Once you've posted the Ewido and HJT log, immediately proceed here and run this free online diagnostic scan from 'Kaspersky': http://kaspersky.com/kos/english/kavwebscan.html
Click Accept.
When the updates are finished downloading, click Next, then Scan Settings.
Under 'Scan using the following antivirus database:', select Extended.
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK.
To save time, click Folder, then C drive only, and wait for the scan to finish.
Click Save Report As. Under 'Save as type:', select Text file. Save this log to your Desktop. Post a copy of it here.


----------



## PC eye (Sep 24, 2006)

5-8 hrs. is too long for any antivirus or antispyware program to be running. If something isn't found in the first 5 minutes it's time to run something else. A trojan downloader will often be found right at the root of C with an "exe" file extension on it. That loads along with the system without need for anything in the system registry. The following leave a doorway open for a number of things.

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

If you want to give AVG a run you can download it free at http://free.grisoft.com/doc/2/lng/us/tpl/v5. If it detects anything it will point out where it's located for manual removal. A trojan usually tries to log onto some site to see more things downloaded, while a virus or similar malware is there to trash everything, especially Windows.


----------



## palmmann (Sep 24, 2006)

thanks PC eye, got rid of those 5, i don't use them anyway. new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:51 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;;localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124666844875
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Freenet 0.7 darknet (freenet-darknet) - Unknown owner - C:\Program Files\freenet\bin\wrapper-windows-x86-32.exe" -s ../wrapper.conf (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

and EWIDO LOG

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:	10:33:51 PM 9/23/2006

 + Scan result:	



:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

it says no action taken, but i saved the log before i deleted the cookies. i'll start kaspersky in a minute.


----------



## edifier (Sep 24, 2006)

This entry, which is from a trojan, is still present: O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)

Did you forget to remove it last time with 'HJT'?


----------



## PC eye (Sep 24, 2006)

Csrss.exe is the user mode portion of the Win32 subsystem. That's a system file that should be in the "C:\Windows\system32" subfolder and has to be running at all times. There's a virus that simulates that same file. The following link has information on that.
http://www.auditmypc.com/process/csrss.asp
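The two points made in this thread (edifier's list of load points to fix, and PC eye's note that a file named csrss.exe belongs only in system32) can be turned into a repeatable triage pass over a HijackThis log. This is an added example written for this page, not a tool from the thread or from HijackThis: the sample entries are copied from the logs posted above, while the checks, the SYSTEM32_ONLY name list and the reason strings are my own heuristics.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample: a handful of entries copied from the HijackThis logs
# posted earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_m8.dll
O20 - Winlogon Notify: WASHData - C:\WINDOWS\system32\jt6m07j1e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
"""

# Core Windows XP executables that live only in %SystemRoot%\system32.
# A file carrying one of these names anywhere else is a classic lookalike
# (my own list; PC eye's post covers the csrss.exe case).
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}

# First Windows path ending in a PE/driver extension; quotes are excluded so a
# quoted service path is captured without them.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)
# HijackThis section prefix (R0, F2, O4, O20, O23, ...).
SECTION_RE = re.compile(r'^(R\d|F\d|O\d+) - ')
WINDOWS_ROOT_RE = re.compile(r'[a-z]:\\(windows|winnt)')


def extract_path(entry: str):
    """Return the first file path in an entry, or None."""
    m = PATH_RE.search(entry)
    return m.group(1) if m else None


def analyse_entry(entry: str) -> List[str]:
    """Return the reasons an entry deserves review (empty list = nothing notable)."""
    reasons: List[str] = []
    m = SECTION_RE.match(entry)
    if not m:
        return reasons  # running-process lines and headers are not load points
    section = m.group(1)
    path = extract_path(entry)
    name = ntpath.basename(path).lower() if path else ""
    folder = ntpath.dirname(path).lower() if path else ""

    # 1. A core system executable's name used from the wrong folder.
    if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        reasons.append(f"system binary name '{name}' outside system32 ({folder})")

    # 2. Winlogon hook or service whose binary is gone: the load point survived
    #    a partial cleanup and should be removed so nothing can re-fill it.
    if "(file missing)" in entry and section in {"O20", "O23"}:
        reasons.append("load point references a missing file")

    # 3. AppInit_DLLs is loaded into every process that maps user32.dll;
    #    legitimate software rarely needs it, so any value is worth a look.
    if entry.startswith("O20 - AppInit_DLLs:") and path:
        reasons.append("AppInit_DLLs injection entry")

    # 4. A service with no vendor string whose binary sits directly in %SystemRoot%.
    if section == "O23" and "Unknown owner" in entry and WINDOWS_ROOT_RE.fullmatch(folder):
        reasons.append("unattributed service running from the Windows root")

    # 5. Downloaded ActiveX control (O16) with no class description.
    if section == "O16" and not re.search(r'\} \(.+?\) - ', entry):
        reasons.append("unnamed ActiveX download (DPF) entry")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run analyse_entry over every line and keep the lines with at least one reason."""
    results = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = analyse_entry(line)
        if reasons:
            results.append((line, reasons))
    return results


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Every hit is a prompt to check the file on disk before ticking it in 'Fix Checked', not a verdict: the avast Mail Scanner entry is flagged only because its file is missing, while the fake csrss service collects three reasons at once.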


----------



## palmmann (Sep 24, 2006)

edifier said:


> This entry, which is from a trojan, is still present: O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
> 
> Did you forget to remove it last time with 'HJT'?



i thought i did...

anyways, the kas log:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Sunday, September 24, 2006 1:18:52 AM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 24/09/2006
 Kaspersky Anti-Virus database records: 225991
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - Folders:
	C:\

Scan Statistics:
	Total number of scanned objects: 100667
	Number of viruses found: 14
	Number of infected objects: 54 / 0
	Number of suspicious objects: 2
	Duration of the scan process: 01:22:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\QuickTime\Installer.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip/backWeb-8876480.exe	Suspicious: Password-protected-EXE	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip	ZIP: suspicious - 1	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\cert8.db	Object is locked	skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\flashgot.log	Object is locked	skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\formhistory.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\history.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\key3.db	Object is locked	skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\parent.lock	Object is locked	skipped
C:\Documents and Settings\Owner\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\BSINSTALL.exe/WISE0024.BIN	Infected: not-a-virus:AdTool.Win32.WhenU.a	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\BSINSTALL.exe	WiseSFX: infected - 1	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\BSINSTALL.exe	WiseSFX Dropper: infected - 1	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617(2).exe/data0001.bin	Infected: not-a-virus:Client-IRC.Win32.mIRC.617	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617(2).exe	mIRC: infected - 1	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617.exe/data0001.bin	Infected: not-a-virus:Client-IRC.Win32.mIRC.617	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617.exe	mIRC: infected - 1	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\XBINS-TIRC.rar/Xbins.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.603	skipped
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\XBINS-TIRC.rar	RAR: infected - 1	skipped
C:\Documents and Settings\Owner\Desktop\palmm\Halo 2 LPE Beta v0.2.3.6\LPE\Compile Halo 2 LPE.exe/data.rar/Config/SHELL.EXE/1	Infected: not-a-virus:RiskTool.Win32.HideWindows	skipped
C:\Documents and Settings\Owner\Desktop\palmm\Halo 2 LPE Beta v0.2.3.6\LPE\Compile Halo 2 LPE.exe/data.rar/Config/SHELL.EXE	Infected: not-a-virus:RiskTool.Win32.HideWindows	skipped
C:\Documents and Settings\Owner\Desktop\palmm\Halo 2 LPE Beta v0.2.3.6\LPE\Compile Halo 2 LPE.exe/data.rar	Infected: not-a-virus:RiskTool.Win32.HideWindows	skipped
C:\Documents and Settings\Owner\Desktop\palmm\Halo 2 LPE Beta v0.2.3.6\LPE\Compile Halo 2 LPE.exe	RarSFX: infected - 3	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Apr 05).dbx/[From aw-confirm@ebay.com][Date Thu, 14 Apr 2005 06:12:12 -0700]/UNNAMED/text	Infected: Trojan-Spy.HTML.Bayfraud.ib	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Apr 05).dbx/[From aw-confirm@ebay.com][Date Thu, 14 Apr 2005 06:12:12 -0700]/UNNAMED	Infected: Trojan-Spy.HTML.Bayfraud.ib	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Apr 05).dbx/[From aw-confirm@ebay.com][Date Tue, 19 Apr 2005 05:00:13 -0700]/UNNAMED/text	Infected: Trojan-Spy.HTML.Bayfraud.ib	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Apr 05).dbx/[From aw-confirm@ebay.com][Date Tue, 19 Apr 2005 05:00:13 -0700]/UNNAMED	Infected: Trojan-Spy.HTML.Bayfraud.ib	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Apr 05).dbx	Mail MS Outlook 5: infected - 4	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Jun 05).dbx/[From "eBay Member: lbipper" <member@ebay.com>][Date Mon, 06 Jun 2005 10:19:54 -0700]/UNNAMED/text	Infected: Trojan-Spy.HTML.Bayfraud.ib	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Jun 05).dbx/[From "eBay Member: lbipper" <member@ebay.com>][Date Mon, 06 Jun 2005 10:19:54 -0700]/UNNAMED	Infected: Trojan-Spy.HTML.Bayfraud.ib	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Jun 05).dbx	Mail MS Outlook 5: infected - 2	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Mar 06).dbx/[From webform@paypal.com][Date Thu, 23 Mar 2006 16:58:14 -0600]/text	Infected: Trojan-Spy.HTML.Paylap.cf	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Mar 06).dbx/[From Member-Services-Team@eBay.com][Date Thu, 30 Mar 2006 12:59:56 -0500]/html	Infected: Trojan-Spy.HTML.Bayfraud.gw	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Ebay (Mar 06).dbx	Mail MS Outlook 5: infected - 2	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Palm Pilot.dbx/[From aw-confirm@ebay.com][Date Wed, 27 Apr 2005 15:05:36 -0700]/text	Infected: Trojan-Spy.HTML.Bayfraud.ib	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Palm Pilot.dbx	Mail MS Outlook 5: infected - 1	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\Cache\_CACHE_001_	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\Cache\_CACHE_002_	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\Cache\_CACHE_003_	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\pg2dg5ic.default\Cache\_CACHE_MAP_	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012006092320060924\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\a-squared Free\Quarantine\000dc6fca6f4f98a1a6acf0620659090.a2q/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/applyc3[1].gif/loadadv552.exe	Infected: Trojan-Downloader.Win32.Small.dnt	skipped
C:\Program Files\a-squared Free\Quarantine\000dc6fca6f4f98a1a6acf0620659090.a2q/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/applyc3[1].gif/mc-110-12-0000169.exe/stream/data0003	Infected: not-a-virus:AdWare.Win32.Agent.y	skipped
C:\Program Files\a-squared Free\Quarantine\000dc6fca6f4f98a1a6acf0620659090.a2q/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/applyc3[1].gif/mc-110-12-0000169.exe/stream/data0005	Infected: not-a-virus:AdWare.Win32.Softomate.q	skipped
C:\Program Files\a-squared Free\Quarantine\000dc6fca6f4f98a1a6acf0620659090.a2q/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/applyc3[1].gif/mc-110-12-0000169.exe/stream	Infected: not-a-virus:AdWare.Win32.Softomate.q	skipped
C:\Program Files\a-squared Free\Quarantine\000dc6fca6f4f98a1a6acf0620659090.a2q/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/applyc3[1].gif/mc-110-12-0000169.exe	Infected: not-a-virus:AdWare.Win32.Softomate.q	skipped
C:\Program Files\a-squared Free\Quarantine\000dc6fca6f4f98a1a6acf0620659090.a2q/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/applyc3[1].gif	Infected: not-a-virus:AdWare.Win32.Softomate.q	skipped
C:\Program Files\a-squared Free\Quarantine\000dc6fca6f4f98a1a6acf0620659090.a2q	ZIP: infected - 6	skipped
C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\setup.ilg	Object is locked	skipped
C:\Program Files\InstallShield Installation Information\{3CB41017-F5CA-4C56-934C-ED02156251E6}\Setup.ilg	Object is locked	skipped
C:\Program Files\InstallShield Installation Information\{8047B128-4F7D-4264-90F1-555A55E3F735}\Setup.ilg	Object is locked	skipped
C:\Program Files\InstallShield Installation Information\{E258A840-7E9A-443A-B156-67102C48BF17}\setup.ilg	Object is locked	skipped
C:\Program Files\palmOne\_Zirr72\HotSync.Log	Object is locked	skipped
C:\Program Files\SUPERAntiSpyware\Quarantine\Quarantine - 08-15-2006 - 13-21-03\{5A1A90B0-B97A-4AEA-A902-80F14D380A1A}/data0002	Infected: Trojan-Downloader.Win32.Small.ajc	skipped
C:\Program Files\SUPERAntiSpyware\Quarantine\Quarantine - 08-15-2006 - 13-21-03\{5A1A90B0-B97A-4AEA-A902-80F14D380A1A}/data0003	Infected: Trojan-Downloader.Win32.Small.ajc	skipped
C:\Program Files\SUPERAntiSpyware\Quarantine\Quarantine - 08-15-2006 - 13-21-03\{5A1A90B0-B97A-4AEA-A902-80F14D380A1A}	NSIS: infected - 2	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\usb007.exe/loadadv552.exe	Infected: Trojan-Downloader.Win32.Small.dnt	skipped
C:\usb007.exe/mc-110-12-0000169.exe/stream/data0003	Infected: not-a-virus:AdWare.Win32.Agent.y	skipped
C:\usb007.exe/mc-110-12-0000169.exe/stream/data0005	Infected: not-a-virus:AdWare.Win32.Softomate.q	skipped
C:\usb007.exe/mc-110-12-0000169.exe/stream	Infected: not-a-virus:AdWare.Win32.Softomate.q	skipped
C:\usb007.exe/mc-110-12-0000169.exe	Infected: not-a-virus:AdWare.Win32.Softomate.q	skipped
C:\usb007.exe	StarDust Installer: infected - 5	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt	Object is locked	skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\ACEEvent.evt	Object is locked	skipped
C:\WINDOWS\system32\config\Antivirus.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184438.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184442.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184447.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184450.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184453.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184456.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184500.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184502.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184504.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184506.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060923-184507.backup	Infected: P2P-Worm.BAT.Copybat.ap	skipped
C:\WINDOWS\system32\drivers\sptd.sys	Object is locked	skipped
C:\WINDOWS\system32\drivers\sptd7421.sys	Object is locked	skipped
C:\WINDOWS\system32\vmmdiag32.exe	Infected: Virus.Win32.Sality.n	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped

Scan process completed.
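The report above is the scanner's tab-separated output: one row per object, with the path, a status column ("Infected: <name>", "Object is locked", or an archive summary such as "ZIP: infected - 6") and the action taken ("skipped", since this was a report-only scan). A row whose path contains "/" is a member inside an archive or mail store, so the file that actually exists on disk is the part before the first "/". The parser below is an added example, not part of palmmann's post or of the Kaspersky tool; the sample rows are copied from the report, and the list of "already contained" locations (another tool's quarantine folder, Outlook Express mail stores whose hits are phishing message bodies) is my assumption about what to set aside first.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input constructed from rows of the scan report above, in the scanner's
# tab-separated "<path>\t<status>\t<action>" format. It is not the full report.
SAMPLE_LOG = """\
C:\\Documents and Settings\\Owner\\NTUSER.DAT\tObject is locked\tskipped
C:\\Program Files\\SUPERAntiSpyware\\Quarantine\\Quarantine - 08-15-2006 - 13-21-03\\{5A1A90B0-B97A-4AEA-A902-80F14D380A1A}/data0002\tInfected: Trojan-Downloader.Win32.Small.ajc\tskipped
C:\\Program Files\\SUPERAntiSpyware\\Quarantine\\Quarantine - 08-15-2006 - 13-21-03\\{5A1A90B0-B97A-4AEA-A902-80F14D380A1A}\tNSIS: infected - 2\tskipped
C:\\usb007.exe/loadadv552.exe\tInfected: Trojan-Downloader.Win32.Small.dnt\tskipped
C:\\usb007.exe\tStarDust Installer: infected - 5\tskipped
C:\\WINDOWS\\system32\\drivers\\etc\\hosts.20060923-184438.backup\tInfected: P2P-Worm.BAT.Copybat.ap\tskipped
C:\\WINDOWS\\system32\\vmmdiag32.exe\tInfected: Virus.Win32.Sality.n\tskipped
C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Identities\\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\\Microsoft\\Outlook Express\\Palm Pilot.dbx/[From aw-confirm@ebay.com][Date Wed, 27 Apr 2005 15:05:36 -0700]/text\tInfected: Trojan-Spy.HTML.Bayfraud.ib\tskipped

Scan process completed.
"""

# Assumed markers (mine, not the scanner's) for locations where a detection is
# already contained: another tool's quarantine, or a mail store where the hit is
# a phishing message body rather than code that can run.
CONTAINED_MARKERS = ("\\quarantine\\", "\\outlook express\\")


@dataclass
class Finding:
    path: str    # scanned object; "/" separates members inside an archive or mailbox
    status: str  # raw status column ("Infected: <name>", "Object is locked", ...)
    action: str  # raw action column ("skipped" for a report-only scan)

    @property
    def container(self) -> str:
        """The file that actually exists on disk (everything before the first '/')."""
        return self.path.split("/", 1)[0]

    @property
    def detection(self):
        """Detection name for 'Infected: ...' rows; None for locks and archive summaries."""
        m = re.match(r"Infected: (.+)$", self.status)
        return m.group(1) if m else None

    @property
    def is_locked(self) -> bool:
        return self.status == "Object is locked"


def parse_scan_log(text: str) -> list:
    """Return one Finding per tab-separated row; blank lines and the footer are skipped."""
    findings = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # blank line or "Scan process completed."
        findings.append(Finding(*parts))
    return findings


def triage(findings):
    """Map on-disk file -> set of detection names, split into live vs. contained."""
    live, contained = {}, {}
    for f in findings:
        if f.detection is None:
            continue
        c = f.container
        bucket = contained if any(m in c.lower() for m in CONTAINED_MARKERS) else live
        bucket.setdefault(c, set()).add(f.detection)
    return live, contained


def detection_counts(findings) -> Counter:
    """How often each detection name appears (one row = one count)."""
    return Counter(f.detection for f in findings if f.detection)


def locked_count(findings) -> int:
    """Locked objects were not scanned at all; a rescan from safe mode covers them."""
    return sum(1 for f in findings if f.is_locked)


if __name__ == "__main__":
    rows = parse_scan_log(SAMPLE_LOG)
    live, contained = triage(rows)
    print(f"{len(rows)} rows, {locked_count(rows)} locked (unscanned)")
    print("Live on disk, act on these:")
    for path, names in sorted(live.items()):
        print(f"  {path}  <-  {', '.join(sorted(names))}")
    print("Already contained or message bodies:")
    for path, names in sorted(contained.items()):
        print(f"  {path}  <-  {', '.join(sorted(names))}")
```

On the sample rows the live bucket comes out as C:\usb007.exe, the hosts backup and C:\WINDOWS\system32\vmmdiag32.exe, which is the same short list a hand read of the full report gives; the locked count is a reminder that registry hives, event logs and browser caches were never inspected, so the scan is incomplete until those are covered from safe mode or offline.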


----------



## SirKenin (Sep 24, 2006)

Ok.  Those spyware programs are not going to get rid of that trojan.  It is a mass mailer trojan and I'm not quite sure why it is being recommended that you try all those programs to get rid of it... 

Here is the tool you need, courtesy of Symantec:

http://securityresponse.symantec.com/avcenter/FxNetsky.exe

It is entirely possible that the rebooting is caused by the rogue code.  That makes the most sense.

Try this and see what happens.

EDIT:

In the future I recommend that you get rid of Norton completely, using their uninstall tool.  It is completely useless.  In its place install Avast! 4 Free Edition.  Then, only have two spyware programs running memory resident: Ewido and Microsoft Defender.  Defender is capable of stopping and killing processes that are "protected".  That should keep you quite well protected.


----------



## palmmann (Sep 24, 2006)

sirkenin - i don't have norton??? and i already have avast.

it just finished, and said that w32.netsky was not found on my computer. damn. any other ideas?

please say i don't have to pay $50 an hour... i'm broke

i'll get defender, and stop all the other stuff i have running all the time(but ewido).


----------



## SirKenin (Sep 24, 2006)

palmmann said:


> sirkenin - i don't have norton??? and i already have avast.
> 
> it just finished, and said that w32.netsky was not found on my computer. damn. any other ideas?
> 
> ...



rofl.  No, you don't have to pay me shit unless you email me and ask me for help (or add me to MSN, and then start asking me for stuff).  That has happened to me quite a few times already.  Is there anything wrong with adding me and saying "hi, how's it going?".  lol 

Ohhhhh.  Wait a second..  I just scrolled through the thread again and I missed a crucial piece of information...   You already removed that file..   When your log says "file missing" that means there is a registry entry there, but the file itself is gone.  That's why my tool didn't work.

I apologize for that.  Late night posting.  Man, I gotta stop doing that.

Well, still, to be on the safe side, run that Ewido to search for rogue code.  If Ewido doesn't get anything (which it probably will), then we can diagnose a hardware problem.

There are also a couple of virii that cause computers to randomly reboot; many of the issues are solved if you have your XP completely up to date with Windows Update.  Do you?

And don't worry,  I only charge according to income.  Let me see... What is 10% of 0?  lol 

I'll do some investigating for you when I get some time today.


----------



## palmmann (Sep 24, 2006)

thanks man. i've been trying to do windows update, but it stops after i download the updates and tells me they can't install. last few times i ran ewido all it found is cookies, so i don't think it'll find anything. i'll run it anyway, it only takes an hour or so.

EDIT

make an hour more like 10-15 minutes. it's done, all it found was 15 tracking cookies.


----------



## SirKenin (Sep 24, 2006)

Can't do Windows updates either?  Hmmmm.  Something is definitely fishy.

Windows Update should have given you an error message telling you why the updates wouldn't install.  Do you remember what it was, perchance?


----------



## SirKenin (Sep 24, 2006)

Ok.  For your Windows Update problem, try this:

http://djlizard.net/software/dial-a-fix

Also, I still question whether you have a virus.  I'm wracking my brain trying to think of which one it could be.

Try doing a scan with Panda.  Go to www.pandasoftware.com and look for the ActiveScan link.  If Panda doesn't find anything, then you know you don't have any virii....  That scan will find a flea at 100 paces.

Also, I recommend using Software Explorer to see if you can find anything running that shouldn't be.  You will find that in Windows Defender.


----------



## palmmann (Sep 24, 2006)

computer doesn't crash anymore, but windows update won't run, and neither will panda


----------



## SirKenin (Sep 24, 2006)

Ok.  One thing at a time.  Are you getting an error message with Windows Update?  If so, which one is it?

Let's start there.


----------



## edifier (Sep 25, 2006)

Can you run HJT and remove this entry again - O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)

Reboot and run HJT and let me know if it's still present.


----------



## palmmann (Sep 25, 2006)

from what i remember it said that the updates could not be installed. i'll try again and get it exact.

edifier-i'll do that in a minute.


----------



## SirKenin (Sep 25, 2006)

palmmann said:


> from what i remember it said that the updates could not be installed. i'll try again and get it exact.
> 
> edifier-i'll do that in a minute.



Ok, I need the exact message.

Don't worry about that entry too much for the time being.  It is an entry for a Netski virus that you used to have (you can look it up if you like, or I can provide you some links).  Look in your Windows directory and see if the file is there.  Make sure hidden files are shown.  If it's not there, don't worry about it at the moment.  I can tell you that it's not, though, because HJT reports that the file is gone.

Tell me what that error is and we can clean up your installer troubles.  Did you run the fix I gave you?  And if so have you tried since?


----------



## palmmann (Sep 25, 2006)

csrss.exe is no longer there

i have tried update since i have run the link you gave me, and still no dice. a pic of the error i get:




after that it just shows me the list of what i didn't install with info on each one


----------



## SirKenin (Sep 25, 2006)

You rebooted your computer before you tried to install them again, right?  Because if not it will give you that error message.

Leave it with me.  Right now I have the attention span of a ferret on meth, so it's a little hard for me to concentrate.


----------



## SirKenin (Sep 25, 2006)

Hai, in the meantime, just for your interest's sake, here's the info on the Netski virus:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-042814-2354-99&tabid=2


----------



## SirKenin (Sep 25, 2006)

Try these steps to get Windows Update working:

Click Start, and then click Run. 
In the Open box, type cmd, and then click OK. 
At the command prompt, type the following commands, one at a time:

regsvr32 /u softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll
regsvr32 /u slbcsp.dll
regsvr32 /u mssip32.dll
regsvr32 /u cryptdlg.dll

Click OK if you are prompted.

Restart your computer. 

Go back to your command prompt, type the following commands one at a time:

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 mssip32.dll
regsvr32 cryptdlg.dll

Reboot.

Go back to your command prompt and type the following:

net stop cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2 
net start cryptsvc

Reboot and try the updates again.


If that doesn't work, try this:

Go to your command prompt.

Type in:

proxycfg -u

Restart Windows

Run Windows Update again.

It could also be your ISP running an outdated version of Apache.

Thing is, it would be nice to know the precise error code.


----------



## edifier (Sep 25, 2006)

While you guys work on the update matter, I have seen references to malware that add entries to the registry along the lines of - Windows Updates/ DoNotAllowXPSP2.

Also the Hosts file has been tampered with. Do the following.

Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.

Another thing that seems to be forgotten is the 'Kaspersky' report which shows infections still present. Some minor, some more serious, including one in the System32 folder which seems to be able to manipulate the system to some degree. You should manually delete the following from safe mode. Let me know if any entries would not delete.

C:\usb007.exe (anything else there connected with this)
C:\WINDOWS\system32\vmmdiag32.exe 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\BSINSTALL.exe
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617(2).exe
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617.exe
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\XBINS-TIRC.rar
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\ (contents of this folder)
C:\Program Files\a-squared Free\Quarantine\ (contents of this folder)
C:\Program Files\SUPERAntiSpyware\Quarantine\ (contents of this folder)
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/ (contents of this folder)

Run ATF cleaner - Select all
Open it again. Select Firefox at the top and tick all boxes and run it.

Reboot into normal windows and if everything appears okay, flush system restore. 'Control Panel/ System/System Restore' and check the box 'Turn off system restore on all drives', click 'apply' and 'okay'. Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.

Let me know if any entries would not delete. If everything deleted, run another Kaspersky scan and post the scan log.
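Restoring the hosts file with Hoster is the right fix, but it helps to see what was in the file first, because the kind of entry present tells you what the malware was after: a non-localhost name mapped to 127.0.0.1 or 0.0.0.0 is a blackhole (update and antivirus sites are the usual targets, and a blackholed update host is one thing to check on a machine where Windows Update also fails), while a name mapped to an outside address is a redirect. The audit below is an added example, not part of edifier's post or of the Hoster tool; the sample hosts file is constructed (203.0.113.7 is from the documentation range, so it points at no real host), and the lists of legitimate loopback names and LAN ranges are my assumptions.

```python
import ipaddress

# Constructed sample hosts file (not the poster's): the default Windows XP
# loopback entry followed by three lines of the kind a hijacked hosts file carries.
# 203.0.113.7 is from the documentation range (TEST-NET-3), chosen so the sample
# never points at a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         www.example-av-vendor.invalid
203.0.113.7     www.example-bank.invalid   # constructed redirect target
this is not a hosts entry
"""

# Names that legitimately map to loopback (assumed list); any other name mapped to
# 127/8 or 0.0.0.0 is being deliberately blackholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Private ranges: an entry here is probably a hand-made LAN name, reported as info only.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (lineno, ip_or_None, names) per non-comment line; malformed lines get ip=None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            yield lineno, ipaddress.ip_address(fields[0]), fields[1:]
        except ValueError:
            yield lineno, None, fields          # first token is not an address


def audit_hosts(text):
    """Return (lineno, verdict, name) for every entry that is not a plain localhost mapping."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed", " ".join(names)))
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if ip.is_loopback or ip.is_unspecified:
                findings.append((lineno, "blackholed", name))
            elif any(ip in net for net in LAN_NETS):
                findings.append((lineno, "lan-entry", name))
            else:
                findings.append((lineno, "redirected", name))
    return findings


def audit_hosts_file(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Audit the live file; the default is the XP path the thread's scan report shows."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for lineno, verdict, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {verdict:10} {name}")
```

Run against the sample it reports two blackholed names, one redirect and one malformed line; run as `audit_hosts_file()` on the real machine it reads the live file, which on a clean XP install yields no findings at all, because the only entry is the localhost line. Lines that are not hosts syntax are worth reporting too: the scan report above flagged the hosts backups as a BAT worm, so content that is not address-name pairs is itself a sign the file was written by something other than the user.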


----------



## SirKenin (Sep 25, 2006)

Yeah, I'm not working on that one (obviously. lol)..  You take the Kaspersky and I'll try and get his updater working.. Dumb piece of junk.  So many people have problems with that Windows Update.


----------



## palmmann (Sep 26, 2006)

thanks for all the help guys, but i guess i have no options now. some guy from my isp (roadrunner) called and said that i have to disconnect my computer from the internet, and cannot reconnect until i reformat 

i'm typing this from my palm, he let me keep my router connected.


----------



## edifier (Sep 26, 2006)

Those are pretty harsh words! Is that what you're going to do?


----------



## palmmann (Sep 26, 2006)

edifier said:


> Those are pretty harsh words! Is that what you're going to do?


i don't think i have any other choice 

i guess so, i'm backing up right now.

THANKS FOR THE HELP!!!!!!!!!!!!!!!!!!!!!!

SIRKENIN AND EDIFIER ESPECIALLY!!!!!

i love you guys, thanks for the effort. i can't pay you, but you have my undying gratitude. if either of you has an xbox you want modded, send it to me and i'll mod it free. it's pretty much the only thing i can do for you that you might not be able to do...

thanks again,
palmmann


----------



## edifier (Sep 26, 2006)

I feel your system can be cleaned just fine but we would want to make sure by running another Kaspersky scan to verify it. You could explain this to them and ask for 1 hour of internet time to run the scan. But that's entirely up to you. I'll keep an eye on this thread just in case and good luck.


----------



## SirKenin (Sep 26, 2006)

You don't owe me anything, I do it for the enjoyment of doing it.  I wish I could be more help though.


----------

