[dalloway]

hello all.

i've spent today wrestling with a trojan, which isn't nearly as exciting as it sounds. google throws up the relevant geekstogo threads when one googles for 'csrss trojan' so i've taken steps to cleaning my system, but to no avail. i thought i'd post a hijack this log and see if there's anything obvious i'm missing. time and again i've removed a lot of stuff - the main offenders, files like mservice, iau, msqdevl seem to keep popping up. my display has reverted to 'classic style' windows in the last hour or two and my internet's slowed down. i can keep going into safe mode all day long but it doesn't seem to do much. anyway, here's my probably quite compact hijack this log. any help gratefully appreciated; i'm moving house on thursday and am stressed enough without this ... if i get it fixed i might start a celebratory sub-topic about where i can find the person responsible for creating this ..!!

i'm also having problems with 'spysheriff' and my keyboard, but to get internet and desktop sorted first would be a good start. various fixes and restores have disabled/re-enabled programs like ie and windows file search, so i'm still trying to get the balance right. as a possible final solution, would a windows reinstall resolve these problems?

thanks a lot folks ... mark.


Logfile of HijackThis v1.99.1
Scan saved at 13:27:02, on 29/06/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

C:\Program Files\Sitecom\IFR_Share.exe

C:\WINDOWS\System32\dhcpclient.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\msmsngr.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\osk.exe

C:\WINDOWS\system32\MSSWCHX.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\My Downloads\hijackthis\HijackThis.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80

O2 - BHO: RedirectPage Class - {DC8240DF-E60D-4193-B984-5111847DC7E6} - C:\PROGRA~1\WEBLOO~1\WEBLOO~1.DLL (file missing)

O4 - HKLM\..\Run: [atiptext] C:\WINDOWS\System32\atiptext.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe

O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{E01D5986-8E07-4280-AD5F-19FEC0E66C79}: NameServer = 62.241.162.200 158.43.240.3

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe

O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

[Advertisements]

Hi dalloway

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html Update the program then run it.

Download Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
C:\WINDOWS\System32\msmsngr.exe
C:\WINDOWS\system32\MSSWCHX.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: RedirectPage Class - {DC8240DF-E60D-4193-B984-5111847DC7E6} - C:\PROGRA~1\WEBLOO~1\WEBLOO~1.DLL (file missing)
O4 - HKLM\..\Run: [atiptext] C:\WINDOWS\System32\atiptext.exe
O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\System32\msmsngr.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\System32\atiptext.exe
C:\WINDOWS\system32\svcnut32.exe home
Let the system reboot.

The next step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted the system will log off to let it clean out the remaining files. when the log screen shows log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc

[dalloway]

apologies for brevity of this response but i'm laboriously typing on a 'virtual keyboard' - both my physical and onscreen ones have siezed up. firstly, thanks ever so for the swift and comprehensive response; i am amazed at the kindness, expertise and dedication of those that reply.

my keyboard troubles - no f8 - meant that entering safe mode was impossible. excluding the final installations of sp1 etc, i have followed the instructions to little avail; a new set of processes, ad programs etc fill my task manager, and a more minor frustration, my win-98 styled desktop still stays as it is, my background/display/theme properties limited.

log-

Logfile of HijackThis v1.99.1
Scan saved at 18:52:51, on 29/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Sitecom\IFR_Share.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll (file missing)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

[dalloway]

ah, that's terrific, thanks Kc, it's much nicer now. unfortunately, i'm still without the xp style taskbars and such, and i gather that the windows cd is needed to restore them; mine's hundreds of miles away but i'll have to get it posted when i can.

thanks again. any tips on restoring my onscreen keyboard? that and notepad were casualties in my repair efforts, neither will open.

[dalloway]

great stuff, that's that sorted .. notepad up and running.

i wondered if it might be another of those downloadable files that was infected, but i guess not. i wish it would all go away, it's the last thing i need right now.

[dalloway]

hmm, sorry to ask a daft question, but three copies of what? i've resolved the notepad issue. i'm waiting for someone to tell me otherwise, but, as long as csrss is visible in task manager, i'm in trouble, right?

[dalloway]

right, thankyou for that- osk x3 were casualties of my clumsy attempts at fixing things, i think. as soon as i can find a way around the restrictions of sending attachments, or when i can find someone who'll zip it for me, i;ll have osk up and running.

the xp-theme aside, the main problems i'm having at the moment are rogue installations of ad programs amd general slowness. popups are gone but ie's crashing all the time, the internet failing while still apparently connected, and things like filesearch have stopped working. any help appreciated.