Don't Know What to Do! I'm Stumped

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by And1mixtape88, Dec 14, 2004.

  1. And1mixtape88

    And1mixtape88 Private E-2

    I've followed the steps and still cannot lose this pestering adware/trojan; I think it's the ISTbar or something of that nature. Can anyone at all help me? I do not know what to do anymore, and I figure one of the great people at this forum can help me out.
     
  2. spacedustM

    spacedustM Private E-2

    Which steps? Was it the thread "Read this before" by Major Attitude, or the one "How to protect yourself from malware"? It seems to me I had ISTbar as well, but after following the steps in the Read sticky it is gone. I'll go double check and post back if I find it.
     
  3. spacedustM

    spacedustM Private E-2

    I checked back on my information and it seems that the ISTbar trojan/spyware was destroyed after using the McAfee AVERT Stinger and About:Buster. You might jump ahead to those steps, but if you do end up taking a look at my thread "Where to begin" you'll notice I didn't make much headway until the steps were accomplished in order. Breaking off to do About:Buster may make a world of difference, but I'm definitely not an expert. (Had some unwilling programs for some reason, so we skipped around a bit.)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have followed ALL the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > and you still have a problem, you should read the tutorial in this Sticky thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting.

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
     
  5. And1mixtape88

    And1mixtape88 Private E-2

    Here's my logfile. I really hope you guys can help me out. I hope I did this right; if not, let me know.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi And1mixtape88,

    You have an absolute BOATLOAD of Worms and Trojans!
    I would strongly suggest dumping ARES – It only invites more headaches.
    Also, the next time you scan with HijackThis, please make sure that there is no IE or Windows Command Prompt running as you had before. They can interfere with the fix.

    NOW:
    Please look in Add or Remove Programs for the following and Uninstall it:

    Ares

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    ndis.exe
    nvsc32.exe
    lass32.exe
    winlogin.exe
    msa.exe
    axqvdu.exe
    Ares.exe
    istsvc.exe


    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [NvCplScan] nvsc32.exe
    O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe
    O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
    O4 - HKLM\..\Run: [Windows Media Player] msa.exe
    O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
    O4 - HKLM\..\Run: [PUBS] C:\WINDOWS\axqvdu.exe
    O4 - HKLM\..\Run: [Windows Compliant] uogjvq.exe
    O4 - HKLM\..\Run: [Starting up] wvsvc.exe
    O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\Run: [NDIS Adapter] ndis.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [NvCplScan] nvsc32.exe
    O4 - HKLM\..\RunServices: [MSN Messenge] winlogin.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
    O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
    O4 - HKLM\..\RunServices: [Windows Compliant] uogjvq.exe
    O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\RunServices: [NDIS Adapter] ndis.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] nvsc32.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysds] lass32.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\RunOnce: [NDIS Adapter] ndis.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [NvCplScan] nvsc32.exe
    O4 - HKCU\..\Run: [Microsoftvirus] sysoverload.exe
    O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
    O4 - HKCU\..\Run: [MSN Messenge] winlogin.exe
    O4 - HKCU\..\Run: [Starting up] wvsvc.exe
    O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe
    O4 - HKCU\..\Run: [Windows Media Player] msa.exe
    O4 - HKCU\..\RunServices: [MSN Messenge] winlogin.exe
    O4 - HKCU\..\RunOnce: [Microsoftkeysds] lass32.exe
    O4 - HKCU\..\RunOnce: [NDIS Adapter] ndis.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] nvsc32.exe
    O23 - Service: ZESOFT - Unknown - C:\WIN


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode and navigate to and DELETE the following if they should remain. Note the spellings CAREFULLY so that you do not remove a legitimate file:

    C:\WINDOWS\System32\ndis.exe
    C:\WINDOWS\System32\nvsc32.exe
    uogjvq.exe --> Use Windows Explorer to search for this one
    C:\WINDOWS\System32\lass32.exe
    C:\WINDOWS\System32\winlogin.exe
    C:\WINDOWS\System32\msa.exe
    wvsvc.exe --> Use Windows Explorer to search for this one
    mssupdate.exe --> Use Windows Explorer to search for this one
    C:\WINDOWS\axqvdu.exe
    C:\Program Files\Ares ---> The Folder
    systemwin32s.exe --> Use Windows Explorer to search for this one
    C:\Program Files\ISTsvc ---> The Folder
    sysoverload.exe --> Use Windows Explorer to search for this one

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. Chaslang or I will try to check back when time permits.

    Best luck :)
    PP
     
  7. And1mixtape88

    And1mixtape88 Private E-2

    REALLY APPRECIATE this, PhilliePhan. I had no troubles with the instructions. Here is the new logfile.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Happy to help :)

    You still have a few remnants and a few new entries. Please follow the same procedure as my previous instructions and have HJT FIX the following:

    O4 - HKLM\..\Run: [cyg updates] cygcfg32.exe

    O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe

    O4 - HKLM\..\Run: [start uploading] crsss.exe

    O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe

    O4 - HKLM\..\RunServices: [NDIS Adapter] ndis.exe

    O4 - HKLM\..\RunServices: [cyg updates] cygcfg32.exe

    O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe

    O4 - HKLM\..\RunServices: [start uploading] crsss.exe

    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe

    O4 - HKLM\..\RunOnce: [cyg updates] cygcfg32.exe

    O4 - HKCU\..\Run: [cyg updates] cygcfg32.exe

    O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe

    O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe

    O4 - HKCU\..\RunOnce: [cyg updates] cygcfg32.exe

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)


    Make sure ALL Browser Windows are Closed when you FIX.

    Then, boot to Safe Mode and find and Delete the following:

    C:\WINDOWS\System32\ndis.exe
    C:\WINDOWS\System32\cygcfg32.exe
    systemwin32s.exe --> You'll have to track this one down
    C:\WINDOWS\System32\mssupdate.exe
    mssupdate.exe --> You'll have to track this one down

    crsss.exe ----> NOTE: When you search for this one, Do not confuse it with the legitimate CSRSS


    Next, you should revisit these steps:

    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    I am going to crash, so I'll have to check back Thursday night. Chas may look in sooner.

    PP :)
     
    Last edited by a moderator: Dec 16, 2004
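    As an added example (not from the thread, nor from HijackThis), a small Python triage of HJT O4 lines that flags the two patterns the instructions above rely on: bare file names with no path that have to be tracked down, and names that differ from a legitimate Windows process by an edit or two (crsss vs csrss, winlogin vs winlogon). The LEGIT_NAMES list and the 5-character stem cut-off are assumptions of this example.

```python
import re

# Legitimate Windows process names that the look-alike names in this thread
# (crsss.exe, winlogin.exe, lass32.exe) were chosen to resemble (assumed list).
LEGIT_NAMES = ("csrss.exe", "lsass.exe", "winlogon.exe", "svchost.exe",
               "services.exe", "smss.exe", "explorer.exe")

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def levenshtein(a, b):
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_name(cmd):
    # Basename of the executable in a Run-key command, quotes and arguments removed.
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()

def triage_o4(line):
    """Describe one HJT O4 line; returns None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, value_name, cmd = m.groups()
    exe = exe_name(cmd)
    findings = []
    # A bare file name gives no location: Windows resolves it through the search
    # path at logon, which is why the thread says to "track this one down".
    if "\\" not in cmd:
        findings.append("no path: bare file name")
    stem = exe[:-4] if exe.endswith(".exe") else exe
    for legit in LEGIT_NAMES:
        # Stems shorter than 5 chars give spurious near-matches (assumed cut-off).
        if exe != legit and len(stem) >= 5 and levenshtein(exe, legit) <= 2:
            findings.append(f"look-alike of {legit}")
    return {"key": f"{hive}\\{key}", "value_name": value_name, "exe": exe,
            "findings": findings}

if __name__ == "__main__":
    # Constructed sample: three entries copied from the thread's fix lists.
    for entry in (r"O4 - HKLM\..\Run: [start uploading] crsss.exe",
                  r"O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe",
                  r'O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h'):
        print(triage_o4(entry))
```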
  9. And1mixtape88

    And1mixtape88 Private E-2

    I wasn't able to find the crsss file. Here's the new logfile. My computer definitely is better, but still not running up to par.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have new problems popping up. Like Windows ControlAd. Were you surfing around anywhere?

    Was notepad (C:\WINDOWS\system32\NOTEPAD.EXE) running because you had it open? Malware sometimes does this. That is why we ask you to shut everything down, so we don't have to guess.

    Please download the following tool: Pocket KillBox Don't run it yet, just unzip it to where you can find it later.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\crsss.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
    O4 - HKLM\..\Run: [Windows Compliant] udfuyg.exe
    O4 - HKLM\..\Run: [start uploading] crsss.exe
    O4 - HKLM\..\RunServices: [Windows Compliant] udfuyg.exe
    O4 - HKLM\..\RunServices: [start uploading] crsss.exe

    Run Pocket Killbox and choose the Delete on Reboot option. Enter the following into the box for Full Path of File to Delete C:\WINDOWS\System32\crsss.exe
    Select the Delete on Reboot button.
    and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, use Windows Explorer to navigate to C:\WINDOWS\system32 and make sure the crsss.exe file is gone.

    Now post a new HJT log and let us know if you had any problems doing these steps.
     
  11. And1mixtape88

    And1mixtape88 Private E-2

    You guys are the greatest, once again I really appreciate you helping me out. This was really killing me. Here is the new logfile.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You have some problems that keep reoccurring, like that trojan that pretends to be Windows Media Player. Are you doing any surfing or running any particular programs in between fixing here? Something is strange about this reoccurring. Have you installed SpyBot and used its Immunize feature? It also does not look like the full READ ME FIRST was ever completed; I see no traces of the online scanners being run. You should do those scans because you may have a hidden virus/trojan somewhere. I also do not see traces of SpyBot being installed. Install it, Immunize, and use the SDHelper function but not the TeaTimer. (These are found from the Mode, Advanced Mode, Tools, Resident selection.)

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\msa.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Windows Media Player] msa.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
    O4 - HKCU\..\Run: [Windows Media Player] msa.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\msa.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    If you have a problem deleting that file, use Pocket Killbox to do it on reboot like in my last message.
     
