Malware Removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.
#1
I've followed the steps and still cannot lose this pestering adware/trojan; I think it's the ISTbar or something of that nature. Can anyone at all help me? I do not know what to do anymore, and I figure one of the great people at this forum can help me out.
#2
Which steps? Was it the thread "Read this before" by major attitude, or the one "How to protect yourself from malware"? It seems to me I had ISTbar as well, but after following the steps in the Read sticky it is gone. I'll go double check and post back if I find it.
__________________
The most potent words of wisdom are those that are internalized.
#3
I checked back on my information and it seems that the ISTbar trojan/spyware was destroyed after using the McAfee Avert Stinger and about:buster. You might jump ahead to those steps, but if you do end up taking a look at my thread "Where to begin" you'll notice I didn't make much headway until the steps were accomplished in order. Breaking off to do about:buster may make a world of difference, but I'm definitely not an expert. (Had some unwilling programs for some reason, so we skipped around a bit.)
#4
If you have followed ALL the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > and you still have a problem, you should read the tutorial in this Sticky thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis! Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT. Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't." Support Majorgeeks on Facebook: Majorgeeks Newsletter
#5
Here's my logfile. I really hope you guys can help me out. I hope I did this right; if not, let me know.
#6
Hi And1mixtape88,

You have an absolute BOATLOAD of Worms and Trojans! I would strongly suggest dumping ARES – It only invites more headaches. Also, the next time you scan with HijackThis, please make sure that there is no IE or Windows Command Prompt running as you had before. They can interfere with the fix.

NOW: Please look in Add or Remove Programs for the following and Uninstall it: Ares

Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:
ndis.exe
nvsc32.exe
lass32.exe
winlogin.exe
msa.exe
axqvdu.exe
Ares.exe
istsvc.exe

Now scan with HijackThis and Check the Boxes for the following:
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplScan] nvsc32.exe
O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe
O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\Run: [PUBS] C:\WINDOWS\axqvdu.exe
O4 - HKLM\..\Run: [Windows Compliant] uogjvq.exe
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\Run: [NDIS Adapter] ndis.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [NvCplScan] nvsc32.exe
O4 - HKLM\..\RunServices: [MSN Messenge] winlogin.exe
O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [Windows Compliant] uogjvq.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] ndis.exe
O4 - HKLM\..\RunOnce: [NvCplScan] nvsc32.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunOnce: [NDIS Adapter] ndis.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NvCplScan] nvsc32.exe
O4 - HKCU\..\Run: [Microsoftvirus] sysoverload.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\Run: [MSN Messenge] winlogin.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\RunServices: [MSN Messenge] winlogin.exe
O4 - HKCU\..\RunOnce: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\RunOnce: [NDIS Adapter] ndis.exe
O4 - HKCU\..\RunOnce: [NvCplScan] nvsc32.exe
O23 - Service: ZESOFT - Unknown - C:\WIN

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW: Please boot into Safe Mode and navigate to and DELETE the following if they should remain. Note the spellings CAREFULLY so that you do not remove a legitimate file:
C:\WINDOWS\System32\ndis.exe
C:\WINDOWS\System32\nvsc32.exe
uogjvq.exe --> Use Windows Explorer to search for this one
C:\WINDOWS\System32\lass32.exe
C:\WINDOWS\System32\winlogin.exe
C:\WINDOWS\System32\msa.exe
wvsvc.exe --> Use Windows Explorer to search for this one
mssupdate.exe --> Use Windows Explorer to search for this one
C:\WINDOWS\axqvdu.exe
C:\Program Files\Ares ---> The Folder
systemwin32s.exe --> Use Windows Explorer to search for this one
C:\Program Files\ISTsvc ---> The Folder
sysoverload.exe --> Use Windows Explorer to search for this one

NEXT: Run CCleaner and Spybot S&D and have Spybot fix what it finds. Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log.

Let me know of any problems you may have encountered with the above instructions and how your computer is running now. Chaslang or I will try to check back when time permits. Best luck PP
#7
Really appreciate this, PhilliePhan. I had no troubles with the instructions. Here is the new logfile.
#8
You still have a few remnants and a few new entries. Please follow the same procedure as my previous instructions and have HJT FIX the following:
O4 - HKLM\..\Run: [cyg updates] cygcfg32.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\Run: [start uploading] crsss.exe
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] ndis.exe
O4 - HKLM\..\RunServices: [cyg updates] cygcfg32.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [start uploading] crsss.exe
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunOnce: [cyg updates] cygcfg32.exe
O4 - HKCU\..\Run: [cyg updates] cygcfg32.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunOnce: [cyg updates] cygcfg32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Make sure ALL Browser Windows are Closed when you FIX.

Then, boot to Safe Mode and find and Delete the following:
C:\WINDOWS\System32\ndis.exe
C:\WINDOWS\System32\cygcfg32.exe
systemwin32s.exe --> You'll have to track this one down
C:\WINDOWS\System32\mssupdate.exe
mssupdate.exe --> You'll have to track this one down
crsss.exe ----> NOTE: When you search for this one, Do not confuse it with the legitimate CSRSS

Next, you should revisit these steps: Run CCleaner and Spybot S&D and have Spybot fix what it finds. Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin
And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log.

Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I am going to crash, so I'll have to check back Thursday night. Chas may look in sooner. PP

Last edited by PhilliePhan; 12-16-04 at 00:37.
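The look-alike process names the helpers keep warning about (crsss.exe vs. the real csrss.exe, winlogin.exe vs. winlogon.exe) are easy to miss by eye. As an added example, not from this thread or from HijackThis, the script below parses O4 autostart lines of the kind quoted in these posts, pulls out the executable, and flags names that are near-misses of legitimate Windows processes or that are bare file names with no path. The reference list of legitimate names and the sample log lines are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Assumed reference list of legitimate Windows process names that this thread's malware imitates.
LEGIT_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "svchost.exe", "smss.exe"}
# One HijackThis O4 line looks like:  O4 - HKLM\..\Run: [label] command
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Services|Once)?): "
                   r"\[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

def executable_name(cmd):
    """Lower-cased file name of the program a Run-key command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        path = cmd[1:cmd.find('"', 1)]   # quoted path, arguments may follow
    else:
        path = cmd.split()[0]            # bare name or unquoted path
    return path.rsplit("\\", 1)[-1].lower()

def lookalike_of(name, threshold=0.8):
    """Closest legitimate name when 'name' is a near-miss of it, else None."""
    if name in LEGIT_NAMES:
        return None
    score = lambda legit: SequenceMatcher(None, name, legit).ratio()
    best = max(LEGIT_NAMES, key=score)
    return best if score(best) >= threshold else None

def triage_o4(lines):
    """Parse O4 lines; return (hive, key, label, exe, reasons) per entry."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue                      # not an O4 autostart entry
        exe = executable_name(m["cmd"])
        reasons = []
        twin = lookalike_of(exe)
        if twin:
            reasons.append(f"name mimics {twin}")
        if "\\" not in m["cmd"]:          # bare name: found by path search, so
            reasons.append("bare file name, no path")  # check where it lives
        findings.append((m["hive"], m["key"], m["label"], exe, reasons))
    return findings

# Constructed sample: entries of the kind quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [start uploading] crsss.exe
O4 - HKLM\\..\\Run: [MSN Messenge] winlogin.exe
O4 - HKCU\\..\\Run: [ares] "C:\\Program Files\\Ares\\Ares.exe" -h
O4 - HKLM\\..\\Run: [PUBS] C:\\WINDOWS\\axqvdu.exe
""".splitlines()
```

Run `triage_o4(SAMPLE_LOG)` to get one tuple per entry; the first two come back flagged as mimics of csrss.exe and winlogon.exe, while the Ares and axqvdu entries carry no automatic flag and still need a manual look.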
#9
I wasn't able to find the crsss file. Here's the new logfile. My computer definitely is better, but still not running up to par.
#10
You have new problems popping up, like Windows ControlAd. Were you surfing around anywhere?

Was notepad (C:\WINDOWS\system32\NOTEPAD.EXE) running because you had it open? Malware sometimes does this. That is why we ask to shut everything down, so we don't have to guess.

Please download the following tool: Pocket KillBox. Don't run it yet, just unzip it to where you can find it later.

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
C:\WINDOWS\System32\crsss.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [Windows Compliant] udfuyg.exe
O4 - HKLM\..\Run: [start uploading] crsss.exe
O4 - HKLM\..\RunServices: [Windows Compliant] udfuyg.exe
O4 - HKLM\..\RunServices: [start uploading] crsss.exe

Run Pocket Killbox and choose the Delete on Reboot option. Enter the following into the box for Full Path of File to Delete:
C:\WINDOWS\System32\crsss.exe
Select the Delete on Reboot button, press the Delete button (red X), and then Yes or OK until your machine reboots. After your machine reboots, use Windows Explorer to navigate to C:\WINDOWS\system32 and make sure the crsss.exe file is gone.

Now post a new HJT log and let us know if you had any problems doing these steps.
#11
You guys are the greatest; once again, I really appreciate you helping me out. This was really killing me. Here is the new logfile.
#12
You're welcome.
You have some problems that keep reoccurring, like that trojan that pretends to be Windows Media Player. Are you doing any surfing or running any particular programs in between fixing here? It is strange that this keeps reoccurring. Have you installed SpyBot and used its Immunize feature? It also does not look like the full READ ME FIRST was ever completed; I see no traces of the online scanners being run. You should do those scans because you may have a hidden virus/trojan somewhere. I also do not see traces of SpyBot being installed. Install it, Immunize, use the SDhelper function but not the Teatimer. (These are found from the Mode, Advanced Mode, Tools, Resident selection.)

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
C:\WINDOWS\System32\msa.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\msa.exe

Now reboot in normal mode and post a new HJT log, and tell us how things are working. If you have a problem deleting that file, use Pocket Killbox to do it on reboot like in my last message.