adriss.exe

Welcome to Majorgeeks!

That's good because it is the last thing that we would want to see any way. You need to run the below steps for us to help you! Otherwise all we could suggest is that you use a program like PocketKillbox to delete the file at reboot. But this may or may not resolve your problems.


Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Just for your interest Adriss.exe is linked/related to this trojan Trojan.Crypt.F.Gen or another named Troj/Lager-O

But as Chaslang mentions, you'll need to not only run the guide but attach all the requested logs as well, so he can assist you in removing this once and for all, as many trojans not only have their own payload, but also download others to multi infect you, which is where all the logs come in.

 

Halo is correct about what the file you named may be, but if you did not spell the name correctly, it could also be:

Adirss.exe -->> Troj/Spamsrv-E backdoor Trojan

 

Yes you do! It is part of Windows!

Boot into safe mode an get three logs (as stated in the READ ME) if possible:

- GetRunKey
- ShowNew
- HijackThis

These are very fast logs to get. Let's see what they show. However if Bitdefender and Panda our showing so many files being infected, you may be in big trouble unless those files being found are not required for your PC or software to run.

 

You are not running GetRunKey and ShowNew properly as instructed in their download pages. You MUST extract ALL of the files from the ZIP file and you must run the .bat files from OUTSIDE of the ZIP as instructed.

Let's try fixing some stuff based only on your HJT log.

Make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2870acebe959fe7a9519/netzip/RdxIE601.cab

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\wservice.exe

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner.

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Sounds and looks like someone has been disabling and/or deleting necessary system services. Have you or anyone one else been hacking around doing things on your own? Please be honest as it may help to determine and fix your problems. I see two services (that are required Microsoft system services) in you HijackThis log that show as missing. There could be others and there could also be others that are not missing but that are just disabled.

I may have to refer you to the Software Forum since this is really not a malware issue, but let me see if we can get some other info first.

Download the attached psservice.zip file and extract the psservice.exe file to C:\
Make sure you extract it to where I said or the following procedure will not work.

After extracting the file click Start, Run and copy and paste the below text in the run box:

C:\psservice config > C:\servicelist.txt

and then click OK. This should run the psservice program which will dump a list of all services and their settings into the C:\servicelist.txt file. Upload this file here as an attachment.

Also do the following, click Start, Run and copy and paste the below text in the run box:

regedit /E C:\wow.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW"

and then click OK. This should run the regedit and dump the contents a the WOW registry key into a file named C:\wow.txt file. Upload this file here as an attachment. I want to see if the DisallowedPolicyDefault exists and is set to 1. This could be disabling NTVDM from running.

 

Sorry about that! It is attached here!

Get me those two logs as soon as you can.

Yes if you have your Windows XP boot CD and not just a silly recovery CD from a PC manufacturer. However doing a repair install reverts the PC back to the level of the CD. Thus any updates that may have already been downloaded and installed will be gone.

 

Click Start, RUn, and enter cmd and click OK. This will open a command prompt window. In this window type the below commands.

cd c:\
psservice config > C:\servicelist.txt


Does this work? If not, try just typing

psservice config

Do you see a lot of text scrolling up listing services?



Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

 

Does that mean you are not getting NTVDM errors anymore?

Can you get the new logs (GetRunKey & ShowNew) then?

 

You did not extract GetRunKey.bat and ShowNew.bat (and all the other files in the ZIP) from the ZIP files. You must follow the directions in the download links. I already said this previously!

 

But you must run the .bat files from outside of the ZIP. According to your GetRunKey log, you did not do that.

 

You don't need to download them again! That is not the problem. The problem is related to how the are run. Are you using Windows Explorer to locate the .bat files and are you double clicking on them from the Windows Explorer window to run them?

If you double click on the ZIP file you are going to run your ZIP file extractor which will show you the file list but you cannot run the .bat files from this window.

 

Here is a another way to try it which cannot be wrong as long as all files are extracted.

Click Start, Run, and enter cmd and click OK. Then enter the below commands in the command prompt window:

cd C:\getrunkey
getrunkey.bat

Do you get any error messages in the command prompt window?

Do similar for ShowNew.bat!

cd C:\shownew
shownew.bat

 

Please give me the exact word for word error message.

Sounds like you have some major non-malware problems.

 

Also from a command prompt, enter the below command

set

Do you get a bunch of text showing environment variables or do you get more errors?

If it shows the environment, type set > env.txt and then upload the env.txt file (that command will create it) here as an attachment.

 

I'll be logging of in a moment! Time to start Thanksgiving activities!

Another thing I want you to do from a command prompt is the below command

sfc /scannow

Does it ask for your CD? If so, put your CD in the CD drive.

 

Happy Thanks giving to you and your family too!

I did not see a snap shot of the NTVDM errors you said you got.

Did you have all other windows closed and no Windows opened (including notepad) with previous newfiles.txt and runkeys.txt logs before running the .bat files?

 

Have you rebooted since doing this? If not, please reboot and see if any behavior has changed.

Also run one of the below that most applies to your OS:

For Windows XP Pro: download and run XPproFix
For Windows XP Home: download and run XPHomeFix

These should be extracted into the c:\windows\system32 folder

That's it! I going now.....this time I mean it.

You enjoy work while I go enjoy some turkey!

 

You're welcome. I'm happy to hear things are working. Everything we recommend is include in the link below after final cleanup instructions.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and ***ociated C:\combofix.txt log that was created.
3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
4. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
7. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!