Can't Download HyjackThis!

Please realize it is a holiday for most of the people who spend time help in this forum. So we will not be around much. I'm not sure what your problem with HijackThis is. You keep changing what you are saying. First you said you cannot download it. Then you said you have it downloaded and unzipped but cannot run it. Then you said you cannot download it again. So what exactly is the problem?

Can you download the HijackThis from our link or not?
Can you unzip into a folder like we request?
Can you run Hijackthis.exe?

Please also run this Running HOSTER...

And if no one is around for awhile you may want to give the following items a run to see what they find:

Running Ewido Security Suite

Microworld Antivirus Toolkit Utility 7.4.2

Post the logs too if you can run these tools. Microworld will not fix anything, but it may help us detect some problems to remove manually.

 

Okay! Were are you located if not here in the USA?

Try downloading hijackthis.exe (not in a ZIP file) directly from here:

http://216.180.233.162/~merijn/files/HijackThis.exe

Put it in the proper folder per our instructions in step 7 of the READ ME & also follow those directions on running it. Then attach a log (from normal boot mode) to your next message. I should be popping in again later.

 

If you have actually gotten the HijackThis.exe file downloaded. Just create the c:\Program Files\HJT folder per the instructions in the sticky threads and copy or move hijackthis.exe there. Then continue to run the steps to post the log as an attachment.

The sticky I'm referring to is: Downloading, Installing, and Running HijackThis

By the way you can change FireFox's settings to ask where to download to. Also you can change the default folder too. It's under Tools, Options, Downloads.

 

I don't quite understand what you are saying and doing.

Did you create the C:\Program Files\HJT folder as specified?
If yes, just download the file, and save it to this folder.
At this point you should have hijackthis.exe in the C:\Program Files\HJT folder. The file should be 213 KB in size. Is that what you see?

 

Well the terminology is that you double click on it to run it! It should open up a window where you can select options. You want to select the one that says Do a system scan and save a log

Do you get this far?

 

Maybe not! It could be malware! Try this. Rename (right click on the file and select Rename) hijackthis.exe to myhjt.com

Then try double click on the new file name to run it. Does this stay running?

 

Download GetRunKeys.Zip to your PC someplace you can locate it. Then extract the getrunkeys.bat file from the ZIP. Locate the getrunkeys.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt) . Unload that file here are an attachment.

By the way, look in the folder you have hijackthis.exe running from. Do you see a filenamed hijackthis.log?

 

Also do the following:

Download Process Explorer

Unzip it and now run ProcessExplorer and lets configure some options first:

Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".

Now click on File and then Save As. And save the process list. Save it to a filename like prlist.txt

Post it back here as an attachment.

 

After posting the prolist.txt file. Run Process Explorer again and see if you can locate a process named XNUR.EXE The Image path column should say: c:\program files\XNUR\XNUR.exe

Right click on it and select Kill Process Tree
Watch the processes for a minute and make sure it does not restart.
If it does not restart, try runing HijackThis now and see if you can save a log.

 

I have no problem with it. So try it again! If it does not work, the problem is on your end. Let me know.

 

You cannot delete it while the process is running. That was why I was trying to kill the process. Let's try this:

Press CTRL-SHIFT-ESC at the same time to bring up Task Manager. Click the Image Name column heading to sort by name. Look for XNUR and right click it and select End Process Tree. If that works, see if you can delete the whole folder named c:\program files\XNUR

 

That's typcial of Task Manager. It is also why we use programs like Process Explorer and HijackThis. Because they show all things that are running unlike Microsoft's stupid Task Manager.

Let's try a different approach.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixbad.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixbad.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Then immediately reboot your PC into safe mode and use Windows Explorer to locate the below folder and delete the whole folder:
c:\program files\XNUR

Then run CCleaner and also goto the c:\windows\Prefetch folder and delete all files in this folder.

Then reboot your system in normal mode and see if you can run HijackThis now.

 

It sounds like two things.
1) did you enable viewing of hidden and system files and also did you uncheck the option to hide extensions for know file types per the READ & RUN ME.

2) did you save the file using Save As and did you change the Save as Type to All Files?

 

It does not reset to defaults by itself. They must be changed manually.

Something must be wrong with how you are saving the file. Just to double check that I did not make a mistake in what I put in there, I followed my instructions just now with the registry patch and it added it into the registry without a problem.

Are you using notepad?
Is the error message still exactly the same?

 

Download the attached ZIP file and save it to the root folder of drive C
Then extract the fixbad.reg file from the ZIP also into the root folder of drive C.
When finish Windows Explorer should show a c:\fixbad.reg file

If you see this file, then click Start, Run, and enter regedit c:\fixbad.reg then click OK!

 

You could try that but I don't think that is the problem. But you even had problems with the ZIPPED version originally.

Run getrunkeys.bat again and get me an new runkeys.txt log. You may need to change the name to runkeys2.txt in order to attach it.

 

Well one item is gone (XNUR) but the other items with "csrss"=- still remain. csrss.exe running from c:\windows\system32 is okay. But these lines in the registry are not okay and it make me wonder what is hiding in the background and bring these back.

Do you still have SpySweeper installed? If so I want you to do the following,
- boot into safe mode and run SpySweeper and save the log. Post here later
- try to run myhjt.com
- try to run some of the other scans that you may have been able to download and install
- try running Process Explorer in safe mode and save that log I requested and post it here

Reboot in normal mode and tell me the results. Gotta run now. I have an early day tomorrow and need! I'll check in during the day if I get time.

You have a real nasty hiding in here and it is difficult not being able to run any tools. Try downloading some of the below. Just download them to a Downloads folder. I want to at least see if you can download them. If so, we may be able to get some to run some how.

avast! Virus Cleaner Tool No installation required! Ready to run as is
McAfee AVERT Stinger..... No installation required! Ready to run as is.
Microsoft Malicious Software Removal Tool

 

Process Explorer does not need a network conection to run in either safe mode or normal mode. It is a process explorer not a network explorer.

 

Boot back into safe mode. And run open Windows Explorer. Locate the below file:

C:\WINDOWS\system32\ukpgqqzlo\csrss.exe

Right click on it and select rename and change the csrss.exe file to csrss.xxx
If you cannot rename it, try right clicking on it and dragging it to the Desktop and when you let go of the mouse button on the Desktop select Move here.
Now see if you can rename it.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions (if any are open):
F3 - REG:win.ini: load=C:\WINDOWS\system32\ukpgqqzlo\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\ukpgqqzlo\csrss.exe
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
After clicking Fix, exit HJT.

Now reboot in normal mode and tell me where things stand. If you can run HJT now, post a new log. Also start running all the steps in the READ & RUN ME.

 

You should now rename myhjt.com back to hijackthis.exe

Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions (if any are open):

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O4 - Startup: csrss.lnk = ?

After clicking Fix, exit HJT.

Now after another reboot into normal mode, post a new log HJT log!

How is everything working now?

 

You must remember to post HJT logs from normal boot mode. Do not post a new one yet.

You more than likely have a csrss.lnk file in your Startup folder we need to find and delete.
C:\Documents and Settings\username\Start Menu\Programs\Startup\csrss.lnk

where username is the name of the user. Let's run the below to help us dig further.

Download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.