Seems like I caught something

whatthewhatthe · Nov 26, 2008

Righto.
So, the other night I got a warning from norton about some file accessing something or other... csrssc.exe
I had a look and a heap of applications were now present in my c:\ directory.
I've deleted them and ran a scan on Malwarebytes and 'repaired' a bunch of things it found.
After restarting my computer, I've found that norton is completely disabled (application files deleted), and I can't connect to the internet (though I can connect to my modem and router).
Whatever this thing is, it's edited my internet settings and 'unchecked' the "show pictures" option in the advanced settings.
Can anyone help? I can post logs from whatever application if that'd help
cheers.

whatthewhatthe · Nov 26, 2008

OK, I've attached my most recent HJT, ComboFix and MBAM logs.

Just checked something out, and my norton files hadn't been deleted (I was looking in the wrong folder :-o), though NIS no longer loads on startup. Don't know if that helps, just thought I'd mention it.

Thanks guys

TimW · Nov 26, 2008

We need you to run the MGTools program and attach the C:\MGLogs.zip.

whatthewhatthe · Nov 27, 2008

Cool. Thanks.
Latest logs are attached.
Search and Destroy didn't find anything.
Internet connection is still down so there's something interfering there...
All help appreciated.
Ta.

TimW · Nov 27, 2008

Yes, your logs are clean. I would suggest that, if running a router, you reset it to factory settings, check your network properties and be sure that dns and ip are set to auto detect.
Also go to your IE settings and reset security to default.

If this does not work, please post in the software or networking section.

If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

whatthewhatthe · Dec 1, 2008

Thanks TimW,

Turns out this thing edited my network settings and deleted my DNS specifics, disabling my internet access. It also locked my task-bar, cleared out my start-up folder, disabled viewing images in internet explorer, plus probably a whole heap of other things which I haven't worked out yet.

My Norton internet security monitored some of the activity that was attempted and/or performed:
"payload was blocked from accessing your network resources"
"firewall rules were automatically created for naoe"
"firewall rules were automatically created for ocvugtko"
"firewall rules were automatically created for services"
"cohdejrg.exe modified your program startup settings"
"2684403242.exe modified your windows atartup settings"
"csrssc was blocked from accessing your network resources"
"winlogin was blocked from accessing your network resources"
"winlogin detected by norton internet security"
.... then it gets a bit confusing as I began to install some anti-spyware applications at that stage.

Anyway, all seems well here for now.

I guess it serves me right for attempting to download an application via a torrent, rather than the author's website.

Thanks for your help, and the verification that the logs are clean (otherwise I'd likely be fretting).

Cheers.

TimW · Dec 1, 2008

Yes....it is a nasty that resets your router setting and then causes havoc within your system.

Good to know you are back running.

Log in or Sign up

Seems like I caught something

whatthewhatthe Private E-2

whatthewhatthe Private E-2

Attached Files:

ComboFix Log 20081126.txt

hijackthis 20081126.log

mbam-log-2008-11-26 (22-56-43).txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

whatthewhatthe Private E-2

Attached Files:

MGlogs.zip

SUPERAntiSpyware Scan Log - 11-27-2008 - 01-29-35.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

whatthewhatthe Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member