Symptoms/HijackThis Log

My computer has a virus. What else is new. It will not allow me to view specific URL's such as...

*=wildcard

- grisoft.com/*
- trendmicro.com/*
- sophos.com/*
- *agobotgh*
- I can't download the CWshredder...
- I cannot log into hotmail or log onto MSN Messenger
- I cannot use GoogleTalk or check my email anymore because I cannot go to mail.google.com/*
- I cannot log onto AIM
- I cannot log onto YIM
- I don't use ICQ but I am sure I can't go onto it either

It disabled Norton AutoProtect and will not let me enable it.
I cannot remove "Altnet" with Spybot
If Norton detects something when I scan the remove will always fail
Ad-Aware detects DataMminers and other small things but not what I am looking for

Due to it disallowing me to go to any url containing "agobotgh" and the fact that I have the process "csrss.exe" (Backdoor.IRC Trojan I think but am not sure) I have come to beleive I have the AGOBOT.GH worm but I'm not certain.

I cannot end "csrss.exe" because it is a critical process and I also cannot stop it from loading on startup either because it says it is in use. It shows as a process in safemode as well.

This is one hardcore virus it seems...

PS: These smileys are extremely similar to those on DeviantArt... The eye roll is a combination of the :no: smiley and the eye rolling smiley... The Big Grin and Confused smileys are recolors...

 

Also, Cannot use any Mozilla browser... Firefox, Deer Park Alpha 1/2, etc.

 

I got an error. I couldn't fix the csrss.exe shortcut...

See for yourself...

Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard.

And...

Unable to delete the file
O4 - Startup: crss.Ink = ?

This file may be in use. Use Task Manager to shutdown the program and run HijackThis again to delete the file.

I can't end because it is a critical process. Whatpulse is a program I installed. It tracks mouseclicks and key strokes...

It's a HUGE community of people that use it.

Anyways...

Here is my log file...

 

Nope... Nothing. This is all I found:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[hkjhk]
nnhjhkj15=1102786513
[hkjhkW]
nnhjhkj15=1102786558
[MSUCE]
Advanced=0
CodePage=Unicode
Font=Arial
[PCDRWIN]
CurrentLanguage=0

 

Nothing...

 

UPDATE!

Ever since I did that host thing, I can access grisoft.com again and housecall.trendmicro, etc. I cannot access email sites such as mail.google.com or log into hotmail.com though.... At least the problem isn't as big now!

 

Hmm...

When I ran HijackThis in safe mode, csrss.exe was not there at all. It did not run this time. I had previously deleted a folder called ykzljbhjj or something with two files called csrss except with different extensions. One had a .ini extension and the other was a shortcut. I found those files along with a startup shortcut and another shortcut in the backup of Hijack This. I deleted them. I'll attach my log anyways.

Okay, I'm scanning with WinPFind now...

Another thing I forgot to add which is REALLY bad is the fact that it changed my Windows Validation so now I cannot download certain microsoft files. It uninstalled my MS Antispyware...

WinPFind popped up and said FILE NOT FOUND or something similar wgile I was typing... It says it is now scanning registry... I'll post the log ASAP.

 

Okay, I'm going to bed now.... It never really finished so I just copied the status log... It's attached. Thanks for the help so far! It's better than it was before so I'm sure it will get fixed. Especially with your expertise. Thanks again and good night!

 

It didn't finish the scan so I restarted (the scan). It's back at the same spot. I did however find the shortcut and delete it... I'm going to restart my computer and see if it still runs it.

 

"Runner Error

Runner file name (Compaq Connections.exe) lacks a '-' (the app id separater)"

That happens at the beginning of startup. Compaq Connections is a feature my computer has but I dodn't know why it wouldn't work now...

Anyways...

The log is attached. I will re-scan and see if it works. I'll keep you updated...

 

Okay, it changed my windows certification so that it seems unregistered. I can't log onto hotmail/messenger or any other mail/instant messaging...

Btw, what was that one file?

 

No I can't restore it and about my indows, it says it's not a registered copynow. I can't downlaod the programs of microsoft where you need the validation anymore...

 

My dad decided that he is going to reformat the computer... Sorry for wasting your time but thanks anyways... Now I have to research on Anti-Virus programs to replace Norton...