Restrictive program usage

  • This topic is locked
11 replies to this topic

#1 wellzy4eva

  • Members
  • 15 posts

Posted 13 June 2005 - 06:14 PM

Hey there,

I have been trying to clean up this PC for a friend as it was a total mess. I removed viruses using stinger.exe; however, you cannot open programs like regedit and HijackThis.

I don't want to install a virus checker on a still-corrupted system. Here is my log (fought hard to get it to save one):

Logfile of HijackThis v1.99.1
Scan saved at 00:10:56, on 14/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iqlyrjjo\csrss.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Walpaper\jlpaper.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\David\Desktop\231\132.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bt.com/btbroadbandstart?src=cdr
F3 - REG:win.ini: load=C:\WINDOWS\system32\iqlyrjjo\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - Startup: csrss.lnk = C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - Startup: delstart.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\Walpaper\jlpaper.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094671796739
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe


Thanks in advance.

Dave :thumbsup:


#2 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 14 June 2005 - 09:39 AM

If you still need help, could you post a fresh HijackThis log please?

#3 wellzy4eva
  • Topic Starter

  • Members
  • 15 posts

Posted 14 June 2005 - 02:23 PM

Here is a reprint of the HijackThis log; sorry for the delay, I am in the UK.

The program itself automatically closes after it has loaded. Thankfully, if I persist, sometimes it saves a log (which I can only view if I rename it). (BTW, 1213.cmd is the renamed HijackThis; renaming it makes it stay open a bit longer.)

Logfile of HijackThis v1.99.1
Scan saved at 20:19:55, on 14/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\iqlyrjjo\csrss.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Walpaper\jlpaper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\1213.cmd

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bt.com/btbroadbandstart?src=cdr
F3 - REG:win.ini: load=C:\WINDOWS\system32\iqlyrjjo\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - Startup: csrss.lnk = C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - Startup: delstart.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\Walpaper\jlpaper.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094671796739
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

Dave :thumbsup:

#4 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 14 June 2005 - 02:36 PM

No need to apologize. Thank you for being so patient. If you would, I would like to have you submit a file. Go to this page:
http://www.bleepingcomputer.com/submit-malware.php
And in the submission box, paste in the following text: C:\WINDOWS\system32\iqlyrjjo\csrss.exe

That's the only thing I see wrong, but I would like to know what it is before we try to remove it.... it's a bit unusual. As soon as you submit that, I'll get back to you. :thumbsup:

#5 wellzy4eva
  • Topic Starter

  • Members
  • 15 posts

Posted 14 June 2005 - 03:03 PM

Submitted.

I also noticed this, although I was unable to stop it running or delete it.

The directory just showed an ini file (that regenerates itself) which contains:

[Uptime]
Current=F%7:@;:\)P``
Best=F%7:@;:\)P``

After showing hidden files and Windows protected files, it also shows an exe and a 1kb dat file, but the computer rehides the icons after a refresh.

Hope that helps?

Dave :thumbsup:

#6 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 14 June 2005 - 05:23 PM

It wasn't anything new, but it was new to me anyway.

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on "Fix Checked".

F3 - REG:win.ini: load=C:\WINDOWS\system32\iqlyrjjo\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - Startup: csrss.lnk = C:\WINDOWS\system32\iqlyrjjo\csrss.exe
O4 - Startup: delstart.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\Walpaper\jlpaper.exe

***********************************************************************

Once you do that, you can boot into safe mode, and you should be able to delete that file (along with the iqlyrjjo directory). Here is a description of what you have:
http://www.trendmicro.com/vinfo/virusencyc...WORM%5FCHOD%2EA

Reboot and post a new log when you are done. Could I suggest a free AntiVirus? Do a Search for AntiVir Personal... or AVG. Either one would have prevented you from being infected. :thumbsup:
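The giveaway in the log above is a file named after a core Windows process (csrss.exe) running and autostarting from a subdirectory of System32 rather than from System32 itself. As an added illustration that is not code from this thread or from HijackThis, the Python below scans HijackThis-style lines (the process list plus F3/O4 autostart entries) for exactly that pattern; the sample lines are constructed to mirror the entries flagged above.

```python
import re

# Constructed sample in HijackThis v1.99 format, mirroring the thread's log.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\iqlyrjjo\\csrss.exe
C:\\Program Files\\iTunes\\iTunesHelper.exe

F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\iqlyrjjo\\csrss.exe
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [csrss] C:\\WINDOWS\\system32\\iqlyrjjo\\csrss.exe
O4 - Startup: csrss.lnk = C:\\WINDOWS\\system32\\iqlyrjjo\\csrss.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Core Windows process names an impostor likes to borrow. The genuine copies
# live directly in %SystemRoot%\System32, never in a subdirectory of it.
CORE_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe",
              "services.exe", "svchost.exe"}
VALID_DIRS = {r"c:\windows\system32"}

# Any drive-letter path ending in .exe, shortest match so quotes/args stop it.
PATH_RE = re.compile(r'([a-z]:\\[^"\n]*?\.exe)', re.IGNORECASE)


def is_impostor(path):
    """True if the file name is a core name but its directory is not System32."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    return name in CORE_NAMES and directory not in VALID_DIRS


def find_suspicious(log_text):
    """Return (entry_kind, path) for every process or autostart entry that masquerades."""
    hits = []
    for line in log_text.splitlines():
        # HJT entries look like "O4 - ..."; bare paths are the process list.
        kind = line.split(" - ")[0] if " - " in line else "process"
        for path in PATH_RE.findall(line):
            if is_impostor(path):
                hits.append((kind, path))
    return hits


if __name__ == "__main__":
    for kind, path in find_suspicious(SAMPLE_LOG):
        print(f"{kind:>8}: {path}")
```

Every persistence entry the reply above told the poster to fix (win.ini load/run, HKLM and HKCU Run keys, the Startup folder) shows up as a hit, while the legitimate smss.exe in System32 does not.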

#7 wellzy4eva
  • Topic Starter

  • Members
  • 15 posts

Posted 15 June 2005 - 03:53 PM

Thanks for the advice, but do you know any other programs other than HijackThis which could do this?

I only ask because after 1-4 seconds the program automatically closes itself (I barely got the log done), even after renaming it to something like 1213.cmd.

Dave :thumbsup:

#8 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 15 June 2005 - 04:08 PM

I'm sorry, you lost me. Any other programs that can do what... remove that from the registry? Regedit will work, but you need to be very careful with what you are doing there.

What program are you renaming to 1213.cmd?? :thumbsup:

#9 wellzy4eva
  • Topic Starter

  • Members
  • 15 posts

Posted 16 June 2005 - 04:56 PM

I'm sorry, I thought I'd already mentioned it.

My biggest problem is that programs like regedit and HijackThis, and even Winamp for some reason, automatically close when opened. Even when I did the HijackThis log, it would automatically close until I renamed it to something else.

So I can't use HijackThis or regedit. This is my main problem; otherwise I'd have tried removing things that looked dodgy in my registry, like that csrss.exe in a strange folder.

Hope that explains it well and makes some of the things I said before make more sense.


Dave :

#10 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 17 June 2005 - 08:07 AM

We need to figure out what is causing all of those to close when running then, because they shouldn't all be closing. At any rate, you can try using reglite to remove those entries from the registry; you will just need to do a search for iqlyrjjo\csrss.exe.
http://www.resplendence.com/reglite.

With that .ini file you were talking about, delete the contents, then set the file properties to read only.

Let me know if reglite stays working for you; otherwise we can use a .reg file.

#11 wellzy4eva
  • Topic Starter

  • Members
  • 15 posts

Posted 17 June 2005 - 05:24 PM

Ah sorted...

After trying to delete the registry keys multiple times, something dawned on me, 'Would hijackthis work in safe mode?'

Reinstalled MSN Plus so the InstallShield could properly remove the spyware it installed (then uninstalled it and ran Ad-Aware/Spybot).

In Safe mode found the four instances of csrss startup and that pesky hidden startup icon in the all users settings.

Now installed AVG free edition and all is well (AFAIK)

Thanks a lot!

Dave :thumbsup:

#12 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 17 June 2005 - 06:37 PM

Doh!! I can't believe I didn't suggest that in the first place.... sometimes we overlook the most simple things.

Glad you got it sorted out... good job!