Posted 01 March 2010 - 12:09 PM
I found a number of Symantec programs on the computer. Those programs appeared to be causing the initial errors I saw when the computer booted. I thought the process would be to remove Symantec and, if it was still needed, to reinstall it. I ran the latest Symantec uninstall tool and it would not run because it said Symantec Antivirus 2009 had to be removed first.
The computer seemed to be virtually crippled by Symantec error messages, making it difficult to interact at all. I didn't record the messages, but I did remove the various startup entries and some significant registry entries in order to cripple Symantec and remove the error messages.
I could not remove Symantec AV 2009 because it required a password. I did not know the password. In fact, the owner said he had never installed it, nor had anyone in his company.
I contacted the company and was given permission to remove all Symantec; they were no longer using it. About that time, I opened WORD to begin recording my events and ran into the AntiVirus XP 2010 scareware. So I began the bleepingcomputer script to remove this process.
Eventually I found the following Trojans and other badware on the computer and removed them:
I removed all the Symantec services to remove Symantec from the picture.
I ran combinations of Malwarebytes, GMER, HijackThis, and Windows Security Essentials. Eventually, all came back "clean."
Though these were, technically, removed by the antispyware programs, I continued to get an error loading C:\Windows\etuyawebewahazuy.dll. This means there is a piece of bad code I am missing.
I looked through the running processes and found a possible lemon: csrss.exe
The properties of this process are:
ObjectDirectory =\Windows SharedSection=1024,3072,512,Windows=0...
Memory usage: 2,228,224 bytes.
I will continue this discussion with another append containing the Hijackthis log.