ctfmon.exe and csrss.exe infection? - Can't start spybot, HJT or ad-aware


29 replies to this topic

#1 SciFunk (Members, 15 posts)

Posted 14 February 2011 - 06:10 PM

I've tried every search and internet solution possible, and I still haven't fixed the problem. I was able to run Spybot and Ad-Aware once, and then something prevented either of them from starting. HJT won't run anymore either. When I try to start these programs, they show up briefly in the task manager and then go away without loading anything else. I deleted all the malware each program found that first time. When I ran HJT, and deleted some files, they mostly kept coming back when I re-scan. The regedit fixes sprinkled around the internet do nothing. When I disconnect my computer from the internet and boot it into safe mode, the task manager shows csrss.exe and ctfmon.exe. I can end the ctfmon.exe process, but the csrss.exe forces my computer to shut down. No matter what I do in the task manager, those two processes come back every time I reboot. My internet searches are being redirected to bogus sites, my computer randomly blue screens and reboots, and it's just generally very sad times.

ETA: I'm running Windows 7 64-bit.
ETA: All programs only load for a second in task manager, and then disappear. I can load some things in explorer (like the manage accounts section in the control panel), but it won't let me do very much (like actually create another account). If I need to install a program, I'll have to do it by flash drive, and I guess I'll need instructions on how to clean the flash drive to make sure the virus doesn't transfer over to a good computer.

Edited by SciFunk, 14 February 2011 - 10:15 PM.
Moved from Win7 ~BP



#2 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 14 February 2011 - 11:45 PM

Try downloading and using the SUPERAntiSpyware Portable Scanner in Safe Mode. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

How to start Windows in Safe Mode
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 SciFunk (Topic Starter)

Posted 15 February 2011 - 12:09 AM

I downloaded it, renamed it, and tried to run it in safe mode from USB -- to no avail. At this point, I don't think the virus/trojan/malware is just blocking scanner applications. I can't open most things, including Chrome. It's still the same thing, anything I open will briefly show up in the task manager and then disappear. After a quick trial, I found out I can still open notepad, but not Media Player Classic or winamp. Thanks for the suggestion, though.

#4 Budapest (Moderator)

Posted 15 February 2011 - 12:14 AM

See if you can get RKill to run.

http://www.bleepingcomputer.com/forums/topic308364.html

#5 SciFunk (Topic Starter)

Posted 15 February 2011 - 01:51 AM

Nope. Like the link suggested, I ran it over and over and over again. It appeared in the processes section of the task manager like other programs, but never in the applications section. I renamed it random things as well as the name of processes already running.

#6 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,599 posts, Romania)

Posted 15 February 2011 - 06:05 AM

When I ran HJT, and deleted some files, they mostly kept coming back when I re-scan.

Do you still remember what you have deleted with HJT?
Note that HJT is a 32 bit scanner; it will not work correctly on 64 bit systems and can display erroneous information when used there.

Please restart your computer and tap F8 until the Advanced Boot Options menu comes up. Select "repair windows" and press enter.
After the recovery environment has loaded, enter your keyboard layout and login details and click Startup Repair. After it finishes, reboot in windows and let me know how things are.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 SciFunk (Topic Starter)

Posted 15 February 2011 - 06:39 AM

Oh, how I wish I knew what I deleted with HJT. I have a supposedly computer knowledgeable friend who told me to run HJT and use an autoanalyzer to delete things. I definitely know better now. I mostly deleted R0 prefixed files that came up red, but I know I told it to fix a few other things as well.

When I chose "Repair my computer" and ran the Startup repair, it said no errors found. After rebooting, everything seems to be just as broken as before.

#8 Elise (Malware Study Hall Admin)

Posted 15 February 2011 - 07:44 AM

In that case I recommend you to do a system restore to before the HJT fix so we can work from there on any problems.

You can do a system restore at the choices menu where you also see Startup Repair.

regards, Elise


#9 SciFunk (Topic Starter)

Posted 15 February 2011 - 07:56 AM

When I load up system restore, it only gives me two options, both of which are from 10:30p last night. I ran HJT a couple days ago, so that's not far enough. I check the Show more restore points box, but no other options come up.

#10 Elise (Malware Study Hall Admin)

Posted 15 February 2011 - 08:17 AM

Before you fixed the lines with HJT, did you have this same problem? Or only afterwards?

regards, Elise


#11 SciFunk (Topic Starter)

Posted 15 February 2011 - 08:35 AM

The problem has definitely worsened. Before "fixing" with HJT, I was getting BSoD frequently and audio ads would randomly start playing while I was doing other things. My google searches were also being redirected at that time. I feel like there was a time after I ran HJT that I was still opening programs okay, but I'm no longer sure.

#12 Elise (Malware Study Hall Admin)

Posted 15 February 2011 - 09:06 AM

Please see if you can run the following. Try to download it on a working computer and transfer it using a flash drive.

Use Flash disinfector on your clean computer to protect it from possible autorun malware.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


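The note in post #12 about the hidden autorun.inf folder is a real hardening trick: a directory and a file cannot share a name inside the same folder, so once a directory called autorun.inf sits at the drive root, malware that tries to drop an autorun.inf file there fails. The Python below is an added example, written for this page; it is not Flash_Disinfector's code and not anything posted in the thread. It creates the blocking directory on a throw-away folder standing in for a USB stick, shows the drop succeeding before and failing after, and also parses an autorun.inf for the keys (open, shellexecute, shell\...\command) that make autorun launch a program. The SAMPLE_AUTORUN text and its RECYCLER\setup.exe path are constructed for the example.

```python
"""Added example (not Flash_Disinfector's code and not from this thread):
the folder trick the note above describes, plus a reader for the
autorun.inf keys that make removable media launch a program.
The autorun.inf text and the RECYCLER\\setup.exe path below are constructed."""
import os
import pathlib
import re
import shutil
import subprocess
import tempfile

# Keys inside [autorun] that name something to execute. Windows versions that
# still honour autorun.inf on removable media run the program given here.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

SAMPLE_AUTORUN = """; constructed sample, not taken from any real infection
[autorun]
icon=setup.exe,0
label=Removable Disk
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe /s
shell\\explore\\command=RECYCLER\\setup.exe
"""


def find_autorun_directives(text: str) -> list:
    """Return (key, value) pairs from the [autorun] section that execute a program."""
    hits = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_CMD.match(key):
            hits.append((key, value))
    return hits


def block_autorun(root: str) -> pathlib.Path:
    """Create a directory named autorun.inf at the drive root.

    A directory and a file cannot share a name, so malware that later tries
    to drop autorun.inf there gets an error instead of a foothold.
    """
    target = pathlib.Path(root) / "autorun.inf"
    if target.is_file():
        # An existing file is evidence of an infection; inspect it, don't overwrite it.
        raise RuntimeError(f"{target} already exists as a file; examine it first")
    target.mkdir(exist_ok=True)
    if os.name == "nt":
        # Mirror the hidden+system attributes the tool sets; skipped elsewhere.
        subprocess.run(["attrib", "+s", "+h", str(target)], check=False)
    return target


def write_is_blocked(root: str) -> bool:
    """Play the malware: try to drop autorun.inf at root. True if the OS refuses."""
    try:
        with open(pathlib.Path(root) / "autorun.inf", "w", encoding="ascii") as fh:
            fh.write(SAMPLE_AUTORUN)
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return True
    return False


def demo() -> dict:
    """Before/after on a throw-away directory standing in for a USB stick."""
    root = tempfile.mkdtemp(prefix="fakeusb_")
    try:
        before = write_is_blocked(root)        # False: the drop succeeds
        os.remove(os.path.join(root, "autorun.inf"))
        block_autorun(root)
        after = write_is_blocked(root)         # True: the directory is in the way
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "after": after,
            "directives": find_autorun_directives(SAMPLE_AUTORUN)}


if __name__ == "__main__":
    print(demo())
```

Run it against a real stick by calling block_autorun("E:\\") (or the mount point on another OS) after first checking with find_autorun_directives that no autorun.inf file is already there; if one is, it should be read and kept as evidence rather than overwritten. The protection is only against the plain autorun.inf vector: it does nothing about infected executables the drive already carries, which is why the thread still runs a scanner afterwards.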
#13 SciFunk (Topic Starter)

Posted 15 February 2011 - 10:25 PM

Nope, I am unable to run TDSSkiller.

ETA: I tried both merging and just double clicking to import several of the .reg files (for .exe, folder fixes, directory fixes, and drive fixes) from here: http://www.winhelponline.com/blog/file-asso-fixes-for-windows-7/. All but the .exe successfully completed. The .exe gives me the following error: Cannot import. Not all data was successfully written to the registry. Some keys are open by the system or other processes. I still can't open anything in safe mode or normal mode.

Edited by SciFunk, 16 February 2011 - 01:29 AM.
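
The .reg files SciFunk imports in post #13 all target the same small set of keys: the ProgID that .exe is mapped to and the (Default) of that ProgID's shell\open\command, which on a clean machine is "%1" %*. A hijack rewrites one of these so every program launch first starts the malware, which is exactly the "appears in task manager for a second and vanishes" symptom; a separate mechanism, a Debugger value under Image File Execution Options for a named image such as a scanner, makes Windows start the "debugger" instead of that program, and is one reason the random-name advice in posts #2 and #4 works. The checker below is an added example written for this page, not the winhelponline fix and not anything from the thread. It reads a .reg export offline (on the machine, reg export HKCU\Software\Classes classes.reg and the same for HKEY_CLASSES_ROOT and the IFEO key; reg export writes UTF-16, so open the file with encoding="utf-16") and flags those changes. Every key, path and file name in SAMPLE_REG, including C:\Users\Public\updater.exe and the HijackThis.exe IFEO entry, is constructed for the example; it says nothing about why regedit refused the import.

```python
"""Added example (not the winhelponline fix, and not the thread's own code):
parse a .reg export and flag the registry changes that make every .exe
launch, or one named scanner, go somewhere else. The keys and values in
SAMPLE_REG, including the C:\\Users\\Public\\updater.exe path, are constructed.
On a live machine: reg export HKCU\\Software\\Classes classes.reg, then
check_reg_text(open("classes.reg", encoding="utf-16").read())."""
import re

STD_PROGID = "exefile"      # what HKCR\.exe and HKCU\Software\Classes\.exe should map to
STD_COMMAND = '"%1" %*'     # (Default) of exefile\shell\open\command and \shell\runas\command
IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
# @=... is the (Default) value; "Name"=... is a named value
VAL_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
; constructed sample: the machine-wide keys are intact, the per-user Classes
; override (which wins over HKCR and needs no admin rights) redirects every
; .exe launch, and an IFEO Debugger silently replaces one named tool.

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\Public\\updater.exe\" -launch \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\Users\\Public\\updater.exe"
"""

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"""


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key: {value_name: string_data}}; (Default) is stored under ''.
    Only REG_SZ data is kept, which is all these checks need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
    return keys


def check_reg(keys: dict) -> list:
    """Return (key, reason) pairs for .exe association hijacks and IFEO debuggers."""
    findings = []
    # Every ProgID some .exe key points at: a hijack often invents its own.
    exe_progids = {STD_PROGID}
    for key, values in keys.items():
        if key.lower().endswith("\\.exe") and values.get(""):
            exe_progids.add(values[""].lower())
    cmd_re = re.compile(r"\\([^\\]+)\\shell\\(open|runas)\\command$")
    for key, values in keys.items():
        low = key.lower()
        default = values.get("")
        if low.endswith("\\.exe") and default is not None and default.lower() != STD_PROGID:
            findings.append((key, f".exe ProgID is '{default}', expected '{STD_PROGID}'"))
        m = cmd_re.search(low)
        if m and m.group(1) in exe_progids and default is not None and default != STD_COMMAND:
            findings.append((key, f"launch command is '{default}', expected '{STD_COMMAND}'"))
        if IFEO in low:
            for name, data in values.items():
                if name.lower() == "debugger":
                    # Windows starts the Debugger instead of the named image;
                    # renaming the scanner sidesteps exactly this.
                    findings.append((key, f"IFEO Debugger='{data}' replaces this image"))
    return findings


def check_reg_text(text: str) -> list:
    return check_reg(parse_reg(text))


if __name__ == "__main__":
    for key, reason in check_reg_text(SAMPLE_REG):
        print(f"{key}\n    {reason}")
```

Two points worth keeping in mind when reading the output: HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes takes precedence, so a clean HKCR export does not clear the per-user hive, and a Debugger value is occasionally legitimate (a developer attaching a real debugger), so each hit is something to look at, not something to delete unseen.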


#14 Elise (Malware Study Hall Admin)

Posted 16 February 2011 - 02:26 AM

Try to rename the Hijackthis executable from hijackthis.exe to hijackthis.com. The program saves some backups of what it deleted, which we can use to restore whatever you deleted.

regards, Elise


#15 SciFunk (Topic Starter)

Posted 16 February 2011 - 02:47 AM

I renamed the HJT executable to a .com, but it doesn't even open in the processes when I try to run it. I can open a command prompt as well as most folders. Could I find the HJT backups from either of those?



