Solved: Worm problem! Can't delete csrss.exe file!

Zri · Jul 14, 2006

Hi, everybody. I need some help here in deleting a worm. Ok, here is the problem:

- One day, after full scan, scanner(the scanner is 'eScanWin') detected about a hundred worms named 'Email-Worm.Win32.Scano.ac'.

- Kept on doing many scans, but always detected one worm left. The infected file's name will always be 'csrss.exe'.

- File located in C:\WINDOWS .

- When file deleted, it will appear very fast in C:\WINDOWS !

- Because of 'very fast' appearing file, computer cannot be fully clean of this worm.

- It seems the 'csrss.exe' file spreads the worms in the computer.

- Recently, I found a folder in C:\WINDOWS named 'LastGood' .

- I guess that file has something to do with the worms, because whenever I deleted the folder, the folder will at once reappear again, just like the 'csrss.exe' file!

- Also, whenever I delete the 'csrss.exe' file, the whole computer will start loading something and slow down!

- The 'winlogon.exe' process will start to take up a lot of resources whenever I delete the 'csrss.exe' file!

- And now my Windows Security Center cannot open my Windows firewall!

Please help me if you know the solution. Thank you.

Blink182 · Jul 14, 2006

Howdy Zri !

1. Csrss.exe= Critical System File. If that file is infected you need to format. It reappears because Windows needs that file and cannot function correctly with out it. Windows simply restores it from C:\i386
2. Dont delete LastGood. That file is for Last Know Good Recovery. Again Windows will restore it because its a part of Windows.

Cookiegal · Jul 14, 2006

Hi and welcome to TSG,

csrss.exe is a valid file when running from system32. This one is not. We cannot diagnose the problem without seeing a HijackThis log so please do this:

Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.

By default it will install to C:\Program Files\Hijack This.

Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.

Put a check by Create a desktop icon then click Next again.

Continue to follow the rest of the prompts from there.

At the final dialogue box click Finish and it will launch Hijack This.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.

Click Save to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Zri · Jul 14, 2006

Hi, Cookiegal! Thanks for helping me out! Anyway, here is the log you requested:

Logfile of HijackThis v1.99.1
Scan saved at 11:12:58 AM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Tor-TorCP-Privoxy_Bundle\TorCP\torcp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Tor-TorCP-Privoxy_Bundle\Tor\tor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tor-TorCP-Privoxy_Bundle\Privoxy\privoxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [TorCP] C:\Program Files\Tor-TorCP-Privoxy_Bundle\TorCP\torcp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Privoxy.lnk = C:\Program Files\Tor-TorCP-Privoxy_Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137759416383
O20 - AppInit_DLLs: C:\WINDOWS\system32\msr2ca.dll
O20 - Winlogon Notify: arm32reg - C:\Documents and Settings\All Users\Documents\Settings\arm32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MWTI2 - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

Cookiegal · Jul 15, 2006

I hope you don't mind but I edited the font in your post as I find the HijackThis log difficult to read with the font you used.

Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.

Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.

Once the setup is complete you will need run Ewido and update the definition files.

On the main screen select the icon "Update" then select the "Update now" link.

Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

Once in the Settings screen click on "Recommended actions" and then select "Quarantine"

Under "Reports"

Select "Automatically generate report after every scan"

Un-Select "Only if threats were found"

Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.

Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:

Launch Ewido Anti-spyware by double-clicking the icon on your desktop.

Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".

Ewido will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:

If you have any infections you will prompted, then select "Apply all actions"

Next select the "Reports" icon at the top.

Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Close Ewido and reboot your system back into Normal Mode.

Run ActiveScan online virus scan: here

When the scan is finished, save the results from the scan!

Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.

Zri · Jul 16, 2006

Don't worry, I don't mind getting my font edited! I'll stick to the default font for now!

Anyway, I think I have a problem. I can't start in safe mode! Shortly after I enter safe mode, the computer restarts itself!

Looks like we have got to find another way to solve this problem! I hope you can help me, Cookiegal! You seem to be an expert in solving this problem! I hope you can solve this problem. Thanks!

Cookiegal · Jul 16, 2006

You can go ahead and run Ewido in normal mode and then do the Panda Active Scan please.

Zri · Jul 16, 2006

Ok! I shall do as you say now! I'll do the Ewido scan in normal mode. Thanks!

Cookiegal · Jul 16, 2006

Zri · Jul 17, 2006

I have finished all the scans that you have told me to do. Now here are the 3 logs.

Ewido Anti-Spyware log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:57:10 PM 7/16/2006

+ Scan result:

HKU\S-1-5-21-794407143-1412489200-4163059255-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKU\S-1-5-21-794407143-1412489200-4163059255-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\Program Files\Air Assault 3D\NNSUNA3_88.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\readme.txt -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\uninstall3_88.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
[620] C:\Documents and Settings\All Users\Documents\Settings\arm32.dll -> Proxy.Xorpix.u : Error during cleaning.
C:\Documents and Settings\alifcarr\Cookies\[email protected][2].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\alifcarr\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\alifcarr\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\alifcarr\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\alifcarr\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\alifcarr\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\alifcarr\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\alifcarr\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

::Report end

Zri · Jul 17, 2006

Unfortunately, the log is too long for me to post here. The post did not allow me to put more than 996059 characters into this post. So I uploaded a textfile of the Panda scan log instead. Download the zip attachment and view the Panda scan log.

Blink182 · Jul 17, 2006

ahh, no dont do that. Split the post into to. One thing not to do it to remove items from the log.

Zri · Jul 17, 2006

This is the HijackThis log. I scanned the system with HijackThis after I have finished scanning the computer with the Ewido and Panda scan. The following is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:32:35 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\PROGRA~1\eScan\avpm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Tor-TorCP-Privoxy_Bundle\TorCP\torcp.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tor-TorCP-Privoxy_Bundle\Tor\tor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [TorCP] C:\Program Files\Tor-TorCP-Privoxy_Bundle\TorCP\torcp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Privoxy.lnk = C:\Program Files\Tor-TorCP-Privoxy_Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137759416383
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\msr2ca.dll
O20 - Winlogon Notify: arm32reg - C:\Documents and Settings\All Users\Documents\Settings\arm32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MWTI2 - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

Those were the logs you wanted, Cookiegal. I hope the logs will help you to solve this worm problem. Good luck and thank you for helping me. Thank you.

Zri · Jul 17, 2006

Well, Blink182, unfortunately, the log is SO long that it will take me hours just to finish splitting the posts. And besides that, the log, as I said, had the same info. It is like as though the info repeated itself, but changed location into almost ALL the programmes I have on this computer. But I do hope that the log will help though...

Blink182 · Jul 17, 2006

ok if its SO long then put attachment as txt file or zip it to make smaller.

Log in or Sign up

Solved: Worm problem! Can't delete csrss.exe file!

Zri Thread Starter

Blink182 Banned

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Zri Thread Starter

Attached Files:

Panda_Activescan_ Log_File.zip

Blink182 Banned

Zri Thread Starter

Zri Thread Starter

Blink182 Banned

Sponsor

Welcome to Tech Support Guy!

Log in or Sign up

Solved: Worm problem! Can't delete csrss.exe file!

Zri Thread Starter

Blink182 Banned

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Zri Thread Starter

Zri Thread Starter

Attached Files:

Panda_Activescan_ Log_File.zip

Blink182 Banned

Zri Thread Starter

Zri Thread Starter

Blink182 Banned

Sponsor

Welcome to Tech Support Guy!

Useful Searches