computer restarts randomly, hjt log

SirKenin

banned
Ok. Those spyware programs are not going to get rid of that trojan. It is a mass mailer trojan and I'm not quite sure why it is being recommended that you try all those programs to get rid of it... :confused:

Here is the tool you need, courtesy of Symantec:

http://securityresponse.symantec.com/avcenter/FxNetsky.exe

It is entirely possible that the rebooting is caused by the rogue code. That makes the most sense.

Try this and see what happens.

EDIT:

In the future I recommend that you get rid of Norton completely, using their uninstall tool. It is completely useless. In its place install Avast! 4 Free Edition. Then, only have two spyware programs running memory resident. Ewido and Microsoft Defender. Defender is capable of stopping and killing processes that are "protected". That should keep you quite well protected.
 

palmmann

banned
sirkenin- i don't have norton??? and i already have avast.

it just finished, and said that w32.netsky was not found on my computer. damn. any other ideas?

please say i don't have to pay $50 an hour... i'm broke

i'll get defender, and stop all the other stuff i have running all the time (but ewido).
 

SirKenin

banned
rofl. No, you don't have to pay me shit unless you email me and ask me for help (or add me to MSN, and then start asking me for stuff). That has happened to me quite a few times already. Is there anything wrong with adding me and saying "hi, how's it going?". lol ;)

Ohhhhh. Wait a second.. I just scrolled through the thread again and I missed a crucial piece of information... You already removed that file.. When your log says "file missing" that means there is a registry entry there, but the file itself is gone. That's why my tool didn't work.

I apologize for that. Late night posting. Man, I gotta stop doing that.

Well, still, to be on the safe side, run that Ewido to search for rogue code. If Ewido doesn't get anything (which it probably will), then we can diagnose a hardware problem.

There are also a couple of viruses that cause computers to randomly reboot; many of the issues are solved if you have your XP completely up to date with Windows Update. Do you?

And don't worry, I only charge according to income. Let me see... What is 10% of 0? lol :D

I'll do some investigating for you when I get some time today.
 

palmmann

banned
thanks man. i've been tryin to do windows update, but it stops after i download the updates and tells me they can't install. last few times i ran ewido all it found is cookies, so i don't think it'll find anything. i'll run it anyway, it only takes an hour or so.

EDIT

make an hour more like 10-15 minutes. it's done, all it found was 15 tracking cookies.
 

SirKenin

banned
Can't do Windows updates either? Hmmmm. Something is definitely fishy.

Windows Update should have given you an error message telling you why the updates wouldn't install. Do you remember what it was perchance?
 

SirKenin

banned
Ok. For your Windows Update problem, try this:

http://djlizard.net/software/dial-a-fix

Also, I still question whether you have a virus. I'm wracking my brain trying to think of which one it could be.

Try doing a scan with Panda. Go to www.pandasoftware.com and look for the ActiveScan link. If Panda doesn't find anything, then you know you don't have any viruses.... That scan will find a flea at 100 paces.

Also, I recommend using Software Explorer to see if you can find anything running that shouldn't be. You will find that in Windows Defender.
 

SirKenin

banned
Ok. One thing at a time. Are you getting an error message with Windows Update? If so, which one is it?

Let's start there.
 

edifier

New Member
Can you run HJT and remove this entry again - O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)

Reboot and run HJT and let me know if it's still present.
 

palmmann

banned
from what i remember it said that the updates could not be installed. i'll try again and get it exact.

edifier-i'll do that in a minute.
 

SirKenin

banned
Ok, I need the exact message.

Don't worry about that entry too much for the time being. It is an entry for a Netsky virus that you used to have (you can look it up if you like, or I can provide you some links). Look in your Windows directory and see if the file is there. Make sure hidden files are shown. If it's not there, don't worry about it at the moment. I can tell you that it's not, though, because HJT reports that the file is gone.

Tell me what that error is and we can clean up your installer troubles. Did you run the fix I gave you? And if so have you tried since?
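
The "(file missing)" reading discussed in the posts above can be checked mechanically. This Python sketch is an added example, not part of the thread and not HijackThis code: it parses O23 service lines of the shape quoted in the thread and flags entries whose binary is gone. It also goes one step beyond the posts by flagging a core Windows process name that sits outside System32. The function name, the list of system process names, the `C:\WINDOWS` install path and every sample line except the csrss.exe one are assumptions or constructed.

```python
import re
from ntpath import basename, dirname, normcase

# Core Windows process names that legitimately live only in System32.
SYSTEM32_ONLY = {"csrss.exe", "lsass.exe", "services.exe",
                 "smss.exe", "winlogon.exe", "svchost.exe"}
SYSTEM32 = normcase(r"C:\WINDOWS\system32")  # assumption: Windows is in C:\WINDOWS

# Written against the O23 line quoted in the thread; the service name in
# parentheses is treated as optional (assumption).
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r'(?P<owner>.+?) - (?P<path>"?[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$'
)

def triage(log_text):
    """Return one finding per O23 line, with the flags that apply to it."""
    findings = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if not m:
            continue  # other HijackThis sections (O2, O4, ...) are ignored here
        path = m["path"].strip('"')
        flags = []
        if m["missing"]:
            # The registry entry survives although the binary is gone.
            flags.append("orphaned-entry")
        if m["owner"] == "Unknown owner":
            flags.append("unknown-owner")
        if (basename(path).lower() in SYSTEM32_ONLY
                and normcase(dirname(path)) != SYSTEM32):
            flags.append("system-name-outside-system32")
        findings.append({"service": m["name"] or m["display"],
                         "path": path, "flags": flags})
    return findings

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = r"""
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
O23 - Service: Example Updater (ExampleUpd) - Example Corp - C:\Program Files\Example\upd.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["service"], f["path"], ", ".join(f["flags"]) or "ok")
```

An "orphaned-entry" flag means only the leftover service registration needs cleaning up; it says nothing about whether other malware is still present.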
 

palmmann

banned
csrss.exe is no longer there

i have tried update since i have run the link you gave me, and still no dice. a pic of the error i get:
theNewBitmapImage.jpg

after that it just shows me the list of what i didn't install with info on each one
 

SirKenin

banned
You rebooted your computer before you tried to install them again, right? Because if not it will give you that error message.

Leave it with me. Right now I have the attention span of a ferret on meth, so it's a little hard for me to concentrate. :p
 

SirKenin

banned
Try these steps to get Windows Update working:

Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following commands, one at a time:

regsvr32 /u softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll
regsvr32 /u slbcsp.dll
regsvr32 /u mssip32.dll
regsvr32 /u cryptdlg.dll

Click OK if you are prompted.

Restart your computer.

Go back to your command prompt, type the following commands one at a time:

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 mssip32.dll
regsvr32 cryptdlg.dll

Reboot.

Go back to your command prompt and type the following:

net stop cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2
net start cryptsvc

Reboot and try the updates again.


If that doesn't work, try this:

Go to your command prompt.

Type in:

proxycfg -u

Restart Windows

Run Windows Update again.

It could also be your ISP running an outdated version of Apache.

Thing is, it would be nice to know the precise error code.
 

edifier

New Member
While you guys work on the update matter, I have seen references to malware that add entries to the registry along the lines of - Windows Updates/ DoNotAllowXPSP2.

Also the Hosts file has been tampered with. Do the following.

Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.

Another thing that seems to be forgotten is the 'Kaspersky' report which shows infections still present. Some minor, some more serious, including one in the System32 folder which seems to be able to manipulate the system to some degree. You should manually delete the following from safemode. Let me know if any entries would not delete.

C:\usb007.exe ( anything else there connected with this)
C:\WINDOWS\system32\vmmdiag32.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\BSINSTALL.exe
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617(2).exe
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\mirc617.exe
C:\Documents and Settings\Owner\Desktop\palmm\firefox down\XBINS-TIRC.rar
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\ (contents of this folder)
C:\Program Files\a-squared Free\Quarantine\ (contents of this folder)
C:\Program Files\SUPERAntiSpyware\Quarantine\ (contents of this folder)
C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/RNZO2YT3/ (contents of this folder)

Run ATF cleaner - Select all
Open it again. Select Firefox at the top and tick all boxes and run it.

Reboot into normal windows and if everything appears okay, flush system restore. 'Control Panel/ System/System Restore' and check the box ' Turn off system restore on all drives' click 'apply' and 'okay'. Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.

Let me know if any entries would not delete. If everything deleted, run another Kaspersky scan and post the scan log.
 

SirKenin

banned
Yeah, I'm not working on that one (obviously. lol).. You take the Kaspersky and I'll try and get his updater working.. Dumb piece of junk. So many people have problems with that Windows Update.
 

palmmann

banned
thanks for all the help guys, but i guess i have no options now. some guy from my isp (roadrunner) called and said that i have to disconnect my computer from the internet, and cannot reconnect until i reformat :(

i'm typing this from my palm, he let me keep my router connected.
 

palmmann

banned
Those are pretty harsh words! Is that what you're going to do?
i don't think i have any other choice :(

i guess so, i'm backing up right now.

THANKS FOR THE HELP!!!!!!!!!!!!!!!!!!!!!!

SIRKENIN AND EDIFIER ESPECIALLY!!!!!

i love you guys, thanks for the effort. i can't pay you, but you have my undying gratitude. if either of you has an xbox you want modded, send it to me and i'll mod it free. it's pretty much the only thing i can do for you that you might not be able to do...

thanks again,
palmmann
 