Re: csrss.exe causing problems.
- From: "Frank Martin" <fm@xxxxxxxxxxxxxx>
- Date: Wed, 30 Jul 2008 10:12:40 +1000
I have been trying to solve this problem for some time, and when I use the Virus checker "F-Secure Internet Checker" this confirms that the files:
C:\Windows\Config\csrss.exe
C:\Windows\Config\supdate.exe
are causing the problem, and this F-Secure renames the files which fixes the problem.
Unfortunately, these files are also essential Windows files, therefore I ask:
Can I copy across the clean and uninfected files from the original WindowsXP pro disks? And how can I do this, and will this fix it?
Regards, Frank
"Frank Martin" <fm@xxxxxxxxxxxxxx> wrote in message news:O2tbJyw5IHA.2348@xxxxxxxxxxxxxxxxxxxxxxx
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23Ohd02t5IHA.3420@xxxxxxxxxxxxxxxxxxxxxxx
From: "Frank Martin" <fm@xxxxxxxxxxxxxx>
| I have WindowsXP pro.
| I first noticed a problem when I was unable to connect to my ISP most of the time, even though the "Windows Task Manager" networking tab, and the graph there, showed a lot of traffic leaving my computer and nothing coming in.
| Various virus scanners did not fix the problem.
| I downloaded a "TCPView" and noticed that when the problem occurred, numerous entries of "csrss.exe" occurred and the location of this was in C:\Windows\Config, and there was another file in this folder called "supdate.exe."
| When I close down the "csrss.exe" file in the TCPView window the problem disappears and my internet connection works OK.
| However, it always reappears about once a day requiring the same deletion. My ISP has said that during these periods of outward traffic it is all going to "somewhere in California".
| I have tried renaming the "csrss.exe", but then the computer does not work properly.
| Can anyone guide me to fix this problem; it has been occurring for several weeks.
| Regards, Frank
These are illegitimate...
C:\Windows\Config\csrss.exe
C:\Windows\Config\supdate.exe
You are indeed infected with malware.
You said "Various virus scanners did not fix the problem."
What were the anti virus scanners used and did they at least find anything in those files?
Chances are there are multiple load points for the malware and thus if you delete one, a "helper" will recreate the process. You would have to find the Load Points through software such as AutoRuns and remove the malware from being loaded by the OS as well as kill any running processes and then reboot.
You can find out what AV company detects them by submitting samples to Virus Total.
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition Virus Total will provide the sample to all participating vendors.
You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@xxxxxxxxxxxxxx?subject=SCAN
When you get the report, please post back the exact results.
The W32/DeleteMP3.worm is known to use:
C:\WINDOWS\system32\config\csrss.exe
http://vil.nai.com/vil/content/v_142869.htm
I don't think you have the above, based upon your description of traffic, you may have a spambot.
If you can not help yourself through the above processes, then I suggest guided help through an Expert Forum.
1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"
3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe
4. Save the scan results (Main.txt and Extra.txt)
5. And then post the contents of Main.txt and Extra.txt in your post in one of the below expert forums...
{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }
Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner Logs.
NOTE: Registration is REQUIRED in any of the below before posting a log
Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0
Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7
Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Thank you, I am following this through.
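
The path check behind the "These are illegitimate" verdict in this thread, as an added example that is not part of the original messages: the genuine csrss.exe runs from %SystemRoot%\System32, so a process using that name from any other folder is an impostor, and anything else running from the impostor's folder (supdate.exe here) is a likely helper. The process list, the PIDs and the choice of which names to treat as System32-only are constructed for illustration; the three csrss.exe/supdate.exe paths are the ones quoted in the thread.

```python
import ntpath

# Core Windows processes whose image normally sits directly in %SystemRoot%\System32.
# This selection of names is an assumption made for the example.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}


def norm_dir(path):
    """Directory of a Windows path, normalised and lower-cased (paths are case-insensitive)."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def find_impostors(rows, system_root=r"C:\Windows"):
    """rows: iterable of (pid, image_path). Returns a list of (pid, image_path, reason)."""
    expected = ntpath.normpath(ntpath.join(system_root, "System32")).lower()
    findings, bad_dirs = [], set()
    # Pass 1: a protected name is only valid in System32 itself, not in a subfolder of it.
    for pid, image in rows:
        name = ntpath.basename(image).lower()
        if name in SYSTEM32_ONLY and norm_dir(image) != expected:
            findings.append((pid, image, "system process name outside System32"))
            bad_dirs.add(norm_dir(image))
    # Pass 2: other executables running from a folder that hosts an impostor.
    flagged = {pid for pid, _, _ in findings}
    for pid, image in rows:
        if pid not in flagged and norm_dir(image) in bad_dirs:
            findings.append((pid, image, "runs from the same folder as an impostor"))
    return findings


# Constructed process listing (PIDs invented), shaped like TCPView's process/path columns.
SAMPLE = [
    (612,  r"C:\WINDOWS\system32\csrss.exe"),
    (1840, r"C:\Windows\Config\csrss.exe"),
    (1852, r"C:\Windows\Config\supdate.exe"),
    (2210, r"C:\WINDOWS\system32\config\csrss.exe"),
    (3024, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for pid, image, reason in find_impostors(SAMPLE):
        print(f"PID {pid:<5} {image}  <- {reason}")
```

Comparing the exact directory rather than a path prefix is what catches the system32\config variant mentioned for W32/DeleteMP3.worm.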