PDA

View Full Version : CSRSS.exe



Codex
30-01-2005, 10:40 PM
ok, i recently found that a new process was starting on my computer, a virusi believe, because now theres two csrss.exe's, one is located in:
C:\WINNT\system32\plzpygoj\csrss.exe
and the other in:
C:\WINNT\system32\csrss.exe

i have removed all startup information about the C:\WINNT\system32\plzpygoj\csrss.exe one but there is also a registry key that keeps on tryig to install on startup called kill.reg so yea any help wud be great :badpc: :badpc:

bartsdadhomer
30-01-2005, 10:54 PM
You might find a file by the same name in the root of your C drive, that needs to go as well
May have to turn on show all files to see it
If it won't delete you will need to use taskmanager to stop the process
You will have to disable it in msconfig/startup first, but you say you've alraedy done that

Codex
30-01-2005, 10:57 PM
You might find a file by the same name in the root of your C drive, that needs to go as well
May have to turn on show all files to see it
If it won't delete you will need to use taskmanager to stop the process
You will have to disable it in msconfig/startup first, but you say you've alraedy done that
ok i cant run msconfig because parantly it doesnt exist(wat the hell?? lol) so i went and removed al lthe registry keys relating to it manually(god it takes ages lol) so yea

godfather
30-01-2005, 10:58 PM
C:\WINNT\system32\plzpygoj\csrss.exe

Definately malware.

Download HiJackThis (Google will find it for you) and run it, have that clean up that process.
It finds every process, including valid ones, so just take out that one.

Post a copy of your HJT log back here if you need to.

Codex
30-01-2005, 11:15 PM
heres the log

Logfile of HijackThis v1.99.0
Scan saved at 11:07:45 p.m., on 30/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\plzpygoj\csrss.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mindbeat\MPower\MPower.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Web Tools\CKA.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Remote Disconnection Utility\RDServer.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.974\Hi jackThis.exe
C:\WINNT\system32\ipconfig.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O1 - Hosts: 62.93.200.61 irc.westwood.com
O1 - Hosts: 62.93.200.61 servserv.westwood.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MPower] "C:\Program Files\Mindbeat\MPower\MPower.exe"
O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Symantec\Web Tools\CKA.exe
O4 - Startup: Shortcut to Local Area Connection.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Remote Disconnection Server.lnk = C:\Program Files\Remote Disconnection Utility\RDServer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42D9986E-E19D-4D97-8F17-2AE653213469}: NameServer = 203.97.33.14 203.97.37.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC88AA40-3D67-42BE-8BCE-09D18A158283}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

bartsdadhomer
31-01-2005, 09:38 AM
You may have been infected with the Cool WebSearch Trojan at some stage which corrupts msconfig
See this page here & download & install another
http://www.spywareinfo.com/~merijn/winfiles.html
If that doesn't work download & install Spybot & run it in advanced mode & use the tools > startup menu to remove the offending entries

And WOW, Nortons sure has a hold on a heap of your systems resources

Codex
31-01-2005, 12:18 PM
lol yea nortan does take a bit but its all good :D

godfather
31-01-2005, 12:28 PM
Tick this one
C:\WINNT\system32\plzpygoj\csrss.exe

And have HJT fix it, then delete the file and folder. Safe mode if needed.