Click here to get back home

csrss.exe causing problems.
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.security.virus    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
csrss.exe causing problems. Frank Martin 07-15-2008
Get Chitika Premium
Posted by Frank Martin on July 30, 2008, 4:01 am
Please log in for more thread options
"David H. Lipman"
message
>
> | I have been trying to solve this problem
> for
> | some time, and when I use the Virus
> checker
> | "F-Secure Internet Checker" this confirms
> | that the files:
>
> | C:\Windows\Config\csrss.exe
> | C:\Windows\Config\supdate.exe
>
> | are causing the problem, and this
> F-Secure
> | renames the files which fixes the
> problem.
>
> | Unfortunately, these files are also
> essential
> | windows files, therefore I ask:
>
> | Can I copy across the clean and
> uninfected
> | files from the original WindowsXP pro
> disks?
> | And how can I do this, and will this fix
> it.
>
>
> | Regards, Frank
>
>
> The name csrss.exe may be legitimate bu the
> file is not. The malware is using the
> legitimate file name csrss.exe to obfuscate
> its malicious intent.
>
> The legitimate file belongs and execute
> from; %windir%\system32
>
> Now go post in one of the Expert Forums
> like I suggested to you two weeks ago.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV -
> http://www.pctipp.ch/downloads/dl/35905.asp
>
>

I have joined "Castlecops" but for the life
of me I cannot see where to post a message.
There is no area to type into. What button
should I
push?

Frank



Posted by Malke on July 30, 2008, 9:16 am
Please log in for more thread options
 Frank Martin wrote:


> I have joined "Castlecops" but for the life
> of me I cannot see where to post a message.
> There is no area to type into. What button
> should I
> push?

If Castle Cops doesn't work for you, choose a different place. But do it
now; your computer is infected.

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25Look
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ


Posted by Frank Martin on July 30, 2008, 7:59 pm
Please log in for more thread options
I tried "aumha.net" but where here is the
"HijackThis forum" button on which to click.




message
> Frank Martin wrote:
>
>
>> I have joined "Castlecops" but for the
>> life
>> of me I cannot see where to post a
>> message.
>> There is no area to type into. What
>> button
>> should I
>> push?
>
> If Castle Cops doesn't work for you, choose
> a different place. But do it
> now; your computer is infected.
>
> http://aumha.net/ - Click on the HijackThis
> forum. Read the announcement and
> the stickies *first*.
> http://www.atribune.org/forums/index.php?showforum=9
> http://aumha.net/viewforum.php?f=30
> http://www.bleepingcomputer.com/forums/forum22.html
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25Look
> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://spywarewarrior.com/viewforum.php?f=5
> http://forums.techguy.org/54-security/
> http://forums.tomcoyote.org/
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers - Don't Panic!
> FAQ -
> http://www.elephantboycomputers.com/#FAQ
>



Posted by Malke on July 30, 2008, 8:53 pm
Please log in for more thread options
Frank Martin wrote:

> I tried "aumha.net" but where here is the
> "HijackThis forum" button on which to click.

Both PA Bear and I gave you links. If you can't get to where you need to,
then take the machine to a computer repair shop. I have no idea how to tell
someone "click here" in writing. In any case, if you seriously cannot
figure out how to post in one of those forums, you shouldn't be working on
the computer yourself. I say that not to hurt your feelings but simply as a
practical matter.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ


Posted by Frank Martin on July 31, 2008, 2:49 am
Please log in for more thread options

message
> Frank Martin wrote:
>
>> I tried "aumha.net" but where here is the
>> "HijackThis forum" button on which to
>> click.
>
> Both PA Bear and I gave you links. If you
> can't get to where you need to,
> then take the machine to a computer repair
> shop. I have no idea how to tell
> someone "click here" in writing. In any
> case, if you seriously cannot
> figure out how to post in one of those
> forums, you shouldn't be working on
> the computer yourself. I say that not to
> hurt your feelings but simply as a
> practical matter.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers - Don't Panic!
> FAQ -
> http://www.elephantboycomputers.com/#FAQ


Well I did get into the "AumHa" site, and I
followed a few posts which gave me a clue how
to fix it; see following:-.

I have since discovered the problem was
caused by a pernicious worm masquerading as
csrss.exe in the C:\Windows\Config folder.

It was probably a spambot because it was
causing so much outflow from my computer that
I couldn't get to use the internet at all.

I cannot imagine what was being sent out!

I got rid of it by running the "HijackThis"
software and identifying the registry string
that was causing the trouble, and deleting
it.

Then I deleted csrss.exe and all is well so
far.

Now I always check the "Windows Task Manager"
(networking tab) to observe any activity when
I'm not using the internet, and now there is
zero activity unless I'm using it.

I found the Virus checker "F-Secure" was the
only one of many that actually identified the
location of the worm; Computer Associates &
ZoneAlarm flopped badly. This "F-Secure"
actually unzips files to check for malware,
although a complete scan takes a long time -
like overnight.

Regards, Frank









Similar ThreadsPosted
windows 2000, have a virus that is causing pop ups all over the pl July 23, 2005, 4:58 pm
Suspected virus causing windows temp to fill up January 30, 2008, 4:07 pm
Cursor problems August 3, 2006, 2:39 am
Problems with Multi-AV January 16, 2007, 12:01 am
Virus Problems need help! January 17, 2008, 10:26 pm
Trojan-Win.32 problems October 21, 2008, 1:40 am
Problems with RPC, networks and possible virus December 4, 2005, 10:20 am
SpyWare or Virus Problems? December 18, 2005, 10:46 pm
Vundo Trojan Problems June 11, 2008, 9:11 am
Cleaning up a 2nd Computer w/Virus Problems? August 26, 2005, 6:59 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap