[SOLVED] csrss.exe- Is it fake? Is it a virus? - Page 2

post #11 of 38
Thread Starter 
ComboFix doesn't want to run.
I downloaded it from http://www.bleepingcomputer.com/download/anti-virus/combofix
Quote:
Error:
You appear to have a corrupt download.
Please download a fresh copy of ComboFix.exe

You can close ComboFix by clicking the right corner of the progress bar.

I've tried changing the file name but no luck...
post #12 of 38
It ain't being run by "SYSTEM" so it's a dodgy one. Malwarebytes and HijackThis logs, stat!

EDIT: Also, don't use the default admin account for everyday use, and put a password on it. Not "admin" either.
Edited by linkin93 - 5/21/11 at 6:13am
post #13 of 38
http://www.neuber.com/taskmanager/process/csrss.exe.html

If this virus is part of a rootkit (and you're on x64), you'll need a scanner that does rootkits. My current favorite for that is VipreRescue. Run it from Safe Mode if you can.
http://live.sunbeltsoftware.com/
post #14 of 38
Ok.

Don't say it's wrong, but running a program like ComboFix, GMER or any anti-rootkit tool is a big no-no when running CD emulation software. It takes away its ability to detect rootkits.

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe <- this

Upload it to virustotal.com please

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) <- tick it, fix

HKLM\..\Run: [MSWUpdate]"C:\Documents and Settings\Administrator\Application Data\csrss.exe" <- virustotal.com

HKCU\..\Run: [MSWUpdate]"C:\Documents and Settings\Administrator\Application Data\csrss.exe" <- here it is again; that's not a system folder

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

Tick the first to fix. Download and run LSPFix.

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll <- ????????? Virustotal.com

O23 - Service: Apache2.2 - Unknown owner -C:\xampp\apache\bin\httpd.exe" -k runservice (file missing) <- tick fix

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner- C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

Update your Java. REMOVE THE OLDER JAVA VERSIONS!!!!!

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing) <- what and where is this?

Please download Process Explorer and Autoruns from filehippo.com

When you've got it, run Autoruns.
Then tick Verify Entries and Hide Microsoft Entries. Then tick Refresh.
Those that failed verification need to be looked at.

Process Explorer: go to csrss.exe, then Properties on it. Post all the DLLs it's using. You can copy and paste their names here. Just tick Show DLLs in the lower pane.

Please use Autoruns and delete the following

Entries named "ServiceTester" .

Entries named "LogonTester" .

Entries named "System Monitoring" and pointing to "<$LOCALAPPDATA>\WINDOWS\LSASS.EXE" .

Please use Unlocker to delete these:
"c:\desktop.ini" .

The file at "<$SYSDRIVE>\desktop.ini" .
The directory at "<$SYSDRIVE>\<$REGMATCH1>,filename=Folder.htt" .


Remove these with regedit:

Delete the registry value "AlternateShell=<$WINDIR>\<$REGMATCH1>.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\" .

Delete the registry value "AlternateShell=<$WINDIR>\<$REGMATCH1>.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\" .

Delete the registry value "AlternateShell=<$WINDIR>\<$REGMATCH1>.exe" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\" .

Remove ""<$SYSDIR>\shell.exe" " from registry value "" at "HKEY_CLASSES_ROOT\batfile\shell\open\command\" .

Remove ""<$SYSDIR>\shell.exe" " from registry value "" at "HKEY_CLASSES_ROOT\comfile\shell\open\command\" .
Remove ""<$SYSDIR>\shell.exe" " from registry value "" at "HKEY_CLASSES_ROOT\exefile\shell\open\command\" .

Remove ""<$SYSDIR>\shell.exe" " from registry value "" at "HKEY_CLASSES_ROOT\piffile\shell\open\command\" .


Delete the registry value "MSMSGS=<$LOCALAPPDATA>\WINDOWS\WINLOGON.EXE" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\" .


Delete the registry value "Debugger="<$SYSDIR>\Shell.exe"" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\" .

Remove "<$SYSDIR>\IExplorer.exe" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"
Edited by Spooony - 5/21/11 at 9:05am
post #15 of 38
Thread Starter 
VirusTotal Scans:
csrss.exe VIRUS 3/40 scans
other files were safe

HijackThis Fixed:
All fixes were successful

I'll post the rest as soon as I complete all the steps
post #16 of 38
Thread Starter 
desktop.ini doesn't exist...?
post #17 of 38
Thread Starter 
DLLs csrss.exe is using (Process Explorer):
Quote:
advapi32.dll
clbcatq.dll
comctl32.dll
comctl32.dll
comres.dll
ctype.nls
dnsapi.dll
gdi32.dll
hnetcfg.dll
imm32.dll
iphlpapi.dll
kernel32.dll
locale.nls
mdnsNSP.dll
mfc42.dll
mpr.dll
msctfime.ime
msimg32.dll
msvbvm60.dll
msvbvm60.dll
msvcp90.dll
msvcr90.dll
msvcrt.dll
mswsock.dll
ntdll.dll
ole32.dll
oleaut32.dll
psapi.dll
rasadhlp.dll
RocketDock.dll
rpchrome10browserrecordhelper.dll
rpcrt4.dll
scrrun.dll
secur32.dll
shell32.dll
shlwapi.dll
sortkey.nls
sorttbls.nls
StylerHelper.dll
sxs.dll
unicode.nls
UnlockerHook.dll
user32.dll
uxtheme.dll
version.dll
wbhelp.dll
wblind.dll
winmm.dll
winrnr.dll
wldap32.dll
ws2_32.dll
ws2help.dll
wshom.ocx
wshtcpip.dll

There are 4 csrss.exe running, 3 of them are the fake ones.
The 3 fake ones are all using the same DLLs.
post #18 of 38
Download process manager, and validate it. If it comes up as an invalid Microsoft process, then it is most likely a virus.
post #19 of 38
Thread Starter 
Ok, I managed to remove csrss.exe using 'Unlocker Assistant'
Also, now when I plug a USB in, there is no virus created on it
HOWEVER
When I boot up my system, an error message pops up that says
Quote:
"'csrss.exe' could not be found. Please make sure the name is spelt correctly."
How can I get rid of this message on startup?
It annoys me -__-
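The checks Spooony asked for in post #14 (is each csrss.exe in System32, running as SYSTEM, and signed; which Run keys launch it) and the orphaned Run entry behind the startup error in post #19, as an added PowerShell example that is not from this thread or from Autoruns, Process Explorer or HijackThis. It assumes PowerShell 3 or later on Windows, run elevated; the list of core process names to match against is my own choice, and the script is read-only.

```powershell
# Added example (not from this thread): read-only triage of csrss.exe and of the Run keys.
# The genuine csrss.exe lives in %SystemRoot%\System32 and runs as SYSTEM; a copy elsewhere,
# launched from a Run key, is what the thread is hunting.

function Test-CsrssProcess {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
        $o     = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $path  = $p.ExecutablePath          # may be null for the real, protected csrss
        $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '(unreadable)' }
        $flags = @()
        if ($path -and $path -notlike "$sys32\*")           { $flags += 'image outside System32' }
        if ($o.ReturnValue -eq 0 -and $o.User -ne 'SYSTEM') { $flags += 'not running as SYSTEM' }
        if ($path -and (Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
            # Catalog-signed OS files can report NotSigned on older Windows: a prompt to verify, not proof.
            $flags += 'Authenticode status not Valid'
        }
        [pscustomobject]@{ PID = $p.ProcessId; Owner = $owner; Path = $path; Flags = $flags -join '; ' }
    }
}

function Get-SuspiciousRunEntry {
    # The two Run keys the HijackThis log flagged (HKLM\..\Run and HKCU\..\Run).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $coreNames = 'csrss.exe', 'lsass.exe', 'winlogon.exe', 'smss.exe', 'services.exe'  # assumed list
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -in $meta) { continue }
            $cmd = [string]$props.$name
            # First token is the image; quoted as in the MSWUpdate entry, else cut at the first space.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            $why = @()
            if (-not (Test-Path -LiteralPath $exe)) { $why += 'target file missing (orphaned entry)' }
            if (([IO.Path]::GetFileName($exe) -in $coreNames) -and $exe -notlike "$env:SystemRoot\System32\*") {
                $why += 'system-binary name outside System32'
            }
            if ($why) { [pscustomobject]@{ Key = $k; Name = $name; Command = $cmd; Why = $why -join '; ' } }
        }
    }
}

Test-CsrssProcess | Format-Table -AutoSize
Get-SuspiciousRunEntry | Format-List
```

An entry reported as "target file missing" after the file has been deleted is the leftover that produces the "'csrss.exe' could not be found" message at logon; removing that value (in Autoruns or regedit) is what stops it.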
post #20 of 38
Autoruns.