Overclock.net › Forums › Software, Programming and Coding › Networking & Security › [SOLVED] csrss.exe- Is it fake? Is it a virus?

[SOLVED] csrss.exe- Is it fake? Is it a virus? - Page 3

post #21 of 38
Can you download Malwarebytes and give it a run? Online scanners such as http://housecall.trendmicro.com are good to run to scan for anything left in this case as well.

The fact that your WoW account got banned and your email compromised definitely makes it sound like you're infected. If it's Gmail you can check the last 10 people who accessed your account at the bottom of the page. I wouldn't rub it off just yet. You should assume they stole all the information in your email, including bank accounts/logins. First secure your system, then change all your passwords.
post #22 of 38
Thread Starter 
See, this is where I get lucky. I have never used my credit card online, so even if my accounts are compromised, there isn't much they can do with the details they get.

I'll run Malwarebytes and NOD32 to see if they can find something, and then I'll try some online scanners like you suggested.
post #23 of 38
Quote:
Originally Posted by Varrkarus View Post
DLLs csrss.exe is using (Process Explorer):

There are 4 csrss.exe running, 3 of them are the fake ones.
The 3 fake ones are all using the same DLLs.
You got the Brontok worm. It's an email worm. Did you run Autoruns and verify online by right-clicking and choosing "Verify online" on all the entries that are shown as not verified?

Did you manage to download ComboFix and SUPERAntiSpyware?
If you do have the applications, I can give you the steps to clean it.
post #24 of 38
Quote:
Originally Posted by Varrkarus View Post
Ok, I managed to remove csrss.exe using 'Unlocker Assistant'.
Also, now when I plug a USB in, there is no virus created on it.
HOWEVER
When I boot up my system, an error message pops up that says

How can I get rid of this message on startup?
It annoys me -__-
See those ^reg entries I posted up there? For the ones with just .exe, look in those locations for the csrss.exe file and delete those entries from the registry. Remember it's still in your System Restore as well, so it's best you start a complete clean from one point and go through your system. I'm just looking for its DLL quickly.


Do the following. Don't skip any.

Enable a firewall

Go to Start->Run-> enter cmd

enter the following

netsh winsock reset
netsh winsock reset catalog
netsh interface ip reset C:\DAF-interface-resetlog.txt
netsh interface reset all
netsh firewall reset

Close the cmd prompt

CD Emulation Software DISABLE IT!!
Download this http://download.bleepingcomputer.com...f/Defogger.exe

Run it and click on the Disable button to disable your CD Emulation drivers

When it prompts you whether or not you want to continue, please click on the Yes button to continue
When its completed it will show finish

Then if it asks to reboot, do it.

Then start cleaning your system

Go to your uninstall or use revo uninstaller and look for entries like these

MyWay or MyWay Search Assistant
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
Viewpoint Toolbar (Remove Only)

Uninstall ALL old Sun Java versions because they have vulnerabilities, and then get the updated version.
Empty ALL Quarantine type folders for antivirus and antispyware applications.
Enable viewing hidden files, system files and file extensions

Right Click Start.
Select Explore
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click yes to confirm that you really want to do this.
Click Apply.
Click OK.

Empty your Recycle Bin by running Ccleaner

You need the following tools
SUPERAntiSpyware
Malwarebytes Anti-Malware ---> Rename the downloaded mbam-setup.exe file to mb.exe

ComboFix
You MUST save it to, and later run it directly from, your Desktop, not from anywhere else. Do not run it yet. If you are running AVG anti-virus, you will need to totally uninstall it in order to run ComboFix:

TDSSKiller
http://support.kaspersky.com/downloa...tdsskiller.zip

MGtools
http://forums.majorgeeks.com/chaslang/files/MGtools.exe

OTL
http://otl.sourceforge.net/otlv4_h.zip


Then run them in the following order

SUPERAntiSpyware
Malwarebytes Anti-Malware
ComboFix
TDSSKiller
MGtools

When it's all done, disable System Restore
1: Right click on the My Computer icon on your desktop and select properties.
2: Click on the system restore tab.
3: Check the box that says "Turn off system restore on all drives". Click OK.
4: Click Yes if you are prompted to restart the computer.

When rebooted, ^go back there and enable it again

When all is done

Run OTL
Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.
Manually delete any remaining logs or tools.


Run Ccleaner

Go to Start -> Run and enter the following with your XP disk in the tray
sfc.exe /purgecache
sfc.exe /scannow

Done
Edited by Spooony - 5/22/11 at 2:44am
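The post above relies on Process Explorer and Autoruns to tell the real csrss.exe from the worm's copies. The same three checks (image path, Authenticode signature, parent process) plus a sweep of the Run keys can be scripted; the block below is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes Windows PowerShell (2.0 to 5.1) in an elevated session, because the genuine csrss.exe runs as SYSTEM and its path is unreadable from a non-admin prompt, and it treats `%SystemRoot%\System32` as the only legitimate location.

```powershell
# Added example, not code from the thread. Enumerates every process named csrss.exe
# and flags instances that do not look like the genuine Client Server Runtime Process.
# Assumptions: Windows PowerShell (2.0-5.1) in an elevated session; the real binary
# lives under %SystemRoot%\System32 and carries a valid Microsoft signature.

$system32 = Join-Path $env:SystemRoot 'System32'

function Test-CsrssInstance {
    param($Proc)   # one Win32_Process object for a csrss.exe

    $path    = $Proc.ExecutablePath
    $reasons = @()

    if (-not $path) {
        $reasons += 'image path unreadable (session not elevated?)'
    } else {
        # Check 1: location. The worm in this thread dropped copies outside System32
        # and relied on the familiar name to blend in.
        if ((Split-Path $path -Parent).TrimEnd('\') -ne $system32) {
            $reasons += "runs from $path"
        }
        # Check 2: Authenticode. The real binary is signed by Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signature status $($sig.Status)"
        }
    }

    # Check 3: parent. smss.exe launches the real csrss.exe for each session and the
    # launching smss.exe child then exits, so the recorded parent PID normally no
    # longer exists. A copy started from explorer.exe or a Run key has a live parent.
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($Proc.ParentProcessId)"
    if ($parent -and $parent.Name -ne 'smss.exe') {
        $reasons += "parent is $($parent.Name) (PID $($parent.ProcessId))"
    }

    $verdict = 'ok'
    if ($reasons.Count -gt 0) { $verdict = 'SUSPECT' }

    New-Object PSObject -Property @{
        PID     = $Proc.ProcessId
        Session = $Proc.SessionId
        Verdict = $verdict
        Path    = $path
        Reasons = ($reasons -join '; ')
    }
}

Get-WmiObject Win32_Process -Filter "Name = 'csrss.exe'" |
    ForEach-Object { Test-CsrssInstance $_ } |
    Format-Table PID, Session, Verdict, Path, Reasons -AutoSize

# Persistence: the fake copy was re-launched from a registry Run entry at boot, so
# print every Run/RunOnce value whose command line mentions csrss.exe.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a value
        if ("$($prop.Value)" -match 'csrss\.exe') {
            "{0}\{1} = {2}" -f $key, $prop.Name, $prop.Value
        }
    }
}
```

Two caveats when reading the output. One genuine csrss.exe per session is normal, so a 64-bit desktop with session 0 and one logged-on user shows two instances marked `ok`; four, three of them sharing a foreign DLL set as in the quoted Process Explorer view, is not. And the checks are not equally strong: before PowerShell 5.1, `Get-AuthenticodeSignature` does not consult security catalogs, so a catalog-signed system file can report `NotSigned` even when it is genuine (Sysinternals `sigcheck` does check catalogs and is the cross-check), and check 3 can misfire if the exited parent's PID has since been reused by an unrelated process. A copy that fails the location check is suspect regardless of the other two.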
post #25 of 38
I got 2 of them running and Task Manager says they are "Client Server Runtime Process".
post #26 of 38
This is a very common problem; I had people at school with it, at work and at my learning institution.

They all vary, but some use a common way to transfer.

Basically it can go onto any USB device with enough storage; I have even cleaned it off a mate's iPod.

There are many ways to do it but the simplest is the best.

If you go to the USB device (flash drive, HDD, iPod, video camera, etc.) you should only find your files. The trick is to show hidden files and uncheck "Hide protected operating system files." It warns you, but click "Yes".

Now delete any foreign batch files (.bat) or any .exe files that look foreign. Sometimes some USB sticks like U3 have legitimate software hidden, but deleting these files is not the end of the world.

You should also find an Autorun.inf; this is the file telling the .exe to replicate and transfer.
So open it and delete everything inside. You may have to uncheck "read only" in file properties.
Fill the file with random text if you want; mine says "Shutup Virus".
Save Autorun.inf and then make everything that was hidden invisible again and you're sweet.

Your USB device will remain untouched as long as that updated Autorun.inf remains on it, as the infected computers need to place it on there to transfer; because you have it, it tricks them into thinking you're infected when you're not.

This may work for most of you but not all of you.

Hope I helped.

I have personally used this method many times, and the only reason I figured it out was because back when I was at school this happened to me. So I devised this way of removing and stopping this type of inconvenience.
Edited by Antistatic12 - 5/22/11 at 2:42am
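The post above does the USB clean-up by hand: show hidden files, look at what `autorun.inf` points to, then leave a harmless `autorun.inf` in place so a dropper cannot plant its own. The block below is an added example written for this page, not the poster's own method or any tool's code. It assumes Windows PowerShell on the machine the stick is plugged into, takes removable drive letters from WMI, and touches nothing except `autorun.inf`. It also goes one step further than the "fill it with junk" trick: the neutralise step replaces the file with a hidden, read-only directory of the same name, so a dropper's attempt to write a file called `autorun.inf` fails outright.

```powershell
# Added example, not code from the thread. For each removable drive: list hidden or
# system files at its root, parse autorun.inf and show which keys would launch
# something, then (optionally) replace the file with a locked folder of the same name.
# Assumptions: Windows PowerShell; drive letters from WMI; only autorun.inf is modified.

# autorun.inf is INI text: [section] headers and key=value lines. These keys tell the
# shell what to run or show when the drive is inserted or double-clicked.
$launchKeys = 'open', 'shellexecute', 'shell', 'icon'

function Read-AutorunInf {
    param([string]$Path)
    $section = ''
    $entries = @()
    foreach ($raw in (Get-Content -LiteralPath $Path -Force)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank / comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim()
            # "shell\open\command=evil.exe" style keys launch programs as well as "open="
            $launches = $launchKeys -contains (($key -split '\\')[0].ToLower())
            $entries += New-Object PSObject -Property @{
                Section  = $section
                Key      = $key
                Value    = $Matches[2].Trim()
                Launches = $launches
            }
        }
    }
    $entries
}

function Disable-AutorunInf {
    # Replace autorun.inf with a hidden, system, read-only DIRECTORY of the same name.
    # A dropper that tries to create a file called autorun.inf then fails, which is a
    # sturdier form of the "fill it with junk and mark it read-only" idea.
    param([string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        (Get-Item -LiteralPath $inf -Force).Attributes = 'Normal'   # clear read-only/hidden
        Remove-Item -LiteralPath $inf -Force
    }
    if (-not (Test-Path -LiteralPath $inf)) {
        $dir = New-Item -ItemType Directory -Path $inf
        $dir.Attributes = 'Hidden, System, ReadOnly'
    }
}

$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable
foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    "== $root"
    # Hidden/system files at the root: your own files should not be in here.
    Get-ChildItem -LiteralPath $root -Force |
        Where-Object { $_.Attributes -match 'Hidden|System' } |
        Format-Table Name, Length, Attributes -AutoSize

    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        "autorun.inf on $root :"
        Read-AutorunInf $inf | Format-Table Section, Key, Value, Launches -AutoSize
        # Uncomment once you have copied off the files you trust:
        # Disable-AutorunInf $root
    }
}
```

Read the `Launches` column before deleting anything: an `open=` or `shellexecute=` line naming a hidden `.exe` at the root is the replication hook the post describes, while an `icon=` line pointing at a vendor `.ico` is what a legitimate U3 or branded stick looks like. The directory trick only blocks droppers that create `autorun.inf` with a plain file write; malware that first deletes whatever is at that path still gets through, so it is a speed bump for the stick, not a substitute for cleaning the infected host.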
post #27 of 38
Quote:
Originally Posted by newpc View Post
i got 2 of them running and tast manager says they are "client server runtime process"
Is it running from the System folder?
Use process explorer as your task manager. Way better.
post #28 of 38
Quote:
Originally Posted by Spooony View Post
Is it running from the System folder?
Use process explorer as your task manager. Way better.
yep both are

EDIT: did End Task in Task Manager, BSOD'd the PC lol
Edited by newpc - 5/22/11 at 2:54am
post #29 of 38
Quote:
Originally Posted by newpc View Post
yep both are
Then it's legal.
post #30 of 38
Quote:
Originally Posted by Varrkarus View Post
So I plugged in my USB to transfer some work I was doing and BAM!
My antivirus, ESET NOD32, comes up with an alert saying a virus was created on my USB.

Here is a screenshot:

There's definitely something going on with csrss.exe but I don't know how to fix it :\
OK, first of all, turn off that dreaded autorun from the Control Panel; it does nothing but allow viruses.

Second, copy the content that you KNOW isn't infected, then format the USB stick.
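"Turn off autorun" in the Control Panel or Group Policy ends up as one registry value, `NoDriveTypeAutoRun`, a bitmask in which each set bit disables AutoRun for one drive type. The block below is an added example written for this page, not code from the thread, that decodes the current value and can set it to cover every drive type. It assumes Windows PowerShell in an elevated session for the machine-wide (HKLM) write, and the bit meanings follow the Win32 `DRIVE_*` drive-type constants.

```powershell
# Added example, not code from the thread. Shows and optionally sets the AutoRun
# policy that decides whether Windows acts on autorun.inf at all.
# Assumptions: Windows PowerShell, elevated for the HKLM write; bit meanings per the
# Win32 DRIVE_* constants (a SET bit disables AutoRun for that drive type).

$policyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$driveBits = @{
    0x01 = 'DRIVE_UNKNOWN'
    0x04 = 'DRIVE_REMOVABLE (USB sticks, floppies)'
    0x08 = 'DRIVE_FIXED'
    0x10 = 'DRIVE_REMOTE (network)'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'unknown/reserved'
}

function Get-AutoRunPolicy {
    # Reports the effective value in both hives; HKLM is the machine-wide policy.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\$policyPath"
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        if ($null -eq $value) {
            "$hive : NoDriveTypeAutoRun not set (Windows default applies)"
            continue
        }
        $stillAllowed = @()
        foreach ($bit in ($driveBits.Keys | Sort-Object)) {
            if (($value -band $bit) -eq 0) { $stillAllowed += $driveBits[$bit] }
        }
        if ($stillAllowed.Count -eq 0) {
            "$hive : NoDriveTypeAutoRun = 0x{0:X2}, AutoRun disabled for every drive type" -f $value
        } else {
            "$hive : NoDriveTypeAutoRun = 0x{0:X2}, AutoRun still allowed for: {1}" -f $value, ($stillAllowed -join ', ')
        }
    }
}

function Disable-AutoRunEverywhere {
    # 0xFF sets every bit: AutoRun off for all drive types, machine-wide.
    $key = "HKLM:\$policyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # Older Windows XP builds only honour NoDriveTypeAutoRun once this flag is set too.
    Set-ItemProperty -Path $key -Name HonorAutorunSetting -Value 1 -Type DWord
}

Get-AutoRunPolicy
# Disable-AutoRunEverywhere   # uncomment to apply; takes effect at the next logon
```

On Windows 7 the shell already ignores `autorun.inf` on USB sticks and only honours it on CD/DVD media, and XP and Vista received the same behaviour through a Windows Update in February 2011, so on a patched machine the value mainly matters for optical drives and for any third-party "autoplay" helpers that read it. It does nothing about a copy of the worm that is already running, which is why the format of the stick in the post above has to be paired with cleaning the host.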