Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Feel like a noob, can't beat virus
Feel like a noob, can't beat virus

post #1 of 14
Thread Starter 
My friend got a trojan on a Windows 7 laptop. He has both csrss.exe and winlogon.exe. Neither process can be killed in task manager, they can't be deleted from Sys32, and I've tried some kill-process programs that also failed to stop them from running. Safe mode was also no help for trying the same things. Spybot failed to pick them up as problems and fix them. I don't wanna nuke his laptop, he has too much data to back up (it's a DJing laptop, so ALL of his music is there).


Any ideas OCN? Please and thank you!
post #2 of 14
Aren't those normal windows 7 processes?
post #3 of 14
Quote: Originally Posted by TFL Replica
Aren't those normal windows 7 processes?
This.
Plus if he's using it for his work, he really, *really* needs a backup for his data. Tell him he absolutely needs to go buy a pair of 1tb external drives.
post #4 of 14
Those are normal processes.

But if you think you have a virus/trojan/malware.

Run these programs in this order:

1. Combofix
2. Malwarebytes
3. Hitman Pro

If you know how to use hijackthis then I suggest running that to check the startup items. Mind you if you never have used hijackthis I wouldn't recommend running it, as it's not a virus scanner.
post #5 of 14

Hi man!
I had that problem on my sister's laptop too some time ago. At that time I found a perfect guide to remove it, basically by deleting that file AND the entry in the registry. I can't find it anymore but you should check this youtube video out.


Actually, csrss.exe is a normal Windows file, but if it is outside the C:\Windows\System32 folder it might probably be a trojan.
Hope it helps you!
Edited by d3viliz3d - 2/1/11 at 11:45am
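Post #4 suggests checking the startup items and post #5 says the fix was removing the file and its registry entry. The script below is an added example, not something posted in this thread or shipped with any of the tools named here: it reads the Winlogon Shell and Userinit values (the registry spots a winlogon.exe impostor usually tampers with) and the per-machine and per-user Run/RunOnce keys, and flags anything that does not match the stock Windows 7 defaults or that points at a user-writable folder or at a file named after a core system process. The default values and the "suspicious path" patterns are assumptions chosen for this example; a CHECK status means "look at this", not "this is malware".

```powershell
# Added example (not from the thread): dump the autostart locations that a
# winlogon/csrss impostor typically abuses and flag values that differ from
# the stock Windows 7 defaults. Run from an elevated PowerShell prompt.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Windows 7 defaults for the two values malware most often rewrites (assumed here)
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
}

function Test-WinlogonValues {
    param([string]$Key = $winlogonKey, [hashtable]$Expected = $expected)
    $props = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $actual = [string]$props.$name
        $status = 'CHECK'
        if ($actual -and $actual.Trim() -ieq $Expected[$name]) { $status = 'OK' }
        New-Object PSObject -Property @{
            Location = "Winlogon\$name"
            Value    = $actual
            Status   = $status
        }
    }
}

function Get-RunKeyEntries {
    # Per-machine and per-user Run/RunOnce keys: the other common persistence spots
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSDrive/... metadata that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Heuristics for this example: a launcher living in a user-writable
            # folder, or a file named like a core system process, is worth a look
            $suspicious = ($cmd -match '(?i)\\(temp|appdata|users|programdata)\\') -or
                          ($cmd -match '(?i)\\(csrss|winlogon|svchost|lsass)\.exe')
            $status = 'info'
            if ($suspicious) { $status = 'CHECK' }
            New-Object PSObject -Property @{
                Location = "$key\$($p.Name)"
                Value    = $cmd
                Status   = $status
            }
        }
    }
}

Test-WinlogonValues | Format-Table Location, Status, Value -AutoSize
Get-RunKeyEntries   | Sort-Object Status | Format-Table Location, Status, Value -AutoSize
```

Read the output the way HijackThis is meant to be read: the script only reports, it deletes nothing. A Userinit value with a second executable appended after the comma, or a Shell value other than explorer.exe, is the registry entry post #5 is talking about, and it needs removing together with the file it points to, otherwise whichever of the two survives will recreate the other.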
post #6 of 14
Quote: Originally Posted by allikat
This.
Plus if he's using it for his work, he really, *really* needs a backup for his data. Tell him he absolutely needs to go buy a pair of 1tb external drives.
This!

Who would not have backups for a laptop that they make a living off of??!

Are you sure that there is really a virus on it?
post #7 of 14
http://en.wikipedia.org/wiki/Vundo

Hijacked winlogon.exe, you'll see much higher memory usage. And because it can cause problems with your internet connection, you probably shouldn't download any more stuff. Try installing an antivirus from disk, then boot into safe-mode. Your friend might have to go buy Kaspersky or something because it will often hide from Malwarebytes etc. I don't really know what to do, but that sounds like what it is.
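Post #5 makes the point that csrss.exe is legitimate only when it lives in System32, and post #7 adds that a hijacked winlogon.exe shows much higher memory usage. The following is an added example, written for this page rather than taken from the thread or from any of the tools mentioned in it: it lists every running csrss.exe and winlogon.exe with its real image path, whether the file carries a valid Authenticode signature, and its working set, and flags the ones that fail those checks. The 50 MB working-set line is an arbitrary threshold assumed for the example. On Windows 7 the path of these protected processes is only visible from an elevated prompt, so a blank Path from a normal prompt is expected and not evidence of anything.

```powershell
# Added example (not from the thread): report every csrss.exe / winlogon.exe
# instance with its image path, signature status and memory use, and flag
# anything that does not look like the genuine Windows binary.
# Run from an elevated prompt; otherwise ExecutablePath comes back empty.

$targets  = @('csrss.exe', 'winlogon.exe')
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-SystemProcessReport {
    param([string[]]$Names = $targets)
    $procs = Get-WmiObject Win32_Process | Where-Object { $Names -contains $_.Name }
    foreach ($p in $procs) {
        $path       = $p.ExecutablePath
        $inSystem32 = $false
        $signer     = 'n/a (path not visible)'
        if ($path) {
            # Both binaries belong in %SystemRoot%\System32 and nowhere else
            $inSystem32 = (Split-Path $path -Parent) -ieq $system32
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -eq 'Valid') {
                $signer = $sig.SignerCertificate.Subject
            } else {
                $signer = "INVALID ($($sig.Status))"
            }
        }
        $flags = @()
        if ($path -and -not $inSystem32)       { $flags += 'path outside System32' }
        if ($path -and $signer -like 'INVALID*') { $flags += 'bad or missing signature' }
        # Rule of thumb from post #7: a hijacked winlogon.exe uses far more memory
        # than usual. 50 MB is an arbitrary threshold chosen for this example.
        if ($p.WorkingSetSize -gt 50MB)        { $flags += 'high working set' }
        New-Object PSObject -Property @{
            PID       = $p.ProcessId
            Name      = $p.Name
            Path      = $path
            ParentPID = $p.ParentProcessId
            WorkingMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            Signer    = $signer
            Flags     = ($flags -join '; ')
        }
    }
}

# Anything with a non-empty Flags column deserves a look before you delete it:
# a copy living under a user profile, or one Windows does not vouch for with a
# valid Microsoft signature, is the pattern the thread is describing.
Get-SystemProcessReport |
    Format-Table PID, Name, ParentPID, WorkingMB, Signer, Flags, Path -AutoSize
```

A genuine csrss.exe or winlogon.exe will refuse to die from Task Manager, exactly as the first post describes, because they are protected system processes; that behaviour on its own says nothing. What separates an impostor from the real thing is the path and the signature, which is why the script reports those rather than whether the process can be killed.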
post #8 of 14
I just had to fight a few very similar viruses. I ended up using malwarebytes in safe mode to locate everything, then manually going through and deleting the files and registry entries. Took me forever hoping malwarebytes would be successful; in the end I had to do it.
post #9 of 14
Quote: Originally Posted by KittensMewMew
http://en.wikipedia.org/wiki/Vundo

Hijacked winlogon.exe, you'll see much higher memory usage. And because it can cause problems with your internet connection, you probably shouldn't download any more stuff. Try installing an antivirus from disk, then boot into safe-mode. Your friend might have to go buy Kaspersky or something because it will often hide from Malwarebytes etc. I don't really know what to do, but that sounds like what it is.
All the utilities I suggested are free; also, I use them on a daily basis to remove infections from my clients' machines. The only thing that these scanners will not remove very well are MBR rootkits, in which case you need to boot off the win7 disk, open the command prompt and run the commands fixboot and fixmbr to remove those infections, followed by running the scans I mentioned above.
post #10 of 14
What I'd suggest is: download Kaspersky onto a memory stick, boot in safe mode, do a full scan. That will most likely clean the whole system. Well, that's what I do anyway.