Unknown Malware

2 replies to this topic

#1 Edhandwork


  • Members
  • 1 posts
  • Local time:01:11 PM

Posted 13 April 2010 - 12:51 PM

Hello everybody,

I've been trying for several days to get rid of recurring malware, specifically scareware, on my computer. I'm running Windows XP and I believe it is SP3. I had XP Smart Security on my computer and managed to successfully get rid of it; however, now I am encountering a new scareware that displays the following:
"An unidentified program wants access to your computer: Windows security center block active process: csrcs.exe process try direct to memory process (whatever .exe program had tried to run)"
It then gives me two options: allow, which will close the program and return me to my desktop, or scan, which takes me eventually to a buy screen. The problem is it blocks me from doing anything while the initial scare message is up, and if I hit scan it won't allow me to close anything until I make a purchase (I assume this, as I have not made any purchases of any kind).

I did go all the way to the purchase screen to see if there were any identifiers for this scareware, and the only thing I am able to find is Security Center AV-Pack for TID, which has yielded no results on any web searches I have run.

This particular one is driving me batty, as MalwareBytes seems unable to pick it up at all (I have run several scans) and I can't even open Task Manager to see if I can find its .exe process, as I get the scare-screen.

Any help at all would be appreciated,

*edit: I'm also not the most techno-savvy person, I know just enough to get me in trouble :thumbsup:*

Edited by Edhandwork, 13 April 2010 - 12:53 PM.

#2 argyx


  • Members
  • 1 posts
  • Local time:12:11 PM

Posted 20 April 2010 - 12:29 AM

I saw this today after removing Antivirus XP. I found that running RKILL stopped it, so I started digging. RKILL was stopping something under RUNDLL32. After much trial and error, and using Sysinternals' Process Explorer, I found it was GDIPLUS.DLL in an All Users sub-folder. It was using some sort of LogOn trick in the registry to pull this off.

Unfortunately, I don't have access to the user's PC to check the exact details right now. I'd start with RKILL though.

Edited by argyx, 20 April 2010 - 12:32 AM.

#3 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:11 PM

Posted 22 April 2010 - 09:56 PM

Hello Edhandwork,

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
