
Think I'm infected and csrss.exe won't run at Start-Up


20 replies to this topic

#1 the doomed

the doomed

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 28 June 2011 - 04:41 AM

Running XP, getting error message at Start-Up saying csrss.exe won't run.

Seems my Avast is also disabled.

Anyone able to point me in the right direction please?



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:02 AM

Posted 28 June 2011 - 07:08 PM

It may be fake csrss.exe.
Depending on file location.
What is the EXACT message?

Except for Avast can you use computer normally?
If not, what are any other issues?

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 the doomed


Posted 29 June 2011 - 03:43 AM

[duplicate]

Edited by the doomed, 29 June 2011 - 03:46 AM.


#4 the doomed


Posted 29 June 2011 - 03:46 AM

Thanks.

"Windows cannot find 'C:\DOCUME~\User\LOCALS~1\Temp\csrss.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."
[OK]

"Could not load or run 'C:\DOCUME~\User\LOCALS~1\Temp\csrss.exe' specified in the registry. Make sure the file exists on your computer or remove the reference in the registry."
[OK]

-after hitting both OK buttons the system then loads fully.

Have updated Avast version and definitions and it (Avast) seems to load without any problems now.

However, IE is not loading webpages.

#5 Broni


Posted 29 June 2011 - 06:23 PM

That's definitely a fake.
No .exe file should be present in temporary folders.
Legit csrss.exe file is located in C:\Windows\System32 folder.

We'll have to run some checks...

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===========================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt



 


#6 the doomed


Posted 30 June 2011 - 08:32 AM

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
avast! Free Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 6
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````



--------------------------------------------------

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6986

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

30/06/2011 14:24:23
mbam-log-2011-06-30 (14-24-23).txt

Scan type: Quick scan
Objects scanned: 181378
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 Broni


Posted 30 June 2011 - 08:54 PM

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:

On completion of the scan click "Save log", save it to your desktop and post in your next reply:

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=========================================================================

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



 


#8 the doomed


Posted 01 July 2011 - 04:32 AM

Scan below. Don't know if it makes any difference but scans all done in safe mode.


aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-07-01 10:02:44
-----------------------------
10:02:44.046 OS Version: Windows 5.1.2600 Service Pack 3
10:02:44.046 Number of processors: 2 586 0x1C02
10:02:44.046 ComputerName: PC223112131188 UserName: Administrator
10:02:44.937 Initialize success
10:02:46.843 AVAST engine defs: 11062900
10:03:04.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:03:04.531 Disk 0 Vendor: TOSHIBA_MK6028GAL BN101C Size: 57231MB BusType: 3
10:03:06.562 Disk 0 MBR read successfully
10:03:06.578 Disk 0 MBR scan
10:03:07.437 Disk 0 unknown MBR code
10:03:09.468 Disk 0 scanning sectors +117194175
10:03:09.546 Disk 0 scanning C:\WINDOWS\system32\drivers
10:03:29.171 Service scanning
10:03:34.406 Disk 0 trace - called modules:
10:03:34.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
10:03:34.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4eab8]
10:03:34.421 3 CLASSPNP.SYS[f7777fd7] -> nt!IofCallDriver -> \Device\00000071[0x86f70948]
10:03:34.421 5 ACPI.sys[f76ce620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f50940]
10:03:34.718 AVAST engine scan C:\WINDOWS
10:20:52.078 AVAST engine scan C:\Documents and Settings\Administrator.PC223112131188
10:22:11.187 AVAST engine scan C:\Documents and Settings\All Users
10:23:32.578 Scan finished successfully
10:23:58.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.PC223112131188\Desktop\MBR.dat"
10:23:59.015 The log file has been saved successfully to "C:\Documents and Settings\Administrator.PC223112131188\Desktop\aswMBR.txt"

#9 Broni


Posted 01 July 2011 - 07:47 PM

Any reason why safe mode?
RKUnhooker will not run in Safe Mode.



 


#10 the doomed


Posted 04 July 2011 - 02:26 PM

Any reason why safe mode?
RKUnhooker will not run in Safe Mode.

can get IE to load pages in normal mode.

#11 Broni


Posted 04 July 2011 - 03:30 PM

Download RKUnhooker in Safe Mode with Networking.
Restart in normal mode and see if RKU will run.



 


#12 the doomed


Posted 04 July 2011 - 03:32 PM

Have just completed running it now.

Nothing detected.

#13 Broni


Posted 04 July 2011 - 03:44 PM

I'd like to see the log.

Also, can you update and run MBAM in normal mode?



 


#14 the doomed


Posted 04 July 2011 - 04:33 PM

Posting now in normal mode having run MBAM and removed 3 threats.


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
==============================================
>Stealth
==============================================




Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7021

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/07/2011 22:23:25
mbam-log-2011-07-04 (22-23-25).txt

Scan type: Quick scan
Objects scanned: 183551
Time elapsed: 30 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
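
The two signals this thread turns on, a system process name outside System32 (post #5) and the per-user Load and Shell autostart values MBAM removed (post #14), written as a check over registry autostart entries. This is an added example, not part of the original posts or of any tool used in the thread; the sample entries are constructed, and the names `audit`, `exe_of`, `SYSTEM32_ONLY` and `PER_USER_HOOKS` are hypothetical.

```python
import ntpath
import re

# Processes that legitimately run only from %SystemRoot%\System32.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
# Per-user values MBAM flagged in the log above: (key suffix, value name).
PER_USER_HOOKS = {(r"windows nt\currentversion\windows", "load"),
                  (r"windows nt\currentversion\winlogon", "shell")}

def exe_of(command):
    """Extract the executable path from a registry command line."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, maybe with arguments
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def audit(key, value, data, system_root=r"C:\Windows"):
    """Return the reasons (possibly none) an autostart entry looks suspicious."""
    reasons = []
    exe = exe_of(data)
    folder, name = ntpath.dirname(exe).lower(), ntpath.basename(exe).lower()
    if folder and name in SYSTEM32_ONLY and folder != (system_root + r"\System32").lower():
        reasons.append("system process name outside System32")
    # Compare path components so 8.3 short forms (LOCALS~1\Temp) match as well.
    if {"temp", "tmp"} & set(folder.split("\\")):
        reasons.append("executable in a temporary folder")
    k, v = key.lower(), value.lower()
    if data.strip() and k.startswith("hkey_current_user") and any(
            k.endswith(suffix) and v == hook for suffix, hook in PER_USER_HOOKS):
        reasons.append("per-user Load/Shell value is set")
    return reasons

# Constructed sample entries. The Temp path is the one quoted in post #4; pairing it
# with the Load value is an assumption (the MBAM log does not show the value data).
SAMPLE = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "Load",
     r"C:\DOCUME~\User\LOCALS~1\Temp\csrss.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r'"C:\Documents and Settings\User\Local Settings\Temp\update.exe" -s'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     "explorer.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleAV",
     r'"C:\Program Files\ExampleAV\exampleui.exe" /nogui'),
]

if __name__ == "__main__":
    for key, value, data in SAMPLE:
        print(value, "->", audit(key, value, data) or "ok")
```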

#15 Broni


Posted 04 July 2011 - 04:40 PM

Very good :)

How are the issues?

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.



 




