Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible corruption in Java due to Malware+might have the corrupted file of csrss.exe

  • This topic is locked This topic is locked
1 reply to this topic

#1 Genjora


  • Members
  • 1 posts
  • Local time:05:29 AM

Posted 14 October 2011 - 04:00 PM

Hello;I was told to come here to post logs after downloading HijackThis. I have fully read the guide on how to post logs and have downloaded the dds program and the GMER program,so I will post these instead of the HijackThis ones.

My friend,who is a computer tech,came over last week and we were watching some videos and he noticed that they were loading very slowly and sometimes stopping randomly. We did a speed test and my speeds are fine and I have Verizon FIOS. Even my Ping was normal. Upon looking at the processes my computer was running,he said I might have a virus named csrss.exe. We completely did a scan with Malwarebytes and Windows Security Essentials;MalwareBytes didn't pick up anything,while Windows Security picked up some corruptions in my Java. It then proceeded to clean it and stuff.

I did more research on the csrss.exe process and I DO KNOW that this is a program that windows runs and that also comes with the computer but that it can get corrupted and can be used by keyloggers to steal passwords and such. Reference They also said you could be infected if you have two csrss.exe running instead of just one. So when I click on "show processes from all users" in the Task Manager,it shows two so now I'm a bit worried.
Now I possibly have this csrss.exe corruption and some other stuff that prevents me from watching videos by randomly stopping or loading very slow.

I was reading up on how to get rid of csrss.exe and I found that it could be removed by creating a new user account in your computer,copying all your important files to there,and deleting the old account. I did just that;I don't know a lot about very technical computer stuff,just basic stuff,so when I click to show all processes,it still shows 2 of them running,even after I created the new user account. I don't know if it's suppose to be like that or if it's infested...but that's why I am posting here,haha.
If my computer turns out to be fine,then I might just need to give ol' Verizon a call but I am absolutely positive this was not happening 1 month ago. My computer is from around 2004-05 so it's not the fastest thing ever but I have made sure it is kept clean thanks to my computer knowledgeable friend. I also recently got a new USB wireless adapter to connect to the router in my parents' room since my old wireless card died. So I don't know if it could be this new USB adapter but I am positive it works fine and I get full bars. And like I said,speedtest.net shows good ping(15ms,which isn't bad for wireless and sometimes it goes down to 5ms) and download of 15-13 mbps,upload of 5.50 mbps,which is what Verizon promises to give me.

Here is the log from DDS:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8080.16413 BrowserJavaVersion: 1.6.0_26
Run by Gengar1 at 16:24:19 on 2011-10-14
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.1704 [GMT -4:00]
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Configuration: {e6a9268b-f8c9-4748-b453-e7fa556d94b8} - Browser Enhancements
uRun: [Google Update] "c:\users\gengar1\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
TCP: DhcpNameServer =
TCP: Interfaces\{579DE4C3-6262-4DB4-B808-D9758650C6F8} : DhcpNameServer =
TCP: Interfaces\{AD105C69-8DCC-479C-840F-9E2724354A96} : DhcpNameServer =
TCP: Interfaces\{DF3C045F-A74B-4A37-A485-FC50FE9839D9} : DhcpNameServer =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-10-1 21728]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl357ea402;MpKsl357ea402;c:\programdata\microsoft\microsoft antimalware\definition updates\{a80d79b3-dae3-47ef-a168-960bff0df79f}\MpKsl357ea402.sys [2011-10-14 28752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-23 328536]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-10 366152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2011-10-1 699896]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-10 22216]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2011-5-24 143360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-30 2255464]
S2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2011-10-1 272864]
S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\ActionReplayDS.sys [2010-4-20 29184]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-9 15872]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-9 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-7-22 1343400]
=============== Created Last 30 ================
2011-10-14 04:25:26 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a80d79b3-dae3-47ef-a168-960bff0df79f}\MpKsl357ea402.sys
2011-10-14 04:25:14 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a80d79b3-dae3-47ef-a168-960bff0df79f}\offreg.dll
2011-10-14 04:25:11 7269712 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a80d79b3-dae3-47ef-a168-960bff0df79f}\mpengine.dll
2011-10-12 17:43:44 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{83cacf5c-16d7-41cf-b861-2ea48fee93ff}\gapaengine.dll
2011-10-11 14:38:46 -------- d-----w- c:\users\gengar1\appdata\roaming\NVIDIA
2011-10-11 14:38:42 -------- d-----w- c:\users\gengar1\appdata\roaming\Firestorm
2011-10-11 14:38:41 -------- d-----w- c:\users\gengar1\appdata\local\Firestorm
2011-10-11 14:30:29 -------- d-----w- c:\program files\Firestorm-Beta-Mesh
2011-10-11 03:49:22 -------- d-----w- c:\users\gengar1\appdata\local\Diagnostics
2011-10-11 02:35:05 388096 ----a-r- c:\users\gengar1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-11 02:34:59 -------- d-----w- c:\users\gengar1\riotsGamesLogs
2011-10-11 02:34:39 -------- d-----w- c:\users\gengar1\appdata\roaming\LolClient
2011-10-11 02:22:43 -------- d-----w- c:\users\gengar1\appdata\local\Google
2011-10-11 02:22:34 -------- d-----w- c:\users\gengar1\appdata\local\Deployment
2011-10-11 02:22:34 -------- d-----w- c:\users\gengar1\appdata\local\Apps
2011-10-11 02:08:41 -------- d-----w- c:\users\gengar1\appdata\roaming\Malwarebytes
2011-10-11 01:37:43 -------- d-----w- c:\program files\Trend Micro
2011-10-10 17:38:26 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-02 16:08:40 69632 ------w- c:\program files\common files\installshield\updateservice\issch.exe
2011-10-02 16:08:39 380928 ------w- c:\program files\common files\installshield\updateservice\agent.exe
2011-10-02 16:08:39 212992 ------w- c:\program files\common files\installshield\updateservice\ISDM.exe
2011-10-01 22:06:16 91376 ----a-w- c:\windows\system32\bcmwlcoi.dll
2011-10-01 22:06:16 699896 ----a-w- c:\windows\system32\drivers\bcmwlhigh6.sys
2011-10-01 22:06:16 3862528 ----a-w- c:\windows\system32\bcmihvsrv.dll
2011-10-01 22:06:16 3551232 ----a-w- c:\windows\system32\bcmihvui.dll
2011-10-01 22:06:16 1176312 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2011-10-01 22:06:15 21728 ----a-w- c:\windows\system32\drivers\SCMNdisP.sys
2011-10-01 22:06:11 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-10-01 22:06:11 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-10-01 22:06:10 96784 ----a-w- c:\windows\system32\Packet.dll
2011-10-01 22:06:10 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-10-01 22:06:09 -------- d-----w- c:\program files\NETGEAR
2011-09-26 18:48:30 914024 ----a-w- c:\windows\system32\nvdispco32.dll
2011-09-26 18:48:30 875112 ----a-w- c:\windows\system32\nvgenco32.dll
2011-09-26 18:48:30 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-09-26 18:48:30 2391656 ----a-w- c:\windows\system32\nvcuvid.dll
2011-09-26 18:48:30 2090088 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-09-26 18:48:30 12636776 ----a-w- c:\windows\system32\nvd3dum.dll
2011-09-26 18:48:30 10304104 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-09-26 18:48:29 5404776 ----a-w- c:\windows\system32\nvcuda.dll
2011-09-26 18:48:29 17193576 ----a-w- c:\windows\system32\nvcompiler.dll
2011-09-23 08:32:23 -------- d-----w- c:\program files\Stamps.com Internet Postage
==================== Find3M ====================
2011-08-29 05:18:16 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-03 11:50:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-08-03 11:50:00 600680 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-08-03 11:50:00 599144 ----a-w- c:\windows\system32\nvvsvc.exe
2011-08-03 11:50:00 3730024 ----a-w- c:\windows\system32\nvcpl.dll
2011-08-03 11:50:00 2558568 ----a-w- c:\windows\system32\nvsvc.dll
2011-08-03 11:50:00 2412136 ----a-w- c:\windows\system32\nvapi.dll
2011-08-03 11:50:00 16595560 ----a-w- c:\windows\system32\nvoglv32.dll
2011-08-03 11:50:00 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-07-22 14:28:48 97280 ------w- C:\bootsect.exe
2011-07-20 02:50:23 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-07-20 02:50:23 1699328 ----a-w- c:\windows\system32\esent.dll
2011-07-20 02:50:23 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2011-07-20 02:50:23 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-07-20 02:50:22 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-07-20 02:50:22 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-07-20 02:50:22 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-07-20 02:50:22 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-07-20 02:50:22 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-07-20 02:49:54 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-07-20 02:49:54 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-07-20 02:49:54 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-07-20 02:49:54 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-07-20 02:49:54 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-07-20 02:49:54 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-07-20 02:49:54 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
============= FINISH: 16:24:41.36 ===============

Attached Files

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:29 AM

Posted 19 October 2011 - 01:33 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Before suggesting any other tools I need to see the result of these scans.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.


Please Download

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users