Csrss.exe infection, cannot remove


10 replies to this topic

#1 Maurtrick


Posted 08 December 2013 - 07:57 AM

Hey Bleeping Computer, I'm contacting you because I'm down to the last teeth on this one. Normally I'd be able to resolve my own issues, but it seems I've bummed out on this Csrss virus.
 
As far as I know, whenever I start up my computer (Windows 7 Ultimate, 64-bit), the desktop/explorer will refuse to load. When I use Ctrl+Alt+Delete to bring up the Task Manager and try to use Run in order to start the explorer service, it just never comes up in the Task Manager. Upon further inspection, I seem to have two Csrss.exe processes running, which typically means one is infected.
 
So far, it's prevented me from doing a number of things. The first is starting explorer.exe (instead I just have a nice black empty screen with a cursor). The second is preventing me from making new user accounts via the command console; instead it gives me access error 5. The third is hiding itself from all of my anti-virus software (Malwarebytes, Microsoft anti-virus services, AdwCleaner and iObit so far). Fourth, I can't remove it from the processes list; otherwise it gives me a blue screen and forces me to restart my PC. Fifth, I can't find it in the registries of my computer or the msconfig startup services, so if it is starting up, I can't find how, as it's not in the Run or RunOnce registries for either the local user or my local machine. I've also attempted to use a System Restore, but it seems every time I get into the screen where it asks me to, my keyboard and mouse stop working, so I then have to restart my PC.
 
It's likely I've obtained this by downloading things I know I shouldn't. I've since removed these items, and the virus has unfortunately not gone away.
 
I really can't find any sort of way to resolve my issue, and I would love it if someone could help me with this. Kind regards,
 
Maurt.

Edited by Maurtrick, 08 December 2013 - 08:00 AM.




#2 cryptodan


Posted 08 December 2013 - 08:35 AM

Can you log into your computer using Safe Mode and run Malwarebytes?

#3 Maurtrick


Posted 08 December 2013 - 04:27 PM

I've tried it, and there's no outcome. Malwarebytes still can't find it. On that note, it messes with my Safe Mode, too. When I run Safe Mode, it goes to a black screen as my desktop and then just has the words 'Safe Mode' in each corner. There are still two csrss.exe processes running on top of that as well.



#4 cryptodan


Posted 08 December 2013 - 06:25 PM

That is the way Safe Mode is supposed to be, and that's how it has been since Windows 98.

Can you post the logs from malwarebytes?

#5 Maurtrick


Posted 08 December 2013 - 11:48 PM

No, as in, none of my desktop items will show up. Just the black screen with the words around all the sides. Not even explorer.exe loads in Safe Mode. I'm getting the logs now, I'll edit this post with them when I can.

 

EDIT: Logs from newest to oldest, divided by a =~=~=~=~ line. (Total of 4 scans; can someone confirm I have the latest Malwarebytes, too?)

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.12.06.03
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Lucas :: LUCAS-PC [administrator]
 
12/9/2013 3:39:45 PM
MBAM-log-2013-12-09 (16-32-25).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 435051
Time elapsed: 52 minute(s), 
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
 
(end)
 
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.12.06.03
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Lucas :: LUCAS-PC [administrator]
 
12/6/2013 11:43:49 PM
mbam-log-2013-12-06 (23-43-49).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 436137
Time elapsed: 50 minute(s), 37 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 5
C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)\AMTLib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Users\Lucas\Desktop\Microsoft Office Enterprise 2010 Corporate\Microsoft Office Enterprise 2010 Corporate\Office 2010 Toolkit\Office 2010 Toolkit.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\Lucas\Downloads\Torrents\Photoshop CS6\Adobe Photoshop CS6 Extended\DLL FILE\32bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Users\Lucas\Downloads\Torrents\Photoshop CS6\Adobe Photoshop CS6 Extended\DLL FILE\64bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
 
(end)
 

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.12.06.03
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Lucas :: LUCAS-PC [administrator]
 
12/6/2013 8:39:02 PM
mbam-log-2013-12-06 (20-39-02).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 435504
Time elapsed: 57 minute(s), 23 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 7
C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)\AMTLib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Users\Lucas\Desktop\Microsoft Office Enterprise 2010 Corporate\Microsoft Office Enterprise 2010 Corporate\Office 2010 Toolkit\Office 2010 Toolkit.exe (RiskWare.Tool.CK) -> No action taken.
C:\Users\Lucas\Downloads\Torrents\Photoshop CS6\Adobe Photoshop CS6 Extended\DLL FILE\32bit\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Users\Lucas\Downloads\Torrents\Photoshop CS6\Adobe Photoshop CS6 Extended\DLL FILE\64bit\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Program Files (x86)\Sanctum 2\Binaries\Win32\steam_api.dll (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\Users\Lucas\Desktop\TOSHIE AI\ACTIVATION V3.2 {LCD}.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
 
(end)
 
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.12.06.03
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Lucas :: LUCAS-PC [administrator]
 
12/6/2013 8:27:44 PM
mbam-log-2013-12-06 (20-27-44).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213955
Time elapsed: 4 minute(s), 57 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 7
C:\$Recycle.Bin\S-1-5-21-1684967258-2734043396-1104201979-1000\$RNM4FIG.exe (PUP.Optional.FilePile.A) -> Quarantined and deleted successfully.
C:\Users\Lucas\AppData\Local\Temp\nsi92FE.tmp (PUP.Optional.Somoto.A) -> Quarantined and deleted successfully.
C:\Users\Lucas\AppData\Local\Temp\nszA73.tmp (PUP.Optional.Somoto.A) -> Quarantined and deleted successfully.
C:\Users\Lucas\AppData\Local\Temp\setup.exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\Users\Lucas\AppData\Local\Temp\Download_F048\Pokemon_X_And_Emulator_Installer_Downloader.exe (PUP.Optional.FilePile.A) -> Quarantined and deleted successfully.
C:\Users\Lucas\Downloads\DTLite4471-0333.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Lucas\Downloads\MxRC.rar.exe (PUP.Optional.Installex) -> Quarantined and deleted successfully.
 
(end)
 

Edited by Maurtrick, 09 December 2013 - 12:35 AM.


#6 Maurtrick


Posted 10 December 2013 - 03:37 AM

After talking to a friend (who knows a bit about computer security) it might not be csrss.exe that's infected. He has two as well, but no signs of infection. I'm unsure what to do here, now. I may have just lost my most likely lead as to resolving this issue.
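
A defender's check for the question this post raises, added here as an example that is not part of the thread: it lists every process named like csrss.exe and reports whether each one is the genuine Windows binary (exact name, image under %SystemRoot%\System32, valid Microsoft Authenticode signature, one instance per session, started by smss.exe). It assumes an elevated Windows PowerShell 3.0 or later prompt; two processes that both come back as genuine, one per session, is the normal picture described here.

```powershell
# Added example, not from the thread. Run from an elevated prompt: csrss.exe's
# ExecutablePath is only readable with administrator rights.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

# Match loosely on purpose: look-alike names are the classic disguise.
$procs = Get-CimInstance Win32_Process -Filter "Name LIKE '%csrss%'"
foreach ($p in $procs) {
    $findings = @()

    # 1. Exact name (PowerShell string comparison is case-insensitive).
    if ($p.Name -ne 'csrss.exe') { $findings += "unexpected name '$($p.Name)'" }

    # 2. Image path: the real binary lives only in %SystemRoot%\System32.
    if (-not $p.ExecutablePath) {
        $findings += 'path unreadable (not elevated?)'
    } elseif ($p.ExecutablePath -ne $expected) {
        $findings += "unexpected path '$($p.ExecutablePath)'"
    } else {
        # 3. Authenticode: the genuine file carries a valid Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature status $($sig.Status)"
        }
    }

    # 4. Parent: csrss is started by a per-session smss.exe that normally exits
    #    right afterwards, so a missing parent is fine. A live parent that is not
    #    smss.exe is a lead, not proof (PIDs can be reused).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if ($parent -and $parent.Name -ne 'smss.exe') {
        $findings += "live parent is $($parent.Name) (PID $($parent.ProcessId))"
    }

    if ($findings) { $verdict = 'SUSPICIOUS: ' + ($findings -join '; ') }
    else           { $verdict = 'looks genuine' }

    [pscustomobject]@{
        PID     = $p.ProcessId
        Session = $p.SessionId      # one csrss.exe per session (0 and 1) is normal
        Path    = $p.ExecutablePath
        Verdict = $verdict
    }
}
```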



#7 cryptodan


Posted 10 December 2013 - 06:41 AM

Well, I do see that you have been torrenting programs, which can lead to infection, so can you please remove the illegally obtained Office and Photoshop installers, as they could contain methods to infect your computer.

Please download TDSSKiller exe version to your desktop.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  • Vista/Windows 7 users right-click and select Run As Administrator.
  • Click on Change Parameters and click Detect TDLFS File System.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • Note: If Cure is not an option, Skip instead; do not choose Delete unless instructed.
  • A TDSSKiller text file would be saved in Local Disk C.
  • Copy and paste the contents of that file in your next reply.


ADW Cleaner


Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#8 Maurtrick


Posted 11 December 2013 - 12:31 AM

  • FSS.txt
  • TDSSKiller log
  • AdwCleaner[S1]
  • JRT.txt


#9 cryptodan


Posted 11 December 2013 - 06:25 AM

I see no further issues, your computer appears cleaned up.

#10 Maurtrick


Posted 11 December 2013 - 06:50 AM

It's not. Upon restarting my computer the first time, I got a flash of a blue screen of death, and then my computer restarted. I ran a Windows system repair, and that fixed the issue and I could log back in, but the same issue is still occurring.



#11 cryptodan


Posted 11 December 2013 - 06:55 AM

We need to know more about your BSODs...

Download BlueScreenView (in Zip file)

No installation required.

Unzip the downloaded file and double-click on the BlueScreenView.exe file to run the program. When scanning is done, go to Edit > Select All.

Then go to File > Save Selected Items, and save the report as BSOD.txt.

Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

Compliments of Broni


How to Test your RAM



Guide Overview

The purpose of this guide is to teach you how to check whether your system's RAM (Random Access Memory) is working properly. Bad RAM can lead to a whole host of problems, which often do not appear to have a single cause -- appearing as systemwide glitches, blue screens, and other system trouble. MemTest86+ provides a very good detection mechanism for failed RAM, and is about as good a test as you get short of actually replacing the module itself.

Tools Needed
Please perform these steps from a separate, working machine.
Perform these steps on the problem machine.
  • Put your CD in the drive and configure your machine to boot to the CD. This is different on all machines, but it's usually by pressing F12 or F10 as your system boots, and selecting either "CDROM" or your cdrom drive. If you are unable to force a CDRom boot, reply with the make and model of your machine and I should be able to get you exact instructions.
  • If you've done it correctly, MemTest86+ will start to run automatically, as shown below:
    [screenshot: memtestStart.png]
  • If you want to be reasonably sure your RAM is OK, then allow MemTest to run until you see this message:
    [screenshot: memtestFinished.png]

    On the other hand, if you want to be completely sure your RAM is OK, allow MemTest to run overnight. Memtest will run forever until power is pulled on the machine.
  • Check the MemTest screen for any reported errors. Errors will appear as RED warnings at the bottom of the screen, similar to the following screenshot:
    [screenshot: memtestFail.png]
  • Hard-Reset the machine, removing the MemTest disk in the process.
If you didn't get an error screen, Congratulations! :)

Compliments of Billy O'Neal.



