
I Think I Have The Csrss Virus Or Something


2 replies to this topic

#1 dementedsnake


Posted 28 June 2006 - 06:07 PM

Hey, here's my problem. My computer's been running slow lately and my virus detection programs haven't found anything. So, going against all rational thoughts and intuitions, I decided to try out the virus scanner over at stopsign.com. You know the one. It's the "free" virus scanner advertised on TV. Anyway, I downloaded (I'm so gullible) the program and let it install. Spybot alerted me to several attempts at adding startup programs but I declined them all. After installation, I let it update and then I let it scan. It found two cookies and a virus (can't remember the name, I've already gotten rid of stopsign). I manually deleted the virus's file and it's forever gone. But that's not the problem. Since then, I've been curious about a file that's been running on my laptop. It's labeled as "csrss". Normally I wouldn't be so paranoid, but the program's pathway just looks weird. ( \??\C:\WINNT\system32\csrss.exe ) The thing is, there's another file with the same pathway. Again, this normally wouldn't alert me to any potential virus, but I noticed that other system files in the same location had different (filled out instead of "??") paths. This was enough to make me wonder. So, I tried to end the program with both the program manager and spybot. Neither worked.
(sorry for the huge paragraphs)

So, next, I decided to delete the file. I made a copy of it (labeled "Copy Of CSRSS.exe") (<--not sure about the capitalization here...) and tried to delete the file to see what would happen. The normal deletion way proved to be a waste of time; I kept the folder open. Instead, I used Spybot's "Secure Shredder" and got rid of the program. But instead, it just replaced itself after I had deleted it. Now I was sure it was some sort of virus or spyware because I had never seen a system file replicate itself after deletion. I went back to the folder where it was (c:\winnt\system32) and then I noticed that since the failed deletion attempt, another file had been created. (It had appeared at the bottom of the folder, out of line, along with the new csrss.exe file)

I used spybot to delete BOTH of these. They appeared again. (BTW: The other file is nonsensical, it's just a randomly named file with about 8 letters and a seemingly random extension.) Again, they both reappeared magically in the folder. I hit refresh (accident, I think) and all of the files were realigned. I found both files again. But I noticed two other files. Those too were deleted, and those too respawned.

So now I'm stuck. I can't delete these suspicious files and every time I try, they spawn more files...

Hope someone can help...

Oh, and here are the file names involved:
ayhegdjl.b
csrss.exe
Copy of csrss.exe
csrsrv.dll
Copy of csrsrv.dll
wsttmzrn.r

Also, I just remembered, I can't delete the copies I made either; so this might just be normal windows crap.

...

Oh, and since I started, files in the system folder are popping up that seem to be authentic files except for the fact that they are in Windows Media Player format. They're not media files, they're too small and will not run when clicked...

Hope this is just all in my head and not some virus, but if I am infected, then any help is appreciated.

EDIT: Oh, and I'm running Windows 2000.

EDIT EDIT: Like the idiot I am, I just noticed the pinned threads. I'm trying those suggestions right now.

Edited by dementedsnake, 28 June 2006 - 06:44 PM.




#2 rigel


Posted 29 June 2006 - 09:54 AM

Hi dementedsnake,

"I just noticed the pinned threads. I'm trying those suggestions right now."


Let us know how it goes... if you have any questions, please ask.

rigel

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 dementedsnake


Posted 03 July 2006 - 03:07 AM

Sorry it took so long to respond. All of my bookmarks got erased (Firefox glitch) and it took forever to figure out which site I had this posted on.

I'm about to redo all of the tests and things in the pinned threads. Last time, very few of them worked (one wouldn't even start).



