
CSRSS.EXE, Norton AV and ZoneAlarm



 
 
Old 11-04-2003, 07:33 PM   #1
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME



My Problem started after clicking on the following link (careful):

http://cgi.ebay.com/ebaymotors/ws/eB...tem=2440339637

The site started to download some kind of JavaScript. Another person reported that their antivirus software picked up some kind of virus in it. A few other users reported antivirus program and firewall problems as well.

Here's what happened to my computer: after clicking on the above link and letting that page load, ZoneAlarm popped up a warning that the program CSRSS.EXE was trying to access the internet (Destination IP: 81.7.111.250, Port 3271) and act as a server, and that it had never accessed the internet before. This is normal for ZoneAlarm. It prompted me to allow or disallow the connection and I chose NOT to allow it. Soon after, ZoneAlarm and Norton AntiVirus both closed. Efforts to restart them did not work. Eventually ZoneAlarm locked down all internet access to/from my computer, saying that it had detected some kind of irregular function. So I rebooted, and neither program loaded at startup. Trying to load either program manually only results in the program being open for a few seconds before shutting down. I tried rebooting to my Norton AntiVirus rescue disks, but unfortunately the bootable floppy disk has a bad file and that won't work either.

I ran the Symantec Online virus scan and it completed and found no viruses or trojan horses. I am currently running a free online scan from Trend Micro, and so far it also has found no viruses or trojan horses. I've rebooted 8-10 times already, and neither program will load at startup and neither program will stay open when started manually.

Any ideas on how to figure out what is wrong?

-- jctrac
Old 11-04-2003, 10:47 PM   #2
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


First of all, if you do a search on Google for "CSRSS.EXE" you will find loads of stuff that may help. Having read a few articles, we need to know which OS you are using. Have a look at this article:
http://homepages.tesco.net/~J.deBoyn...space-bug.html

A search on the Symantec website http://www.symantec.com/search/ for “CSRSS.EXE” gives 7 possibilities:
W32.Dalbug.Worm
Spyware.LoverSpy
Backdoor.Hale
W32.Ahlem.A@mm
W32.Nimda.E@mm
Backdoor.Sokacaps
Backdoor.Ciadoor

Have a read of the articles on the Symantec website, they will tell you how to get your system and Norton up and running dependent on your OS.

Last of all It may be worth going to http://www.majorgeeks.com/download3155.html and downloading the HijackThis tool and posting the results.

Hope this helps.

-- SuperCub
Old 11-05-2003, 12:49 PM   #3
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME


I have Windows ME.
-- jctrac
Old 11-05-2003, 02:36 PM   #4
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME



Unfortunately, I had to pay Symantec Tech Support $69.95 to find this out. First of all, CSRSS.EXE is NOT a standard component of Windows ME. It is part of XP, but not ME. So the fact that I had it was already dubious.

This file loaded itself in many ways, various different Registry keys, Win.ini, system.ini, etc. I don't know what it was or what it intended to do, but its effect was to shut down any antivirus or software firewall program. Symantec wants me to quarantine it and send it to them for analysis, as the guy suspected it was a brand new virus of the type they are seeing hundreds of, namely viruses that shut down or damage NAV.

So, for any of you that clicked on that site, keep a lookout for strange behavior, it may be too new for your antivirus software to pick up at this point.
-- jctrac
Old 11-05-2003, 03:08 PM   #5
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


I say once again, have a read of the Symantec info; it's comprehensive and will give you help in restarting your anti-virus software. It will tell you how to look in the Exclusions before you scan, how to update your definition file by doing an update from the website rather than using LiveUpdate (which is probably not working), and how to use Safe Mode to do your scan.

You are correct that CSRSS.EXE is normally associated with NT, 2K and XP, not ME. However, if you read about Backdoor.Hale
http://securityresponse.symantec.com...door.hale.html
and W32.Ahlem.A@mm
http://securityresponse.symantec.com...hlem.a@mm.html
both can infect ME and are associated with your problem.

Read my first post again and have another look at the Symantec website.

You should not need to spend money asking the Symantec helpdesk to solve your problem; the people at Symantec have already written all the info you need on their website, which in my opinion is very well laid out, and the search engine is all you need to find the answers. I use it nearly every day.
-- SuperCub
Old 11-05-2003, 03:15 PM   #6
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME


OK, I just read the two links that you gave me. And I also thoroughly searched the Symantec website for about 5 hours last night before giving up. Neither of the two you just linked to, nor anything else that I found, described the behavior of the virus that I apparently got. It was different. Lots of different viruses and trojans use csrss.exe, but the one I got doesn't seem to be described anywhere on Symantec's website, Sophos's website, McAfee's website, or any other that Google may have found.
-- jctrac
Old 11-05-2003, 10:28 PM   #7
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


OK, I am going to give you a few tips to get the virus checker working. Once it is working I hope it will discover your problem. This is general stuff but should help.

In ME you must switch off the auto-restore. Read about how to do this here. I am only using this page for GENERAL information; we are not trying to look for a particular virus at this stage, so forget about the name of the virus at the top of the page: http://securityresponse.symantec.com...door.hale.html

Go to "Removal instructions", then read and carry out items 1, 2 and 3 before you try to scan. You should be able to open Norton whilst in Safe Mode; if you can't, then you will have to go about this a different way. Open Norton and go to Options > Norton AntiVirus; inside, click on Auto-Protect, then click on Exclusions. Now have a look and see if any of your files have been excluded from the checker; if so, delete this exclusion. Now repeat this exercise for Manual exclusions. Now read and carry out item 4. You should now be ready to carry out your first scan.

We still have other stuff to do; the above is part one. Let me know how you get on.

Don't worry too much about the name of your virus; different anti-virus companies call them different names. Your anti-virus software is very good at discovering viral activity no matter what the SOB is called. Also, it is unlikely that you have discovered a new virus not known before.
-- SuperCub
Old 11-06-2003, 01:40 AM   #8
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


I have set up a test on my test computer and have successfully caught your virus. Yes, it's a problem. I am going out on a call so I won't be able to look at this until I get back.

Tell you what I have discovered so far:

Log on to your machine in Safe Mode and do a search for scssr.exe. When you find it, right click and go to Properties, and change the attributes from Hidden to Archive.

Now reboot into DOS; to do this you will need a Windows boot disk from a clean machine. I will leave that to you. Now go to C:\Windows and rename the scssr.exe to scssr.old. Reboot into Safe Mode and you will be able to run your virus checker. That's as far as I have got; I am off out, I will talk to you again soon.


Watch this space I will come back to you later today or tonight.
-- SuperCub
Old 11-06-2003, 07:11 AM   #9
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME


I hope whatever it is doesn't do any damage to your machine.

I guess I wasn't clear about this in my last post, but the Symantec guy helped me clear the virus from my machine. It's been renamed and quarantined by NAV, removed from my Registry, win.ini and system.ini files, and submitted to Symantec as a possible new virus. So I think my machine is clear at the moment, as I have NAV and ZoneAlarm working again. FWIW, neither NAV, the Symantec online virus check, nor the online Trend Micro virus check caught this thing. I am very curious to see if you can identify what it is and, more importantly to me, why NAV and the online scans couldn't catch it.
-- jctrac
Old 11-06-2003, 07:52 AM   #10
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


I am back.

No, don't worry about my machine. I use a test unit which is in a clean and secure environment away from the rest of the network. I use it to test out different problems that my clients may have or that I am interested in. When I have finished, the build on this machine will be removed completely and a new one put in place; the machine is then virus checked and made ready for the next time.

I did not realize that you are now up and running, but I would be interested to know the full details, if you have the time to either include them in the current thread or send me a private message.

Thanks
-- SuperCub
Old 11-06-2003, 09:21 AM   #11
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME


Not many details to tell. I booted to a WinME startup disk which got me to a DOS prompt. I went to my C:\Windows folder, found that file, changed its attributes and renamed it. Then I rebooted and got error messages that CSRSS.EXE was missing, etc. Then I went into the Registry and deleted any keys that caused that file to load on startup (there were several), then I edited win.ini and system.ini to remove any references to it. Rebooted again and no more error messages; everything works normally. So I think it's gone. Then I quarantined the renamed file with NAV, which by the way still doesn't see any problems with the file, and sent it to Symantec.

I may never know what it was or what it intended to do. But I know I got it from that website and it slipped right by NAV which had very current virus definitions at the time.

By the way, one thing I did notice is that the file resets its own attributes every time it runs. So if you reboot before you clear the Registry keys, or before you remove it from win.ini and system.ini, it will re-hide itself.
-- jctrac
Old 11-06-2003, 09:33 AM   #12
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


Thank you for the reply. Yes, I have found all of those things, plus it puts cookies in the system.
I recommend that you do a run through with Spybot and Ad-Aware 6.0; you can read about and download them from http://www.majorgeeks.com/ under Spyware Tools. This will give you the final clear out.

OK, here is what I found. First, Norton does not find this infection. It successfully switches Norton off, both in normal and Safe Mode. It places a hidden file csrss.exe in the Windows directory. It makes entries in win.ini, system.ini and the Registry. It places cookies on the system. I have removed it successfully using a combination of a manual search, Spybot and Ad-Aware 6.0. Norton gave no help; when I did get it running, it found nothing.

I am pleased that you have had a successful outcome.
-- SuperCub
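The manual clean-up described in posts #8, #11 and #12 (a hidden csrss.exe in C:\Windows, load points in win.ini, system.ini and the Registry Run keys) is the kind of thing worth checking with a script rather than by eye. The following is an added example written for this page; it is not code from the thread, from Symantec, or from Spybot/Ad-Aware. It parses a constructed win.ini and system.ini and a constructed REGEDIT4-style export of the Run keys, reports every load point that references a given file name, and flags where csrss.exe may legitimately sit (assumed to be System32 under the system root on the NT family, and nowhere at all on 95/98/ME). All sample inputs are made up for the example; the script reads text only, so clearing the Hidden attribute and renaming the file from a boot disk still have to be done as the posts describe.

```python
"""Triage Windows 9x/ME startup entries for references to a given file.

Added example for this thread; not code from the posts or from NAV,
Spybot or Ad-Aware. Inputs below are constructed to mirror what the
thread describes (run= in win.ini, shell= in system.ini, Run keys).
"""
import ntpath
import re
from dataclasses import dataclass

# Registry keys whose values are executed at logon (last path component).
RUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}

# Win9x/ME load points in the .ini files: section and the keys to inspect.
# system.ini shell= normally reads "Explorer.exe"; anything appended to it
# is started alongside the shell, a classic Win9x persistence trick.
STARTUP_INI_KEYS = {
    "win.ini": ("windows", ("load", "run")),
    "system.ini": ("boot", ("shell",)),
}

# Constructed sample inputs (assumptions, not captured from a real machine).
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\CSRSS.EXE
NullPort=None
"""

SYSTEM_INI = r"""[boot]
shell=Explorer.exe csrss.exe
oemfonts.fon=vgaoem.fon
"""

REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"csrss"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""


@dataclass(frozen=True)
class Finding:
    source: str    # win.ini, system.ini or registry
    location: str  # section/key or registry value path
    value: str     # the command line as stored


def _parse_ini(text):
    """Minimal .ini reader: {section: [(key, value), ...]}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _refers_to(command, target):
    """True if any token of the command line has the target as its base name."""
    tokens = [t.strip('"') for t in re.split(r"[ ,]+", command) if t]
    return any(ntpath.basename(t).lower() == target.lower() for t in tokens)


def ini_startup_entries(name, text):
    """Non-empty load points from win.ini or system.ini."""
    section, keys = STARTUP_INI_KEYS[name]
    return [Finding(name, f"[{section}] {key}", value)
            for key, value in _parse_ini(text).get(section, [])
            if key in keys and value]


def registry_run_entries(reg_text):
    """String values under any Run* key in a REGEDIT4-style export."""
    findings, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            path = key.group(1)
            current = path if path.split("\\")[-1].lower() in RUN_KEYS else None
            continue
        val = re.match(r'^"([^"]*)"="(.*)"$', line)
        if val and current:
            data = re.sub(r"\\(.)", r"\1", val.group(2))  # undo .reg escaping
            findings.append(Finding("registry", f"{current}\\{val.group(1)}", data))
    return findings


def find_references(target, win_ini, system_ini, reg_export):
    """Every load point that would start `target` at boot or logon."""
    entries = (ini_startup_entries("win.ini", win_ini)
               + ini_startup_entries("system.ini", system_ini)
               + registry_run_entries(reg_export))
    return [f for f in entries if _refers_to(f.value, target)]


def assess_csrss(os_family, observed_path, system_root=r"C:\WINDOWS"):
    """csrss.exe belongs to the NT family (assumed: System32 under the
    system root); on Windows 95/98/ME its mere presence is a finding."""
    if os_family.lower() in {"9x", "95", "98", "me"}:
        return "unexpected: csrss.exe is not a Windows 9x/ME component"
    expected = ntpath.join(system_root, "System32", "csrss.exe")
    if ntpath.normcase(observed_path) == ntpath.normcase(expected):
        return "expected location"
    return f"unexpected location (system copy lives at {expected})"


if __name__ == "__main__":
    for f in find_references("csrss.exe", WIN_INI, SYSTEM_INI, REG_EXPORT):
        print(f"{f.source:<10} {f.location}: {f.value}")
    print(assess_csrss("ME", r"C:\WINDOWS\csrss.exe"))
```

On a real Win9x/ME box the inputs would be the actual C:\WINDOWS\win.ini and system.ini plus a `regedit /e` export taken from Safe Mode or the boot disk; because the file re-hides itself on every run (post #11), the useful order is: export and edit the load points first, then deal with the file. Finding the same name on all three load points at once, as the sample does, is the pattern the thread describes.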
Old 11-06-2003, 09:39 AM   #13
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME


Thanks for your help. I already have Ad-Aware; I will run it now, then download Spybot. Sounds like you encountered the exact same things I got. At least I know I'm not crazy, with other people telling me I didn't have a virus if NAV didn't pick it up. By the way, it also successfully shuts down ZoneAlarm in both normal and Safe Mode.

Let me know if you figure out exactly what this bug is, if other virus scanners besides NAV can catch it, and, for friends of mine that have visited that site, whether or not Win2k and WinME users are susceptible to it.
-- jctrac
Old 11-06-2003, 09:45 AM   #14
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


I shall watch the Norton and Sophos websites with interest. By the way, did you put in a bid on the Ferrari?
-- SuperCub
Old 11-06-2003, 09:49 AM   #15
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME


LOL, no. I shut down Internet Explorer once I saw strange things happening. Obviously too late. And I haven't been back!
-- jctrac
Old 11-06-2003, 09:53 AM   #16
Registered Member
 
Join Date: Nov 2003
Posts: 19
OS: Win ME


Hey, I just noticed that my Windows Media Player is gone! Did this happen to you as well? Perhaps related to the virus?
-- jctrac
Old 11-06-2003, 09:58 AM   #17
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


One of the things I noticed was that it used the Media Player to make the original infection. I was just about to blow away the build on the test machine so give me a while and I will get back to you.
-- SuperCub
Old 11-06-2003, 10:36 AM   #18
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


OK, here is what I have just done to retrieve it. Go to C:\Program Files\Windows Media Player and rename Mplayer2.exe to mplayer2.old. Then go to the Windows Update website and connect (you may not find an update for Media Player 9, but go back to your Program Files and click on SETUP_WM.EXE and you should download the latest version). I hope you have broadband!

Now this is a little worrying: what else has been changed? Personally I would consider blowing away this build and starting again. I would do a good job and make sure that I deleted the boot track and possibly overwrote the disk before using it again. If you need any help just ask. If you decide to carry on as you are, then keep a good backup of your data, and run Spybot, Ad-Aware and NAV on a very regular basis.
-- SuperCub
Old 11-06-2003, 10:41 AM   #19
Registered Member
 
Join Date: Nov 2003
Location: Colorado
Posts: 28
OS: WinXP Pro


Quote:
Originally posted by SuperCub
OK here is what I found First Norton does not find this infection. It successfully switches Norton off both in normal and safe mode. It places a hidden file csrss.exe in the windows directory. It makes entries in the win.ini, system.ini and the Registry. It places cookies on the system.
Beware of something else... There was a csrss.exe virus that went around last year that created similar havoc with Norton. The virus not only could switch off Norton on command, it would frequently make changes to the Norton files so that other viruses could get in undetected. The worst part of this virus was that it would program Norton to eventually self-destruct. Usually the time limit associated with the virus was indeterminate, based on how often you accessed the internet. If that is the virus you picked up (I pray it wasn't), your computer is a ticking time-bomb.

When (if) Norton self-destructs it will randomly delete files, system .ini files, .cab files, etc., permanently destroying your current operating system. I've found that sometimes uninstalling Norton and reinstalling it may work (sometimes not).

I suggest canning Norton and going with another virus protector, like PC-cillin.
-- cypher-neo
Old 11-06-2003, 10:50 AM   #20
Registered Member
 
Join Date: Sep 2003
Location: Hertfordshire England
Posts: 126
OS: Win 9x/2K/XP


OK, in view of what cypher-neo has said, I wouldn't wait for Norton to come back to you with an update; I would start over. I would also ask Symantec to refund your $68; after all, their product did not perform at all.

-- SuperCub
 


All times are GMT -7. The time now is 03:23 AM.


Copyright 2001 - 2014, Tech Support Forum
