cssrss creating HQS Trojan at startup

calvin333 · 05-25-2008, 10:22 AM

I have been getting Trojan warning for over a week everytime I run NOD on-demand scan, and I delete the trojan file everytime (they are in the system32 folder), but they keep coming back.

Finally tonight when I turned on the computer NOD pop up saying that an HQS trojan was created by the cssrss process in windows/system32/

I looked through there and saw csrss and cssrss processes, and I believe csrss is a legitimate MS process.

My question is : can I go in and delete cssrss ? Is it a legitimate MS process infected?

**grumpygit** · 05-25-2008, 10:36 AM

Hi and welcome to TSF.
cssrss.exe is not a legit process. It is loaded by the W32/FORBOT-CE worm.
http://www.castlecops.com/s6114-cssrss_exe.html

I recommend you follow the instructions in the link below and post your logs in the hijack this section. An analyst will check your logs and advise you on cleaning your machine.

http://www.techsupportforum.com/secu...oval-help.html

tetonbob · 05-25-2008, 08:32 PM

csrss.exe in system32 and system32\dllcache is a legit process. It should be 6,144 bytes on most XP machines.

cssrss.exe is not legit, as grumpygit has pointed out.

There's quite possibly something else on the system alongside...but in addition to deleting the file, you need to remove the loading point(s).

If you require assistance, follow the instructs in the link grumpygit has already provided.

calvin333 · 06-11-2008, 03:25 AM

First of all thank you for your replies.
I've been trying to do as instructed and scan with Panda ActiveScan but
IE and Firefox keep getting aborted when I'm about 30% complete (going from C to D drive)
and when the browser process was aborted then all data is lost.

So far after C drive scan I get about 7 infected files (mostly from RP3x files) but not getting scan complete is really frustrating. Is it because I don't have enough RAM (I have 512 MB)?

How do I remedy this situation and at least get scan completion?

calvin333 · 06-11-2008, 04:59 AM

Finally got Active Scan to run to completion.
I also use the Disinfect function to disinfect several trojan downloader in RP32... etc.
I am doing the DSS scan now and will post all logs in the Hijack this forum.

Thanks again.

05-25-2008, 10:22 AM	#1 (permalink)
calvin333 Registered User Join Date: May 2008 Posts: 27 OS: xp	cssrss creating HQS Trojan at startup I have been getting Trojan warning for over a week everytime I run NOD on-demand scan, and I delete the trojan file everytime (they are in the system32 folder), but they keep coming back. Finally tonight when I turned on the computer NOD pop up saying that an HQS trojan was created by the cssrss process in windows/system32/ I looked through there and saw csrss and cssrss processes, and I believe csrss is a legitimate MS process. My question is : can I go in and delete cssrss ? Is it a legitimate MS process infected?

05-25-2008, 10:36 AM	#2 (permalink)
grumpygit T-Shirt Winner Join Date: Oct 2006 Location: hertford, england Posts: 4,746 OS: win xp pro sp3 My System Blog Entries: 2	Re: cssrss creating HQS Trojan at startup Hi and welcome to TSF. cssrss.exe is not a legit process. It is loaded by the W32/FORBOT-CE worm. http://www.castlecops.com/s6114-cssrss_exe.html I recommend you follow the instructions in the link below and post your logs in the hijack this section. An analyst will check your logs and advise you on cleaning your machine. http://www.techsupportforum.com/secu...oval-help.html __________________ Grumpygit

05-25-2008, 08:32 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,735 OS: 2000 Pro; XP Pro; XP Home	Re: cssrss creating HQS Trojan at startup csrss.exe in system32 and system32\dllcache is a legit process. It should be 6,144 bytes on most XP machines. cssrss.exe is not legit, as grumpygit has pointed out. There's quite possibly something else on the system alongside...but in addition to deleting the file, you need to remove the loading point(s). If you require assistance, follow the instructs in the link grumpygit has already provided. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-11-2008, 03:25 AM	#4 (permalink)
calvin333 Registered User Join Date: May 2008 Posts: 27 OS: xp	Re: cssrss creating HQS Trojan at startup First of all thank you for your replies. I've been trying to do as instructed and scan with Panda ActiveScan but IE and Firefox keep getting aborted when I'm about 30% complete (going from C to D drive) and when the browser process was aborted then all data is lost. So far after C drive scan I get about 7 infected files (mostly from RP3x files) but not getting scan complete is really frustrating. Is it because I don't have enough RAM (I have 512 MB)? How do I remedy this situation and at least get scan completion?

06-11-2008, 04:59 AM	#5 (permalink)
calvin333 Registered User Join Date: May 2008 Posts: 27 OS: xp	Re: cssrss creating HQS Trojan at startup Finally got Active Scan to run to completion. I also use the Disinfect function to disinfect several trojan downloader in RP32... etc. I am doing the DSS scan now and will post all logs in the Hijack this forum. Thanks again.