|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
06-09-2006, 04:44 PM
|
#1 (permalink) |
|
Registered User
Join Date: Oct 2005
Posts: 17
OS: XP
|
csrss.exe?
I have read other posts and have PM'd Subs about this but I would like to know the steps to stopping this worm because it keeps coming back no matter what I do.
here is my hjt log Logfile of HijackThis v1.99.1There, I know i need darknights thing that weeds out the bad stuff automatically i dont have a link so please help. |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
06-10-2006, 07:29 PM
|
#2 (permalink) |
|
Analyst, Security Team
|
greyknight17....
 Program was discontinued...I don't see any signs of it...you are probably talking about the MSN virus. Be careful because there is a legitimate file called csrss.exe and you don't want to delete it. Let's use the tool to check: Download MsnVirRem at http://www.greyknight17.com/spy/MsnVirRem.exe and save it to your desktop. First close any other programs you have running as this will require a reboot. Double click MsnVirRem.exe to run it. Once open, click the button labeled 'Search and Destroy'. Your computer will now be scanned for Infected Files. When scanning is finished you will be prompted to reboot only if infected. Click OK. Now click the 'REBOOT' button. After the reboot, you will receive file not found errors (usually 4). Please acknowledge them and continue. A message should popup from MsnVirRem. If not, double click the program again and it will finish. Post the contents of C:\msnvirrem.log along with a fresh HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
06-11-2006, 11:37 AM
|
#3 (permalink) |
|
Registered User
Join Date: Oct 2005
Posts: 17
OS: XP
|
MsnVirRem Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\JT\Desktop 6/11/2006 1:33:21 PM ---Infection Files Found--- NO INFECTION FILES FOUND - Cleaning Aborted. and the hjt log Logfile of HijackThis v1.99.1 Scan saved at 1:35:50 PM, on 6/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\Spybot-Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot-Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing) Oh and do you have nay idea why I can no longer run windows media player? not a big deal but my little brother tried to update to v.11 beta and now I cant even use wmp! No biggie if you dont know just sort of wierd that that happens |
|
|
|
|
06-11-2006, 01:25 PM
|
#4 (permalink) |
|
Analyst, Security Team
|
OK, according to the scan you don't have the infected csrss.exe file there. There should be a valid csrss.exe file in your c:\windows\system32 folder. So if that's the one you are talking about, leave it alone. It's legit.
Not sure what's wrong with Media Player, but I do see that it's trying to locate a service to run the sharing feature, but it's not found. Try updating to v11 beta again if you can. Otherwise, try using a System Restore point to go back before the v11 beta install.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
| Thread Tools | |
|
|
