Status
Not open for further replies.
1 - 7 of 7 Posts

Registered · 4 Posts · Discussion Starter · #1
Hello

My XP machine on start-up started to throw up a number of error messages regarding csrss.exe. After ok-ing them, and trying to get online, I found that although I could connect to the internet, I couldn't access any pages whatsoever. I have another pc, so could use that to get online, and having read a lot of stuff from many sources (including these forums), figured that csrss.exe must be the cause.

I have run the following programs, and have not been able to remove the offending item.

cleanup30
cwshredder
hijackthis
killbox
adaware se personal (& vx2cleaner)
malware removal
tmas-web-scan
spybotsd
spysweeper

I cannot delete the csrss file, I can't stop it from running, I can't format the hard drive, and am completely stumped as to how to remove it. If anyone could point me in the right direction, I'd be very grateful as I am at a loss as to what to do next.

I have posted the latest hjt log file below.

Logfile of HijackThis v1.99.1
Scan saved at 21:45:36, on 14/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cwshredder.net/cwshredder/cwsredir.php?target=tmas
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
 

Registered · 4 Posts · Discussion Starter · #2
I've just noticed something a little disconcerting...

As I can't view any online webpages with the ill pc, I have been downloading relevant anti-spyware/clean-up programs and saving them to a memory stick. This only had the wanted files on it... now I have just spotted that the csrss.exe file is on here too - and I didn't put it there!

Surely this can't be right?!?!? Any assistance gratefully received :smile:
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello Tay,

This is a very scant log. If you disabled items from running at Startup through msconfig, please re-enable them.

Please run another scan with HijackThis from Normal Mode and post the log here.
 

Registered · 4 Posts · Discussion Starter · #4
Thanks for the reply.

I've posted a new log under here, but that too is scant. I haven't disabled anything, but there isn't much on this machine as I had to reinstall xp recently.

Logfile of HijackThis v1.99.1
Scan saved at 13:35:47, on 15/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\Ellis\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
 

TSF Security Manager, Emeritus · 42,836 Posts
Hi Tay,

I'm not seeing anything in this log. Can you tell me what error messages you get on start up relating to csrss.exe?
That is a legit file as it is running from the proper directory:
Description:
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.
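
The check applied by eye in the reply above (is csrss.exe running from the proper directory?) can be run over a whole HijackThis log. This is an added example, not part of the original thread or of HijackThis; the expected-directory table assumes a default C:\WINDOWS install, and the last two flagged sample lines are constructed.

```python
import ntpath
import re

# Assumption for this example: a default Windows XP install under C:\WINDOWS.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = dict.fromkeys(
    ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
     "lsass.exe", "svchost.exe", "spoolsv.exe"), SYSTEM32)
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# First drive-letter path ending in .exe on a log line (quotes excluded).
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
ENTRY = re.compile(r"\s*[A-Z]\d+ - ")  # R1, O4, O23 ... registry/autorun items

def misplaced_system_binaries(log_text):
    """Return (source, path) for core process names outside their home directory."""
    findings = []
    for line in log_text.splitlines():
        match = EXE_PATH.search(line)
        if not match:
            continue
        # Windows paths are case-insensitive, so compare in lower case.
        directory, name = ntpath.split(match.group(0).lower())
        expected = EXPECTED_DIR.get(name)
        if expected and directory.rstrip("\\") != expected:
            source = "entry" if ENTRY.match(line) else "running process"
            findings.append((source, match.group(0)))
    return findings

# Lines in the style of the thread's second log; E:\csrss.exe and the final
# O4 entry are constructed for this example.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
E:\csrss.exe

O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O4 - HKLM\..\Run: [example] C:\WINDOWS\Temp\svchost.exe
"""

if __name__ == "__main__":
    for source, path in misplaced_system_binaries(SAMPLE_LOG):
        print(f"{source}: {path}")
```

A matching path only rules out a same-named file running from another location; it does not show that the file on disk is unmodified, so a clean result here still calls for a proper scan.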
 

Registered · 4 Posts · Discussion Starter · #6
Hello

I received various error messages, but all were similar (one said something about sockets?!?!), the only one which I noted was "cannot start ActivSurf: init failed". I am fairly sure that the csrss.exe message followed this. I should have explained that this isn't actually my pc with the problem - it belongs to a friend with less computer knowledge than me... I said that I'd look at the pc for her as she can't get online, and she knew that I could.

However, at xp start-up, the error message appeared app. 20 times, and just one instance of the others. The subjects of those other messages were

updsvc.exe
appcompat.txt

Until ok-ing them, it was impossible to do anything.

This friend has just informed me (a tad late) that she had been receiving emails (message undeliverable). When she looked at them, she saw that these emails had been sent to addresses that she did not recognise.

I was fairly sure that the system was now clean - thanks for replying that the log file looked ok. It is now possible to view web pages, and this system now has a lot of security, and is a hell of a lot cleaner. I've also learned a lot. :wink:

Thanks again.
 

TSF Security Manager, Emeritus · 42,836 Posts
HijackThis is one of many tools used to detect malware and doesn't always show everything. I think it would be wise to do the following: :smile:

Perform an online scan using Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click on 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ... begins downloading Panda's ActiveX controls - 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
 