Tech Support Forum banner
Status
Not open for further replies.
1 - 20 of 26 Posts

·
Registered
Joined
·
18 Posts
Discussion Starter · #1 ·
First off i'm new here and I want to thank anyone in advance for any help!!
I downloaded a norton antivirus torrent for my girlfriends computer and I think it came with a virus or trojan or spyware.
Everytime I start her computer now it tell me...
Windows cannot find 'C:WINDOWS\config\csrss.exe'. make sure you types the name correctly, and then try again. To search for a file, click the START button

Now the internet is super slow and I cant even go to regular sites like myspace, google, or yahoo.:upset:

I also have a second problem. I accepted a a winrar from someone on msn messenger and now my computer sends it out to all the people on my msn messenger buddy list when i'm on.:4-dontkno

PLEASE HELP AND THANKS IN ADVANCE!!! O AND WE HAVE WINDOWS XP.
 

·
Registered
Joined
·
327 Posts
It's surprisingly easy to hide malware in torrent software.

You would be a lot better off paying for the software next time.
 

·
Registered
Joined
·
327 Posts
Well it was my first time useing torrents so I was just downloading music and stuff, but I learned my lessen
Can you please help me?
Well it's just a microsoft runtime file.

If you have your windows cd, you could just do a repair.

It's only a few steps, and it can fix quite a few problems.
 

·
Registered
Joined
·
327 Posts
Thanks man but how do I do that??? I'm not to savy when it comes to comp.:sigh:
I suggest you read through this once, so you'll have a feel for it before you start. It's not complicated, but if you don't read it first, you could misunderstand something and jump the gun in the wrong direction.





XP Repair install
_______________



1) Boot the computer using the XP CD. You may need to change the boot order in the system BIOS so
the CD boots before the hard drive. Check your system documentation for steps to access the BIOS and
change the boot order.
________________________________________________________________________________________

2) When you see the "Welcome To Setup" screen, you will see the options below

This portion of the Setup program prepares Microsoft
Windows XP to run on your computer:

1) To setup Windows XP now, press ENTER.

2) To repair a Windows XP installation using Recovery Console, press R.

3) To quit Setup without installing Windows XP, press F3.

-------YOU WANT TO PRESS ENTER HERE---------

Do not choose "To repair a Windows XP installation using the Recovery Console, press R",
(you Do Not want to load Recovery Console).
________________________________________________________________________________________

3) Accept the License Agreement and Windows will search for existing Windows installations.
________________________________________________________________________________________

4) Select the XP installation you want to repair from the list and press R to start the repair.
If Repair is not one of the options, END setup.

________________________________________________________________________________________

5) Setup will copy the necessary files to the hard drive and reboot.

After the reboot - Do not press any key to boot from CD when the message appears.

Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.

Done.
________________________________________________________________________________________
 

·
TSF Team Emeritus , Microsoft Visitng Expert
Joined
·
4,279 Posts
Hello elferoz2k5

Windows cannot find 'C:WINDOWS\config\csrss.exe'.
I think this is the worm or trojan you downloaded.
Note it is located in 'C:WINDOWS\config

The legitimate csrss.exe file is located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, trojan or worm!

Run your antivirus and spyware programs and if they do not find and delete it please do the following.......
Please follow our 5 Step process outlined here:

http://www.techsupportforum.com/sec...read-before-posting-malware-removal-help.html

After running through all the steps, please post the requested logs in the HijackThis Log Help forum.
http://www.techsupportforum.com/security-center/hijackthis-log-help/

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #9 ·
THANKS Dunedin!!!!!!!!!!!!
I'll do all the 5 steps next weekend, because I work alot during the week and then i'll reply...but thanks alot bro...I'm realllllllyyyyy Thankful:wave:
 

·
TSF Team Emeritus , Microsoft Visitng Expert
Joined
·
4,279 Posts
elferoz2k5 :smile:

I`m going on holiday on Friday so I won`t be able to answer you next week.

There are lots of others to help though :smile:

Good luck. I hope you manage to get it cleaned up.
 

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
Thanks, Dunedin! You are correct!!

@Rob 1, config\csrss.exe is assuredly malware in that location.

http://www.threatexpert.com/reports.aspx?find=Config\csrss.exe

The OP is experiencing a message from Windows complaining of a file missing at startup. An orphaned registry item is the likely cause of the error message, either in a winlogon\\shell or other startup location.

@ elferoz2k5 -

You'd do well indeed to follow Dunedin's instructions when you get the time. Even if this entry is orphaned, there may be more dross left behind.
 

·
Registered
Joined
·
327 Posts
Thanks, Dunedin! You are correct!!

@Rob 1, config\csrss.exe is assuredly malware in that location.

http://www.threatexpert.com/reports.aspx?find=Config\csrss.exe

The OP is experiencing a message from Windows complaining of a file missing at startup. An orphaned registry item is the likely cause of the error message, either in a winlogon\\shell or other startup location.

@ elferoz2k5 -

You'd do well indeed to follow Dunedin's instructions when you get the time. Even if this entry is orphaned, there may be more dross left behind.
The problem isn't that the file showed up in the malware location during a spyware scan though. It's a file that windows is not able to locate.
 

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
This is why:

The OP is experiencing a message from Windows complaining of a file missing at startup. An orphaned registry item is the likely cause of the error message, either in a winlogon\\shell or other startup location.
Something, perhaps the OP's resident, already deleted the file.

With the registry entry present, Windows is complaining.

Just because there's an error from Windows does not mean it's a Windows file which is missing.

There are many cases on the boards of users with "file missing" messages, many of which stem from orphaned startups.
 

·
Registered
Joined
·
327 Posts
I could see where Norton deleted/quarantined a virus and caused this.

But windows not finding the file, doesn't sound like an active virus to me.

It would be easy enough for thread starter to install AVG or Avast, and run a scan to double check what Norton has cleaned up.
 

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
@ Rob 1 -

I'm not sure you're understanding what I'm trying to tell you.

I'm not saying it's an active infection (though from the OP's comments, there may well be more on the machine). I'm saying the registry has an orphan at startup. The file is missing from a Windows startup procedure. It matters not that the file was from an infection. The startup remains. The Windows message appears. There are two ways to take care of that. Restore the file (not desirable, because that file is malware) or remove the offending orphan from the registry. This can be done manually if one knows their way around the registry, or with removal tools at our disposal.

Where in the registry can be determined once elferoz2k5 posts logs in the HJT forum.

Also, your suggestion of installing a second or third antivirus is not the best idea, if you mean to suggest to install another AV at the same time as Norton. Having more than one resident antivirus application installed at one time can cause system issues.

It would also not likely address the OP's situation.

Let's not hijack this thread any longer.

@ elferoz2k5 -

Please also change your MSN Messenger password.
 

·
Registered
Joined
·
327 Posts
@ Rob 1 -

I'm not sure you're understanding what I'm trying to tell you.

I'm not saying it's an active infection (though from the OP's comments, there may well be more on the machine). I'm saying the registry has an orphan at startup. The file is missing from a Windows startup procedure. It matters not that the file was from an infection. The startup remains. The Windows message appears. There are two ways to take care of that. Restore the file (not desirable, because that file is malware) or remove the offending orphan from the registry. This can be done manually if one knows their way around the registry, or with removal tools at our disposal.

Where in the registry can be determined once elferoz2k5 posts logs in the HJT forum.

Also, your suggestion of installing a second or third antivirus is not the best idea, if you mean to suggest to install another AV at the same time as Norton. Having more than one resident antivirus application installed at one time can cause system issues.

It would also not likely address the OP's situation.

Let's not hijack this thread any longer.

@ elferoz2k5 -

Please also change your MSN Messenger password.
You're right about that. I should have added, that when I do that I always delete the program when I'm done.

I also run Symantec antivirus, and on the odd occasion where something didn't look right, i've ran alternate scans to double check that all was good.
This includes going from PestPatrol, to Spybot S&D and Adaware.

And of course, runnning Hijackthis is always a good bet.

I've thought plenty about this sort of thing, and it even occurs to me that all of the people who post here could have a brief comment in their sig along the lines of:

You should be running:
Antivirus
Antispyware
Firewall (software or hardware)
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #19 ·
Hey guys sorry i'm just getting back to you, but I tried to do that 5 step thing and when I did step 2 with that panda program it gave me an error with internet explorer and firefox!! So it did not finish.
IDK WHAT TO DO. I can't even access my yahoo email or myspace and i can't even search on google.
Any tips??????
Thanks in advance;-)
 

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
Hi elferoz2k5 -

As Dunedin noted above,

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
and as we state in Step 1....


It is appreciated that the level of infection may not allow you to complete all these steps. Therefore, if for some reason you cannot perform one of the steps, move on to the next step and advise the Analyst accordingly when you post the requested logs.
All the steps are important, but the logs we really need to begin analysis are in Step 5.
 
1 - 20 of 26 Posts
Status
Not open for further replies.
Top