Posted by Frank Martin on July 29, 2008, 8:12 pm
I have been trying to solve this problem for
some time, and when I use the Virus checker
"F-Secure Internet Checker" this confirms
that the files:
C:\Windows\Config\csrss.exe
C:\Windows\Config\supdate.exe
are causing the problem, and this F-Secure
renames the files which fixes the problem.
Unfortunately, these files are also essential
windows files, therefore I ask:
Can I copy across the clean and uninfected
files from the original WindowsXP pro disks?
And how can I do this, and will this fix it?
Regards, Frank
message
>
> "David H. Lipman"
> message
>>
>> | I have WindowsXP pro.
>>
>> | I first noticed a problem when I was
>> unable
>> | to connect to my ISP most of the time,
>> even
>> | though the "Windows Task Manager"
>> networking
>> | tab, and the graph there, showed a lot
>> of
>> | traffic leaving my computer and nothing
>> | coming in.
>>
>> | Various virus scanners did not fix the
>> | problem.
>>
>> | I downloaded a "TCPView" and noticed
>> that
>> | when the problem occurred, numerous
>> entries
>> | of "csrss.exe" occurred and the location
>> of
>> | this was in C:\Windows\Config, and there
>> was
>> | another file in this folder called
>> | "supdate.exe."
>>
>> | When I close down the "csrss.exe" file
>> in the
>> | TCPView window the problem disappears
>> and my
>> | internet connection works OK.
>>
>> | However, it always reappears about once
>> a day
>> | requiring the same deletion. My ISP has
>> said
>> | that during these periods of outward
>> traffic
>> | it is all going to "somewhere in
>> California".
>>
>> | I have tried renaming the "csrss.exe",
>> but
>> | then the computer does not work
>> properly.
>>
>> | Can anyone guide me to fix this problem;
>> it
>> | has been occurring for several weeks.
>>
>> | Regards, Frank
>>
>> These are illegitimate..
>>
>> C:\Windows\Config\csrss.exe
>> C:\Windows\Config\supdate.exe
>>
>> You are indeed infected with malware.
>> You said "Various virus scanners did not
>> fix the problem."
>>
>> What were the anti virus scanners used and
>> did they at least find anything in those
>> files ?
>>
>> Chances are there are multiple load points
>> for the malware and thus if you delete
>> one, a
>> "helper" will recreate the process. You
>> would have to find the Load Points through
>> software such as AutoRuns and remove the
>> malware from being loaded by the OS as
>> well as
>> kill any running processes and then
>> reboot.
>>
>> You can find out what AV company detects
>> them by submitting samples to Virus Total.
>> http://www.virustotal.com/flash/index_en.html
>> The submission will then be tested against
>> many different AV vendor's scanners.
>> That will give you an idea what it is and
>> who recognizes it. In addition Virus
>> Total will provide the sample to all
>> participating vendors.
>>
>> You can also submit a suspect, one at a
>> time, via the following email URL...
>> mailto:scan@virustotal.com?subject=SCAN
>>
>> When you get the report, please post back
>> the exact results.
>>
>>
>> The W32/DeleteMP3.worm is known to use;
>> C:\WINDOWS\system32\config\csrss.exe
>> http://vil.nai.com/vil/content/v_142869.htm
>>
>> I don't think you have the above, based
>> upon your description of traffic, you may
>> have a
>> spambot.
>>
>> If you can not help yourself through the
>> above processes, then I suggest guided
>> help
>> through an Expert Forum.
>>
>>
>>
>> 1. Download and execute HiJack This! (HJT)
>> http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
>>
>> 2. Disable Notepad's word wrap:
>> In Notepad.exe; Format --> uncheck; "Word
>> wrap"
>>
>> 3. Download/run Deckard's System Scanner:
>> http://www.techsupportforum.com/sectools/Deckard/dss.exe
>>
>> 4. Save the scan results (Main.txt and
>> Extra.txt)
>>
>> 5. And then post the contents of Main.txt
>> and Extra.txt in your post in one of the
>> below
>> expert forums...
>>
>>
>> { Please - Do NOT post the HJT and
>> Deckard's System Scanner Logs here ! }
>>
>> Forums where you can get expert advice for
>> HiJack This! (HJT) and Deckard's System
>> Scanner
>> Logs.
>>
>> NOTE: Registration is REQUIRED in any of
>> the below before posting a log
>>
>> Suggested primary:
>> http://www.thespykiller.co.uk/index.php?board=3.0
>>
>> Suggested secondary:
>> http://www.bleepingcomputer.com/forums/forum22.html
>> http://castlecops.com/forum67.html
>> http://www.malwarebytes.org/forums/index.php?showforum=7
>>
>> Suggested tertiary:
>> http://www.dslreports.com/forum/cleanup
>> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
>> http://www.atribune.org/forums/index.php?showforum=9
>>
>> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
>> http://gladiator-antivirus.com/forum/index.php?showforum=170
>> http://forum.networktechs.com/forumdisplay.php?f=130
>> http://forums.maddoktor2.com/index.php?showforum=17
>> http://www.spywarewarrior.com/viewforum.php?f=5
>> http://forums.spywareinfo.com/index.php?showforum=18
>> http://forums.techguy.org/f54-s.html
>> http://forums.tomcoyote.org/index.php?showforum=27
>> http://forums.subratam.org/index.php?showforum=7
>> http://www.5starsupport.com/ipboard/index.php?showforum=18
>> http://aumha.net/viewforum.php?f=30
>> http://makephpbb.com/phpbb/viewforum.php?f=2
>> http://forums.techguy.org/54-security/
>> http://forums.security-central.us/forumdisplay.php?f=13
>>
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV -
>> http://www.pctipp.ch/downloads/dl/35905.asp
>
>
> Thank you, I am following this through.
>
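Added example, not part of the original thread: a small path check that illustrates the distinction drawn in the quoted reply, where a process carrying a Windows system name runs from somewhere other than its normal folder. The process list, PIDs, the table of expected folders and the list of data folders are constructed assumptions for a default Windows XP layout.

```python
import ntpath

# Assumption: core XP system images and the folder (relative to the Windows
# directory) they normally run from. The thread itself only names csrss.exe.
SYSTEM_IMAGES = {
    "csrss.exe": "system32",
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "lsass.exe": "system32",
    "services.exe": "system32",
}

# Assumption: folders under the Windows directory that normally hold data,
# not running programs (system32\config holds the registry hives).
DATA_DIRS = ("config", r"system32\config")

# Constructed sample: (pid, image path) pairs as a process viewer might list them.
SAMPLE_PROCESSES = [
    (612, r"C:\WINDOWS\system32\csrss.exe"),
    (700, r"C:\WINDOWS\system32\lsass.exe"),
    (1840, r"C:\Windows\Config\csrss.exe"),
    (1852, r"C:\Windows\Config\supdate.exe"),
    (2210, r"C:\WINDOWS\system32\config\csrss.exe"),
]


def find_suspicious(processes, windows_dir=r"C:\Windows"):
    """Return (pid, path, reason) for images that fail either path check."""
    root = ntpath.normcase(ntpath.normpath(windows_dir))
    findings = []
    for pid, image_path in processes:
        # Windows paths are case-insensitive, so compare normalised forms.
        path = ntpath.normcase(ntpath.normpath(image_path))
        folder, name = ntpath.split(path)
        expected = SYSTEM_IMAGES.get(name)
        if expected is not None and folder != ntpath.join(root, expected):
            findings.append((pid, image_path,
                             "system process name outside " + expected))
        elif any(folder == ntpath.join(root, d) for d in DATA_DIRS):
            findings.append((pid, image_path,
                             "program running from a data folder"))
    return findings


if __name__ == "__main__":
    for pid, path, reason in find_suspicious(SAMPLE_PROCESSES):
        print(pid, path, "->", reason)
```

A flagged path is a lead for the load-point hunt described in the reply, not a verdict; the file still needs to be identified, for example through the multi-scanner submission mentioned there.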