Forum: Press F1
Thread ID: 53892 | 2005-01-30 09:40:00 | CSRSS.exe | Codex (3761)
Post 319433 | 2005-01-30 09:40:00 | Codex (3761)

ok, i recently found that a new process was starting on my computer, a virus i believe, because now there's two csrss.exe's. One is located in C:\WINNT\system32\plzpygoj\csrss.exe and the other in C:\WINNT\system32\csrss.exe. I have removed all startup information about the C:\WINNT\system32\plzpygoj\csrss.exe one, but there is also a registry key that keeps on trying to install on startup called kill.reg. So yeah, any help would be great.
Post 319434 | 2005-01-30 09:54:00 | bartsdadhomer (80)

You might find a file by the same name in the root of your C drive; that needs to go as well. May have to turn on "show all files" to see it. If it won't delete you will need to use Task Manager to stop the process. You will have to disable it in msconfig/startup first, but you say you've already done that.
Post 319435 | 2005-01-30 09:57:00 | Codex (3761)

> You might find a file by the same name in the root of your C drive; that needs to go as well. May have to turn on "show all files" to see it. If it won't delete you will need to use Task Manager to stop the process. You will have to disable it in msconfig/startup first, but you say you've already done that.

ok, i can't run msconfig because apparently it doesn't exist (what the hell?? lol), so i went and removed all the registry keys relating to it manually (god it takes ages lol). So yeah.
Post 319436 | 2005-01-30 09:58:00 | godfather (25)

C:\WINNT\system32\plzpygoj\csrss.exe

Definitely malware. Download HijackThis (Google will find it for you) and run it; have that clean up that process. It finds every process, including valid ones, so just take out that one. Post a copy of your HJT log back here if you need to.
Post 319437 | 2005-01-30 10:15:00 | Codex (3761)

here's the log

Logfile of HijackThis v1.99.0
Scan saved at 11:07:45 p.m., on 30/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\plzpygoj\csrss.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mindbeat\MPower\MPower.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Symantec\Web Tools\CKA.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Remote Disconnection Utility\RDServer.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.974\HijackThis.exe
C:\WINNT\system32\ipconfig.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O1 - Hosts: 62.93.200.61 irc.westwood.com
O1 - Hosts: 62.93.200.61 servserv.westwood.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MPower] "C:\Program Files\Mindbeat\MPower\MPower.exe"
O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Symantec\Web Tools\CKA.exe
O4 - Startup: Shortcut to Local Area Connection.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Remote Disconnection Server.lnk = C:\Program Files\Remote Disconnection Utility\RDServer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - download.zonelabs.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{42D9986E-E19D-4D97-8F17-2AE653213469}: NameServer = 203.97.33.14 203.97.37.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC88AA40-3D67-42BE-8BCE-09D18A158283}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
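The log above shows the thread's symptom in data: a csrss.exe running from C:\WINNT\system32\plzpygoj\ rather than from the system directory. The following Python script is an added example, not part of the thread and not HijackThis code, that does the triage a responder does by eye on such a log: it parses the "Running processes" section and flags any core Windows binary name (csrss.exe, smss.exe, lsass.exe and so on) running outside the expected system directory, and it lists O1 hosts-file entries that map a hostname to a non-loopback address for review. The sample log is constructed from a subset of the lines in the post above; the list of core binaries and the expected system directories are assumptions chosen for the example and should be extended for real use.

```python
"""Triage a HijackThis-style log for masquerading system binaries and hosts redirects.

Added example; not code from the thread or from HijackThis itself.
"""
import ntpath
import re
from dataclasses import dataclass

# Core Windows binaries that legitimately run only from the system directory.
# Assumption for this example: the set is deliberately small and should be extended.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Expected system directories, lower-cased. Windows 2000 used C:\WINNT; later versions use C:\Windows.
EXPECTED_SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
SECTION_LINE = re.compile(r"^[A-Z]\d{1,2} - ")   # R0, O1, O4, O23 ... entries end the process list
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "masquerade" (system binary name outside system32) or "hosts_redirect" (review)
    detail: str


def normalize_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased, without trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def triage_hjt_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes and SECTION_LINE.match(line):
            in_processes = False          # first R/O entry also ends the process list
        if in_processes:
            name = ntpath.basename(line).lower()
            if name in CORE_SYSTEM_BINARIES and normalize_dir(line) not in EXPECTED_SYSTEM_DIRS:
                findings.append(Finding("masquerade", line))
            continue
        m = HOSTS_LINE.match(line)
        if m:
            ip, host = m.group(1), m.group(2)
            # Hosts entries are reported for review, not judged malicious: legitimate
            # software also writes them, so an analyst decides.
            if ip not in LOOPBACK:
                findings.append(Finding("hosts_redirect", f"{host} -> {ip}"))
    return findings


# Constructed sample: a trimmed subset of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\plzpygoj\csrss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O1 - Hosts: 62.93.200.61 irc.westwood.com
O1 - Hosts: 62.93.200.61 servserv.westwood.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the constructed sample, the only masquerade finding is C:\WINNT\system32\plzpygoj\csrss.exe; the genuine csrss.exe in system32 is not reported, which is exactly the distinction the original poster had to make by hand. The path comparison is case-insensitive because Windows paths are, and the log itself mixes System32 and system32.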
Post 319438 | 2005-01-30 20:38:00 | bartsdadhomer (80)

You may have been infected with the Cool WebSearch Trojan at some stage, which corrupts msconfig. See this page here & download & install another: www.spywareinfo.com

If that doesn't work, download & install Spybot & run it in advanced mode & use the Tools > Startup menu to remove the offending entries.

And WOW, Norton sure has a hold on a heap of your system's resources.
Post 319439 | 2005-01-30 23:18:00 | Codex (3761)

lol yeah, Norton does take a bit, but it's all good :D
Post 319440 | 2005-01-30 23:28:00 | godfather (25)

Tick this one:

C:\WINNT\system32\plzpygoj\csrss.exe

And have HJT fix it, then delete the file and folder. Safe mode if needed.