csrss.exe causing problems.


Frank Martin

I have WindowsXP pro.

I first noticed a problem when I was unable
to connect to my ISP most of the time, even
though the "Windows Task Manager" networking
tab, and the graph there, showed a lot of
traffic leaving my computer and nothing
coming in.

Various virus scanners did not fix the
problem.

I downloaded a "TCPView" and noticed that
when the problem occurred, numerous entries
of "csrss.exe" occurred and the location of
this was in C:\Windows\Config, and there was
another file in this folder called
"supdate.exe."

When I close down the "csrss.exe" file in the
TCPView window the problem disappears and my
internet connection works OK.

However, it always reappears about once a day
requiring the same deletion. My ISP has said
that during these periods of outward traffic
it is all going to "somewhere in California".

I have tried renaming the "csrss.exe", but
then the computer does not work properly.

Can anyone guide me to fix this problem? It
has been occurring for several weeks.

Regards, Frank
 

David H. Lipman

From: "Frank Martin" <fm@general.com.au>


These are illegitimate.

C:\Windows\Config\csrss.exe
C:\Windows\Config\supdate.exe

You are indeed infected with malware.
You said "Various virus scanners did not fix the problem."

What were the anti-virus scanners used, and did they at least find anything in those files?

Chances are there are multiple load points for the malware and thus if you delete one, a
"helper" will recreate the process. You would have to find the Load Points through
software such as AutoRuns and remove the malware from being loaded by the OS as well as
kill any running processes and then reboot.

You can find out what AV company detects them by submitting samples to Virus Total.
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.


The W32/DeleteMP3.worm is known to use C:\WINDOWS\system32\config\csrss.exe
http://vil.nai.com/vil/content/v_142869.htm

I don't think you have the above; based upon your description of the traffic, you may have a
spambot.

If you cannot help yourself through the above processes, then I suggest guided help
through an Expert Forum.



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe Format --> uncheck "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Frank Martin

"David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote in
message
news:%23Ohd02t5IHA.3420@TK2MSFTNGP05.phx.gbl...



Thank you, I am following this through.
 

Frank Martin

I have been trying to solve this problem for
some time, and when I use the Virus checker
"F-Secure Internet Checker" this confirms
that the files:

C:\Windows\Config\csrss.exe
C:\Windows\Config\supdate.exe

are causing the problem, and this F-Secure
renames the files which fixes the problem.

Unfortunately, these files are also essential
windows files, therefore I ask:

Can I copy across the clean and uninfected
files from the original WindowsXP pro disks?
And how can I do this, and will this fix it.


Regards, Frank






"Frank Martin" <fm@general.com.au> wrote in
message
news:O2tbJyw5IHA.2348@TK2MSFTNGP06.phx.gbl...
 

David H. Lipman

From: "Frank Martin" <fm@general.com.au>



The name csrss.exe may be legitimate, but the file is not. The malware is using the
legitimate file name csrss.exe to obfuscate its malicious intent.

The legitimate file belongs to, and executes from, %windir%\system32.

Now go post in one of the Expert Forums like I suggested to you two weeks ago.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
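The two points Dave makes above (the real csrss.exe only runs from %windir%\system32, and a deleted process comes back unless every autorun "load point" and its helper are removed too) can be turned into a small triage script. The following is an added example, not code from this thread or from TCPView, Autoruns or HijackThis. It works offline over two constructed tab-separated listings: a TCPView-style list of network-active processes with their image paths, and an Autoruns-style list of load points. The column layout, the entry names and the remote addresses are assumptions made for the example; the file paths are the ones reported in the thread, and the table of expected directories covers only the core Windows XP binaries named in it or known to live in system32.

```python
"""Triage helper for the situation in this thread: a process that borrows a
Windows system-binary name (csrss.exe) but runs from the wrong directory,
plus the autorun "load points" that would bring it back after a reboot.
Input layouts and all sample rows are constructed for this example."""
import ntpath

WINDIR = r"C:\Windows"
SYSTEM32 = ntpath.join(WINDIR, "system32")

# Core Windows XP system binaries and the one directory they legitimately
# execute from. A same-named file anywhere else is a masquerade candidate.
EXPECTED_DIRS = {
    "csrss.exe": SYSTEM32,
    "smss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
}


def _norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return ntpath.normpath(path).lower()


def classify_image(image_path):
    """Return 'expected', 'masquerade' or 'unknown' for an executable path."""
    name = ntpath.basename(image_path).lower()
    expected_dir = EXPECTED_DIRS.get(name)
    if expected_dir is None:
        return "unknown"          # not a name we keep a rule for
    if _norm(ntpath.dirname(image_path)) == _norm(expected_dir):
        return "expected"
    return "masquerade"


# Constructed export of network-active processes, one per line:
# process \t pid \t protocol \t remote endpoint \t state \t image path
NET_LINES = [
    "svchost.exe\t1032\tUDP\t*:*\t\tC:\\Windows\\system32\\svchost.exe",
    "iexplore.exe\t1800\tTCP\t198.51.100.7:80\tESTABLISHED\tC:\\Program Files\\Internet Explorer\\iexplore.exe",
    "csrss.exe\t2244\tTCP\t203.0.113.5:25\tSYN_SENT\tC:\\Windows\\Config\\csrss.exe",
    "csrss.exe\t2244\tTCP\t203.0.113.9:25\tSYN_SENT\tC:\\Windows\\Config\\csrss.exe",
]

# Constructed autorun listing (location \t entry name \t image path) in the
# spirit of an Autoruns export. The Run keys are real; entry names are made up.
AUTORUN_LINES = [
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tctfmon\tC:\\Windows\\system32\\ctfmon.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSystem Update\tC:\\Windows\\Config\\supdate.exe",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tcsrss\tC:\\Windows\\Config\\csrss.exe",
]


def triage(net_lines, autorun_lines):
    """Find masquerading network-active processes, then every autorun entry
    that either is one of them or lives in the same directory (a 'helper'
    such as supdate.exe that can recreate the process after it is killed)."""
    masquerading = {}
    for line in net_lines:
        _proc, pid, _proto, _remote, _state, image = line.split("\t")
        if classify_image(image) == "masquerade":
            masquerading[int(pid)] = image

    bad_dirs = {_norm(ntpath.dirname(p)) for p in masquerading.values()}
    load_points = []
    for line in autorun_lines:
        location, entry, image = line.split("\t")
        in_bad_dir = _norm(ntpath.dirname(image)) in bad_dirs
        if in_bad_dir or classify_image(image) == "masquerade":
            load_points.append((location + "\\" + entry, image))

    return {"masquerading": sorted(masquerading.items()),
            "load_points": load_points}


if __name__ == "__main__":
    report = triage(NET_LINES, AUTORUN_LINES)
    for pid, image in report["masquerading"]:
        print(f"masquerading process pid={pid}: {image}")
    for where, image in report["load_points"]:
        print(f"load point to remove: {where} -> {image}")
```

On the sample data the script reports one masquerading process (pid 2244, C:\Windows\Config\csrss.exe) and two load points to remove: the supdate.exe helper in the same directory and the Run entry for the fake csrss.exe itself. The directory rule is deliberately strict: a legitimate Windows XP csrss.exe has exactly one home, so any other location is enough to flag it without needing a signature, which is why it catches what several signature scanners in the thread missed.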
 

Frank Martin

"David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote in
message
news:uWAV4Qe8IHA.5052@TK2MSFTNGP03.phx.gbl...


I have joined "Castlecops" but for the life
of me I cannot see where to post a message.
There is no area to type into. What button
should I push?

Frank
 

Malke

Frank Martin wrote:




If Castle Cops doesn't work for you, choose a different place. But do it
now; your computer is infected.

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
 

Frank Martin

I tried "aumha.net", but where is the
"HijackThis forum" button on which to click?




"Malke" <malke@invalid.invalid> wrote in
message
news:evvprZk8IHA.4140@TK2MSFTNGP02.phx.gbl...
 

Malke

Frank Martin wrote:



Both PA Bear and I gave you links. If you can't get to where you need to,
then take the machine to a computer repair shop. I have no idea how to tell
someone "click here" in writing. In any case, if you seriously cannot
figure out how to post in one of those forums, you shouldn't be working on
the computer yourself. I say that not to hurt your feelings but simply as a
practical matter.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
 

Frank Martin

"Malke" <malke@invalid.invalid> wrote in
message
news:%23yKNrfq8IHA.4928@TK2MSFTNGP05.phx.gbl...



Well, I did get into the "AumHa" site, and I
followed a few posts which gave me a clue how
to fix it; see the following:

I have since discovered the problem was
caused by a pernicious worm masquerading as
csrss.exe in the C:\Windows\Config folder.

It was probably a spambot because it was
causing so much outflow from my computer that
I couldn't get to use the internet at all.

I cannot imagine what was being sent out!

I got rid of it by running the "HijackThis"
software and identifying the registry string
that was causing the trouble, and deleting
it.

Then I deleted csrss.exe and all is well so
far.

Now I always check the "Windows Task Manager"
(networking tab) to observe any activity when
I'm not using the internet, and now there is
zero activity unless I'm using it.

I found the Virus checker "F-Secure" was the
only one of many that actually identified the
location of the worm; Computer Associates &
ZoneAlarm flopped badly. This "F-Secure"
actually unzips files to check for malware,
although a complete scan takes a long time,
like overnight.

Regards, Frank
 