GadgetDude asked:
Possible Trojan: CSRSS.EXE

Very unusual situation. I have just talked to the technical folks at Webroot whose product, SpySweeper, does not detect the following during a sweep; but, in the midst of my doing work (Word, etc.) on the PC an alert pops up regarding: csrss.exe.

I did a search on my PC and found the following:
Name                       Folder                              Size   Type
csrss.exe                  c:\windows                          26kb   Application
csrss.ex_                  c:\windows\I386                     2kb    EX_ file
csrss.exe-12B63473.pf      c:\windows\prefetch                 36kb   PF file
csrss.exe-39B8819D.pf      c:\windows\prefetch                 53kb   PF file
csrss.exe                  c:\windows\system32                 6kb    Application
csrss.exe                  c:\windows\ServicePackFiles\i386    6kb    Application

The Problem: the tech over at Webroot says that there shouldn't be that many "csrss" files; and, they should not be larger than 6 kb.

I realize this is limited information; but, the alert keeps coming up while I'm working on the PC and I don't know if there is a trojan, virus, or what on my PC.
I have run both SpySweeper and PC-Cillin for Internet Security 2006. With each sweep and virus scan, the most I have come up with are various "cookies", which, of course, I automatically deleted.

Please Help Me! I am very worried that I may have an unknown "something" (virus, trojan, or whatever). Except for these occasional "csrss" alerts and occasional cookies, I find no other evidence of a virus, trojan, or whatever.

Your Help is Greatly Appreciated!!!

GadgetDude
InteraX

Hi GadgetDude,

Have you scanned with a fully updated AV?

Also, you could try to see if the process is making any unexpected outbound connections. Get the PID of the process from Task Manager (the column is hidden by default), then run 'netstat -a -o' to show any connections being made out of the IP stack.

Good Luck,

Chris
csrss.exe                         c:\windows                                          26kb          Application

Is NOT supposed to be there.

csrss.ex_                         c:\windows\I386                                     2kb          EX_file
csrss.exe                         c:\windows\system32                              6kb          Application
csrss.exe                         c:\windows\ServicePackFiles\i386             6kb          Application

These are fine....

csrss.exe-12B63473.pf      c:\windows\prefetch                              36kb          PF file
csrss.exe-39B8819D.pf      c:\windows\prefetch                              53kb          PF file

These are more likely prefetch files that are remnants of the csrss.exe in C:\Windows.

Take a look at this key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

What's there? If it is
"rundll32" = "windows\csrss.exe", then it is our friend "Trojan.Gutta"
http://www.symantec.com/security_response/writeup.jsp?docid=2004-020914-0902-99&tabid=2


If not, then you need to look at those keys very carefully and see what is starting there. You can safely disable all startup files using Start > Run > MSConfig, and that way you can easily enable a startup item if needed. Don't disable the AV though.

Also, you need to make sure that your system is 100% up to date on security patches.
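The checks InteraX and the second responder describe (where csrss.exe legitimately lives, what the prefetch files are, the netstat -a -o connection check by PID, and the Run key lookup) pulled together as one added offline example. This is not code posted by anyone in the thread. It assumes Windows is installed in C:\Windows as in the question; the netstat and reg query output it parses are constructed samples (the PIDs, addresses and the ExampleUpdater value are placeholders, not output from the asker's PC), and the file list is the one the asker posted.

```python
"""Offline triage for the csrss.exe findings in this thread (added example).

Three checks the responders describe, run here on constructed text:
  1. classify each path from a disk search for csrss* as ok / trace / suspect,
  2. pull the rows of `netstat -a -n -o` output that belong to one PID,
  3. list Run-key values (from `reg query ...\\Run` output) whose data mentions csrss.exe.
"""
import re
from pathlib import PureWindowsPath

# Locations a stock Windows XP install in C:\Windows legitimately uses for csrss
# (the three entries the second responder marked as fine). Compared case-insensitively.
LEGIT_CSRSS = {
    r"c:\windows\system32\csrss.exe": "the running Client/Server Runtime Subsystem",
    r"c:\windows\servicepackfiles\i386\csrss.exe": "service-pack backup copy",
    r"c:\windows\i386\csrss.ex_": "compressed install-source copy",
}
PREFETCH_DIR = r"c:\windows\prefetch"
PREFETCH_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)


def classify(path):
    """Return (verdict, reason) for one path found by searching the disk for csrss*."""
    p = PureWindowsPath(path)
    key = str(p).lower()
    if key in LEGIT_CSRSS:
        return "ok", LEGIT_CSRSS[key]
    m = PREFETCH_RE.match(p.name)
    if m and str(p.parent).lower() == PREFETCH_DIR:
        # The 8-hex-digit suffix is derived from the full path that was launched, so two
        # different hashes for csrss.exe mean it was executed from two different places.
        return "trace", f"prefetch record for {m['exe']}, launch-path hash {m['hash'].upper()}"
    if p.name.lower() == "csrss.exe":
        return "suspect", "csrss.exe outside System32; the genuine one runs only from there"
    return "unknown", "not a csrss location this example knows about"


def netstat_connections(text, pid):
    """Return (proto, local, remote, state) rows of `netstat -a -n -o` output owned by pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, owner = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, owner = parts  # UDP rows have no State column
            state = ""
        else:
            continue  # banner, column header and blank lines
        if owner == str(pid):
            rows.append((proto, local, remote, state))
    return rows


# One `reg query` data line: indented value name, REG_* type, optional data.
REG_LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")


def run_key_hits(reg_output, needle="csrss.exe"):
    """Return (value_name, data) for Run-key values whose data mentions needle."""
    hits = []
    for line in reg_output.splitlines():
        m = REG_LINE_RE.match(line)
        if m and needle.lower() in (m["data"] or "").lower():
            hits.append((m["name"], m["data"].strip()))
    return hits


# Constructed sample input. The file list is the one posted in the question; the netstat
# and reg output are made up (PIDs, addresses and the ExampleUpdater value are placeholders)
# and include the Run-key value the second responder said to look for.
FILE_LIST = [
    r"c:\windows\csrss.exe", r"c:\windows\I386\csrss.ex_",
    r"c:\windows\prefetch\csrss.exe-12B63473.pf", r"c:\windows\prefetch\csrss.exe-39B8819D.pf",
    r"c:\windows\system32\csrss.exe", r"c:\windows\ServicePackFiles\i386\csrss.exe",
]
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1008
  TCP    192.168.1.5:1047       203.0.113.7:8080       ESTABLISHED     1572
  UDP    0.0.0.0:445            *:*                                    4
"""
REG_SAMPLE = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ExampleUpdater    REG_SZ    C:\\Program Files\\Example\\updater.exe
    rundll32    REG_SZ    windows\\csrss.exe
"""

if __name__ == "__main__":
    for f in FILE_LIST:
        verdict, reason = classify(f)
        print(f"{verdict:8}{f:48}{reason}")
    print(netstat_connections(NETSTAT_SAMPLE, 1572))
    print(run_key_hits(REG_SAMPLE))
```

On the PC itself, run netstat from a command prompt that stays open (Start > Run > cmd, then netstat -a -n -o > netstat.txt) rather than straight from the Run box, so the output lands in a file rather than vanishing when the window closes; -n keeps addresses numeric so the command returns quickly. Feed that file to netstat_connections with the PID Task Manager shows for the suspect process; any row it returns is the kind of unexpected connection InteraX's check is looking for. The two prefetch hashes in the asker's list are worth noting on their own: each one corresponds to a different launch path, so csrss.exe has been executed from two different locations on that machine.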
GadgetDude (ASKER)
You have given me much information to think about.
I will carefully examine this and get back to you soon.

Chris/InterAX: please, I apologize for my ignorance; but, I am not sure I understand what you're saying.
Task Manager I get; but, I think you're saying in RUN type 'netstat -a -o', but if anything is running out the IP stack what am I supposed to do about it?

In any event, I will work with all suggestions and get back to you shortly.

I APPRECIATE YOU AND YOUR HELP!!!

GadgetDude
How do I access the hidden column in task manager?

GadgetDude
Good NEWS!

"rundll32" = "windows\csrss.exe" was not where Chris said it would be. It's Not There!

GadgetDude
OK. I have examined both of your suggestions with these results:
[1] there is no "rundll32" = "windows\csrss.exe"
[2] there is no "hahafool" in the HKEY_CLASSES_ROOT/.EXE
[3] 'netstat -a -o' ran so extremely fast, I couldn't determine anything. The CMD window opened and closed; the whole process was no more than 2 seconds.
[4] The only thing left is a "c:\windows\csrss.exe"; which I am told shouldn't be there?  Do I safely delete this?

Honestly, I've done everything you guys suggested; but, I don't know what the next step is; if there is indeed a "Next" step.

But, I do appreciate you!

GadgetDude
SOLUTION (rpggamergirl) [members-only content not available on this page]

ASKER CERTIFIED SOLUTION [members-only content not available on this page]
OK, I AM REALLY, REALLY STUPID!

I tried pasting the info; but for some reason I could not. I kept getting INVALID FILE NAME or something like that.

I hope and pray that putting the information on display this way doesn't endanger me. Otherwise, I will have to cancel my Experts-Exchange membership.

I'm sorry I am so incredibly stupid. Perhaps there is a way I can get this last "submit" deleted?

GadgetDude
I am sorry for the lack of email etiquette that my last submit showed.
I was very, very angry with myself and no one else.

I apologize very sincerely.

In any event: I took the "csrss.exe" file from c:\windows and changed it to csrss.old.
That should solve the problem. If it does, I will delete it.

I feel very ashamed of myself and am, therefore, closing this file regardless of whether or not a solution is found.

Once again very deeply, I apologize.

GadgetDude
>>I hope and pray that putting the information on display this way doesn't endanger me. Otherwise, I will have to cancel my Experts-Exchange membership.<<
Your HijackThis log doesn't show any personally identifiable entries; thousands of people have the same programs running on their machines.

Don't worry, I'll delete your HijackThis log if it makes you feel better.