Help me!(csrss.exe)

OK ..... This should be worth more points however I have found a way to get spyware and viruses off computers without having them reinfect themselves like this one. It sounds a little extreme yet it works.

1. Go to your local computer store and buy a USB (v2.0) HDD Enclosure for a regular 3.5 HDD. (Don't go cheap on this as some of these devices will not support old HDDs. If you are not sure, check with the HDD Enclosure manufacturer.) If it is a notebook 2.5 HDD, buy the 3.5 to 2.5 converter cable.

2. On a separate "clean system" (an old sytem that you don't use any more is good for this), make sure you have updated OS (with all patches), anti-virus, and spyware programs. (I prefer Panda Anti-virus and Webroot Spysweeper.)

3. Remove the HDD from the infected computer and install into the HDD Enclosure. Turn on the power and plug into the USB port of the clean system.

4. Run your antivirus and spyware programs on the HDD in the USB HDD Enclosure.

This procedure should find and remove all the executables from your HDD. Make a list of them because you will want to go back and remove these from the registry BEFORE you plug the infected system back into the Net.

@ cj0ndeck, this is a good idea indeed, but what about this solution:

http://www.bitdefender.com/bd/site/products.php?p_id=40

LinuxDefender Live! CD

A Linux distro complete with BitDefender tools on a bootable CD  

LinuxDefender started as a BitDefender project designed to provide system administrators, security experts and users of both Windows and Linux computers with virus incident rescue tools.

LinuxDefender is a GNU/Linux distribution based on Debian which integrates the latest BitDefender for Linux security solution, offering instant SMTP antivirus/antispam protection and a desktop antivirus capable to scan and disinfect existing hard drives (including Windows partitions), remote Samba/Windows shares or NFS mount points. A web based configuration interface to BitDefender solutions is also included as a Webmin configuration module

Hot Features:
# Instant email protection (antivirus & antispam)
# Disinfection of infected files from Windows partitions
# NTFS write support
# Web based configuration
# Automatic hardware detection and support for almost any pc card and peripheral

Featured Software
• Linux Kernel 2.4.x and/or 2.6.x
• BitDefender SMTP Proxy (featuring the new BitDefender AntiSpam module)
• BitDefender Remote Admin (Webmin interface)
• BitDefender Linux Edition (free antivirus scanner)
• BitDefender Documentation (PDF & HTML format)
• utilities for data recovery and system repairs (Amanda backup solution, parted, QTParted and partimage, partition resize, save & recovery solution, etc...)
• network and security analysis tools for network administrators (nessus, nmap, Ethereal, iptraf etc...)
• Internet connection software
• Graphical desktop environment (KDE / Gnome / XFCE / IceWM / fluxbox)
• Web browsers (Mozilla, Konqueror)
• Email clients
• PDF Viewer (Adobe Acrobat)

---
To handle XP SP" NTFS partitions use this workaround:

ISSUE:
The NTFS partition can't be mounted in r/w mode. The file ntoskrnl.exe isn't found.
 
SOLUTION:
Windows XP SP2 has a new version of ntoskrnl.exe which is not recognized by the captive program (which is responsible for mounting the NTFS partitions in r/w mode).

There is a workaround regarding this issue.
Please follow the instructions below:

First the NTFS partition must be mounted read-only, by opening a terminal and then typing the commands:

su -
mount -t ntfs /dev/hdaX /mnt/hdaX

(replace hdaX with the partition that has Windows XP SP2 installed, if there is just 1 partition (drive c:) it's hda1 )

Start the Captive-installer clicking on Forward button and then Skip. In the new window choose Browse, select the previously mounted partition that has Windows XP SP2, then select the Windows folder. After that click on Forward button. The files are going to be recognized and you can press OK.

Next step is to unmount the NTFS partition from the terminal window, by typing the command:

umount /mnt/hdaX
(replace hdaX with the partition that has Windows XP SP2 installed)

and double click on the desktop icon (for that partition) which will mount it as r/w.

--

This is a bit more to do, but a working solution and it costs you a single CDRom, nothing more...

Tolomir

As you can see from this post:

http://castlecops.com/StartupList.html

Enter in "csrss.exe" and click "Search" -- csrss.exe can be related to any of 20-30 different strains.

There is a good chance you have other spyware or malware on your system that may be causing the re-infection so I would recommend posting a link to a log on one of the many sites out there (I reside on Castlecops.com, SpywareInfo.com, and BleepingComputer.com -- PM me at one of those sites if you post a HijackThis log there).

If you wish the solely address the csrss.exe issue, please check the following registry locations (Start > Run and type in "regedit"):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

Please post the name of the registry entry pointing to the data value of c:\WINDOWS\csrss.exe (or %windir%\csrss.exe) and post that back here.

To make sure your not infected with Malware (Spyware, Trojans, Viruses, Adware, etc. See http://en.wikipedia.org/wiki/Malware)

Please follow the following instructions (always reboot when it recommends doing so):

1. Do you have a firewall running?
Windows XP SP2 comes with a firewall by default which I recommend you use. See: http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx
Other than that try using Kerio Personal Firewall - See http://www.kerio.com/us/kpf_download.html
If you have a slow computer you can get version 2 here: http://www.kerio.com/dwn/kpf2-en-win.exe
I believe Kerio Personal Firewall is identical to Tiny Personal Firewall and Sygate Personal Firewall.
I do not recommend using ZoneAlarm or BlackICE Defender.
To test your firewall see http://grc.com/lt/leaktest.htm or http://www.hackerwatch.org/probe/

2. Make sure Windows is updated.
Visit the Windows Update website: http://windowsupdate.microsoft.com/ (Use internet explorer)
Or Start > Run > type: wupdmgr.exe
If you are on Windows XP, please update to SP2 or above as it has the security centre.
If you are on Windows 2000, please update to SP4 or above.

3. Remove any malware.
Make sure you have anti-virus software installed, I recommend Norton Antivirus or McAfee if you have a fast PC (These are not free).
Two fairly good FREE alternative Anti-Virus solutions are http://www.avast.com/eng/avast_4_home.html or http://free.grisoft.com/
Even if you have anti-virus software installed I can recommend a visit to http://housecall.trendmicro.com/
HouseCall is a free online Java based anti-virus software solution provided by TrendMicro, its always a good idea to have a second opinion.
Make sure your anti-virus software is working and up-to-date.

Get a copy of Microsoft's Antispyware Software:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Its still in beta, but its far better than Ad-aware and SpyBot - Search & Destroy put together.
I therefore recommend uninstalling any other anti-spyware software as sometimes they just make things worse.

If you think you have a specific virus/malware, try using the following:
The Microsoft Malware Removel Tool: http://www.microsoft.com/security/malwareremove/default.mspx
The Norton Virus Removal Tools: http://securityresponse.symantec.com/avcenter/tools.list.html
Both of these tools are free to download.

Finally if you still think your infected or simply cannot get rid of a peice of malware, you need HiJackThis.
HiJackThis will create a log that you can browse through and tell it to fix, this is a bit of an expert tool so if you are unsure, ask an expert for advise.
Get a copy of HiJackThis here: http://www.merijn.org/files/hijackthis.zip or http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Usually you can spot the dodgy strings and select them for fixing, just be careful.

If you need more help with HiJackThis, it might be worth getting a copy of http://www.sysinternals.com/Utilities/ProcessExplorer.html
Its more powerful Task Manager, and its helpful when researching what certain processes are.

Another way to remove pesky spyware, etc. is by booting in safe more so only essential processes are running.  Then when you do that wipe out the .exe manually and make sure it did not plant itself in youe services (where it probably is since it keeps reappearing - there is probably a service running that check to see if the file exists and if it doesn't it recreates it.  Also check your registry for any suspect run items in both LOCAL_MACHINE and CURRENT_USER

Oh, when you check your services, check for any automatic services that look funny, and check the properties to see where they reside.  
HTH


jocasio

I created a CD that pretty much cleans nearly 99% of any spyware or adware from a PC system. Feel free to make your own version, just following the steps I have provided below:

Programs:
CWShredder.exe, Spybot S&D, Adaware SE, Webroot's Spy Sweeper, HiJackThis, FixBinet.exe, ABIRemover.exe, Alexaremover.exe

1) Install Spybot S&D, Adware SE and Spy Sweeper. Make sure you download and install the latest defination files as well for each.

2) Restart PC for SAFE MODE (Press F8 before Windows splash screen appears). Then run the following programs -- in order -- for maximum effectiveness.
a) Run CWShredder first.
b) Run Spybot S&D.
c) Run Adaware SE. Select 'smart system scan'.
d) Run FixBinet.
e) Run ABIRemover.
f) Run Alexaremover.
g) Run Spy Sweeper. Block everything then do 'Sweep Now'.
h) Run HiJackThis. Scan list of BHOs, IE Toolbars, Startup items.

* For the HiJackThis, look closely at the IE Toolbars and startup items. Delete anything that seems a bit out of place, primarly under the C:\Windows\system32 directory.

3) Make sure you have installed and are running a Anti-Virus program. I recommend using McAfee AV (Standard, Pro or Enterprise edition). Norton AV loads alot of unnecessary programs while McAfee just loads just exactly whats needed. Some 'free' antivirus programs are okay, but remember they are free for a reason, esp when it coes to making deep system scans that the more commercial antiviruses do better.