• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 484
  • Last Modified:

What is csrse.exe?

I am trying to find out what the file "csrse.exe" is associated with.  It is located in c:\windows\systems32.  OS is Windows XP Professional running MS Office 2003.

We are unable to reach our remote VPN PC, even though it is logged in.  Logged user in as administrator and found out that under the Local Policy Settings no one had access to the computer from the network.  Our core build has this filled in with various group names.

We think this file csrse.exe may be the culprit.

We have symanted corporate addition and Spybot has been run.
0
Lisa_Lewald
Asked:
Lisa_Lewald
1 Solution
 
GATOR420Commented:
Discovered=09/13/2004 07:02:00
ID=51E449ECEB0149C101E6A0260808C31C
ID2=97280,FE45BC2B9CF93B128F6EC7B94AAA7278
ID3=96256,DB9019BC9249EA4873875DD781349394
MD5=C4AF4EDEE1D35EB5AD867F650D76567E
Size=97280
Filename=csrse.exe
Company=N/A
Risk=9.0
Virus=Sdbot.worm ***

[Risk Analyzer]
AutoRun=12
NonBrand=10
PoliciesChanged=10
FileCreated=4
FileCreatedInWinSys=4
CloneThreat=4
RunProcess=4
TCPClient=12
TCPServer=10
McAfee=8
Symantec=8

[Virus Known As (McAfee)]
W32/Sdbot.worm=1

[Virus Known As (Symantec)]
W32.Spybot.Worm=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Microsoft Registry=csrse.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\]
Microsoft Registry=csrse.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Microsoft Registry=csrse.exe

[FileCreated]
c:\windows\system32\csrse.exe=1

[ThreadCreated]
Count=7

[TCPServer] ; Port=Status(Handle)
113=64 (15904)1,1

[TCPClient] ; IP:Port=Status(Handle)
255.255.255.255:6667=16 (16020)1,1

Looks like a virus to me....
0
 
SheharyaarSaahilCommented:
Hello Lisa_Lewald =)

>> We think this file csrse.exe may be the culprit.

You are thinking right, its a faked file and process, delete it from ur system and registry !!
It shudn't be running in background :)
0
 
SheharyaarSaahilCommented:
and u can use hijackthis to trace out all its entries :)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
MicrotechCommented:
http://vil.nai.com/vil/content/v_100454.htm
removal instructions on this site also
0
 
MicrotechCommented:
ignore my post.. wrong virus... friday afternoon blues!! sorry
0
 
Lisa_LewaldAuthor Commented:
Thanks for the help, everyone.  Symantec quarantined the virus, but not before it did it's damage.  We struggled through and it seems to be good now.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now