Solved

What is csrse.exe?

Posted on 2004-10-15
Last Modified: 2008-03-06
I am trying to find out what the file "csrse.exe" is associated with.  It is located in c:\windows\systems32.  OS is Windows XP Professional running MS Office 2003.

We are unable to reach our remote VPN PC, even though it is logged in.  Logged user in as administrator and found out that under the Local Policy Settings no one had access to the computer from the network.  Our core build has this filled in with various group names.

We think this file csrse.exe may be the culprit.

We have Symantec Corporate Edition and Spybot has been run.
Question by:Lisa_Lewald
6 Comments
 
LVL 7

Accepted Solution

by:
GATOR420 earned 500 total points
ID: 12321131
Discovered=09/13/2004 07:02:00
ID=51E449ECEB0149C101E6A0260808C31C
ID2=97280,FE45BC2B9CF93B128F6EC7B94AAA7278
ID3=96256,DB9019BC9249EA4873875DD781349394
MD5=C4AF4EDEE1D35EB5AD867F650D76567E
Size=97280
Filename=csrse.exe
Company=N/A
Risk=9.0
Virus=Sdbot.worm ***

[Risk Analyzer]
AutoRun=12
NonBrand=10
PoliciesChanged=10
FileCreated=4
FileCreatedInWinSys=4
CloneThreat=4
RunProcess=4
TCPClient=12
TCPServer=10
McAfee=8
Symantec=8

[Virus Known As (McAfee)]
W32/Sdbot.worm=1

[Virus Known As (Symantec)]
W32.Spybot.Worm=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Microsoft Registry=csrse.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\]
Microsoft Registry=csrse.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Microsoft Registry=csrse.exe

[FileCreated]
c:\windows\system32\csrse.exe=1

[ThreadCreated]
Count=7

[TCPServer] ; Port=Status(Handle)
113=64 (15904)1,1

[TCPClient] ; IP:Port=Status(Handle)
255.255.255.255:6667=16 (16020)1,1

Looks like a virus to me....
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12321133
Hello Lisa_Lewald =)

>> We think this file csrse.exe may be the culprit.

You are thinking right, it's a faked file and process, delete it from your system and registry !!
It shouldn't be running in background :)
0
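The report in the accepted answer shows the file registered under three autorun keys, and its name is one letter away from csrss.exe, the genuine Windows Client/Server Runtime process. The following is an added example, not part of the original posts: it parses the report's sections and flags autorun values that nearly match a system binary. The allow-list and all function names are assumptions made for illustration.

```python
import re

# Excerpt of the report posted above (registry and file sections only).
REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Microsoft Registry=csrse.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\]
Microsoft Registry=csrse.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Microsoft Registry=csrse.exe

[FileCreated]
c:\windows\system32\csrse.exe=1
"""

# Assumption: a short allow-list of genuine Windows system binaries.
SYSTEM_BINARIES = ["csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                   "services.exe", "winlogon.exe", "explorer.exe"]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def autorun_entries(report):
    """Yield (registry key, value name, file name) for Run/RunServices sections."""
    section = None
    for line in report.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+?)\\?\]", line)
        if m:
            section = m.group(1)
        elif section and "=" in line and re.search(r"\\Run(Services)?$", section, re.I):
            name, _, value = line.partition("=")
            yield section, name, value.strip().strip('"').split("\\")[-1].lower()

def lookalikes(report, max_distance=2):
    """Autorun files that nearly match, but are not, a genuine system binary."""
    return [(key, name, exe, real)
            for key, name, exe in autorun_entries(report)
            for real in SYSTEM_BINARIES
            if exe not in SYSTEM_BINARIES and edit_distance(exe, real) <= max_distance]
```

Calling `lookalikes(REPORT)` returns one hit per autorun key, each pairing csrse.exe with csrss.exe; the `[FileCreated]` section is skipped because it is not an autorun key.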
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12321152
and you can use HijackThis to trace out all its entries :)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you. Fix the entries which it labels as Nasty :)
To fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted; better you first research them on Google, and then, when you have confirmed that they should be deleted, fix them. And whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem you can take advantage of its created backups of fixed items. And if you still face problems in dealing with it, just analyse your log at the above site, then scroll down where you will see a Save Analyse button, hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)
0
 
LVL 17

Expert Comment

by:Microtech
ID: 12321187
http://vil.nai.com/vil/content/v_100454.htm
removal instructions on this site also
0
 
LVL 17

Expert Comment

by:Microtech
ID: 12321210
Ignore my post... wrong virus... Friday afternoon blues!! Sorry.
0
 

Author Comment

by:Lisa_Lewald
ID: 12322592
Thanks for the help, everyone.  Symantec quarantined the virus, but not before it did its damage.  We struggled through and it seems to be good now.
0
