rsinden

asked on

csrss.exe consuming nearly 100% of CPU time

Making the laptop run excruciatingly slow.  Have run virus check (AVG), spyware (Spy Sweeper) and nothing found.  Restored to an earlier version - no change.

Tried creating a new user (as had come across mention of possible corrupt user profile) and after a short while exhibited the same problem.
Pete Long

This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the C:\Windows\System32 folder. In other cases, csrss.exe is a virus, spyware, trojan or worm!
http://www.neuber.com/taskmanager/process/csrss.exe.html
also see
Csrss.exe uses 100% of the CPU When you Right-Click an item in Explorer
http://support.microsoft.com/?kbid=555021
Can we look at your HijackThis log please?

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
rsinden

ASKER



rpggamergirl

http://www.rafb.net/paste/results/tjxCGe85.html

Tried the EE upload but it kept telling me the file was too small... so I tried padding it out to 230kb but still too small. Ah well... good idea.



rsinden

ASKER

After a reboot, csrss consumes zero CPU time. Doing a few emails, running a browser for about 10-15 minutes... all OK... but then after about 20 minutes, it is back up at 99% of CPU time.
Not sure why EE upload didn't work.

I don't see any active nasty but Netmeter,
Uninstall these if listed in add/remove:
"CashBackBuddy"
"NetMeter"

and delete their folders:
C:\Program Files\NetMeter
C:\Program Files\CashBack


Also, Go to Start  > Run  >  type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop BSRRI
sc delete BSRRI
sc stop CB
sc delete CB

exit

Fix these entries if still present:
O23 - Service: BSRRI - Unknown owner - C:\DOCUME~1\ROGER~1.COM\LOCALS~1\Temp\BSRRI.exe (file missing)
O23 - Service: CB - Unknown owner - C:\DOCUME~1\ROGER~1.COM\LOCALS~1\Temp\CB.exe (file missing)


Download ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


If the csrss CPU problem still exists (this is a shot in the dark), just to make sure you don't have the Chod.D worm (csrss worm):
Please Download MsnVirRem.exe to your desktop from one of the following mirrors:

http://downloads.malwareremoval.com/MsnVirRem.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item9
http://www.greyknight17.com/spy/MsnVirRem.exe

* First close any other programs you have running as this will require a reboot
* Double click MsnVirRem.exe to run it
* Once open, click the button labelled "Search and Destroy"
      <<Your computer will now be scanned for Infected Files>>
* When scanning is finished you will be prompted to reboot only if infected, Click OK
* Now click the "REBOOT" Button.
* After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
* A message should pop up from MsnVirRem; if not, double-click the program again and it will finish

Please Post the contents of C:\msnvirrem.log
rsinden

ASKER

Many thanks for excellent detailed instructions.

Uninstalled NetMeter (curious to know why you don't like this utility?)

CashbackBuddy did not exist.  

BSRRI wasn't running but deleted OK. Curious to know what BSRRI is as Googling produced no results that I could see.
CB - wasn't running but deleted OK.

I think the reference to CB (as in O23 service CB unknown owner) may have led you to suggest CashBack. I am embarrassed to admit that I think CB did in fact stand for Cablehead Blackbox, which was quarantined by SpySweeper when I ran a checksweep. However, the fact that CB remained as a service (although stopped) suggests that SpySweeper maybe was not as rigorous as I might have hoped. Am embarrassed to note that Blackbox can only be installed manually, and so that means that I let my guard down, as I am usually paranoid about downloading and installing s/w other than from reputable sources. Clearly, not as careful as I should be and, no, I cannot remember where this might have come from.

However, as far as I can tell, all traces of CB have now gone.

Ran ATF Cleaner (neat utility - thanks)

Ran MsnVirRem and that reported no viruses.

Cleaned up the registry for good measure and it certainly boots up quicker now.

Thought problem had been fixed but after a while csrss back up to 99-100% when first ran up early morning.

However, as at 10.40am BST, csrss running very low CPU usage.  Will continue to monitor.

>>Uninstalled NetMeter (curious to know why you don't like this utility?)<<
Well known antispyware databases like CastleCops classified NetMeter as a rogue app. A lot of programs out there sound good but they also have their own hidden purpose.
For example, many people might think that Cybersitter is a good program because of what it says, but in reality when you install it, it redirects you to advertisement sites ("www.safe-site.com" is one of them) and it blocks these security sites: Sysinternals.com, Kaspersky and Panda.

Process Name : NetMeter
File Name : NetMeter.exe
Description: NetRatings software by Opistat. "OpiStat measures Internet usage anonymously and surveys participants according to their profiles and online habits". This software has been reported to get downloaded and installed automatically after a Grokster install.
Rating:       Typically viruses, spyware, adware and resource hogs.


>>Curious to know what BSRRI is as Googling produced no results that I could see.<<
Malware is known to hide itself as a service to evade detection, and because there were no hits when Googling the filename and the display name, and because the service name is unknown and it was running from the temp folder, that was my reason for stopping/deleting the service.
Legit services that run from the temp folder normally show their display name, like Sysinternals' Rootkit Revealer, which also runs from the temp folder.


>>I think the reference to CB (as in O23 service CB unknown owner) may have led you to suggest cashBack.<<
Yes, because of the cb.exe file that belongs to Cashbackbuddy.

http://72.14.203.104/search?q=cache:U_JTnZlVEB4J:www.symantec.com/avcenter/venc/data/adware.cashbackbuddy.html+CB.exe&hl=en&gl=au&ct=clnk&cd=5&lr=lang_en


Would you like to run these diagnostic tools? One of them might lead us to the culprit.
1. Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

2. Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

3. Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
To minimize the RKR log being polluted with legit data, run RootkitRevealer on an idle system.
rsinden

ASKER

Understand what you say re cb.exe but equally concerned as to how it would have got onto my system!

Silent runner result URL at http://www.rafb.net/paste/results/6gAg3V67.html

Blacklight result :
07/12/06 11:53:18 [Info]: BlackLight Engine 1.0.42 initialized
07/12/06 11:53:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/12/06 11:53:19 [Note]: 7019 4
07/12/06 11:53:19 [Note]: 7005 0
07/12/06 11:53:26 [Note]: 7006 0
07/12/06 11:53:26 [Note]: 7011 1352
07/12/06 11:53:27 [Note]: 7026 0
07/12/06 11:53:27 [Note]: 7026 0
07/12/06 11:53:37 [Note]: FSRAW library version 1.7.1019
07/12/06 11:57:58 [Note]: 2000 1006
07/12/06 12:05:54 [Note]: 7007 0

It reported nothing untoward. BTW FYI the try.shtml link no longer works...

rootkit results

C:\Documents and Settings\Roger.COMPAQ\Application Data\Webroot\Spy Sweeper\Data\svralts.dat      12/07/2006 12:11      0 bytes      Hidden from Windows API.
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak      11/07/2006 12:10      2.54 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040451.RDB      12/07/2006 12:03      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040452.RDB      12/07/2006 12:07      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040453.mst      11/07/2006 12:10      2.54 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040454.RDB      12/07/2006 12:08      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040455.RDB      12/07/2006 12:11      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040456.RDB      12/07/2006 12:18      1.63 MB      Hidden from Windows API.
C:\WINDOWS\Internet Logs\bu_todelete.rdb      12/07/2006 12:24      1.63 MB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Internet Logs\bu_tosave.rdb      12/07/2006 12:28      1.63 MB      Visible in directory index, but not Windows API or MFT.

The good news is that csrss.exe is sitting there quietly good as gold and consuming virtually no resources.

Even better news (for you) is that I have upped the points as I really appreciate the extra distance that you are going on this plus the excellent feedback and explanations.


>> BTW FYI the  try.shtml link no longer works...<<
oh sorry about that, I must update my links, thanks for letting me know, appreciate it.

Silent Runners' log didn't show anything suspicious,
Blacklight didn't find anything,
Rootkit Revealer didn't find any rootkit either,
though some trojans/worms can also hide from Blacklight and Rootkit Revealer.


>>The good news is that csrss.exe is sitting there quietly good as gold and consuming virtually no resources.<<
Fingers crossed, let's hope it will stay that way.


>>Even better news (for you) is that I have upped the points as I really appreciate the extra distance that you are going on this plus the excellent feedback and explanations.<<
Very much appreciated thanks, I just hope I can help you.


You don't have these files, do you? These are some variants of the Chod.D worm.
C:\WINDOWS\System32\[random foldername]\csrss.exe
c:\documents and settings\[USERNAME]\start menu\programs\startup\csrss.exe
C:\WINDOWS\winsock\csrss.exe
C:\WINDOWS\config\svchost.exe
C:\WINDOWS\winsock\services.exe


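A defender's location triage for the binary names in the list above, added here as an example that is not from this thread or from any tool it mentions: the genuine csrss.exe runs only from System32, and the OS cache folders treated as acceptable (dllcache, ServicePackFiles\i386, and any $Nt...$ uninstall folder under %SystemRoot%) are my assumptions. It goes slightly beyond the thread by applying the same rule to svchost.exe and services.exe.

```python
"""Triage copies of core Windows binaries (csrss.exe and friends) by on-disk location.
The genuine csrss.exe lives in %SystemRoot%\\System32, with pristine copies in a few OS
caches; a copy in a Startup folder or a random System32 subfolder matches the Chod.D
variants listed in the thread."""
from pathlib import PureWindowsPath

SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "services.exe"}  # names from the worm list
SYSTEM_ROOTS = {"windows", "winnt"}                               # common %SystemRoot% names

def _is_os_cache(rel):
    """Folders under %SystemRoot% where the OS legitimately keeps spare copies.
    Assumption: every '$nt...$' folder (hotfix/SP uninstall cache) counts as one."""
    if rel in (("system32", "dllcache"), ("servicepackfiles", "i386")):
        return True
    return len(rel) == 1 and rel[0].startswith("$nt") and rel[0].endswith("$")

def classify(path):
    """Return 'expected', 'suspicious: <reason>' or 'ignored' for one path."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]  # compare case-insensitively
    name, parent = parts[-1], tuple(parts[1:-1])              # parts[0] is the drive
    if name not in SYSTEM_BINARIES:
        return "ignored"
    if not parent or parent[0] not in SYSTEM_ROOTS:
        if "startup" in parent:
            return "suspicious: runs from a Startup folder"
        return "suspicious: outside %SystemRoot%"
    rel = parent[1:]
    if rel == ("system32",) or _is_os_cache(rel):
        return "expected"
    if rel[:1] == ("system32",):
        return "suspicious: System32 subfolder"
    return "suspicious: unexpected folder under %SystemRoot%"

def triage(paths):
    """Map each path to its verdict; anything not 'expected' needs a closer look."""
    return {p: classify(p) for p in paths}

if __name__ == "__main__":
    # Constructed sample: the asker's legitimate hits plus locations from the worm list.
    sample = [
        r"C:\WINDOWS\System32\csrss.exe",
        r"C:\WINDOWS\ServicePackFiles\i386\csrss.exe",
        r"C:\WINDOWS\System32\xk3q9\csrss.exe",
        r"C:\Documents and Settings\User\Start Menu\Programs\Startup\csrss.exe",
        r"C:\WINDOWS\winsock\csrss.exe",
        r"C:\WINDOWS\config\svchost.exe",
    ]
    for p, verdict in triage(sample).items():
        print(f"{verdict:48} {p}")
```

Feed it the output of a disk-wide search for these file names; a path the script does not return as 'expected' is the one to check against the running process image and submit to a scanner.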
rsinden

ASKER

No folder winsock present.  

Config folder is empty.

No other files in your list found

For good measure searched for csrss.exe and found 3 (one in $NTInstall..., one in System32 and one in Service Pack... all with 2004 or later dates) (not that that guarantees anything ;-)

csrss.exe still behaving itself.
ASKER CERTIFIED SOLUTION
rpggamergirl
rsinden

ASKER

Yes... gut feel says that it's fixed. I do remember when I ran a search for it during the time I was trying to sort this out by myself I did come up with many more instances, including one in the System folder dated 10th July 2006, which clearly was wrong. However, I think a combination of a System Restore to an earlier date plus all your good advice has cleaned out the 'bad' stuff.
Glad to hear csrss.exe is still behaving okay, you did a good job!

Thanks for the points and the A grade :)

Best wishes!