Error on startup Windows 2003 terminal server

I'm getting the following message when I log on via my terminal servers; it seems to be happening on most profiles:

Windows cannot find 'C:\docume~1\Admin~1.MSC\Locals~1\temp\1\csrss.exe make sure you have typed the name correctly, and then try again.

Desktop
Cannot load or run C:'C:\docume~1\Admin~1.MSC\Locals~1\temp\1\csrss.exe make sure the file exists on your computer

I have run antivirus scans - CA eTrust & Pest Patrol - without any luck. I've also run Malwarebytes and nothing has shown up?

Can some one please help me?
Jerzak1976Asked:
hmarcbowerCommented:
OK, looks like it might be backdoor.bot

http://www.pcmech.com/forum/networking-online-security/218380-csrss-exe-backdoor-bot-conhost-exe.html

It also appears that conhost.exe is a file that generally only exists in Windows 7 (and should be in the Windows directory, so I would say that is probably part of the issue as well, and the running process that is re-infecting the registry).  

I'm guessing you also can't get anywhere on the internet, either - your proxy server address is set to 127.0.0.1:50202

Aha, and it's in your win.ini file that the csrss.exe file is being loaded... that's a new one to me.

OK.... Here's what I'd do in your situation
1st: kill the conhost.exe process
2nd: delete the file from C:\Documents and Settings\jkeele\Application Data\Microsoft\conhost.exe
3rd: Go back into the registry to HKLM\Software\Microsoft\Windows\Current Version\Run and remove the line that launches the now deleted conhost.exe file
4th: Start..Run... MSCONFIG... WIN.INI tab - Click FIND and search for csrss.exe - DISABLE any csrss.exe entry that is trying to run from your temp dir
5th: Reboot

That should have rooted out the worst of it... but let's see what happens after a reboot...

0
 
hmarcbowerCommented:
Since it was in the temp folder, I would almost suspect it was a failed attempt at a trojan/malware.  csrss.exe is a windows file, but it's never in a temp file, so I suspect that what it's trying to load would be the malware/trojan.  If you check your registry, you'll probably find an entry for it in the Run key.

HKLM\Software\Microsoft\Windows\Current Version\Run

You should be able to delete the line out of there that runs the missing file and the error will stop.  

Did you have an av client running on it before this occurred?  Sometimes what happens is it only catches a part of the process of infection, and there are a few little things left to clean up (like maybe your A/V stopped the creation of that file in the temp folder, but didn't find any problem with it writing to the registry).
0
 
Jerzak1976Author Commented:
Have checked this and the missing file is not in here at all. The only one I am not sure of is conhost.exe?
Yes, antivirus was running on all the machines. It's a terminal server and it comes up on all servers when they load the infected profiles!
0
 
hmarcbowerCommented:
It's good that the missing file is not in the temp file.  Do you mean you checked the registry and it's not there, either?
0
 
Jerzak1976Author Commented:
Yes, checked in the registry and it's not there either!
0
 
hmarcbowerCommented:
Hm.  You could check in the HKEY Current User branch, logged in as one of the users getting the message.  I figured since it was affecting all the profiles it would be in the HKLM... but perhaps not.
0
 
Jerzak1976Author Commented:
It seems to be affecting myself, the admin, and one other user! Can't seem to find it in HKEY current user either!
0
 
hmarcbowerCommented:
The next step for registry is doing a search for it.  Search for csrss.exe in the whole registry and see if there are any suspicious lines that come up. As I said, it is a vital windows program, too, so don't just delete them all.
0
 
Jerzak1976Author Commented:
Yes, I found it in HKEY current user\software\microsoft\windowsnt\current version\windows
I deleted it and then logged off and logged back on - seemed to be fine. I then logged off and back on again and up it popped again. Also the SharePoint server which holds our intranet isn't working for these particular users!!
0
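The removal steps hmarcbower lists above (Run key, win.ini, conhost.exe process) and the registry search that turned up csrss.exe under HKCU\...\Windows NT\CurrentVersion\Windows can be checked in one pass. The following audit script is an added example, not code from the thread or from any of the participants. It assumes PowerShell 2.0 has been installed on the Windows 2003 terminal server, that it is run inside the affected user's session so HKCU resolves to that user's hive, and it treats the three Windows-7-only names mentioned in the thread as suspect whenever they are launched from anywhere other than %SystemRoot%. It reports only; it deletes nothing.

```powershell
# Added audit script (not from the thread): enumerate the autorun locations
# discussed above and flag entries that launch csrss.exe, conhost.exe or
# dwm.exe from outside the Windows directory. Assumes PowerShell 2.0 on the
# Windows 2003 host; run it as each affected user so HKCU is that user's hive.

$systemRoot   = $env:SystemRoot
$suspectNames = @('csrss.exe', 'conhost.exe', 'dwm.exe')

# Registry locations to inspect. Values = '*' means every value under the key.
# The HKCU ...\Windows NT\CurrentVersion\Windows Load/Run values are the
# per-user counterpart of win.ini [windows] load=/run=, which is where the
# thread found csrss.exe.
$locations = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';     Values = '*' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Values = '*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Values = '*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Values = '*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Values = @('Load', 'Run') },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Values = @('Shell', 'Userinit') }
)

function Test-SuspiciousCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    foreach ($name in $suspectNames) {
        if ($Command -match [regex]::Escape($name)) {
            # The genuine csrss.exe lives under %SystemRoot%\system32; anything
            # that launches one of these names from elsewhere is suspect.
            if ($Command -notmatch [regex]::Escape($systemRoot)) { return $true }
        }
    }
    return $false
}

$findings = @()

# 1. Registry autorun values
foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
    $key = Get-Item -LiteralPath $loc.Path
    if ($loc.Values -is [string]) { $names = $key.GetValueNames() } else { $names = $loc.Values }
    foreach ($name in $names) {
        $data = [string]$key.GetValue($name)
        if (Test-SuspiciousCommand $data) {
            $findings += New-Object PSObject -Property @{
                Location = "$($loc.Path) -> $name"; Command = $data }
        }
    }
}

# 2. win.ini [windows] load= / run= lines (still honoured on Windows 2003)
$winIni = Join-Path $systemRoot 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*(load|run)\s*=\s*(.+)$') {
            $which = $matches[1]; $cmd = $matches[2]
            if (Test-SuspiciousCommand $cmd) {
                $findings += New-Object PSObject -Property @{
                    Location = "win.ini [windows] $which="; Command = $cmd }
            }
        }
    }
}

# 3. Running processes using those names from outside %SystemRoot%
foreach ($proc in Get-Process) {
    if ($suspectNames -notcontains ($proc.ProcessName + '.exe')) { continue }
    try   { $path = $proc.MainModule.FileName }     # access denied for some system processes
    catch { $path = $null }
    if ($path -and (Test-SuspiciousCommand $path)) {
        $findings += New-Object PSObject -Property @{
            Location = "process PID $($proc.Id)"; Command = $path }
    }
}

if ($findings.Count -eq 0) { 'No suspicious autorun entries or processes found.' }
else { $findings | Format-Table Location, Command -AutoSize }
```

Run it once per affected profile and once as the local administrator, then compare the reports: an entry that returns after you remove it, as the thread describes, points to a still-running process or another autorun location that rewrites the value, so the process list in the report is the first thing to look at before deleting anything.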
 
Cliff GaliherCommented:
The fact that one of the users affected is an admin leads me to believe you have an infected machine somewhere and the malware has acquired admin privileges. From there it can cause problems with profiles on other machines, and this is one way several of the Nimda variants spread. You may be looking at systematically isolating and rebuilding each component of your network.
0
 
hmarcbowerCommented:
Then definitely check the RUN key more closely - there is something there respawning the trojan/malware process that adds that info to the registry.  Find that process, find out what's running it, and delete the source.

Might be a good start to empty the TEMP folder in question, too - anything that it can't delete will be a running program (or locked for some other reason), and might be your culprit.  Look at the running processes on the server and see what doesn't look right.
0
 
Jerzak1976Author Commented:
Now I feel sick. I've checked in Run, nothing unusual in there, emptied the Temp directory, logged off, logged back on and still no luck. I just can't seem to find where it is located. I've run HijackThis, killed the process and still no luck with it. Only affecting my profile (which is a domain admin account), the local admin account on three of the terminal servers, and one other user who is an admin as well.
0
 
hmarcbowerCommented:
Since you ran hijackthis, post the log and let's see if anyone can pick anything out.
0
 
Jerzak1976Author Commented:
0
 
Jerzak1976Author Commented:
Is dwm.exe a part of it as well?
0
 
Jerzak1976Author Commented:
Tried all of this but it keeps on coming back. Is there any software that gets rid of it?
0
 
hmarcbowerCommented:
dwm.exe - Yes, probably - it also seems to be a Windows 7 specific file that shouldn't be running on a Win2003 server.  I'm so used to seeing that one it never jumped out at me. It was a running process, but I don't see anything in the HJT log that would spawn it.  

If all that didn't solve the problem, then it's deeper in the system.  Here's a page at malwarebytes that goes through some steps to hopefully get rid of it.  

http://forums.malwarebytes.org/index.php?showtopic=63688

And also check here:

http://www.bleepingcomputer.com/forums/topic304517.html
0