
CSRSS @ c/i386

HiddenStupid


How to get rid of CSRSS virus?

click start..search for csrss and comes out with 5 results:
- CSRSS from C/i386
- CSRSS from c/windows/system32
- csrss and numbers end with hdmp from c/windows/PCHEALTH/ErrorRep/userdumps
- csrss and numbers end with mdmp from c/windows/PCHEALTH/ErrorRep/userdumps
- csrss and numbers end with mdmp from c/windows/PCHEALTH/ErrorRep/userdumps

went to C/ and found a folder called i386 and size of 988mb... open up... full of files... notepads, exe's, picture icon etc...

here's some of the names on the files in the i386 folder:
- sendmail.dll
- WINLOGON
- WSSCRIPT
- DellSys.dll
- AGENTSVR (shows man in suit with black shades and hat as icon)
- (jpeg file) name desktop_screen_shot. as preview on left side show desktop and desert wallpaper and browser open and paintshop open.



Here's some reference for you to help me get rid of this nasty virus:
- http://www.techspot.com/startup/1632/
- http://www.processlibrary.com/directory/files/pchealth



and here is result when scanned with SDfix:

Trojan Files Found:



Could Not Remove C:\csrss.exe
Could Not Remove C:\WINDOWS\lsasss.exe
Could Not Remove C:\WINDOWS\system32\remote.exe
Could Not Remove C:\WINDOWS\system32\windowz.exe
Could Not Remove C:\WINDOWS\system32\winsys.exe
Could Not Remove C:\WINDOWS\system32\winxp.exe
 
is anti-virus or antispyware installed on your system?
 
Try removing it from the startup, the original csrss.exe (it's a Windows file) resides in c:\windows\system32 folder
 
> is anti-virus or antispyware installed on your system?

scanned full-scan with:

- AVG anti virus
- AVG anti spyware
- TCspy
- SDfix
- SmitRem
- Smitfraudfix
- ccleaner registry cleaner
- ccleaner cleaner
- scanned individual single file with avg.... no detect
 
Have you removed it from startup?
 
> Try removing it from the startup, the original csrss.exe (it's a Windows file) resides in c:\windows\system32 folder

c/duc setting/all user/start menu/ program/startup.... startup folder empty
 
Use Process Explorer to find which folder it is running from. It will show its location.

What problems are you facing?
 
CSRSS.EXE - Confusion

Csrss.exe is the Microsoft client server runtime which generates worker threads for client requests. The confusion over csrss.exe comes from Trojans or viruses that use the same executable name (.exe) as that of csrss.

Many spyware/malware programs use filenames of usual, non-malware programs.

The legitimate csrss.exe is part of the Microsoft client server software and is a very important part of the system which should not be removed.

One way to determine if csrss.exe is a legitimate file besides looking at the date modified is to right click on csrss.exe inside Task Manager and attempt to end process. Because csrss is a critical file, Microsoft should inform you with a message that csrss.exe is a critical system process and ending it is not possible.

If you do not receive this message when attempting to end the csrss.exe process, then it may indeed be a virus.
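
The name-versus-location point made in the post above can be checked mechanically. The following is an added example, not part of any post in this thread: it flags a file that uses a system process name outside System32, or a name that is a near-miss of one. The name list, the edit-distance threshold and the verdict labels are assumptions of this sketch, and a "no-name-match" verdict only means this check has no opinion about the file.

```python
import ntpath

# Assumption: a short list of core Windows process names that belong in System32.
SYSTEM_NAMES = ["csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                "svchost.exe", "winlogon.exe"]
EXPECTED_DIR = r"c:\windows\system32"
MAX_DISTANCE = 2  # assumption: how many character edits still count as a lookalike


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return (verdict, matched_system_name) for one Windows file path."""
    folder, name = ntpath.split(ntpath.normpath(path))
    folder, name = folder.lower().rstrip("\\"), name.lower()
    if name in SYSTEM_NAMES:
        # Right name: the folder decides. Copies elsewhere need a closer look.
        return ("expected" if folder == EXPECTED_DIR else "wrong-directory", name)
    nearest = min(SYSTEM_NAMES, key=lambda real: edit_distance(name, real))
    if edit_distance(name, nearest) <= MAX_DISTANCE:
        return ("lookalike", nearest)
    return ("no-name-match", None)


# Sample input built from paths quoted in this thread.
SAMPLE = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\csrss.exe",
    r"C:\WINDOWS\lsasss.exe",
    r"C:\WINDOWS\system32\winsys\ccsrs.exe",
    r"C:\WINDOWS\system32\winxp.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print("%-40s %s" % (p, classify(p)))
```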
 
> Use Process Explorer to find which folder it is running from. It will show its location.
>
> What problems are you facing?

I do not notice any problem I am facing... everything seems normal.... no problem but when scan with SDfix.... it shows that it is a trojan virus and research and references shows it's a virus... and..... and..... yeah I don't notice any problem.
 
Maybe it's not a virus, just use task manager to end this process.
 
> CSRSS.EXE - Confusion
>
> Csrss.exe is the Microsoft client server runtime which generates worker threads for client requests. The confusion over csrss.exe comes from Trojans or viruses that use the same executable name (.exe) as that of csrss.
>
> Many spyware/malware programs use filenames of usual, non-malware programs.
>
> The legitimate csrss.exe is part of the Microsoft client server software and is a very important part of the system which should not be removed.
>
> One way to determine if csrss.exe is a legitimate file besides looking at the date modified is to right click on csrss.exe inside Task Manager and attempt to end process. Because csrss is a critical file, Microsoft should inform you with a message that csrss.exe is a critical system process and ending it is not possible.
>
> If you do not receive this message when attempting to end the csrss.exe process, then it may indeed be a virus.

alt tab delete... process list comes up.... found says CSRSS.EXE press end process.... popup says:

"this is a critical system process. task manager cannot end this process"
 
That means you are safe, that is not the virus
 
> That means you are safe, that is not the virus

no, I still have doubt..... I am 97% sure it is a virus.

click start... search winsys.exe..... shows winsys folder from c/WINDOWS/SYSTEM32.... open up.... inside see folder called:

- avpr.exe
here is reference for you to help me get rid of it http://www.auditmypc.com/process/avpr.asp

also remember my SDfix log result?:
Trojan Files Found:



Could Not Remove C:\csrss.exe
Could Not Remove C:\WINDOWS\lsasss.exe
Could Not Remove C:\WINDOWS\system32\remote.exe
Could Not Remove C:\WINDOWS\system32\windowz.exe
Could Not Remove C:\WINDOWS\system32\winsys.exe
Could Not Remove C:\WINDOWS\system32\winxp.exe

......this link http://www.auditmypc.com/process/avpr.asp shows that the avpr.exe is related to lsass which is similar like lsasss.exe

also here is some of the file/folder names in the winsys folder:
- ccsrs.exe
- CSRSS.EXE
- CSRSRV.DLL
- fuck.exe
- gothica.exe
- winxp.exe
- ANTSetup.exe
- dla.exe
- LUSRMGR.MSC
- CMD.EXE


don't some of these look suspicious?
 
C:\WINDOWS\lsasss.exe
C:\WINDOWS\system32\remote.exe
C:\WINDOWS\system32\windowz.exe
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\winxp.exe

All are viruses.

Try Kaspersky, or Nod32 or Norton Corporate Edition Anti-Virus
 
> C:\WINDOWS\lsasss.exe
> C:\WINDOWS\system32\remote.exe
> C:\WINDOWS\system32\windowz.exe
> C:\WINDOWS\system32\winsys.exe
> C:\WINDOWS\system32\winxp.exe
>
> All are viruses.
>
> Try Kaspersky, or Nod32 or Norton Corporate Edition Anti-Virus

Tried Nod32.. no help. Will try kaspersky. Will try Norton Corporate Edition Anti-Virus. thanks for suggestion.
 
Try removing them in safe mode. If you can't do that use some bootdisk to remove the files manually.

Bootdisk? like windows XP disk?







I guess I shall rest on this case for a while.... head getting numb..... will enjoy doing something else.... hope I will eventually get rid of it.
 
Like any disk you can boot from and then delete the files. Recovery console can be used from the XP disk for example, BartPE, ultimate bootdisk contains various disks as well.
 
oh I see.

I heard somewhere that i386 from c/: is part of operating system..... but I thought its a virus?
 