1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

C:\WINDOWS\Config\csrss.exe - File not found [moved from XP; Malware help needed]

Discussion in 'Virus & Other Malware Removal' started by Mike PC, Apr 16, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. Mike PC

    Mike PC Thread Starter

    Joined:
    Apr 15, 2008
    Messages:
    18
    Every time I long on to windows xp (installed on D:\) I get the error message 'Cannot find C:\WINDOWS\Config\csrss.exe. The ..............)

    Vista is installed on C:\ and i multiboot

    HELP
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It's a malware issue; You're AV has removed the malicious file but there is a startup call remaining for it.

    The real version is in the system32 directory.

    Post a HijackThis scanlog:

    Download and install HijackThis. Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
     
  3. Mike PC

    Mike PC Thread Starter

    Joined:
    Apr 15, 2008
    Messages:
    18
    Thanks for the reply: i have attached the log file to this post. please reply soon

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:00:36, on 16/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.exe
    D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\afinding.exe
    D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
    D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    D:\WINDOWS\system32\perfs.exe
    D:\WINDOWS\system32\routing.exe
    D:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
    D:\WINDOWS\system32\wserving.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Outlook Express\msimn.exe
    D:\WINDOWS\System32\svchost.exe
    D:\PROGRA~1\MOZILL~2\FIREFOX.EXE
    D:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
    O1 - Hosts: 82.98.86.179 dyotb.cn
    O1 - Hosts: 82.98.86.179 pnwal.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://download.livemath.com/activex/AXTNS.ocx
    O23 - Service: AFinding Service (AFinding) - Unknown owner - D:\WINDOWS\system32\afinding.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - D:\WINDOWS\system32\perfs.exe
    O23 - Service: Routing Service (Routing) - Unknown owner - D:\WINDOWS\system32\routing.exe
    O23 - Service: Streamload Service (StreamloadService) - Streamload - D:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
    O23 - Service: Symantec Core LC - Unknown owner - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: WServing Service (WServing) - Unknown owner - D:\WINDOWS\system32\wserving.exe

    --
    End of file - 6615 bytes
     

    Attached Files:

    • log.txt
      File size:
      6.5 KB
      Views:
      315
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have a very extensive malware infection on your XP drive, and possibly on Vista as well.

    This is not my area any more so I am going to move the thread to the Malware forum and request additional help for you through the "report thread" option.

    If you do not get a response within 24 hours PM me and I will ask someone personally.

    Fixing this entry in HijackThis will stop that particular message, but you need much more extensive scanning and cleaning:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,240
    For now, please do this on your XP OS only. Please let me know if your Vista OS is 32-bit or 64-bit.


    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

    Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

    Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/704247

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice