Virus issues [Archive] - Glock Talk



Z34Lee
12-04-2004, 16:17
Well, 2 years with this computer and life was good, but it's going south now.

I have a Dell using XP, and have AVG 6.0, with regular updates and regular scans.

Last week I went to a website looking for lyrics. It tried to download a program which AVG found as a virus. Either way, it still got on there and after some work, I got rid of the files. It was a trojan horse downloader program which installed all kinds of crap on my PC. In all this process I also upgraded to AVG 7.0.

Lately my computer just hasn't been the same. It seems as though it's really using up my resources, caused display problems, and just doesn't act the same in general. Over the past two years this computer has run GREAT and if there ever was a little glitch, it was easily solved. Now it bogs down and has more major problems.

I restarted my computer recently, did the ctrl+alt+del thing and noticed that my CPU is running at near 100% all the time now - with almost nothing running. In the processes tab, I see that a file called csrss.exe is using 30-50% of cpu usage now. From just a little research it seems that this can be a virus. Now I've also started noticing the links that show up on webpages under certain words, leading you to advertiser sites. Any help would be appreciated. I'm doing another full scan with AVG now, but I don't think I'll have any luck.

hwyhobo
12-04-2004, 17:53
Where is that file located? In system32 or elsewhere?

Z34Lee
12-04-2004, 17:58
Not sure, I downloaded adaware and so far, everything seems to be working smoothly.

NetNinja
12-04-2004, 18:38
Please read the sticky at the top of the tech Forum.

Z34Lee
12-04-2004, 18:42
I did, that's why I downloaded AdAware SE.

metallic
12-04-2004, 19:10
You might just want to backup all your important files and do a fresh reinstall of Windows XP if you can't seem to nail the problem down and fix it. I've found all versions of Windows to need to be freshly reinstalled after a certain amount of time.

fastvfr
12-05-2004, 15:07
How about this: try downloading AVAST! AV and deleting AVG.

The AVG 7.0 Free is still pretty buggy, so for the time being I am running Avast on all of my PC's.

It is less bloated and consumes fewer resources; it is also 'cleaner' and doesn't cause the issues AVG currently is.

On some PC's, AVG caused XP Pro to take upwards of ten MINUTES to boot until it was removed...reinstalling brought the problems back. It also caused my PC to 'hesitate' when R. clicking any of the drive icons in My Computer...for two or three minutes. Ripped it out and all was well.

Draw your own conclusions.

And another thing: many times I have seen AVAST remove virii that AVG couldn't.

AVG's Resident Scanner seems to be more sensitive, though.

Best regards,

FastVFR

Z34Lee
12-05-2004, 15:08
Well it seems I'm still having big time issues here. The csrss.exe file cranks away hard most of the time, then I get an error report that Dr. Watson Postmortem debugging has to close. I've run several full scans with AVG to no avail. Now, as I look through GlockTalk certain words are highlighted once again as hyperlinks that should not be there. A spyware problem of some sort, but one that has also affected much more of my computer. It has gotten into my display settings. Hopefully I can get this nailed down.

Z34Lee
12-05-2004, 23:48
The Avast did pick up a trojan horse or two, but still isn't solving my csrss.exe problems. My other user account has basically become unusable. If it's any use, here's my Hijack This log:

Logfile of HijackThis v1.98.2
Scan saved at 1:36:07 AM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Uncle Jesse\My Documents\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\system32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\system32\mskhhe.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\system32\msfaol.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\msnkmi.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/204f663a76a2dace5200/netzip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe

sdakota
12-06-2004, 00:54
First, you really should do a search and find out where csrss.exe is located on your computer - there may be more than one occurrence. If there is one in c:\ or c:\windows it's probably a virus - the valid csrss.exe should be in c:\windows\system32.

Second, go to http://hijackthis.de/index.php and paste in your Hijack This! log. This will return an analysis of your log and you can (CAREFULLY) remove the items that are marked as "nasty" and any others that you know shouldn't be in your system. I say to be careful because Hijack This! is very powerful and can remove things that you don't want removed.

Thirdly, I would suggest you go to TrendMicro (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUCHON.B&VSect=T) and read the info and then go to "Scan your PC" (http://housecall.trendmicro.com/) to run their online virus scan. You don't need to uninstall or disable whatever antivirus you already have running on your PC.

Hope this helps !
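
The location check sdakota describes can be applied mechanically to the "Running processes" section of a HijackThis log rather than by eye. The script below is an added example, not code from the thread or from HijackThis: it parses that section, and flags any core Windows process name (csrss.exe and, as an assumption extending the same rule, smss.exe, winlogon.exe, services.exe, lsass.exe and svchost.exe) whose image path is not %WINDIR%\System32, and also reports names that appear more than once. The sample log is constructed for the example; the csrss.exe under C:\WINDOWS in it is a hypothetical entry, not something taken from the log posted above.

```python
"""Flag core Windows processes running from the wrong directory.

Added example applying sdakota's check: the genuine csrss.exe lives in
%WINDIR%\\System32, so a same-named image anywhere else is suspect.
"""
import ntpath
from collections import Counter

# Process names whose genuine image lives only in %WINDIR%\System32.
# csrss.exe comes from the thread; the rest extend the same rule (assumption).
CORE_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}

# Constructed sample in HijackThis v1.98 layout (not the log from the thread).
# The "C:\WINDOWS\csrss.exe" line is a hypothetical bad entry for the demo.
SAMPLE_LOG = """Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\csrss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\csrss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com
"""


def expected_dir(windir="C:\\WINDOWS"):
    """Directory (lower-cased) where core system images are expected."""
    return ntpath.join(windir, "System32").lower()


def parse_running_processes(log_text):
    """Return the image paths listed under 'Running processes:'.

    The section starts after the header line and ends at the first blank
    line that follows at least one path.
    """
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                if paths:
                    break
                continue
            paths.append(stripped)
    return paths


def suspicious_core_processes(paths, windir="C:\\WINDOWS"):
    """Return (path, reason) pairs for core names outside %WINDIR%\\System32.

    Comparison is case-insensitive because HijackThis prints both
    'System32' and 'system32' for legitimate entries.
    """
    want = expected_dir(windir)
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()
        if name not in CORE_SYSTEM_PROCESSES:
            continue
        if ntpath.dirname(path).lower() != want:
            findings.append((path, f"{name} should only run from {want}"))
    return findings


def duplicate_core_names(paths):
    """Return core process names that appear more than once in the list."""
    counts = Counter(ntpath.basename(p).lower() for p in paths)
    return sorted(n for n, c in counts.items()
                  if n in CORE_SYSTEM_PROCESSES and c > 1)


if __name__ == "__main__":
    procs = parse_running_processes(SAMPLE_LOG)
    for path, reason in suspicious_core_processes(procs):
        print(f"SUSPECT: {path}  ({reason})")
    for name in duplicate_core_names(procs):
        print(f"NOTE: {name} appears more than once")
```

On the constructed sample the script reports the csrss.exe under C:\WINDOWS as suspect and notes that csrss.exe appears twice; on a clean XP log it prints nothing. Multiple svchost.exe entries are normal on XP and would also be listed by the duplicate check, so that output is a prompt to look, not a verdict.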

Z34Lee
12-06-2004, 01:44
Originally posted by sdakota
First, you really should do a search and find out where csrss.exe is located on your computer - there may be more than one occurrence. If there is one in c:\ or c:\windows it's probably a virus - the valid csrss.exe should be in c:\windows\system32.

Second, go to http://hijackthis.de/index.php and paste in your Hijack This! log. This will return an analysis of your log and you can (CAREFULLY) remove the items that are marked as "nasty" and any others that you know shouldn't be in your system. I say to be careful because Hijack This! is very powerful and can remove things that you don't want removed.

Thirdly, I would suggest you go to TrendMicro (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUCHON.B&VSect=T) and read the info and then go to "Scan your PC" (http://housecall.trendmicro.com/) to run their online virus scan. You don't need to uninstall or disable whatever antivirus you already have running on your PC.

Hope this helps !

Thanks... the csrss.exe file was not in that directory. From what I've read, it sure seems like it's acting like a virus, but neither AVG 7 nor Avast pick it up. I've done the Trend Micro scanner, and it didn't find anything. I will post on the HijackThis site.

RaiderRodney
12-06-2004, 10:54
May or may not help but I always scan weekly with Ad-aware SE and Spybot Search & Destroy. Sometimes Spybot finds things that Ad-aware doesn't... like things in the memory. It will then ask you to reboot and let Spybot run on startup... this should take care of the problem because I had a friend with this exact problem last week. Hope it works :)

Sulaco
12-06-2004, 14:26
Originally posted by metallic
You might just want to backup all your important files and do a fresh reinstall of Windows XP if you can't seem to nail the problem down and fix it. I've found all versions of Windows to need to be freshly reinstalled after a certain amount of time.

amen