Jump to content


Photo

Stumped! Csrss.exe - Hijack? Trojan?


  • Please log in to reply
3 replies to this topic

#1 bantling

bantling

    Member

  • New Member
  • Pip
  • 3 posts

Posted 08 June 2004 - 01:49 PM

I came across this while doing a routine scan using Hijack this - I
previously identified all of my running processes and placed them into the
ignore list, so when this new entry was displayed, I was suspicious.

O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe

So I did a scan with both AdAware and SpyBot S&D, but both came up with
nothing.

I checked csrss.exe on the system process website, and it checked out ok,
but a google search identified it as a possible trojan. So, taking a closer
look at my machine, the task manager identified two csrss.exe applications
running, one under system and one under owner. A file search indicates that
I have the following files with the name "csrss" -

CSRSS.ex_..............................C:\I386
csrss.exe................................C:\WINNT
CSRSS.EXE-29816579.pf........C:\WINNT\Prefetch
CSRSS.EXE-2DCCB740.pf.......C:\WINNT\Prefetch
csrss.exe................................C:\WINNT\system32
csrss_2.dll..............................C:\Documents and Settings\Owner\Local Settings\Temp

The csrss.exe file in the C:\WINNT\system32 folder is identified as a
microsoft client server runtime process, the csrss.exe file in the C:\WINNT
folder (the one I was suspicious of), carries a digital signature by
Webtronix Holdings Ltd. The certificate points to the
http://www.netreplicator.com website. I went to the website, and it looks
like a template filled in with a bit of superficial text, not very
impressive. One link labeled "remove", directly links to a file called
remove.exe. The TOS/Privacy statement does state that " NetReplicator may
collect and store information about the web pages that you view and the data
that you enter into search engine fields while using NetReplicator. "

Anyway. I really don't know what this is. I didn't care for how it appeared,
so I fired up Hijack again, checked the file and fixed them, then I opened
up Killbox, plugged in C:\WINNT\csrss.exe and crossed my fingers.

Whoops.

Which promptly rebooted my computer and restored it to the last system
restore point, and gave me the dialogue that "Windows encountered a serious
error .. click to report, etc."

Any ideas?

Here's the full Hijack log, in case it helps:

Logfile of HijackThis v1.97.7
Scan saved at 9:00:40 AM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Propel Accelerator\PropelAC.exe
C:\WINNT\csrss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=localhost:8082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = <local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program
Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe
/DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator
5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\Propel
Accelerator\PropelAC.exe
O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft
Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &WordWeb... -
res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program
Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program
Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program
Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality -
C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) -
file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) -
http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E}
(TechToolsActivex.TechTools) - file://C:\Program
Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) -
file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) -
file://C:\DOCUME~1\Owner\LOCALS~1\Temp\ThereInstallHelper.2.0.2106.0.dll
O16 - DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} (There Voice Trainer) -
file://C:\Program Files\There Beta Beta
Beta\ThereClient\ThereVoiceTrainer.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://su
pport.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX
Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) -
file://C:\Program Files\There Beta Beta Beta\ThereClient\ThereLauncher.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
http://us.dl1.yimg.c...ebio5_1_6_0.cab

Edited by bantling, 09 June 2004 - 12:57 PM.


#2 bantling

bantling

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 June 2004 - 07:51 PM

*bump*

#3 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 11 June 2004 - 02:38 PM

Fix this item with Hijack this, ensuring that all other windows are closed.

O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe

Reboot, and delete the file C:\WINNT\csrss.exe.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 bantling

bantling

    Member

  • New Member
  • Pip
  • 3 posts

Posted 12 June 2004 - 02:52 PM

Ok, I ran Hijack this, and fixed O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe

Rebooted, and attempted to delete C:\WINNT\csrss.exe, but I got an access denied error.

So -

I ran Hijack this again, and fixed O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe, but this time I rebooted into safe mode and deleted theC:\WINNT\csrss.exe file from there successfully.

When I ran Hijack this after re-booting back into normal mode to check if the file was still there, it showed up again, but when I looked at the files in C:\WINNT\, the csrss.exe was gone.

So, I ran Hijack this once again, and fixed O4 - HKLM\..\Run: [csrss] C:\WINNT\csrss.exe once more and it worked. I have a few other entries to fix, but nothing I can't handle on my own.

Thanks so much!

Edited by bantling, 12 June 2004 - 07:27 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button