CSRSS.EXE .....is infected...but my virus app doesnt identify it

**s8n** · August 2nd, 2005, 10:47 PM

hi team.. i have an infected CSRSS.EXE..........i get advertising popups and my UL on my modem is ULing when it shouldnt......i cant identify the virus cause my Norton doesnt pick it up or any other Spyware app......i also did have an infected MOUSE.EXE .....but my virus checker did pick that up as W32.Spybot.Worm .....i have cleaned that off.....but still my CSRSS.EXE is still infected with ??

any help is appreciated

s8n

**geoscomp** · August 3rd, 2005, 08:33 AM

Have you tried using the Panda activescan or Trend Micro's housecall yet? Usually the antivirus on an infected machine is suspect..and Norton seems more suspect than a lot of others..online scanning works a lot better. What other spyware apps did you use? usually the csrss.exe that is associated with a trojan is associated with a netsky variant that uses its own smtp engine..doesnt cause pop-ups though..sends out email instead. If you havent done an online virus scan, and used spybot s&d/ad-aware/hijack-this
(and the microsoft antispyware app if you have xp) you may have a lot more infected.

**s8n** · August 5th, 2005, 02:42 AM

i tried both online virus checkers and i got a couple of small things and a Worm....i cleaned all that off , i reformatted and put Win2000Pro on again..... as soon as i connected to the internet , the popup popped up immediately , and wouldnt stop till i disconnected.....it just wont go away........my modem has stopped ULing which is great...(due to 1 Worm removal).....theres one remaining or i think maybe something malicious is embedded into my Win2000Pro........i have switched back to Win98 and not 1 hich yet.....i would prefer to use Win2000Pro tho.

**Platypus** · August 5th, 2005, 04:31 AM

Windows 2000 suffers similarly to XP when it comes to on-line security threats, whereas 98 is not targeted nearly as much. The security measures for 2000 should be as for XP, do not go on-line without firewall and anti-virus active and security patches installed. What Service Pack level is the 2000? You will need to be at least SP3 to be able to use all the security patches available.

**s8n** · August 5th, 2005, 05:16 AM

hi Platypus man.....Win2000 fixed the transfer of files over 2GB+ btw ! .........updated shell32.dll ! ......... i will give what u said a shot........i installed Service Pack 4 after Windows 2000 Pro.......do u think this 'instant popup' is due to lack of security or its has infected my system even tho i cant detect it ? when i check the process it is coming from its coming from CSRSS.EXE...........is the Service Pack 4 sufficient enough or do i need more upgrades/patches ?

s8n

**Platypus** · August 5th, 2005, 06:17 AM

Originally Posted by s8n

Win2000 fixed the transfer of files over 2GB

And if you use NTFS you can have files over 4GB.

Once the SP is installed, you should install all the available security patches, as many as possible from disk before going on-line for the first time. The latest MS Security Update CD I can lay my hands on at the moment is Feb 2004, although I thought I remembered a later one than that. When you do go on-line, the very first thing you should do is obtain all the more recent MS update patches. You can only get a complete update of all available patches after SP3 or later is installed, as not all security issues are addressed for SP2 or earlier (unsupported OS Version). If you've installed a service pack after installing any security patches, the patches should be applied again as they could have been overwritten by the SP updates, which are probably older than the security patches.

You don't have two instances of CSRSS.EXE running do you? There are some worms or even keyloggers that run as a fake CSRSS.EXE, not located in the System32 folder.

**s8n** · August 5th, 2005, 06:37 AM

roger that........na its just the single CSRSS.EXE running....note taken about fakes not located in the System32 folder.....NTFS could be handy for PS2 and DVD

**Ferrit** · August 5th, 2005, 08:49 AM

Originally Posted by s8n

i tried both online virus checkers and i got a couple of small things and a Worm....i cleaned all that off , i reformatted and put Win2000Pro on again..... as soon as i connected to the internet , the popup popped up immediately , and wouldnt stop till i disconnected.....it just wont go away........my modem has stopped ULing which is great...(due to 1 Worm removal).....theres one remaining or i think maybe something malicious is embedded into my Win2000Pro........i have switched back to Win98 and not 1 hich yet.....i would prefer to use Win2000Pro tho.

.....theres one remaining or i think maybe something malicious is embedded into my Win2000Pro........

Pretty much the only way something malcious could be embedded in your win 2000Pro is if its a downloded copy

**s8n** · August 8th, 2005, 09:29 PM

i think i have good news thanx to u guys.......i installed a Firewall a new Anti Virus with updated defs , Service Pack 4 , and a 30mb most popular Security Patches in one.
...i have been online for 29+ hours and the 'popup' in question has not come up once !
.... i am going to keep monitoring it but i think its OK now .......thank you again

s8n