
Csrss.exe virus problem [Solved]

Miguel - Latest answer on Nov 9, 2012 03:41PM
Hello,
I have a serious problem with a virus I got; it seems to be infecting the csrss.exe file of my OS (Windows 7 64-bit). My antivirus MSE (Microsoft Security Essentials) gets to block the program, and Malwarebytes also blocks it, but the thing is that they never get to find the infected file and delete it, because the threat disappears. I have only 3 csrss.exe files on my PC: in system32, system64 and a folder named AMD, which I checked and is legitimate. I have run the scanner in safe mode, without being connected to the internet; I tried the regedit thing and the values are OK; I tried CCleaner; I have tried everything and I still have the virus on my PC, and I have had to restore the PC to a previous date 3 times already because, although the virus is being blocked, it is damaging my system somehow. BTW the task manager only has 1 csrss.exe running. I'll appreciate a LOT any response, thanks ahead.
Answer
+5
Has this been resolved? I have the same exact problem to the "T".
Anonymous User - Oct 16, 2011 09:31PM
Need more details; possibly you can create a new thread so that we can help you.
Jav- Oct 16, 2011 10:38PM
It's the same exact problem. The only slight difference is that I get a BSOD on boot, both in regular Win 7 boot and in safe mode. The exception is 0x0000135, missing %hs file.
juju666 (35115 posts, registered Thursday, December 18, 2008, Security contributor, last seen March 17, 2015) - Oct 17, 2011 03:48AM
Hello,

Please open your own topic for more help ;)

Cordially
Bowzer- Oct 26, 2011 01:25PM
A registry change will allow you to boot. Boot from a PE disc (I used Hiren's, as it has a good PE registry editor), run a registry editor that can load the offline hives from your Windows directory, navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems and change the value of the "Windows" entry. You will see a reference to consrv.dll; change that to winsrv. It will look like this after the fix:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

ServerDll=winsrv more than likely says ServerDll=consrv at the moment. Some references say that the same thing may need to be done in ControlSet002 also.
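Bowzer's fix above targets the ServerDll list that csrss.exe loads from the SubSystems\Windows value. As an added check that is not part of this thread or of any tool it names, the following Python parses that value and flags any ServerDll module other than the ones Windows ships; it uses the string Bowzer quoted as the clean sample, a constructed consrv variant as the hijacked sample, and on Windows also reads the live value from CurrentControlSet.

```python
import re
import sys

# Modules a clean Windows 7 x64 SubSystems\Windows value loads into csrss.exe.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed samples: CLEAN_VALUE is the string quoted in the comment above;
# HIJACKED_VALUE swaps the console-server entry for consrv, as the thread describes.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

def parse_server_dlls(value):
    """Return (module, entry_point_or_None, index) for each ServerDll= entry."""
    pattern = r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)"
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in re.finditer(pattern, value)]

def unexpected_server_dlls(value):
    """Modules referenced by ServerDll= that Windows itself does not ship."""
    return sorted({mod for mod, _, _ in parse_server_dlls(value)
                   if mod not in EXPECTED_SERVER_DLLS})

def read_live_value():
    """On Windows, read the live value of the running control set; else None."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return " ".join(value) if isinstance(value, list) else value

if __name__ == "__main__":
    samples = [("sample clean", CLEAN_VALUE), ("sample hijacked", HIJACKED_VALUE)]
    live = read_live_value()
    if live is not None:
        samples.append(("this machine", live))
    for label, value in samples:
        bad = unexpected_server_dlls(value)
        print(f"{label}: {'OK' if not bad else 'UNEXPECTED ServerDll ' + ', '.join(bad)}")
```

Run from an offline PE environment you would instead load the hive and compare the ControlSet001 and ControlSet002 values, as Bowzer notes, since CurrentControlSet only exists on a running system.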
AsuL- Dec 2, 2011 11:51AM
Bowzer, you are the man!

I've been searching for that key for over a day now.

Thanks a million.
Answer
+0
To help you, I must make a diagnosis, and to do so I require a log.

Open this link and download ZHPDiag :

http://telechargement.zebulon.fr/telecharger-zhpdiag.html


Save the file to your Desktop.

Double click on ZHPDiag.exe and follow the instructions.

The tool creates two icons, ZHPDiag and ZHPFix (we will use ZHPFix in the next step).

Double click on the ZHPDiag shortcut on your Desktop.

Click on the magnifying glass and run the analysis.

Wait for the tool to finish (this may take a long time).

Close ZHPDiag.


To transmit the report, click on this link :

http://www.speedyshare.com/

Click on Parcourir (Browse) and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).

Select the file ZHPDiag.txt.

Click on "upload".

Copy the URL and post it here.
Miguel- Jun 23, 2011 11:15PM
http://www.speedyshare.com/files/29123912/ZHPDiag.Txt

Here is the link. Hope you find the cause of this problem. Thank you a lot in advance.
Answer
+0
Miguel,

I have found two pieces of malware. To remove them:

1. Run regedit, locate and delete the following value:

HKCU {758D57A1-E85D-4873-BBEE-7D83FE2D5515} - (Ask.com)

2. Open Explorer and delete the following .dll file:

C:\Users\buyer\AppData\Local\Temp\bassmod.dll

Finally, if the antivirus applications still find malware, it is possibly in the quarantine files. Empty the quarantine files.

Let me know

P.S. The malware you first got no doubt came from LimeWire (which should be deleted) and Azureus.
Answer
+0
After I deleted the value in the registry (it was located at HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search Scopes\758D57A1-E85D-4873-BBEE-7D83FE2D5515) and then deleted the bassmod.dll file, I ran a quick scan and the antivirus found malware at C:\Windows\system32\consrv.dll; the virus is named Trojan:Win64/Sirefef.B.

After I deleted that virus and ran the scanner again in search of any other malware or virus, MSE didn't find anything, but after 5 minutes the same alert came up again, the same virus Sirefef.B infecting other files:
Items:
file:C:\Windows\assembly\tmp\U\800000cb.@
file:C:\Windows\assembly\tmp\U\800000cf.@
But when I hit clean or remove, the threat just disappears and the antivirus is unable to delete the file.
Answer
+0
The Trojan horse Sirefef.B is not a real menace other than being detected by Microsoft Security Essentials, and may not be detected by any other antivirus. Actually, the detection by MSE is the only symptom.

ZHPDiag is a top-notch diagnostic tool and did not see the Trojan horse roaming in the stable, which proves that it's just an annoying nuisance.

I suggest that:

1. You update MSE

2. Turn off your system restore

3. Search for this file and delete it if found :
da4b90ab5e376fc4cdbaa567bbbe0d68

4. Delete:

C:\Windows\assembly\tmp\U\800000cb.@
C:\Windows\assembly\tmp\U\800000cf.@

5. Download and run this free but very efficient registry cleaner:

http://en.kioskea.net/download/download-13339-eusing-free-registry-cleaner

6. Turn your system restore back on.

Good luck
Miguel- Jun 24, 2011 05:56PM
Thank you very much for your efforts. Unfortunately nothing changed; I did all of what I know and what you told me. The files that are "infected" don't even appear when using CMD with admin privileges to see all hidden files, and the file you told me to find and delete doesn't appear either. What I'll do is allow the virus to run through my computer after doing a backup and see what happens; if it is bad I'll definitely format and install Windows again. I'm sick and tired of this virus already hehe. Thanks again bro, take care :)
Answer
+0
Miguel,

I have one more solution to rid your computer of this rogue.

Let's first kill the evil process.

1. Download RKill to your desktop and run it:

http://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on rkill.com to automatically attempt to stop any processes associated with the rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the Trojan horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically allows you to bypass the malware trying to protect itself, so that RKill can terminate the processes. So, please try running RKill until the malware is no longer running.

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop.

http://en.kioskea.net/telecharger/telecharger-105-malwarebytes-anti-malware

Once it is on your desktop, we must still outwit the virus.

Right-click on the MBAM icon and click on Rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.
Miguel- Jun 25, 2011 11:42AM
I did as you said. The rogue program didn't find anything wrong; it just stopped Google Chrome and a rundll file in a Windows folder. Malwarebytes found a keygen (which is not a threat) and a malware entry in the registry. I did allow the 2 files that were infected to run and nothing changed; I opened the task manager to see if there was a new unknown process open, but there was nothing new in there. Everything seems to be fine and points to it being a false alarm; BUT I can't turn my firewall on lol. I don't know if it was activated or not before (it was supposed to be on...). When I try to turn it on it says that some of my settings.... I'll do some research now to see how to activate it; if you know, please let me know. Thank you so much once again.
Answer
+0
Go to your Control Panel and then to Security Centre; you will find your Windows Firewall there.
Answer
+0
Thank you so very much! Now I know how the registry acts like a central command for a rootkit.
Ambucias (19631 posts, registered Monday, February 1, 2010, Moderator, last seen March 29, 2015) - Nov 9, 2012 03:41PM
@Duma ndugu

Everything you do on the computer is inscribed in the registry, and every application, malware or other, has its main base in the registry.
This document entitled « csrss.exe virus problem » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.
