
Qoologic I can't shake it! Help Please!

Discussion in 'Windows - Virus and spyware problems' started by blksage, May 7, 2006.

  1. Jurgennop

    Jurgennop Regular member

    Joined:
    Sep 20, 2005
    Messages:
    355
    Likes Received:
    0
    Trophy Points:
    26
    The legitimate csrss.exe is part of the Microsoft client server software and is a very important part of the system which should not be removed.

    One way to determine if csrss.exe is a legitimate file, besides looking at the date modified, is to right click on csrss.exe inside Task Manager and attempt to end the process. Because csrss is a critical file, Microsoft should inform you with a message that csrss.exe is a critical system process and ending it is not possible.

    When I do this, I can't close it, because it's essential, it says... Does this mean I'm clean?
     
  2. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    OK, there is a legitimate process named csrss.exe, but you also have a malware file with the same name.

    Follow these instructions....

    Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
    Unzip it to your desktop.

    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.

    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    C:\WINDOWS\csrss.exe


    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.

    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

    Then run the scan with Ewido, clean what it finds and save the log file.

    Then post a new HijackThis log and Ewido's log here.
     
  3. Jurgennop

    Jurgennop Regular member

    Hi, I'll try this, thanks. Question though: can't I just "fix checked" for that entry in HijackThis?
     
  4. JaPK

    JaPK Regular member

    Fixing is not enough for O23 entries. Did you do the Removal.bat thing?

    Just follow the instructions and we'll get you cleaned :)
     
    Last edited: May 15, 2006
  5. aabbccdd

    aabbccdd Guest

    No, when you reboot it will reinstall itself, so follow what JaPK posted.
     
  6. Jurgennop

    Jurgennop Regular member

    Do the hidden files have to be shown for Killbox to delete it?
    Also, when I choose the -> Paste from Clipboard option,
    it doesn't copy it. Can I just copy the link into the box otherwise? Is that the same?
     
  7. JaPK

    JaPK Regular member

    No, Killbox doesn't require hidden files to be shown.

    You have to copy the following line to your clipboard before clicking the "Paste from Clipboard" option: C:\WINDOWS\csrss.exe

    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.

    So select this with your mouse -> C:\WINDOWS\csrss.exe
    Then press CTRL+C; the line is now on your clipboard.

    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.
     
    Last edited: May 15, 2006
  8. Jurgennop

    Jurgennop Regular member

    OK, I'll try that at home and post the result.

    I have another question. Whenever I boot my PC, even from the start, when I get to the desktop I can't move my mouse for a couple of seconds. I've read somewhere that this can be caused by something in my power control options. Do you have any info on this? Don't get me wrong, my PC boots very fast, but it's unresponsive for a couple of seconds...
     
  9. Jurgennop

    Jurgennop Regular member

    Also, so I have some unnecessary entries?
    For instance, I don't need the iPod thing. Can I check that entry in HJT and "fix checked"? Any others?
     
  10. Jurgennop

    Jurgennop Regular member

    This is the new log. Clean?

    If so, can you help me with the other questions?

    Logfile of HijackThis v1.99.1
    Scan saved at 23:04:33, on 15/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hln.be/hlns/cache/homehome.html?10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
    O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
    O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
    O20 - AppInit_DLLs: interceptor.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
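
    As an added example (not code from this thread or from HijackThis), a small Python parser for the "Running processes" section of a HijackThis log that flags core Windows process names, such as csrss.exe, running from anywhere other than System32, which is exactly the lookalike JaPK pointed out above (C:\WINDOWS\csrss.exe next to the legitimate C:\WINDOWS\system32\csrss.exe). The core-process list, the expected system directory and the sample log are assumptions constructed here.

```python
import ntpath

# Core Windows processes that should only run from the system directory.
# A same-named file anywhere else (e.g. C:\WINDOWS\csrss.exe, as in this
# thread) is the lookalike this check is meant to surface.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32"}  # assumed layout: Windows XP on C:


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line:  # a blank line ends the section
                break
            paths.append(line)
    return paths


def suspicious_lookalikes(log_text):
    """Return (path, reason) for core-process names running outside System32."""
    findings = []
    for path in running_processes(log_text):
        directory, name = ntpath.split(path)
        if name.lower() in CORE_PROCESSES and directory.lower() not in SYSTEM_DIRS:
            findings.append((path, f"{name} runs from {directory}, not System32"))
    return findings


# Constructed sample: a trimmed 'Running processes' section with the
# legitimate csrss.exe in System32 and a same-named copy in C:\WINDOWS.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
"""

if __name__ == "__main__":
    for path, reason in suspicious_lookalikes(SAMPLE_LOG):
        print(f"SUSPICIOUS: {path}  ({reason})")
```

    Run against the cleaned log posted above, it returns nothing, since every core process there sits under C:\WINDOWS\system32.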

     
  11. JaPK

    JaPK Regular member

    I think that the mouse freezing is normal.

    Your HJT log is clean now. Did you run a scan with Ewido? Post its log here.

    If you don't need that iPod thing, go to Control Panel -> Add/Remove Programs and check if you can find it there.

     
  12. Jurgennop

    Jurgennop Regular member

    This is the new log from Ewido:

    ewido anti-malware - Scan rapport
    ---------------------------------------------------------

    + Gemaakt op: 9:37:16, 16/05/2006
    + Rapport samenvatting: B41DF1DA

    + Scan resultaten:

    C:\Documents and Settings\J.NOPPE\Cookies\j.noppe@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Schoongemaakt met een backup
    C:\Documents and Settings\J.NOPPE\Cookies\j.noppe@com[1].txt -> TrackingCookie.Com : Schoongemaakt met een backup


    ::Einde rapport


    I always get those tracking cookies. Do you know how to stop getting them? Otherwise it's clean, I guess, right?

    I can't remove the iPod thing in the Control Panel. Any other way?

    Right now I'm using Windows Defender, Ewido, Spyware Doctor and Spy Sweeper in real-time protection along with ZoneAlarm.
    Is it OK to run that much stuff in real time? Or should I disable something so one program doesn't interfere with the other?
     
  13. aabbccdd

    aabbccdd Guest

    Yes, it's OK. I have that many plus a few more with no problems.

    The mouse freezing is normal. What causes that is all your startup programs booting up at the same time, which delays your mouse for a minute or two.
     
  14. JaPK

    JaPK Regular member

    Yes the log is clean.

    Install a hosts file if you want to get rid of cookies; instructions -> http://www.mvps.org/winhelp2002/hosts.htm

    If you want to disable that iPod service:
    -> Start
    -> Run
    -> write this to the field: services.msc
    -> scroll down to iPodService
    -> Right click it with your mouse
    -> Properties
    -> Change the startup type to Disabled
    -> Press Apply
    -> Ok
    -> Close the window and restart your computer.

    And it is good to have an arsenal against malware :)
     
  15. Jurgennop

    Jurgennop Regular member

    thanks a lot!!!
     
  16. JaPK

    JaPK Regular member

    You're welcome :)
     
  17. Jurgennop

    Jurgennop Regular member

    When I scanned with AVG a week ago I had a couple of viruses. It then moved them to the Virus Vault, and now I'm clean... My question is, when I check the Virus Vault the files are still there. Is that normal? I suppose so, but can I just delete these files, or doesn't it matter?
     
  18. JaPK

    JaPK Regular member

    Yes, it is normal that the files are still there. Virus Vault is AVG's quarantine section. You can delete the files from the vault.
     
  19. Jurgennop

    Jurgennop Regular member

    Please, anyone, how can I download an essential Windows Defender update from the Windows Update site? I can just keep downloading and downloading. What's strange is also that it says it's downloaded, but 0 KB. Maybe there's something in my security settings for Internet Explorer that doesn't download the update properly. Please help me out. Not much use for Windows Defender if it doesn't update properly.
     
  20. aabbccdd

    aabbccdd Guest

    Jurgennop, I had the same problem. What I did is go to Microsoft's site and redownload the whole program; that seems to fix it.
     
