C:\WINDOWS\System32\csrss386.exe

  bamfiesler 07:49 01 Dec 2004
Locked

This little B got onto my system when I had the Firewall turned off for loading a game!! DOH!

The Firewall now blocks it from doing anything, but it does try to connect to some site before the Firewall gets it.

Any ideas of how to blitz it?

Thanks to all, etc.

  bamfiesler 07:51 01 Dec 2004

Could I run msconfig, and delete the executable from there??

  JoeC 07:54 01 Dec 2004

Go here and have a read


click here

  bamfiesler 07:57 01 Dec 2004

Odd, Spybot didn't find it!

  bamfiesler 07:59 01 Dec 2004

...neither did AVG.

  Jeffers22 08:13 01 Dec 2004

Download HijackThis from click here. Save it to its own folder, then run it. Post the log - you will need to do it in two parts because of the 800 word limit on posts. With luck an expert (such as Nellie2) will see it and post back fairly quickly.

  bamfiesler 09:07 01 Dec 2004

Logfile of HijackThis v1.98.2
Scan saved at 07:46:23, on 01/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\csrss386.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Donald\My Documents\my downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKLM\..\RunServices: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKCU\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB2757EE-A0D2-466D-828D-2D124ECAA46D}: NameServer = 158.152.1.43 158.152.1.58

  ACOLYTE 11:32 01 Dec 2004

click here try downloading and running this in safe mode and with system restore off preferably.

  Nellie2 19:23 01 Dec 2004

Yes it is the spybot worm, it's best to let a dedicated virus scanner deal with it.

Disable system restore and then go click here for an online scan.

Post back and let us know if the scan found anything. It should do because this worm is in its database.

  bamfiesler 20:59 01 Dec 2004

I really don't get this:
both HouseCall and Stinger found viruses that AVG had missed, but csrss386.exe is still on my system, and trying its best to contact its homesite, or whatever.

This crap is enough to make you sick...........

  Nellie2 22:20 01 Dec 2004

ok, make sure you have hidden files and folders set to show, click here for details.

Bring up task manager Ctrl-Alt-Del and end this process

csrss386.exe

Then run hijackthis again and put a tick against the following and click 'fix checked'

O4 - HKLM\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe

O4 - HKLM\..\RunServices: [Microsoft CSRSS386 Protocol] csrss386.exe

O4 - HKCU\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe

Then find and delete this file

C:\WINDOWS\System32\csrss386.exe

Reboot and post another hijack log for a check over.

This thread is now locked and can not be replied to.
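
The O4 autorun entries picked out in the last reply can be triaged mechanically. The following is an added example, not part of the original thread and not HijackThis's own code: it parses O4 registry lines copied from the log posted above and reports commands that combine at least two warning signs. The list of system process names and the two-signal threshold are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKLM\..\RunServices: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKCU\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
"""

# Assumption: core Windows process names that lookalike file names tend to imitate.
SYSTEM_NAMES = ("csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe")
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Yield (hive, key, value_name, command) for registry-based O4 autoruns."""
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            yield m.groups()

def triage(log):
    """Return {command: [signals]} for autoruns showing two or more warning signs."""
    keys_by_cmd = defaultdict(set)
    for hive, key, _name, cmd in parse_o4(log):
        keys_by_cmd[cmd].add(hive + "\\" + key)
    findings = {}
    for cmd, keys in keys_by_cmd.items():
        m = re.match(r'"?(.+?\.exe)', cmd, re.I)
        exe = (m.group(1) if m else cmd.split()[0]).lower()
        base = exe.rsplit("\\", 1)[-1]
        signals = []
        if "\\" not in exe:              # resolved via the search path, not pinned
            signals.append("no path given")
        if len(keys) > 1:                # same command planted in several autorun keys
            signals.append("registered in %d autorun keys" % len(keys))
        for sys_name in SYSTEM_NAMES:    # e.g. csrss386.exe imitating csrss.exe
            if base != sys_name and base.startswith(sys_name[:-4]):
                signals.append("name resembles " + sys_name)
        if len(signals) >= 2:            # one sign alone (e.g. RUNDLL32.EXE) is normal
            findings[cmd] = signals
    return findings

if __name__ == "__main__":
    for cmd, signals in triage(SAMPLE_LOG).items():
        print(cmd, "->", "; ".join(signals))
```
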
