
re: trojan csrss.exe



I did what you said and ran the EEK.  The scan said 0 files infected.  I will attach the report.  I didn't run the FRST yet because there was a warning stating it may have malicious code or a virus.  I was very unsure as to what to do, so I didn't run it.  It is still in my downloads and I can run it if you tell me it is ok.  I really want to know if the csrss.exe is a trojan or not.  Or, maybe someone was telling me this so they could sell me something.  I will see how my browser works thru the weekend since you won't be able to help me until Monday anyway.  I hope everything is ok with my laptop now and I won't have any more issues.

scan_150704-031007.txt

Link to comment
Share on other sites

Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
HKU\S-1-5-21-3817257979-4207954130-3464212805-1001\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
C:\Users\user\AppData\Local\Temp\Extract.exe
C:\Users\user\AppData\Local\Temp\SP70869.exe
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Link to comment
Share on other sites

I did everything you asked.  Here are the reports.

AdwCleanerS0.txt
JRT.txt
Fixlog.txt

Is this all I need to do?  The guy that told me my system was corrupt said my laptop had to be fixed manually.  He said my drivers had stopped and my IP address was infected and no matter what software I ran to fix it, I would not be able to fix it.  I think he was just trying to get money from me.  I really appreciate all the help you are giving me.  Please let me know what else I need to do.  Thank you so much.

Link to comment
Share on other sites

Whoever told you that you couldn't clean the system either has no clue what they are talking about or is just after your money. It is not possible to infect an IP address; it is possible to corrupt Windows critical files and services.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

Link to comment
Share on other sites

I ran the scans again.  Attached are the new reports.

scan_150709-035458.txt
FRST.txt

 

My laptop seems to be running a lot better now.  Firefox is much faster.  I have one question.  I was able to save my passwords before.  That option is no longer available to me now.  I don't know if it was an addon thru Mozilla or what, but it is gone now.  I guess one of the scans took it off.  It is probably not very safe to do that, but it sure is easier not to have to remember all my passwords.  There used to be a little drop down window asking me if I wanted to save my password.  I don't know how to get it back, do you?  If not, it's ok.  Was I supposed to quarantine or delete anything from those scans or wait until you review them?  Let me know what to do next.  You have helped me more than I can ever thank you.  I really, really appreciate your help.  Thank you.

Link to comment
Share on other sites

It is not safe to store your passwords in the browser's password safe. I use Keepass Password Safe to store all my usernames and passwords.

http://keepass.info/download.html

I use the Professional Edition, which is free.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
C:\Users\user\AppData\Local\Temp\pc-cleaner-setup.exe
C:\Users\user\AppData\Local\Temp\pc-support-bar-setup.exe
C:\Users\user\AppData\Local\Temp\Quarantine.exe
C:\Users\user\AppData\Local\Temp\sqlite3.dll
Reg: reg delete "HKEY_USERS\S-1-5-21-3817257979-4207954130-3464212805-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3817257979-4207954130-3464212805-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Link to comment
Share on other sites
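The NOTICE in the post above says a fixlist is written for one machine only. As an added example (not part of the thread and not FRST's own code), this Python sketch shows why: it pulls the per-account SIDs and user-profile names out of a fixlist and compares them with the local account before anything is run. The function names and the second SID and profile name are constructed for illustration.

```python
import re

# Per-account SIDs have the form S-1-5-21-<three sub-authorities>-<RID> and
# differ between machines. Well-known SIDs such as S-1-5-19 and S-1-5-20 are
# the same everywhere, so they are deliberately not matched here.
ACCOUNT_SID = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")
# Profile folder name in paths such as C:\Users\<name>\...
PROFILE = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\")

# Three lines taken from the fixlist in the post above.
FIXLIST = r"""SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\Users\user\AppData\Local\Temp\pc-cleaner-setup.exe
Reg: reg delete "HKEY_USERS\S-1-5-21-3817257979-4207954130-3464212805-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
"""


def machine_specific_refs(fixlist_text):
    """Return (line_no, kind, value) for each account SID or profile name."""
    refs = []
    for line_no, line in enumerate(fixlist_text.splitlines(), 1):
        for sid in ACCOUNT_SID.findall(line):
            refs.append((line_no, "sid", sid))
        for name in PROFILE.findall(line):
            refs.append((line_no, "profile", name))
    return refs


def preflight(fixlist_text, local_sid, local_profile):
    """Return the references that do not belong to the local account.

    local_sid can be read from the output of `whoami /user` on Windows;
    local_profile is the last component of %USERPROFILE%.
    """
    expected = {"sid": local_sid.casefold(),
                "profile": local_profile.casefold()}
    return [ref for ref in machine_specific_refs(fixlist_text)
            if ref[2].casefold() != expected[ref[1]]]


if __name__ == "__main__":
    # Constructed values standing in for a different machine.
    other_sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    for line_no, kind, value in preflight(FIXLIST, other_sid, "alice"):
        print(f"line {line_no}: {kind} {value} does not match this machine")
```

An empty result from `preflight` means every account-specific reference in the fixlist matches the local account; any entry returned is a line written for a different machine or user.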

I am having another problem that I think you should be made aware of.  First of all, I just got this computer in January and it has crashed twice since then.  Now, just about every time I restart it, I get an error INVALID PROCESS ATTACH ATTEMPT.  It usually will attempt once and go ahead and restart.  Sometimes it will come up with another error and want me to choose to turn other options, like advanced troubleshooting, turning it off, or just restarting.  It is really weird.  I looked it up and it looks like I need a new copy of Win8.1, which I do not have.  My laptop is still under warranty.  If it crashes one more time, it will be considered a lemon and HP will give me another one.  I consider it a lemon anyway since it has crashed twice in six months.  Do you think I should call HP and see if they should take care of this problem for me?  Since I don't have a clean copy of Windows, I don't think I have any other choice.  Please give me your opinion.  Thanks.

Link to comment
Share on other sites

I called HP support.  I found out when I call them, they reroute my calls to Microsoft, who tries to sell me stuff to clean up my laptop.  They say all my services have stopped and I have over 2000 warnings and errors and critical errors that are about to crash my computer.  And until I get these issues corrected I will continue to have problems no matter what.  I told them I had someone helping me with those issues; all I wanted to know was about the INVALID PROCESS ATTACH ATTEMPT and if they would provide me with another copy of Windows.  She said no they would not.  So they were no help to me.  She said my PC is probably going to crash again.

Link to comment
Share on other sites

You could have a corrupt system, and the only way to be sure to fix it is to reinstall Windows.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2
    • Close all programs and disconnect any USB or external drives before running the tool.
    • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
    • Once the Prescan has finished, click Scan.
    • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
    • Attach the RogueKiller report to your next reply.
      • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
      • The highest number of [X], is the most recent Scan
Link to comment
Share on other sites

I ran the Rogue Killer scan.  It did not run a report automatically like the other scans did so I hit the report key and saved it to my desktop.  Here is the report it generated.

rk_DB1F.tmp.txt

If I have to get a new copy of Windows8, will I be able to get one from HP or will I have to buy one?  My computer is still under warranty and it didn't come with a disc.  Thank you for helping me with this.  Let me know what to do next.

Link to comment
Share on other sites

All HP systems come with a restore partition, and you can restore the system to factory new using it.

 

See: http://support.hp.com/us-en/document/c03489643

 

Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Registry Tab and select the following items:
      [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3817257979-4207954130-3464212805-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
      [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3817257979-4207954130-3464212805-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
    • Click the Delete button.
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
    • The highest number of [X], is the most recent Delete


Link to comment
Share on other sites

OK, let's dig a little deeper.

 

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: AVZupdate.jpg
  • Click Start to begin the update
    Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Analysis
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

Link to comment
Share on other sites

Ok Kevin you lost me on this one.  I tried, but I failed.  I did the unzip to my desktop for the avz4 and double clicked on avz.exe  and hit run.  But there is where I got lost.  There was no update button on the right side of the log.  I am attaching a picture of the screens of the two things that came up.  The screen from where I hit  avz.exe and what came up next.  Please tell me what I am doing wrong and what I should have done.  I am sorry for being ignorant about what you are trying to help me with and I appreciate your patience.  Thank you and please don't quit on me.

post-37169-0-21212600-1436906740_thumb.jpg
post-37169-0-33473400-1436906773_thumb.jpg

I hit the second little box on the right because when I ran my mouse over it, it said something about update.  It ran some sort of scan, but it wasn't what you described in your instructions.  I really couldn't tell what was going on because everything was in numbers instead of words.  Like I said, I was really lost as to what to do.  HELP!

Link to comment
Share on other sites

Ok, I think I did it correctly. At least I think I did.  Here is the log.  I also saved the log from the scan in case you need it.  virusinfo_syscheck.zip   I did it correctly yesterday but wasn't sure since it looked so strange to me.  Thank you for letting me know it was the correct button.  Sorry it is taking so long to get these problems rectified.  I really appreciate your help. Let me know what to do next.  Thanks again.

 

Link to comment
Share on other sites

The last few times I have restarted it, I haven't had a problem.  It seems to be running a little better right now, but I haven't been using it very much.  When someone connects remotely, they look at the event logs and there are a lot of errors (over 2000) some critical.  And a lot of my services are stopped. They also say my drivers are not working.  Are they doing something when they log on to try to sell me something or is something really wrong with my computer? Or can you tell from what you have done so far.  I know I was having issues with my firefox browser being so slow I couldn't barely stand to use it.  And the thing when I would restart it (which is not happening anymore-at least it hasn't lately).  But it seems to be a little better, but I really can't tell until I use it more.  Should I just keep using it and let you know if I have more problems or what should I do.  I was told not to do any internet banking or buy anything online.  I check my balance and haven't had any problems with my account so far.  Do you think my system is safe?  Please let me know your opinion.  Thank you.

Link to comment
Share on other sites

The Windows Event logs will show errors; for the most part they are not anything to be concerned about.  An error severe enough to cause a crash will generate a dump file, which is more useful than the event log.

If a bunch of services are stopped, then drivers are not going to work.

Let's try resetting some areas of Windows to their defaults.

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

This tool will need to be run in Safe Mode.

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Repairs tab on the far right.
  • Click the Start button (bottom right)

    Note: When asked if you would like to create a restore point, it is recommended just in case something does not go as planned.

  • Click Unselect All
  • Put a checkmark in the following items:
    • Reset Registry Permissions
    • Reset File Permissions
    • Register System Files
    • Repair Windows Firewall
    • Repair MDAC/MS Jet
    • Repair Hosts File
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Repair Windows Updates
    • Repair Volume Shadow Copy Service
    • Repair MSI (Windows Installer)
    • Repair Windows Snipping Tool
    • Repair Print Spooler
    • Restore Important Windows Services
    • Set Windows Services To Default Startup
    • Repair Windows 8 App Store
    • Repair Windows 8 Component Store
    Note: Leave everything else unchecked
  • Put a checkmark in Restart System When Finished
  • Now click the Start button (bottom right)
This may take a while to finish.

Windows Repair will create several logs while it is running. I do not need them unless there are errors.

Link to comment
Share on other sites

It took me over 30 mins just to get my computer to restart. I am not sure about the logs. It gave me several. Also it didn't have the place to check for  Repair Winsock & DNS Cache. I will get the logs I think you need and attach on the next post.  I was just letting you know what was going on.

Link to comment
Share on other sites

The first log (windows repair log) didn't have any problems, these logs I was unsure of:

 

Repair_Component_Store.txt
Repair_App_Store.txt
Repair_MSI_Windows_Installer.txt
Repair_Volume_Shadow_Copy_Service.txt
Repair_Windows_Firewall.txt
Repair_Windows_Updates.txt

 

I thought my system was going to crash the way it was acting.  I had a really hard time getting it to restart.  I almost wiped the disc.  I am ready to call HP and tell them to take this laptop and shove it. (If you know what I mean).  Thanks for your help.

Link to comment
Share on other sites

I ran the repair again and got the same error logs.  I found out something about the event log errors I have been getting.  The critical errors have to do with the log on errors I have been getting.  It is because my computer is not completely shutting down correctly.  So I have found out if I do a shut down instead of a restart, I do not have any errors.  So that has solved that problem.  I don't think I have any malware issues anymore either.  I will see how things go for a while.  Sorry I was so late posting, I have been at the vet all day with a sick puppy.  Thank you so much for all your help.  I really appreciate it.  If you think I need to do anything else, let me know. Thanks

Link to comment
Share on other sites

Hi Kevin, I haven't had a lot of time to use my computer in the last few days but when I have, I have had a couple of issues. A little slow and the start up problem is still not corrected even with the shutdown.  I had to shutdown for an update a couple of days ago and when I started it back up, the same INVALID PROCESS ATTACH ATTEMPT error came up.  But only once this time and it restarted.  The event log is still having errors and warnings also.  Unsure of what I should do about these things. Any ideas?  Thanks for any input and help.

Link to comment
Share on other sites

Even though our software is designed so that it can be run alongside other anti-virus software, we do not recommend it. Each AV solution competes for system resources and can cause performance issues.

You should uninstall both AVG and McAfee.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3817257979-4207954130-3464212805-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
2015-07-26 12:54 - 2015-07-26 12:54 - 00003100 _____ C:\Windows\System32\Tasks\{7590C1D0-04F1-4CF4-AEFB-AE61378D2F58}
2015-07-20 06:06 - 2015-07-26 13:00 - 00000000 ____D C:\Program Files\Reimage
2015-07-20 06:04 - 2015-07-26 13:00 - 00000165 _____ C:\Windows\Reimage.ini
C:\Users\user\AppData\Local\Temp\ReimageExpressSetup.exe
C:\Users\user\AppData\Local\Temp\ReimagePackage.exe
C:\Users\user\AppData\Local\Temp\sqlite3.exe
Task: {46345D38-B5CA-4AE9-AFAB-3D302F5E5F2E} - System32\Tasks\TweakBit\PCCleaner\Start PCCleaner оn logon => C:\Program Files (x86)\TweakBit\PCCleaner\PCCleaner.exe <==== ATTENTION
Task: {82A41EBD-4BA4-4C6F-AD0E-5D4098094AB3} - System32\T
Task: {C96F7657-10B2-4F35-98E8-4178A77F9933} - System32\Tasks\{7590C1D0-04F1-4CF4-AEFB-AE61378D2F58} => pcalua.exe -a "C:\Program Files\Reimage\Reimage Repair\uninst.exe"
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Link to comment
Share on other sites

Hi Kevin,  Well my system seems to be working better and faster, but I am still having the same problem when I restart it.  I have a really hard time just getting it to come back up.  It wants me to restore sometimes, but won't, it gives me a lot of other diagnostic options that are really drastic also sometimes.  Usually I just turn it off again until I can get it to come back up correctly.  I am hoping when Win 10 gets all the bugs out I can download it and I won't have these problems anymore.  I am wary of it at the moment.  Any suggestions of what I can do except a clean copy of Win 8.  Thanks for any input as always.

Link to comment
Share on other sites

I'm running Windows 10 on both my laptop and desktop, and only encountered 1 compatibility issue with the Nvidia video driver on the desktop, reinstalling the video driver solved that issue.

Doing a Windows 8 refresh may solve your problems, but you will need to reinstall some software after the refresh.

Link to comment
Share on other sites

I think I am going to wait a little while and install Windows 10 and not worry with Windows 8 anymore.  How do you like Win10?  Do they have the bugs worked out yet?  I had heard to wait a while to install, but you know how to fix anything that comes along, unlike someone like me.

Link to comment
Share on other sites

Windows 10 is running fine on both of my systems. I had one application that would not work correctly, but uninstalled it since I don't really use it anymore. I had to reinstall the Nvidia video drivers on my Desktop. Otherwise, Windows 10 is running great on both systems, and it is definitely an improvement compared to Windows 8/8.1.

Link to comment
Share on other sites

When I download Win10 will it automatically remove Win 8.1 or what happens?  I have never installed an operating system before.  Is everything provided for you?  I had a little window pop up yesterday saying it was ready for me.  The little window is still down on my task bar so I guess all I would have to do is hit it and follow the instructions.  Will Microsoft help if I have any problems?  I know this isn't what you are here for, just thought you were a good person to ask.  Thanks for everything you have done for me.  My computer is running a whole lot better.  I don't know what I would have done if you had not helped me.  I am sure it would have crashed again by now.  I really appreciate it.

Link to comment
Share on other sites
