Virus & CSRSS.exe i WINDOWS/Config ?

2008-04-19, 10:59 #1

Medlem

Reg: Jan 2008

Inlägg: 44

Hey!

Jag tror att jag stött på ett virus, fick upp ett meddelande av F-secure, gick inte att ta bort eller rensa.

Körde Hijackthis och fick: (se nästa inlägg)

Tänkte att någon trevlig själ skulle vilja vara så trevlig att kika igenom min logg och se vad de tycker? Csrss.exe startar från C:\WINDOWS\Config, filen heter csrss.0xe (tror att F-secure försökte byta namn på den), samt att det ligger ännu en csrss.exe i system32-mappen.

All hjälp uppskattas!

Citera

2008-04-19, 11:00 #2

Medlem

Reg: Jan 2008

Inlägg: 44

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:22, on 2008-04-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program\Anti-Virus\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program\Media\Internet\Google\Gmail Notifier\gnotify.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\Program\Spel\Steam\Steam.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Anti-virus\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program\Media\Musik\Last.fm\LastFMHelper.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Anti-Virus\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\Anti-Virus\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program\Anti-Virus\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\Anti-Virus\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\Anti-Virus\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\Program\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program\Anti-Virus\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\Anti-Virus\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program\Anti-Virus\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program\Anti-Virus\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program\Anti-Virus\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program\Anti-Virus\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\Anti-Virus\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program\Anti-Virus\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Media\Musik\Winamp\winamp.exe
C:\Program\Media\Musik\Last.fm\LastFM.exe
C:\Program\Anti-Virus\F-Secure Internet Security\FSGUI\fsavgui.exe
C:\Program\Programmering\UltraEdit\uedit32.exe
C:\Program\Anti-Virus\Trend Micro\HijackThis\HijackThis.exe

Citera

2008-04-19, 11:00 #3

Medlem

Reg: Jan 2008

Inlägg: 44

Fortsättning...

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O1 - Hosts: 217.20.115.52 l2authd.lineage2.com
O1 - Hosts: 217.20.115.52 l2testauthd.lineage2.com
O1 - Hosts: 217.20.115.52 l2patcher.lineage2.com
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualSt udio.QualityTools.RecorderBarBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\Anti-Virus\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\Anti-Virus\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\Media\Film\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program\Media\Internet\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Spel\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Anti-virus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program\Anti-Virus\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program\Media\Musik\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206300632718
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\Anti-Virus\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program\Anti-Virus\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\Anti-Virus\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\Anti-Virus\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\xaphan\Skrivbord\

--
End of file - 10441 bytes

Citera

2008-04-19, 11:10 #4

Medlem

Reg: Jun 2007

Inlägg: 4 828

Det finns EN klistrad tråd man ska läsa innan man postar och den missar du? Bra jobbat.

http://www.flashback.org/showthread.php?t=657998

edit: enligt www.hijackthis.de är dessa 2 det enda:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Citera

2008-04-19, 11:18 #5

Medlem

Reg: Jan 2008

Inlägg: 44

Ah, yeah, sorry. Missade den raden i tråden, tack så mycket i alla fall!

Filen i Config är på 756 kb och den i system32 på 6kb. Den i system32 har informationsdata som påpekar att den är skapad av Microsoft, build X, Språk (USA) osv.. medan den andra är inte skapad av MS.

Antar att det är okay att ta bort den i Config?

Citera

2008-04-20, 18:41 #6

Medlem

Reg: Sep 2006

Inlägg: 2 030

IT-säkerhet -> Datoranvändning - MS Windows

// Mod

Citera

2008-04-20, 20:11 #7

Medlem

Reg: Mar 2007

Inlägg: 12 238

ska bort: C:\WINDOWS\Config\csrss.exe

om du vill så kolla filen här
http://www.virustotal.com/sv/

Citera

Virus & CSRSS.exe i WINDOWS/Config ?

Skapa ett konto eller logga in för att kommentera

Skapa ett konto

Logga in