Virus issues

Discussion in 'Tech Talk' started by Z34Lee, Dec 4, 2004.

  1. Z34Lee

    Z34Lee Rush is Right!

    Feb 13, 2001
    Indianapolis, Indiana
    Well, 2 years with this computer and life was good, but it's going south now.

    I have a Dell using XP, and have AVG 6.0, with regular updates and regular scans.

    Last week I went to a website looking for lyrics. It tried to download a program which AVG found as a virus. Either way, it still got on there and after some work, I got rid of the files. It was a trojan horse downloader program which installed all kinds of crap on my PC. In all this process I also upgraded to AVG 7.0.

    Lately my computer just hasn't been the same. It seems as though it's really using up my resources, caused display problems, and just doesn't act the same in general. Over the past two years this computer has run GREAT and if there ever was a little glitch, it was easily solved. Now it bogs down and has more major problems.

    I restarted my computer recently, did the ctrl+alt+del thing and noticed that my CPU is running at near 100% all the time now - with almost nothing running. In the processes tab, I see that a file called csrss.exe is using 30-50% of cpu usage now. From just a little research it seems that this can be a virus. Now I've also started noticing the links that show up on webpages under certain words, leading you to advertiser sites. Any help would be appreciated. I'm doing another full scan with AVG now, but I don't think I'll have any luck.
  2. hwyhobo


    Jun 3, 2003
    Silicon Valley
    Where is that file located? In system32 or elsewhere?

  3. Z34Lee

    Z34Lee Rush is Right!

    Feb 13, 2001
    Indianapolis, Indiana
    Not sure, I downloaded adaware and so far, everything seems to be working smoothly.
  4. NetNinja

    NetNinja Always Faithful

    Oct 23, 2001
    HotLanta, GA
    Please read the sticky at the top of the tech Forum.
  5. Z34Lee

    Z34Lee Rush is Right!

    Feb 13, 2001
    Indianapolis, Indiana
    I did, that's why I downloaded AdAware SE.
  6. metallic


    Jul 20, 2004
    You might just want to back up all your important files and do a fresh reinstall of Windows XP if you can't seem to nail the problem down and fix it. I've found all versions of Windows to need to be freshly reinstalled after a certain amount of time.
  7. fastvfr

    fastvfr Ancient Tech

    Mar 28, 2001
    SW Oregon
    How about this: try downloading AVAST! AV and deleting AVG.

    The AVG 7.0 Free is still pretty buggy, so for the time being I am running Avast on all of my PCs.

    It is less bloated and consumes fewer resources; it is also 'cleaner' and doesn't cause the issues AVG currently is.

    On some PCs, AVG caused XP Pro to take upwards of ten MINUTES to boot until it was removed... reinstalling brought the problems back. It also caused my PC to 'hesitate' when R. clicking any of the drive icons in My Computer... for two or three minutes. Ripped it out and all was well.

    Draw your own conclusions.

    And another thing: many times I have seen AVAST remove viruses that AVG couldn't.

    AVG's Resident Scanner seems to be more sensitive, though.

    Best regards,

  8. Z34Lee

    Z34Lee Rush is Right!

    Feb 13, 2001
    Indianapolis, Indiana
    Well, it seems I'm still having big time issues here. The csrss.exe file cranks away hard most of the time, then I get an error report that Dr. Watson Postmortem debugging has to close. I've run several full scans with AVG to no avail. Now, as I look through GlockTalk, certain words are highlighted once again as hyperlinks that should not be there. A spyware problem of some sort, but one that has also affected much more of my computer. It has gotten into my display settings. Hopefully I can get this nailed down.
  9. Z34Lee

    Z34Lee Rush is Right!

    Feb 13, 2001
    Indianapolis, Indiana
    The Avast did pick up a trojan horse or two, but still isn't solving my csrss.exe problems. My other user account has basically become unusable. If it's any use, here's my Hijack This log:

    Logfile of HijackThis v1.98.2
    Scan saved at 1:36:07 AM, on 12/6/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\D-Link\Air Utility\AirCFG.exe
    C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Documents and Settings\Uncle Jesse\My Documents\hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\system32\mskceo.dll
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\system32\mskhhe.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\system32\msfaol.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\msnkmi.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) -
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) -
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) -
    O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) -
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} -
  10. sdakota

    sdakota señor member

    Sep 5, 2001
    Here, Now
    First, you really should do a search and find out where csrss.exe is located on your computer - there may be more than one occurrence. If there is one in c:\ or c:\windows it's probably a virus - the valid csrss.exe should be in c:\windows\system32

    Second, go to and paste in your Hijack This! log. This will return an analysis of your log and you can (CAREFULLY) remove the items that are marked as "nasty" and any others that you know shouldn't be in your system. I say to be careful because Hijack This! is very powerful and can remove things that you don't want removed.

    Thirdly, I would suggest you go to TrendMicro and read the info and then go to "Scan your PC" to run their online virus scan. You don't need to uninstall or disable whatever antivirus you already have running on your PC.

    Hope this helps!
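
Added example, not part of sdakota's post or the thread: a small Python triage of a HijackThis-style log that applies the location check described above (a csrss.exe outside c:\windows\system32 is suspect). The sample log is constructed, and listing unnamed BHO entries for manual review is an assumption of this example, not advice from the thread.

```python
import re
from ntpath import basename, dirname, normcase

# Constructed sample in the HijackThis v1.98 layout (not the poster's log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Example\tool.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example1.dll
O2 - BHO: ExampleBar - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\bar.dll
O4 - HKLM\..\Run: [example] "C:\Program Files\Example\tool.exe" -boot
O4 - HKLM\..\Run: [helper] C:\csrss.exe
"""

EXPECTED_DIR = normcase(r"c:\windows\system32")
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")           # e.g. "O4 - HKLM\..\Run: ..."
PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)

def parse(log):
    """Return (running process paths, list of (section code, text) entries)."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def misplaced(log, name="csrss.exe"):
    """Paths whose file name is `name` but whose folder is not system32."""
    procs, entries = parse(log)
    paths = procs + [m.group(1) for _, t in entries for m in [PATH.search(t)] if m]
    return sorted({p for p in paths
                   if normcase(basename(p)) == name
                   and normcase(dirname(p)) != EXPECTED_DIR})

def unnamed_bhos(log):
    """O2 entries registered without a name (assumption: worth a manual look)."""
    return [t for c, t in parse(log)[1] if c == "O2" and t.startswith("BHO: (no name)")]
```

Calling `misplaced(SAMPLE_LOG)` returns the two constructed csrss.exe copies that sit outside system32; a log that lists no csrss.exe at all returns an empty list, which says nothing either way about the file on disk.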
  11. Z34Lee

    Z34Lee Rush is Right!

    Feb 13, 2001
    Indianapolis, Indiana
    Thanks... the csrss.exe file was not in that directory. From what I've read, it sure seems like it's acting like a virus, but neither AVG 7 nor Avast picks it up. I've done the Trend Micro scanner, and it didn't find anything. I will post on hijack this site.
  12. RaiderRodney

    RaiderRodney Just Win Baby

    May 22, 2003
    North Carolina
    May or may not help but I always scan weekly with Ad-aware SE and Spybot Search & Destroy. Sometimes Spybot finds things that Ad-aware doesn' things in the memory. It will then ask you to reboot and let Spybot run on startup...this should take care of the problem because I had a friend with this exact problem last week. Hope it works :)
  13. Sulaco

    Sulaco Guest