Old 03-02-2005, 03:21 PM   #1
csrss.exe missing

Deleted csrss.exe by mistake and then made it worse by pressing the wrong button in Directory Snoop and purged the file.

Tried an over-the-top install but the file is still missing and getting an error at startup from win.ini.

Is it OK to edit this process out of the win.ini file?

Here are the first 20 lines or so.

[windows]
NullPort=None
MouseTrails=-7
;Rem TShoot: noload=
noload=C:\WINDOWS\csrss.exe C:\WINDOWS\csrss.exe
;Rem TShoot: norun=
norun=C:\WINDOWS\csrss.exe C:\WINDOWS\csrss.exe
load=C:\WINDOWS.\csrss.exe
Run=C:\WINDOWS.\csrss.exe
device=EPSON Stylus COLOR 440 (Copy 2),EPIJNL20,LPT1:

[Desktop]
Wallpaper=C:\WINDOWS\ACDWAL~1.BMP
TileWallpaper=1
WallpaperStyle=0
Pattern=(None)

[intl]
iCountry=44
ICurrDigits=2
iCurrency=0
iDate=1
iDigits=2
iLZero=1
iMeasure=0
iNegCurr=1
iTime=1
iTLZero=1
s1159=AM
s2359=PM
sCountry=United Kingdom

Csrss.exe can be overwritten by several viruses, which is why I deleted it.

Tried to find csrss.exe on other 98 systems but can't seem to get a copy.
Is there anywhere I can get this exe?
Tried DriverGuide and googled, but no joy.
lostplanet is offline   Reply With Quote
Old 03-02-2005, 04:16 PM   #2
Hi lostplanet

Anytime you're not sure about a process running on your computer, check over at the TaskList on the AnswersThatWork website - http://www.answersthatwork.com/Taskl...s/tasklist.htm There is also another fine list available from links at pacs-portal, from the Startup Tips section http://www.pacs-portal.co.uk

You have an infected system: that's why the over-the-top didn't work - it doesn't remove the virus. The csrss.exe file wasn't overwritten by a virus, it IS the virus. Csrss.exe is only a valid process on a Windows NT kernel based system (WinNT/2000/XP). The TaskList blurb for it reads: "Windows NT4//2000/XP/2003 only. CSRSS is the Client Server Runtime SubSystem". Anytime you see that process on Win9x, it's a problem - it doesn't belong. The directory "snoop" doesn't belong either. One activity of some of the malware using this filename is keylogging - so if you've done any online banking or made any online purchases from this infected machine, be sure to immediately change your passwords from a known clean computer - and alert your bank. Watch your statements for any fraudulent charges. Identity theft is a main reason keyloggers exist.

The blurb for csrss.exe at the Tasklist mentions the following:
"You have the Trojan.Gutta or W32.Netsky.AB@mm or W32.Buchon.A@mm virus if you have Windows 95/98/ME or if the full path to this program is either C:\Windows\csrss.exe or C:\WinNT\csrss.exe."
. . . (could also be a Bagle variant, or keylogger).

Check the website of your AntiVirus vendor for removal instructions.

If you can boot to Safe Mode, do so - (tap the F8 key during the system startup). Run a full-system "thorough" antivirus scan. It may be that your current antivirus program has been compromised by malware already - so you may also want to try an emergency standalone tool like McAfee's "Stinger" - which is a removal tool for the most-common pests (you're not alone if you've been infected by Netsky). You can download Stinger from this link: http://vil.nai.com/vil/stinger/ [the NAI in the web address stands for Network Associates Inc., McAfee's former corporate name]

Best of luck
. . . Gary
GaryRouth is offline   Reply With Quote
Old 03-03-2005, 07:51 AM   #3
Hi and thanks, Gary.

Seems like I have removed the virus but still getting the 98 .INI complaining.

Is it OK to remove these entries from the win.ini file?

;Rem TShoot: noload=
noload=C:\WINDOWS\csrss.exe C:\WINDOWS\csrss.exe
;Rem TShoot: norun=
norun=C:\WINDOWS\csrss.exe C:\WINDOWS\csrss.exe
load=C:\WINDOWS.\csrss.exe
Run=C:\WINDOWS.\csrss.exe

Or is there more to it?

Should I expect any anti-malware apps to edit the win.ini?

TIA
lostplanet is offline   Reply With Quote
Old 03-03-2005, 04:26 PM   #4
Yes, you can remove those entries. On the Symantec link, the user has to remove some of the Registry entries. Since each antivirus vendor might vary, I'm not sure how thorough your antivirus is. Whenever you encounter an infection, it's a good idea to check your antivirus vendor's manual removal instructions, so that you can double-check the automated removal, and manually clean up anything the automated removal missed.

If your system scans clean, then you should be OK - to be extra sure, you could try an online scan (like Housecall - http://housecall.trendmicro.com )

And, since you've reinstalled, don't forget to visit Windows Update for the Security patches.

. . . Gary
GaryRouth is offline   Reply With Quote
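Added example, not code from any poster in this thread: a Python sketch that audits the [windows] section of a win.ini for entries referencing csrss.exe, which the thread says never belongs on Windows 95/98/ME, and separates the active load=/run= lines from the disabled noload=/norun= ones. The function names, the trailing-dot normalisation and the space/comma splitting of values are assumptions made for this example; the sample text is constructed from the lines quoted in the first post.

```python
import ntpath

# Constructed sample: lines taken from the win.ini excerpt in the first post.
SAMPLE_WIN_INI = r"""[windows]
;Rem TShoot: noload=
noload=C:\WINDOWS\csrss.exe C:\WINDOWS\csrss.exe
;Rem TShoot: norun=
norun=C:\WINDOWS\csrss.exe C:\WINDOWS\csrss.exe
load=C:\WINDOWS.\csrss.exe
Run=C:\WINDOWS.\csrss.exe
device=EPSON Stylus COLOR 440 (Copy 2),EPIJNL20,LPT1:

[Desktop]
Wallpaper=C:\WINDOWS\ACDWAL~1.BMP
"""

AUTOSTART_KEYS = {"load", "run"}   # keys that start programs on Windows 9x
SUSPECT_NAMES = {"csrss.exe"}      # per the thread: not a valid Win9x process

def normalise(path):
    # Assumption: a trailing dot on a segment ("WINDOWS.") names the same directory.
    parts = [p.rstrip(".") or p for p in path.replace("/", "\\").split("\\")]
    return "\\".join(parts).lower()

def audit_win_ini(text, suspect_names=SUSPECT_NAMES):
    """Return one finding per [windows] line that references a suspect file."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            # Assumption: programs in a value are separated by spaces or commas.
            hits = sorted({normalise(t) for t in value.replace(",", " ").split()
                           if ntpath.basename(normalise(t)) in suspect_names})
            if hits:
                key = key.strip().lower()
                findings.append({"line": lineno, "key": key, "paths": hits,
                                 "active": key in AUTOSTART_KEYS})
    return findings

def strip_flagged_lines(text, findings):
    # Drops whole lines; safe here because each flagged line lists only the suspect file.
    flagged = {f["line"] for f in findings}
    return "\n".join(l for n, l in enumerate(text.splitlines(), 1)
                     if n not in flagged)

if __name__ == "__main__":
    print(audit_win_ini(SAMPLE_WIN_INI))
```

Run it against a copy of win.ini rather than the live file, and compare the stripped output with the original before replacing anything.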