C:\WINDOWS\System32\csrss386.exe

  bamfiesler 07:49 01 Dec 04
Locked

This little B got onto my system when I had the Firewall turned off for loading a game!! DOH!

The Firewall now blocks it from doing anything, but it does try to connect to some site before the Firewall gets it.

Any ideas of how to blitz it?

Thanks to all, etc.

  bamfiesler 07:51 01 Dec 04

Could I run msconfig, and delete the executable from there??

  JoeC 07:54 01 Dec 04

Go here and have a read


click here

  bamfiesler 07:57 01 Dec 04

Odd, Spybot didn't find it!

  bamfiesler 07:59 01 Dec 04

...neither did AVG.

  Jeffers22 08:13 01 Dec 04

Download HijackThis from click here. Save it to its own folder, then run it. Post the log - you will need to do it in two parts because of the 800 word limit on posts. With luck an expert (such as Nellie2) will see it and post back fairly quickly.

  bamfiesler 09:07 01 Dec 04

Logfile of HijackThis v1.98.2
Scan saved at 07:46:23, on 01/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\csrss386.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Donald\My Documents\my downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKLM\..\RunServices: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKCU\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB2757EE-A0D2-466D-828D-2D124ECAA46D}: NameServer = 158.152.1.43 158.152.1.58

  ACOLYTE 11:32 01 Dec 04

click here try downloading and running this in safe mode and with system restore off preferably.

  Nellie2 19:23 01 Dec 04

Yes it is the spybot worm, it's best to let a dedicated virus scanner deal with it.

Disable system restore and then go click here for an online scan.

Post back and let us know if the scan found anything. It should do because this worm is in its database.

  bamfiesler 20:59 01 Dec 04

I really don't get this:
both HouseCall and Stinger found viruses that AVG had missed, but csrss386.exe is still on my system, and trying its best to contact its homesite, or whatever.

This crap is enough to make you sick...........

  Nellie2 22:20 01 Dec 04

ok, make sure you have hidden files and folders set to show, click here for details.

Bring up task manager Ctrl-Alt-Del and end this process

csrss386.exe

Then run hijackthis again and put a tick against the following and click 'fix checked'

O4 - HKLM\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe

O4 - HKLM\..\RunServices: [Microsoft CSRSS386 Protocol] csrss386.exe

O4 - HKCU\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe

Then find and delete this file

C:\WINDOWS\System32\csrss386.exe

Reboot and post another hijack log for a check over.
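The three O4 entries ticked above share a bare file name, a name close to a genuine Windows process, and registration under several autorun keys at once. As an added example (not part of the thread and not HijackThis's own logic), this sketch parses O4 registry lines from a HijackThis log and reports entries that match at least two of those heuristics; the sample lines are copied from the log posted earlier, while the list of system process names and the two-reason threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumption: short list of genuine Windows process names used for comparison.
SYSTEM_STEMS = {"csrss", "smss", "lsass", "services", "winlogon", "svchost"}
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[([^\]]+)\] (.+)$")
PROG_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat))(?=\s|$)', re.I)

# Lines copied from the HijackThis log posted earlier in the thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKLM\..\RunServices: [Microsoft CSRSS386 Protocol] csrss386.exe
O4 - HKCU\..\Run: [Microsoft CSRSS386 Protocol] csrss386.exe
"""

def parse_o4(log_text):
    """Yield (registry key, value name, program path) for each O4 registry line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            p = PROG_RE.match(m.group(3).strip())
            prog = (p.group(1) or p.group(2)) if p else m.group(3).split()[0]
            yield m.group(1), m.group(2), prog

def review(log_text, min_reasons=2):
    """Return {file name: sorted reasons} for autoruns matching >= min_reasons heuristics."""
    keys, reasons = defaultdict(set), defaultdict(set)
    for key, _name, prog in parse_o4(log_text):
        fname = prog.rsplit("\\", 1)[-1].lower()
        stem = fname.rsplit(".", 1)[0]
        keys[fname].add(key)
        if "\\" not in prog:  # resolved through the search path, not a fixed location
            reasons[fname].add("no full path")
        if any(stem.startswith(s) and stem != s for s in SYSTEM_STEMS):
            reasons[fname].add("name resembles a system process")
    for fname, k in keys.items():
        if len(k) > 1:
            reasons[fname].add("registered under %d autorun keys" % len(k))
    return {f: sorted(r) for f, r in reasons.items() if len(r) >= min_reasons}

if __name__ == "__main__":
    for fname, why in review(SAMPLE).items():
        print(fname, "->", "; ".join(why))
```

A hit is a prompt to inspect the file, not a verdict: the RUNDLL32.EXE entry also lacks a full path but matches only one heuristic, so it is not reported.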

This thread is now locked and can not be replied to.
