Multiple Infection-suspicious Files: Csrss, Dwm And Conhost.exe Files

Hi there everyone,


Yesterday I was browsing someone's myspace page, when I got prompted by active virus control to either block/allow the file csrss.exe. Alas, I decided on the wrong move to allow it, which immediately prompted active virus control to block/allow the file dwm.exe, which I also allowed. Admittedly I didn't think this through properly and I had felt quite confident up till now that these were both harmless, because I have never had a serious infection since I installed BD TS 2010 in December 2009. Now, here's what happened: browsing with google search resulted in redirecting the search results to all manner of advertising pages, rather than showing me the results page. Shortly after, I was prompted by active virus control to block/allow the file conhost.exe, a file I had never noticed before, and this time around I blocked it, having become suspicious. However, I got continuous notices from BD's tray message balloon that this file won't run, having blocked it.


Windows task manager lists these files (csrss.exe, dwm.exe and conhost.exe) as running in the background, with another csrss.exe task. Now, I have no clue what csrss.exe actually does, but I suspect one of these two csrss.exe files would be a genuine one, the other being an infection disguised as a genuine file? I decided to scan the maps containing these folders only to find out that BD didn't list them as problematic (probably because I allowed at least two of those).


However, I also decided to scan issues with Spybot S&D and found that the csrss.exe file in the user/Local Settings/Temp/ map was listed as a Trojan by the name of Win32.FakeAlert.ttam. Spybot didn't list the other two files, though.


Next up, I decided to have a manual look (in windows XP) in the maps for the two other files, based on the BD log info.


Documents and Settings/User/ Application Data/dwm.exe


Documents and Settings/User/ Application Data/Microsoft/conhost.exe


When I browse the map where dwm.exe is found I get an antivirus notification dwm.exe virus name Gen:Variant.Kazy.22500 "BD can't disinfect, delete or quarantine this file. Access to this file has been denied."


I get exactly the same message when I browse the map that contains conhost.exe: conhost.exe virus name Gen:Variant.Kazy.22500 "BD can't disinfect, delete or quarantine this file. Access to this file has been denied."


For some reason or another the conhost.exe file has renamed itself to zislhecf.svl since last reboot of the PC, a type of random filename. I didn't find any information about this file by right-clicking, other than it was made yesterday.


I have also checked the dwm.exe file and found that it seems to be associated with two other suspicious files in the same directory, a file named 3482.8B3 (also made yesterday) and possibly a file called bdfvconp.ini. However, I can't be sure the latter file has anything to do with it, because the properties say this file was made on February 18, 2010 and has never changed since!


Yesterday, I decided to remove the files with ccleaner.exe with a 35-pass shred, which didn't work. Then I decided to remove them with a 35-pass shred in Spybot's shred.exe app. Trying to remove the file dwm.exe this way, I noticed the association between the file and the 3482.8B3 file. dwm.exe disappears but somehow gets replaced by a file with a random filename, including a totally random extension. Trying to remove that file results in the file renaming itself again randomly, and so on. In any case I noticed that both files can't be shredded with BD, either. Plus, the dwm.exe tends to reappear of its own accord after a while. The same happened yesterday with the conhost.exe file, also associated with a 3482.8B3 file found in its own map. However, as noted above, this file seems to have renamed itself to zislhecf.svl, while the 3482.8B3 seems to have disappeared altogether.


In any case, when I rebooted the PC today, I ascertained that both browsers I am using, Opera 11.10 and Firefox 4.0.1 redirected my searches, making it impossible to browse anything, including bookmarks. I always got the message "can't connect to proxy server....blablabla" when in fact, I never use a proxy server. Curiously enough, I went to Opera settings and found that 127.0.0.1 was added to the proxy server entry. Deleting this entry solved that issue.


At least, temporarily. I am suspecting that those 3 exe files will return after reboot, and will reappear as background processes where they are not wanted. I also suspect both browsers will encounter the same issues again after reboot.


So I have a few questions:


1) How am I going to make sure I can get rid of these files for sure?


2) How will I be able to avoid deleting a genuine csrss.exe file, assuming that one of these is in fact necessary and genuine and the other isn't?


3) I am also unsure how to access the User/Local Settings/Temp/ map, because I can't find it listed anywhere in Windows explorer.


Seeing as I am a bit wary when it comes to fiddling with the registry and such, any help would be gladly appreciated on the subject.


Many thanks in advance,

Comments

  • PinguThePenguin
    edited May 2011

    Seeing as no one is particularly interested in solving this issue, I have taken the necessary steps to do things my own way. For the benefit of those who have a similar problem, I will post how I tried to solve it:


    1) deleted all above mentioned suspicious files found in their specific folders in Safe Mode


    2) scanned the registry with freeware reg tools such as Registrar Lite, Regseeker and hijackthis.


    3) removed all traces and reference paths to those files in the registry


    Apparently, everything works fine now.

  • pooja
    edited May 2011


    Hi there,


    I accidentally downloaded a trojan via emule. It generated dwm.exe and csrss.exe. I deleted that file immediately. BtDef keeps terminating dwm.exe and csrss.exe but they're still sitting in C:\Windows\System32\ and I can't get rid of them! It says it needs some Installer permission. How do I get rid of them?


    Please help. My browsers won't load!

  • 


    Please send me by PM a BDSYS log.


    http://kb.bitdefender.com/site/article/490/


    @PinguThePenguin


    If you still suspect an infection you can also send me back a log to make sure the system is clean.

  • 


    Hi there,


    Have managed to fix the browser: the trojan must have meddled with that and set the browser to work through a proxy server which is not how we use it. I will be sending you last night's Deep Scan log (Gen:Variant.Kazy.7104 quarantined) and bdsyslog.zip. Today BitDefender's main screen was blank. I think it's the trojan (see picture attached).



  • pooja
    edited May 2011


    I can't upload the bdsyslog.zip because the form doesn't upload zip files (Upload failed. You are not permitted to upload this type of file) Can't send you the zip file through PM. What should I do?

  • Upload the file to http://www.sendspace.com/ which is a free file sharing website. After the file is uploaded, you will be shown a page which includes a download link. Copy the download link and paste it in a PM to Cristi Raducu. Also include a link to this topic for cross-reference.


    Regards,

  • 


    Hi there,


    I haven't noticed any suspicious behavior on the PC going on since I deleted all the files like mentioned above. As far as I am aware, all these files have been successfully eradicated. However, there is 1 thing I want to mention.


    I was able to remove all the files manually, subsequently removing their registry entries with either HijackThis or other registry tools, with the exception of the registry entry of the csrss.exe file in the user/Local Settings/Temp/ folder. Every time I used these applications, the registry entry to this file started reoccurring after every reboot, giving me an error message that this file (obviously) couldn't be found. I decided to locate this specific file path in the Registrar Lite registry tool.


    The only entry referring to it was HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load which indeed contained the value Data c:/documents and settings/user/local settings/temp/csrss.exe. Not being able to remove it with the registry tools, I decided to 'render' this key useless by manually changing the value data to c:/documents and settings/user/


    Scanning again with HijackThis afterwards, I consequently also found F3 - REG:win.ini: load=c:/documents and settings/user/ As I have found out at every reboot, this automatically opens up windows explorer in the c:/documents and settings/user/ folder, with no further consequences. I am rather confident this is a minor issue that doesn't interfere with the rest of the system.


    The only thing I was wondering is if the load key in the registry is a necessary registry key that should remain there, or can it be deleted altogether? I suspect this key will be added by some applications, including malwares, but is not dangerous to add or delete by the user, unless the value data point towards a malware file path? Or, alternatively, should I edit the win.ini file?
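    As an added, read-only check script (not posted by anyone in this thread), the PowerShell below addresses the two questions that keep coming up: which running copies of csrss.exe, dwm.exe and conhost.exe are loaded from outside the system directory (question 2 of the opening post), and what the `load` and `run` values under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows currently point to (the last question above). It assumes an elevated PowerShell 2.0 or later session; it reports and never deletes anything.

```powershell
# Added check script, not from the thread. Assumptions: run as an
# administrator in PowerShell 2.0 or later; it only reports.

$SystemDir = [Environment]::SystemDirectory   # e.g. C:\WINDOWS\system32

# 1) Processes carrying the names of the core Windows binaries discussed in
#    the thread. The genuine copies live in the system directory; a copy
#    running from Temp or Application Data is what the scanners flagged.
$names = 'csrss.exe', 'dwm.exe', 'conhost.exe'
Get-WmiObject Win32_Process |
    Where-Object { $names -contains $_.Name.ToLower() } |
    ForEach-Object {
        # XP reports the real csrss.exe as \??\C:\WINDOWS\system32\csrss.exe;
        # strip the NT prefix so the path comparison below works.
        $path = $_.ExecutablePath -replace '^\\\?\?\\', ''
        if (-not $path) {
            $verdict = 'path not readable (protected system process)'
        } elseif ($path.ToLower().StartsWith($SystemDir.ToLower())) {
            $verdict = 'in system directory'
        } else {
            $verdict = 'OUTSIDE system directory - review'
        }
        "{0,-12} PID {1,-6} {2}  [{3}]" -f $_.Name, $_.ProcessId, $path, $verdict
    }

# 2) The win.ini-era autostart values the post above found. On a clean
#    machine both values are normally absent or empty, so anything listed
#    here deserves a look; a Temp or Application Data path is the pattern
#    seen in this thread.
$key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($valueName in 'load', 'run') {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item -and $item.$valueName) {
        $target = [string]$item.$valueName
        # Accept both slash styles, since the post quotes forward slashes.
        if ($target -match '(?i)[\\/](temp|application data|appdata)[\\/]') {
            $flag = 'suspicious location'
        } else {
            $flag = 'review manually'
        }
        "{0}\{1} = {2}  [{3}]" -f $key, $valueName, $target, $flag
    } else {
        "{0}\{1} is not set" -f $key, $valueName
    }
}
```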

  • 


    It seems like your problem is far worse than mine was, because your malware is residing in the system32 folder, whereas those I found were either in a temp folder or an application data (sub)folder. And those are easier to remove. There needs to be a genuine csrss.exe file in the system32 folder as far as I know, and the malware disguised as this file apparently has replaced it, carrying the same name.


    The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. As such Csrss.exe provides the critical functions of the operating system, and its termination can result in the Blue Screen of Death being displayed.


    http://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem

  • 


    I can't attach the file in this forum post. It says "Attachment space used 657.11K of 92.77MB" ???

  • 


    You can upload the file to www.sendspace.com and post here the generated download link.


    Thank you !

  • I am afraid I am developing a serious issue with regards to this infection which has influenced nvata.sys on this computer, resulting in boot problems. I suspect this issue is related to the infection, somehow. I don't know who to turn to in order to solve this problem.

  • My goodness; looks like this was never solved. Bitdefender doesn't give a hoot about this csrss.exe troj? It is very common and not easy to solve. Why just let it be?

  • Hello :)


    This is an old subject from 2011.


    I am sure the issue was resolved via another channel.


    Do you encounter the same issue on your PC?


    Thank you!