csrss.exe virus problemSolved/Closed

Question

Hello, 

I got a serious problem with a virus I got, seems that it is infecting the csrss.exe file of my OS (windows 7 64bit). My antivirus MSE (Microsoft security essentials) gets to block the program and also the Malwarebytes does blocks it, but the thing is that they never get to find the infected file and delete it 'cause the treat disappears. I got only 3 csrss.exe files on my pc, on system32, system64 and a folder named AMD which I checked and is legitimate. I have run the scaner on safe mode, without being connected to the internet, I tried the Regedit thing and the values are ok, I tried the CCleaner, I have tried everything and I still have the virus on my pc, and I have had to restore the pc to a previous date 3 times already cause although the virus is being blocked it is damaging my system somehow. BTW the task manager only have 1 csrss.exe running. I'll appreciate a LOT any response, thanks ahead.

Jav · Accepted Answer

Has this been resolved I have the same exact problem to the "T".

Ambucias · Answer

To help you, I must make a diagnostic and to do so, I require a log. 

Open this link and download ZHPDiag : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 


Register the file on your Desktop. 

Double click on ZHPDiag.exe and follow the instructions. 

the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step). 

Double click on the short cut ZHPDiag on your Destktop. 

Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

Close ZHPDiag. 


To transmit the report, click on this link : 

https://authentification.site 

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag). 

Select the file ZHPDiag.txt. 

Click on "upload » 

Copy the url and post it here

Ambucias · Answer

Miguel,

I have found two malware.  To remove them:

1. Run regedit, locate and delete the following value:

HKCU {758D57A1-E85D-4873-BBEE-7D83FE2D5515} - (Ask.com) 

2. Open Explorer and delete the following .dll file:

C:\Users\buyer\AppData\Local\Temp\bassmod.dll   

Finally if the antivirus applications still find malware, they are possibly in the quarantine files.  Empty the quarantine files.

Let me know

P.S. The malware you first got no doubt came from Limewire (should be deleted) and Azereus

Miguel · Answer

After I deleted the Value on the the registry (it was located on HKEY Local Machine/Software/Microsoft/Internet Explorer/Search Scopes/758D57A1-E85D-4873-BBEE-7D83FE2D5515) and then deleted the bassmod.dll file I run a quick scan and the antivirus found a malware on C:\Windows\system32\consrv.dll, the virus is named Trojan:Win64 Sirefef.B

After I deleted that virus and run the scanner again in search of any other malware or virus the MSE didnt find anything, but after 5 mins the same alert came up again, the same virus Sireref.B infecting another file:
Items: 
file:C:\Windows\assembly	mp\U\800000cb.@
file:C:\Windows\assembly	mp\U\800000cf.@
But when I hit clean or remove the treat just disappears and the antivirus is unable to delete the file.

Ambucias · Answer

The Trojan Horse Siresef B. is not a real menace other than being detected by Microsoft Security Essentials and may not be detected by any other antivirus.  Actually the detection by MSE is the only symptom. 

ZHP Diag is a top notch diagnostic tool and did not see the Trojan Horse roaming in the stable, hence to prove that it's just an annoying nuisance.

I suggest that:

1. You update MSE

2. Turn off your system restore

3. Search for this file and delete it if found :
da4b90ab5e376fc4cdbaa567bbbe0d68 

4. Delete: 

C:\Windows\assembly	mp\U\800000cb.@ 
file:C:\Windows\assembly	mp\U\800000cf.@ 

5. Download and run this free but very efficient registry cleaner:

https://ccm.net/download/download-13339-eusing-free-registry-cleaner

6. Turn your system restore back on.

Good luck

Ambucias · Answer

Miguel,

I have one more solution to rid your computer of this rogue.

Lets fist kill the evil process.

1. Download to your desktop and run Rogue Kill: 

https://download.bleepingcomputer.com/grinler/rkill.com 

2. You should now see a window that shows all of your desktop icons, including the rkill.com program. 

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. 

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running. 

Please, DO NOT REBOOT your computer or the processes will come back to haunt you! 

Download to your desktop Malwarebyte. 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ 

Once on your desktop, we must still outwit the virus. 

Right click on the MBAM icon and click on rename. Rename it kioskea.exe. 

Install Malwarebyte and launch it. From the second tab, update it. 

Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found.

Ambucias · Answer

Go to your control panel and then to security centre, you will find your Windows Firewall there.

duma ndugu · Answer

Thank you so very much! now I know how the registry acts like a central commmand for a root kit

Csrss.exe virus problem

8 replies

Similar discussions

Subscribe To Our Newsletter!