It seems I have an 'extra' csrss.exe file. Hijack this tells the
following:

"This entry is not running from the System32 folder, so it is
probably nasty.
Possibly nasty! According to our database this process runs normally
in c:\windows\system32\! Check if you know this process and arrange a
viruscheck where required.This process is not running from the
System32 folder as it is supposed to be."
and:
"Must be fixed!Added by the CIADOOR-J TROJAN! Note - this is not the
legitimate csrss.exe process which is always located in the System (9x/
Me) or System32 (NT/2K/XP) folder and should not normally figure in
Msconfig/Startup! This file is located in the Winnt or Windows folder"
I did a search for the file and it's in both WINDOWS and WINDOWS
\system32. the first one is 144kb, version 1.0.0.0 and was added a
couple days ago when I started having problems. The second file is 6kb
version 5.1.2600.2180 (xpsp_sp2) and I'm pretty sure it's the legit
one. At this point, what steps should I take?
I'm also having the same problems with services.exe and syshost.exe.
Services.exe has a copy in both folders, syshost is only in WINDOWS
folder. All three suspect files were created last week.

thanks for the help
(E-Mail Removed)

(E-Mail Removed) wrote:
> It seems I have an 'extra' csrss.exe file. Hijack this tells the
> following:
>
> "This entry is not running from the System32 folder, so it is
> probably nasty.
> Possibly nasty! According to our database this process runs normally
> in c:\windows\system32\! Check if you know this process and arrange a
> viruscheck where required.This process is not running from the
> System32 folder as it is supposed to be."
> and:
> "Must be fixed!Added by the CIADOOR-J TROJAN! Note - this is not the
> legitimate csrss.exe process which is always located in the System (9x/
> Me) or System32 (NT/2K/XP) folder and should not normally figure in
> Msconfig/Startup! This file is located in the Winnt or Windows folder"
> I did a search for the file and it's in both WINDOWS and WINDOWS
> \system32. the first one is 144kb, version 1.0.0.0 and was added a
> couple days ago when I started having problems. The second file is 6kb
> version 5.1.2600.2180 (xpsp_sp2) and I'm pretty sure it's the legit
> one. At this point, what steps should I take?
> I'm also having the same problems with services.exe and syshost.exe.
> Services.exe has a copy in both folders, syshost is only in WINDOWS
> folder. All three suspect files were created last week.
>
> thanks for the help
> (E-Mail Removed)
>
Not running any anti-virus app?

See advice here, especially Part B:
http://www.elephantboycomputers.com/...moving_Malware

--
Lem MS MVP -- Networking

To the moon and back with 64 Kbits of RAM and 512 Kbits of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer

(E-Mail Removed) wrote:
> It seems I have an 'extra' csrss.exe file. Hijack this tells the
> following:
>
> "This entry is not running from the System32 folder, so it is
> probably nasty.
> Possibly nasty! According to our database this process runs normally
> in c:\windows\system32\! Check if you know this process and arrange a
> viruscheck where required.This process is not running from the
> System32 folder as it is supposed to be."
> and:
> "Must be fixed!Added by the CIADOOR-J TROJAN! Note - this is not the
> legitimate csrss.exe process which is always located in the System (9x/
> Me) or System32 (NT/2K/XP) folder and should not normally figure in
> Msconfig/Startup! This file is located in the Winnt or Windows folder"
> I did a search for the file and it's in both WINDOWS and WINDOWS
> \system32. the first one is 144kb, version 1.0.0.0 and was added a
> couple days ago when I started having problems. The second file is 6kb
> version 5.1.2600.2180 (xpsp_sp2) and I'm pretty sure it's the legit
> one. At this point, what steps should I take?
> I'm also having the same problems with services.exe and syshost.exe.
> Services.exe has a copy in both folders, syshost is only in WINDOWS
> folder. All three suspect files were created last week.

A few things to try:

1) Restart to a Safe Mode Command Prompt, type

CD C:\Windows

DEL csrss.exe

2) Schedule a boot scan within your a/v software so it can remove the
file before Windows starts.

3. Download software that can handle running malware. Just a couple..
I know that Avast! can be scheduled to do a boot scan:

Avast! - http://www.avast.com/eng/avast_4_home.html
AVG - http://free.grisoft.com/

--
Joe =o)