Hosts file acting up?


Penang

Dunno what happened, but somehow my hosts file has been acting up.

This isn't a joke, it's happening !

FYI -- Dual core cpu, 4GB mem, XP SP3, 750GB hd.

I've never played with the hosts file. Never set anything, ever.
Didn't even know of its existence until something went wrong.

For no reason at all, the hosts file has the following entries ---

= = = = = =====================================

127.0.0.1 go.mail.ru
127.0.0.1 nova.rambler.ru
127.0.0.1 google.ad
127.0.0.1 www.google.ad
127.0.0.1 google.ae
127.0.0.1 www.google.ae
127.0.0.1 google.com.af
127.0.0.1 www.google.com.af
127.0.0.1 google.com.ag
127.0.0.1 www.google.com.ag
127.0.0.1 google.com.ai
127.0.0.1 www.google.com.ai
127.0.0.1 google.am
127.0.0.1 www.google.am
127.0.0.1 google.com.ar
127.0.0.1 www.google.com.ar
127.0.0.1 google.as
127.0.0.1 www.google.as
127.0.0.1 google.at
127.0.0.1 www.google.at
127.0.0.1 google.com.au
127.0.0.1 www.google.com.au
127.0.0.1 google.az
127.0.0.1 www.google.az
127.0.0.1 google.ba
127.0.0.1 www.google.ba
127.0.0.1 google.com.bd
127.0.0.1 www.google.com.bd
127.0.0.1 google.be
127.0.0.1 www.google.be
127.0.0.1 google.bg
127.0.0.1 www.google.bg
127.0.0.1 google.com.bh
127.0.0.1 www.google.com.bh
127.0.0.1 google.com.bn
127.0.0.1 www.google.com.bn
127.0.0.1 google.com.bo
127.0.0.1 www.google.com.bo
127.0.0.1 google.bs
127.0.0.1 www.google.bs
127.0.0.1 google.com.by
127.0.0.1 www.google.com.by
127.0.0.1 google.com.bz
127.0.0.1 www.google.com.bz
127.0.0.1 google.ca
127.0.0.1 www.google.ca
127.0.0.1 google.ch
127.0.0.1 www.google.ch
127.0.0.1 google.co.ck
127.0.0.1 www.google.co.ck
127.0.0.1 google.cl
127.0.0.1 www.google.cl
127.0.0.1 google.cn
127.0.0.1 www.google.cn
127.0.0.1 google.com.co
127.0.0.1 www.google.com.co
127.0.0.1 google.co.cr
127.0.0.1 www.google.co.cr
127.0.0.1 google.com.cu
127.0.0.1 www.google.com.cu
127.0.0.1 google.cz
127.0.0.1 www.google.cz
127.0.0.1 google.de
127.0.0.1 www.google.de
127.0.0.1 google.dj
127.0.0.1 www.google.dj
127.0.0.1 google.dk
127.0.0.1 www.google.dk
127.0.0.1 google.dm
127.0.0.1 www.google.dm
127.0.0.1 google.com.do
127.0.0.1 www.google.com.do
127.0.0.1 google.com.ec
127.0.0.1 www.google.com.ec
127.0.0.1 google.ee
127.0.0.1 www.google.ee
127.0.0.1 google.com.eg
127.0.0.1 www.google.com.eg
127.0.0.1 google.es
127.0.0.1 www.google.es
127.0.0.1 google.com.et
127.0.0.1 www.google.com.et
127.0.0.1 google.fi
127.0.0.1 www.google.fi
127.0.0.1 google.com.fj
127.0.0.1 www.google.com.fj
127.0.0.1 google.fm
127.0.0.1 www.google.fm
127.0.0.1 google.fr
127.0.0.1 www.google.fr
127.0.0.1 google.gg
127.0.0.1 www.google.gg
127.0.0.1 google.com.gh
127.0.0.1 www.google.com.gh
127.0.0.1 google.com.gi
127.0.0.1 www.google.com.gi
127.0.0.1 google.gl
127.0.0.1 www.google.gl
127.0.0.1 google.gm
127.0.0.1 www.google.gm
127.0.0.1 google.gp
127.0.0.1 www.google.gp
127.0.0.1 google.gr
127.0.0.1 www.google.gr
127.0.0.1 google.com.gt
127.0.0.1 www.google.com.gt
127.0.0.1 google.gy
127.0.0.1 www.google.gy
127.0.0.1 google.com.hk
127.0.0.1 www.google.com.hk
127.0.0.1 google.hn
127.0.0.1 www.google.hn
127.0.0.1 google.hr
127.0.0.1 www.google.hr
127.0.0.1 google.ht
127.0.0.1 www.google.ht
127.0.0.1 google.hu
127.0.0.1 www.google.hu
127.0.0.1 google.co.id
127.0.0.1 www.google.co.id
127.0.0.1 google.ie
127.0.0.1 www.google.ie
127.0.0.1 google.co.il
127.0.0.1 www.google.co.il
127.0.0.1 google.im
127.0.0.1 www.google.im
127.0.0.1 google.co.in
127.0.0.1 www.google.co.in
127.0.0.1 google.is
127.0.0.1 www.google.is
127.0.0.1 google.it
127.0.0.1 www.google.it
127.0.0.1 google.je
127.0.0.1 www.google.je
127.0.0.1 google.jo
127.0.0.1 www.google.jo
127.0.0.1 google.co.jp
127.0.0.1 www.google.co.jp
127.0.0.1 google.co.ke
127.0.0.1 www.google.co.ke
127.0.0.1 google.com.kh
127.0.0.1 www.google.com.kh
127.0.0.1 google.ki
127.0.0.1 www.google.ki
127.0.0.1 google.kg
127.0.0.1 www.google.kg
127.0.0.1 google.co.kr
127.0.0.1 www.google.co.kr
127.0.0.1 google.la
127.0.0.1 www.google.la
127.0.0.1 google.li
127.0.0.1 www.google.li
127.0.0.1 google.lk
127.0.0.1 www.google.lk
127.0.0.1 google.co.ls
127.0.0.1 www.google.co.ls
127.0.0.1 google.lt
127.0.0.1 www.google.lt
127.0.0.1 google.lu
127.0.0.1 www.google.lu
127.0.0.1 google.lv
127.0.0.1 www.google.lv
127.0.0.1 google.com.ly
127.0.0.1 www.google.com.ly
127.0.0.1 google.md
127.0.0.1 www.google.md
127.0.0.1 google.mn
127.0.0.1 www.google.mn
127.0.0.1 google.ms
127.0.0.1 www.google.ms
127.0.0.1 google.com.mt
127.0.0.1 www.google.com.mt
127.0.0.1 google.mu
127.0.0.1 www.google.mu
127.0.0.1 google.mv
127.0.0.1 www.google.mv
127.0.0.1 google.mw
127.0.0.1 www.google.mw
127.0.0.1 google.com.mx
127.0.0.1 www.google.com.mx
127.0.0.1 google.com.my
127.0.0.1 www.google.com.my
127.0.0.1 google.com.na
127.0.0.1 www.google.com.na
127.0.0.1 google.com.nf
127.0.0.1 www.google.com.nf
127.0.0.1 google.com.ng
127.0.0.1 www.google.com.ng
127.0.0.1 google.com.ni
127.0.0.1 www.google.com.ni
127.0.0.1 google.nl
127.0.0.1 www.google.nl
127.0.0.1 google.no
127.0.0.1 www.google.no
127.0.0.1 google.com.np
127.0.0.1 www.google.com.np
127.0.0.1 google.nr
127.0.0.1 www.google.nr
127.0.0.1 google.nu
127.0.0.1 www.google.nu
127.0.0.1 google.co.nz
127.0.0.1 www.google.co.nz
127.0.0.1 google.com.om
127.0.0.1 www.google.com.om
127.0.0.1 google.com.pa
127.0.0.1 www.google.com.pa
127.0.0.1 google.com.pe
127.0.0.1 www.google.com.pe
127.0.0.1 google.com.ph
127.0.0.1 www.google.com.ph
127.0.0.1 google.com.pk
127.0.0.1 www.google.com.pk
127.0.0.1 google.pl
127.0.0.1 www.google.pl
127.0.0.1 google.pn
127.0.0.1 www.google.pn
127.0.0.1 google.com.pr
127.0.0.1 www.google.com.pr
127.0.0.1 google.pt
127.0.0.1 www.google.pt
127.0.0.1 google.com.py
127.0.0.1 www.google.com.py
127.0.0.1 google.com.qa
127.0.0.1 www.google.com.qa
127.0.0.1 google.ro
127.0.0.1 www.google.ro
127.0.0.1 google.ru
127.0.0.1 www.google.ru
127.0.0.1 google.com.ru
127.0.0.1 www.google.com.ru
127.0.0.1 google.rw
127.0.0.1 www.google.rw
127.0.0.1 google.com.sa
127.0.0.1 www.google.com.sa
127.0.0.1 google.com.sb
127.0.0.1 www.google.com.sb
127.0.0.1 google.sc
127.0.0.1 www.google.sc
127.0.0.1 google.se
127.0.0.1 www.google.se
127.0.0.1 google.com.sg
127.0.0.1 www.google.com.sg
127.0.0.1 google.sh
127.0.0.1 www.google.sh
127.0.0.1 google.si
127.0.0.1 www.google.si
127.0.0.1 google.sk
127.0.0.1 www.google.sk
127.0.0.1 google.sn
127.0.0.1 www.google.sn
127.0.0.1 google.sm
127.0.0.1 www.google.sm
127.0.0.1 google.st
127.0.0.1 www.google.st
127.0.0.1 google.com.sv
127.0.0.1 www.google.com.sv
127.0.0.1 google.co.th
127.0.0.1 www.google.co.th
127.0.0.1 google.com.tj
127.0.0.1 www.google.com.tj
127.0.0.1 google.tl
127.0.0.1 www.google.tl
127.0.0.1 google.tm
127.0.0.1 www.google.tm
127.0.0.1 google.to
127.0.0.1 www.google.to
127.0.0.1 google.com.tr
127.0.0.1 www.google.com.tr
127.0.0.1 google.tt
127.0.0.1 www.google.tt
127.0.0.1 google.com.tw
127.0.0.1 www.google.com.tw
127.0.0.1 google.com.ua
127.0.0.1 www.google.com.ua
127.0.0.1 google.co.ug
127.0.0.1 www.google.co.ug
127.0.0.1 google.co.uk
127.0.0.1 www.google.co.uk
127.0.0.1 google.com.uy
127.0.0.1 www.google.com.uy
127.0.0.1 google.com.vc
127.0.0.1 www.google.com.vc
127.0.0.1 google.co.ve
127.0.0.1 www.google.co.ve
127.0.0.1 google.vg
127.0.0.1 www.google.vg
127.0.0.1 google.co.vi
127.0.0.1 www.google.co.vi
127.0.0.1 google.com.vn
127.0.0.1 www.google.com.vn
127.0.0.1 google.vu
127.0.0.1 www.google.vu
127.0.0.1 google.rs
127.0.0.1 www.google.rs
127.0.0.1 google.com
127.0.0.1 www.google.com
127.0.0.1 google.us
127.0.0.1 www.google.us
127.0.0.1 google.vc
127.0.0.1 www.google.vc
127.0.0.1 google.tc
127.0.0.1 www.google.tc
127.0.0.1 google.com.pl
127.0.0.1 www.google.com.pl
127.0.0.1 google.com.ca
127.0.0.1 www.google.com.ca
127.0.0.1 google.com.ch
127.0.0.1 www.google.com.ch
127.0.0.1 google.co.hu
127.0.0.1 www.google.co.hu
127.0.0.1 google.ge
127.0.0.1 www.google.ge
127.0.0.1 google.kz
127.0.0.1 www.google.kz
127.0.0.1 google.co.uz
127.0.0.1 www.google.co.uz
127.0.0.1 search.msn.com
127.0.0.1 search.live.com
127.0.0.1 search.msn.com.hk
127.0.0.1 search.prodigy.msn.com
127.0.0.1 cnweb.search.live.com
127.0.0.1 search.msn.co.jp
127.0.0.1 livesearch.msn.co.kr
127.0.0.1 search.msn.com.my
127.0.0.1 search.msn.com.ph
127.0.0.1 search.msn.com.sg
127.0.0.1 search.msn.com.tw
127.0.0.1 search.msn.at
127.0.0.1 search.msn.dk
127.0.0.1 search.msn.fi
127.0.0.1 search.msn.fr
127.0.0.1 search.msn.ie
127.0.0.1 search.msn.co.il
127.0.0.1 search.msn.it
127.0.0.1 search.msn.nl
127.0.0.1 search.msn.no
127.0.0.1 search.msn.es
127.0.0.1 search.msn.se
127.0.0.1 search.msn.ch
127.0.0.1 search.msn.com.tr
127.0.0.1 search.msn.co.uk
127.0.0.1 search.yahoo.com
127.0.0.1 ca.search.yahoo.com
127.0.0.1 ar.search.yahoo.com
127.0.0.1 cl.search.yahoo.com
127.0.0.1 co.search.yahoo.com
127.0.0.1 mx.search.yahoo.com
127.0.0.1 espanol.search.yahoo.com
127.0.0.1 qc.search.yahoo.com
127.0.0.1 ve.search.yahoo.com
127.0.0.1 pe.search.yahoo.com
127.0.0.1 at.search.yahoo.com
127.0.0.1 ct.search.yahoo.com
127.0.0.1 dk.search.yahoo.com
127.0.0.1 fi.search.yahoo.com
127.0.0.1 fr.search.yahoo.com
127.0.0.1 de.search.yahoo.com
127.0.0.1 it.search.yahoo.com
127.0.0.1 nl.search.yahoo.com
127.0.0.1 no.search.yahoo.com
127.0.0.1 ru.search.yahoo.com
127.0.0.1 es.search.yahoo.com
127.0.0.1 se.search.yahoo.com
127.0.0.1 ch.search.yahoo.com
127.0.0.1 uk.search.yahoo.com
127.0.0.1 asia.search.yahoo.com
127.0.0.1 au.search.yahoo.com
127.0.0.1 one.cn.yahoo.com
127.0.0.1 hk.search.yahoo.com
127.0.0.1 in.search.yahoo.com
127.0.0.1 id.search.yahoo.com
127.0.0.1 search.yahoo.co.jp
127.0.0.1 kr.search.yahoo.com
127.0.0.1 malaysia.search.yahoo.com
127.0.0.1 nz.search.yahoo.com
127.0.0.1 ph.search.yahoo.com
127.0.0.1 sg.search.yahoo.com
127.0.0.1 tw.search.yahoo.com
127.0.0.1 th.search.yahoo.com
127.0.0.1 vn.search.yahoo.com
127.0.0.1 images.google.com
127.0.0.1 images.google.ca
127.0.0.1 images.google.co.uk
127.0.0.1 news.google.com
127.0.0.1 news.google.ca
127.0.0.1 news.google.co.uk
127.0.0.1 video.google.com
127.0.0.1 video.google.ca
127.0.0.1 video.google.co.uk
127.0.0.1 blogsearch.google.com
127.0.0.1 blogsearch.google.ca
127.0.0.1 blogsearch.google.co.uk
127.0.0.1 searchservice.myspace.com
127.0.0.1 search.comcast.net
127.0.0.1 youtube.com
127.0.0.1 www.youtube.com
127.0.0.1 ask.com
127.0.0.1 www.ask.com
127.0.0.1 search.aol.com
127.0.0.1 search.netscape.com
127.0.0.1 my.att.net
127.0.0.1 yandex.ru
127.0.0.1 www.yandex.ru
127.0.0.1 yandex.ua
127.0.0.1 www.yandex.ua
127.0.0.1 baidu.com
127.0.0.1 www.baidu.com
127.0.0.1 shop.ebay.com
127.0.0.1 shop.ebay.co.uk
127.0.0.1 search.ebay.com
127.0.0.1 search.ebay.co.uk
127.0.0.1 motors.shop.ebay.com
127.0.0.1 motors.shop.ebay.co.uk
127.0.0.1 motors.search.ebay.com
127.0.0.1 motors.search.ebay.co.uk
127.0.0.1 en.search.wordpress.com
127.0.0.1 en.wikipedia.org
127.0.0.1 search.cnn.com
127.0.0.1 information.com
127.0.0.1 www.information.com
127.0.0.1 search.microsoft.com
127.0.0.1 search.about.com
127.0.0.1 search.icq.com
127.0.0.1 www.icq.com
127.0.0.1 www.verizon.net
127.0.0.1 verizon.net
127.0.0.1 search.lycos.com

= = = = = =====================================

Again, I never touched it before. It wasn't there to begin with.

The above entries caused a lot of problems for me. With the above
entries in the hosts file, I can't access gmail, and lots of other
places.

It took me some time to realize that it was the entries inside the
hosts file that were the culprit of me not being able to access gmail and so
on. So I deleted all those entries, returning the hosts file to "0"
bytes.

I thought that was the end of the story.

However, 15 minutes later, I can't get to gmail again. So I check the
hosts file --- those entries that I've just deleted were back !!

I deleted them again. And moments later, they returned.

So the cycle began.

I did a check on the Net, and found ONE link that has the exact same
entries in the hosts file.

http://forum.te.ua/showthread.php?p=729935

Unfortunately the above page is in Russian, and I don't read Russian.

I figure that there might be a trojan or virus or spyware or something
that is playing havoc on my machine, so I scanned it with everything I
can find.

Found nothing.

But those entries keep coming back.

I even tried to change the attributes of the hosts file, set it to
system, hidden, read-only, and that thing inside my PC has managed to
write a NEW hosts file, and rename the old one (with all the file
attributes set) as hosts.bak.

Now I dunno what the next step might be.

Has anyone ever met with this problem before??

Please advise.

Thank you !
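Penang's post describes two things a defender wants to test for rather than notice by accident: a hosts file that sends hundreds of public search and mail names to 127.0.0.1, and a file that is rewritten minutes after being cleaned. The following is an added example, not code from anyone in this thread: a Python hosts-file auditor that parses the file the way the resolver reads it (comments stripped, several names per line), flags public names sinkholed to loopback or 0.0.0.0, flags watch-listed domains pinned to any other address, and diffs a current copy against a known-good baseline so that re-appearing entries can be listed exactly. The sample file contents, the watch list and the 203.0.113.10 pharming entry are constructed for the example; the domains are drawn from the list quoted above.

```python
import hashlib
import ipaddress
from typing import Dict, List, Tuple

# Names that are legitimately mapped to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Public services a workstation should never need a static hosts entry for.
# Suffixes taken from the domains quoted in the thread plus one constructed bank name.
WATCHLIST = ("google.com", "search.yahoo.com", "mail.ru", "wikipedia.org",
             "youtube.com", "examplebank.test")

# Constructed sample data: the default XP hosts file, and the same file after a
# rewrite modelled on the entries quoted in the thread.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

TAMPERED_HOSTS = CLEAN_HOSTS + """\
127.0.0.1 go.mail.ru
127.0.0.1 google.com www.google.com
127.0.0.1 search.yahoo.com
127.0.0.1 en.wikipedia.org
0.0.0.0 youtube.com
203.0.113.10 www.examplebank.test   # constructed pharming entry (TEST-NET-3 address)
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, as the resolver reads the file."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # everything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address: skip rather than guess
        for name in fields[1:]:
            pairs.append((fields[0], name.lower().rstrip(".")))
    return pairs


def on_watchlist(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHLIST)


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """'blackholed': public names sent to loopback/0.0.0.0;
    'pinned': watch-listed names forced to some other address."""
    findings: Dict[str, List[Tuple[str, str]]] = {"blackholed": [], "pinned": []}
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            findings["blackholed"].append((host, ip))
        elif on_watchlist(host):
            findings["pinned"].append((host, ip))
    return findings


def diff_hosts(baseline: str, current: str):
    """Entries added to / removed from the baseline, so a recurring rewrite can be listed exactly."""
    before, after = set(parse_hosts(baseline)), set(parse_hosts(current))
    return sorted(after - before), sorted(before - after)


def digest(text: str) -> str:
    """SHA-256 of the contents: record it once the file is clean, re-check it on a schedule."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    report = audit_hosts(TAMPERED_HOSTS)
    for kind, entries in report.items():
        for host, ip in entries:
            print(f"{kind:10} {host:28} -> {ip}")
    added, removed = diff_hosts(CLEAN_HOSTS, TAMPERED_HOSTS)
    print(f"{len(added)} entries added, {len(removed)} removed since baseline")
    print("baseline digest:", digest(CLEAN_HOSTS))
```

On Windows the file to feed in is %SystemRoot%\system32\drivers\etc\hosts. The blackholed list is a review queue, not a verdict: ad-blocking hosts files deliberately sinkhole thousands of names, so what matters is whether the owner put them there. Re-checking the digest on a timer turns "it came back 15 minutes later" into a timestamped event, and the diff shows which entries returned; neither fixes the problem, since whatever process is writing the file has to be found, which is where the rest of the thread goes.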
 

1PW

Dunno what happened, but somehow my hosts file has been acting up.

This isn't a joke, it's happening !

FYI -- Dual core cpu, 4GB mem, XP SP3, 750GB hd.

I've never played with the hosts file. Never set anything, ever.
Didn't even know of its existence until something went wrong.

For no reason at all, the hosts file has the following entries ---

= = = = = =====================================

127.0.0.1 go.mail.ru
127.0.0.1 nova.rambler.ru


Snip, snip...
Again, I never touched it before. It wasn't there to begin with.

The above entries caused a lot of problems for me. With the above
entries in the hosts file, I can't access gmail, and lots of other
places.

It took me some time to realize that it was the entries inside the
hosts file that were the culprit of me not being able to access gmail and so
on. So I deleted all those entries, returning the hosts file to "0"
bytes.

I thought that was the end of the story.

However, 15 minutes later, I can't get to gmail again. So I check the
hosts file --- those entries that I've just deleted were back !!

I deleted them again. And moments later, they returned.

So the cycle began.

I did a check on the Net, and found ONE link that has the exact same
entries in the hosts file.

http://forum.te.ua/showthread.php?p=729935

Unfortunately the above page is in Russian, and I don't read Russian.
http://translate.google.com/


I figure that there might be a trojan or virus or spyware or something
that is playing havoc on my machine, so I scanned it with everything I
can find.

Found nothing.

But those entries keep coming back.

I even tried to change the attributes of the hosts file, set it to
system, hidden, read-only, and that thing inside my PC has managed to
write a NEW hosts file, and rename the old one (with all the file
attributes set) as hosts.bak.

Now I dunno what the next step might be.

Has anyone ever met with this problem before??

Please advise.

Thank you !

What protection software are you running?
 

Justin

Penang said:
Dunno what happened, but somehow my hosts file has been acting up.




Has anyone ever met with this problem before??

Please advise.

Thank you !

Yes, I have seen this sort of thing before.
Bring up your task manager and tell me what's running - every process name.
Sounds like you have a spyware infection. Do what the other two people
said, but let me see what processes you're running to see if something
jumps out at me.
 

Penang

Yes, I have seen this sort of thing before.
Bring up your task manager and tell me what's running - every process name.
Sounds like you have a spyware infection. Do what the other two people
said, but let me see what processes you're running to see if something
jumps out at me.


Here are the processes ---

chrome.exe
taskmgr.exe
cmd.exe
explorer.exe
Safari.exe
firefox.exe
GoogleUpdate.exe
NMIndexStoreSvr.exe
ctfmon.exe
RTHDCPL.exe
YPTray.exe
ccApp.exe
VTTimer.exe
svchost.exe
NMIndexingService.exe
spoolsv.exe
csrss.exe
ccEvtMgr.exe
ccSetMgr.exe
Rtvscan.exe
smartd.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
MDM.exe
DefWatch.exe
System
System Idle Process
alg.exe
wdfmgr.exe

I am downloading HJ at the moment. I'll run it and post the result
asap.

Thanks !!
 

thanatoid

(e-mail address removed) wrote in

WHY a bear? And I really don't understand why all the comments
are so enthusiastic. In all honesty, I found the whole idea a
little unsavory. The girl in the fishnets in the last photo was
kind of cute, I'll admit.

The world is getting weirder and weirder.


--
Of course, it is no easy matter to be polite; in so far, I mean,
as it requires us to show great respect for everybody, whereas
most people deserve none at all; and again in so far as it
demands that we should feign the most lively interest in people,
when we must be very glad that we have nothing to do with them.

- Arthur Schopenhauer
 

Penang

Post it here: http://hijackthis.de/en
No registration required



Thanks for the link you provided.

Here's the result, and I'm only posting the "Nasty" entry here ----

= = = = = ================================================

C:\Documents and Settings\All Users\Application Data\csrss.exe


This entry is not running from the System32 folder, so it is probably
nasty.
Possibly nasty! According to our database this process runs normally
in c:\windows\system32\! Check if you know this process and arrange a
viruscheck where required. This process is not running from the
System32 folder as it is supposed to be.

= = = = = ================================================

Just performed a full-scan using Norton Anti-Virus, and it didn't flag
that csrss.exe entry.

So what do I do?

Do I delete that file, as HJT has instructed, or do I leave it alone??

Please help !

Thank you !!
 

Pennywise

Penang said:
C:\Documents and Settings\All Users\Application Data\csrss.exe


This entry is not running from the System32 folder, so it is probably
nasty.
Possibly nasty! According to our database this process runs normally
in c:\windows\system32\! Check if you know this process and arrange a
viruscheck where required. This process is not running from the
System32 folder as it is supposed to be.

= = = = = ================================================

Just performed a full-scan using Norton Anti-Virus, and it didn't flag
that csrss.exe entry.

So what do I do?

Do I delete that file, as HJT has instructed, or do I leave it alone??


csrss.exe should only be found in the directories:

X:\WINDOWS\system32\csrss.exe
It runs from this directory

and

X:\WINDOWS\ServicePackFiles\i386\csrss.exe
This is for file protection (SFC) and used if the one in the System32
directory is deleted (replaces it on the next reboot)

Delete C:\Documents and Settings\All Users\Application Data\csrss.exe
Keep the two listed above. If it can't be deleted normally, use
MoveOnBoot
http://www.softwarepatch.com/software/moveonboot.html

Googling CSRSS (the one in the system32 directory is ok):
Note: csrss.exe is a process which is registered as a trojan. This
Trojan allows attackers to access your computer from remote locations,
stealing passwords, Internet banking and personal data. This process
is a security risk and should be removed from your system.
http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/
(don't use the websites services - I can't vouch for them)


So I would do a credit check if you do any online banking.
https://www.annualcreditreport.com/cra/index.jsp (this is free, no
charge). I've used it, it only asks for your SSN.
 

Penang

| = = = = = ================================================

| C:\Documents and Settings\All Users\Application Data\csrss.exe

| This entry is not running from the System32 folder, so it is probably
| nasty.
| Possibly nasty! According to our database this process runs normally
| in c:\windows\system32\! Check if you know this process and arrange a
| viruscheck where required. This process is not running from the
| System32 folder as it is supposed to be.

Your assertion is correct. Many forms of malware use the names of legitimate files to
obfuscate their malicious intent. It is not the name of the file that is always
important but the fully qualified name and path. In this case the name and path indicate
its maliciousness.
The first thing to do is to find how the OS loads that file and disable it such that when you
reboot the PC it will not load. Then you can rename the file such as "csrss.exe.vir".


This is the part I have difficulty performing.

Tried to delete the file, couldn't.

Even when I booted in safe mode, still couldn't get rid of that file.
Couldn't rename the file either.

So how to disable the file in the first place??

Is there a "standard procedure" to disable such malicious malware?
Then you can submit it to Virus Total ...http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors. This also may give a hint of
what further actions may need to be taken.

I will do it when I disable that file. Till now, I can't.


Please help !
 

Penang

csrss.exe should only be found in the directories:

X:\WINDOWS\system32\csrss.exe
It runs from this directory

and

X:\WINDOWS\ServicePackFiles\i386\csrss.exe
This is for file protection (SFC) and used if the one in the System32
directory is deleted (replaces it on the next reboot)

Delete C:\Documents and Settings\All Users\Application Data\csrss.exe
Keep the two listed above. If it can't be deleted normally, use
MoveOnBoot http://www.softwarepatch.com/software/moveonboot.html

Whoa, bad !

My PC refuses to allow me to visit www.softwarepatch.com !!

I have deleted the hosts file, and still I can't access the link you
provided above !!
 

Penang

From: "Penang" <[email protected]>

| Thanks for the link you provide.

| Here's the result, and I only post the "Nasty" entry here ----

| = = = = = ================================================

| C:\Documents and Settings\All Users\Application Data\csrss.exe

| This entry is not running from the System32 folder, so it is probably
| nasty.
| Possibly nasty! According to our database this process runs normally
| in c:\windows\system32\! Check if you know this process and arrange a
| viruscheck where required. This process is not running from the
| System32 folder as it is supposed to be.

Your assertion is correct. Many forms of malware use the names of legitimate files to
obfuscate their malicious intent. It is not the name of the file that is always
important but the fully qualified name and path. In this case the name and path indicate
its maliciousness.

| = = = = = ================================================

| Just performed a
| full-scan using Norton Anti-Virus, and it didn't flag
| that csrss.exe entry.

| So what do
| I do?

| Do I delete that file, as HJT has instructed, or do I leave it alone??

| Please
| help !

| Thank you !!

The first thing to do is to find how the OS loads that file and disable it such that when you
reboot the PC it will not load. Then you can rename the file such as "csrss.exe.vir".

Then you can submit it to Virus Total ...http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors. This also may give a hint of
what further actions may need to be taken.



Okay, finally successfully copied it and renamed that file, and sent
it for analysis.

Result is at http://www.virustotal.com/analisis/45568dff2bb5ef8fdd562ba6948679d2

It's a trojan, and unfortunately, the NAV that I am using never flagged
it !

I'm downloading that "autorun" and will try to disable the thing.

Thanks for all your help !!
 

Penang

I reckon you'll find it loading from this registry entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Svchost

I will also speculate that you're running an unpatched Adobe Acrobat
browser plugin and were infected by a PDF exploit. Disable automatic
loading of PDFs until you've updated it.


Please tell me where I can get that patch for the Acrobat browser
plugin?

Thank you !
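Pennywise's point that csrss.exe belongs only in System32 (with the SFC copy in ServicePackFiles\i386), the HijackThis verdict that was based purely on the path, and the hint above that the file is started from the Run value named Svchost all come down to one check: does the name a process or autorun entry claims match where its image actually lives? Below is an added example, not code posted by anyone in this thread, that implements the check in Python over two constructed inputs: a process list carrying image paths (Justin's list has names only, which is why it could not separate the two csrss.exe entries) and a `reg query`-style dump of the Run key. The Application Data path and the Svchost value name are the ones reported in the thread; every other path, the user name and the remaining Run values are constructed for the example.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    source: str       # "process" or "run-key"
    label: str        # process name, or the Run value name
    image_path: str
    confidence: str   # "high" or "low"
    reason: str


# Core Windows processes whose image lives only under the system directory.
SYSTEM_ONLY = {"csrss", "smss", "lsass", "services", "winlogon", "svchost", "spoolsv", "alg"}

# Profile and temp locations a dropper can write to without administrative rights.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\",
                 "\\users\\", "\\programdata\\")


def trusted_dirs(system_root: str = r"C:\WINDOWS") -> set:
    """Where SYSTEM_ONLY images legitimately exist: the two directories from the
    thread plus SysWOW64 for 64-bit Windows."""
    return {ntpath.normcase(ntpath.join(system_root, d))
            for d in ("system32", "SysWOW64", r"ServicePackFiles\i386")}


def classify_image(label: str, image_path: str,
                   system_root: str = r"C:\WINDOWS") -> Optional[Tuple[str, str]]:
    """(confidence, reason) when the label/path pair looks like masquerading, else None."""
    base = ntpath.splitext(ntpath.basename(image_path))[0].lower()
    claimed = ntpath.splitext(label)[0].lower()
    directory = ntpath.normcase(ntpath.dirname(image_path))
    if (base in SYSTEM_ONLY or claimed in SYSTEM_ONLY) and directory not in trusted_dirs(system_root):
        return "high", "system process name used outside the system directory"
    if any(marker in ntpath.normcase(image_path) for marker in USER_WRITABLE):
        return "low", "image runs from a user-writable location"
    return None


# One value per line: <name>  <REG_type>  <data>, separated by runs of whitespace.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+)$")
# The executable part of a command line: a quoted path, or the shortest bare prefix ending in .exe.
_EXE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.exe)', re.IGNORECASE)


def parse_run_key(dump: str) -> List[Tuple[str, str, str]]:
    """(key, value name, image path) triples from a `reg query`-style listing."""
    key, entries = "", []
    for line in dump.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        data = m.group("data").strip()
        exe = _EXE.match(data)
        path = (exe.group("quoted") or exe.group("bare")) if exe else data
        entries.append((key, m.group("name"), path))
    return entries


def audit_processes(procs: List[Tuple[str, str]]) -> List[Finding]:
    out = []
    for name, path in procs:
        verdict = classify_image(name, path)
        if verdict:
            out.append(Finding("process", name, path, *verdict))
    return out


def audit_run_key(dump: str) -> List[Finding]:
    out = []
    for _key, name, path in parse_run_key(dump):
        verdict = classify_image(name, path)
        if verdict:
            out.append(Finding("run-key", name, path, *verdict))
    return out


# Constructed sample: names from the process list posted earlier, with made-up image
# paths, plus the rogue csrss.exe path that HijackThis reported in the thread.
SAMPLE_PROCESSES = [
    ("csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    ("csrss.exe", r"C:\Documents and Settings\All Users\Application Data\csrss.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("chrome.exe", r"C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"),
    ("Rtvscan.exe", r"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

# Constructed `reg query`-style dump of the Run key named in the thread.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Svchost    REG_SZ    C:\Documents and Settings\All Users\Application Data\csrss.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Google Update    REG_SZ    "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"""

if __name__ == "__main__":
    for f in audit_processes(SAMPLE_PROCESSES) + audit_run_key(RUN_KEY_DUMP):
        print(f"[{f.confidence}] {f.source:8} {f.label:14} {f.image_path}\n         {f.reason}")
```

The two confidence levels matter: a system process name outside the system directory is worth acting on by itself, while "runs from a profile directory" only says the entry deserves a look, since on XP Chrome and Google Update legitimately install under Local Settings\Application Data. On a live machine the process input comes from a tool that shows image paths (Task Manager on XP does not), and the Run key from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the same check applies to the HKLM Run key and the other autostart locations HijackThis enumerates.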
 

Penang

From: "Penang" <[email protected]>

| Okay, finally successfully copied it and renamed that file, and sent
| it for analysis.

| Result is at http://www.virustotal.com/analisis/45568dff2bb5ef8fdd562ba6948679d2

| It's a trojan, and unfortunately, the NAV that I am using never flagged
| it !

| I'm downloading that "autorun" and will try to disable the thing.

| Thanks for all your help !!

Not just a trojan, a trojan proxy.

Your PC has been a proxy agent of the malware's author.

Start with the Sophos module of the following Multi AV Scanning Tool...

Download MULTI_AV.EXE from the URL --http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or http://212.98.39.7/downloads/dl/35905.asp

English: http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-wit...

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions: http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *


Am downloading the Sophos module, and will run it.

Many thanks !!!!!
 
