R
ron.morse
It seems I have an 'extra' csrss.exe file. Hijack this tells the
following:
"This entry is not running from the System32 folder, so it is
probably nasty.
Possibly nasty! According to our database this process runs normally
in c:\windows\system32\! Check if you know this process and arrange a
viruscheck where required.This process is not running from the
System32 folder as it is supposed to be."
and:
"Must be fixed!Added by the CIADOOR-J TROJAN! Note - this is not the
legitimate csrss.exe process which is always located in the System (9x/
Me) or System32 (NT/2K/XP) folder and should not normally figure in
Msconfig/Startup! This file is located in the Winnt or Windows folder"
I did a search for the file and it's in both WINDOWS and WINDOWS
\system32. the first one is 144kb, version 1.0.0.0 and was added a
couple days ago when I started having problems. The second file is 6kb
version 5.1.2600.2180 (xpsp_sp2) and I'm pretty sure it's the legit
one. At this point, what steps should I take?
I'm also having the same problems with services.exe and syshost.exe.
Services.exe has a copy in both folders, syshost is only in WINDOWS
folder. All three suspect files were created last week.
thanks for the help
(e-mail address removed)
following:
"This entry is not running from the System32 folder, so it is
probably nasty.
Possibly nasty! According to our database this process runs normally
in c:\windows\system32\! Check if you know this process and arrange a
viruscheck where required.This process is not running from the
System32 folder as it is supposed to be."
and:
"Must be fixed!Added by the CIADOOR-J TROJAN! Note - this is not the
legitimate csrss.exe process which is always located in the System (9x/
Me) or System32 (NT/2K/XP) folder and should not normally figure in
Msconfig/Startup! This file is located in the Winnt or Windows folder"
I did a search for the file and it's in both WINDOWS and WINDOWS
\system32. the first one is 144kb, version 1.0.0.0 and was added a
couple days ago when I started having problems. The second file is 6kb
version 5.1.2600.2180 (xpsp_sp2) and I'm pretty sure it's the legit
one. At this point, what steps should I take?
I'm also having the same problems with services.exe and syshost.exe.
Services.exe has a copy in both folders, syshost is only in WINDOWS
folder. All three suspect files were created last week.
thanks for the help
(e-mail address removed)