new virus in the last few days?

lmathews · October 28, 2005, 8:54pm

Anybody else run into a nasty little csrss.exe virus? I’ve had four machines now in two days that have this infection, and it’s been a real pain in the ass to get rid of - and so far, I haven’t been sane enough to figure out how I got it off the first two.

Tried stinger and AVG with mixed results, anyone got a better solution?

Matt555 · October 28, 2005, 9:04pm

I have csrss.exe currently running when I do CRTL+ALT+DEL on my rig, the thing is I can’t see the file-path of the executed file and can’t tell where it’s coming from, a google search brough up this

Addis · October 28, 2005, 9:27pm

It depends on were the program is located, if its in the Windows system32 folder then its *probably legitimate. So seeing that process isn’t a sign of infection.

StimpE · October 28, 2005, 9:55pm

Got it, and I figured out how to get rid of it.

download a process viewer, the one I used is here
go to /windows/system32/rpowaxdanz/
make sure you can view hidden files
in process viewer, right click on the csrss.exe and click Kill to terminate the process
delete the entire /rpowaxdanz/ folder.
open regedit, find and delete all entries of “rpowaxdanz”
reboot, problem solved.

Edit the “rpowaxdanz” folder can be created as anything, so navigate to the folder which the process viewer tells you to, and just follow the above steps.

Edit2 upon further investigation, it appears to be the “KELVIR.CP” worm, which sends itself through MSN and AIM, or so HouseCall tells me o.O

lmathews · October 28, 2005, 9:58pm

Awesome Lan, good catch

Matt555 · October 28, 2005, 10:37pm

Hmm mine is fine…phew…that Process program is good though, I downloaded another one that didn’t even recognise the csrss.exe process…

StimpE · October 28, 2005, 10:38pm

Yes I was quite impressed with it too

Impotence · October 28, 2005, 11:25pm

Great find, i often have problems trying to work out what a process is actuall doing (ie why is it running) so having this little tool in my collection wil help greatly!

Thanks lot

Willz · October 29, 2005, 11:51pm

csrss.exe ? are you sure thats a virus? i have it on my computer in processes, i thought it was somthing to do with counter strike source :s

what exatly does it do, if it does nothign but just sit there, i aint too botherd.

are you sure its a virus?

csrss.exe Windows process - What is it?

Matt555 · October 29, 2005, 11:57pm

It can be a virus but it depends where the process is running from…(file directory)

Willz · October 30, 2005, 12:01am

on my computer its running from C:/WINDOWS/SYSTEM32/CSRSS.EXE

Matt555 · October 30, 2005, 12:04am

http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/
csrss.exe Windows process - What is it?
Try them for an explanation, it should be alryt running from C:/WINDOWS/SYSTEM32/CSRSS.EXE

StimpE · October 30, 2005, 1:16am

if its from /system32/csrss.exe it should be fine.
if its being run from say /system32/bleh/csrss.exe, its bad news.