[personal profile] karohemd
We are stuck here at work with an exe that sucks processing time, shuts down the internet connection and slows down everything.

They identified the culprit as a file called "csrsss.exe" (note three s) that sits in the Winnt/system32 folder and runs a process with the same name.

It's a nasty thing that probably sits somewhere in the network and is resurrected every time it's deleted from the folder and the registry.

Anyone familiar with it and able to suggest a remedy? Sophos doesn't recognize it (yet).

Date: 27/4/04 12:55 pm (UTC)
From: [identity profile] ffutures.livejournal.com
This sounds like a piece of spyware I came across recently, except I think the name is different (and that program didn't shut off the internet connection); I had to shut off automatic restore (from system properties) before deleting it, then run a cold boot a couple of times before switching automatic restore on again. It sounds like it may be propagating through the network though, which will doubtless make things more complicated.

Try running Lavasoft's Ad-Aware first, that deals with some of this stuff but isn't quite so drastic. If that doesn't work try

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

which gets rid of the particular program I had trouble with and some of its variants.

Date: 27/4/04 07:30 pm (UTC)
From: [identity profile] karohemd.livejournal.com
Hm, I've heard bad things about Automatic Restore and that one shouldn't use it but that's beside the point.

This thing seems to be very new and no virus checker or adware/spyware checker was able to find it. We searched all over in various forums and websites. A Google search came up with three hits, all from people posting about problems with it.

Way OT

Date: 27/4/04 03:43 pm (UTC)
From: [identity profile] zenmeisterin.livejournal.com
This friday - HardDrive. You still wishing to go? If so, who are you bringing and where the heck is it?

Re: Way OT

Date: 27/4/04 04:39 pm (UTC)
From: [identity profile] karohemd.livejournal.com
Yes, I'm still up for it, as I really need an outlet for my frustration this week. ;o)
I was thinking of asking Robin if he wants to come along, otherwise nobody.

It's at the Carling Academy Islington.
http://www.clubharddrive.co.uk for more info.

Re: Way OT

Date: 27/4/04 05:32 pm (UTC)
From: [identity profile] zenmeisterin.livejournal.com
OK cool. I'll have a mate with me too. If you come around to Evil beforehand then we can get to the place easily enough with a bus then Northern Line. Getting back will be doable as well because there's a nightbus from that end of the world to Waterloo.

I'll pimp it on my LJ.

Re: Way OT

Date: 27/4/04 06:26 pm (UTC)
From: [identity profile] karohemd.livejournal.com
Excellent.
And if there's four of us, a taxi won't break the bank, either.
I will definitely come to Evil first to drop my bag of night. Work permitting, I'm going to take the 19:45 train, so I should be at Evil around 9?

Date: 27/4/04 07:11 pm (UTC)
From: [identity profile] martyrssmile.livejournal.com
CSRSSS.Exe or CSRSS.exe

Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times.
Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

However it has been targeted for modification by some viruses and spyware as I understand such.

Date: 27/4/04 07:22 pm (UTC)
From: [identity profile] karohemd.livejournal.com
Three s. I even pointed it out in the original post.

I finally managed to get rid of it after it reappearing time and again but it most likely still lurks on the network somewhere. Let's hope the sysop gets it fixed. I basically lost half a day's work, while being on a tight deadline...

Date: 28/4/04 12:20 am (UTC)
From: [identity profile] martyrssmile.livejournal.com
three s. I even pointed it out in the original post.

Was hoping it had been a miscommunication of some sort. Cause otherwise boggled.

Good luck with eradicating the bastard from the network. We still have a few things like that on our work network they haven't been able to get rid of in 2 years.

Date: 28/4/04 01:05 pm (UTC)
From: [identity profile] karohemd.livejournal.com
It seems to be mostly removed now.
Thanks for trying to help, anyway.
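
The file in this thread, csrsss.exe, differs from the legitimate csrss.exe by a single letter, which is why it was easy to misread. As an added example (not code from anyone in the thread), the Python sketch below flags process image names that sit within a small edit distance of a known system binary, or that use a real system name from an unexpected folder. The name list, the trusted folders, the distance threshold and the sample paths are all assumptions made for illustration.

```python
import ntpath

# Assumption: a short list of Windows system image names to protect.
KNOWN_SYSTEM = {"csrss.exe", "lsass.exe", "services.exe",
                "smss.exe", "svchost.exe", "winlogon.exe"}
# Assumption: the only directories those images should run from (lower-case).
TRUSTED_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(image_path, max_distance=2):
    """Return (verdict, system_name) for one process image path."""
    directory, name = ntpath.split(ntpath.normpath(image_path).lower())
    if name in KNOWN_SYSTEM:
        verdict = "ok" if directory in TRUSTED_DIRS else "known-name-wrong-path"
        return (verdict, name)
    # Closest protected name; ties broken alphabetically for stable output.
    nearest = min(KNOWN_SYSTEM, key=lambda real: (edit_distance(name, real), real))
    if edit_distance(name, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unrelated", None)


def scan(paths):
    """Return (path, verdict, system_name) for every path worth a look."""
    results = [(p, *classify(p)) for p in paths]
    return [r for r in results if r[1] in ("lookalike", "known-name-wrong-path")]


# Constructed sample process list, not taken from the thread's machines.
SAMPLE = [r"C:\WINNT\system32\csrss.exe", r"C:\WINNT\system32\csrsss.exe",
          r"C:\Temp\svchost.exe", "C:/WINNT/system32/notepad.exe"]

if __name__ == "__main__":
    for path, verdict, real in scan(SAMPLE):
        print(f"{verdict:22} {path}  (resembles {real})")
```

A hit is only a lead for triage: a name-based check like this says nothing about how the file keeps coming back, which is the part the thread never resolves.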
