27-May-05, 10:58 PM   #1
Nerdz (Sir Knight of Spamalot)
Join Date: Nov 2003
Location: Water-hoe-Bury, CT
Posts: 6,587

Not cool

On the assumption my comp is infected, I curiously hit CTRL-ALT-DELETE. I've gone through and researched some of the processes that were running.

Everything looked normal, except some processes I did recognize. I noticed my comp was using 100% CPU when booting, and I remember it hasn't used that much. Now let's look at what we have...


csrss.exe - Process Information

Process File: csrss or csrss.exe
Process Name: Microsoft Client/Server Runtime Server Subsystem

Description:
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated. Note: csrss.exe is also a process which is registered as the W32.Netsky.AB@mm worm, the W32.Webus Trojan, Win32.Ladex.a and more. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hope that you open its hostile attachment. The worm has its own SMTP engine, which means it gathers e-mails from your local computer and re-distributes itself. In the worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.




smss.exe - Process Information

Process File: smss or smss.exe
Process Name: Session Manager Subsystem

Description:
smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated. Note: smss.exe is also a process which is registered as the Win32.Ladex.a Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.


And there was one more I couldn't remember because it came up so quickly when I booted.


But I'm screwed, aren't I? I'm using AVG for free... =/ and oddly it hasn't seen these. I can't disable them using Task Manager, nor using msconfig.


I think it all started when I installed Java. All I wanted to do was an online scan, but no... I think Java did something to my comp also. I deleted it.


I'll try searching for those files, go into safe mode and delete them. If not, back up and format.


I wish I knew what file they came in though...


EDIT: I would also notice my comp would be using 100% CPU when I was just sitting there, doing nothing.

One question too: if a port is forwarded on my router, is it left open all the time, or is it only opened when requested? If so, how does the router know if it's a trojan and not the program?

BTW, I am not using a software firewall. I am using the router as a firewall. I was told I did not need one.

__________________
I still fold
"No amount of Experimentation can Prove Me right, It only takes one to prove me Wrong"-Albert Einstein

Last edited by Nerdz; 27-May-05 at 11:46 PM.
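The two process write-ups quoted above make the point that matters: malware borrows the names of core Windows processes (csrss.exe, smss.exe, lsass.exe) so that a glance at Task Manager shows nothing unusual. The name alone therefore proves nothing; what an impostor usually gets wrong is where the file lives and who signed it. The script below is an added example for this thread, not code from the original post or from any product mentioned in it. It lists every running process whose name is a core Windows process name, or a look-alike of one (the "I versus L" confusion that comes up later in the thread), and checks that the image sits in %SystemRoot%\System32 and carries a valid Microsoft signature. Assumptions: Windows 10 or later with Windows PowerShell 5.1 (so that catalog-signed System32 binaries report a valid signature), run from an elevated prompt; the list of system names and the homoglyph heuristic are the author's own, not an official list.

```powershell
# Added example (not from the original post). Flags processes that use, or
# imitate, a core Windows process name but do not look like the real binary.
# Assumptions: Windows 10+, Windows PowerShell 5.1, elevated prompt. Without
# elevation the image path of protected processes (csrss, smss) is not
# readable; that is reported as "unreadable", not treated as evidence.

function Get-LookalikeKey {
    param([string]$Name)
    # Collapse the homoglyphs malware names rely on: l / I / 1 and O / 0.
    # (Added heuristic; "isass" and "lsass" both collapse to "lsass".)
    ($Name.ToLowerInvariant() -replace '[i1]', 'l') -replace '0', 'o'
}

function Test-SystemProcessNames {
    # Core boot-time processes whose names are commonly borrowed (assumed list).
    $systemNames = 'smss', 'csrss', 'wininit', 'winlogon', 'services', 'lsass', 'svchost'
    $systemKeys  = $systemNames | ForEach-Object { Get-LookalikeKey $_ }
    $system32    = Join-Path $env:SystemRoot 'System32'

    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $base = [IO.Path]::GetFileNameWithoutExtension($p.Name).ToLowerInvariant()
        $key  = Get-LookalikeKey $base

        if ($systemNames -contains $base) {
            $kind = 'system name'
        }
        elseif ($systemKeys -contains $key) {
            $kind = 'LOOK-ALIKE of ' + $systemNames[[array]::IndexOf($systemKeys, $key)]
        }
        else {
            continue
        }

        $path = $p.ExecutablePath
        if (-not $path) {
            [pscustomobject]@{ ProcessId = $p.ProcessId; Name = $p.Name; Kind = $kind
                               Path = '<unreadable>'; Verdict = 'run elevated and re-check' }
            continue
        }

        # Real csrss/smss/lsass live in System32, never in a user profile or Temp.
        $dir        = [IO.Path]::GetDirectoryName($path).TrimEnd('\')
        $inSystem32 = $dir -eq $system32

        # System32 binaries are catalog-signed; Get-AuthenticodeSignature reports
        # those as Valid on Windows 10 / PowerShell 5.1.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $microsoftSigned = ($sig -and $sig.Status -eq 'Valid' -and
                            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

        $verdict = if ($kind -ne 'system name')    { 'SUSPECT: look-alike name' }
                   elseif (-not $inSystem32)       { 'SUSPECT: not in System32' }
                   elseif (-not $microsoftSigned)  { 'SUSPECT: no valid Microsoft signature' }
                   else                            { 'ok' }

        [pscustomobject]@{ ProcessId = $p.ProcessId; Name = $p.Name; Kind = $kind
                           Path = $path; Verdict = $verdict }
    }
}

Test-SystemProcessNames | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

Several csrss.exe entries are normal (one per logon session), and a second smss.exe that appears briefly during logon is also normal; what is not normal is any of these names with a path outside System32, a path that cannot be read while elevated, or a name that only looks right until you compare the letters. Anything marked SUSPECT is worth pulling the file off the machine for a scan before deciding between cleaning and a format.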
27-May-05, 11:00 PM   #2
Belgianwaffles (Apex Master Tech Apprentice)
Join Date: Mar 2005
Location: Salina, Kansas
Posts: 215

sounds like it's time to reformat
27-May-05, 11:05 PM   #3
Nerdz (Sir Knight of Spamalot)
Join Date: Nov 2003
Location: Water-hoe-Bury, CT
Posts: 6,587

Also, when I started up, my comp made noises... weird ones, like a tone though... a song...
27-May-05, 11:20 PM   #4
j-dogg (Mystical Schwinn Guru)
Join Date: Jul 2003
Location: West Melbourne, Fl-HOE-rida
Posts: 8,870

Hit it with some HijackThis!, had the EXACT same problem. It's a free download; look in the Essential Freeware Listing! thread.

I think the other one is Lsass.exe.
27-May-05, 11:24 PM   #5
Nerdz (Sir Knight of Spamalot)
Join Date: Nov 2003
Location: Water-hoe-Bury, CT
Posts: 6,587

Oops, yeah, I thought that was an I, not an L.
27-May-05, 11:33 PM   #6
Nerdz (Sir Knight of Spamalot)
Join Date: Nov 2003
Location: Water-hoe-Bury, CT
Posts: 6,587

Here's the log file... what am I looking for?

Attached file: hijackthis.txt (7.0 KB, 20 views)
28-May-05, 12:00 AM   #7
jhoop2002 (Apex Tech Maniac Supreme)
Join Date: Nov 2002
Location: duh, pimprig.com
Posts: 988

Well, first off, you can never have too much security, and the fact that you got a virus is proof. I think that when you use port forwarding it is open all the time, not just when requested. I wouldn't use it, but I don't know what you need it for.

Also, I don't think any home router can tell what type of activity, actual program or virus, is going on; I know some commercial products from HP and Cisco can with their virus throttling technology. One of the approaches I like to take towards security is to only enable what you need and leave everything else closed off.
__________________
Abit NF7-S
Athlon XP2400+
Gainward Gefore 4 Ti4600
1 Gig Corsair XMS3200
28-May-05, 12:05 AM   #8
j-dogg (Mystical Schwinn Guru)
Join Date: Jul 2003
Location: West Melbourne, Fl-HOE-rida
Posts: 8,870

Quote:
Originally Posted by jhoop2002
I wouldn't use it, but i don't know what you need it for.

Server applications, especially Counter-Strike and Half-Life. They use ports 27015 and 27016.
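The port-forwarding exchange above is worth pinning down, because both halves of the answer are right: a forward is a static rule, so the router sends anything arriving on that outside port to the PC whether or not the game server is running, and it has no way of knowing which program on the PC answers. The only thing under your control is what is bound to that port. The script below is an added example, not code from any of the posts; it shows what is actually listening on the forwarded ports right now, which executable owns each socket, and whether that is the program you meant to expose. Assumptions: Windows 8 or later (the NetTCPIP module's Get-NetTCPConnection and Get-NetUDPEndpoint), an elevated prompt so the owning process resolves for every PID, the ports 27015 and 27016 from the thread, and hlds.exe as the expected Half-Life dedicated server binary (an assumed name; set it to whatever you actually run).

```powershell
# Added example (not from the original posts). Shows which program is bound to
# each forwarded port, so a forward meant for the game server never quietly
# serves something else. Assumptions: Windows 8+, elevated prompt; the port
# list and the expected executable name are parameters, not facts from the thread.

function Get-ForwardedPortOwners {
    param(
        [int[]]$Ports = @(27015, 27016),   # ports forwarded on the router
        [string]$ExpectedExe = 'hlds.exe'  # assumed server binary name
    )

    # Collect TCP listeners and UDP endpoints on the forwarded ports.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
           Where-Object { $Ports -contains $_.LocalPort } |
           ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort
                                               Addr = $_.LocalAddress; OwnerPid = $_.OwningProcess } }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
           Where-Object { $Ports -contains $_.LocalPort } |
           ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort
                                               Addr = $_.LocalAddress; OwnerPid = $_.OwningProcess } }
    $bound = @($tcp) + @($udp)

    foreach ($port in $Ports) {
        $hits = $bound | Where-Object Port -eq $port
        if (-not $hits) {
            # The router still forwards to this port; with nothing bound, inbound
            # packets are simply refused or dropped by the PC.
            [pscustomobject]@{ Port = $port; Proto = '-'; Addr = '-'; OwnerPid = '-'
                               Image = '<nothing listening>'; Verdict = 'forward active, no service' }
            continue
        }
        foreach ($h in $hits) {
            $proc  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($h.OwnerPid)"
            $image = if ($proc -and $proc.ExecutablePath) { $proc.ExecutablePath } else { '<unreadable>' }
            $verdict = if ([IO.Path]::GetFileName($image) -eq $ExpectedExe) { 'ok: expected server' }
                       else { 'CHECK: unexpected program on a forwarded port' }
            [pscustomobject]@{ Port = $port; Proto = $h.Proto; Addr = $h.Addr; OwnerPid = $h.OwnerPid
                               Image = $image; Verdict = $verdict }
        }
    }
}

Get-ForwardedPortOwners | Format-Table -AutoSize
```

Run it once with the server up and once with it down: the forward does not change between the two runs, only the program behind it does. That is the practical answer to the question in post #1: the router keeps the door open, the PC decides who answers, so the port should be forwarded only while the server is meant to be reachable, and a listener on a forwarded port that is not the server is exactly the thing to investigate.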