ctfmon.exe and/or csrss.exe infection?

February 14, 2011 at 19:20:59
Specs: Windows 7 64-bit

I've tried every search and internet solution possible, and I still haven't fixed the problem. I was able to run Spybot and Ad-Aware once, and then something prevented either of them from starting. HJT won't run anymore either. When I try to start these programs, they show up briefly in the task manager and then go away without loading anything else. I deleted all the malware each program found that first time. When I ran HJT, and deleted some files, they mostly kept coming back when I re-scan. The regedit fixes sprinkled around the internet do nothing. When I disconnect my computer from the internet and boot it into safe mode, the task manager shows csrss.exe and ctfmon.exe. I can end the ctfmon.exe process, but the csrss.exe forces my computer to shut down. No matter what I do in the task manager, those two processes come back every time I reboot. My internet searches are being redirected to bogus sites, my computer randomly blue screens and reboots, and it's just generally very sad times.

I'm running Windows 7 64-bit.

ETA: All programs only load for a second in task manager, and then disappear. I can load some things in explorer (like the manage accounts section in the control panel), but it won't let me do very much (like actually create another account). If I need to install a program, I'll have to do it by flash drive, and I guess I'll need instructions on how to clean the flash drive to make sure the virus doesn't transfer over to a good computer.
ETA: I downloaded SUPERAntiSpyware Portable Scanner at the suggestion of another forum, renamed it, and tried to run it in safe mode from USB -- to no avail. At this point, I don't think the virus/trojan/malware is just blocking scanner applications. I can't open most things, including Chrome. It's still the same thing, anything I open will briefly show up in the task manager and then disappear. After a quick trial, I found out I can still open notepad, but not Media Player Classic or winamp. Thanks for the suggestion, though.

February 14, 2011 at 23:14:21

You have a Rootkit among possible other viruses.

Let's see if we can get you cleaned up.

Download Rkill (which is a malicious process ender) and run a scan: http://download.bleepingcomputer.co... , after Rkill has finished running, please do not reboot, as this will cause the malware to respawn.

Secondly, download TDSSkiller from here: http://support.kaspersky.com/downlo...

Scan with that and reboot when prompted (If you cannot get TDSSkiller to run in normal mode, restart and run it in safe mode).

Let me know if that solves your redirect issues.

Also, rename both TDSSkiller/Rkill to something like car123.exe in order to avoid the programs from being disabled by the malware. When Rkill runs a black DOS box will pop up, and should say "Terminating known malware processes".

Helpful tips before getting started: http://www.computing.net/howtos/sho...

February 14, 2011 at 23:27:35

Thanks for your reply! Unfortunately, I can't get Rkill to run in normal or safe mode. It appeared in the processes section of the task manager like other programs, but never in the applications section. I renamed it random things as well as the name of processes already running. Nothing. :/

February 15, 2011 at 09:13:42

Were you able to get TDSSkiller to run at all?

Also both csrss.exe and csrss.exe are Microsoft Windows processes, but Trojans can and do use legit file names sometimes.

Have you tried using/installing the Registry fixes in Safe Mode?

February 15, 2011 at 22:22:43

Right, I've discovered that the two .exe files are legitimate processes that sometimes get used for bad purposes. I tried both merging and just double clicking to import several of the .reg files (for .exe, folder fixes, directory fixes, and drive fixes). All but the .exe successfully completed. The .exe gives me the following error: Cannot import. Not all data was successfully written to the registry. Some keys are open by the system or other processes. I still can't open anything, in safe mode or normal mode.

February 15, 2011 at 22:46:02

That's interesting. I would like to run Gmer, however, I see you're using a 64bit OS and not a 32bit. Do you have a blank CD available?

February 15, 2011 at 23:03:09

No, but I have a USB that I've been using Flash Disinfector on. I haven't been able to get a single program to run, but I will try Gmer if you think it might.

ETA: Nope, I can't run Gmer.

February 16, 2011 at 09:35:27

Yes, Gmer only runs on 32bit systems.

I would like you to try the Kaspersky Rescue Disk (the link I've provided offers a USB option): http://support.kaspersky.com/faq/?q...

February 16, 2011 at 19:46:28

Woohoo! It booted. The first thing it found was Trojan program: Exploit.Java.Agent.a, then Exploit.Java.CVE-2009-3867.a, Exploit.Java.Agent.bu, Trojan.Java.ClassLoader.aw, many other trojans with similar names (17 total), and, finally, a virus called Rootkit.Win32.TDSS.rr. It greys out the disinfection option, and only gives me the option to delete the archive.

February 16, 2011 at 22:55:35

Where is the file/archive located? (The TDSS.rr.) I'm only asking because I don't want to delete anything that may cause your system to not boot.

Life With Out
Geek Squad: Your blog for tips, info on viruses, and more!

February 17, 2011 at 14:37:24

I'm not sure where it's located. The Trojans give a path (they're under my user folder, appdata/locallow/sun/java/deployment/cache/), but that part is just blank for the virus.

ETA: Hm, I left my computer on so I could answer any replies you gave more quickly, and when I looked at it again it allowed me to just disinfect the virus. HOLY CRAP PROGRAMS RUN. The first thing I did was run Rkill, which terminated two processes: Windows\SysWOW64\infdefaultinstall.exe and \SysWOW63\runonce.exe. What do I need to do now to make sure I'm in the clear? I'm still disconnected from the internet, but it looks like I can run programs as usual.

February 18, 2011 at 19:22:11

Run CCleaner from here: http://www.piriform.com/ccleaner

As for your internet, go to Start > Run > type "Services.msc", and scroll down to make sure "Windows Wireless Zero Configuration" is enabled. If it is, and you still don't have internet, try resetting your Host file with HostXpert from here: http://forums.majorgeeks.com/showth...

If you still don't have a connection after that, you'll have to open up the command prompt and enter the following commands:

netsh winsock reset catalog (resets winsock entries)
netsh int ip reset reset.log hit (resets TCP/IP stack)

After entering the command, please reboot your PC and let me know if that fixes your connection issue.

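The two fixes this thread keeps coming back to (the .exe association .reg file and the hosts file reset) each restore one specific thing, and a practitioner will want to verify both before reconnecting the machine. The following read-only PowerShell checks are an added example, not something posted in the thread or shipped with any of the tools named in it; the registry paths and the allowed hosts-file addresses are assumptions described in the comments.

```powershell
# Added example (not from the thread): read-only checks for the two things the
# thread's fixes restore. Run from an elevated PowerShell prompt on the cleaned PC.

function Test-ExeAssociation {
    # A clean .exe association command is exactly "%1" %* ; the .exe fix .reg files
    # restore this value. Anything else (typically a path to another program) means
    # every launched .exe is being redirected, which matches "programs appear in
    # task manager for a second and vanish". Assumed locations: the machine-wide
    # key under HKLM and a per-user copy under HKCU that, if present, wins.
    $keys = @('HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
              'HKCU:\Software\Classes\exefile\shell\open\command')
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $cmd = (Get-ItemProperty -Path $k).'(default)'   # default value of the key
            if ($cmd -ne '"%1" %*') {
                Write-Output "SUSPICIOUS: $k = $cmd"
            } else {
                Write-Output "OK: $k = $cmd"
            }
        }
    }
}

function Test-HostsFile {
    # A default hosts file contains only comments. Any hostname mapped to an address
    # other than loopback is what produces "search results redirected to bogus sites";
    # 0.0.0.0 is allowed here because ad-blocking lists use it (assumption: the user
    # may have installed such a list on purpose).
    $hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $allowed = @('127.0.0.1', '::1', '0.0.0.0')
    Get-Content $hosts | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip trailing comments
        if ($line -eq '') { return }               # blank or comment-only line
        $parts = $line -split '\s+'                # address, then one or more names
        if ($allowed -notcontains $parts[0]) {
            Write-Output "SUSPICIOUS hosts entry: $line"
        }
    }
}

Test-ExeAssociation
Test-HostsFile
```

Any SUSPICIOUS line is a reason to re-apply the corresponding fix (the .exe .reg file or the hosts reset) and rescan before going back online.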
