Digit Technology Discussion Forum > Portables, Peripherals and Electronics > QnA (read only)
Old 06-09-2005, 07:00 PM   #1 (permalink)
Web Entrepreneur
Join Date: Aug 2004
Location: Bangalore
Posts: 584
Help me KILL this TROJAN...


My system is infected with Backdoor.Ciadoor. It's a Trojan... don't know how or when it came onto my computer... this morning when I opened Task Manager I found one extra entry for CSRSS.EXE... when I checked the location of this extra CSRSS.EXE process I found it was in C:\WINDOWS... I was sure this was some wrong stuff that had come onto my PC... I have Norton AntiVirus 2005 & Microsoft AntiSpyware and whenever I'm online I keep them on... and they worked very well... but this Backdoor.Ciadoor bypassed them and is still living in my C:\WINDOWS directory... NAV & Windows AntiSpyware are both not detecting it as a Trojan... This Trojan just tried to hijack my IE7, which was blocked by Windows AntiSpyware... It also tried to download an ugly spyware toolbar for IE...

I can manually delete this CSRSS.EXE in C:\WINDOWS, but every time I start it recreates itself again. I've checked all start-up entries and start-up services... and did all the removal exercises suggested by Symantec... on THIS PAGE... I uninstalled NAV2005 & installed McAfee AntiVirus... it also didn't detect it; even then I installed AVG... it also didn't... now and then I'm getting unwanted stuff on my PC... like unwanted toolbars & unwanted folders in my Program Files... this is getting ridiculous... Is it some *new/advanced* version of Backdoor.Ciadoor??

I'm stuck... y'all know I've got a *customized* desk which I love... this trojan thing is creating a lot of pain in the neck..... help me out...

I did all the REGEDIT stuff described in this page... ... and I didn't find any matching entry with that CSRSS.EXE located in the WINDOWS Directory... it's just 8KB in size... I just wanna KILL it forever....

Here's my HJT Logfile with that Trojan running..
Quote:
Logfile of HijackThis v1.99.1
Scan saved at 6:56, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Opera\opera.exe
C:\Program Files\TuneUp Utilities 2004\ProcessManager.exe
C:\Program Files\HijackThis\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://127.0.0.1:4664/&s=2-kkBWkRZE8Q6VbOeUH54S41R04
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?c3cc844c73894990811af8b49e953035
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?c3cc844c73894990811af8b49e953035
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{78020BCC-7D44-4DA6-9D73-67B41E2D4DC7}: NameServer = 202.138.103.100 202.138.96.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O21 - SSODL: System - {AF1E3716-71C7-4C2E-BF3D-106EED8B390B} - kmc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Asprtp0qsnsw - Unknown owner - C:\WINDOWS\system32\PowerCalc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
__________________
Live Chat with Doctors 24x7 on my site http://healthcaremagic.com
ShekharPalash is offline  

Old 06-09-2005, 07:15 PM   #2 (permalink)
Commander in Chief
Join Date: Jul 2005
Posts: 6,658

Well, CSRSS is this:
Process File: csrss or csrss.exe
Process Name: Microsoft Client/Server Runtime Server Subsystem

So it should not be closed at any time.
Also it is a Backdoor type of trojan by the name, so it must be difficult to remove.

So,
see what F-Secure has to say - http://www.f-secure.com/v-descs/ciadoor.shtml

This site tells of some removal tools - http://www.spywareguide.com/product_show.php?id=882

Well, as it is a system service, no tool from any antivirus company can remove it; best will be to follow the instructions carefully.

Disable your System Restore, else the virus will pop up again.

Also, if the file is present in the WinXP CD, just replace it via DOS and try; else, if the problem persists, do a repair installation.
That will help (repair).
__________________
Harsh J
www.harshj.com
QwertyManiac is offline  
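For the HijackThis log in the first post and the point in this reply that csrss.exe is a legitimate system process, here is an added triage script (not from the thread or any of the posters) that flags the kinds of entries worth a second look rather than a blind kill: a core Windows binary running from somewhere other than System32, a service with no owner information, and an SSODL entry whose DLL is missing. The sample log is a constructed excerpt modelled on the posted one, and the expected directories are an assumption for a default XP install on C:.

```python
import re
from pathlib import PureWindowsPath

# Directory each core Windows XP binary is expected to run from (assumption:
# default install on C:). The same name elsewhere, e.g. C:\WINDOWS\csrss.exe,
# is what the first post saw and is worth flagging, not killing.
EXPECTED_DIRS = {
    name: r"c:\windows\system32"
    for name in ("csrss.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe")
}

# Constructed excerpt modelled on the HijackThis log in the thread.
SAMPLE_LOG = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\csrss.exe
C:\\Program Files\\HijackThis\\HIJACKTHIS.EXE

O21 - SSODL: System - {AF1E3716-71C7-4C2E-BF3D-106EED8B390B} - kmc.dll (file missing)
O23 - Service: Asprtp0qsnsw - Unknown owner - C:\\WINDOWS\\system32\\PowerCalc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
"""


def triage_hjt(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):
            # Bare path under "Running processes:" -> a process image path.
            p = PureWindowsPath(line)
            name, parent = p.name.lower(), str(p.parent).lower()
            if name in EXPECTED_DIRS and parent != EXPECTED_DIRS[name]:
                findings.append((line, f"{name} running from {parent}, "
                                       f"expected {EXPECTED_DIRS[name]}"))
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            # "Unknown owner" only means no company in the version info;
            # a random-looking service name makes it a stronger lead.
            findings.append((line, "service with no owner information"))
        elif line.startswith("O21 - SSODL:") and "(file missing)" in line:
            findings.append((line, "shell load entry pointing at a missing DLL"))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run it against a full saved log to get a short list of entries to research before touching anything; a hit is a lead to verify, not a verdict.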
Old 06-09-2005, 09:37 PM   #3 (permalink)
Distinguished Member
Join Date: Mar 2005
Location: Pune
Posts: 3,783

What's Norton up to? It just identifies but fails to remove infections. A great brand, but a not-so-great product, if I may dare to say so, sir!

Run a good antivirus like Avast or BitDefender at boot time or in safe mode. Run Ad-Aware (it'll help) in safe mode. Else 'Ewido Security Suite' will help you. Then run CCleaner to clear your PC junk.

click http://www.auditmypc.com/process/csrss.asp
http://www.doxdesk.com/parasite/
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
Old 07-09-2005, 12:43 AM   #4 (permalink)
Human Spambot
Join Date: Mar 2004
Location: India
Posts: 2,033

Hi,
Download WinPFind and extract it to a folder. Then in safe mode, run WinPFind.exe and click "Start Scan". Save the log file it gives after the scan and post it here.

Also, while you are in safe mode, run HijackThis and fix this entry:-

O21 - SSODL: System - {AF1E3716-71C7-4C2E-BF3D-106EED8B390B} - kmc.dll (file missing)
__________________
http://swatrant.blogspot.com/
swatkat is offline  
Old 06-08-2008, 02:59 PM   #5 (permalink)
Web Junky 2.0
Join Date: Oct 2005
Location: Chennai, Cuttack
Posts: 121
Re: Help me KILL this TROJAN...

Whatever antivirus or spyware remover you use, the best way to remove it is at boot time. And another important factor is to update your antivirus at regular intervals. I suggest installing avast 4.8 and updating it, then having a boot time scan.
__________________
More reason to love orkut
Get Scraps, Testimonials and many more...
http://loveorkut.com/
debiprasad_sahoo is offline  
Old 06-08-2008, 03:21 PM   #6 (permalink)
dá ûnrêäl Kiñg
Join Date: Feb 2006
Location: kerala/calicut
Posts: 992
Re: Help me KILL this TROJAN...

^Wow, you just replied to a 3 year old thread....lolz
__________________
My Stomach pains:D:D
http://tinyurl.com/32jj4m
zyberboy is offline  
Old 06-08-2008, 03:43 PM   #7 (permalink)
Indidiot
Join Date: Dec 2007
Location: Rock Island
Posts: 1,416
Re: Help me KILL this TROJAN...

Well it sounded like a Marine Distress call straight out of Fallujah !
Plasma_Snake is offline  
Old 11-08-2008, 07:14 PM   #8 (permalink)
Web Junky 2.0
Join Date: Oct 2005
Location: Chennai, Cuttack
Posts: 121
Re: Help me KILL this TROJAN...

Quote:
Originally Posted by zyberboy View Post
^wow u just replied to a 3 year old thread....lolz
You are right. I didn't check the date while replying.
__________________
More reason to love orkut
Get Scraps, Testimonials and many more...
http://loveorkut.com/
debiprasad_sahoo is offline  
Old 11-08-2008, 09:52 PM   #9 (permalink)
Wandering In Tecno Land
Join Date: Feb 2005
Location: 127.0.0.1
Posts: 724
Re: Help me KILL this TROJAN...

^LoL
BTW, how the hell did you get to this thread?
__________________
Born in Windows Die In Linux © 2009-10 All Rights Reserved.
Learn Linux : www.linoob.com (Official WebSite)
Ecko is offline  
Old 11-08-2008, 10:51 PM   #10 (permalink)
In The Zone
Join Date: Feb 2007
Posts: 353
Re: Help me KILL this TROJAN...

Hi guys, I think the date "Scan saved at 6:56, on 9/6/2005" merely reflects the date on his computer, which might have been altered, and not the real date. Were Internet Explorer v7.0 and XP SP2 released in 2005? Internet Explorer 7 was released on October 18, 2006, so I believe this is a recent problem with a wrong date.
__________________
Want to study M.Sc in any medical subjects? Read this www.microrao.com/msc.htm
Microx, a diagnostic microbiology laboratory software application www.labmicrox.com
Sridhar_Rao is offline  
Old 11-08-2008, 10:56 PM   #11 (permalink)
Violent serenity.
Join Date: Jun 2008
Location: Six feet under.
Posts: 3,822
Re: Help me KILL this TROJAN...

What's going on here ?? People posting stuff in 3 year old threads. Lolz.
__________________
Registered pwner of theists, noobs, posers and emos.
Psychosocial is offline  
Old 12-08-2008, 01:58 AM   #12 (permalink)
Lets Do It!
Join Date: Feb 2007
Location: Dehradun
Posts: 928
Re: Help me KILL this TROJAN...

^^
Bumping for fun.
__________________
"Now you're looking for the secret... but you won't find it, because you don't really want to know. You want to be fooled."
amrawtanshx is offline  
Old 30-12-2008, 05:35 PM   #13 (permalink)
psp modifier
 
Join Date: Dec 2008
Location: ahmedabad
Posts: 25
Re: Help me KILL this TROJAN...

Simply install AVAST and schedule a BOOT TIME scan in it. Trust me, it's the best one.
silenthill84 is offline  