trojan i've been hacked help!

[dormentnoobie]

error as follows:

    repeated popups leading towards registry cleaner at www. regfixit. com claiming i have registry problems

 

  when I go to process it highlights csrss. exe

  adaware doesn't fix it, what do i do? continous popups every 2 minutes, from what I can find it's not in my registry

  and it's hidden on my csrss. exe but I know this is a critical file and I don't know what to do also

  www. helpfixpc. com keeps on popping up

  Any help would be great!

  Love this site by the way so please help me out by posting any thoughts.

[VaKo]

Reinstall windows. Or ubuntu if your not attached to gaming or windows only apps.

[dormentnoobie]

Reinstall windows. Or ubuntu if your not attached to gaming or windows only apps.

do you happen to have any other suggestions?

[dormentnoobie]

update:

symantec picked up a tcp inbound attack "security alert created for default block backdoor/subseventrojanhorserule"

this occurred right after I started MIRC, I have yet to recieve any other errors post restarting my computer

but if this error is at all familiar to any of you lovely people at hak5.org please lemme know whatsup

k thanks for all your help I apperciate it!!!

[SomeoneE1se]

update:

symantec picked up a tcp inbound attack "security alert created for default block backdoor/subseventrojanhorserule"

this occurred right after I started MIRC, I have yet to recieve any other errors post restarting my computer

but if this error is at all familiar to any of you lovely people at hak5.org please lemme know whatsup

k thanks for all your help I apperciate it!!!

first off fuck symantec it sucks get http://www.kaspersky.com/ it's much better

second VaKo is right reinstall windows...  once you get infected that only way is to but the box down...

[take it take]

Try to kill off any processes running (obviously excluding the known Windows one), then try to remove the spyware/trojan from there.

[lunex]

repeated popups leading towards registry cleaner at www. regfixit. com claiming i have registry problems

I think I remember reading a messages like that when I was reading packets out of the storm using Ethereal. Once upon a time I used Ethereal to read some of the random packets that get thrown across the internet and I had seen some packets that resembled packets used by Windows Alerting Service, but such things should not be transmitted across the internet.

Only older operating systems would display those messages. New OSs generally come with adequate fire walling to prevent cheep exploits like this. An older OS like Win 95 or Win 98 that is connected directly to the internet would do exactly what you're describing.

The messages usually claim that a registry fix would make the messages go away. This may be true, but a better fix would be to get your machine updated to a more recent OS and set up a firewall. I suggest not going to any web site stated in one of those popups as that would open you up to even worse exploits.

If you are using anything older than Windows 2000, as I suspect, then I'd have to suggest getting an upgrade. In the case that you're running XP SP2 then ignore this message as XP SP2's defaults, with the affected service disabled and the associated port blocked, should make it impermeable to that exploit.

Oh, and don't delete csrss.exe or you may kill your machine.

[Sparda]

do you happen to have any other suggestions?

Kubuntu

[digip]

Reinstall might not be necessary. Try a restore to the oldest date possible before you had these problems. Then PATCH your pc, and rescan for virii. Also, make sure your MIRC is up to date and does not have any holes in the version your using. Stay away from custom mirc scripts for things like xdcc catchers. They almost always have back doors and bots in them.

What is running in task manager when you get these errors. csrss is a critical file, but if you see two of them, then one of them is bad. Boot in safe mode and search the windws folder for files that should only be in the sys folder. If csrss exists in your windows folder, then that can be deleted. It should only reside in windowssystem32. Also see if there are two smss.exe files. Do the same for this one as well and check your registry keys for start ups in the following locations:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

Also check services.msc and see if there are any new services that start automatically when your pc starts and disable anything new that is not there by one of your prgrams or windows. You will need to know a little about the services cpl but that is up to you to go through.

I only reinstall someones pc when I have no other options, but all software that gets put on, can be taken off. It's just a matter of knowing how to find it, what it is and how to remove it.

[Sparda]

Reinstall might not be necessary.

A reinstall is nessasery

[digip]

Reinstall might not be necessary.

A reinstall is nessasery

And you base this on what?

[Sparda]

There is definitely some form of malware on the computer.

[digip]

There is definitely some form of malware on the computer.

So remove it. IF he can't get it off, then go the route of reinstall, but why wipe out your pc for malware or virii.

It may be a pain in he ass to fix manually, but at least he will learn something in the process and possibly secure his pc from this happening again, even if he does reinstall, he should know what he got and how to prevent it so it does not happen again. Otherwise, he might end up with the same problem.

[Sparda]

So remove it.

You don't know when/if it's been removed.

[digip]

So remove it.

You don't know when/if it's been removed.

Then you shouln't own a pc. I have close to 80gig of files, some of which are clients files that need to be backed up. Reinstallign is not allways an option even if you wanted to. If the os was completely trashed, then boot a live cd and copy off what you need and then reinstall and reload your critical files, but one of them might still be infected, so your back at square one.

[Sparda]

Then you shouln't own a pc.

Why?

[VaKo]

My point is, if you in the position where your pc has been got a nasty on it and you need to ask for help fixing it, the safest way to handle this is to backup the data you need and reinstall windows. It doesn't mean a format, you just need to install windows over the top of the current install. If you want to piss about fixing it then go ahead, but it would be easier, faster and more efficient to start again and learn from your mistakes. AVG +  Kerio + a modicum of common sense and your fine.

[tanda333]

one: its eqsy to tell if his malware is stille there as it has definate symptoms....

two: with adaware, spybot S & D, ccleaner, and avg spyware and avg antivir (or any good anti virus) you should be fine so long as you run them regularily, these 5 will get about 95-100% of the crap outta your system, if syuptoms persist, then try restore to previous point, if that fails, THEN reinstall

anybody who says reinstall right off the bat is a noob or has nothing but an OS on thier hardrvie

[VaKo]

anybody who says reinstall right off the bat is a noob or has nothing but an OS on thier hardrvie

Everything on your hard drive will be fine, the windows installer can replace windows in situ, without touching anything else. Even if for some reason you have your OS and data on the same partition you won't lose it, you will just need to update windows and reinstall your applications. If your machine has been compromised, its best just to replace it with something you can trust again. Call me paranoid if you want, i'll accept that, but if you read what I've said n00b is far from the mark.

[SomeoneE1se]

So remove it.

You don't know when/if it's been removed.

Then you shouln't own a pc. I have close to 80gig of files, some of which are clients files that need to be backed up. Reinstallign is not allways an option even if you wanted to. If the os was completely trashed, then boot a live cd and copy off what you need and then reinstall and reload your critical files, but one of them might still be infected, so your back at square one.

every windows virus ishould be treated like necrotizing fasciitis [ http://en.wikipedia.org/wiki/Necrotizing_fasciitis ]  Rapid, aggressive medical treatment, specifically, antibiotic therapy and surgical debridement [ http://en.wikipedia.org/wiki/Debridement ], is imperative. Antibiotics may include penicillin, an aminoglycoside or third-generation cephalosporin, and clindamycin or metronidazole. Analgesics are employed for pain control. During surgical debridement, dead tissue is stripped away. After surgery, patients are rigorously monitored for continued infection, shock, or other complications. If available, hyperbaric oxygen therapy has also be used.[source http://www.healthatoz.com/healthatoz/Atoz/...ing_disease.jsp ]

[tanda333]

anybody who says reinstall right off the bat is a noob or has nothing but an OS on thier hardrvie

Everything on your hard drive will be fine, the windows installer can replace windows in situ, without touching anything else. Even if for some reason you have your OS and data on the same partition you won't lose it, you will just need to update windows and reinstall your applications. If your machine has been compromised, its best just to replace it with something you can trust again. Call me paranoid if you want, i'll accept that, but if you read what I've said n00b is far from the mark.

to be honest, yes you can reinstall windows over itself and not worry much, but it will cause some headaches, alot of headaches if you are unprepared and have a single partition, so im saying that anyone who suggests somone else do this right off the bat is a noob because we can know thier particular setup. and from experience i can say sometimes reinstalling windows in situ can be a cakewalk, sometimes it can be abitch and take a shitloard of time to get all your stuff up and running again, unlike a restore point or a good scrubbing.

just because its quick and easy for you, doesnt mean it will be the same for him/her

also, you lose (in XP) any access to any documents and settings folders for the first admin (root admin) as no other account can access it....

so it can be a very unforgiving move if you are not prepared.

also: seriously, ditch symantec.

[Sparda]

You can never trust an OS once it's been compromised. Don't leave all your stuff on a known to be compromised OS, you are even more likely to get owned one way or another. Reinstall that OS with known good uncomprimised media (i.e. not a Ubuntu image you got off the pirate bay) or a known good uncomprimised image, and system restore won't help you so don't even waste your time.

[moonlit]

1) Restoring using System Restore: Not an option, malware often inserts itself in to the backups.

2) Reinstalling Windows over itself: Not always an option, there is malware that can and will every exe file it comes in contact with. Reinstalling over Windows without first erasing the HDD and then running some program you thought was fine puts you right back to square one.

3) Formatting and reinstalling from scratch: The only sure way to eradicate malware in an OS install. If you do any less you potentially have problems.

I'm not going to sit here and argue the merits of knowing how to remove malware manually or tell anyone they shouldn't be using a computer if they can't do so because neither of those statements are relevant.

In a world of clever malware writers, mutating software, rootkits and a million other anti-detection possibilities you need to know exactly what's happening on your system. If that requires a full format/reinstall then so be it, it's better than having 700 pieces of malware you didn't know you had.

[VaKo]

Its only easy because I invested the time and effort to learn how to do it. As for NTFS permissions, you could just use a *nix disc or make sure to remove restrictive permissions before you reinstall. But in all honesty, I've done this 30-40 times and its never been an issue for me.

[digip]

anybody who says reinstall right off the bat is a noob or has nothing but an OS on thier hardrvie

Everything on your hard drive will be fine, the windows installer can replace windows in situ, without touching anything else. Even if for some reason you have your OS and data on the same partition you won't lose it, you will just need to update windows and reinstall your applications. If your machine has been compromised, its best just to replace it with something you can trust again. Call me paranoid if you want, i'll accept that, but if you read what I've said n00b is far from the mark.

So long as you move all important files out of your mydocs and off the desktop thread to somewhere in the root drive. I have seen windows wipe out these folders and all files in them and leave everything else in tact. Not sure why, or if it was something missed when going through the setup, but always make sure you backup your work first, even if not formatting your HD.