Cannot find 'C:WINDOWS\config\csrss.exe'

Status
Not open for further replies.

Martini

I was getting this message at start-up:
Windows cannot find 'C:WINDOWS\config\csrss.exe'

I started with a scan using Avira and found detections. I included the Avira log along with the others.
 

Attachments

  • AVSCAN-20090511-192805-A7B158CF.LOG
    20.9 KB · Views: 7
  • mbam-log-2009-05-11 (20-51-06).txt
    1.1 KB · Views: 5
  • SUPERAntiSpyware Scan Log - 05-11-2009 - 21-08-25.log
    465 bytes · Views: 5
  • hijackthis.log
    6.9 KB · Views: 6
Initial detection - gaobot - WINDOWS\config\csrss.exe

Re: Initial detection, Windows cannot find 'C:WINDOWS\config\csrss.exe'
see http://www.vub.ac.be/BFUCC/virus/gaobot.html

RE: AV scan…numerous issues related to P2P/Filesharing and/or Cracks/Warez/KeyGen/Piracy.


RE: HJT Running processes

C:\WINDOWS\System32\TUProgSt.exe - a component of the TuneUp software from TuneUp Software GmbH.
In addition to the file name, tuprogst.exe, the following version information is used to identify the file. If the file does not match this information, it may be a different file. To ensure the file is absolutely correct, run a free and comprehensive scan.

Vendor contains: TuneUp Software
Product contains: TuneUp Utilities
File name contains: \WINDOWS\system32
To view version information with Windows Explorer, right-click the file and click Properties, Version.
Appears to be legitimate… you will need to decide.

RE: HJT - R0 & R1
If you do not recognize the web site that either R0 or R1 is pointing to, and you want to change it, then you can have HijackThis safely fix these, as they will not be detrimental to your Internet Explorer install. If you would like to see what sites they are, you can go to the site, and if it's a lot of popups and links, you can almost always delete it. It is important to note that if an R0/R1 points to a file, and you fix the entry with HijackThis, HijackThis will not delete that particular file and you will have to do it manually.
 
RE: AV scan…numerous issues related to P2P/Filesharing and/or Cracks/Warez/KeyGen/Piracy. Please rescan with Avira and post new log, showing that these issues have been resolved.
Combofix
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
Link 3
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    [Image: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [Image: whatnext.png]


    Click on Yes, to continue scanning for malware.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Credits to Blind Dragon
 
I followed the instructions but the Microsoft Windows Recovery Console did not get installed properly. I also got a pop-up that files failed to download.

When I run HijackThis, I get the following error message (I think I got it the first time I ran it too):

Error details: An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid procedure call or argument
 

Attachments

  • log.txt
    29 KB · Views: 8
  • hijackthis.log
    6.9 KB · Views: 5
I am not trying to jump in ahead of Bobbye. Bobbye is among the best for this kind of help, and Bobbye stays pretty busy helping people.
I just saw it had been a couple of days, so I thought I would look at your logs,
to see if maybe there was an issue with which an inexperienced / untrained helper like myself might help.
Your combofix log shows Torrent directories, created within the last month. IF you have not done so, then...
From the Eight Steps...
Please also ensure you complete ALL steps in this thread, BEFORE you post the requested log files.
DO NOT SKIP ANY OF THE INSTRUCTIONS
If you have any problems following any of the instructions, please ask for assistance.

and
Uninstall File Sharing/P2P Programs

During the cleaning process all File Sharing Programs should be uninstalled
This is to avoid any possible reinfection by any malware through file sharing

We reserve the right to withdraw our support:


* If such programs are found in your logs
* Should you not agree to their removal.

As they are normally set to bypass your Firewall and Anti-Virus software
Filesharing/P2P Programs serve as a constant threat to your computer


Also, if any crack/keygen/warez or other evidence of piracy is found... the helpers are likely simply to withdraw.
I am not experienced at reading these logs.
So these should be understood as general foundational principles, rather than specific comments regarding your logs.
 
I uninstalled uTorrent and LimeWire before posting here. After seeing I had so much spyware, I decided to download Ubuntu. I attempted to use the Ubuntu disc I created to partition my drive and install it, but it wouldn't work. Some Googling revealed that I may have to create an Ubuntu alternate install CD and I had to download this in the form of a torrent, so I re-installed uTorrent. The installation was legit. I hope I'm not being left hanging because of this.
 
Original problem: "Windows cannot find 'C:WINDOWS\config\csrss.exe'"
Verify location:
The csrss.exe file is located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, Trojan or worm!

Combofix shows you are still using uTorrent and SlySoft. I am still uncertain of the extent of the cracks, keygens and pirated software.

Remove the cleaning tools:
To remove all of the tools used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

EDIT: Apparently the last 2 posts above were being done while I rechecked the logs. My reply still stands.
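
The "verify location" check from this thread, applied to a HijackThis-style log, as an added example that is not part of the original posts. The log excerpt is constructed (it is not the poster's attachment), and the process-name list, the `C:\WINDOWS` root and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: names of core Windows processes that should only run from System32.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Constructed HijackThis-style excerpt for the example.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\config\csrss.exe
C:\WINDOWS\System32\TUProgSt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\config\csrss.exe
O4 - HKLM\..\Run: [TuneUp] C:\WINDOWS\System32\TUProgSt.exe
"""

O4_RE = re.compile(r"^O4 - \S+: \[[^\]]*\] (?P<cmd>.+)$")   # autorun entries
EXE_RE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)          # drop quotes and arguments

def is_masquerade(command, windir=r"C:\WINDOWS"):
    """True when a system process name is used from outside <windir>\\System32."""
    m = EXE_RE.match(command.strip())
    if not m:
        return False
    folder, name = ntpath.split(m.group(1))
    if name.lower() not in SYSTEM_NAMES:
        return False
    expected = ntpath.normcase(ntpath.join(windir, "System32"))
    return ntpath.normcase(folder) != expected

def scan_log(text):
    """Return (kind, entry) pairs for suspicious running processes and autoruns."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if not line:
                in_procs = False          # a blank line ends the process list
            elif is_masquerade(line):
                findings.append(("process", line))
        else:
            m = O4_RE.match(line)
            if m and is_masquerade(m.group("cmd")):
                findings.append(("autorun", m.group("cmd")))
    return findings

if __name__ == "__main__":
    for kind, entry in scan_log(SAMPLE_LOG):
        print(kind, entry)
```

An autorun finding whose file no longer exists on disk is the kind of leftover entry that would produce a "Windows cannot find" message at start-up.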
 
I didn't realize anything was wrong with SlySoft products? Okay, I uninstalled uTorrent, the SlySoft product and used OTCleanIt.
 
The SlySoft apps are AnyDVD, CloneDVD, CloneDVD mobile, CloneCD:

AnyDVD is a Microsoft Windows driver allowing decryption of DVDs on-the-fly, as well as targeted removal of copy preventions and user operation prohibitions (UOPs). With an upgrade, it will also do the same for HD DVD and Blu-ray. The AnyDVD program runs in the background, making discs unrestricted and region-free. In addition to removing digital restrictions, AnyDVD will also defeat Macrovision analog copy prevention. Analog prevention distorts the video signal to prevent high quality copying from the output. AnyDVD is also able to remove copy-prevention from audio CDs.

Now you know.
 
The SlySoft apps are AnyDVD, CloneDVD, CloneDVD mobile, CloneCD:



Now you know.
No, I meant I didn't realize anything was wrong with SlySoft products as far as getting help here is concerned. The only thing that is mentioned as not being okay in the 8 Steps thread is file sharing programs due to them being a source of malware.

Why should you refuse to help me because of what you've selectively chosen isn't okay in your book? I have no moral issues with backing up my DVDs.

I have been compliant with your wishes so far except for installing uTorrent to obtain a legal copy of Ubuntu. I have then deleted it and also deleted the SlySoft product as you're not okay with it. Why are you not telling me if PC cleaning is finished or if I need to do something further?
 
I have been compliant with your wishes so far except for installing uTorrent to obtain a legal copy of Ubuntu.

I am a volunteer here, like everyone else. I choose not to continue. I have the right to do this.
 
I am a volunteer here, like everyone else. I choose not to continue. I have the right to do this.
Oh, I know you have the right; I wasn't talking about you breaking any laws or violating the Constitution. I'm talking about common courtesy. By participating here, you've effectively stopped anyone else from helping me. And for what? Because I used uTorrent to download Ubuntu? It honestly slipped my mind that having uTorrent installed was part of the agreement in the 8 Step thread.

My use of a SlySoft product was not in any violation of any rules, but you mentioned it as if I should have known that this was going to stop you from helping me.

So, I delete both the SlySoft product and uTorrent. You then tell me to use OTCleanIt by OldTimer. I do that and post back here. Do you post back with further instructions? No. You post back about what SlySoft products do. This makes no sense. Why tell me to use OTCleanIt and drop further support because I had used uTorrent and a SlySoft product earlier, but uninstalled them and after that you posted with advice about using OTCleanIt?

I'll PM a mod and see if I can get help from here on from someone else.
 