Troubles with.. virus, worm...whatever..
Nov 27 2008, 9:25 pm
By: Corbo  

Nov 27 2008, 9:25 pm Corbo Post #1

ALL PRAISE YOUR SUPREME LORD CORBO

So I am having troubles with a virus on Sofia.
I... honestly don't know what's wrong I just lagged waaaay too much today in the morning when I turned it on.
So I opened the task manager to see what was eating me up and I found myself to be spammed by this "Rundll32.exe". It created various copies of the same process and then it finished them and so on.. Every time I lagged was when it started a new one ... and that was 3 times per second.. lol.

Anyway, the thing is that right now I just turned on Sofia again and as it turns out.. It didn't start... I could log in to my windows account and everything but for some reason the desktop wouldn't load up (30 mins to load up is too much even for Vista, I guess). Now, this wasn't the first time that that happened so I knew what to do. I pressed ctrl + alt + del, cause for some reason that worked the first time, and then I manually started explorer.exe and it loaded up pretty quickly, even faster than when virus free (I actually thought it was pretty kewl).

The thing is that after starting I started lagging again so I went to look at the processes and there it was again. I was being spammed with Rundll32.exe.
I opened the directory where it is found and looked at the properties and scanned it and it looks fine, it's even a Microsoft component (or at least that's what it says).
So I just started looking at the processes and the one that was leeching the most resources was this guy called csrcs.exe (next to the other Windows stuff that I already know) and below this fella there was this Microsoft thingy called almost the same, csrss.exe. "Oh, what a coincidence", I thought.


Now, it will eventually ask for a sb4tuk.exe (or something like it) on an F:/ directory that I would assume is my USB stick. Since it's not plugged in right now I guess it has troubles accessing the file it needs, what a bummer for this guy :P
The thing is that I want Sofia to be virus free and scans won't detect this, I have tried the Norton crap that came with my HP and AVG and Spybot, hell, I even tried to go hardcore and manually delete it but it is kinda hiding.

I suspect that the source (more like I am pretty sure) was my university's computers, seeing how they actually ARE virus infected and everyone knows it.

halp plz?

EDIT: I just tried with Kaspersky and nothing. Going to dl NOD32 now.



fuck you all

Nov 27 2008, 9:31 pm Falkoner Post #2



Get Process Explorer, use it to find where the .exe of the program is, and any handles it is using, delete those, you may need to go into safe mode.



None.

Nov 27 2008, 9:38 pm Corbo Post #3

Tried, it didn't show up in the list.


Nov 27 2008, 11:00 pm Excalibur Post #4

The sword and the faith

If NOD32 can't nail it, you should consider a format my friend. NOD32 should be the final nail in any virus's coffin. If it isn't, try pairing NOD32 with Ad-Aware SE. If all else fails, I have had a record of only one time that they both failed, and I turned to SuperAntiSpyware, which nailed it.


Good hunting.




SEN Global Moderator and Resident Zealot
-------------------------
The sword and the faith.

:ex:
Sector 12
My stream, live PC building and tech discussion.

Nov 27 2008, 11:12 pm Falkoner Post #5



Are you quite certain that process is the virus? If it is, it should have shown up, even tasks hidden to task manager show up in Process Explorer.


Nov 28 2008, 11:40 am fatimid08 Post #6



Falkoner is on the right track, but you should also use Autoruns to kill any boot entries relating to it (anything with a weird name or that points to csrcs).

csrcs.exe is the offending file according to Google.

If you've managed to get all the boot entries and to kill enough of the virus with Process Explorer, it shouldn't come back on reboot and then you can delete the files without being prevented to do so.

If you still can't manage it, I suggest you look at this article. I found it very helpful.


Nov 28 2008, 2:08 pm Centreri Post #7

Relatively ancient and inactive

I use four virus-specific thingies: Adaware, SuperAntiSpyware (I wish they would rename it..), Avast and Malwarebytes. I think those should do it, but that Process Explorer looks nice too :P. I should try manual deletion sometime..

Post has been edited 2 time(s), last time on Nov 28 2008, 3:53 pm by Centreri.

Nov 28 2008, 2:38 pm Falkoner Post #8



Well, I just know how to manually delete, because when I was 9 we had some major infections, and I didn't know that there were free scanners and deleters out there, so I would track them down myself, it was a fun pastime on Sunday, now it's only useful if my other programs don't pick it up to begin with :P


Nov 28 2008, 6:15 pm fatimid08 Post #9



I tend to have bad luck with antivirus software, the rare times I actually get a virus (maybe once a year), the AV never picks it up, whichever I use (that includes Norton, McAfee, NOD32, F-Prot, trying out Avast on my new laptop now). So I do manual deletion.


Nov 28 2008, 6:32 pm WoAHorde Post #10



Rundll32.exe is a required application for the computer to work efficiently, but you should have only 1 or so running on the computer.


Nov 29 2008, 3:32 am Corbo Post #11

Ex, for the record:



:P


Nov 29 2008, 4:29 am Forsaken Archer Post #12



You mentioned csrss.exe :
http://www.neuber.com/taskmanager/process/csrss.exe.html

It's running on my computer as well, as it should be. ;o
And:
Quote
Rundll32.exe is a required application for the computer to work efficiently, but you should have only 1 or so running on the computer.
Not exactly sure if that's 100% true, but Rundll32 is a legit program.
http://www.neuber.com/taskmanager/process/rundll32.exe.html
I believe the problem is if Rundll32 loads a virus dll, and some people say that in their comments on that page.


Nov 29 2008, 5:42 am Corbo Post #13

I see. Interesting, I'll try it later when I wake up.


Nov 29 2008, 2:58 pm fatimid08 Post #14



Quote
I believe the problem is if Rundll32 loads a virus dll
Yes, that is the problem.

Quote
You mentioned csrss.exe ... It's running on my computer as well, as it should be.
The problem isn't that process, which is in fact a normal Windows process, but csrcs.exe, which is a virus. Do NOT touch csrss.exe.


Nov 29 2008, 4:12 pm Falkoner Post #15



Yeah, it's just trying to hide behind a similar name. I never got that... why can't they just use the same name?


Nov 29 2008, 5:50 pm fatimid08 Post #16



Hiding under the same name can have all sorts of consequences that aren't necessarily desirable even for viruses, especially keyloggers and botnet clients. Just look up dll hell in Google (or your favourite search engine).


Nov 30 2008, 4:15 am Conspiracy Post #17



It could have buried itself into that directory IP was talking about, so to the scanner it wouldn't look malicious, then the virus runs rundll32.exe to take up space on your computer's processes, therefore running you down...

Did you try disabling the csrcs.exe on run up using msconfig? That would stop the whole problem.

Also, IP, you looked up csrss, he also has csrcs. 2 viruses ftw.

No moar pr0n k?


Nov 30 2008, 4:23 am Corbo Post #18

I hunted it down. Now I can at least start windows without running explorer.exe manually.

I figured that it must have done something on start up but it didn't show up in any of the "startup modifier" programs I tried. So I went hunting and somehow I ended up in the registry deleting random crap (I hope I didn't delete anything important, though).
So the mean guy had edited the explorer.exe entry to not start up but instead run itself. Thus, in the startup programs thingy it appeared as if it was explorer.exe running on start up, but it was actually csrcs.exe.
I lol'd at the entry, though. Cause it was literally something like "explorer.exe csrcs.exe". It just added itself at the end of the line :lol:


Although I still get randomly spammed with rundll32.exe. And yes I do know it's a Windows process, I always knew it ;D, although I read that it could get infected with a virus and then try to load other dlls.

NO VIRUS BEATS CORBO, So I guess I'll finish cleaning up when I find the time, that is until after next week.

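As an added example that is not part of the thread, here is a small Python audit of autorun entries that automates the three checks the posters converge on: a Winlogon Shell value with something appended after explorer.exe (the "explorer.exe csrcs.exe" entry Corbo found), a process name one or two letters off a real Windows binary (csrcs vs csrss), and rundll32.exe being pointed at a DLL outside the Windows directory. The registry key names are the real Winlogon and Run locations, but the sample entries are constructed, and it is an assumption that the explorer.exe entry Corbo edited was the Winlogon Shell value.

```python
import re

# Legitimate Windows process names mentioned in the thread. csrss.exe is the real
# Client/Server Runtime Subsystem; csrcs.exe is the lookalike the virus used.
KNOWN_GOOD = {"explorer.exe", "csrss.exe", "rundll32.exe", "svchost.exe", "winlogon.exe"}

# Constructed sample of autorun entries, shaped like an Autoruns listing or a registry
# export: (registry key, value name, value data). First one mirrors the thread's entry.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     "explorer.exe csrcs.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"rundll32.exe C:\Users\user\AppData\Roaming\sample.dll,Start"),
]

def edit_distance(a, b):
    """Plain Levenshtein distance; one letter off (csrcs vs csrss) gives 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_names(data):
    """Every *.exe token in a command line, lower-cased and reduced to its basename."""
    return [m.group(0).lower().rsplit("\\", 1)[-1]
            for m in re.finditer(r"[\w\-.:\\]+\.exe", data, re.IGNORECASE)]

def audit(entries):
    """Return one finding string per suspicious autorun entry (empty list = clean)."""
    findings = []
    for key, name, data in entries:
        names = exe_names(data)
        # 1. Winlogon\Shell should be exactly explorer.exe; anything after it is extra.
        if key.endswith("Winlogon") and name == "Shell" and names[1:]:
            findings.append("Shell value also launches: " + ", ".join(names[1:]))
        # 2. A name one or two edits away from a real Windows binary, but not equal to it.
        for n in names:
            near = sorted(g for g in KNOWN_GOOD if n != g and edit_distance(n, g) <= 2)
            if near:
                findings.append(f"{n} looks like {near[0]} but is not ({name})")
        # 3. rundll32.exe told to load a DLL from outside the Windows directory.
        dll = re.search(r"rundll32\.exe\s+(\S+\.dll)", data, re.IGNORECASE)
        if dll and not dll.group(1).lower().startswith("c:\\windows\\"):
            findings.append("rundll32 loads a DLL outside the Windows dir: " + dll.group(1))
    return findings
```

On a live machine the same function can be fed the output of Autoruns or a `reg export` of the two keys; a clean Vista box yields an empty list.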
