Answer» A while back I received a virus. Cleaned out the virus, but in the meantime it also removed part of my system32. Specifically, when the computer reboots I get the message: cannot find or load C:\WINDOWS\system32\eepjvoay\csrss.exe. My question is how can I get this back without having to REDO the entire comp. Please and thank you.

I think the infected file is being called from the registry. Do you have system restore possibilities?

I did have system restore, but for some reason it comes up as being turned off by group policy. Contact domain administrator. I have not been able to find it. It is not listed in my system on control panel. I run XP Home Edition and believe it was a worm or trojan that originally did this, and it is only when I first start up, but it seems as if certain programs cannot install properly or then uninstall.

Have a read here (but don't buy anything)
http://www.neuber.com/taskmanager/process/csrss.exe.html

I read thru and it does not look good for me. This occurs only after initial boot up. Both logons receive this message. This leads me to believe I might have to wipe the comp clean. I don't want to; like everyone else I have too much to try and back up.
Where can I go to find out how to get my system restore back, and could it be hidden, as one of the admin accounts is password protected?

Your computer can't find or run the C:\WINDOWS\system32\eepjvoay\csrss.exe file; it's probably not there. Have you looked for it there? Because it's not listed as being in the correct directory, it's probably a leftover startup call from a virus infection. Run a HijackThis log and see what is trying to start it, then get rid of the entry. Just don't get confused with the real csrss.exe in the system32 directory.

Okay, here is my HijackThis log. Not even sure what I am looking for. Thanks for all your help so far. There was lots more stuff but it would not let me post.
Oops, found it, but can I delete it?
F3 - REG:win.ini: load=C:\WINDOWS\system32\eepjvoay\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\eepjvoay\csrss.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:50:47 PM, on 21/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\WINDOWS\System32\rsvp.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
Quote: This leads me to believe I might have to wipe the comp clean. I don't want to; like everyone else I have too much to try and back up.

You should back important files up anyway on some sort of regular basis. All hard drives die. It's just a matter of when!

Quote:
F3 - REG:win.ini: load=C:\WINDOWS\system32\eepjvoay\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\eepjvoay\csrss.exe
Use HijackThis and mark them for removal.

Process File: csrss or csrss.exe
Process Name: Microsoft Client/Server Runtime Server Subsystem
Description: csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

Note: csrss.exe is also a process which is registered as the [email protected] worm, the W32.Webus Trojan, Win32.Ladex.a, [email protected] and more. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine, which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.

It is a registered security risk and should be removed immediately.

Determining whether this process is a virus or a Windows process depends on the directory location it executes or runs from.
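The directory check described above, applied to the HijackThis lines from this thread, as an added example that is not part of the original posts. The set of system process names and the C:\WINDOWS\system32 location are assumptions based on a default Windows XP install; the sample log is an excerpt of the log posted earlier.

```python
import ntpath
import re

# Assumption: on a default XP install these names run only from C:\WINDOWS\system32.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"

# HijackThis F3 lines report the legacy win.ini load= / run= autostart values.
F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.+)$", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

def is_masquerade(path):
    """True when the file name is a system process name but the folder is not System32."""
    norm = ntpath.normpath(path.strip()).lower()
    folder, name = ntpath.split(norm)
    return name in SYSTEM_NAMES and folder != SYSTEM_DIR

def review_log(text):
    """Return (kind, path, reason) for every log line worth a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = F3_RE.match(line)
        if m:
            kind, target = m.group(1).lower(), m.group(2)
            reason = ("system process name outside System32"
                      if is_masquerade(target) else "win.ini autostart entry")
            findings.append(("F3 " + kind, target, reason))
        elif PATH_RE.match(line) and is_masquerade(line):
            findings.append(("process", line, "system process name outside System32"))
    return findings

# Excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
F3 - REG:win.ini: load=C:\WINDOWS\system32\eepjvoay\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\eepjvoay\csrss.exe
"""

if __name__ == "__main__":
    for kind, target, reason in review_log(SAMPLE_LOG):
        print(f"{kind:8} {target}  -> {reason}")
```

Only the two F3 entries are reported; the genuine smss.exe, winlogon.exe and svchost.exe under System32 pass the check.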
Thanks a bunch, everyone. It worked, and now I can boot up and not get it. I will now CAREFULLY go thru the list Hijack gave me and try and get rid of more stuff.