
Help needed - csrss.exe winlogin.exe shows no description no username in task manager



I've nothing to tell you regarding infection or malware, up to now logs are clean. All we have seen is nominal potentially unwanted items, nothing major. The majority of "free to use" software will come bundled with unwanted extras, that is how the developers of such free software make their money.

 

Such unwanted baggage may not be malicious per se, it may however monitor and give information regarding what you do online, there may also be advertizing popups etc. Such baggage can also be exploited if the website itself is poisoned...

 

When free software is d/l always check that it also has an "advanced" install option as well as the default option, with the advanced option it is usually possible to untick options for unwanted baggage. Always read the EULA if offered, that can indicate some unsavory actions.

 

The two entries you mention from taskmanager are ok, nothing to worry about. If you right click on each entry then select "open file location" that will show where it runs from (System32 folder)

 

Regarding Security, this is my personal set up for Windows 7:

 

Windows own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection.

 

As an extra layer I also use WinPatrol, the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

 

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open select these keys together :- Ctrl - Shift - A that will access Addons manager, this gives access to find addons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/ makes it easy to understand....

 

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

 

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

 

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

 

Understanding WinPatrol - http://www.winpatrol.com/features.html

 

I also use the Professional version of Sandboxie, I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!

 

I have also just started using CryptoGuard by Hitman Pro, once installed it will protect all Browsers against crypto ransomware infections, is also free. Go to following link for instructions, it will work with the set up I describe above..

 

http://www.surfright.nl/en/alert/cryptoguard

 

Let me know if there are any remaining issues or concerns, if none we can clean up...

 

Kevin

Link to post
Share on other sites

This issue is that when I right click on each entry then select "open file location", nothing happens (that I can see), even when I tried doing this logged in on the admin account. Manually going to System32 folder, I do see these two exe files located there, however. Would this behavior indicate malware or some other sort of infection of major concern?

 

Is my system okay now for me to continue with core program installation? Would you recommend to continue to do this on the standard user account (and only give UAC permission when requested and for programs I know are safe)? Or should I be installing programs from the admin account? As the logs show, I've only installed a handful.

 

FYI: I just realized that through this whole process, I wasn't checking to see if any of the steps taken had any effect on these two task manager items. Also, I was using the infected laptop to access this forum to upload the logs etc. Additionally, my POP3 emails continued to be downloaded into Outlook and I did download 2 Word documents that were attached to an email from a friend....hmmm, Kaspersky was still not reinstalled (only Windows Defender and Firewall were on) - all this was before running FSS again. So was this last log "clean" and that none of the above didn't re-infect my system?

 

Secondly, are the HDDs now considered 'clean'? I will definitely check into Panda USB vaccine.

 

Thank you for explaining on cautiously using freeware - I've been doing those particular steps and checking through the EULA in case there are default check boxes embedded within. Foxit and FreeFileSync links came from similar forum as this and I was further advised to change the name of downloaded executable to .disable as extra precaution to prevent it from running automatically.

 

Greatly appreciate your sharing your system's security and browser protection - I had started using noscript after having signs of infections on laptop running XP....I haven't used Flash Block but also haven't installed Adobe Flash either (to see tutorial videos on this forum and similar ones, would VLC be sufficient or do I need to install Adobe Flash then disable after watching the videos?)

Link to post
Share on other sites

I do not see anything wrong with your system, the screenshots you post for taskmanager is a non admin account, can you select "show processes from all users" in taskmanager. What do you see now?

 

Regarding installation of programs, the majority will need admin status anyway, it is beneficial to install from an admin account and give access to other users as deem suitable.

 

The external HD`s did not show any infections or malware in ESET log. If they are to be used on a new set up maybe the best option is to wipe them first with a tool such as DBan (Darik`s Boot and Nuke) or similar.

 

VLC Player contains pretty much all the codecs you'll be likely to need in order to play the vast majority of media files, it can also play flash encoded videos with .flv extensions. Many games, animations, and other media content on the internet are presented in flash form. Unless you have downloaded flashplayer, you won't be able to view them. A prime example is Youtube, flash is needed to watch such videos....

 

Can you run FSS one more time, please use an Admin account this time. Post that log when ready..

Link to post
Share on other sites

Here are two snips of the task manager processes tab on non-admin account with "show processes from all users" selected; SYSTEM is now shown as username and there is a description but the right-click selection to open file location still does nothing. However, when log on admin account, then it does take me to the SYSTEM32 folder.

 

Also attached is the log of FSS run on admin account with LAN ethernet plugged in.

 

Sorry but I need more detailed instructions as how to "give access to other users as deem suitable" after installing programs on admin account. I felt that it was safer to install on the standard account as this is the user I'd be using most of the time and will only log on to admin for diagnostic work (versus using programs to do work) so had only installed Macrium and the drivers under the admin account (if my memory serves me right) and installed the remainder of programs so far as standard user. (Is there a way and a place (within the registry?) to check under which user a program was installed?)

 

I had planned to add shortcuts to the installed programs to a folder in the Public Documents for the admin account be able to access those shortcuts and I can run the programs from there as needed. But Windows 7 seems to segregate each account despite the higher level of permissions on admin accounts (versus In XP, the admin account has access to all users' accounts data.) This line of thinking does not seem to work as I have found just now - I had downloaded all the programs you listed to a folder on the desktop and to run FSS on the admin account, I thought I just needed to put a shortcut of that program in the public folder, which should be accessible to all users on this laptop. But after logging on the admin account, I could not run FSS through that shortcut....finally had to copy the program itself to the public folder. Why did this not work?

 

As for the external HDDs, I cannot wipe them since they hold all the backups of my main work data. I will use Panda USB vaccine (on both the laptop and the HDDs, right and not just the HDDs?)

 

Is there a small and simple flashplayer program other than AdobeFlash? or is that program safe enough and to just enable only when I want to see a particular video? ---Many thanks!


FSS - as admin.txt

Link to post
Share on other sites

Applications such as FSS do not work for multiple users through a shortcut, tools like this are specialist tools and really need to be run through an administrator account so it has full access to your system. If you look at the logs from a non-admin account and an admin account you can see the difference.

Taskmanager shows similar differences between different accounts, access permissions increase via an admin account as opposed to a basic user account.

 

Look at the two following links, they will cover what information you need regarding user account and differences.

 

http://windows.microsoft.com/en-gb/windows/what-is-user-account-control#1TC=windows-7

 

http://windows.microsoft.com/en-gb/windows/security-privacy-accounts-help#security-privacy-accounts-help=windows-7&v0h=win8tab1&v1h=win8tab1&v2h=win7tab1&v3h=winvistatab1

 

Regarding Adobe Flash, I do not use any other substitute myself and see no reason why I should. Flash player is only used inside a browser such as IE or Firefox. VLC is used for media outside of browsers...

Maybe you can try Google Chrome as a browser, I believe that uses its own  flash player (pepper flash) as opposed to adobe flash.....

 

Panda USB vaccine is installed to your Laptop, if that is your main system. The external HD`s are vaccinated when plugged in and used via the laptop. The following quote is from the Panda website regarding the tool and its uses:

 

 

There is an increasing amount of malware which, like the dangerous Conficker worm, spreads via removable devices and drives such as memory sticks, MP3 players, digital cameras, etc. To do this, these malicious codes modify the AutoRun file on these devices.

 

Panda USB Vaccine is a free solution designed to protect against this threat. It offers a double layer of preventive protection, allowing users to disable the AutoRun feature on computers as well as on USB drives and other devices:

Vaccine for computers: This is a ‘vaccine' for computers to prevent any AutoRun file from running, regardless of whether the device (memory stick, CD, etc.) is infected or not.

Vaccine for USB devices: This is a ‘vaccine' for removable USB devices, preventing the AutoRun file from becoming a source of infection. The tool disables this file so it cannot be read, modified or replaced by malicious code.

This is a very useful tool as there is no simple way of disabling the AutoRun feature in Windows. This provides users with a simple way of disabling this feature, offering a high degree of protection against infections from removable drives and devices.

 

 

Back to your own system, run the following tool to clean up tools we have used, it will also make a full registry back up, reset system restore, UAC, and basic system functions.

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if there are any remaining issues or concerns regarding malware/infection,

 

Kevin

Link to post
Share on other sites

Uh oh....when I downloaded the programs for this process, it was on a non-admin account but ran it as administrator whenever prompted for it or as instructed to right-click. Hope doing it that way still had the tests vet out all possible malware or viruses!

 

Ok...onto downloading the clean up tools and running them.

 

As for the USBVaccine, I haven't plugged in either of external HDDs as yet but have marked 'vaccine computer' for now.

 

Thank you for all your help and I'll check the links provided to hopefully ensure no infection. What would be good indication on the log to show that all is well?

Link to post
Share on other sites

Yes, Delfix completed ok and I've installed MSE for now since Kaspersky 2014 add-ons are no longer compatible with current Firefox version. In addition to uninstalling ESET, should I also delete all the exe files downloaded to run those tests - no need to keep for future use? They are still in the folder on the desktop - I'll archive the log files for now.

 

I had chosen to use Ixquick search engine instead of google but briefly saw one of the tests deleted something associated with firefox.- what was wrong with this? could you explain the possible unwanted items so I know which ones I had installed that made the laptop more vulnerable?

 

Firefox bookmark toolbar keeps getting "invisible" even with the choice checked - I'd have to uncheck and re-check for it to be visible and my Ixquick homepage doesn't get loaded anymore. How do I go about fixing this?

 

I plan to use USBVaccine on the laptop and on my two external HDDs but what about when I plug in someone else's flash drive or USB HDD - should I vaccinate all devices by default or already vaccinating my laptop would be enough to protect me - as I don't want to cause permanent effect to legitimate autorun programs on others' devices?

 

By the way, for some reason, some of the tools you had me download showed up as having "malware, trojans", or "suspicious" etc when scanned with VirusTotal or Anubis....similarly with the FreeFileSync program recommended by similar forum as this.

Link to post
Share on other sites

Also, could you explain more about these deleted items (ESET log)?

 

G:\autorun.inf    Win32/AutoRun.ZB worm    cleaned by deleting - quarantined

H:\autorun.inf    Win32/AutoRun.ZB worm    cleaned by deleting - quarantined

 

Is it possible to know whether it was due to which program, or in particular the program FoxitReader620.0429_enu_Setup.exe, (which again came from link given on reputable forum)?

Link to post
Share on other sites

Win32 autorun infection is a type of malicious worm that spreads via removable USB media. It manipulates the autorun feature of Windows to install its payload to wherever the media is plugged in and used. That is the main reason Panda Vaccine is highly recommended....

 

It is difficult to say exactly how/where the infection was picked up originally.

 

As I previously stated any FREE software can come with unwanted baggage, never use the default install option, always choose an advanced option if provided, untick any/all extras. Where the program is offered and links used makes no difference. A prime example is Avast free AV program, that is recommended by many places, unfortunately the free version comes loaded with ASK and its toolbar.....

 

Kevin

Link to post
Share on other sites
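
Added example (not part of the original thread): a read-only audit of `autorun.inf` files, the mechanism the reply above describes. It lists the `[autorun]` entries that make Windows launch a program (`open`, `shellexecute`, `shell\<verb>\command`); the sample file contents and the name `placeholder.exe` are constructed for illustration, and a file that cannot be read (as on a vaccinated drive) is reported as `None`.

```python
import os
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command


def launch_directives(text):
    """Return (key, value) pairs from [autorun] that would start a program."""
    found = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()  # keys are case-insensitive
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            found.append((key, value.strip()))
    return found


def audit_roots(roots):
    """Map each autorun.inf found in the given drive roots to its launch
    directives, or to None if the file exists but cannot be read."""
    report = {}
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in os.listdir(root):
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    report[path] = launch_directives(fh.read())
            except OSError:
                report[path] = None  # present but unreadable or not a file
    return report


# Constructed samples, not taken from the thread's logs.
BENIGN_SAMPLE = "[autorun]\nlabel=Backup Drive\nicon=drive.ico\n"
SUSPECT_SAMPLE = (
    "; junk padding line\n"
    "[AutoRun]\n"
    "OPEN=placeholder.exe\n"
    "shell\\explore\\command = placeholder.exe\n"
    "label=Removable Disk\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, launch_directives(sample))
```

To check real drives, pass their roots, for example `audit_roots(["G:\\", "H:\\"])`; an empty list for a file means it only sets cosmetic values such as a label or icon.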

Thank you for all the help to clear up the issues on my laptop and external HDDs....I'd appreciate if you could comment on the last few questions posted earlier before considering this thread as 'solved':

 

should I also delete all the exe files downloaded to run those tests - no need to keep for future use?

 

I had chosen to use Ixquick search engine instead of google but briefly saw one of the tests deleted something associated with firefox.- what was wrong with this? could you explain the possible unwanted items so I know which ones I had installed that made the laptop more vulnerable?

 

what about when I plug in someone else's flash drive or USB HDD - should I vaccinate all devices by default or already vaccinating my laptop would be enough to protect me - as I don't want to cause permanent effect to legitimate autorun programs on others' devices?

Link to post
Share on other sites

 

I'd appreciate if you could comment on the last few questions posted earlier before considering this thread as 'solved':

Tell me the questions again, i`ll answer if I can....

 

Next,

 

Yes to question related to exe files we`ve used, delete any that remain...

 

Next,

 

Ixquick is also known to come with an unwanted toolbar, maybe that is why AdwCleaner removed the entries, it will use a "Black List" during scan function, possibly the name was enough to action a deletion during the clean option. If you trust Ixquick just reinstall it, is no big deal....

 

During the clean action, items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine

To restore an item that has been deleted unnecessarily open AdwCleaner, Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

As long as Panda Vaccine is running on your system any USB devices that are plugged into your system cannot use the autorun feature, that is your safety net. There will also be the option to vaccinate any such devices so they will be safe for future use on other systems.... If plugged in for the first time and you are unsure what is on the USB device, always scan it with your chosen security system, definitely Malwarebytes and an AV scanner...

 

Kevin

Link to post
Share on other sites

Thank you...I've repeated the key questions in that last post so your last reply had addressed them. The security system I have now installed is MS Essentials (and still have free edition of Malwarebytes to do manual scans) and will look into WinPatrol and the other programs you've shared in earlier post. Your help has been tremendous in cleaning the embedded autorun files on the external HDDs along with additional links / information on security and protection programs to prevent future infections! Good to know that this forum is available in case the laptop does act up later!

Link to post
Share on other sites

It was a pleasure to work with you, take care and surf safe....

 

One point, I highly recommend that you upgrade Malwarebytes to the Pro version, it really is the best anti-malware tool available. However, without realtime protection your system is not fully protected in my opinion.

I am a volunteer here at Malwarebytes so have nothing to gain with that recommendation.....

 

Thank you,

 

Kevin....

Link to post
Share on other sites

The Pro version on the website (https://store.malwarebytes.org) is an annual subscription but from various other sites, there is also the option for "lifetime" license - how valid are those offers? Also, when programs such as Kaspersky or Malwarebytes etc are scanning, I should not be running any work programs, right? Lastly, how do I copy the Firefox settings I've done on the standard user account (with Noscripts, AdBlock etc.) to use in setting up Firefox on the admin account? Or would I need to do the setup manually again? Many thanks!

Link to post
Share on other sites

As far as i`m aware Malwarebytes is now on a yearly subscription for any new user. If you have a previous license key that will keep its original lifetime status.

 

I would not personally trust any link to Malwarebytes from any other website than Malwarebytes.org. Just remember 3rd party sites often have unwanted baggage. Such sites would have to be researched or use the help function on the GUI of the free version to ask advice, or at the Malwarebytes.org website

 

Please be aware I have no links to Malwarebytes.org, I am a volunteer on the Malware forum. Malwarebytes staff are usually listed over their profile image as "Staff", under profile image will be their status such as "Root Admin" or just "Admin" etc etc...

 

Regarding Security scans, it is always best practice to have scheduled scans run at a time of inactivity, if you are using your system when scans are running it can cause system freezing or an outright crash. The same is recommended for custom or adhoc scans you do yourself....

 

For the Firefox query see if this link helps: http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Firefox

 

Regards,

 

Kevin....

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
