RECURRING CSRSS.EXE INFECTION


MickP
Hi. I use both Malwarebytes and Trendmicro on my laptop. Trendmicro shows that it removes a recurring Malware infection called CSRSS.EXE, located at folder C:\Users\mick\AppData\Local\Temp\phantomows\bin\.

I have scanned with Malwarebytes to try and locate what is causing this, but with no luck in doing so.

The Trendmicro program indicates that the root cause is from Java.

Can you provide any assistance in getting this infection cleared?

Link to post
Share on other sites

Hello and welcome.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.

  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Link to post
Share on other sites

Please download Zemana AntiMalware and save it to your Desktop.

  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.


Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please restart your computer manually.

  • Open Zemana AntiMalware again.
  • Click on the icon (image 4zu6vb.jpg) and double-click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.

Link to post
Share on other sites

Hello,

I'm having the exact same issue and I'm finding very little online about it. Maybe whatever it is is brand new? I haven't resolved it as yet. I've deleted the same folder but it reappears. Tried a different anti virus, Avast, just for kicks and it blocks the same exact Csrss.exe file but does not delete it. Nothing seems to detect a problem with it. I also blocked the exe file with a firewall rule, just in case. Not sure if this helped. But I still randomly get the popup that it's been blocked. Any idea what actually fixed it for you? Thanks in advance!

Link to post
Share on other sites

Hey Uknowbigdee. Had heaps of trouble finding out about it as well. In addition to the assistance that TwinHeadedEagle provided, which I think fixed the problem completely, I also deleted the Java folder in its entirety as this was the program that Trendmicro was telling me that was creating the rogue CSRSS.EXE file.

Link to post
Share on other sites

2 hours ago, MickP said:

Hey Uknowbigdee. Had heaps of trouble finding out about it as well. In addition to the assistance that TwinHeadedEagle provided, which I think fixed the problem completely, I also deleted the Java folder in its entirety as this was the program that Trendmicro was telling me that was creating the rogue CSRSS.EXE file.

Can you tell me which folder you deleted exactly? I am having this EXACT same problem right now. I delete the folder and zip from my TEMP but the folder keeps coming back with the zip file.

Link to post
Share on other sites

Hi bw1. As I stated above, TrendMicro was telling me that the CSRSS.EXE was being created by Java. In addition to following the instructions as detailed by TwinHeadedEagle, I also uninstalled Java from my computer as it seems that the Java exe file had been hacked. I haven't had the problem since.

Link to post
Share on other sites
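
For the symptom discussed in this thread (a file named csrss.exe that keeps reappearing under the user's Temp folder), the following PowerShell check is an added example, not something posted by any participant. It relies on the fact that the genuine Windows csrss.exe lives in %SystemRoot%\System32, lists any other copies under the user profile, and shows which parent process started a running copy; the output column names are chosen here for illustration.

```powershell
# Added example: find csrss.exe copies outside System32 and who launched them.
$legit = Join-Path $env:SystemRoot 'System32\csrss.exe'

# 1. Copies on disk under the user profile (this includes AppData\Local\Temp).
$onDisk = Get-ChildItem -Path $env:USERPROFILE -Filter 'csrss.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime          # helps correlate with AV alert times
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status              # status of any Authenticode signature on the copy
            Signer    = $sig.SignerCertificate.Subject
        }
    }

# 2. Running processes named csrss.exe, with the parent that started them.
$all  = Get-CimInstance -ClassName Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

$running = foreach ($p in ($all | Where-Object { $_.Name -ieq 'csrss.exe' })) {
    $verdict = if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
        'path not readable (typical for the protected system process)'
    } elseif ($p.ExecutablePath -ieq $legit) {
        'expected location'
    } else {
        'SUSPECT: not in System32'
    }
    # The parent may have exited already; then these fields stay empty.
    $parent = $byId[[int]$p.ParentProcessId]
    [pscustomobject]@{
        PID        = $p.ProcessId
        Path       = $p.ExecutablePath
        Verdict    = $verdict
        ParentPID  = $p.ParentProcessId
        ParentName = $parent.Name
        ParentPath = $parent.ExecutablePath
        ParentCmd  = $parent.CommandLine
    }
}

'--- csrss.exe files under the user profile ---'
$onDisk  | Format-List
'--- running csrss.exe processes ---'
$running | Format-List
```

The parent columns are what point to the program that recreates the file; attach the output alongside the FRST logs rather than deleting anything based on it alone.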

This topic is now closed to further replies.