
CSRSS.exe -- What should I do?


Go to solution Solved by AdvancedSetup,


Hi! I am not sure when the file was created, but my quick scan on Malwarebytes Premium finished at 12:23pm today and it was clean.
Then I visited a website that had a popup ad on it, closed out said ad, and then got anxious and scanned my computer.

1. It found what it labels Backdoor.Quasar and the file and location was: C:\$SYSRESET\SCRATCH\CSRSS.EXE

I removed the virus, rebooted. Action says Replaced, so I'm not sure what that is.

2. I did a new quick scan, the results are attached and I did a scan with FRST + Addition and that is also attached. I use premium and I scan my computer honestly too often. I'm in the process of moving all of my files to an external after removing the virus.

3. But I wanted to make sure my computer is clean. And what do you think could have been compromised? I have a few sites I signed into today, but I'm not sure if this type of virus can see those things?

4. Can it access my emails without me viewing them or access a txt file I had open at the time?

 

I did download some packs off of deviantart last night as well that people put out for graphic designers. My adaware cleaner (adwcleaner_8.3.0) found a PUP in the folder?
Here: PUP.Optional.CrossAd C:\Users\Kaci\Downloads\ChristmasTextures
I didn't see anything in there. There were credit txt files of the uploaders from deviantart and PSD/png files but that's about it.

I'll also be restoring my computer to factory settings soon.

Malwarebytes.jpg

quickscan.txt Addition.txt FRST.txt

Edited by kelizabeth

  • Root Admin

Hello @kelizabeth

Please run the following

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links and the instructions on how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log.

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

Thank you

 

 


@AdvancedSetup Hi! Thank you so much for your help! I ran a Quick Scan and I have attached it to this reply.

I'm really scared of this, I have been a Malwarebytes Premium user for years because of how often I scan my computer. Do you think my text file info or my emails could have been compromised with this? I signed into a few sites today but I'll change the passwords to those I actively signed into and to my email as well (though I didn't sign into it, Firefox just kept it logged in).

msert.log


  • Root Admin

It's very possible that at some point some new threat took advantage of some exploit or something like that.

Please relax and try not to stress out over this. Do not change passwords from this computer until we're done scanning to make sure it's clean. Once we're done we can do that.

 

Let me have you run the following for me.

 

STEP 01

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 2

STEP 02
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thank you

 


  • Root Admin
  • Solution

Hi @kelizabeth

It looks like this was a False Positive. Let me have you get me the following logs from this detection.

You can find the Scan and Protection logs from the following

 

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

image.png

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

image.png

 

If you click on the View option you should get something similar to the following with other options available.

 

image.png

 

 

 

 


@AdvancedSetup A false positive? Really? Oh thank goodness! I went ahead and scanned again with the adaware program and the Farbar one and both were the same exact as before, nothing came up on adaware apart from HP preinstalled things.

I have attached the exported file in detection history here, does it really look like a false positive? The file is no longer there now though, is that okay?

detection.txt


  • Root Admin

Yes, this was a False Positive. You can restore the file if wanted, but the folder really isn't needed.

Please see the following and if you have questions or issues still let me know

https://www.tenforums.com/tutorials/95043-how-delete-sysreset-folder-windows-10-a.html

Thanks @kelizabeth

 

 


Oh my gosh thank you! I will be resetting the system at some point in the future, but this being a false positive has made my day. Thank you so much again! I truly appreciate it so much! @AdvancedSetup

I was prepared to reset all passwords and everything, you're the best! I'll look at that and remove the folder too so hopefully no issues in future. Have a great day!


My system is just a little slow lately, so I thought I would do a reset, the reset will be a fresh install of Windows later on down the line (I'll move all of my files out of it and onto an external, then do the fresh Windows install). My system I believe is all clean, I just wanted to reset it to see if it loads quicker @AdvancedSetup Though Firefox eating up most of my CPU could be doing the slowness xD


  • Root Admin

Save your bookmarks. Write down the current extensions you're using. Then in Firefox click on Help -> More Troubleshooting Information

Then click on the Refresh Firefox... link.

image.png

 

Uninstall the following from Control Panel, Programs, Programs and Features

Bonjour
 

Then restart the computer and see if things are better or not.

 

If or when you do decide to do a fresh clean install of Windows here are some links to help. Note: Windows 11 is out as well now but not sure I'd jump on that just yet as it keeps having minor issues reported.

 

Greg Carmack - MVP 2010-2020 - Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

Let me know if you need or want anything else @kelizabeth

 

 


@AdvancedSetup I did all of that and updated some drivers, then the HP BIOS update ran when I restarted it. It seems to be running a bit faster now, thank you so much!

 

Also about the false positive, do you think the file was there already and MB just flagged it today randomly?

 

Thank you again so much for all of your help! Those links are a huge help too! I'll keep away from Windows 11 for now, I really enjoy Windows 10 at the moment.


  • Root Admin

Yes, the FP was due to a rule that triggered on it when it should not have. Completely safe to ignore.

If there is nothing else we should be done here.

You're quite welcome for the help and information.

 

The closing speech will leave you with a link to other information to help you keep the computer safer as well as your privacy.

Take care

 

Edited by AdvancedSetup
updated information

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.