csrsc.exe "Teenslook"



james1
2008-12-02, 13:53
I seem to have picked up a nasty: csrsc.exe.

Searched forums and found this: http://forums.spybot.info/showthread.php?t=40326&highlight=csrsc.exe

I cannot start Spybot S&D, and a search of my computer does not turn up csrsc.exe. I was able to run Spybot S&D in safe mode, but it did not turn up anything.

Can you help?

Thanks,

james

james1
2008-12-02, 15:06
Here is the log from HijackThis. Thought it might be of help. Tried everything I know to start S&D, but no luck.



Logfile of HijackThis v1.99.1
Scan saved at 07:59:20, on 12/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\FreePOPs\freepopsservice.exe
C:\Program Files\FreePOPs\freepopsd.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\csrsc.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sound Drive] C:\WINDOWS\SYSTEM32\Explorer5.vbs
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - Startup: Shortcut to fdm.lnk = C:\Program Files\Free Download Manager\fdm.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - http://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBA0173B-E923-4D1A-BCAB-9E7B586C219C}: NameServer = 71.242.0.12 71.252.0.12
O18 - Protocol: bw+0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw+0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw-0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw-0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw00 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw00s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw10 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw10s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw20 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw20s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw30 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw30s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw40 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw40s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw50 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw50s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw60 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw60s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw70 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw70s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw80 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw80s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw90 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bw90s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwa0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwa0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwb0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwb0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwc0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwc0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwd0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwd0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwe0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwe0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwf0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwf0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - blank (file missing)
O18 - Protocol: bwg0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwg0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwh0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwh0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwi0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwi0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwj0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwj0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwk0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwk0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwl0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwl0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwm0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwm0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwn0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwn0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwo0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwo0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwp0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwp0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwq0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwq0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwr0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwr0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bws0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bws0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwt0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwt0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwu0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwu0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwv0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwv0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bww0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bww0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwx0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwx0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwy0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwy0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwz0 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: bwz0s - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: offline-8876480 - {2F1B42DC-7338-49DF-86C5-FD2E89CFD81C} - blank (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FreePOPs - Unknown owner - C:\Program Files\FreePOPs\freepopsservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O23 - Service: Windows Spool Services (WinSpoolSvc) - Unknown owner - C:\WINDOWS\system32\csrsc.exe

pskelley
2008-12-05, 16:31
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

James, I apologize for the wait. We pin (sticky) the instructions at the top of the forum for you to read; this is why the wait:

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.

This is a backdoor trojan and I am not 100% sure what it is after, but you can bet the hacker is up to no good and I think you should read this information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

If you still need help, read the directions and post the correct HJT log which is plainly described in those directions and I will respond as soon as I see the correct log.

Thanks

pskelley
2008-12-12, 14:21
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.