Windows Legacy OS forum

Question

Should I have: 1) a windows\servicepak\i-386 dir.? 2) and a

by rlsdsurfer / December 14, 2012 3:04 AM PST

Windows XP search shows a csrss.exe file located @ c:\windows\servicePak\i-386\csrss.exe, but when I go to DOS and enter c:\windows\servicepak I get dir doesn't exist.
Should I have 2 csrss.exe files, 1 for the Windows Service Pack 3 update and one for Windows?

If so why hidden?

Also, when I enter dir /ah in c:\windows I get 50+ hidden dirs in the dir. This makes no sense to me.

I believe I am being hacked!

Clarification Request
Have you read prior discussions on that folder?
by R. Proffitt Forum moderator / December 14, 2012 5:26 AM PST
csrss files
by rlsdsurfer / December 14, 2012 6:28 AM PST

Since posting, I have located the dir and files in question. On appearance they look identical, but I haven't run a file comparison yet.

I am convinced I am being hacked or have a virus that I have yet to detect.

My Ethernet 10/100 port is gone. Tried to reinstall Windows to clear the virus and reload the Ethernet drivers but it didn't work. I get random system noises and an hourly da-ding, on the hour, and my audio has a reverberation. One of my e-mail accounts was hacked; had to delete the acct. Lost all music in Real Player yesterday! Lost internet connection last week and had to delete all user accts and re-establish a single administrator acct. After I did this, a "quest acct" appeared some time later that I didn't create.

Sounds like the usual xp driver hell.
by R. Proffitt Forum moderator / December 14, 2012 7:49 AM PST
In reply to: csrss files

Do you have restore media or old fashioned load xp some hundred drivers and updates?
Bob

no..don't think so...
by rlsdsurfer / December 14, 2012 10:04 AM PST

..not a simple driver issue. Yea, I have to reinstall the normal way, took me 12 hours last month. Did nothing.

Then it's bad hardware.
by R. Proffitt Forum moderator / December 14, 2012 10:09 AM PST
In reply to: no..don't think so...

Or a rootkit. I only have the clues you provided so far. Let's do the fastest rootkit detection I know. Takes me about 2 minutes even if I have to download it to a memory stick.

-> RKILL as noted by Grif at http://forums.cnet.com/7726-6132_102-5098912.html?tag=posts;msg5099421

You do worry me about the single admin account. Have you ever experienced what happens on an XP machine with one single admin account and a "CORRUPT PROFILE"?

It's another sort of hell,
Bob

rootkill
by rlsdsurfer / December 14, 2012 1:49 PM PST

Never ran this utility. Is it for the boot sector?

BTW, since I've been troubleshooting the system my sound has suddenly cleared up this afternoon, was still reverbing at 3PM and I haven't run anything since this AM!! Haven't heard the hourly da-ding either!

Someone is seeing my investigation history! I have gone to a cyber crime unit!

Is this discussion to be closed?
by R. Proffitt Forum moderator / December 14, 2012 11:27 PM PST
In reply to: rootkill

It would have been nice to see what's up. We know the folder was expected but I've found folk freak out over temp files.

Is this discussion to be closed?
Bob

no
by rlsdsurfer / December 15, 2012 5:02 AM PST

taking a break

Sorry, missed the question.
by R. Proffitt Forum moderator / December 14, 2012 11:28 PM PST
In reply to: rootkill

What is RKILL? at google should suffice.

(NT) nothing has changed at all!!
by rlsdsurfer / December 15, 2012 5:02 AM PST
You're right.
by R. Proffitt Forum moderator / December 15, 2012 5:11 AM PST

RKILL's use and definition has not changed recently. Let's recap.

We know the folder and files are normal.

To carry forward let's forget that folder as it's not a sign of anything other than a normal XP function.

-> Are you ready for the next steps? Can you live with those temp files or just delete them like thousands of others? Once in a while you find a user that gets hung up on temp files and thinks that's a sign of infection. In this case, no.
Bob

the files are not an issue
by rlsdsurfer / December 15, 2012 11:44 PM PST
In reply to: You're right.

however I seem to be going backwards here. Nothing has affected the PC, still same issue, except now after loading and running all these dif utilities it took 5 full min. for it to cold boot this AM!

5 minutes can be normal.
by R. Proffitt Forum moderator / December 16, 2012 1:08 AM PST

As the machine ages, the drive fills and folk add more protection and apps, it slows down.

There are numerous discussions about speeding up the boot time but here we are a dozen posts and we are just now getting over the temp files.

-> Why not change how you boot? Try HIBERNATION instead and see if the boot time drops.
Bob

Time
by rlsdsurfer / December 16, 2012 1:51 AM PST

Bob I am a disabled man, broke my neck, I do nothing quickly. Your input is helpful however please do not feel any obligation.

As for the boot time, I have been in the computer industry since '93; the boot time is far too long, especially since I just reformatted the drive. FYI, dual core Intel, 8 gigs Kingston, 500gigHD which is virtually empty, running XP Home w/S3. Which I built.

I am apprehensive about running rootkill.

Clarification Request
didn't I read somewhere
by itsdigger / December 16, 2012 1:58 AM PST

that Windows XP doesn't like HDDs more than 127 GIGs?

It's the BIOS that's the limiting factor
by wpgwpg / December 16, 2012 2:04 AM PST

The 127 GB limit is in old versions of BIOS, not XP. I have an XP system that easily addresses a 512 GB internal HD and an external 1 TB one. If you happen to have a BIOS earlier than mid 90s, you may see the problem, but after that, XP is just fine with larger drives.

Good luck.

BIOS
by rlsdsurfer / December 16, 2012 4:32 AM PST

Have an ASUS MB maybe 4 years old, don't seem to have had any issues with the HDD.

All Answers

Answer
I fear you may be beyond help for now.
by R. Proffitt Forum moderator / December 16, 2012 2:42 AM PST

"I am apprehensive about running rootkill."

RKILL is a tool that gives us a quick report about pests I'm running into. If folk can't bring themselves to do their own support with tools they can read about what they do and more then they have to find support where they can.

It's a basic item in my software tools to find some common pests. If you can't do that, then I've done what I could and you need to talk to those that provide you support on what to do next.


-> About the fresh install and slow. There are many good reasons for that and XP. All we need to do is forge a driver or install some TOXIC COMBINATION and it's game over. For example and this is one of many thousands is that Spybot Teatimer and McAfee. Who knows what choices you made other than you?

Hope you can get the job done with RKILL so I can see what's up.
After I see RKILL's output and it's clean we move on to HIJACKTHIS logs but look at this discussion and we are over a dozen posts and we have yet to get the first step done.

Bob

(NT) will attempt to run rkill tomorrow
by rlsdsurfer / December 16, 2012 4:35 AM PST
(NT) Should be interesting. Always is!
by R. Proffitt Forum moderator / December 16, 2012 4:39 AM PST
rkill output
by rlsdsurfer / December 16, 2012 10:11 PM PST

Program started at: 12/17/2012 06:07:21 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* AppMgmt [Missing ServiceDLL Value]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 12/17/2012 06:08:08 AM
Execution time: 0 hours(s), 0 minute(s), and 47 seconds(s)

rkill was run from cmd
by rlsdsurfer / December 16, 2012 10:15 PM PST
In reply to: rkill output

from within Windows XP. If I should run it differently, please advise.

Still think this engineer has programmed his own access. All he would need is an IP address.

What engineer?
by R. Proffitt Forum moderator / December 16, 2012 11:29 PM PST
In reply to: rkill was run from cmd

And RKILL is detailed on it and other web sites. It's a tool to see what's going on and to allow other virus/trojan/other removal tools to work.

I can't tell what your concern is here.
Bob

There is 1 line that causes more questions.
by R. Proffitt Forum moderator / December 16, 2012 11:27 PM PST
In reply to: rkill output

1. The firewall is off. Did you install some other firewall or turn it off?

2. That was a relief to see. It's taken days to get past temp files and the first check. WHAT'S NEXT?

a. XP will boot slower as the machine ages or there are updates to antivirus/other that do more checks at boot time. Your less seasoned owners will think something is wrong. It's not. This means that a lot of folk get taken to the cleaners by taking it to a service counter or buying those speedup apps.

b. HIJACKTHIS is next. We'll use it just for the report.
HOW TO CREATE A HIJACK THIS REPORT is at http://www.bleepingcomputer.com/tutorials/how-to-post-a-hijackthis-log/

Let's hope this doesn't take as long as RKILL took to get the results. It's a report. We are not changing a thing. I'm going to look for common issues I know about and if I don't see any we turn to the usual dissection of the PC. What is it, how old, stories about how you installed, the old XP DMA issue and more.

3. THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Everytime you post you see this in RED.
"If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem."

I can't tell if the XP DMA issue applies. It's a simple thing to address as you run some batch/script and no reboot is required except to see if it helped. Microsoft never issued a fix for it so we have to manually reset it.
Bob
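
Reading a report like the one posted above comes down to skipping the clean results and following up on what is left, which here is the disabled firewall asked about in item 1 and the AppMgmt service line. The Python below is an added example, not part of the thread or of RKILL itself; the section layout is inferred from the posted report, and treating the loopback HOSTS entry as the only expected one is an assumption.

```python
# Sections of the RKill report posted in this thread (blank lines dropped).
REPORT = r"""
Checking for Windows services to stop:
 * No malware services found to stop.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Firewall Disabled
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
 * AppMgmt [Missing ServiceDLL Value]
Checking HOSTS File:
 * HOSTS file entries found:
  127.0.0.1 localhost
Program finished at: 12/17/2012 06:08:08 AM
"""

# Assumption of this example: loopback-to-localhost is the only expected HOSTS entry.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Prefixes of clean results, status messages and registry evidence lines.
SKIP = ("No ", "Resetting ", "Program ", "[HK", '"')

def parse_report(text):
    """Return {section header: [lines under it]} for a report in this layout."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":") and not line.startswith("*"):
            current = sections.setdefault(line[:-1], [])
        elif line and current is not None:
            current.append(line.lstrip("* "))
    return sections

def triage(text):
    """List (section, line) pairs that need follow-up; unknown lines are kept."""
    findings = []
    for section, lines in parse_report(text).items():
        for line in lines:
            if line.startswith(SKIP) or line.endswith("found:"):
                continue  # clean result, status line, or evidence for an item
            if tuple(line.lower().split()) in BENIGN_HOSTS:
                continue  # default loopback mapping
            findings.append((section, line))
    return findings

if __name__ == "__main__":
    print(*triage(REPORT), sep="\n")
```

Any line the script does not recognize is reported rather than dropped, so an extra HOSTS mapping or a new kind of warning shows up as a finding.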

sorry
by rlsdsurfer / December 17, 2012 12:51 AM PST

THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Everytime you post you see this in RED.

It is a clone I built, I did state that when I described the unit.

spybot?
by rlsdsurfer / December 17, 2012 12:54 AM PST
In reply to: sorry

HijackThis should only be used if your browser or computer is still having problems after running Spybot or another Spyware/Hijacker remover.

Should I run Spybot first?

Your choice. But the log should have been your next post.
by R. Proffitt Forum moderator / December 17, 2012 1:05 AM PST
In reply to: spybot?

If this gets to 1 week of posts I'm going to have to say the machine is unrecoverable and you should reload the OS and if it's still slow or buggy then it's time for the shop.

At some point you cut bait.
Bob

With only that amount of detail.
by R. Proffitt Forum moderator / December 17, 2012 12:55 AM PST
In reply to: sorry

I can't tell if the XP DMA issue applies. But now that you know about it you can research it further.

I'm unsure why dropping a hint that details can help is not resulting in more detail. I think you must think "OH, I'm going to look into the XP DMA function on my own" and don't need more about it.
Bob

dma function
by rlsdsurfer / December 17, 2012 1:32 AM PST

Hint, what hint? Don't know what you're referring to!

XP DMA issue applies, what is this? 3. THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Everytime you post you see this in RED.
FYI, dual core Intel, 8 gigs Kingston, 500gigHD which is virtually empty, running XP Home w/S3. Which I built.
Again, Bob, this is a clone; I built it several years ago.

Tried to run Spybot S&D, not compatible w/ McAfee

8GB with XP can be trouble.
by R. Proffitt Forum moderator / December 17, 2012 1:37 AM PST
In reply to: dma function

And it might run but the install on such is beyond most. Can you share the install procedure?

McAfee's latest versions can cause a slow boot and we know that Spybot's Teatimer can cause issue with that antivirus.

Where is the log file from HIJACKTHIS?

And didn't anyone warn you about XP and new machines with more RAM than XP supports? Yes, it may have worked then but updates come in and you see such machines tank.
Bob
