As to the hack part, this is not a clear sign.
Windows XP search shows a csrss.exe file located @ c:\windows\servicePak\i-386\csrss.exe, but when I go to DOS and enter c:\windows\servicepak I get dir doesn't exist.
Should I have 2 csrss.exe files, 1 for the Windows Service Pack 3 update and one for Windows?
If so, why hidden?
Also, when I enter dir /ah in c:\windows I get 50+ hidden dirs in the dir. This makes no sense to me.
I believe I am being hacked!
Since posting, I have located the dir and files in question. On appearance they look identical, but I haven't run a file comparison yet.
I am convinced I am being hacked or have a virus that I have yet to detect.
My Ethernet 10/100 port is gone. Tried to reinstall Windows to clear the virus and reload the Ethernet drivers but it didn't work. I get random system noises and an hourly da-ding, on the hour, and my audio has a reverberation. One of my e-mail accounts was hacked; had to delete the acct. Lost all music in Real Player yesterday! Lost internet connection last week and had to delete all user accts and re-establish a single administrator acct. After I did this, a "quest acct" appeared some time later that I didn't create.
Or a rootkit. I only have the clues you provided so far. Let's do the fastest rootkit detection I know. Takes me about 2 minutes even if I have to download it to a memory stick.
-> RKILL as noted by Grif at http://forums.cnet.com/7726-6132_102-5098912.html?tag=posts;msg5099421
You do worry me about the single admin account. Have you ever experienced what happens on an XP machine with one single admin account and a "CORRUPT PROFILE"?
It's another sort of hell,
Never ran this utility. Is it for the boot sector?
BTW, since I've been troubleshooting the system my sound has suddenly cleared up this afternoon. It was still reverbing at 3PM and I haven't run anything since this AM!! Haven't heard the hourly da-ding either!
Someone is seeing my investigation history! I have gone to a cyber crime unit!
RKILL's use and definition have not changed recently. Let's recap.
We know the folder and files are normal.
To carry forward let's forget that folder as it's not a sign of anything other than a normal XP function.
-> Are you ready for the next steps? Can you live with those temp files or just delete them like thousands of others? Once in a while you find a user that gets hung up on temp files and thinks that's a sign of infection. In this case, no.
As the machine ages, the drive fills and folk add more protection and apps, it slows down.
There are numerous discussions about speeding up the boot time but here we are a dozen posts and we are just now getting over the temp files.
-> Why not change how you boot? Try HIBERNATION instead and see if the boot time drops.
Bob, I am a disabled man, broke my neck, I do nothing quickly. Your input is helpful; however, please do not feel any obligation.
As for the boot time, I have been in the computer industry since '93; the boot time is far too long, especially since I just reformatted the drive. FYI, dual core Intel, 8 gigs Kingston, 500 gig HD which is virtually empty, running XP Home w/S3. Which I built.
I am apprehensive about running rootkill.
"I am apprehensive about running rootkill."
RKILL is a tool that gives us a quick report about pests I'm running into. If folk can't bring themselves to do their own support with tools they can read about, what they do and more, then they have to find support where they can.
It's a basic item in my software tools to find some common pests. If you can't do that, then I've done what I could and you need to talk to those that provide you support on what to do next.
-> About the fresh install and slow. There are many good reasons for that and XP. All we need to do is forget a driver or install some TOXIC COMBINATION and it's game over. For example, and this is one of many thousands, is that Spybot Teatimer and McAfee. Who knows what choices you made other than you?
Hope you can get the job done with RKILL so I can see what's up.
After I see RKILL's output and it's clean we move on to HIJACKTHIS logs but look at this discussion and we are over a dozen posts and we have yet to get the first step done.
Program started at: 12/17/2012 06:07:21 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* Windows Firewall Disabled
"EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
* AppMgmt [Missing ServiceDLL Value]
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
Program finished at: 12/17/2012 06:08:08 AM
Execution time: 0 hours(s), 0 minute(s), and 47 seconds(s)
1. The firewall is off. Did you install some other firewall or turn it off?
2. That was a relief to see. It's taken days to get past temp files and the first check. WHAT'S NEXT?
a. XP will boot slower as the machine ages or there are updates to antivirus/other that do more checks at boot time. Your less seasoned owners will think something is wrong. It's not. This means that a lot of folk get taken to the cleaners by taking it to a service counter or buying those speedup apps.
b. HIJACKTHIS is next. We'll use it just for the report.
HOW TO CREATE A HIJACK THIS REPORT is at http://www.bleepingcomputer.com/tutorials/how-to-post-a-hijackthis-log/
Let's hope this doesn't take as long as RKILL took to get the results. It's a report. We are not changing a thing. I'm going to look for common issues I know about and if I don't see any we turn to the usual dissection of the PC. What is it, how old, stories about how you installed, the old XP DMA issue and more.
3. THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Every time you post you see this in RED.
"If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem."
I can't tell if the XP DMA issue applies. It's a simple thing to address as you run some batch/script and no reboot is required except to see if it helped. Microsoft never issued a fix for it so we have to manually reset it.
I can't tell if the XP DMA issue applies. But now that you know about it you can research it further.
I'm unsure why dropping a hint that details can help is not resulting in more detail. I think you must think "OH, I'm going to look into the XP DMA function on my own" and don't need more about it.
Hint? What hint? Don't know what you're referring to!
XP DMA issue applies, what is this? "3. THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Every time you post you see this in RED."
FYI, dual core Intel, 8 gigs Kingston, 500 gig HD which is virtually empty, running XP Home w/S3. Which I built.
Again, Bob, this is a clone; I built it several years ago.
Tried to run Spybot S&D, not compatible w/ McAfee
And it might run but the install on such is beyond most. Can you share the install procedure?
McAfee's latest versions can cause a slow boot and we know that Spybot's Teatimer can cause issues with that antivirus.
Where is the log file from HIJACKTHIS?
And didn't anyone warn you about XP and new machines with more RAM than XP supports? Yes, it may have worked then but updates come in and you see such machines tank.