As to the hack part, this is not a clear sign.
Bob
Windows XP search shows a csrss.exe file located @ c:\windows\servicePak\i-386\csrss.exe, but when I go to DOS and enter c:\windows\servicepak I get dir doesn't exist.
Should I have 2 csrss.exe files, 1 for Windows Service Pack 3 update and one for Windows?
If so, why hidden?
Also, when I enter dir /ah in c:\windows I get 50+ hidden dirs in the dir. This makes no sense to me.
I believe I am being hacked!
Since posting, I have located the dir and files in question. On appearance they look identical, but I haven't run a file comparison yet.
I am convinced I am being hacked or have a virus that I have yet to detect.
My Ethernet 10/100 port is gone. Tried to reinstall Windows to clear the virus and reload the Ethernet drivers, but it didn't work. I get random system noises and an hourly da-ding, on the hour, and my audio has a reverberation. One of my e-mail accounts was hacked; had to delete the acct. Lost all music in Real Player yesterday! Lost internet connection last week and had to delete all user accts and re-establish a single administrator acct. After I did this, a "quest acct" appeared some time later that I didn't create.
Do you have restore media or old fashioned load xp some hundred drivers and updates?
Bob
..not a simple driver issue. Yeah, I have to reinstall the normal way; took me 12 hours last month. Did nothing.
Or a rootkit. I only have the clues you provided so far. Let's do the fastest rootkit detection I know. Takes me about 2 minutes even if I have to download it to a memory stick.
-> RKILL as noted by Grif at http://forums.cnet.com/7726-6132_102-5098912.html?tag=posts;msg5099421
You do worry me about the single admin account. Have you ever experienced what happens on an XP machine with one single admin account and a "CORRUPT PROFILE"?
It's another sort of hell,
Bob
Never ran this utility. Is it for the boot sector?
BTW, since I've been troubleshooting the system my sound has suddenly cleared up this afternoon. It was still reverbing at 3PM and I haven't run anything since this AM!! Haven't heard the hourly da-ding either!
Someone is seeing my investigation history! I have gone to a cyber crime unit!
It would have been nice to see what's up. We know the folder was expected but I've found folk freak out over temp files.
Is this discussion to be closed?
Bob
RKILL's use and definition has not changed recently. Let's recap.
We know the folder and files are normal.
To carry forward let's forget that folder as it's not a sign of anything other than a normal XP function.
-> Are you ready for the next steps? Can you live with those temp files or just delete them like thousands of others? Once in a while you find a user that gets hung up on temp files and thinks that's a sign of infection. In this case, no.
Bob
However, I seem to be going backwards here. Nothing has affected the PC, still the same issue, except now after loading and running all these different utilities it took 5 full min. for it to cold boot this AM!
As the machine ages, the drive fills and folk add more protection and apps, it slows down.
There are numerous discussions about speeding up the boot time but here we are a dozen posts and we are just now getting over the temp files.
-> Why not change how you boot? Try HIBERNATION instead and see if the boot time drops.
Bob
Bob I am a disabled man, broke my neck, I do nothing quickly. Your input is helpful however please do not feel any obligation.
As for the boot time, I have been in the computer industry since '93; the boot time is far too long, especially since I just reformatted the drive. FYI, dual core Intel, 8 gigs Kingston, 500gigHD which is virtually empty, running XP Home w/S3. Which I built.
I am apprehensive about running rootkill.
that Windows XP doesn't like HDDs more than 127 GIGs?
The 127 GB limit is in old versions of BIOS, not XP. I have an XP system that easily addresses a 512 GB internal HD and an external 1 TB one. If you happen to have a BIOS earlier than mid 90s, you may see the problem, but after that, XP is just fine with larger drives.
Good luck.
"I am apprehensive about running rootkill."
RKILL is a tool that gives us a quick report about pests I'm running into. If folk can't bring themselves to do their own support with tools they can read about what they do and more then they have to find support where they can.
It's a basic item in my software tools to find some common pests. If you can't do that, then I've done what I could and you need to talk to those that provide you support on what to do next.
-> About the fresh install and slow. There are many good reasons for that and XP. All we need to do is forge a driver or install some TOXIC COMBINATION and it's game over. For example and this is one of many thousands is that Spybot Teatimer and McAfee. Who knows what choices you made other than you?
Hope you can get the job done with RKILL so I can see what's up.
After I see RKILL's output and it's clean we move on to HIJACKTHIS logs but look at this discussion and we are over a dozen posts and we have yet to get the first step done.
Bob
Program started at: 12/17/2012 06:07:21 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
* AppMgmt [Missing ServiceDLL Value]
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 12/17/2012 06:08:08 AM
Execution time: 0 hours(s), 0 minute(s), and 47 seconds(s)
from within Windows XP. If I should run it differently, please advise.
Still think this engineer has programmed his own access. All he would need is an IP address.
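An added example (not part of the original thread, and not RKILL's own code): a small Python filter that reads a report in the layout pasted above and lists only the items that did not come back clean, so they can be reviewed one by one. The section and bullet patterns are assumptions inferred from that single report; the sample lines are copied from it.

```python
import re

# Lines copied from the RKILL report quoted above (some clean sections trimmed).
SAMPLE_LOG = r"""Checking for Windows services to stop:
* No malware services found to stop.
Performing miscellaneous checks:
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
* AppMgmt [Missing ServiceDLL Value]
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 12/17/2012 06:08:08 AM
"""

# Assumed layout: section headers end in ":", results are "* " bullets,
# and unbulleted lines under a bullet are its details.
HEADER = re.compile(r"^(Checking|Performing|Searching)\b.*:$")
CLEAN = re.compile(r"^No .*found", re.I)
FOOTER = re.compile(r"^(Program (started|finished)|Execution time)")
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def triage(log):
    """Return the report items that did not come back clean, with detail lines."""
    findings, section, current = [], None, None
    for line in (raw.strip() for raw in log.splitlines()):
        if HEADER.match(line):
            section, current = line.rstrip(":"), None
        elif FOOTER.match(line) or not line:
            current = None
        elif line.startswith("* "):
            current = None
            if not CLEAN.match(line[2:]):
                current = {"section": section, "finding": line[2:], "details": []}
                findings.append(current)
        elif current is not None:
            current["details"].append(line)
    # A HOSTS listing holding only the stock loopback entry is not a finding.
    def stock_hosts(f):
        return f["section"] == "Checking HOSTS File" and all(
            tuple(d.lower().split()[:2]) in DEFAULT_HOSTS for d in f["details"])
    return [f for f in findings if not stock_hosts(f)]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "->", f["finding"], f["details"])
```

On the report above this leaves two items to look at: the disabled Windows Firewall (with its registry value) and the AppMgmt service entry.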
And RKILL is detailed on it and other web sites. It's a tool to see what's going on and to allow other virus/trojan/other removal tools to work.
I can't tell what your concern is here.
Bob
1. The firewall is off. Did you install some other firewall or turn it off?
2. That was a relief to see. It's taken days to get past temp files and the first check. WHAT'S NEXT?
a. XP will boot slower as the machine ages or there are updates to antivirus/other that do more checks at boot time. Your less seasoned owners will think something is wrong. It's not. This means that a lot of folk get taken to the cleaners by taking it to a service counter or buying those speedup apps.
b. HIJACKTHIS is next. We'll use it just for the report.
HOW TO CREATE A HIJACK THIS REPORT is at http://www.bleepingcomputer.com/tutorials/how-to-post-a-hijackthis-log/
Let's hope this doesn't take as long as RKILL took to get the results. It's a report. We are not changing a thing. I'm going to look for common issues I know about and if I don't see any we turn to the usual dissection of the PC. What is it, how old, stories about how you installed, the old XP DMA issue and more.
3. THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Every time you post you see this in RED.
"If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem."
I can't tell if the XP DMA issue applies. It's a simple thing to address as you run some batch/script and no reboot is required except to see if it helped. Microsoft never issued a fix for it so we have to manually reset it.
Bob
THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Every time you post you see this in RED.
It is a clone I built, I did state that when I described the unit.
HijackThis should only be used if your browser or computer is still having problems after running Spybot or another Spyware/Hijacker remover.
Should I run Spybot first?
If this gets to 1 week of posts I'm going to have to say the machine is unrecoverable and you should reload the OS and if it's still slow or buggy then it's time for the shop.
At some point you cut bait.
Bob
I can't tell if the XP DMA issue applies. But now that you know about it you can research it further.
I'm unsure why dropping a hint that details can help is not resulting in more detail. I think you must think "OH, I'm going to look into the XP DMA function on my own" and don't need more about it.
Bob
Hint? What hint? Don't know what you're referring to!
XP DMA issue applies, what is this? 3. THE XP DMA ISSUE. We're at over a dozen posts and you have not revealed what this PC is. Every time you post you see this in RED.
FYI, dual core Intel, 8 gigs Kingston, 500gigHD which is virtually empty, running XP Home w/S3. Which I built.
Again, Bob, this is a clone; I built it several years ago.
Tried to run Spybot S&D, not compatible w/ McAfee
And it might run but the install on such is beyond most. Can you share the install procedure?
McAfee's latest versions can cause a slow boot and we know that Spybot's Teatimer can cause issues with that antivirus.
Where is the log file from HIJACKTHIS?
And didn't anyone warn you about XP and new machines with more RAM than XP supports? Yes, it may have worked then but updates come in and you see such machines tank.
Bob