Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Think I have the Dalbug worm

Feb 26, 2004 9:59PM PST

I saw some processes in task manager I was unfamiliar with, googled them, and it seems I may have the Dalbug worm, also known by many other names. One of the processes, csrcss.exe, caught my eye; it happens to be a legitimate file also. But after reading about it the last 2 nights, my system is showing symptoms; the TCP/IP NetBIOS Helper service is one example.

I believe I may have gotten it from a file for a program called CakeWalk Guitar Studio.zip given to me by a musician friend. The program worked fine, and my system doesn't even seem affected. What made me suspicious was when I tried to delete the file off my HD, where I copied the file to before installing.

I've done full virus scans at trendmicro, pandasoftware, and my Norton 2003 pro- I keep coming up "clean"- still, I can't delete the file, and I'm showing symptoms as outlined here and at various anti-virus sites. I can't find any reference for a manual removal of this virus.

Assuming I DON'T have a virus, how can I remove the file CakeWalk Guitar Studio.zip.exe- I didn't notice the ".exe" until I tried deleting it. I did do a virus scan of the file before extracting the files and installing the program and came up clean. But seeing a file ending in "zip.exe" made me suspicious. I don't have any restore points to go back to, btw- Norton suggested I turn off SR, run my AV program, but I'm still stuck with the above file, and certain file entries in my registry that may or may not be actually a virus, but certainly symptomatic that I do in fact have one.

Someone enlighten me, please. Thanks in advance!
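The original post turns on a file named "CakeWalk Guitar Studio.zip.exe" whose ".exe" went unnoticed. The following PowerShell script is an added example, not code from the thread or from any of the posters: it lists files whose name carries a harmless-looking extension followed by an executable one, and reports whether Explorer is configured to hide known extensions. The assumption that the hidden ".exe" is explained by Explorer's "Hide extensions for known file types" setting (the HideFileExt registry value) is ours, not something the thread states; the function names and extension lists are also ours.

```powershell
# Added example (not from the thread). Finds "decoy.exe"-style double
# extensions under a folder and checks Explorer's HideFileExt setting.
# Assumption (ours, not the poster's): the .exe was invisible because
# Explorer hides known extensions, which shows "Name.zip.exe" as "Name.zip".
param([string]$Root = $env:USERPROFILE)

# Outer extensions that Windows will execute, and inner extensions that
# look like data to a user. Both lists are illustrative, not exhaustive.
$ExecExt  = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
$DecoyExt = @('.zip', '.rar', '.doc', '.txt', '.pdf', '.jpg', '.mp3')

function Get-DoubleExtensionFiles {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $name  = $_.Name.ToLowerInvariant()
            $outer = [IO.Path]::GetExtension($name)
            $inner = [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($name))
            ($outer -in $ExecExt) -and ($inner -in $DecoyExt)
        } |
        Select-Object FullName, Length, LastWriteTime
}

function Test-ExtensionsHidden {
    # Returns $true when Explorer hides known extensions (HideFileExt = 1),
    # so a file list would show "Name.zip" for "Name.zip.exe".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($val -eq 1)
}

if (Test-ExtensionsHidden) {
    Write-Host "Explorer is hiding known file extensions; .exe will not show in the file list."
}

Get-DoubleExtensionFiles -Path $Root | Format-Table -AutoSize
```

Run it against the folder the archive was copied to; a hit shows the full name, so a scan of the file with the real extension visible can be done before deciding whether to open it.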


Re:Think I have the Dalbug worm
Feb 26, 2004 11:53PM PST

Hi Brandon,

here is a write-up from Symantec:

http://www.symantec.com/avcenter/venc/data/w32.dalbug.worm.html

During its execution W32.Dalbug.Worm will periodically (every 10 seconds) also add the following registry values:

Smss.exe %windir%\smss.exe
Csrss.exe %windir%\csrss.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In addition, it tries to kill the Regedit.exe process if it is activated.

Here is a write-up from Network Associates: http://vil.nai.com/vil/content/v_99590.htm

Think I have the Dalbug worm
Feb 27, 2004 1:00AM PST

Hi Brandon

You may want to go to

http://www.lavasoftusa.com

and download and run Ad-Aware 6.0. It is free and should catch and remove this worm.

In the alternative, go to your search function and type in the information, select and delete.

david williams

Brandon, Do The Deletions In Safe Mode
Feb 27, 2004 2:13AM PST

After rebooting the computer into "Safe Mode", you should be able to delete the infected ".zip.exe" file. In addition, per the articles that Marianna posted, try checking for the file names and registry entries listed below. If found, delete the registry entries and the files. Remember, although there may be a legitimate file on the computer, the infected files below are in the "Windows" directory as indicated:

Smss.exe %windir%\smss.exe
Csrss.exe %windir%\csrss.exe

The registry key where the entries will be found, if they are there:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Hope this helps, too.

Grif

False Positive, or just paranoia?
Feb 27, 2004 7:24AM PST

First, thank you, Marianna, David, and Grif for responding.

Sorry I wasn't more explicit in my post this morn; I dashed it off before running off to work, knowing there'd be some responses.

Using the find function, I tracked down CSRss.exe- in one site it said the caps were supposed to be indicative of the wrong csrss file, so I deleted that. I'm not a genius of registry editing, but I did go in there and deleted a bunch of reg entries outlined in a post I found in a different computer forum. Also, the fact that I'm able to open up regedit is a good sign, no?

I've already run Ad-aware and just came up with tracking cookies.

I've tried going into safe-mode to try deleting that program file- no go. This happened to me before, but can't remember exactly how I deleted the file. Hopefully, I'll remember and get that stupid thing off somehow.

I've just rechecked the registry, and have found no entries per the Symantec site...maybe I got rid of it last night...not sure.

I typed in csrss.exe in the run box, hit enter, and get a message that this is not a valid Win32 application. The only "symptom" I can find left is in the Services: I still have the TCP/IP NetBIOS Helper service, which I've disabled. I'm not sure if this is a native XP service; I'll have to check my laptop, or google it.

So, is it reasonable for me to feel safe at this point? And even if I am/were infected, this isn't a terrible worm to have, correct?

Thanks much to all for responding.

Brandon

Re:False Positive, or just paranoia?
Feb 27, 2004 8:41AM PST

Hi Brandon,

You're welcome! As I don't have Win XP, I'll send Grif an e-mail, as he knows a LOT about XP.

Brandon, Just Some Info
Feb 27, 2004 1:53PM PST

Brandon,

It sounds like you're getting a handle on it. Doing a quick search on this WinXP HOME machine shows two files named "csrss.exe" (both lower cased), and they reside in the "C:\Windows\System32" and the "C:\Windows\System32\dllcache" folders. Likewise, the "smss.exe" file was found in five different places, once again in the "C:\Windows\System32", "System32\dllcache" or "I386" folders. The "smss.exe" files were in BOTH lower and upper case letters. They are genuine XP files. The "infected" versions of BOTH of these files, if you had them, would reside in the "C:\Windows" directory, NOT in the directories I indicated above.

The "TCP/IP NetBios helper service" is a legitimate service on this XP machine as well.

Sometimes you have to tinker with deleting unwanted files. Usually, removing the registry "call" first will allow you to remove the entry in "Safe Mode". Sometimes, I've been able to delete the file from a command window using DOS commands in "Safe Mode". (This usually works.)

Yes, if the program hasn't disabled "regedit", that's a good thing. Unfortunately, you'll notice that IF the comp is infected it can create the "bad" registry entries every ten seconds. It's important to clean out the bad file as quickly as possible.

Here are some other files that can be installed and the directories where they can reside:

%windir%\inf\Cdrom.sys
%windir%\Fonts\Dosoem.fon
%windir%\Help\Dosapp.hlp

Terrible Worm to have?...Anytime that a virus can disable my "regedit", it's not a good thing, in my opinion.

Hope this helps.

Grif
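Grif's two posts above describe one procedure: check the Run key for smss.exe and csrss.exe values that point into the Windows root rather than System32, check for the dropped files, remove the registry "call" first, and then delete the file in Safe Mode. The PowerShell script below is an added example that automates that check; it is not code from the thread, from Symantec or from any poster. The indicator list (smss.exe and csrss.exe in %windir%, plus the three extra file paths Grif listed) comes from the thread; the function names, the -Remove switch and the attribute-clearing step are ours. Run it from an elevated prompt; with no switch it only reports.

```powershell
# Added example (not from the thread). Checks the HKLM Run key and the file
# paths named in the thread for W32.Dalbug.Worm indicators. Nothing is
# changed unless -Remove is given; do removal in Safe Mode, since the thread
# notes the worm re-adds its Run values every ten seconds while running.
param([switch]$Remove)

$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Windir   = $env:windir
$System32 = Join-Path $Windir 'System32'

# Per the thread: genuine smss.exe/csrss.exe live in System32 (or dllcache /
# I386). A copy in the Windows root, or these extra files, is the indicator.
$DroppedFiles = @(
    (Join-Path $Windir 'smss.exe'),
    (Join-Path $Windir 'csrss.exe'),
    (Join-Path $Windir 'inf\Cdrom.sys'),
    (Join-Path $Windir 'Fonts\Dosoem.fon'),
    (Join-Path $Windir 'Help\Dosapp.hlp')
)

function Get-SuspiciousRunValues {
    # Returns Run values whose command is smss.exe or csrss.exe located
    # anywhere other than System32.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.Value)
            # Executable is either the quoted first token or the first word.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $leaf = Split-Path -Leaf $exe
            if ($leaf -in @('smss.exe', 'csrss.exe')) {
                $dir = Split-Path -Parent $exe
                if ($dir -and ($dir.TrimEnd('\') -ine $System32)) {
                    [pscustomobject]@{ Name = $_.Name; Command = $cmd; Path = $exe }
                }
            }
        }
}

function Get-PresentIndicatorFiles {
    # Returns the indicator paths that actually exist on this machine.
    $DroppedFiles | Where-Object { Test-Path -LiteralPath $_ }
}

$badValues = @(Get-SuspiciousRunValues)
$badFiles  = @(Get-PresentIndicatorFiles)

Write-Host "Suspicious Run values: $($badValues.Count)"
$badValues | Format-Table -AutoSize
Write-Host "Indicator files present: $($badFiles.Count)"
$badFiles | ForEach-Object { Write-Host "  $_" }

if ($Remove) {
    # Grif's order: remove the registry call first, then the file.
    foreach ($v in $badValues) {
        Remove-ItemProperty -Path $RunKey -Name $v.Name -Force
        Write-Host "Removed Run value $($v.Name)"
    }
    $targets = @($badFiles) + @($badValues | ForEach-Object { $_.Path }) | Sort-Object -Unique
    foreach ($f in $targets) {
        if (Test-Path -LiteralPath $f) {
            # Clear read-only/hidden/system bits that block a plain delete.
            (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $f -Force
            Write-Host "Deleted $f"
        }
    }
}
```

A clean report from this script matches the outcome Brandon describes below (no Run values, no files in the Windows root), while a hit on a Run value alone still means the file it points to should be removed before the worm can recreate the value.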

Re:Brandon, Just Some Info- Morning Grif (and Marianna)!
Feb 27, 2004 10:58PM PST

Thank you both for all the info.

I guess the best sign I'm not infected is that there are no files in the Windows folders (?). I, like you, Grif, have csrss files in the same places as you. On the other hand, I have only 3 entries of the smss file- in: C:\I386\system32, Windows\System32, and the dllcache folder; maybe because I have Pro. I've yet to look into my laptop where I have XP Home (btw, sorry I didn't mention my OS in my original post- I forgot what area of the forums I was in, duh.)

I've looked for all the files you posted- first by copying and pasting it in the run box, then via Explorer and by the search function. Nothing- actually, I had done that prior to my original post. I guess I'm just looking for assurances that I'm not infected. I didn't know that tcp/ip NetBios Helper service was native to XP- if it said that in any of the anti-virus sites, I sure missed it. It was THAT service that had me most concerned when I saw it.

I really appreciate the input from both of you. I'm reasonably sure I'm not infected, or if I was, not any longer. And I agree with you, Grif, that anything disabling regedit isn't a good thing...guess I wanted to hear, "not good, but you can live with it" as opposed to, "REFORMAT! REFORMAT!" lol. Thanks again, and have a great day.

Brandon

Brandon, Looks Like You've Got It Under Control..
Feb 28, 2004 9:35AM PST

...and most likely, you weren't truly infected. It appears like the infected file was found and stopped before it could do any real damage. I would keep an eye on it.

Glad we could help and keep up the good work.

Grif

(NT) Thanks again. PS: got rid of file via command line. ;-)
Feb 29, 2004 9:48AM PST


(NT) Brandon : SUPER DUPER - Great Job !!
Feb 29, 2004 10:01AM PST


(NT) Way To Go Brandon !
Mar 1, 2004 3:41AM PST
