Spyware, Viruses, & Security forum

General discussion

Virus Help - DSC.EXE overload!

My system is a DELL (old one, Intel Pentium 4, 256MB RAM) running Windows XP.

I had a pretty nasty Adware attack this weekend. I think i took care of it with instructions from this forum (ran Smitfraud; ran SuperAntiSpyware; Ran CCleaner). There's a few little glitches remaining that i'm working on fixing, but the Adware pop-ups have stopped at least.

However, I'm pretty sure I have a virus as well now (not sure if it's related, i suspect it is). Symptoms:

- Task Manager is showing multiple dsc.exe entries (like 15-20 between the 2 users on the computer) when no programs are running, using up a lot of CPU usage.

- In task manager, CSRSS.EXE showing higher than usual CPU Usage (20-40%). I know this is a part of the Windows operating system, but i've also read that it can be a bogus file associated with a virus?

- Total CPU Usage at 95-100% all the time, with no other software running.

- I'm continuously hearing mouse clicks in the background, when i'm not clicking on anything (this really freaks me out).

I ran a virus scan with McAfee Stinger, as well as with Avira AntiVir. Both turned up nothing. I'm going to try to run the Avira scan again in safe mode. But I was wondering if there were any other programs anyone could suggest, or if this sounded like a specific virus that anyone might have more info about?

thanks
Dan

PS. this weekend was my first time using this site. i'm amazed at the knowledge here and the willingness to help. very cool.

DSC.exe

In reply to: Virus Help - DSC.EXE overload!

Name: Desktop Service Centre

Filename: DSC.exe

Command: C:\Program Files\OptusNet DSL Internet\DSC.exe

Description: OptusNet DSL or Dial-Up connection software. Reports have shown that this file can cause a huge drain in resources and that disabling it will cause no problems.

File Location: C:\Program Files\OptusNet DSL Internet\DSC.exe

Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.

http://www.bleepingcomputer.com/startups/DSC.exe-1245.html

...

Filename: DSC.exe

Number of Processes : 6

http://www.pcreview.co.uk/startup/DSC.exe.php


.....

What is csrss.exe?

Process name: Client Server Runtime Process
Product: Windows
Company: Microsoft
File: csrss.exe

http://www.neuber.com/taskmanager/process/csrss.exe.html

I would suggest:

F-SECURE -- Vista 32-bit, XP Home Edition and Professional 32-bit, 2000 SP 4, Internet Explorer 7.0 & 6.0

Scans for malware and rootkits.

Please perform a scan with F-secure online scanner

1. Scroll to the bottom of the page and click on "Start Scanning"
You may receive an alert on the address bar at this point to install the ActiveX control, please do so.
2. After installed, click on Accept on the license agreement.
3. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
4. When the scan completes, click the "I want to decide item by item" button.
5. For each item found, Select "Disinfect" and click "Next".


Please perform a scan with TrendMicro Housecall

Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.

1. Under "Scan your PC", please click "Scan now. It's free!".
2. Then under "Continue with your free scan" click on "Launch Housecall Free Scan".
A new window will open.
3. Read and put a Check next to "Yes, I accept the Terms of Use".
4. Click the "Launch HouseCall" button.
If Java support is disabled on your system or no Java runtime environment is installed, click on the link in the red box to download and install Java or enable Java.
5. Next, click on "Starting HouseCall". Please be patient while Housecall downloads necessary components. You may receive a Security Warning " Do you want to install this software? Name: hcImpl.cab Publisher: Trend Micro..." Click Run when prompted.

Please be patient while Housecall downloads necessary components. You may receive a Security Warning about the TrendMicro Java applet and asking if you want to run it Click "Yes" when prompted.

Again please be patient while Trend Micro HouseCall is updated or installed. This can take some time especially if you are using a dial-up connection.

7. Under "Scan complete computer for malware, grayware, and vulnerabilities" click the "Next>>" button. It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start. Once the scan is complete, it will take you to the summary page.
8. Once done, it will take you to the "Results page". In the "cleanup options" select the first dial button "Clean all detected infections automatically".
9. Click the "Clean now>>" button.
10. When presented with a notification "According to your instructions, all detected infections were cleaned...", click "OK".

......

Operating Systems: Microsoft

Thanks!

In reply to: DSC.exe

Thanks for the quick reply, and detailed suggestions. Looks like i'm going to be busy tonight.

I rebooted and started running F-Secure, but my system is freezing, saying i'm running low on virtual memory. It's stuck at the "preparing to scan" screen. Is there anything i can do??

i hate computers.

Cancel the F-Secure scan......

In reply to: Thanks!

and try to download MalwareBytes and run it......... could well be, malware is interfering.

Try to stay calm, cool and collected

the f-secure scan started working...

In reply to: Cancel the F-Secure scan......

but at a snail's pace. if it's going to do my entire C: drive (which was 130,000 files for the superantispyware scan) it might take 24hrs+. i may abort and try the malwarebytes route instead.

unfortunately staying calm is not something i excel at. my neighbour has heard an inordinate amount of F-bombs this weekend.

DSC.exe... in addition.......

In reply to: Virus Help - DSC.EXE overload!

I don't know IF you saw it, but

This is a valid program but it is not required to run on startup.

This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.

Re: in addition...

In reply to: DSC.exe... in addition.......

sorry... which program are you referring to?

I am referring to the DSC.EXE

In reply to: Re: in addition...

as I wasn't sure IF you had seen the info about disabling it as it does NOT have to run at startup.

Re: DSC.exe disabling

In reply to: I am referring to the DSC.EXE

i don't know which programs it's starting from though? (sorry if i'm being dense)

this is seriously f-d. i just went into task manager. i have about 100 dsc.exe listed there. maybe more. they seem to be multiplying on their own now.

How about going the route via.......

In reply to: Re: DSC.exe disabling

Start > run > type: services.msc o.k.

and look for: Desktop Service Centre

When you find it/them, double-click on it/them. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

i'll give it a try...

In reply to: How about going the route via.......

and then i'm going to bed.

oh... and my f-secure scan had gotten to 26000 files scanned, and had found 4 viruses, 3 spyware, with 7 skipped files (what does that mean, PS?) it just crashed on me so i have to start the scan again.

people who make viruses are not very nice people.

skipped files.......

In reply to: i'll give it a try...

without knowing "which files", could well be the scan is skipping the files in System Restore.

Right, take a good night's rest and do NOT dream of your computer ... is NOT worth it ..... tomorrow is another day

weird...

In reply to: How about going the route via.......

no sign of "desktop service centre" in my list of services. but there's about 40 dsc.exe in my task manager process list.

Can you SEE anything like.......

In reply to: weird...

OptusNet DSL or Optusnet DSL Internet

or

Dial-Up connection software

nope...

In reply to: Can you SEE anything like.......

nothing like that. quite a mystery.

Re: Malwarebytes AntiMalware... in your instructions it says to click "perform quick scan", but when i do that it doesn't prompt me for drives to check. should i be doing the full scan?

(NT) FULL scan...... o.k.

In reply to: nope...

Have you ENABLED to see hidden files?

In reply to: weird...

As I just found a HJT log with exactly the same service:

O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe


To "see" hidden files:

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

hidden files are now enabled...

In reply to: Have you ENABLED to see hidden files?

but still no sign of it in the services list. i'll do a search.

btw...i really appreciate your help. it's really great of you to volunteer your time like this.

Great,...I would think ...

In reply to: hidden files are now enabled...

it is BETTER you take your Good Night BREAK and relax

You Are Very Welcome, hope we can "nail down" your problem tomorrow

Good Night !

while i'm here...

In reply to: hidden files are now enabled...

my C: drive doesn't show up under "My Computer" anymore. Any idea how to get it back there?

(i know it's unrelated, but we're the only 2 in this thread...)

hmm......

In reply to: while i'm here...

It could well be due to malware........

In reply to: while i'm here...

After you scanned your computer with MalwareBytes Anti-Malware, pls. save your log and post it, so I can see what was found. Thanks

Btw. can you SEE the C drive via Start\explore ?

Oops...

In reply to: It could well be due to malware........

Sorry, didn't see your post until this morning. I had run the Malwarebytes overnight, 34 infections found (17 registry, 17 files), and i removed them - and i didn't save the Log. Does it get saved somewhere?

The good news is my Logoff button has reappeared, as has the C: drive in My Computer. Damn Malware!! *shakes fist at sky*

Re: Oops

In reply to: Oops...

I'm at work now and have left F-Secure and Housecall both doing scans while I'm gone. Before I left though I checked task manager... there were zero dsc.exe processes running, and csrss.exe was taking little to no CPU usage. looks like Malwarebytes got rid of a lot of the problem!

Re: Oops...

In reply to: Virus Help - DSC.EXE overload!

Well, I guess, Malwarebytes Anti-Malware did a terrific job

Sounds GOOD so far !

Pls. let me know IF the 2 on-line scans did find anything

Hope you are "feeling better" today without "F-bombs"

I'm cured! (i think, touch wood)

In reply to: Re: Oops...

i've run malwarebytes, housecall and f-scanner. malware found the most, f-secure and housecall both found a handful. (I have the logs for malwarebytes and f-secure, i'll copy and paste them below.) no pop-ups, and no weird processes running in the background. my crappy old 256-MB Ram Dell is running about as good as can be expected. thanks again for your help on this!!

cheers
dan

Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

7:07:27 AM 21/07/2008
mbam-log-7-21-2008 (07-07-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156821
Time elapsed: 4 hour(s), 32 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{18b843ee-ce5c-4f1a-b2d1-48cc4afaf4a8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{471c56ea-2927-401b-9610-cc863f7a56ff} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5b93a9a-49d1-467b-8774-bc7ea5c4d003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9f97f2a9-c10e-4ad3-9874-1974d5981251} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fdxbameg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fsrpknov (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213986.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213987.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213988.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213990.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213993.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213994.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213996.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213997.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213999.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0214000.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\erem.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clbdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\gpefaowr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dannyd\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\DannyD\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\DannyD\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


F-Secure Scanning Report
Monday, July 21, 2008 19:37:22 - 22:56:50
Computer name: D8DRB821
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 7 malware found
Hoax.Win32.Renos (virus)
System
Hoax.Win32.Renos.vaoz (virus)
C:\WINDOWS\SYSTEM32\IEDFIX.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1404\A0222230.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\RALSA\DESKTOP\SMITFRAUDFIX\IEDFIX.C.EXE
C:\DOCUMENTS AND SETTINGS\RALSA\DESKTOP\SMITFRAUDFIX\IEDFIX.EXE
RiskTool.Win32.Reboot (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 75520
System: 4872
Not scanned: 12
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 7
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
C:\WINDOWS\$NTUNINSTALLQ828026$\WMPCORE.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1402\A0213998.DLL
C:\PROGRAM FILES\AUDIBLE\BIN\DETAILS.HTML
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B3FF776F22E1E51EE89A9214013F4076_1DCE0E75-1303-433A-BFC1-6B582BD25551

damn it! spoke too soon.

In reply to: Re: Oops...

logged into my wife's profile. she's still showing a whole whack of dsc.exe processes and her computer's running slow. i guess i'll have to run the scans from her profile as well. F.

Yes, you have to clean ALL users.......

In reply to: damn it! spoke too soon.

...... but hey, "you now know the drill"

After you went through ALL users with MBAM and F-Secure...... I also would run CCleaner:

Download: CCleaner
http://www.majorgeeks.com/download4191.html
http://www.ccleaner.com/
Once installed, disable your protection programs that could prevent registry changes, run CCleaner click the Windows tab

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right)
after the scan is done Exit (reboot)

Then I would:

Restore Point creating

• Create a new Restore Point:
- Go to Start -> All Programs -> Accessories -> System Tools -> System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

• Delete the old Restore Points:
- Go to Start -> All Programs -> Accessories -> System Tools -> Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Good Luck

Re: Clean all users...

In reply to: Yes, you have to clean ALL users.......

I ran Malwarebytes on her profile, it didn't find anything. Hopefully housecall or f-secure find whatever it is that's messing her profile up.

I've run CCleaner on my profile already, i'll be sure to run it on hers as well once it's 'disinfected'.

Don't forget to UPDATE Malwarebytes Anti-Malware.......

In reply to: Re: Clean all users...

as they update every day

Keep up the good work !

Done, for real this time

In reply to: Don't forget to UPDATE Malwarebytes Anti-Malware.......

i was mistaken... malwarebytes found these 2 items on my wife's profile:

Registry Data Items Infected:
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) G

removing these got rid of the multiple dsc.exe processes that were slowing the computer down. f-secure and housecall found a few items each as well, and i think we're good to go. thanks again for your help.

cheers
dan
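
Added example, not part of any post in this thread: a small Python triage script for the Malwarebytes log lines posted above. It splits findings into per-user (HKEY_CURRENT_USER) and machine-wide ones, which is why each Windows profile had to be scanned separately, and decodes the `NoDrives` bitmask (12 hides C: and D:) behind the missing C: drive. The helper names (`parse_log`, `scope`, `decode_nodrives`, `triage`) are hypothetical, and the line pattern is inferred from the posted log, not from a documented Malwarebytes format.

```python
import re
from collections import Counter

# Lines copied from the Malwarebytes log posted in this thread (abridged).
SAMPLE_LOG = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
C:\WINDOWS\erem.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Assumed line shape, inferred from the posted log:
# <object> (<Family.Name>) -> [Bad: (<value>) Good: (<value>) -> ]<action>
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[A-Za-z]+(?:\.[A-Za-z]+)+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?(?P<action>.+)$"
)


def scope(path):
    """Classify where a finding lives, which decides who has to rescan."""
    upper = path.upper()
    if upper.startswith("HKEY_CURRENT_USER\\"):
        return "per-user"   # hive of the account that ran the scan only
    if upper.startswith("HKEY_LOCAL_MACHINE\\"):
        return "machine"    # shared by every account on the PC
    if upper.startswith("HKEY_"):
        return "other-hive"
    return "file"


def parse_log(text):
    """Return one dict per detection line; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            item = match.groupdict()   # 'bad'/'good' are None when absent
            item["scope"] = scope(item["path"])
            findings.append(item)
    return findings


def decode_nodrives(mask):
    """NoDrives is a bitmask: bit 0 hides A:, bit 1 hides B:, bit 2 hides C: ..."""
    return [chr(ord("A") + bit) + ":" for bit in range(26) if (mask >> bit) & 1]


def triage(text):
    """Summarise families, per-user value names and drives hidden by NoDrives."""
    findings = parse_log(text)
    report = {
        "families": Counter(f["family"] for f in findings),
        "per_user": [f["path"].rsplit("\\", 1)[-1]
                     for f in findings if f["scope"] == "per-user"],
        "hidden_drives": [],
    }
    for f in findings:
        if f["path"].endswith("\\Explorer\\NoDrives") and (f["bad"] or "").isdigit():
            report["hidden_drives"] = decode_nodrives(int(f["bad"]))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```
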
