05 May 2010

Yet another backdoor: lsasvc.exe and csrss.exe

Due to my stubborness of ignoring Antivirus for the sake of "performance", once again another backdoor under filename lsasvc.exe in (C:\Windows\system32) and csrss.exe (C:\Windows)  infiltrate my aging XP. Not sure which browser that let them break free :) but they always appeared together every reboot (which is rare) and like most backdoor they break some winsock policies and eat my internet bandwidth for their own activities.

What can I do? simple! since they always use the same filename and path I create a folder named "lsasvc.exe" under Windows\system32 and "csrss.exe" under Windows directory. done, it's just impossible to create that filename there anymore

Of course it's not fully done, but I really don't care whether they still hiding somewhere as long as they never activated :)

edit: of course I did that after killing the processes (which is very self explanatory using plain task manager or process explorer) then delete the virus and optionally run "sc delete LSAService" and delete csrss' registry run entry.

1 comment:

  1. When I start my computer and I check processes with task manager I see a csrss process running that has no information, it does not allow yoi to see any property or file location. I can remove or stop 0r kill this process.I got help from here you can try it.