Jump to content
IObit Forum
Top Free Driver Updater Tools Best 25 PC Optimization Software Best 22 Antimalware Best 22 Uninstaller Software IObit Coupons & Discount Offers PC Optimizer Mac Boost Advice IObit Coupons A Good Utility Program From IObit IObit Promo Codes IObit Coupon Codes IObit Coupons and Deals FAQs Driver Booster Pro Review

Run Value=Client Server Runtime Process. Is this FP? [NO it is not!]


Recommended Posts

Posted

Hi,

 

Every time I run IO360 I get this come up:-

 

Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=Client Server Runtime Process, 4-25528

 

I get it from other cleaner software also, and they point to csrs.exe

 

Is this an FP?

 

TIA

Posted
Hi,

 

Every time I run IO360 I get this come up:-

 

Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=Client Server Runtime Process, 4-25528

 

I get it from other cleaner software also, and they point to csrs.exe

 

Is this an FP?

 

TIA

 

Hi lufc71

 

After scanning, please save a report of the scanning result and send to us.

 

Did you mean they point to csrss.exe ? This is a system file. If the file is ok, it will start with system startup and it does not need to write the following value in the run.

 

You can send us your suspicious file (csrs.exe) by uploading to http://www.wikisend.com and give us the download link. Or you can upload your suspicious file to http://www.virustotal.com for analyzing, and post your analysis report.

 

We are looking forward to your reply.

Posted
...Did you mean they point to csrss.exe ? This is a system file. If the file is ok, it will start with system startup and it does not need to write the following value in the run...

 

Hi,

 

Many thanks for your prompt reply.

 

When running 360 the error is reported as a trojan in the registry (see above quote) as a runtime process of a file called 'csrs.exe' in the c:\windows\system32 directory. However, the file is not there; although of course csrss.exe is there. I have explorer set to show hidden files but I still cannot find it. If I delete the entry after running 360 or try to delete it manually from the registry it immediately re-appears.

Posted

http://www.wikisend.com/download/451296/

 

I looked in C:\WINDOWS\ServicePackFiles\i386 and csrss.exe is not there.

 

csrss.exe in the system32 directory is 6kb.

 

Also, here's a new report:-

 

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1620

Time Elapsed:00:32:00

Objects Scanned:89195

Threats Found:4

 

|Name|Type|Description|ID|

Tracking Cookies, Cookies, http://googleads.g.doubleclick.net/pagead/test_domain.txt, 7-1379

Tracking Cookies, Cookies, Cookie:peter@quantserve.com/, 7-2072

Tracking Cookies, Cookies, Cookie:peter@atdmt.com/, 7-1541

Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=Client Server Runtime Process, 4-25528

Posted
http://www.wikisend.com/download/451296/

 

I looked in C:\WINDOWS\ServicePackFiles\i386 and csrss.exe is not there.

 

csrss.exe in the system32 directory is 6kb.

 

Also, here's a new report:-

 

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1620

Time Elapsed:00:32:00

Objects Scanned:89195

Threats Found:4

 

|Name|Type|Description|ID|

Tracking Cookies, Cookies, http://googleads.g.doubleclick.net/pagead/test_domain.txt, 7-1379

Tracking Cookies, Cookies, Cookie:peter@quantserve.com/, 7-2072

Tracking Cookies, Cookies, Cookie:peter@atdmt.com/, 7-1541

Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=Client Server Runtime Process, 4-25528

 

Hi

 

PLS update and full scan your PC again.

Posted
Hi

 

PLS update and full scan your PC again.

 

Thanks again for your help fellas :)

 

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1624

Time Elapsed:00:30:47

Objects Scanned:92835

Threats Found:3

 

|Name|Type|Description|ID|

Tracking Cookies, Cookies, Cookie:peter@atdmt.com/, 7-1541

Tracking Cookies, Cookies, Cookie:peter@nspmotion.com/, 7-2012

Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=Client Server Runtime Process, 4-25528

Posted
Thanks again for your help fellas :)

 

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1624

Time Elapsed:00:30:47

Objects Scanned:92835

Threats Found:3

 

|Name|Type|Description|ID|

Tracking Cookies, Cookies, Cookie:peter@atdmt.com/, 7-1541

Tracking Cookies, Cookies, Cookie:peter@nspmotion.com/, 7-2012

Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=Client Server Runtime Process, 4-25528

 

Hi lufc71

 

You can use the Hijack Scan to fix it or give us a report.

 

PS: Do you have an antivirus software? If you have, PLS full scan and fix it; If not, you can download AntiVir or Avast,(cnet) Then do it.

Posted
Hi lufc71

 

"You can use the Hijack Scan to fix it or give us a report."

 

Logfile of IObit HijackScan v1.0.0.0

Scan saved at 11:46:17, on 2010-7-12

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

 

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: - -

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe

O9 - Extra button: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} -

O9 - Extra button: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}TheFacebook.FacebookPhotoUploader5.5.1 - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968}TheFacebook.FacebookPhotoUploader5.5.1 - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_20 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}Java Plug-in 1.6.0_20 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_20 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Apple Mobile Device (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus (avast! Antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner (avast! Mail Scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner (avast! Web Scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: GSService (GSService) - Unknown - C:\WINDOWS\system32\GSService.exe

O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: SMServer (SMServer) - SMServer - C:\WINDOWS\system32\snmvtsvc.exe

O23 - Service: Boot Security (xmukjuuho) - Unknown -

 

 

"PS: Do you have an antivirus software?"

 

Yes. Avast Professional, but it does report this error.

Posted

Hi lufc71,

 

For your Information:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run Value=Client Server Runtime Process

 

Is added by the LINKBOT.M WORM! a variant of AGOBOT/GAOBOT WORM!

 

Cheers.

Posted

Yep, an oldie from 2006 (even 2005).

 

The file isn't there anymore (lufc71 looked hard and well), plus it isn't seen running in processes.

 

The Run value won't go because SpyBot's Tea Timer is protecting it.

 

There is also an empty - and strange - Service key showing in the log, but it appears orphaned as well (the last line > "Boot Security" Service).

 

===

 

lufc71 : please uninstall SpyBot completely, then restart the computer. Once restarted, delete ("fix") the Run value and it won't come back.

 

You can re-install SpyBot if you want, but I wouldn't bother.

 

Avast! version 4 has the older engine ; you should contact Avast! to see if you can get version 5 Pro, which is better than the one you have.

 

Good luck.

 

===

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...