We checked some samples of CSRSS32.DLL and detected the file CSRSS32.DLL as a threat.
Remove the CSRSS32.DLL file from your computer right now.
Removal tool: http://www.unhackme.com
Malware Analysis of CSRSS32.DLL
Full path on a computer: %SysDir%\csrss32.dll
Detected by UnHackMe:
CSRSS32.DLL
Default location: %SysDir%\csrss32.dll
Removal Results: Success
Number of reboots: 1
CSRSS32.DLL is known as:
Trojan.Ransom.Foreign.ook, RDN.Ransom.w, Trojan.Foreign.ook, Trojan.Fakealert.qunox, Trojan-Ransom.Foreign.ook, Trojan.Filecoder.PFz9mptfb6A, Troj.Ransom-LA, Trojan.ArchiveLock.1, Trojan.FakeAlert, TR.Zusy.2985.9, Trojan.Foreign.aab, Trojan.Porchanspi.B, Trojan.A.Foreign.179200.D, Trojan.Foreign, Hoax.Foreign, a variant of Win32.Filecoder.NAC, Virus.Filecoder, W32.Filecoder.NAC, Filecoder
CSRSS32.DLL hash:
- MD5: 202ceb4563623c8d7ca58b8997a57190
How to quickly detect the presence of CSRSS32.DLL?
Registry:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost: “C:\abwvrpcm\svchost.exe”
- HKLM\System\CurrentControlSet\Services\NIaSvc\ErrorControl: 0x00000001
- HKLM\System\CurrentControlSet\Services\NIaSvc\ImagePath: “%SysDir%\svschost.exe”
- HKLM\System\CurrentControlSet\Services\NIaSvc\DisplayName: “Network Locatlon Awareness”
- HKLM\System\CurrentControlSet\Services\NIaSvc\ObjectName: “LocalSystem”
- HKLM\System\CurrentControlSet\Services\NIaSvc\Description: “Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to starts.”
Folders:
- C:\Documents and Settings\LocalService\Application Data\WinRAR
- C:\abwvrpcm
- C:\plbbqirj
- C:\ProgramData
- C:\ProgramData\cbojrhub
- C:\ProgramData\kxhafmyp
- C:\ProgramData\rkbttpwo
- C:\ProgramData\stppthmain
- C:\ProgramData\tklidtjy
Files:
- %Common Desktopdirectory%\omixdmvn.txt
- %Common Desktopdirectory%\whrryggn.bat
- %SysDir%\cfwin32.dll
- %SysDir%\csrss32.dll
- %SysDir%\csrss64.dll
- %SysDir%\default2.sfx
- %SysDir%\NoSafeMode.dll
- %SysDir%\nsf.exe
- %SysDir%\sdelete.dll
- %SysDir%\svschost.exe
- C:\abwvrpcm\svchost.exe
- C:\plbbqirj\dc.exe
- C:\ProgramData\cbojrhub\svchost.exe
- C:\ProgramData\kxhafmyp\svchost.exe
- C:\ProgramData\rkbttpwo\nprkyfbl.dlls
- C:\ProgramData\rkbttpwo\qqcrwxmn.dlls
- C:\ProgramData\stppthmain\stppthmain.dll
- C:\ProgramData\tklidtjy\eifiodcn.dll
- C:\ProgramData\tklidtjy\eifiodcn.dll.dlls
- C:\ProgramData\tklidtjy\xwhljjdr.dll