CSRSS64.DLL is Trojan Filecoder.NAC

Removal Results: Success
Number of reboot: 1

CSRSS64.DLL is known as:

Trojan.Filecoder.NAC, Trojan.Dacromf, Filecoder

CSRSS64.DLL hash:

• MD5: 1937d80784d952cb6cfa710641bc8989

Registry:

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost: “C:\abwvrpcm\svchost.exe”
• HKLM\System\CurrentControlSet\Services\NIaSvc\ImagePath: “%SysDir%\svschost.exe”
• HKLM\System\CurrentControlSet\Services\NIaSvc\DisplayName: “Network Locatlon Awareness”
• HKLM\System\CurrentControlSet\Services\NIaSvc\ObjectName: “LocalSystem”
• HKLM\System\CurrentControlSet\Services\NIaSvc\Description: “Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to starts.”

Folders:

• C:\Documents and Settings\LocalService\Application Data\WinRAR
• C:\abwvrpcm
• C:\plbbqirj
• C:\ProgramData
• C:\ProgramData\cbojrhub
• C:\ProgramData\kxhafmyp
• C:\ProgramData\rkbttpwo
• C:\ProgramData\stppthmain
• C:\ProgramData\tklidtjy

Files:

• %Common Desktopdirectory%\omixdmvn.txt
• %Common Desktopdirectory%\whrryggn.bat
• %SysDir%\cfwin32.dll
• %SysDir%\csrss32.dll
• %SysDir%\csrss64.dll
• %SysDir%\default2.sfx
• %SysDir%\NoSafeMode.dll
• %SysDir%\nsf.exe
• %SysDir%\sdelete.dll
• %SysDir%\svschost.exe
• C:\abwvrpcm\svchost.exe
• C:\plbbqirj\dc.exe
• C:\ProgramData\cbojrhub\svchost.exe
• C:\ProgramData\kxhafmyp\svchost.exe
• C:\ProgramData\rkbttpwo\nprkyfbl.dlls
• C:\ProgramData\rkbttpwo\qqcrwxmn.dlls
• C:\ProgramData\stppthmain\stppthmain.dll
• C:\ProgramData\tklidtjy\eifiodcn.dll
• C:\ProgramData\tklidtjy\eifiodcn.dll.dlls
• C:\ProgramData\tklidtjy\xwhljjdr.dll