Help! Can't get rid of virus/trojan/worm

Operaghost ([H]ard|Gawd, joined Jun 4, 2004, 1,315 messages)
I had installed the latest Utorrent the day before and noticed it added a bunch of toolbar shit to my browsers as well as changed my homepage.
I googled how to remove these things and did so.

I noticed a few days ago when playing a game that I was getting serious FPS lag. So I closed out all my programs and checked Task Manager.

I noticed that at idle my system was using 30-40% of my 6GB of RAM.
Then I noticed some processes that I'd never seen there before:
1. winlogon.exe
2. csrss.exe
3. nvvsvc.exe
4. nvxdsync.exe

None of these programs have any description, cannot have the properties viewed, nor can they be ended.

So I immediately ran Malwarebytes, Spybot, NOD32. None of them turned up anything and the processes persisted. Then I rebooted, and noticed after logging in that Malwarebytes had not loaded with windows.

I then followed the process found on this forum for removing malware, etc.
I made sure all my anti-malware programs were up to date. I ran CCleaner and cleaned thoroughly, including the registry. I booted into safe mode and ran Malwarebytes, which came up with 3 threats:
1. Trojan.Utanioz
2. Two instances of PUP.Optional.Conduit.A

I cleaned these items then ran SuperAntiSpyware, which found nothing.
I then ran Spybot which found nothing.
I then ran a full scan with MS Security Essentials, nothing
I rebooted and ran CCleaner again.

Checked Task Manager and found that the processes were still there.

So I decided I would reinstall windows 7.
I downloaded all my drivers, and the newest versions of anti malware programs.
I booted to Win7 disk, went to repair, opened command prompt, cleaned the 2 partitions of my SSD that I had windows installed to. Removed the partitions, created a new partition, formatted it.
Then I booted to disk again, went through Win7 install, formatted the partition again and installed to it.

As soon as I got to my desktop I checked task manager again, and there were the two damn processes again, with no description, no properties and unable to be ended.
1. winlogon.exe
2. csrss.exe
My RAM usage was lower at idle, but still using 10-12%.

Now I don't know how this problem persisted through a clean install of windows but it seems to have found a way.

I installed my drivers including video and I noticed that the other two suspicious un-described processes are back:
1. nvvsvc.exe
2. nvxdsync.exe
And my RAM usage at idle is up to 20% now.

I have 2 other hard drives in my system that I install 99% of my programs to, including my anti-malware programs, games, multimedia programs, etc.

1. Is it possible that the trojan or whatever it is somehow got rooted on one of these other drives, then infiltrates windows from there?

2. Does anyone have any recommendations on how to proceed?

I am going to search my drives for these 2 exe files now and will post pictures of my results.
 
Nuke it and re-install. A fresh install of Windows takes like 14 minutes on a modern machine. It's not even worth troubleshooting anymore.
 
I'm assuming my post was too long for you all to read through.

I already reformatted and reinstalled.
It didn't get rid of it.
 
Um, those 4 things are normal...

The second 2 are part of the nvidia driver running.

I also have 2 csrss and winlogon and I am clean 100%.
 
Viruses can't survive a hard drive format, so either the format didn't work, or the virus was installed on one of your secondary drives AND you launched it again. A virus on a secondary drive can't do anything until you choose to run it.

Winlogon.exe is a normal system process, as is csrss.exe.

EDIT: also, Windows 7 loves to use RAM; my system is also at 12% of 16GB. IIRC it's part of some process that loads commonly used programs into RAM so they start up faster.
 
Winlogon.exe
Csrss.exe
Nvvsvc.exe
Nvxdsync.exe

Those are all normal.

A quick Google of those items would have saved you a lot of trouble.
 
I did Google it.
I saw a lot of other people inquiring about having problems with it. And even some tech sites saying that there are malware versions of them and to check where they are originating from.

If they are so normal then why do they not have a description? And why can I not view their properties like every other Windows process?
 
To be safe, wipe your HD clean and reformat. You can download programs (trial version) like Cyberscrub. When it finishes wiping the HD clean, then reformat. GOOD LUCK!
 
> I did Google it.
> I saw a lot of other people inquiring about having problems with it. And even some tech sites saying that there are malware versions of them and to check where they are originating from.
>
> If they are so normal then why do they not have a description? And why can I not view their properties like every other Windows process?

Not every item has a description. In my Task Manager I have five things that have no description, VNC server being one of them: one of the vnc server.exe's has a description, the other one doesn't. Then I have winlogon, csrss and the other two nvidia items, all without a description.

Winlogon and csrss are part of windows OS, the ones that start with NV are from nvidia.

When clicking on properties, they also don't show. Why? You would have to ask Microsoft that, but I presume (and I could be wrong) that it is because those items are working at a low level which is secure, thus the OS itself is denying us when trying to view their properties. That could be one explanation, but I personally don't know the true answer as to why the properties page doesn't show for them.

But for as long as I can remember winlogon and csrss have always been like that; the nvidia ones are newish, as they only appeared not that long ago when nvidia changed their drivers and added extras to it like auto update etc.

My pc is not infected with any virus, trojan or any other type of malware.
 
All those are absolutely normal programs. A few months ago I noticed the csrss.exe process was bogging down my system and taking incredible amounts of CPU cycles (60% total) and using more RAM than normal. Googled it and found out it just bugs out every now and then. The best way to usually solve it is, when you notice it, kill it or restart your machine. Googling those processes along with what you see will usually pop up more people seeing similar things and how to go about troubleshooting it, but in my case with the csrss.exe process there wasn't really a cure besides killing it/restarting the machine when it happens.


It's absolutely normal for Windows to use more RAM over time (not necessarily from a fresh install) if you have more RAM available. That's just Windows taking advantage of the extra hardware. Now if it was at like 60% idle then you'd probably have a memory leak or some program/Windows acting up.

My laptop freshly installed Windows 7 uses 750MB/2GB just after 10-15 minutes idle time after boot. My desktop uses 2GB/8GB give or take after 10-15 minutes of idle after boot. A lot of memory is reserved by Windows for a ton of stuff, not all of which is very clear, so the more memory you have the more it'll reserve.

 
> How do you kill the process?
>
> Last time I tried, it told me "Access Denied"

My bad, apparently you can't; the only thing you can do is restart the machine if you notice it acting up, which in all my years has happened out of nowhere once. Yours seems to be part of the virus/trojan that was on your system, and it appears you already solved any negative problems since then.

Those processes listed are completely normal and based off the new results you are back to normal, so I don't think there is anything else you need to do except for running regular weekly full virus scans and trying to stay away from the whores of the internet.
 
I read that you cleaned your hard drive already. Are you using pirated software? If not maybe you are installing a package that is coming up as a false positive detection.

A virus can survive a format, YES IT CAN! But... a virus can't survive a secure wipe of the drive where you use a program to write all zeros, then ones, then random. Called a low level format. Absolutely no way for data to be retained on the drive.

When you do a basic format you are simply changing each sector to show as "Lookie here, I am able to be written to, I am empty space". The data is still retained but subject to be overwritten, and it appears as free space to the end user.

I think the problem with this discussion is the lack of the understanding of how a format works.
 
> I think the problem with this discussion is the lack of the understanding of how a format works.

No, I think the problem with the discussion is that the processes he is querying and wondering if they are bad are nothing more than normal processes.

He may have originally had a problem, but even after a "quick format" it should now be all good unless he was using a non-legit version of Windows. If he is using a legit copy of Windows then those processes are always there, especially winlogon and csrss; the other two only appear after installing nvidia video drivers.
 
Yeah, the whole OP is based on false assumptions: if you see a normal process, but suspect it is malware... run a malware scan. Which you did. With multiple engines. Nothing found, end there (except I would have done an offline scan with MS Safety Scanner or Avira Rescue Disk). Should have stopped there. Running CCleaner, Malwarebytes, and all the other tools that bork your registry is just asking for it.
If you can't trust your tools, what is the point of using them?

If you were experiencing slowdowns, you should have opened up Task Manager and looked at running processes. I'd recommend Russinovich's Process Explorer or Resource Monitor for a more complete look, but the process is the same- look for programs with high CPU and/or memory utilization. Investigate those. Both programs mentioned will also allow you to look at network and storage utilization. For all you know, your Justin Bieber photo journal was updating and causing the slowdown.
 
The OP could just run SFC /scannow and that would verify the system files as being ok.
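The posts above boil down to one check: is the process named winlogon.exe (or csrss.exe, nvvsvc.exe, nvxdsync.exe) the genuine binary, i.e. does it run from the directory it should and carry a valid Microsoft or NVIDIA signature? Task Manager shows only the name, which is exactly why malware picks these names. The script below is an added example for this thread, not code posted by anyone in it; it does what "check where they are originating from" and the Process Explorer suggestion amount to, from an elevated Windows PowerShell prompt (without elevation the image path of a SYSTEM process comes back empty, and the script reports that as "unknown" rather than guessing). The process list, the pinned directories and the trusted-signer patterns are assumptions for the example; the two NVIDIA binaries are not pinned to a directory because the driver installer decides where they go, so their verdict rests on the signature alone.

```powershell
# Added example, not from the thread: verify image path and Authenticode
# signature for processes whose names look like Windows system processes.
# Run as Administrator. Assumed inputs: the names below, the System32 pin for
# winlogon/csrss, and the signer substrings treated as trusted.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Process name -> directory the real binary must live in ($null = don't pin).
$expected = [ordered]@{
    winlogon = $sys32
    csrss    = $sys32
    nvvsvc   = $null    # NVIDIA installer decides; rely on the signature
    nvxdsync = $null
}
$trustedSigners = 'Microsoft Windows', 'Microsoft Corporation', 'NVIDIA Corporation'

function Get-ImagePath {
    param([System.Diagnostics.Process]$Process)
    if ($Process.Path) { return $Process.Path }
    # .Path is empty when the process handle cannot be opened (csrss/winlogon
    # from a non-elevated shell); WMI can still report ExecutablePath in
    # many of those cases, and returns $null when it cannot.
    $wmi = Get-WmiObject Win32_Process -Filter "ProcessId = $($Process.Id)"
    if ($wmi) { return $wmi.ExecutablePath }
    return $null
}

function Test-ProcessImage {
    param([string]$Name, [string]$PinnedDir)

    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        return [pscustomobject]@{ Name = $Name; Id = $null; Path = $null
                                  SigStatus = $null; Signer = $null; Verdict = 'not running' }
    }

    foreach ($p in $procs) {
        $path = Get-ImagePath -Process $p
        $sig = $null; $signer = $null

        if (-not $path) {
            $verdict = 'unknown: no image path (run elevated)'
        }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $dir = Split-Path -Parent $path

            if ($PinnedDir -and ($dir -ne $PinnedDir)) {
                # Same file name, different directory: the classic Task Manager decoy.
                $verdict = "SUSPECT: unexpected directory $dir"
            }
            elseif ($sig.Status -eq 'Valid' -and
                    ($trustedSigners | Where-Object { $signer -like "*$_*" })) {
                $verdict = 'ok: expected path, valid trusted signature'
            }
            elseif ($sig.Status -eq 'NotSigned') {
                # On Windows 7 most OS binaries have no embedded signature; they are
                # signed through catalog files, which this cmdlet does not consult
                # there. Confirm those with Sysinternals: sigcheck -i <path>
                $verdict = 'check: no embedded signature (catalog-signed on Win7, or unsigned)'
            }
            else {
                $verdict = "check: signature status $($sig.Status)"
            }
        }

        [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Path = $path
                           SigStatus = $sig.Status; Signer = $signer; Verdict = $verdict }
    }
}

$expected.Keys |
    ForEach-Object { Test-ProcessImage -Name $_ -PinnedDir $expected[$_] } |
    Format-Table -AutoSize
```

A "SUSPECT" row (a csrss.exe running from a user profile or a secondary drive, say) is the thing worth chasing with an offline scan; an "ok" row is the reassurance the thread gives in words. The "Access Denied" on End Process and the blank description in Task Manager are consistent with a system process whose handle a standard user cannot open, so neither is evidence on its own; the path and signature are. Pair the result with `sfc /scannow` as suggested above if a pinned binary shows anything other than "ok".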
 
> I read that you cleaned your hard drive already. Are you using pirated software? If not maybe you are installing a package that is coming up as a false positive detection.
>
> A virus can survive a format, YES IT CAN! But... a virus can't survive a secure wipe of the drive where you use a program to write all zeros, then ones, then random. Called a low level format. Absolutely no way for data to be retained on the drive.
>
> When you do a basic format you are simply changing each sector to show as "Lookie here, I am able to be written to, I am empty space". The data is still retained but subject to be overwritten, and it appears as free space to the end user.
>
> I think the problem with this discussion is the lack of the understanding of how a format works.

You sure a program can still run once it's been deleted? I know the data is still there, but there would be no way for it to run. Its location is marked as free space. Any files that it tries to access are not going to be there.
 