Windows cannot find crsvc.exe & how to fix it.


  • Windows cannot find crsvc.exe & how to fix it.

    My configuration:

    OS: Clean installation of XP professional SP3 volume license (downloaded from MSDN website, not a slipstream)

    Hardware: Asus p5gdc-v deluxe MOBO, RAID0 using the onboard ICH6R controller, Nvidia quadro FX 1300 GPU


    My error: three network drives are mapped during the login process. When trying to access them (double click) I receive an error: "windows cannot find crsvc.exe". When right-clicking them, the second item on the drop-down menu is "ZAYLE". Upon further investigation I discovered a corruption in the "MountPoints2" registry key (see attachments).
    Symantec antivirus and Spybot, both up to date, found no virus/spyware presence.

    does anyone know how to fix this?


    thanks...

    Ron

  • #2
    Re: Weird error, little info in the web

    Well, are you sure you installed the English version of SP3?
    What do I know, I am only 26.

    Comment


    • #3
      Re: Weird error, little info in the web

      As I said, it's the official "windows XP with SP3" iso from MSDN website.

      I tried deleting all subkeys under MountPoints2 - but it gets recreated every login (as it should), corrupted (as it shouldn't...).
      deleting the entire user profile folder (domain user) also does not help.

      Comment


      • #4
        Re: Weird error, little info in the web

        Didn't you google for crsvc.exe or zayle?

        It is a worm and it has its installation file on the network share.
        Scan the server for viruses.
        For safety, do not open the folder that is shared if you logged on to the server.

        The installation file is called AUTORUN.INF, and it is on the share <- that explains the "Autoplay" in the context menu.
        The second name in the menu list is the name of the virus:
        - http://www.trendmicro.com/vinfo/viru..._VB.AD&VSect=T
        - http://hrivera99.blogspot.com/2007/11/zayle-zavher.html


        It is recommended to let an AntiVirus program do the cleanup before trying to manually delete just the main virus files.

        Most AUTORUN.INF files are hidden files. Delete it from each share.
        On the clients (and possibly the file server), remove the entry Syslog = "C:\crsvc.exe "
        from key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (for every user that logs on)
        and (if the users have admin rights) from the key:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

        Scan every USB device that users plug into the computer.


        \Rems

        Btw, Symantec antivirus should have found crsvc.exe on the clients, so there is more to be concerned about.
        http://www.symantec.com/security_res...020-99&tabid=2

        .
        Last edited by Rems; 11th June 2008, 22:32.

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts

        Comment


        • #5
          Re: Weird error, little info in the web

          there is no autorun.inf, nor Syslog = "C:\crsvc.exe" entry.
          I already scanned the server and the client with the most up to date symantec AV and spybot.

          that is exactly why I called the error "weird".

          Comment


          • #6
            Re: Weird error, little info in the web

            Oh, that Autorun.inf file is out there where the mapping is connected/redirected to.
            That explains the AutoPlay in the context menu, and the message "windows cannot find crsvc.exe" after double clicking the mapped drive.

            It is not weird, you are just being tricked by a virus.
            The virus itself is probably corrupted.


            Just what first comes to mind:

            Open the Run box and type: cmd /k net use
            Check if the drive letters actually are connected to the server.
            (is it an unc path directly to the server or do you use dfs names?)

            Are there usb storage devices attached to the computer?

            Is 'off line files' activated in folder options?


            Can you export the key ##terminalserver#Quilsoft ERP and post it here.
            I am curious what is in the subkeys, especially the shell key.


            \Rems
            Last edited by Rems; 11th June 2008, 23:44.


            Comment


            • #7
              Re: Weird error, little info in the web

              Hi Rems,

              I did "cmd /k net use" as you suggested, drive letters ARE connected to the server as they should (see attachment). I also exported the key you requested.

              no USB devices were connected to the computer.

              off line files is activated on G: only.

              Comment


              • #8
                OK guys, I got it.

                autorun.inf was in fact present and super hidden, which is why I didn't see it the first time I checked.

                the steps to get rid of this virus (which seems to be a modern love poem of a super-geek to his girlfriend) are:

                On the server machine (server as in hosting the mapped folder): open a COMMAND window. "CD\" your way to the folder and type
                attrib -s -h autorun.inf
                ENTER, and
                del autorun.inf
                ENTER.

                On the client machine: open regedit, navigate to
                HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, and delete all subkeys.
                Open Windows Explorer, right click any mapped drive and disconnect it.
                Restart the computer, you're good to go.

                It is highly recommended to scan both the server and client computers with an antivirus/antispyware to eliminate the presence of any malicious files such as crsvc.exe.

                feel free to leave feedback if you followed the instructions and let me know if it helped you or not.

                Comment
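
An added example, not part of any post in this thread: a small Python parser for the `autorun.inf` format discussed above. It lists the context-menu verbs and the command lines such a file asks Explorer to use, so a copy of the file can be reviewed before it is deleted. The sample file is constructed and only reuses the two names reported in the thread (`crsvc.exe`, `ZAYLE`); the function names are hypothetical.

```python
import re

# Keys in the [autorun] section that make Explorer start a program directly.
_EXEC_KEYS = ("open", "shellexecute")
_VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.I)   # shell\verb\command=
_VERB_TEXT = re.compile(r"^shell\\([^\\]+)$", re.I)           # shell\verb=Menu text

def parse_autorun(text):
    """Return the launch-relevant entries of an autorun.inf as a dict."""
    result = {"commands": [], "verbs": {}, "default_verb": None}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"  # section names are case-insensitive
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key_l = key.lower()
        if key_l in _EXEC_KEYS:
            result["commands"].append((key_l, value))
        elif key_l == "shell":
            result["default_verb"] = value.lower()  # verb used on double-click
        elif (m := _VERB_CMD.match(key)):
            result["verbs"].setdefault(m.group(1).lower(), {})["command"] = value
        elif (m := _VERB_TEXT.match(key)):
            result["verbs"].setdefault(m.group(1).lower(), {})["menu_text"] = value
    return result

def launched_programs(parsed):
    """All command lines the file asks Explorer to run, deduplicated, in order."""
    cmds = [value for _, value in parsed["commands"]]
    cmds += [v["command"] for v in parsed["verbs"].values() if "command" in v]
    return list(dict.fromkeys(cmds))

# Constructed sample (not the real file from the thread, whose contents are not shown).
SAMPLE = r"""
[AutoRun]
open=crsvc.exe
shell\open=ZAYLE
shell\open\command=crsvc.exe
shell=open
[Other]
open=ignored.exe
"""
print(launched_programs(parse_autorun(SAMPLE)))
```
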


                • #9
                  Re: windows cannot find crsvc.exe (was: Weird error, little info in the web)

                  Title changed.
                  Marcel
                  Technical Consultant
                  Netherlands
                  http://www.phetios.com
                  http://blog.nessus.nl

                  MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                  "No matter how secure, there is always the human factor."

                  "Enjoy life today, tomorrow may never come."
                  "If you're going through hell, keep going. ~Winston Churchill"

                  Comment


                  • #10
                    Re: Windows cannot find crsvc.exe & how to fix it.

                    (Title changed again to reflect that it now also provides a solution.)

                    Ronrose, thanks for posting back with a solution to your problem. We appreciate that here.

                    Would also be a nice gesture to give Rems some Reputation Points as his Google put you on the solution track.
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2

                    Comment
