Unable to end/remove a process I think is a keylogger

3

1

I have a suspicion that the process "OSRSS", shown below, is some sort of virus, although I believe it is more specifically a keylogger.

The Process called OSRSS


When I check its file location, it directs me to "C:\WINDOWS\System32\svchost" which, as far as I can tell, is a legitimate file in its proper location. When I go to end the task via Task Manager, however, I am denied access, as the image below shows.

Being denied access to end task

I have scanned it both with Kaspersky and Malwarebytes, and both tell me the file "svchost" in the location stated is virus-free. However, I feel that they are incorrect, as I checked several other Windows 10 computers and none of them have a process called "OSRSS".

I believe that this issue occurred when a video game called "Old School Runescape", along with various related programs I'm told, were downloaded to the computer. I've since then uninstalled anything downloaded in the past several days that I could easily find. It is my belief, and perhaps a paranoid one, that this "OSRSS" loosely ties into this video game "Old School Runescape", or "OSRS".

My question effectively breaks down into three parts:

  1. Would both Malwarebytes and Kaspersky guarantee my computer is fine, and I'm just being paranoid?
  2. How would I remove this process from my computer entirely, assuming it is a virus?
  3. In a worst-case scenario, would resetting my computer to factory default solve this problem, or is this keylogger embedded in the files needed to run Windows, preventing this from being a solution?

TheJarrHead

Posted 2018-02-12T15:33:14.297

Reputation: 41

What research have you done toward this? I quickly found https://www.bleepingcomputer.com/startups/ctfnom.exe-12370.html which suggests where to look for it, and that in turn should suggest ways to get rid of it - perhaps booting up in safe mode and then logging in as the computer administrator will allow you to clear it out.

– Jeff Zeitlin – 2018-02-12T15:45:09.377

What you’re looking at is a service host. The actual process is in the “Details” tab. Because it runs as a service, you cannot stop it without Task Manager running elevated. If you don’t stop the service, it will most likely also restart automatically. – Daniel B – 2018-02-12T16:16:26.187

Answers

2

Others have asked Microsoft the same question, found at the link below:

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/os-remediation-system-service/671c62b2-705a-44c1-870d-e1ed6555be37

Quote from the above webpage: "OS Remediation System Service is a legit service from Microsoft included in KB4056254 update. We are still looking for additional documentation that shows the full description of the service. In the meantime, you can check this link about the update where osrss is included."

Link on OSRSS: https://support.microsoft.com/en-us/help/4056254/windows-10-update-facilitation-service

MEZ

Posted 2018-02-12T15:33:14.297

Reputation: 41

0

Your safest bet is to use Safe Mode, change the service to disabled or, if need be, remove it from the registry under HKLM\SYSTEM\CurrentControlSet\Services (you'll have to check for the service with the appropriate name within this key).

Alternatively, without booting into safe mode I have found success in first changing a service from AUTO -> MANUAL (aka On Demand), stopping the service, and then disabling it. You can actually achieve this using a few commands:

sc config "service name" start= demand
net stop "service name"
sc config "service name" start= disabled

Dailen

Posted 2018-02-12T15:33:14.297

Reputation: 108

You can also use Sysinternals' (now part of MS) Autoruns to disable the service. Run Autoruns as Administrator. – DrMoishe Pippik – 2018-02-12T18:46:10.797
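Daniel B's comment explains that the process in Task Manager is only a service host, and Dailen's answer gives the demand/stop/disabled sequence. The following PowerShell script, added here as an example and not code from any of the answers, ties the two together: it resolves the DLL that actually implements an svchost-hosted service, checks its Authenticode signature, lists the other services sharing the same svchost process, and optionally applies the disable sequence. The service name "osrss" comes from the question; the `-Disable` switch and the variable names are assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example: inspect (and optionally disable) an svchost-hosted Windows service.
# Service name taken from the question; -Disable is an assumed switch for this script.
param(
    [string]$ServiceName = 'osrss',
    [switch]$Disable
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Host "No service named '$ServiceName' on this machine"; return }

"Display name : $($svc.DisplayName)"
"State/Start  : $($svc.State) / $($svc.StartMode)"
"Host process : $($svc.PathName) (PID $($svc.ProcessId))"

# svchost.exe only hosts the service; the real code is the ServiceDll recorded
# under the service's Parameters key, so that is the file worth examining.
$paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
$dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
if ($dll) {
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    "Service DLL  : $dll"
    $sig = Get-AuthenticodeSignature -FilePath $dll
    "Signature    : $($sig.Status) ($($sig.SignerCertificate.Subject))"
} else {
    "Service DLL  : none recorded (not an svchost-hosted service?)"
}

# Other services in the same svchost process: ending that process kills these too,
# which is one reason Task Manager refuses and why stopping the service is the right tool.
if ($svc.ProcessId) {
    $others = Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Where-Object Name -ne $ServiceName | Select-Object -ExpandProperty Name
    "Shares PID with: $($others -join ', ')"
}

if ($Disable) {
    # Dailen's sequence: on-demand first, then stop, then disabled so it cannot restart.
    Set-Service -Name $ServiceName -StartupType Manual
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $ServiceName -StartupType Disabled
    Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
}
```

Check the signature line before using `-Disable`: a valid Microsoft signature on the ServiceDll is consistent with MEZ's answer that the service is part of a Windows update.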

0

I had a similar problem not long ago. Locate the file with Task Manager (right-click, go to file location). It'll probably open a File Explorer window and throw the same permission error, but try to get at least the folder. Then get a Linux bootable USB, boot from it and delete the file/folder where the suspicious program is.

Also, two notes:

First, be sure it's not a system process. Check the other answers or search through the Microsoft support page.

Second, at least in my case, the f*****g thing created a redundant yet exclusive group of admins, which even with my user I couldn't manage, and I don't know if Microsoft has found a solution to this (probably not), so keep in mind you might need to restore/reinstall the system.

Good luck.

dCarMal

Posted 2018-02-12T15:33:14.297

Reputation: 276

-1

You should have a look at Hiren's Boot. I've been using this for about 4 years now and it's very easy to use for all sorts of computer problems.
You can simply follow the guide on how to use Hiren's Boot from a CD.
Once you've made a bootable USB or CD (depending on what you prefer) you can boot up a mini Windows XP version. From there you have access to all kinds of software like virus and malware scanners. There are also some tools that will make it possible for you to delete things from your PC which you weren't able to before.

But be careful, because a lot of those tools are powerful.

Thimo Demey

Posted 2018-02-12T15:33:14.297

Reputation: 154