Posted on 2006-05-17
Last Modified: 2010-04-11
Hi there,

Had this virus on a machine - it is detailed at - Panda detects the files and removes them but doesn't actually remove the virus. Have removed the entry in the registry, but it still keeps coming back with a vengeance - have tried changing the csrss.exe file.

Any ideas?

I will try and get a HijackThis scan done on the system.


Question by:pcowen
    LVL 42

    Expert Comment

    run a virus scan with updated definitions in SAFE MODE.
    LVL 42

    Expert Comment

    NOD32 is able to detect this virus (also known as Scano.AA) with the latest definitions.
    free download:

    delete your restore points (right click My Computer, go to restore and uncheck the enabled box. This will delete the restore files. Once your computer is clean of the virus, you can re-enable the restore).

    run your scan in safe mode
    LVL 32

    Expert Comment

    Yes, please post the link to the HJT log:

    Download and run HijackThis from
    Copy-and-paste the resulting log back to that same web site (not here)
    Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
    Finally post a link here to the saved analyzed page.
    LVL 2

    Expert Comment

    AVG is a nice free virus scanner with definitions comparable with Symantec's in my opinion.

    Author Comment

    This virus is rather horrible and NOD32 didn't remove it.
    HijackThis, when I posted to the site, didn't report anything untoward.
    The virus keeps replicating - think because of csrss.exe.

    Will try a few antispyware tools, e.g. Lavasoft Ad-Aware and Spybot S&D, and see if they can sort it.

    Windows Defender didn't get rid of it (used to be AntiSpyware).
    LVL 32

    Expert Comment

    If the csrss.exe file is in the \windows\system32 folder, then it is the legit Windows file.

    However, if it is in some other folder (such as c:\windows) then it is a virus, and here is what you can do:

    (0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

    (1) Right click on the file (csrss.exe) in Windows Explorer or My Computer, select Properties

    (2) Click on the Security tab.

    (3) Click on the Advanced button.

    (4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

    (5) Close all windows.

    (6) Reboot.

    After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone.

    At this point you can clean up with a standard anti-spyware or anti-virus program.
    LVL 47

    Accepted Solution

    It behaves like a startpage trojan, don't kill the file --> C:\WINDOWS\csrss.exe
    because it is hooked up with the Image File Execution Options, which has that file as a value under Debugger. If the file is gone and the registry entry is still there, your explorer.exe won't load.
    "Image File Execution Options" loads before everything loads.

    You need to remove the registry entry first, then delete the file.
    Can we look at your hijackthis log?

    Here's where it is in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: "C:\WINDOWS\csrss.exe"
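The two expert posts above (the ACL-lockdown steps and the accepted answer about the Image File Execution Options Debugger value) can be combined into one audit-and-cleanup routine. The script below is an added example written for this page, not a tool from the thread or from Experts Exchange: it lists every IFEO subkey that carries a Debugger value, flags ones that point outside System32 or at a file that no longer exists, and, for a chosen target such as explorer.exe, removes the registry value first and only then renames the file out of the way, in the order the accepted answer gives. The function names, the `-QuarantineFile` switch and the `.quarantine` suffix are choices made here, and the script assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example for this thread (not the poster's or Experts Exchange's code).
# Audits Image File Execution Options "Debugger" values and cleans a chosen
# one in the safe order: registry value first, file second.
# Assumes an elevated PowerShell prompt on the affected machine.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-IfeoDebugger {
    # One object per IFEO subkey that has a Debugger value (the key from the thread).
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            # The value may be quoted and may carry arguments; keep only the executable path.
            if ($debugger -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($debugger -split '\s+')[0] }

            $exists     = Test-Path -LiteralPath $exe
            $inSystem32 = $exe -like "$system32\*"
            [pscustomobject]@{
                Target     = $_.PSChildName          # e.g. explorer.exe
                Debugger   = $debugger               # raw registry value, e.g. "C:\WINDOWS\csrss.exe"
                Exe        = $exe
                Exists     = $exists
                InSystem32 = $inSystem32
                # Heuristic only: legitimate debuggers (Visual Studio, Sysinternals tools)
                # also use this key, so review each flagged row rather than acting blindly.
                Suspicious = (-not $exists) -or (-not $inSystem32)
                KeyPath    = $_.PSPath
            }
        }
    }
}

function Find-StrayCsrss {
    # The real csrss.exe lives in System32 (and in the WinSxS store on newer Windows);
    # any other copy under the Windows directory is worth a look.
    Get-ChildItem -Path $env:SystemRoot -Filter csrss.exe -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -ne $system32 -and $_.DirectoryName -notlike "$env:SystemRoot\WinSxS\*" }
}

function Remove-IfeoDebugger {
    # Removes the Debugger value for one target, then optionally quarantines the
    # file it pointed to. Supports -WhatIf / -Confirm so the plan can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Target,    # e.g. 'explorer.exe'
        [switch] $QuarantineFile                    # rename the file instead of deleting it
    )
    $entry = Get-IfeoDebugger | Where-Object Target -eq $Target
    if (-not $entry) { Write-Warning "No Debugger value found under $Target"; return }

    # Step 1: the registry value goes first, so the target (explorer.exe) can start
    # on its own again even if the file disappears.
    if ($PSCmdlet.ShouldProcess($entry.KeyPath, "Remove Debugger value '$($entry.Debugger)'")) {
        Remove-ItemProperty -Path $entry.KeyPath -Name Debugger
    }

    # Step 2: only now touch the file, and never a copy inside System32.
    if ($QuarantineFile -and $entry.Exists -and -not $entry.InSystem32) {
        $newName = (Split-Path -Leaf $entry.Exe) + '.quarantine'
        if ($PSCmdlet.ShouldProcess($entry.Exe, "Rename to $newName")) {
            Rename-Item -LiteralPath $entry.Exe -NewName $newName
        }
    }
    elseif ($QuarantineFile -and $entry.InSystem32) {
        Write-Warning "Refusing to touch $($entry.Exe): it is inside System32."
    }
}

# Review first, act second:
Get-IfeoDebugger | Format-Table Target, Debugger, Exists, InSystem32, Suspicious -AutoSize
Find-StrayCsrss | Select-Object FullName, Length, LastWriteTime
# Remove-IfeoDebugger -Target explorer.exe -QuarantineFile -WhatIf
# Remove-IfeoDebugger -Target explorer.exe -QuarantineFile
```

Run it from Safe Mode as the earlier replies suggest, and review the table before un-commenting the remediation line: a Debugger value is not malicious by itself, so the `Suspicious` column is a hint for the reviewer, not a verdict. Renaming rather than deleting keeps the sample for a later scan with updated definitions, and the registry-first ordering is what keeps explorer.exe loadable while the file is being dealt with.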
