Posted on 2006-05-17
Medium Priority
Last Modified: 2010-04-11
Hi there,

Had this virus on a machine - it is detailed at http://vil.nai.com/vil/content/v_139458.htm - Panda detects the files and removes them but doesn't actually remove the virus. Have removed the entry in the registry but it still keeps coming back with a vengeance - have tried changing the csrss.exe file.

Any ideas?

I will try and get a HijackThis scan done on the system.


Question by:pcowen
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 16701899
Run a virus scan with updated definitions in SAFE MODE.
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 16701964
NOD32 is able to detect this virus (also known as Scano.AA) with the latest definitions.
free download: http://www.majorgeeks.com/download3704.html

Delete your restore points (right-click My Computer, go to System Restore and uncheck the enabled box. This will delete the restore files. Once your computer is clean of the virus, you can re-enable System Restore).

Run your scan in Safe Mode.
LVL 32

Expert Comment

ID: 16703064
Yes, please post the link to the HJT log:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.



Expert Comment

ID: 16706413
AVG is a nice free virus scanner with definitions comparable with Symantec's, in my opinion.

Author Comment

ID: 16733319
This virus is rather horrible and NOD32 didn't remove it.
HijackThis, when I posted to the site, didn't report anything untoward.
The virus keeps replicating - I think because of csrss.exe.

Will try a few antispyware tools, e.g. Lavasoft Ad-Aware and Spybot S&D, and see if they can sort it.

Windows Defender didn't get rid of it (it used to be Antispyware).
LVL 32

Expert Comment

ID: 16734711
If the csrss.exe file is in the \windows\system32 folder, then it is the legit Windows file.

However, if it is in some other folder (such as c:\windows) then it is a virus, and here is what you can do:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file (csrss.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove".

(5) Close all windows.

(6) Reboot.

After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware or anti-virus program.
LVL 47

Accepted Solution

rpggamergirl earned 1400 total points
ID: 16735831
It behaves like a startpage trojan. Don't kill the file --> C:\WINDOWS\csrss.exe, because it is hooked up with the Image File Execution Options key, which has that file as a value under Debugger. If the file is gone and the registry entry is still there, your explorer.exe won't load.
"Image File Execution Options" loads before everything else loads.

You need to remove the registry entry first, then delete the file.
Can we look at your HijackThis log?

Here's where it is in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: "C:\WINDOWS\csrss.exe"
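The accepted answer describes an Image File Execution Options (IFEO) "Debugger" hijack and the order in which to undo it; the earlier answer notes that a csrss.exe outside \windows\system32 is not the legitimate file. The PowerShell script below is an added example written for this page, not code posted in the thread or shipped by any of the tools named in it. It audits every IFEO subkey for a Debugger value, flags entries whose debugger is not a recognised debugger, borrows a Windows system-process name while living outside System32, or hooks explorer.exe, and can then remediate in the answer's order: registry value first, file second. The list of "known" debuggers and system-process names is an assumption you should adjust for your own environment.

```powershell
# Added example (not from the thread): audit IFEO "Debugger" values, the
# persistence mechanism described in the accepted answer, and optionally
# undo it in the order the answer gives (registry value first, then file).
# Run from an elevated PowerShell prompt to remediate; the audit alone needs no elevation.

$IfeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$System32 = Join-Path $env:SystemRoot 'System32'

# Debugger executables commonly registered on purpose (assumption; extend for your estate).
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe')

# Core Windows process names that lookalike files tend to borrow (assumption; extend as needed).
$SystemProcessNames = @('csrss.exe', 'lsass.exe', 'svchost.exe', 'winlogon.exe', 'explorer.exe')

function Get-DebuggerExecutable {
    param([string]$Debugger)
    # A Debugger value is a command line: quoted path, bare path, or path plus arguments.
    if ($Debugger -match '^"([^"]+)"') { return $Matches[1] }
    if (Test-Path -LiteralPath $Debugger -PathType Leaf) { return $Debugger }
    return ($Debugger -split ' ')[0]
}

function Get-IfeoDebuggerFindings {
    $findings = @()
    foreach ($key in (Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue)) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        $exe     = Get-DebuggerExecutable $debugger
        $exeName = [System.IO.Path]::GetFileName($exe).ToLower()
        $exeDir  = [string][System.IO.Path]::GetDirectoryName($exe)
        $inSys32 = ($exeDir.TrimEnd('\') -ieq $System32)

        $reasons = @()
        if ($KnownDebuggers -notcontains $exeName) { $reasons += 'unrecognised debugger' }
        if ($SystemProcessNames -contains $exeName -and -not $inSys32) {
            $reasons += 'system-process name outside System32'
        }
        if ($key.PSChildName -ieq 'explorer.exe') { $reasons += 'hooks the shell (explorer.exe)' }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Image      = $key.PSChildName
                Debugger   = $debugger
                Executable = $exe
                FileExists = (Test-Path -LiteralPath $exe -PathType Leaf)
                Reasons    = ($reasons -join '; ')
                KeyPath    = $key.PSPath
            }
        }
    }
    return $findings
}

function Remove-IfeoHijack {
    param([Parameter(Mandatory)] $Finding)
    # Order matters: the answer warns that deleting the file while the Debugger
    # value remains leaves the hooked image (here explorer.exe) unable to start.
    Remove-ItemProperty -Path $Finding.KeyPath -Name Debugger -ErrorAction Stop
    Write-Host "Removed Debugger value under $($Finding.Image)"

    # Never delete anything that actually lives in System32; only the misplaced copy goes.
    $exeDir = [string][System.IO.Path]::GetDirectoryName($Finding.Executable)
    if ($Finding.FileExists -and ($exeDir.TrimEnd('\') -ine $System32)) {
        Remove-Item -LiteralPath $Finding.Executable -Force -ErrorAction Stop
        Write-Host "Deleted $($Finding.Executable)"
    }
}

# --- usage ---
$findings = Get-IfeoDebuggerFindings
if (-not $findings) {
    Write-Host 'No suspicious IFEO Debugger values found.'
} else {
    $findings | Format-List
    # Review the list above first, then uncomment to remediate in the safe order:
    # $findings | ForEach-Object { Remove-IfeoHijack -Finding $_ }
}
```

On the machine in this thread the audit would report Image explorer.exe with Debugger "C:\WINDOWS\csrss.exe" and the reasons "unrecognised debugger; system-process name outside System32; hooks the shell (explorer.exe)". The remediation step is deliberately opt-in, because a Debugger value can be legitimate (Visual Studio's just-in-time debugger registers one), so every finding deserves a human look before anything is removed.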
