pcowen

asked on

W32/Areses.j@MM

Hi there,

Had this virus on a machine - it is detailed at http://vil.nai.com/vil/content/v_139458.htm - Panda detects the files and removes them but doesn't actually remove the virus.  Have removed the entry in the registry but it still keeps coming back with a vengeance - have tried changing the csrss.exe file

Any ideas?

I will try and get a Hijackthis scan done on system

Thanks

Paul
zephyr_hex (Megan)

run a virus scan with updated definitions in SAFE MODE.
NOD32 is able to detect this virus (also known as Scano.AA) with the latest definitions.
free download: http://www.majorgeeks.com/download3704.html

delete your restore points (right click my computer, go to restore and uncheck the enabled box.  this will delete the restore files.  once your computer is clean of the virus, you can re-enable the restore).

run your scan in safe mode
r-k

Yes, please post the link to the HJT log:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
AVG is a nice free virus scanner with definitions comparable with Symantec's in my opinion.
www.grisoft.com
pcowen

ASKER

This virus is rather horrible and NOD32 didn't remove it.
HijackThis, when I posted to the site, didn't report anything untoward.
The virus keeps replicating - think because of csrss.exe

Will try a few antispyware tools e.g. Lavasoft Ad-Aware and Spybot S+D and see if they can sort it

Windows Defender didn't get rid of it (used to be Antispyware)
If the csrss.exe file is in the \windows\system32 folder, then it is the legit Windows file.

However, if it is in some other folder (such as c:\windows) then it is a virus, and here is what you can do:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file (csrss.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware or anti-virus program.
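
The location check and steps (1)-(4) from the post above can also be scripted. This is an added example, not part of the original thread; the function names `Find-CsrssCopies` and `Block-FileAccess` are hypothetical, and it assumes PowerShell is installed and run as an administrator.

```powershell
# Added example, not from the thread. Assumes PowerShell is installed and
# the session is running as an administrator.

function Find-CsrssCopies {
    param([string]$Root = "$env:SystemDrive\")
    # The one location the post treats as the legitimate Windows file.
    $legit = Join-Path $env:SystemRoot 'System32\csrss.exe'
    Get-ChildItem -Path $Root -Filter 'csrss.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Expected = ($_.FullName -ieq $legit)
                Size     = $_.Length
                Modified = $_.LastWriteTime
            }
        }
}

function Block-FileAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Steps (1)-(4) of the post: stop inheriting from the parent folder
    # ($true) and discard the inherited entries instead of copying them ($false).
    $acl.SetAccessRuleProtection($true, $false)
    # Entries set directly on the file are not touched by those steps.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    Set-Acl -Path $Path -AclObject $acl
    if ($explicit.Count -gt 0) {
        Write-Warning "$Path still has $($explicit.Count) explicit permission entries"
    }
    Write-Output "Inherited permissions removed from $Path; reboot to stop a running copy."
}

# List every copy; anything with Expected = False needs a closer look.
# Windows keeps its own backup copies (on XP, under System32\dllcache),
# so review the list before locking a file.
Find-CsrssCopies | Sort-Object Expected | Format-Table Path, Expected, Size, Modified -AutoSize

# Then lock one reviewed path (example location taken from the post):
# Block-FileAccess -Path 'C:\WINDOWS\csrss.exe'
```

The warning about explicit entries matters because the file only becomes unrunnable when no permission entries remain on it at all.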
ASKER CERTIFIED SOLUTION
rpggamergirl