Trojan win32 generic and Vipre?

Every time I start up my computer, a note from Vipre pops up saying it blocked a known bad file named csrss(Trojan), so I ran a quick scan and a deep scan and they found something called Trojan win32 generic. I then cleaned it from my computer, but the note from Vipre keeps popping up and saying it blocked csrss(Trojan). What is this, and should I get my computer checked out by a computer doctor?

Chosen Answer:

csrss.exe is the Microsoft Client/Server Runtime Server Subsystem, located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, trojan or worm! This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

To detect and remove this threat and other malicious software that may be installed on your computer, follow the steps carefully or ask a computer-savvy friend to do this:

First download the latest versions of the following on another, clean machine and burn to CD or copy to a USB memory stick:

Malwarebytes: http://www.malwarebytes.org/mbam.php
ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
FixNCR.reg: http://download.bleepingcomputer.com/reg/FixNCR.reg
RKill: http://www.bleepingcomputer.com/download/anti-virus/rkill - this page has a variety of different filenames to download to fool the virus, which will try to block RKill from running. Remember the filename of the version you downloaded.
CCleaner (cleans out caches): http://www.ccleaner.com

Avast! 4 Home: http://www.avast.com/eng/download-avast-home.html

Download these to your desktop and, before running them, change the names of the Malwarebytes and ComboFix files to:
Malwarebytes: mblah.scr
ComboFix: comfix.exe

Follow these steps in order. Don’t skip ahead.

Now, start the machine in Safe Mode with networking (hit the F8 function key as the machine boots up, and choose Safe mode)

Turn off System Restore on your machine, but only until you get this fixed – many of these trojans get copied into the System Restore files, which anti-virus programs aren’t allowed to touch and the viruses could reinstall themselves from there. My Computer > Properties > System Restore.

The malware actively blocks programs and tools, so before you can start cleaning, you need to get the malware entries out of the registry, and stop the malware’s current processes from running.

Double-click FixNCR.reg to run it to clean the registry

Now double click the RKill file (whatever name you downloaded it as) to run it. Wait for it, it could take a while. If the fake antivirus program throws a warning on the screen and blocks RKill, leave the warning up on the screen and run RKill again.

Do not reboot your computer. If you reboot, it will just load the malware in again.

Then run CCleaner (it’ll make scanning faster because it will delete a bunch of temp files and save you from having to scan those.) If the virus blocks CCleaner from running, proceed to the next step.

Then run Malwarebytes (mblah), and clean everything it says.

Then run ComboFix (comfix), and clean everything it says. If it tells you to reboot your machine during the process, do so immediately.

Then install and run Avast – tell Avast to do a boot-scan – click on “schedule boot-scan” – and restart the computer

Let it start and do the Avast boot scan

Then turn System Restore back on.

Now install the antivirus program of your choice to do continuous scanning, and make sure you keep it up to date

Always keep your Windows, web browser and Java software up to date – frequent patches are released to plug security holes.

Regards,
Tamim
on: 11th July 11
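
The path rule stated in the answer (the genuine csrss.exe lives in C:\Windows\System32) can be checked directly. The PowerShell below is an added example, not part of the original answer; it assumes PowerShell 3.0 or later in an elevated session, and its Run-key check rests on the assumption that the genuine csrss.exe is started by the system itself and never from an autorun entry.

```powershell
# Added example: list every running csrss.exe with its image path and flag
# any that is not the copy in %SystemRoot%\System32, then list autorun
# values that mention csrss. Read-only; it changes nothing on the machine.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

function Test-CsrssImage {
    param([string]$Path)
    # The path can be empty when the session is not elevated.
    if ([string]::IsNullOrEmpty($Path)) { return 'path unavailable (re-run elevated)' }
    if ($Path -ne $expected)            { return 'SUSPICIOUS: not the System32 image' }
    return 'ok: expected location'
}

# 1. Running processes named csrss.exe
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    [pscustomobject]@{
        Source  = "process $($_.ProcessId)"
        Path    = $_.ExecutablePath
        Verdict = Test-CsrssImage $_.ExecutablePath
    }
}

# 2. Autorun (Run key) values whose command line mentions csrss
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match 'csrss') {
            [pscustomobject]@{
                Source  = "$key\$name"
                Path    = $value
                Verdict = 'SUSPICIOUS: csrss referenced from an autorun entry'
            }
        }
    }
}
```

A csrss.exe that reports a path outside System32, or that appears in a Run key, is the copy to hand to the scanners named in the answer.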
