help me please RRS feed

  • Question

  • Note: I am currently using windows vista

    I recently opened an e-mail which said it was from Facebook, but it turned out to be some kind of scam and as soon as i opened the attachments, it automatically downloaded vista Guardian (rogue anti-virus software),
    sincethen i have successfully got rid of it and most of it's several problems, but it has left something which appears to be impossible to get rid of :(,
    If i go on Task Manager it is under the name of: 'csrss.exe', i have been told that this is a trojon, but i cannot get rid of it.. when i try to download something to remove it with it blocks it and says that i have to be an administrator (even though i am), when i try to end it's processes in task manager it says: "Operation could not be completed, access is denied, if i right click on it in task manager it says "perform administrative tasks" should i click this option,
    I have run out of ideas please help me!!!
    • Moved by Jannes12345 Saturday, February 27, 2010 9:16 PM moved from the ConfigMgr forum (From:Configuration Manager General)
    Saturday, February 27, 2010 6:39 PM

All replies

  • If your spelling is correct, csrss.exe is a legitimate program if it’s located in the \Windows\System32 folder.

    However, if it’s located elsewhere, it is bad news and Google will show you many solutions.

    Sunday, February 28, 2010 1:44 PM
  • Kill processes:

    Delete files:

    %UserProfile%\\AppData\\Local\\av.exe %UserProfile%\\AppData\\Local\\WRblt8464P

    Delete registry values:

    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
    HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
    HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
    HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

    This should help!!
    Sunday, February 28, 2010 5:07 PM
  • If I see "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"" does this mean that a virus is overriding my virus protection?

    I'm using Windows 7. I searched the Reg. for "AntiVirusOverride" and found it in the following path. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc

    I was unable to make any changes. "Unable to delete all specified values."  I am logged on as administrator why can't I make changes?



    Sunday, May 15, 2011 9:13 PM

    Too many people think this answer means deleting the Keys - DON'T!!

    Do more research on your problem. When you think you've found an answer, Confirm it before you act on it.

    Consider solutions offered here: http://www.dougknox.com

    Sunday, June 26, 2011 5:39 PM