This forum is closed. Thank you for your contributions.

Remove From My Forums

help me please

Question
0

Sign in to vote
Note: I am currently using windows vista

I recently opened an e-mail which said it was from Facebook, but it turned out to be some kind of scam and as soon as i opened the attachments, it automatically downloaded vista Guardian (rogue anti-virus software),
sincethen i have successfully got rid of it and most of it's several problems, but it has left something which appears to be impossible to get rid of :(,
If i go on Task Manager it is under the name of: 'csrss.exe', i have been told that this is a trojon, but i cannot get rid of it.. when i try to download something to remove it with it blocks it and says that i have to be an administrator (even though i am), when i try to end it's processes in task manager it says: "Operation could not be completed, access is denied, if i right click on it in task manager it says "perform administrative tasks" should i click this option,
I have run out of ideas please help me!!!
- Moved by Jannes12345 Saturday, February 27, 2010 9:16 PM moved from the ConfigMgr forum (From:Configuration Manager General)
Saturday, February 27, 2010 6:39 PM

All replies

0

Sign in to vote

If your spelling is correct, csrss.exe is a legitimate program if it’s located in the \Windows\System32 folder.

However, if it’s located elsewhere, it is bad news and Google will show you many solutions.

Sunday, February 28, 2010 1:44 PM
0

Sign in to vote

Kill processes:
av.exe

Delete files:
%UserProfile%\\AppData\\Local\\av.exe %UserProfile%\\AppData\\Local\\WRblt8464P

Delete registry values:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

This should help!!

Sunday, February 28, 2010 5:07 PM
0

Sign in to vote

If I see "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"" does this mean that a virus is overriding my virus protection?

I'm using Windows 7. I searched the Reg. for "AntiVirusOverride" and found it in the following path. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc

I was unable to make any changes. "Unable to delete all specified values." I am logged on as administrator why can't I make changes?

Thanks

Rick

Sunday, May 15, 2011 9:13 PM
0

Sign in to vote

SAVE A COPY BEFORE YOU MODIFY YOUR REGISTRY !!!

Too many people think this answer means deleting the Keys - DON'T!!

Do more research on your problem. When you think you've found an answer, Confirm it before you act on it.

Consider solutions offered here: http://www.dougknox.com

Sunday, June 26, 2011 5:39 PM