Asked by:
help me please

Question
-
Note: I am currently using Windows Vista.
I recently opened an e-mail which said it was from Facebook, but it turned out to be some kind of scam, and as soon as I opened the attachments, it automatically downloaded Vista Guardian (rogue anti-virus software).
Since then I have successfully got rid of it and most of its several problems, but it has left something which appears to be impossible to get rid of :(
If I go on Task Manager it is under the name of 'csrss.exe'. I have been told that this is a trojan, but I cannot get rid of it. When I try to download something to remove it with, it blocks it and says that I have to be an administrator (even though I am). When I try to end its processes in Task Manager it says: "Operation could not be completed, access is denied". If I right-click on it in Task Manager it says "perform administrative tasks". Should I click this option?
I have run out of ideas, please help me!!!
- Moved by Jannes12345 Saturday, February 27, 2010 9:16 PM moved from the ConfigMgr forum (From:Configuration Manager General)
Saturday, February 27, 2010 6:39 PM
All replies
-
If your spelling is correct, csrss.exe is a legitimate program if it’s located in the \Windows\System32 folder.
However, if it’s located elsewhere, it is bad news and Google will show you many solutions.
Sunday, February 28, 2010 1:44 PM -
Kill processes:
av.exe
Delete files:
%UserProfile%\AppData\Local\av.exe
%UserProfile%\AppData\Local\WRblt8464P
Delete registry values:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
This should help!!
Sunday, February 28, 2010 5:07 PM -
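A read-only way to check a machine for the entries listed in the reply above, as an added PowerShell example that is not part of the original thread. The function names and the `MatchesReply` column are made up for this sketch; the keys, value names and file names are the ones the reply lists, plus the `\Svc` subkey mentioned in the next post.

```powershell
# Added example: read-only audit of the locations listed in the reply above.
# It only reports what it finds; nothing is modified or deleted.

function Test-RogueHandler([string]$Command) {
    # Every hijacked handler in the reply launches av.exe with /START.
    return [bool]($Command -match '\\av\.exe"?\s+/START')
}

function Get-RogueAvTrace {
    $handlerKeys = @(
        'HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command',
        'HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command',
        'HKEY_CLASSES_ROOT\.exe\shell\open\command',
        'HKEY_CLASSES_ROOT\secfile\shell\open\command',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
    )
    foreach ($key in $handlerKeys) {
        $item = Get-Item -LiteralPath "Registry::$key" -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }        # key absent: nothing to report
        $cmd = [string]$item.GetValue('')        # '' reads the "(Default)" value
        New-Object PSObject -Property @{
            Location = $key; Name = '(Default)'; Value = $cmd
            MatchesReply = (Test-RogueHandler $cmd) }
    }
    # Security Center override values, at the path from the reply and the \Svc subkey.
    $sc = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
    foreach ($key in $sc, "$sc\Svc") {
        $item = Get-Item -LiteralPath "Registry::$key" -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
            $v = $item.GetValue($name)
            if ($null -eq $v) { continue }
            New-Object PSObject -Property @{
                Location = $key; Name = $name; Value = $v
                MatchesReply = ("$v" -eq '1') }   # the reply lists these set to "1"
        }
    }
    # Files named in the reply.
    foreach ($name in 'av.exe', 'WRblt8464P') {
        $path = Join-Path $env:USERPROFILE "AppData\Local\$name"
        if (Test-Path -LiteralPath $path) {
            New-Object PSObject -Property @{
                Location = $path; Name = $name; Value = 'present'; MatchesReply = $true }
        }
    }
}

Get-RogueAvTrace | Sort-Object MatchesReply -Descending |
    Format-Table Location, Name, Value, MatchesReply -AutoSize -Wrap
```

Rows with `MatchesReply` set to `True` are the ones to research and back up before any manual change.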
If I see "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"" does this mean that a virus is overriding my virus protection?
I'm using Windows 7. I searched the Reg. for "AntiVirusOverride" and found it in the following path. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
I was unable to make any changes: "Unable to delete all specified values." I am logged on as administrator. Why can't I make changes?
Thanks
Rick
Sunday, May 15, 2011 9:13 PM -
SAVE A COPY BEFORE YOU MODIFY YOUR REGISTRY !!!
Too many people think this answer means deleting the Keys - DON'T!!
Do more research on your problem. When you think you've found an answer, confirm it before you act on it.
Consider solutions offered here: http://www.dougknox.com
Sunday, June 26, 2011 5:39 PM