Recently we’ve come across a virus that replaces a critical file in Spybot S&D, causing the program to malfunction. If you notice your Spybot installation acting up or behaving strangely (won't start, won't update, does not allow you to scan), please re-download Spybot and re-install it.
Posts Tagged Malware News
Virus Targets Spybot S&D
Dec 16
csrss.exe Virus Solved!
Nov 4
We’ve now developed a reliable method for removing the USB csrss.exe virus that cropped up recently. While this virus proliferates very quickly and is annoying to deal with, the fix for it is quite simple.
- Attach any USB drives you know to be infected to the system you plan to disinfect.
- Enable viewing of hidden files and folders.
- Delete ONLY the autorun.inf from each infected drive.
- If running Windows XP or a 32-bit version of Vista or Win7, run Combofix.
- If running a 64-bit operating system, navigate to C:\Users\%username%\AppData\Roaming\Microsoft\
- Under this directory you will find a copy of csrss.exe. You will need to use ProcXP64 to kill the process before deleting the file.
- After the csrss.exe has been cleaned from the computer, you can safely delete the copies on the USB drives without them returning.
A new strain of infection has sprung up that imitates the real Windows process Microsoft Client Server Runtime, but modifies itself to give a hacker a free backdoor into your system. The virus runs silently in the background, collects information like your network configuration, IP address, and system passwords, and stores it. When the hacker wishes to intrude on your system through this virus, he has all this information readily available to make the process of hijacking your computer easier.
There is a very simple and easy way to tell if this virus is on your system. The newest versions copy themselves to thumb drives in the form of two hidden files, autorun.inf and csrss.exe, which you will find on the root of any attached device, including iPods. The other place the virus will hide is in %systemroot%\Users\%username%\Application Data\Temp\
As far as we can tell so far it only installs a single fraudulent csrss.exe file to that one location and to any attached removable media. It's very hard to tell if it is active on your system without looking for those files specifically, as it does not directly attack the computer.
***Also note that to find these files you will need to have “hide hidden files” in your folder options turned off.
A round of Combofix and cleaning off the files from your USB drives will fix the issue in most cases.
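The file checks described in these posts can be scripted. The following is an added example, not part of the original posts: it looks for the hidden autorun.inf and csrss.exe pair on drive roots and for any csrss.exe under a profile folder. The function names and the command-line layout are assumptions made for illustration.

```python
import os
import sys

# File names the post says appear, hidden, on the root of infected removable media.
ROOT_INDICATORS = ("autorun.inf", "csrss.exe")


def scan_drive_root(root):
    """Return indicator files directly on a drive root (case-insensitive)."""
    try:
        # os.listdir() includes hidden files regardless of Explorer's folder options.
        names = {name.lower(): name for name in os.listdir(root)}
    except OSError:  # drive not mounted or unreadable
        return []
    return [os.path.join(root, names[i]) for i in ROOT_INDICATORS if i in names]


def find_stray_csrss(search_dir):
    """Return every csrss.exe found below search_dir."""
    # The genuine binary lives in %SystemRoot%\System32, never in a user profile.
    hits = []
    for dirpath, _dirs, files in os.walk(search_dir):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == "csrss.exe"]
    return hits


def triage(drive_roots, profile_dirs):
    """Report indicator files on drive roots and csrss.exe copies in profiles."""
    report = {"drives": {}, "profile": []}
    for root in drive_roots:
        found = scan_drive_root(root)
        if found:
            # autorun.inf alone can be legitimate; the pair is what the post describes.
            both = len(found) == len(ROOT_INDICATORS)
            report["drives"][root] = {"files": found, "both_present": both}
    for directory in profile_dirs:
        report["profile"] += find_stray_csrss(directory)
    return report


if __name__ == "__main__":
    # Usage (paths are examples): python triage.py E:\ F:\ -- C:\Users\alice
    args = sys.argv[1:]
    split = args.index("--") if "--" in args else len(args)
    print(triage(args[:split], args[split + 1:]))
```

The script only reports; removal still follows the order given in the steps above, with the copy on the computer cleaned before the copies on the USB drives.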
