Sign in with
Sign up | Sign in
Your question

CSRSS.EXE Virus That Won't Go Away

Last response: in Windows XP
Share
Anonymous
August 28, 2005 10:51:03 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

About every 30 seconds, I get a pop-up message from my anti-virus software
that says:

Dangerous Operation blocked!
Panda Titanium Antivirus 2005 has detected the execution of a dangerous
action and has blocked it.
Program:
Associated file:
C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE

So, I have found the file on my C drive, deleted it and deleted from my
Recycle Bin, but the message still continue sto annoyingly pop up.

The operating system I am using is Windows xp Home Edition, which is
completely up to date with Windowes updates.

Please can someone explain to me (in simple terms!) what I have to do to get
rid of this virus.

Any assistance would be greatly appreciated.

Many thanks

Simon (uget2nome)

More about : csrss exe virus

Anonymous
August 28, 2005 2:49:03 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "uget2nome" <uget2nome@discussions.microsoft.com>

| About every 30 seconds, I get a pop-up message from my anti-virus software
| that says:
|
| Dangerous Operation blocked!
| Panda Titanium Antivirus 2005 has detected the execution of a dangerous
| action and has blocked it.
| Program:
| Associated file:
| C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
|
| So, I have found the file on my C drive, deleted it and deleted from my
| Recycle Bin, but the message still continue sto annoyingly pop up.
|
| The operating system I am using is Windows xp Home Edition, which is
| completely up to date with Windowes updates.
|
| Please can someone explain to me (in simple terms!) what I have to do to get
| rid of this virus.
|
| Any assistance would be greatly appreciated.
|
| Many thanks
|
| Simon (uget2nome)

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

If this is adware/spyware -- Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

If this is truly a virus...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 28, 2005 7:18:16 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Turn off System Restore then download, install, update and run all of the
following. When finished reboot and turn System Restore back on. csrss.exe
is also a valid windows file located in the system32 folder, any other
location should be deleted.

Ad-Aware
http://www.pcbutts1.com/downloads/aawsepersonal.exe

Spybot search and destroy
http://www.pcbutts1.com/downloads/spybotsd14.exe

Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/ewidosetup.exe

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/details.aspx?FamilyI...

If none of the above fixes the issue then download Hijack this, run it, save
a copy of the log file and cut and paste it back here to this group so that
I can analyze it. Ignore anyone who tells you to post it elsewhere. I need
to see it not them.


HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
> About every 30 seconds, I get a pop-up message from my anti-virus software
> that says:
>
> Dangerous Operation blocked!
> Panda Titanium Antivirus 2005 has detected the execution of a dangerous
> action and has blocked it.
> Program:
> Associated file:
> C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>
> So, I have found the file on my C drive, deleted it and deleted from my
> Recycle Bin, but the message still continue sto annoyingly pop up.
>
> The operating system I am using is Windows xp Home Edition, which is
> completely up to date with Windowes updates.
>
> Please can someone explain to me (in simple terms!) what I have to do to
> get
> rid of this virus.
>
> Any assistance would be greatly appreciated.
>
> Many thanks
>
> Simon (uget2nome)
Related resources
Anonymous
August 28, 2005 7:18:17 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Dear All...

Many thanks for all your advise. I downloaded all of the trials and ran
them, which took some time. One of them detected an infected file and
automatically removed it. However, when I start my machine, each time I get
the following message in a pop-ip box on the desktop:

"Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure you
typed the name correctly, and then try again. To search for a file, click the
Start button, and then click search."

I press OK, and then get the following message:

"Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified in
the registty. Make sure that the file exists on your computer or remove the
reference to it in the registry."

I select OK, and get the same messages a second time, and after that, my
computer now seems to be working fine.

Is there something else I need to do to resolve this?

Once again, many thanks, and any further assistance would be greatly
appreciated.

Simon (uget2nome)

"pcbutts1" wrote:

> Turn off System Restore then download, install, update and run all of the
> following. When finished reboot and turn System Restore back on. csrss.exe
> is also a valid windows file located in the system32 folder, any other
> location should be deleted.
>
> Ad-Aware
> http://www.pcbutts1.com/downloads/aawsepersonal.exe
>
> Spybot search and destroy
> http://www.pcbutts1.com/downloads/spybotsd14.exe
>
> Ewido Security Suite Trial version
> http://www.pcbutts1.com/downloads/ewidosetup.exe
>
> Microsoft Windows AntiSpyware (Beta1)
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
> If none of the above fixes the issue then download Hijack this, run it, save
> a copy of the log file and cut and paste it back here to this group so that
> I can analyze it. Ignore anyone who tells you to post it elsewhere. I need
> to see it not them.
>
>
> HijackThis
> http://www.pcbutts1.com/downloads/HijackThis.zip
>
> --
>
>
> The best live web video on the internet http://www.seedsv.com/webdemo.htm
> NEW Embedded system W/Linux. We now sell DVR cards.
> See it all at http://www.seedsv.com/products.htm
> Sharpvision simply the best http://www.seedsv.com
>
>
>
> "uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
> news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
> > About every 30 seconds, I get a pop-up message from my anti-virus software
> > that says:
> >
> > Dangerous Operation blocked!
> > Panda Titanium Antivirus 2005 has detected the execution of a dangerous
> > action and has blocked it.
> > Program:
> > Associated file:
> > C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
> >
> > So, I have found the file on my C drive, deleted it and deleted from my
> > Recycle Bin, but the message still continue sto annoyingly pop up.
> >
> > The operating system I am using is Windows xp Home Edition, which is
> > completely up to date with Windowes updates.
> >
> > Please can someone explain to me (in simple terms!) what I have to do to
> > get
> > rid of this virus.
> >
> > Any assistance would be greatly appreciated.
> >
> > Many thanks
> >
> > Simon (uget2nome)
>
>
>
August 28, 2005 7:18:18 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

uget2nome wrote:

> Dear All...
>
> Many thanks for all your advise. I downloaded all of the trials and ran
> them, which took some time. One of them detected an infected file and
> automatically removed it. However, when I start my machine, each time I get
> the following message in a pop-ip box on the desktop:
>
> "Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure you
> typed the name correctly, and then try again. To search for a file, click the
> Start button, and then click search."
>
> I press OK, and then get the following message:
>
> "Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified in
> the registty. Make sure that the file exists on your computer or remove the
> reference to it in the registry."
>
> I select OK, and get the same messages a second time, and after that, my
> computer now seems to be working fine.
>
> Is there something else I need to do to resolve this?
>
> Once again, many thanks, and any further assistance would be greatly
> appreciated.
>
> Simon (uget2nome)
>
> "pcbutts1" wrote:
>
>
>>Turn off System Restore then download, install, update and run all of the
>>following. When finished reboot and turn System Restore back on. csrss.exe
>>is also a valid windows file located in the system32 folder, any other
>>location should be deleted.
>>
>>Ad-Aware
>>http://www.pcbutts1.com/downloads/aawsepersonal.exe
>>
>>Spybot search and destroy
>>http://www.pcbutts1.com/downloads/spybotsd14.exe
>>
>>Ewido Security Suite Trial version
>>http://www.pcbutts1.com/downloads/ewidosetup.exe
>>
>>Microsoft Windows AntiSpyware (Beta1)
>>http://www.microsoft.com/downloads/details.aspx?FamilyI...
>>
>>If none of the above fixes the issue then download Hijack this, run it, save
>>a copy of the log file and cut and paste it back here to this group so that
>>I can analyze it. Ignore anyone who tells you to post it elsewhere. I need
>>to see it not them.
>>
>>
>>HijackThis
>>http://www.pcbutts1.com/downloads/HijackThis.zip
>>
>>--
>>
>>
>>The best live web video on the internet http://www.seedsv.com/webdemo.htm
>>NEW Embedded system W/Linux. We now sell DVR cards.
>>See it all at http://www.seedsv.com/products.htm
>>Sharpvision simply the best http://www.seedsv.com
>>
>>
>>
>>"uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
>>news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
>>
>>>About every 30 seconds, I get a pop-up message from my anti-virus software
>>>that says:
>>>
>>>Dangerous Operation blocked!
>>>Panda Titanium Antivirus 2005 has detected the execution of a dangerous
>>>action and has blocked it.
>>>Program:
>>>Associated file:
>>>C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>>>
>>>So, I have found the file on my C drive, deleted it and deleted from my
>>>Recycle Bin, but the message still continue sto annoyingly pop up.
>>>
>>>The operating system I am using is Windows xp Home Edition, which is
>>>completely up to date with Windowes updates.
>>>
>>>Please can someone explain to me (in simple terms!) what I have to do to
>>>get
>>>rid of this virus.
>>>
>>>Any assistance would be greatly appreciated.
>>>
>>>Many thanks
>>>
>>>Simon (uget2nome)
>>
>>
>>

Please don't post HJT logs to this newsgroup, it is not the place for
it. There are specialty forums for that purpose. Here are some links
for posting HJT logs.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

--
Rock
MS MVP Windows - Shell/User
Anonymous
August 28, 2005 7:18:18 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

i think u solve what is being prompted .That is u copy csrss.exe from
somebody elses system and put it in uy SYSTEM32 folder or use this
Type msconfig in run box.
now on General tab click ExpandFile button.
And restore file
Ok
"uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
news:782F9C3E-4A8E-46E7-8F99-5A3E7D67E799@microsoft.com...
> Dear All...
>
> Many thanks for all your advise. I downloaded all of the trials and ran
> them, which took some time. One of them detected an infected file and
> automatically removed it. However, when I start my machine, each time I
get
> the following message in a pop-ip box on the desktop:
>
> "Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure
you
> typed the name correctly, and then try again. To search for a file, click
the
> Start button, and then click search."
>
> I press OK, and then get the following message:
>
> "Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified
in
> the registty. Make sure that the file exists on your computer or remove
the
> reference to it in the registry."
>
> I select OK, and get the same messages a second time, and after that, my
> computer now seems to be working fine.
>
> Is there something else I need to do to resolve this?
>
> Once again, many thanks, and any further assistance would be greatly
> appreciated.
>
> Simon (uget2nome)
>
> "pcbutts1" wrote:
>
> > Turn off System Restore then download, install, update and run all of
the
> > following. When finished reboot and turn System Restore back on.
csrss.exe
> > is also a valid windows file located in the system32 folder, any other
> > location should be deleted.
> >
> > Ad-Aware
> > http://www.pcbutts1.com/downloads/aawsepersonal.exe
> >
> > Spybot search and destroy
> > http://www.pcbutts1.com/downloads/spybotsd14.exe
> >
> > Ewido Security Suite Trial version
> > http://www.pcbutts1.com/downloads/ewidosetup.exe
> >
> > Microsoft Windows AntiSpyware (Beta1)
> >
http://www.microsoft.com/downloads/details.aspx?FamilyI...
A8BD-DBF62EDA9671&displaylang=en
> >
> > If none of the above fixes the issue then download Hijack this, run it,
save
> > a copy of the log file and cut and paste it back here to this group so
that
> > I can analyze it. Ignore anyone who tells you to post it elsewhere. I
need
> > to see it not them.
> >
> >
> > HijackThis
> > http://www.pcbutts1.com/downloads/HijackThis.zip
> >
> > --
> >
> >
> > The best live web video on the internet
http://www.seedsv.com/webdemo.htm
> > NEW Embedded system W/Linux. We now sell DVR cards.
> > See it all at http://www.seedsv.com/products.htm
> > Sharpvision simply the best http://www.seedsv.com
> >
> >
> >
> > "uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
> > news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
> > > About every 30 seconds, I get a pop-up message from my anti-virus
software
> > > that says:
> > >
> > > Dangerous Operation blocked!
> > > Panda Titanium Antivirus 2005 has detected the execution of a
dangerous
> > > action and has blocked it.
> > > Program:
> > > Associated file:
> > > C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
> > >
> > > So, I have found the file on my C drive, deleted it and deleted from
my
> > > Recycle Bin, but the message still continue sto annoyingly pop up.
> > >
> > > The operating system I am using is Windows xp Home Edition, which is
> > > completely up to date with Windowes updates.
> > >
> > > Please can someone explain to me (in simple terms!) what I have to do
to
> > > get
> > > rid of this virus.
> > >
> > > Any assistance would be greatly appreciated.
> > >
> > > Many thanks
> > >
> > > Simon (uget2nome)
> >
> >
> >
Anonymous
August 28, 2005 7:29:02 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Dear Friends...

Many thanks for all your advise, but I'm sorry, I still don't know what to
do to solve the problem of these error messages appearing every time I switch
the machine on. Please can someone explain to me excatly what steps I need to
take.

Many thanks.

"uget2nome" wrote:

> Dear All...
>
> Many thanks for all your advise. I downloaded all of the trials and ran
> them, which took some time. One of them detected an infected file and
> automatically removed it. However, when I start my machine, each time I get
> the following message in a pop-ip box on the desktop:
>
> "Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure you
> typed the name correctly, and then try again. To search for a file, click the
> Start button, and then click search."
>
> I press OK, and then get the following message:
>
> "Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified in
> the registty. Make sure that the file exists on your computer or remove the
> reference to it in the registry."
>
> I select OK, and get the same messages a second time, and after that, my
> computer now seems to be working fine.
>
> Is there something else I need to do to resolve this?
>
> Once again, many thanks, and any further assistance would be greatly
> appreciated.
>
> Simon (uget2nome)
>
> "pcbutts1" wrote:
>
> > Turn off System Restore then download, install, update and run all of the
> > following. When finished reboot and turn System Restore back on. csrss.exe
> > is also a valid windows file located in the system32 folder, any other
> > location should be deleted.
> >
> > Ad-Aware
> > http://www.pcbutts1.com/downloads/aawsepersonal.exe
> >
> > Spybot search and destroy
> > http://www.pcbutts1.com/downloads/spybotsd14.exe
> >
> > Ewido Security Suite Trial version
> > http://www.pcbutts1.com/downloads/ewidosetup.exe
> >
> > Microsoft Windows AntiSpyware (Beta1)
> > http://www.microsoft.com/downloads/details.aspx?FamilyI...
> >
> > If none of the above fixes the issue then download Hijack this, run it, save
> > a copy of the log file and cut and paste it back here to this group so that
> > I can analyze it. Ignore anyone who tells you to post it elsewhere. I need
> > to see it not them.
> >
> >
> > HijackThis
> > http://www.pcbutts1.com/downloads/HijackThis.zip
> >
> > --
> >
> >
> > The best live web video on the internet http://www.seedsv.com/webdemo.htm
> > NEW Embedded system W/Linux. We now sell DVR cards.
> > See it all at http://www.seedsv.com/products.htm
> > Sharpvision simply the best http://www.seedsv.com
> >
> >
> >
> > "uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
> > news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
> > > About every 30 seconds, I get a pop-up message from my anti-virus software
> > > that says:
> > >
> > > Dangerous Operation blocked!
> > > Panda Titanium Antivirus 2005 has detected the execution of a dangerous
> > > action and has blocked it.
> > > Program:
> > > Associated file:
> > > C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
> > >
> > > So, I have found the file on my C drive, deleted it and deleted from my
> > > Recycle Bin, but the message still continue sto annoyingly pop up.
> > >
> > > The operating system I am using is Windows xp Home Edition, which is
> > > completely up to date with Windowes updates.
> > >
> > > Please can someone explain to me (in simple terms!) what I have to do to
> > > get
> > > rid of this virus.
> > >
> > > Any assistance would be greatly appreciated.
> > >
> > > Many thanks
> > >
> > > Simon (uget2nome)
> >
> >
> >
Anonymous
August 28, 2005 7:31:09 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Dear Friends...

Thank yo ufor all yoru advise, but I'm sorry I'm still confused as to what I
should do to prevent these error messages appearing. Please can someone
explain to me how I solve teh problem?

Many thanks

Simon

"uget2nome" wrote:

> Dear All...
>
> Many thanks for all your advise. I downloaded all of the trials and ran
> them, which took some time. One of them detected an infected file and
> automatically removed it. However, when I start my machine, each time I get
> the following message in a pop-ip box on the desktop:
>
> "Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure you
> typed the name correctly, and then try again. To search for a file, click the
> Start button, and then click search."
>
> I press OK, and then get the following message:
>
> "Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified in
> the registty. Make sure that the file exists on your computer or remove the
> reference to it in the registry."
>
> I select OK, and get the same messages a second time, and after that, my
> computer now seems to be working fine.
>
> Is there something else I need to do to resolve this?
>
> Once again, many thanks, and any further assistance would be greatly
> appreciated.
>
> Simon (uget2nome)
>
> "pcbutts1" wrote:
>
> > Turn off System Restore then download, install, update and run all of the
> > following. When finished reboot and turn System Restore back on. csrss.exe
> > is also a valid windows file located in the system32 folder, any other
> > location should be deleted.
> >
> > Ad-Aware
> > http://www.pcbutts1.com/downloads/aawsepersonal.exe
> >
> > Spybot search and destroy
> > http://www.pcbutts1.com/downloads/spybotsd14.exe
> >
> > Ewido Security Suite Trial version
> > http://www.pcbutts1.com/downloads/ewidosetup.exe
> >
> > Microsoft Windows AntiSpyware (Beta1)
> > http://www.microsoft.com/downloads/details.aspx?FamilyI...
> >
> > If none of the above fixes the issue then download Hijack this, run it, save
> > a copy of the log file and cut and paste it back here to this group so that
> > I can analyze it. Ignore anyone who tells you to post it elsewhere. I need
> > to see it not them.
> >
> >
> > HijackThis
> > http://www.pcbutts1.com/downloads/HijackThis.zip
> >
> > --
> >
> >
> > The best live web video on the internet http://www.seedsv.com/webdemo.htm
> > NEW Embedded system W/Linux. We now sell DVR cards.
> > See it all at http://www.seedsv.com/products.htm
> > Sharpvision simply the best http://www.seedsv.com
> >
> >
> >
> > "uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
> > news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
> > > About every 30 seconds, I get a pop-up message from my anti-virus software
> > > that says:
> > >
> > > Dangerous Operation blocked!
> > > Panda Titanium Antivirus 2005 has detected the execution of a dangerous
> > > action and has blocked it.
> > > Program:
> > > Associated file:
> > > C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
> > >
> > > So, I have found the file on my C drive, deleted it and deleted from my
> > > Recycle Bin, but the message still continue sto annoyingly pop up.
> > >
> > > The operating system I am using is Windows xp Home Edition, which is
> > > completely up to date with Windowes updates.
> > >
> > > Please can someone explain to me (in simple terms!) what I have to do to
> > > get
> > > rid of this virus.
> > >
> > > Any assistance would be greatly appreciated.
> > >
> > > Many thanks
> > >
> > > Simon (uget2nome)
> >
> >
> >
Anonymous
August 28, 2005 7:51:23 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "uget2nome" <uget2nome@discussions.microsoft.com>

| Dear All...
|
| Many thanks for all your advise. I downloaded all of the trials and ran
| them, which took some time. One of them detected an infected file and
| automatically removed it. However, when I start my machine, each time I get
| the following message in a pop-ip box on the desktop:
|
| "Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure you
| typed the name correctly, and then try again. To search for a file, click the
| Start button, and then click search."
|
| I press OK, and then get the following message:
|
| "Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified in
| the registty. Make sure that the file exists on your computer or remove the
| reference to it in the registry."
|
| I select OK, and get the same messages a second time, and after that, my
| computer now seems to be working fine.
|
| Is there something else I need to do to resolve this?
|
| Once again, many thanks, and any further assistance would be greatly
| appreciated.
|
| Simon (uget2nome)
|
| "pcbutts1" wrote:

Please do NOT post the HiJack This (HJT) log as requested. This replier, pcbutts1, has been
asked nicely, and has then been told bluntly [by an employee of the Microsoft Corporation,
the host of this server], not to request HJT logs to be posted here.

HJT logs should *ONLY* be posted in a qualified Web Forum. This is not one of them.

That being said...

Please execute; MSCONFIG.EXE and search for a startup item that would have loaded
VIVNUFFTO\CSRSS.EXE and then disable that item

If you feel comfortable editing the Registry, you can search for the string;
VIVNUFFTO\CSRSS.EXE
find where it is being loaded and remove that key.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 28, 2005 9:27:14 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "Swapnesh" <swap_par205@sancharnet.in>

| i think u solve what is being prompted .That is u copy csrss.exe from
| somebody elses system and put it in uy SYSTEM32 folder or use this
| Type msconfig in run box.
| now on General tab click ExpandFile button.
| And restore file
| Ok


NO !

CSRSS.EXE was an infector. It was removed from the PC as it should have been. However, the
application that removed the EXE file failed to remove the Registry entry that called the
EXE file to execute. therefore it didn't fully do its job. Copying the file from another
PC is NOT the solution.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 28, 2005 9:27:15 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

But CSRSS is a system service.and it uses CSRSS.exe.If u want to varify u
can press CTRL+ALT+DEL.
u can see there under PROCESS tab.OK
And it says its a system service .

Now when window starts it will try to run CSRR.exe and when anything is not
found it symply tell File not found.

So give it the file it wants. Though file was infected and was removed u
can give it a fresh one.Its like giving missing DLL. Havent u tried it yet
????
If n then u should try .
And has "ugetnome" tried to remove registry and seen that it works ??

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:#NvbDdBrFHA.2876@TK2MSFTNGP12.phx.gbl...
> From: "Swapnesh" <swap_par205@sancharnet.in>
>
> | i think u solve what is being prompted .That is u copy csrss.exe from
> | somebody elses system and put it in uy SYSTEM32 folder or use this
> | Type msconfig in run box.
> | now on General tab click ExpandFile button.
> | And restore file
> | Ok
>
>
> NO !
>
> CSRSS.EXE was an infector. It was removed from the PC as it should have
been. However, the
> application that removed the EXE file failed to remove the Registry entry
that called the
> EXE file to execute. therefore it didn't fully do its job. Copying the
file from another
> PC is NOT the solution.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
Anonymous
August 28, 2005 10:09:39 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "Swapnesh" <swap_par205@sancharnet.in>

| But CSRSS is a system service.and it uses CSRSS.exe.If u want to varify u
| can press CTRL+ALT+DEL.
| u can see there under PROCESS tab.OK
| And it says its a system service .
|
| Now when window starts it will try to run CSRR.exe and when anything is not
| found it symply tell File not found.
|
| So give it the file it wants. Though file was infected and was removed u
| can give it a fresh one.Its like giving missing DLL. Havent u tried it yet
| ????
| If n then u should try .
| And has "ugetnome" tried to remove registry and seen that it works ??
|

It is a well established methodology to use the name of legitimate MS Windows Kernel files
for the name of viral and non-viral malware. This is designed to lure you into a false
sense of security. You see the name of the excutable running, assume that it is a OS file
and think it is OK. -- WRONG. One must examine WHERE the excutable is being excuted from.
Since replacing a a OS Kernel file could break the OS, it has to be executed from a non OS
standard location.

In the case of this infector; %windir%\SYSTEM32\VIVNUFFTO\CSRSS.EXE
%windir%\SYSTEM32\VIVNUFFTO is not a Windows OS folder. It was created by the infector.

Sample infectors that use the name CSRSS.EXE are...

C:\CSRSS.EXE
W32/Buchon.c@MM -- http://vil.nai.com/vil/content/v_130857.htm

%WinDir%\MSAGENT\WIN32\CSRSS.EXE
W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm

%WinDir%\CSRSS.EXE
W32/Melare@MM -- http://vil.nai.com/vil/content/v_100306.htm

%WinDir%\CSRSS.EXE
W32/Netsky.ab@MM -- http://vil.nai.com/vil/content/v_124873.htm

%WinDir%\CSRSS.EXE
MultiDropper-JW -- http://vil.nai.com/vil/content/v_101115.htm

%WinDir%\CSRSS.EXE
Downloader-MC -- http://vil.nai.com/vil/content/v_126644.htm



An example of a file name that is the most often used is; SVCHOST.EXE. There are *many*
viral and non-viral infectors that use this name. If this file is found on a Win9x/ME PC
then you are almost guarateed to be infected. If it is found on a NT based PC then one must
look at the location of where it is being executed. In addition many use variations upon
this name such as; SCVHOST.EXE

Examples:
If SVCHOST.EXE is found in the root of C: (C:\SVCHOST.EXE) then there is a high chance of
this being the CodeBlue worm.
W32/CodeBlue.worm -- http://vil.nai.com/vil/content/v_99202.htm

If SVCHOST.EXE is found in %windir% then there is a high chance of this being the Cozit
worm.
W32/Cozit.worm -- http://vil.nai.com/vil/content/v_99761.htm

If SVCHOST.EXE is found in %windir%\SYSTEM32\DRIVERS then there is a high chance of this
being a nachi worm variant.
W32/Nachi.worm.c -- http://vil.nai.com/vil/content/v_101025.htm




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 28, 2005 10:40:11 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Yes, I need to see your hijackthis log run it, save the log and cut and
paste back here so I can read it.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
news:782F9C3E-4A8E-46E7-8F99-5A3E7D67E799@microsoft.com...
> Dear All...
>
> Many thanks for all your advise. I downloaded all of the trials and ran
> them, which took some time. One of them detected an infected file and
> automatically removed it. However, when I start my machine, each time I
> get
> the following message in a pop-ip box on the desktop:
>
> "Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure
> you
> typed the name correctly, and then try again. To search for a file, click
> the
> Start button, and then click search."
>
> I press OK, and then get the following message:
>
> "Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified
> in
> the registty. Make sure that the file exists on your computer or remove
> the
> reference to it in the registry."
>
> I select OK, and get the same messages a second time, and after that, my
> computer now seems to be working fine.
>
> Is there something else I need to do to resolve this?
>
> Once again, many thanks, and any further assistance would be greatly
> appreciated.
>
> Simon (uget2nome)
>
> "pcbutts1" wrote:
>
>> Turn off System Restore then download, install, update and run all of the
>> following. When finished reboot and turn System Restore back on.
>> csrss.exe
>> is also a valid windows file located in the system32 folder, any other
>> location should be deleted.
>>
>> Ad-Aware
>> http://www.pcbutts1.com/downloads/aawsepersonal.exe
>>
>> Spybot search and destroy
>> http://www.pcbutts1.com/downloads/spybotsd14.exe
>>
>> Ewido Security Suite Trial version
>> http://www.pcbutts1.com/downloads/ewidosetup.exe
>>
>> Microsoft Windows AntiSpyware (Beta1)
>> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>>
>> If none of the above fixes the issue then download Hijack this, run it,
>> save
>> a copy of the log file and cut and paste it back here to this group so
>> that
>> I can analyze it. Ignore anyone who tells you to post it elsewhere. I
>> need
>> to see it not them.
>>
>>
>> HijackThis
>> http://www.pcbutts1.com/downloads/HijackThis.zip
>>
>> --
>>
>>
>> The best live web video on the internet http://www.seedsv.com/webdemo.htm
>> NEW Embedded system W/Linux. We now sell DVR cards.
>> See it all at http://www.seedsv.com/products.htm
>> Sharpvision simply the best http://www.seedsv.com
>>
>>
>>
>> "uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
>> news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
>> > About every 30 seconds, I get a pop-up message from my anti-virus
>> > software
>> > that says:
>> >
>> > Dangerous Operation blocked!
>> > Panda Titanium Antivirus 2005 has detected the execution of a dangerous
>> > action and has blocked it.
>> > Program:
>> > Associated file:
>> > C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>> >
>> > So, I have found the file on my C drive, deleted it and deleted from my
>> > Recycle Bin, but the message still continue sto annoyingly pop up.
>> >
>> > The operating system I am using is Windows xp Home Edition, which is
>> > completely up to date with Windowes updates.
>> >
>> > Please can someone explain to me (in simple terms!) what I have to do
>> > to
>> > get
>> > rid of this virus.
>> >
>> > Any assistance would be greatly appreciated.
>> >
>> > Many thanks
>> >
>> > Simon (uget2nome)
>>
>>
>>
Anonymous
August 28, 2005 11:22:22 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "uget2nome" <uget2nome@discussions.microsoft.com>

| Dear Friends...
|
| Thank yo ufor all yoru advise, but I'm sorry I'm still confused as to what I
| should do to prevent these error messages appearing. Please can someone
| explain to me how I solve teh problem?
|
| Many thanks
|
| Simon

Simon:

In case you missed it. Do NOT post a HiJack This (HJT) log here ! Do NOT follow pcbutts1's
direction to do so. His advice is contrary to all the expeerts in this news Group and by
Microsoft.

Do execute; MSCONFIG.EXE

Choose; Startup

Find the line that loads...
C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE

Uncheck the box for that line.

Click on "Apply" then "Close" then "Restart"..

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 28, 2005 11:22:23 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

http://www.auditmypc.com/free-spyware-removal.asp

Look there and see if it helps you. If not, perhaps you need to unplug and
take the tower in to a repair shop. Not a "Big box computer sales" store,
but somewhere they can help you.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eW45YdCrFHA.716@TK2MSFTNGP10.phx.gbl...
> From: "uget2nome" <uget2nome@discussions.microsoft.com>
>
> | Dear Friends...
> |
> | Thank yo ufor all yoru advise, but I'm sorry I'm still confused as to
> what I
> | should do to prevent these error messages appearing. Please can someone
> | explain to me how I solve teh problem?
> |
> | Many thanks
> |
> | Simon
>
> Simon:
>
> In case you missed it. Do NOT post a HiJack This (HJT) log here ! Do NOT
> follow pcbutts1's
> direction to do so. His advice is contrary to all the expeerts in this
> news Group and by
> Microsoft.
>
> Do execute; MSCONFIG.EXE
>
> Choose; Startup
>
> Find the line that loads...
> C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>
> Uncheck the box for that line.
>
> Click on "Apply" then "Close" then "Restart"..
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
Anonymous
August 28, 2005 11:22:23 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Dear Dave...

Please can you help me, I'm not sure exactly hoe to execute MSCONFIG.EXE
I use xp Home Edition. Please can you tell me where I can find 'Start Up'
and find the line that says 'C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE', with
the check box.

Is this something I type in a line when I click 'Start' and then choose 'Run'?

Sorry to be so pinnicky, but I'm, really not very good with these things and
I want to make sure before I go ahead and do any chanegs!

Many thanks

Simon



"David H. Lipman" wrote:

> From: "uget2nome" <uget2nome@discussions.microsoft.com>
>
> | Dear Friends...
> |
> | Thank yo ufor all yoru advise, but I'm sorry I'm still confused as to what I
> | should do to prevent these error messages appearing. Please can someone
> | explain to me how I solve teh problem?
> |
> | Many thanks
> |
> | Simon
>
> Simon:
>
> In case you missed it. Do NOT post a HiJack This (HJT) log here ! Do NOT follow pcbutts1's
> direction to do so. His advice is contrary to all the expeerts in this news Group and by
> Microsoft.
>
> Do execute; MSCONFIG.EXE
>
> Choose; Startup
>
> Find the line that loads...
> C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>
> Uncheck the box for that line.
>
> Click on "Apply" then "Close" then "Restart"..
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
August 28, 2005 11:58:55 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Simon,

Click on Start, then run

In the box that pops up, type " msconfig" without the quotation marks, and
click ok

This will bring up the System Configuration Utility.

Look at the tabs at the top, the one furthers to the right is the startup
tab, click on it.

You will see most likely several startup items, with check marks in their
respective boxes.

Look for the one David pointed you too,and remove the checkmark from it,
then click ok.

You will get a message that you need to restart your system for your changes
to take effect, click ok to restart your system.

After it boots up, you will get a message that you are running in selective
startup, put a check mark in the box to not display that message again, and
click ok.


Hope this helps,


Don Burnette



uget2nome wrote:
> Dear Dave...
>
> Please can you help me, I'm not sure exactly hoe to execute
> MSCONFIG.EXE
> I use xp Home Edition. Please can you tell me where I can find 'Start
> Up'
> and find the line that says
> 'C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE', with the check box.
>
> Is this something I type in a line when I click 'Start' and then
> choose 'Run'?
>
> Sorry to be so pinnicky, but I'm, really not very good with these
> things and I want to make sure before I go ahead and do any chanegs!
>
> Many thanks
>
> Simon
>
>
>
> "David H. Lipman" wrote:
>
>> From: "uget2nome" <uget2nome@discussions.microsoft.com>
>>
>>> Dear Friends...
>>>
>>> Thank yo ufor all yoru advise, but I'm sorry I'm still confused as
>>> to what I should do to prevent these error messages appearing.
>>> Please can someone explain to me how I solve teh problem?
>>>
>>> Many thanks
>>>
>>> Simon
>>
>> Simon:
>>
>> In case you missed it. Do NOT post a HiJack This (HJT) log here !
>> Do NOT follow pcbutts1's direction to do so. His advice is contrary
>> to all the expeerts in this news Group and by Microsoft.
>>
>> Do execute; MSCONFIG.EXE
>>
>> Choose; Startup
>>
>> Find the line that loads...
>> C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>>
>> Uncheck the box for that line.
>>
>> Click on "Apply" then "Close" then "Restart"..
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 29, 2005 12:58:20 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "uget2nome" <uget2nome@discussions.microsoft.com>

| Dear Dave...
|
| Please can you help me, I'm not sure exactly hoe to execute MSCONFIG.EXE
| I use xp Home Edition. Please can you tell me where I can find 'Start Up'
| and find the line that says 'C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE', with
| the check box.
|
| Is this something I type in a line when I click 'Start' and then choose 'Run'?
|
| Sorry to be so pinnicky, but I'm, really not very good with these things and
| I want to make sure before I go ahead and do any chanegs!
|
| Many thanks
|
| Simon

Yes...

Go to; Start --> Run

type; MSCONFIG

Click on OK.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
August 29, 2005 1:49:27 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Swapnesh wrote:

> But CSRSS is a system service.and it uses CSRSS.exe.If u want to varify u
> can press CTRL+ALT+DEL.
> u can see there under PROCESS tab.OK
> And it says its a system service .
>
> Now when window starts it will try to run CSRR.exe and when anything is not
> found it symply tell File not found.
>
> So give it the file it wants. Though file was infected and was removed u
> can give it a fresh one.Its like giving missing DLL. Havent u tried it yet
> ????
> If n then u should try .
> And has "ugetnome" tried to remove registry and seen that it works ??
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:#NvbDdBrFHA.2876@TK2MSFTNGP12.phx.gbl...
>
>>From: "Swapnesh" <swap_par205@sancharnet.in>
>>
>>| i think u solve what is being prompted .That is u copy csrss.exe from
>>| somebody elses system and put it in uy SYSTEM32 folder or use this
>>| Type msconfig in run box.
>>| now on General tab click ExpandFile button.
>>| And restore file
>>| Ok
>>
>>
>>NO !
>>
>>CSRSS.EXE was an infector. It was removed from the PC as it should have
>
> been. However, the
>
>>application that removed the EXE file failed to remove the Registry entry
>
> that called the
>
>>EXE file to execute. therefore it didn't fully do its job. Copying the
>
> file from another
>
>>PC is NOT the solution.
>>
>>--
>>Dave
>>http://www.claymania.com/removal-trojan-adware.html
>>http://www.ik-cs.com/got-a-virus.htm
>>
>>
>
>
>

Correct your system date.

--
Rock
MS MVP Windows - Shell/User
Anonymous
August 29, 2005 2:40:06 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Download Hijack this from the link below, unzip it, double click on the
unzipped file to run it, save a copy of the log file by clicking on the save
log button, it will open in notepad. Cut and paste the log back here to this
group so that I can analyze it. Ignore the replies by Rock or David or
anyone who tells you to post it elsewhere. I need to see it so I can tell
you how to fix it not them.


HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
news:A6E9C86C-9772-4782-A9A0-1622FA78D08B@microsoft.com...
> Dear Friends...
>
> Many thanks for all your advise, but I'm sorry, I still don't know what to
> do to solve the problem of these error messages appearing every time I
> switch
> the machine on. Please can someone explain to me excatly what steps I need
> to
> take.
>
> Many thanks.
>
> "uget2nome" wrote:
>
>> Dear All...
>>
>> Many thanks for all your advise. I downloaded all of the trials and ran
>> them, which took some time. One of them detected an infected file and
>> automatically removed it. However, when I start my machine, each time I
>> get
>> the following message in a pop-ip box on the desktop:
>>
>> "Windows cannot find 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe'. Make sure
>> you
>> typed the name correctly, and then try again. To search for a file, click
>> the
>> Start button, and then click search."
>>
>> I press OK, and then get the following message:
>>
>> "Could not run of load 'C:WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.exe' specified
>> in
>> the registty. Make sure that the file exists on your computer or remove
>> the
>> reference to it in the registry."
>>
>> I select OK, and get the same messages a second time, and after that, my
>> computer now seems to be working fine.
>>
>> Is there something else I need to do to resolve this?
>>
>> Once again, many thanks, and any further assistance would be greatly
>> appreciated.
>>
>> Simon (uget2nome)
>>
>> "pcbutts1" wrote:
>>
>> > Turn off System Restore then download, install, update and run all of
>> > the
>> > following. When finished reboot and turn System Restore back on.
>> > csrss.exe
>> > is also a valid windows file located in the system32 folder, any other
>> > location should be deleted.
>> >
>> > Ad-Aware
>> > http://www.pcbutts1.com/downloads/aawsepersonal.exe
>> >
>> > Spybot search and destroy
>> > http://www.pcbutts1.com/downloads/spybotsd14.exe
>> >
>> > Ewido Security Suite Trial version
>> > http://www.pcbutts1.com/downloads/ewidosetup.exe
>> >
>> > Microsoft Windows AntiSpyware (Beta1)
>> > http://www.microsoft.com/downloads/details.aspx?FamilyI...
>> >
>> > If none of the above fixes the issue then download Hijack this, run it,
>> > save
>> > a copy of the log file and cut and paste it back here to this group so
>> > that
>> > I can analyze it. Ignore anyone who tells you to post it elsewhere. I
>> > need
>> > to see it not them.
>> >
>> >
>> > HijackThis
>> > http://www.pcbutts1.com/downloads/HijackThis.zip
>> >
>> > --
>> >
>> >
>> > The best live web video on the internet
>> > http://www.seedsv.com/webdemo.htm
>> > NEW Embedded system W/Linux. We now sell DVR cards.
>> > See it all at http://www.seedsv.com/products.htm
>> > Sharpvision simply the best http://www.seedsv.com
>> >
>> >
>> >
>> > "uget2nome" <uget2nome@discussions.microsoft.com> wrote in message
>> > news:548CDE86-1482-4DEF-956F-DD6CBDB39B42@microsoft.com...
>> > > About every 30 seconds, I get a pop-up message from my anti-virus
>> > > software
>> > > that says:
>> > >
>> > > Dangerous Operation blocked!
>> > > Panda Titanium Antivirus 2005 has detected the execution of a
>> > > dangerous
>> > > action and has blocked it.
>> > > Program:
>> > > Associated file:
>> > > C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>> > >
>> > > So, I have found the file on my C drive, deleted it and deleted from
>> > > my
>> > > Recycle Bin, but the message still continue sto annoyingly pop up.
>> > >
>> > > The operating system I am using is Windows xp Home Edition, which is
>> > > completely up to date with Windowes updates.
>> > >
>> > > Please can someone explain to me (in simple terms!) what I have to do
>> > > to
>> > > get
>> > > rid of this virus.
>> > >
>> > > Any assistance would be greatly appreciated.
>> > >
>> > > Many thanks
>> > >
>> > > Simon (uget2nome)
>> >
>> >
>> >
Anonymous
August 29, 2005 1:22:02 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Dear Don & Dave

Thank you for your help and advise. I followed your instructions, and this
is now working perfectly.

I simply wouldn't have known where to start otherwise!

Once again, many thanks.

Kind Regards

Simon

"Don Burnette" wrote:

> Simon,
>
> Click on Start, then run
>
> In the box that pops up, type " msconfig" without the quotation marks, and
> click ok
>
> This will bring up the System Configuration Utility.
>
> Look at the tabs at the top, the one furthers to the right is the startup
> tab, click on it.
>
> You will see most likely several startup items, with check marks in their
> respective boxes.
>
> Look for the one David pointed you too,and remove the checkmark from it,
> then click ok.
>
> You will get a message that you need to restart your system for your changes
> to take effect, click ok to restart your system.
>
> After it boots up, you will get a message that you are running in selective
> startup, put a check mark in the box to not display that message again, and
> click ok.
>
>
> Hope this helps,
>
>
> Don Burnette
>
>
>
> uget2nome wrote:
> > Dear Dave...
> >
> > Please can you help me, I'm not sure exactly hoe to execute
> > MSCONFIG.EXE
> > I use xp Home Edition. Please can you tell me where I can find 'Start
> > Up'
> > and find the line that says
> > 'C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE', with the check box.
> >
> > Is this something I type in a line when I click 'Start' and then
> > choose 'Run'?
> >
> > Sorry to be so pinnicky, but I'm, really not very good with these
> > things and I want to make sure before I go ahead and do any chanegs!
> >
> > Many thanks
> >
> > Simon
> >
> >
> >
> > "David H. Lipman" wrote:
> >
> >> From: "uget2nome" <uget2nome@discussions.microsoft.com>
> >>
> >>> Dear Friends...
> >>>
> >>> Thank yo ufor all yoru advise, but I'm sorry I'm still confused as
> >>> to what I should do to prevent these error messages appearing.
> >>> Please can someone explain to me how I solve teh problem?
> >>>
> >>> Many thanks
> >>>
> >>> Simon
> >>
> >> Simon:
> >>
> >> In case you missed it. Do NOT post a HiJack This (HJT) log here !
> >> Do NOT follow pcbutts1's direction to do so. His advice is contrary
> >> to all the expeerts in this news Group and by Microsoft.
> >>
> >> Do execute; MSCONFIG.EXE
> >>
> >> Choose; Startup
> >>
> >> Find the line that loads...
> >> C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
> >>
> >> Uncheck the box for that line.
> >>
> >> Click on "Apply" then "Close" then "Restart"..
> >>
> >> --
> >> Dave
> >> http://www.claymania.com/removal-trojan-adware.html
> >> http://www.ik-cs.com/got-a-virus.htm
>
>
>
>
>
>
Anonymous
August 29, 2005 4:34:17 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "uget2nome" <uget2nome@discussions.microsoft.com>

| Dear Don & Dave
|
| Thank you for your help and advise. I followed your instructions, and this
| is now working perfectly.
|
| I simply wouldn't have known where to start otherwise!
|
| Once again, many thanks.
|
| Kind Regards
|
| Simon

You're welcome Simon and thank you for updating the thread.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 30, 2005 12:08:27 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Well, David did all the work, but you are very welcome!

Glad you got your issue resolved.
Thanks for letting us know,



Don Burnette


uget2nome wrote:
> Dear Don & Dave
>
> Thank you for your help and advise. I followed your instructions, and
> this is now working perfectly.
>
> I simply wouldn't have known where to start otherwise!
>
> Once again, many thanks.
>
> Kind Regards
>
> Simon
>
> "Don Burnette" wrote:
>
>> Simon,
>>
>> Click on Start, then run
>>
>> In the box that pops up, type " msconfig" without the quotation
>> marks, and click ok
>>
>> This will bring up the System Configuration Utility.
>>
>> Look at the tabs at the top, the one furthers to the right is the
>> startup tab, click on it.
>>
>> You will see most likely several startup items, with check marks in
>> their respective boxes.
>>
>> Look for the one David pointed you too,and remove the checkmark from
>> it, then click ok.
>>
>> You will get a message that you need to restart your system for your
>> changes to take effect, click ok to restart your system.
>>
>> After it boots up, you will get a message that you are running in
>> selective startup, put a check mark in the box to not display that
>> message again, and click ok.
>>
>>
>> Hope this helps,
>>
>>
>> Don Burnette
>>
>>
>>
>> uget2nome wrote:
>>> Dear Dave...
>>>
>>> Please can you help me, I'm not sure exactly hoe to execute
>>> MSCONFIG.EXE
>>> I use xp Home Edition. Please can you tell me where I can find
>>> 'Start Up'
>>> and find the line that says
>>> 'C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE', with the check box.
>>>
>>> Is this something I type in a line when I click 'Start' and then
>>> choose 'Run'?
>>>
>>> Sorry to be so pinnicky, but I'm, really not very good with these
>>> things and I want to make sure before I go ahead and do any chanegs!
>>>
>>> Many thanks
>>>
>>> Simon
>>>
>>>
>>>
>>> "David H. Lipman" wrote:
>>>
>>>> From: "uget2nome" <uget2nome@discussions.microsoft.com>
>>>>
>>>>> Dear Friends...
>>>>>
>>>>> Thank yo ufor all yoru advise, but I'm sorry I'm still confused as
>>>>> to what I should do to prevent these error messages appearing.
>>>>> Please can someone explain to me how I solve teh problem?
>>>>>
>>>>> Many thanks
>>>>>
>>>>> Simon
>>>>
>>>> Simon:
>>>>
>>>> In case you missed it. Do NOT post a HiJack This (HJT) log here !
>>>> Do NOT follow pcbutts1's direction to do so. His advice is
>>>> contrary to all the expeerts in this news Group and by Microsoft.
>>>>
>>>> Do execute; MSCONFIG.EXE
>>>>
>>>> Choose; Startup
>>>>
>>>> Find the line that loads...
>>>> C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE
>>>>
>>>> Uncheck the box for that line.
>>>>
>>>> Click on "Apply" then "Close" then "Restart"..
>>>>
>>>> --
>>>> Dave
>>>> http://www.claymania.com/removal-trojan-adware.html
>>>> http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 30, 2005 1:14:16 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

From: "Swapnesh" <swap_par205@sancharnet.in>


To add to my previous information...

I pulled the following from email, which is a Virus Total report, I received from helping
someone else with a suspicious CSRSS.EXE file.


This was the results of the csrss.exe scan in the c:\windows\ziplog
directory [ c:\windows\ziplog\csrss.exe ]

Antivirus Version Update Result
AntiVir 6.31.1.0 07.29.2005 no virus found
AVG 718 07.28.2005 no virus found
Avira 6.31.1.0 07.29.2005 no virus found
BitDefender 7.0 07.29.2005 no virus found
CAT-QuickHeal 7.03 07.30.2005 no virus found
ClamAV devel-20050725 07.29.2005 no virus found
DrWeb 4.32b 07.29.2005 BackDoor.Generic.977
eTrust-Iris 7.1.194.0 07.30.2005 no virus found
eTrust-Vet 11.9.1.0 07.29.2005 no virus found
Fortinet 2.36.0.0 07.30.2005 no virus found
F-Prot 3.16c 07.29.2005 no virus found
Ikarus 0.2.59.0 07.29.2005 no virus found
Kaspersky 4.0.2.24 07.30.2005 Trojan-Spy.Win32.WinSpy.a
McAfee 4546 07.29.2005 potentially unwanted program Winspy
NOD32v2 1.1183 07.29.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 07.28.2005 no virus found
Panda 8.02.00 07.29.2005 no virus found
Sophos 3.96.0 07.30.2005 no virus found
Sybari 7.5.1314 07.30.2005 Trojan-Spy.Win32.WinSpy.a
Symantec 8.0 07.29.2005 no virus found
TheHacker 5.8.2.077 07.29.2005 no virus found
VBA32 3.10.4 07.29.2005 no virus found


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 30, 2005 6:22:22 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Virus reports are not acceptable in this group, you should be banned for
posting it. There are virus forums for logs like that please use them.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:o 8K2mAQrFHA.2596@TK2MSFTNGP09.phx.gbl...
> From: "Swapnesh" <swap_par205@sancharnet.in>
>
>
> To add to my previous information...
>
> I pulled the following from email, which is a Virus Total report, I
> received from helping
> someone else with a suspicious CSRSS.EXE file.
>
>
> This was the results of the csrss.exe scan in the c:\windows\ziplog
> directory [ c:\windows\ziplog\csrss.exe ]
>
> Antivirus Version Update Result
> AntiVir 6.31.1.0 07.29.2005 no virus found
> AVG 718 07.28.2005 no virus found
> Avira 6.31.1.0 07.29.2005 no virus found
> BitDefender 7.0 07.29.2005 no virus found
> CAT-QuickHeal 7.03 07.30.2005 no virus found
> ClamAV devel-20050725 07.29.2005 no virus found
> DrWeb 4.32b 07.29.2005 BackDoor.Generic.977
> eTrust-Iris 7.1.194.0 07.30.2005 no virus found
> eTrust-Vet 11.9.1.0 07.29.2005 no virus found
> Fortinet 2.36.0.0 07.30.2005 no virus found
> F-Prot 3.16c 07.29.2005 no virus found
> Ikarus 0.2.59.0 07.29.2005 no virus found
> Kaspersky 4.0.2.24 07.30.2005 Trojan-Spy.Win32.WinSpy.a
> McAfee 4546 07.29.2005 potentially unwanted program Winspy
> NOD32v2 1.1183 07.29.2005 probably unknown NewHeur_PE virus
> Norman 5.70.10 07.28.2005 no virus found
> Panda 8.02.00 07.29.2005 no virus found
> Sophos 3.96.0 07.30.2005 no virus found
> Sybari 7.5.1314 07.30.2005 Trojan-Spy.Win32.WinSpy.a
> Symantec 8.0 07.29.2005 no virus found
> TheHacker 5.8.2.077 07.29.2005 no virus found
> VBA32 3.10.4 07.29.2005 no virus found
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
January 30, 2009 1:29:28 AM

Just go to this site I built, http://connectionwizard.comoj.com/ there are the programs you need (FREE) and full instructions telling you how to install and uninstall them. When you are done you will be able to get you updates again, your machine will be like you first bought it as well. Take Care
!