When your antimalware tools disagree
By Fred Langa

One tool says your PC is infected. Another says you're clean. Which do you believe? No need to flip a coin! With a little sleuthing, you can get to the bottom of just about any malware confusion.
How to deal with dueling malware removers
When malware-removal tools disagree on whether your PC is infected or not, how do you know which one to believe? That's the problem facing reader Thomas Trickey. But rather than focusing just on Thomas' dilemma, let's broaden the answer into a more general problem-solving approach for this type of problem. This way, Thomas' specific example can also serve as a kind of problem-solving template you can use to get to the bottom of other, similar problems:
"The software 'NoAdware' keeps picking up W32.Netsky.AB@mm, which I believe is a worm. It tells me it is located at C:\Windows\csrss.exe. However, I cannot find the little devil. Symantec has a tool (free) that is supposed to fix the problem, but whenever I run the tool, it cannot find it. Is there anything you can guide me to, to help me eliminate this problem?"
If the removal tools don't seem to work, as in Thomas' case, the next step is to try to track down the problem file itself. In this case, Thomas reports that the file is csrss.exe. What is it?
You may already have a favorite site for looking up various Windows system components, such as the programs and processes that show up in Windows' Task Manager applet. (Press Ctrl+Alt+Del and click Task Manager to bring up this useful tool.) I haven't found any one site that truly does it all, so I usually gravitate to three sites that complement each other: Answers that Work, Uniblue's Windows Process Library, and PCreview. Combining and boiling down the information from those sites, you can see that:
- There is a system file in Windows NT4/2000/XP/2003 called csrss.exe (the Client Server Runtime SubSystem). Csrss.exe is not part of Windows ME/98 or earlier versions.
- The real csrss.exe file is located in the \Windows\System32 folder on your PC. (Bonus tip: These sites don't say it, but there may also be a spare copy of many system files in your \Windows\ServicePackFiles\i386 folder, too. The datestamps and file sizes of the csrss.exe files in System32 and ServicePackFiles\i386 should be identical. If they are not, one of the copies may be compromised.)
- Csrss.exe is automatically launched by smss, the Windows Session Manager Subsystem. Csrss.exe is not launched on its own, and thus should not appear in the Startup folder or list.
- Any copy of csrss.exe found in a folder other than \Windows\System32 or \Windows\ServicePackFiles\i386 is most likely bogus.
- Any copy of csrss.exe found on any Windows ME/98 installation is most likely bogus.
- Any copy of csrss.exe found in the Startup folder or in the Startup tab of msconfig is most likely bogus. (To access msconfig: Click Start, Run, then type msconfig in the Run box and click OK.)
Of course, by default, Windows hides the contents of system folders to prevent novices from getting into trouble. Advanced users can and should unhide the folders:
Step 1. In the Windows Explorer menu bar, click Tools, Folder Options, and select the View tab.
Step 2. Scroll down in the Advanced Settings list and select Display the contents of system folders and Show hidden files and folders.
Step 3. Deselect Hide protected operating system files and Hide extensions for known file types.
Step 4. In the Folder Views section of the dialog box, click Apply to all folders.
You'll now see every file and folder on your PC in full, "natural," and unmodified form. (You can undo these changes by selecting Restore defaults and Reset all folders in the Folder Options dialog box.)
With all files and folders now visible, you can navigate to the Windows folder, see whether csrss.exe is there, and delete it if it is. Of course, in Tom's case, if it is there, then he will have proved that NoAdware was correct in sounding the alarm, and that the Norton removal tool wasn't doing its job.
But if Tom's csrss.exe isn't in the Windows folder, then Tom's copy of NoAdware was sounding a false alarm, and Norton's removal tool was correct in reporting no infection.
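The manual checks above (is csrss.exe only where it belongs, do the System32 and ServicePackFiles\i386 copies match, was it started by smss, and is it lurking in a startup location) can be run in one pass from a PowerShell prompt. The script below is an added example for this article, not something from the original column or from any of the tools it mentions. It assumes Windows PowerShell 5.1 or later (Get-FileHash and Get-CimInstance did not exist on the XP-era systems the column describes), and it only reports; it deletes nothing.

```powershell
# Added example (not from the Windows Secrets article): report every csrss.exe
# on the system drive and check it against the facts listed in the column.
# Assumes Windows PowerShell 5.1+; run from an elevated prompt for full results.
$ErrorActionPreference = 'SilentlyContinue'   # skip access-denied folders quietly
$win   = $env:SystemRoot                      # normally C:\Windows
$legit = @(
    (Join-Path $win 'System32\csrss.exe'),
    (Join-Path $win 'ServicePackFiles\i386\csrss.exe')
)

# 1. Every csrss.exe on the system drive, hidden files included (-Force).
#    Anything outside the two legitimate folders is flagged.
"== csrss.exe copies on $env:SystemDrive =="
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'csrss.exe' -Recurse -Force -File
foreach ($f in $copies) {
    $status = if ($legit -contains $f.FullName) { 'expected location' }
              else { 'SUSPECT: unexpected location' }
    '{0,-60} {1,10} bytes  {2}  {3}' -f $f.FullName, $f.Length, $f.LastWriteTime, $status
}

# 2. The column's "bonus tip": the System32 copy and the ServicePackFiles\i386
#    spare should be identical. Compare size and a SHA-256 hash, not just dates.
"`n== System32 vs ServicePackFiles\i386 =="
$sys32 = Get-Item $legit[0]
$spf   = Get-Item $legit[1]
if ($sys32 -and $spf) {
    $h1 = (Get-FileHash -Algorithm SHA256 -Path $sys32.FullName).Hash
    $h2 = (Get-FileHash -Algorithm SHA256 -Path $spf.FullName).Hash
    if ($sys32.Length -eq $spf.Length -and $h1 -eq $h2) {
        'Copies match (same size and SHA-256).'
    } else {
        'WARNING: the two copies differ; one of them may have been replaced.'
    }
} else {
    'No ServicePackFiles\i386 copy present to compare against (common on many installs).'
}

# 3. Running csrss.exe instances: the image should live in System32 and the
#    launcher should be smss.exe. On current Windows the smss instance that
#    starts csrss exits right away, so an unresolvable parent is normal;
#    a resolvable parent that is NOT smss.exe is the suspicious case.
"`n== Running csrss.exe processes =="
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
    $parent     = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }
    $imageOk    = ($p.ExecutablePath -and $p.ExecutablePath -ieq $legit[0])
    $parentOk   = (-not $parent) -or ($parentName -ieq 'smss.exe')
    $verdict    = if ($imageOk -and $parentOk) { 'looks normal' } else { 'SUSPECT' }
    'PID {0,-6} image={1,-45} parent={2,-16} {3}' -f $p.ProcessId, $p.ExecutablePath, $parentName, $verdict
}

# 4. csrss.exe is started by smss, never from a startup location. Look for it
#    in the Run keys (what msconfig's Startup tab shows) and the Startup folders.
"`n== Startup locations =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'csrss\.exe' } |
            ForEach-Object { "SUSPECT startup entry: $k\$($_.Name) = $($_.Value)" }
    }
}
$startupFolders = @([Environment]::GetFolderPath('Startup'),
                    [Environment]::GetFolderPath('CommonStartup'))
foreach ($d in $startupFolders) {
    Get-ChildItem -Path $d -Force | Where-Object { $_.Name -match 'csrss' } |
        ForEach-Object { "SUSPECT startup item: $($_.FullName)" }
}
'Done. Entries marked SUSPECT deserve a closer look; nothing has been changed.'
```

Anything marked SUSPECT is exactly what the column tells you to look for by hand: a csrss.exe outside System32 (such as the C:\Windows\csrss.exe that NoAdware reported), two "system" copies that no longer match, or a startup entry pointing at the file. A clean report, on the other hand, is the evidence you need to conclude that the tool raising the alarm is the one crying wolf.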
Whew — that took a bit of explaining! But now you know how to verify and remove a reported infection in what appears to be a system file. What's more, you also now know how to manually referee cases where one automated tool reports an infection while others do not.
And if you do find that a given tool routinely claims to have found infections that no other removal tool or manual search can find, then it might be wise not to trust the tool that's crying wolf. Who has time for needless false alarms?
Speed up Opera 9 by disabling filtering
In the article Is IE 7 too slow opening new sites? in the Jan. 18 issue, I discussed several fixes for the slowdown that can occur when IE 7's Phishing Filter is engaged. Reader Fritz Reinders sent in this tip to cure a similar problem in Opera:
"IE7 is not the only one affected. Opera 9 has this feature also: You open a new page and another Web site is first consulted to see if it is safe. Really slows page loading.

"To turn it on or off in Opera, select Tools, Preferences, Advanced, Security. Clear Fraud Protection to toggle the anti-phishing check."
Reader-written freeware accesses XP applets
Windows Secrets readers are a diverse and talented group. What's more, you're generous in sharing your skills and knowledge, as is shown every week by the great tips we get. (E-mail your tips to Editor at WindowsSecrets dot com.) Sometimes, readers even share software they've written, like this little button bar from Anthony Kinyon that gives you one-click access to XP tools and utilities:
"I wrote this little app, WinToolsXP, in Visual Basic 2005 (.NET Framework 2.0 required). It is freeware. The link above has a screenshot and a more detailed description."
An automated fix for a missing NTLDR
In the Dec. 7 issue, What to do when missing NTLDR and Hal.dll discussed tried-and-true manual methods for solving show-stopping problems with those files. But reader "Cyurko" knows of a donationware ($5) fix that largely automates the process using a boot disk:
"There's a quick and easy solution at Tiny Empire's 'NTLDR is missing' page. Put the floppy in, reboot, and you're good to go. Be sure to make a floppy for the Windows and the WinNT folders [if any]."
Fred Langa is editor of the Windows Secrets Newsletter. He was editor of Byte Magazine from 1987 to 1991 and editorial director of CMP Media from 1991 to 1996, overseeing Windows Magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.