When your antimalware tools disagree

By Fred Langa

One tool says your PC is infected. Another says you’re clean. Which do you believe?

No need to flip a coin! With a little sleuthing, you can get to the bottom of just about any malware confusion.


How to deal with dueling malware removers

When malware-removal tools disagree about whether your PC is infected, how do you know which one to believe? That’s the problem facing reader Thomas Trickey. But rather than focusing only on Thomas’ dilemma, let’s broaden the answer into a general problem-solving approach. That way, Thomas’ specific case can also serve as a template for getting to the bottom of other, similar problems:
  • "The software ‘NoAdware’ keeps picking up W32.Netsky.AB@mm, which I believeis a worm. It tells me it is located at C:Windowscsrss.exe. However I cannot find the little devil. Symantec has a tool (free) that is suppose to fix the problem, but whenever I run the tool, it cannot find it. Is there anything you can guide me to, to help me eliminate this problem?"
Trying a removal tool was a logical first step, Thomas. That’s what I would have tried as well. One of the best references I know for finding malware-removal tools is Secunia. This security company aggregates what each of several antivirus vendors has to say about a given threat. Secunia’s pages also offer links to each AV vendor’s site (and to free removal tools, if any). For example, Secunia’s page on W32.Netsky.AB@mm offers links to seven different AV vendors regarding that particular worm. Very handy!

If the removal tools don’t seem to work, as in Thomas’ case, the next step is to try to track down the problem file itself. In this case, Thomas reports that the file is csrss.exe. What is it?

You may already have a favorite site for looking up various Windows system components, such as the programs and processes that show up in Windows’ Task Manager applet. (Press Ctrl+Alt+Del and click Task Manager to bring up this useful tool.) I haven’t found any one site that truly does it all, so I usually gravitate to three sites that complement each other: Answers that Work, Uniblue’s Windows Process Library, and PCreview. Combining and boiling down the information from those sites, you can see that:
  • There is a system file in Windows NT4/2000/XP/2003 called csrss.exe (the Client Server Runtime SubSystem). Csrss.exe is not part of Windows ME/98 or earlier versions.

  • The real csrss.exe file is located in the Windows\System32 folder on your PC. (Bonus tip: These sites don’t say it, but there may also be a spare copy of many system files in your Windows\ServicePackFiles\i386 folder. The datestamps and file sizes of the csrss.exe files in System32 and ServicePackFiles\i386 should be identical. If they are not, one of the copies may be compromised.)

  • Csrss.exe is automatically launched by smss, the Windows Session Manager Subsystem. Csrss.exe is not launched on its own, and thus should not appear in the Startup folder or list.
Therefore:
  • Any copy of csrss.exe found in a folder other than Windows\System32 or Windows\ServicePackFiles\i386 is most likely bogus.

  • Any copy of csrss.exe found on any Windows ME/98 installation is most likely bogus.
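As an added example (not from the article, and not a tool from any of the sites it cites), the following PowerShell script runs the checks just described on a Windows PC: where each running csrss.exe was loaded from and which process started it, whether any other file named csrss.exe exists on the system drive, whether the System32 and ServicePackFiles\i386 copies match, and whether any startup location references csrss. It assumes only the standard Windows folders and Run keys; the SHA-256 comparison in step 3 goes one step beyond the article's size-and-date check and needs PowerShell 4 or later.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt:
# the genuine csrss.exe is a protected process, so its path and parent are only
# visible to administrators. ServicePackFiles\i386 exists on XP/2003-era installs;
# its absence on newer Windows is reported, not treated as a finding.

$win       = $env:SystemRoot
$legitDirs = @("$win\System32", "$win\ServicePackFiles\i386")

Write-Host "== 1. Running csrss.exe instances (expect System32, started by smss.exe) =="
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'")
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    # smss.exe may already have exited, so an unknown parent is reported, not flagged
    $parentName = if ($parent) { $parent.Name } else { '<parent already exited>' }
    $dir = if ($p.ExecutablePath) { Split-Path $p.ExecutablePath -Parent } else { $null }
    [pscustomobject]@{
        PID      = $p.ProcessId
        Path     = if ($dir) { $p.ExecutablePath } else { '<not visible; run elevated>' }
        Parent   = $parentName
        PathOK   = ($null -ne $dir) -and ($dir -ieq "$win\System32")
        ParentOK = (-not $parent) -or ($parentName -ieq 'smss.exe')
    } | Format-List
}

Write-Host "== 2. Every file named csrss.exe on the system drive =="
$allCopies = @(Get-ChildItem -Path "$env:SystemDrive\" -Filter 'csrss.exe' -Recurse -Force -File -ErrorAction SilentlyContinue)
foreach ($f in $allCopies) {
    # Any copy outside the two legitimate folders is the "most likely bogus" case
    $status = if ($legitDirs -contains $f.DirectoryName) { 'expected location' } else { 'UNEXPECTED location - investigate' }
    "{0,-55} {1,8} bytes  {2}  {3}" -f $f.FullName, $f.Length, $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm'), $status
}

Write-Host "== 3. System32 copy vs. ServicePackFiles\i386 spare copy =="
$sys32 = Join-Path $legitDirs[0] 'csrss.exe'
$spare = Join-Path $legitDirs[1] 'csrss.exe'
if (-not (Test-Path $spare)) {
    "No spare copy at $spare (normal on Windows versions without a ServicePackFiles folder)."
} else {
    $a = Get-Item $sys32
    $b = Get-Item $spare
    $sizeMatch = $a.Length -eq $b.Length
    $dateMatch = $a.LastWriteTime -eq $b.LastWriteTime
    # Hash check is an extra step beyond the size/date comparison: identical size and
    # date with different content is exactly what a tampered file looks like.
    # Get-FileHash needs PowerShell 4+; drop this line on older systems.
    $hashMatch = (Get-FileHash $sys32 -Algorithm SHA256).Hash -eq (Get-FileHash $spare -Algorithm SHA256).Hash
    "Size match: $sizeMatch   Date match: $dateMatch   SHA-256 match: $hashMatch"
    if (-not ($sizeMatch -and $dateMatch -and $hashMatch)) { "Mismatch: one of the copies may be compromised." }
}

Write-Host "== 4. Startup entries that mention csrss (there should be none) =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }   # skip provider metadata, keep real values
        if ("$($prop.Value)" -imatch 'csrss') { "Registry: $k\$($prop.Name) = $($prop.Value)" }
    }
}
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($d in $startupDirs) {
    Get-ChildItem -Path $d -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch 'csrss' } |
        ForEach-Object { "Startup folder: $($_.FullName)" }
}
```

Anything the script flags in steps 1, 2 or 4 matches the article's "most likely bogus" cases and is worth handing to the removal tools, or to a vendor's submission page, with the full path attached. A clean run, with every copy in an expected location and no startup references, is good evidence that the warning from NoAdware was about a file that is no longer there.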


Windows Secrets article, posted 2007-02-01.

About Fred Langa

Fred Langa is senior editor. His LangaList Newsletter merged with Windows Secrets on Nov. 16, 2006. Prior to that, Fred was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others.