| By Fred Langa |
One tool says your PC is infected. Another says you’re clean. Which do you believe?
No need to flip a coin! With a little sleuthing, you can get to the bottom of just about any malware confusion.
How to deal with dueling malwareremovers
When malware-removal tools disagree on whether your PC is infected or not, how do you know which one to believe? That’s the problem facing reader Thomas Trickey. But rather than focusing just on Thomas’ dilemma, let’s broaden the answer into a more general problem-solving approach for this type of problem. This way, Thomas’ specific example can also serve as a kind of problem-solving template you can use to get to the bottom of other, similar problems:
- "The software ‘NoAdware’ keeps picking up W32.Netsky.AB@mm, which I believeis a worm. It tells me it is located at C:Windowscsrss.exe. However I cannot find the little devil. Symantec has a tool (free) that is suppose to fix the problem, but whenever I run the tool, it cannot find it. Is there anything you can guide me to, to help me eliminate this problem?"
If the removal tools don’t seem to work, as in Thomas’ case, the next step is to try to track down the problem file itself. In this case, Thomas reports that the file is csrss.exe. What is it?
You may already have a favorite site for looking up various Windows system components, such as the programs and processes that show up in Windows’ Task Manager applet. (Press Ctrl+Alt+Del and click Task Manager to bring up this useful tool.) I haven’t found any one site that truly does it all, so I usually gravitate to three sites that complement each other: Answers that Work, Uniblue’s Windows Process Library, and PCreview. Combining and boiling down the information from those sites, you can see that:
- There is a system file in Windows NT4/2000/XP/2003 called csrss.exe (the Client Server Runtime SubSystem). Csrss.exe is not part of Windows ME/98 or earlier versions.
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!
Subscribe and get our monthly bonuses - free!
Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!
- The real csrss.exe file is located in the WindowsSystem32 folder on your PC. (Bonus tip: These sites don’t say it, but there may also be a spare copy of many system files in your WindowsServicePackFilesi386 folder, too. The datestamps and file sizes of the csrss.exe files in System32 and ServicePackFilesi386 should be identical. If they are not, one of the copies may be compromised.)
- Csrss.exe is automatically launched by smss, the Windows Session Manager Subsystem. Csrss.exe is not launched on its own, and thus should not appear in the Startup folder or list.
- Any copy of csrss.exe found in a folder other than WindowsSystem32 or WindowsServicePackFilesi386 is most likely bogus.
- Any copy of csrss.exe found on any Windows ME/98 installation is most likely bogus.
- Any copy of csrss.exe found in the Startup folder or in Startup tab of msconfig is most likely bogus. (To access msconfig: Click Start, Run, then type msconfig in the Run box and click OK.)
Of course, by default, Windows hides the contents of system folders to prevent novices from getting into trouble. Advanced users can and should unhide the folders:
Step 1. In the Windows Explorer menu bar, click Tools, Folder Options, and select the View tab.
Step 2. Scroll down in the Advanced Settings list and select Display the contents of system folders and Show hidden files and folders.
Step 3. Deselect Hide protected operating system files and Hide extensions for known file types.
Step 4. In the Folder Views section of the dialog box, click Apply to all folders.
You’ll now see every file and folder on your PC in full, "natural," and unmodified form. (You can undo these changes by selecting Restore defaults and Reset all folders in the Folder Options dialog box.)
With all files and folders now visible, you can navigate to the Windows folder, see if csrss.exe is there; and delete it if it is. Of course, in Tom’s case, if it is there, then he will have proved that NoAdware was correct in sounding the alarm; and that the Norton removal tool wasn’t doing its job.
But if Tom’s csrss.exe isn’t in the Windows folder, then Tom’s copy of NoAdware was sounding a false alarm, and Norton’s removal tool was correct in reporting no infection.
Whew — that took a bit of explaining! But now you know how to verify and remove a reported infection in what appears to be a system file. What’s more, you also now know how to manually referee cases where one automated tool reports an infection while others do not.
And if you do find that a given tool routinely claims to have found infections that no other removal-tool or manual search can find, then it might be wise not to trust the tools that’s crying wolf. Who has time for needless false alarms?
Speed up Opera 9 by disabling filtering
In the article Is IE 7 too slow opening new sites? in the Jan. 18 issue, I discussed several fixes for the slowdown that can occur when IE 7′s Phishing Filter is engaged. Reader Fritz Reinders sent in this tip to cure a similar problem in Opera:
- "IE7 is not the only one affected. Opera 9 has this feature also: You open a new page and another Web site is first consulted to see if it is safe. Really slows page loading.
"To turn it on or off in Opera, select Tools, Preferences, Advanced, Security. Clear Fraud Protection to toggle the anti-phishing check."
Reader-written freeware accesses XP applets
Windows Secrets readers are a diverse and talented group. What’s more, you’re generous in sharing your skills and knowledge, as is shown every week by the great tips we get. (E-mail your tips to Editor at WindowsSecrets dot com.) Sometimes, readers even share software they’ve written, like this little button bar from Anthony Kinyon that gives you one-click access to XP tools and utilities:
- "I wrote this little app, WinToolsXP, in Visual Basic 2005 (.NET Framework 2.0 required). It is freeware. The link above has a screenshot and a more detailed description."
An automated fix for a missing NTLDR
In the Dec. 7 issue, What to do when missing NTLDR and Hal.dll discussed tried-and-true manual methods for solving show-stopping problems with those files. But reader "Cyurko" knows of a donationware ($5) fix that largely automates the process using a boot disk:
- "There’s a quick and easy solution at Tiny Empire’s ‘NTLDR is missing’ page. Put the floppy in, reboot, and you’re good to go. Be sure to make a floppy for the Windows and the WinNT folders [if any]."
Fred Langa is editor of the Windows Secrets Newsletter. He was editor of Byte Magazine from 1987 to 1991 and editorial director of CMP Media from 1991 to 1996, overseeing Windows Magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.