i am receiving virus scan alerts dealing with csrss.exe in folder c:\windows.... detected as newmalware.j trojan.... it constantly pops up every couple of hours...it says it cannot delete (moved, cleaned failed because file isn't cleanable) but it quarantined it.... how can i remove this virus from my computer....i am currently running mcafee virus scan enterprise 8.0 i cannot seem to delete this thing no matter what i do... please help someone.....

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop. Doubleclick on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\Hijack This. Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue. Put a check by "Create a desktop icon" then click "Next" again. Continue to follow the rest of the prompts from there. At the final dialogue box click "Finish" and it will launch Hijack This. Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly. Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop. !!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!! Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd" Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

here is my hijack this log Logfile of HijackThis v1.99.1 Scan saved at 3:52:39 PM, on 1/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\stsystra.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.exe C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\WINDOWS\System32\DLA\DLACTRLW.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\LOGI_MWX.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\winlogon.exe C:\program files\steam\steam.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\LimeWire\LimeWire.exe C:\Program Files\ABC\ABC.exe C:\Program Files\TrojanHunter 4.6\THGuard.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FOR... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FOR... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FOR... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe" O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menu... O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [INTERNATIONAL] International* O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing) O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe here is my smitfraudfix report SmitFraudFix v2.132 Scan done at 15:57:18.74, Sun 01/07/2007 Run from C:\Documents and Settings\Rpawlak\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rpawlak »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rpawlak\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Rpawlak\FAVORI~1 C:\DOCUME~1\Rpawlak\FAVORI~1\Online Security Test.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End thank you for your help

Please download ATF-Cleaner to your desktop from this link http://www.atribune.org/content/view/19/2/ We will need it later in safe mode Download and install AVG Anti-Spyware We will need this later in safe mode Be sure to update AVG Anti- Spyware Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd" Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing " Y " and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if "wininet.dll " is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt http://download.bleepingcomputer.com/sUBs/combofix.exe Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running, it may cause your system to hang.) Please post the combofix.txt log.