Wednesday, February 25, 2009

csrcs.exe Virus Manual Removal Steps

csrcs.exe

Don't confuse csrcs.exe with csrss.exe. csrss.exe is a legitimate Windows service, whereas csrcs.exe is a Trojan, or a virus. It resides in the C:\Windows\System32\ folder.

To remove csrcs.exe and all its effects, first open regedit (Start > Run: regedit). Then search for the string "csrcs.exe" and remove all occurrences of the string from the values. If a value holds a path such as "C:\Windows\System32\csrcs.exe", delete the entire value from the registry.

Next, delete the file from C:\Windows\System32.
If you do not find it, first show all hidden files. You may have to fix that in the registry to show hidden files; this has been covered in an earlier post. Once that's done, delete the exe file.

Restart.
Hope that does it.
If not, do comment and I will get back to you.
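
An offline triage of the registry search described in this post, as an added example (not the author's code): it reads a regedit export and separates values to delete outright from values such as "explorer.exe csrcs.exe", mentioned in the comments below, where only the csrcs.exe part should go. The sample export is constructed, and its key paths other than the ACMru one are assumptions.

```python
import ntpath
import re

TARGET = re.compile(r'(?<![\w.-])csrcs\.exe(?![\w.])', re.I)
TOKEN = re.compile(r'\S*(?<![\w.-])csrcs\.exe(?![\w.])"?', re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in regedit's File > Export text format. Key paths other
# than the ACMru one are assumptions; the value strings are those on the page.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe csrcs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"csrcs"="C:\\Windows\\System32\\csrcs.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="csrcs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed]
"Note"="C:\\WINDOWS\\system32\\csrss.exe"
'''

def triage(export_text):
    """Return (key, value name, action, data to keep) for each csrcs hit."""
    findings, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m:
            continue
        # .reg string data escapes backslashes and quotes; undo that first.
        name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
        if not TARGET.search(data):
            if 'csrcs' in data.lower():  # e.g. a typed search term, not a launch entry
                findings.append((key, name, 'review-only', data))
            continue
        only_exe = data.lower().count('.exe') == 1
        if only_exe and ntpath.basename(data.strip('" ')).lower() == 'csrcs.exe':
            findings.append((key, name, 'delete-value', ''))
        else:  # another program shares the value: strip only the csrcs.exe token
            kept = ' '.join(TOKEN.sub(' ', data).split())
            findings.append((key, name, 'edit-value', kept))
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

The legitimate csrss.exe entry in the sample is not reported, because the match is on the exact file name csrcs.exe.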

23 comments:

bhushan sohani said...

Actually, there was no file in the System32 folder.
I did unhide the system and hidden files,
but it wasn't there.

I do get a message "csrcs.exe not found" at the startup.

And also, it has created a problem with my USB phone-laptop connection,
I mean the internet sharing.

The problem persists
please help.

Thanks in advance

Arun Prabhakar said...

Do you have any antivirus installed?
I think the virus has been deleted, but the changes to the registry were not restored.

Please search the registry for csrcs.exe and remove the occurrences. Remove the csrcs.exe from a key with value "explorer.exe csrcs.exe".

And about the problem with the USB phone, check you're not infected with other viruses.

Anonymous said...

Thanks.
It helped me!
Lior

Effendy said...

thanks

retex said...

Hello. Very important method to remove csrcs.exe. It worked, but the problem is that when I restart my PC, csrcs.exe still runs in Process Explorer. I prefer to use Process Explorer and not Task Manager from Windows. I've deleted it from the registry as you show here but it still runs. Why? What should I do?

Arun Prabhakar said...

Did you delete all registry entries?
See if there are autorun on your hard disk drives...

retex said...

How can I see if there are autorun on your hard disk drives?

Arun Prabhakar said...

Unhide all files and check for an autorun.inf file on the drives, like
C:\autorun.inf
D:\autorun.inf
etc.

retex said...

I don't have some kinds of autorun on my PC

Arun Prabhakar said...

Please find and delete all occurrences of csrcs.exe from the regedit in Safe Mode.

The virus re-infects if it is already running, so end the process before doing the same.

retex said...

I will enter safe mode right now and clean the registry. I will come back here in a few minutes.

retex said...

Yah... seems it worked for the moment. I've deleted csrcs.exe from the registry in safe mode. Then restarted the PC, and now it doesn't appear in Process Explorer. I hope it never shows up here. Thanks for the tip.

B. Par said...

I've done everything said but Prevx still detects csrcs.exe. It wasn't in the c:\windows\system32 folder, I deleted it from the registry in safe mode, heck, I even used HJT, but Prevx still detects it. I searched the registry and autoruns but I can't find any csrcs.exe anywhere.

Anonymous said...

I tried everything you said, but Prevx still detects it on my PC.

Help

Anonymous said...

You must use a DOS window and use the good old ATTRIB -s -h on the csrcs.exe file in the system32 folder, even if the file is not shown by the DIR command.
After that, just give it a DEL.
The file is not visible to Explorer; it will be interesting to discover how it does it.
Does someone know?
Hope it helps.

Flames said...

You don't have to use the DOS way...
Just go to the folder options and uncheck the "hide protected system operating files"... and the csrcs.exe file will be visible. Then just delete it!!!

peace\/

John said...

I found and deleted both "csrcs.exe" and "explorer.exe csrcs.exe" from the system registry. However, if I search for "csrcs" only, I found the entry in HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

Should I delete this one as well, or is "csrcs" different from "csrcs.exe"?

Anonymous said...

Thanks, it helped a lot. By the way, AVG antivirus said that the infected file was Autorun.inf (system32 folder), so I had to delete it because csrcs.exe kept appearing in the process list.

Anonymous said...

By the time I installed my antivirus (NOD32 Business Edition) it detected this csrcs.exe without any scan and deleted it. Then at every restart I had the startup message that csrcs wasn't found. Now all I had to do was to delete the "csrcs.exe" and "explorer.exe csrcs.exe" from regedit.exe to stop this message.

So after deleting the file through your antivirus:
Open "C:\WINDOWS\regedit.exe".
Click Edit and Find.
Type "csrcs" to search and delete the two of them.

AlyceOoi said...

Thanks, it really works... appreciate it ;)

Rasared said...

Thank you. It has worked for me. However, I have a new problem now - the System32 folder will open up whenever I start up. Have I not deleted the values correctly or completely?

Anonymous said...

Please help. Despite going through the Regedit find and delete and restart, this csrcs.exe still persists! I am unable to download attachments anymore.

Anonymous said...

thanks, it works for me as well.