I have a serious problem with a virus I got; it seems to be infecting the csrss.exe file of my OS (Windows 7 64-bit). My antivirus, MSE (Microsoft Security Essentials), blocks the program, and Malwarebytes also blocks it, but the thing is that they never manage to find the infected file and delete it, because the threat disappears. I have only 3 csrss.exe files on my PC: in system32, system64 and a folder named AMD, which I checked and is legitimate. I have run the scanner in safe mode without being connected to the internet, I tried the Regedit thing and the values are OK, I tried CCleaner, I have tried everything and I still have the virus on my PC, and I have had to restore the PC to a previous date 3 times already because, although the virus is being blocked, it is damaging my system somehow. BTW, the task manager only has 1 csrss.exe running. I'll appreciate ANY response a lot; thanks in advance.
After I deleted the value in the registry (it was located at HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search Scopes\758D57A1-E85D-4873-BBEE-7D83FE2D5515) and then deleted the bassmod.dll file, I ran a quick scan and the antivirus found malware at C:\Windows\system32\consrv.dll; the virus is named Trojan:Win64 Sirefef.B.
After I deleted that virus and ran the scanner again in search of any other malware or virus, MSE didn't find anything, but after 5 minutes the same alert came up again, the same virus Sirefef.B infecting another file:
But when I hit clean or remove, the threat just disappears and the antivirus is unable to delete the file.
The Trojan Horse Sirefef.B is not a real menace other than being detected by Microsoft Security Essentials, and it may not be detected by any other antivirus. Actually, the detection by MSE is the only symptom.
ZHP Diag is a top-notch diagnostic tool and did not see the Trojan Horse roaming in the stable, hence proving that it's just an annoying nuisance.
I suggest that:
1. You update MSE
2. Turn off your system restore
3. Search for this file and delete it if found:
2. You should now see a window that shows all of your desktop icons, including the rkill.com program.
3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.
Please, DO NOT REBOOT your computer or the processes will come back to haunt you!
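The checks the thread walks through by hand (which csrss.exe copies exist and whether they are genuine, whether consrv.dll sits in System32, and what is left under the Search Scopes registry key) can be gathered in one pass from an elevated PowerShell prompt. This is an added example, not code from the thread or from any of the tools it names; it assumes a standard Windows 7 x64 install with PowerShell 2.0 or later, and it only reports, it does not delete anything.

```powershell
# Added triage script (not from the original post). Run as Administrator.
# It reports; it changes nothing. Review the output before removing any file.

# 1. Every csrss.exe on the system drive, with its Authenticode status.
#    The poster found three copies (System32, "system64" and an AMD folder).
#    A copy that is NotSigned, or whose signer is not Microsoft, deserves a closer look.
$csrssCopies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'csrss.exe' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }
foreach ($file in $csrssCopies) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    New-Object PSObject -Property @{
        Path      = $file.FullName
        Status    = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SizeBytes = $file.Length
    }
}

# 2. consrv.dll is not part of a stock Windows 7 install; its presence in System32
#    is exactly what MSE flagged as Sirefef.B in this thread.
$consrv = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $consrv) {
    $sig = Get-AuthenticodeSignature -FilePath $consrv
    Write-Output "consrv.dll PRESENT: $consrv (signature: $($sig.Status))"
} else {
    Write-Output 'consrv.dll not present in System32'
}

# 3. The registry key the poster cleaned. The post spells it "Search Scopes";
#    Internet Explorer's real key name is "SearchScopes", so both spellings are
#    tried, under HKLM and HKCU, so that nothing is missed.
$guid = '{758D57A1-E85D-4873-BBEE-7D83FE2D5515}'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'SearchScopes', 'Search Scopes') {
        $key = "$hive\Software\Microsoft\Internet Explorer\$name\$guid"
        if (Test-Path $key) {
            Write-Output "Registry key still present: $key"
            Get-ItemProperty -Path $key | Format-List
        }
    }
}
```

If a csrss.exe copy outside System32 reports NotSigned, or consrv.dll is present, the scan results in the thread are worth taking seriously rather than dismissing as a false positive.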