4

I am helping out a coworker with Windows XP 32-bit, and took off a Trojan using Malwarebytes, Spy-bot Search and Destroy, and Trojan remover with total annihilation of the Trojan. I also had to find the folder and delete the folder that the Trojan was living in. There are four pop-ups (below) that keep coming up when the user logs in though, all warning about not being able to find some crss.exe.

I checked in the run and runonce areas in the registry (both of them) to look for leftovers of the Trojan, to no avail. I then made a backup of the registry and let CCleaner "try" to clean the registry (but we know how registry cleaners can be). This didn't help either. Does anyone know anything that could help remove these pop-ups? The computer runs perfectly now (no more Trojan), other than these four pop-ups. Once you click "OK" they go away, but they are irritating.

Thanks in advance for the help!

Pop-up 1 Pop-up 2 Pop-up 3 Pop-up 4

David
  • 7,393

3 Answers

6

Have you searched the registry for csrss.exe?

It could well be that there are entries that CCleaner left. A search and manual delete should remove the final vestiges of the trojan.

Having heard bad things about CCleaner I'd want to double check that it had gone completely myself.

ChrisF
  • 41,540
3

Step one:) back up computer.
Step two:) format
Step three:) reinstall

Only 100% sure way to kill a bad infection

edit: Despite kill joy calling me a quitter... There is no way I'd use a computer after it's been infected. Even after using multiple popular and trustworthy tools, you are still infected.

How can you ever be sure that you're not infected now? 100% confident? Guaranteed that some kind of back-door hasn't been installed? Something small time that hasn't been found by the other tools?

Answer: You can't. Time to format and start over.

I'm all for trying to fix it to learn the guts. I've learned a lot trying to fix various issues. But the issue is that you CAN NOT trust a computer that's been infected.

WernerCD
  • 4,373
1

Open up msconfig and go to the Startup tab. If they're not in there, check out autoruns from SysInternals.
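
One way to run the search the answers above suggest, as an added example that is not part of any post: a PowerShell script that reports autostart registry values and Startup-folder shortcuts mentioning the missing file. It assumes PowerShell 2.0 is installed on the XP machine; the list of keys and the `$Needle` default (the name as written in the question) are choices made for this example, and Autoruns covers many more locations.

```powershell
# Added example: report autostart entries that mention a given file name.
# Nothing is changed or deleted; review each hit before removing it by hand.
param([string]$Needle = 'crss.exe')   # assumption: the name shown in the pop-ups

function Test-Match([string]$Text) {
    # Literal, case-insensitive substring test (no wildcard surprises).
    return $Text.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

# Autostart keys chosen for this example (not an exhaustive list).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell, Userinit
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'    # Load, Run
)

$hits = @()
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item $key
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        if (Test-Match $data) {
            $hits += New-Object PSObject -Property @{ Location = $key; Name = $name; Data = $data }
        }
    }
}

# Shortcuts in the per-user and all-users Startup folders.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'AllUsersStartup') {
    $dir = $shell.SpecialFolders.Item($folder)
    if (-not $dir) { continue }
    foreach ($lnk in (Get-ChildItem $dir -Filter *.lnk -ErrorAction SilentlyContinue)) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $target = $sc.TargetPath + ' ' + $sc.Arguments
        if (Test-Match $target) {
            $hits += New-Object PSObject -Property @{ Location = $dir; Name = $lnk.Name; Data = $target }
        }
    }
}

$hits | Format-List Location, Name, Data
```

Run it as the affected user so the `HKCU` keys and the per-user Startup folder are that user's. If you pass `csrss.exe` as `$Needle`, remember that the genuine `csrss.exe` in `System32` is a Windows system process, so a hit on that name needs its full path checked before anything is removed.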