Collection of manual detection and removal methods for suspicious processes (Trojans)

Source: Internet
Author: User

csrss.exe - Process Information

Process file: csrss or csrss.exe

Process name: Microsoft Client/Server Runtime Server Subsystem

Description:

csrss.exe is the Microsoft Client/Server Runtime Subsystem, the user-mode part of the Win32 subsystem. It handles console windows and process/thread bookkeeping for Win32 applications (and, on early NT releases, the graphics work the original text refers to). It is essential to the system: terminating the genuine csrss.exe crashes Windows. Note: malware also uses the name csrss.exe, for example W32.Netsky.AB@mm, the W32.Webus Trojan and Win32.Ladex. These spread by e-mail; opening the attachment infects the machine. The worm then runs its own SMTP engine on the victim for further propagation and gives attackers access to the computer to steal passwords and personal data. A csrss.exe identified as one of these should be removed immediately; the genuine file (security grade 0 below) must never be deleted.

Publisher: Microsoft Corp.

Part of: Microsoft Windows Operating System

System process:   Background program:   Uses network: No   Hardware related: No

Common errors: Unknown (N/A)   Memory usage: Unknown (N/A)   Security grade (0-5): 0

Spyware: No   Adware: No   Virus: No   Trojan: No



Normally there is one csrss.exe per logon session on Windows NT/2000/XP/2003 (on a single-user desktop that means exactly one), and it runs from the System32 folder. If a second csrss.exe appears (typically one running from the Windows folder rather than System32), or if any csrss.exe process appears at all on Windows 9x/Me, which has no such subsystem, the machine is infected. The genuine csrss.exe is only about 4 KB (it loads its real code from csrsrv.dll and the other subsystem DLLs) and lives in C:\Windows\System32. The Trojan's csrss.exe (52,736 bytes, under C:\Windows) drops netstart.exe (117,786 bytes), winsocks.dll and netserv.exe (both also 52,736 bytes), and a 0-byte tmp.out. netstart.exe and winsocks.dll are placed in C:\Windows\System32; netserv.exe and tmp.out go to the current user's Temp folder. To remove it, delete the values that start it under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices], then log off and log on again. The impostor process is then gone and the dropped files can be deleted.

Caveat: never kill or delete a csrss.exe before confirming where it runs from. The genuine one is a critical system process (killing it produces a stop error), and on current Windows versions it is a protected process whose image path Task Manager and scripts may not be able to read. Decide on the file's location, size and Authenticode signature, never on the name alone.
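The check described above, written out as an added PowerShell example (this is not code from the original article). It assumes a current Windows build with PowerShell 5.1 or later and an elevated prompt; the 64 KB size ceiling, the search directories and the function name are this example's own assumptions, not values taken from the article or from Microsoft.

```powershell
# Added example, not part of the original article: triage csrss.exe the way the
# text describes (one per session, only from %SystemRoot%\System32, a few KB,
# Microsoft-signed) and look for the dropped files and autorun values it names.
# Assumes a current Windows build, PowerShell 5.1+ and an elevated prompt.
# The 64 KB ceiling and the search directories are assumptions of this example.

$systemDir  = Join-Path $env:SystemRoot 'System32'
$maxGenuine = 64KB
$dropped    = 'netstart.exe', 'winsocks.dll', 'netserv.exe', 'tmp.out'

function Test-SuspectFile {
    # Returns a record saying why a file does or does not look like the genuine csrss.exe.
    param([Parameter(Mandatory)][string]$Path, [int]$ProcessId = 0)
    $f   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $msSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    $reasons = @()
    if ($f.DirectoryName -ne $systemDir) { $reasons += "outside $systemDir" }
    if ($f.Length -gt $maxGenuine)       { $reasons += "$($f.Length) bytes" }
    if (-not $msSigned)                  { $reasons += "signature: $($sig.Status)" }
    if ($dropped -contains $f.Name)      { $reasons += 'known dropped file name' }
    [pscustomobject]@{
        PID        = $ProcessId
        Path       = $f.FullName
        Bytes      = $f.Length
        Suspicious = ($reasons.Count -gt 0)
        Why        = ($reasons -join '; ')
    }
}

# 1. Running instances. A protected process may not expose its image path to
#    user mode; that case is reported as unreadable rather than flagged.
$findings = @()
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
    if ($p.ExecutablePath) {
        $findings += Test-SuspectFile -Path $p.ExecutablePath -ProcessId $p.ProcessId
    } else {
        $findings += [pscustomobject]@{
            PID = $p.ProcessId; Path = '(image path not readable: protected process)'
            Bytes = $null; Suspicious = $false; Why = "session $($p.SessionId)"
        }
    }
}

# 2. Copies on disk: the article's impostor lived in %SystemRoot% rather than
#    System32, and dropped files into System32 and the user's Temp folder.
foreach ($dir in @($env:SystemRoot, $systemDir, $env:TEMP)) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'csrss.exe' -or $dropped -contains $_.Name } |
        ForEach-Object { $findings += Test-SuspectFile -Path $_.FullName }
}

# 3. Autorun values under Run and RunServices that reference any of these names.
$autorunHits = @()
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices') {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        if ($value -match 'csrss|netstart|netserv|winsocks') {
            $autorunHits += [pscustomobject]@{ Key = $k; Name = $name; Value = $value }
            # To clean, after confirming the hit:  Remove-ItemProperty -Path $k -Name $name
        }
    }
}

$findings    | Format-Table PID, Path, Bytes, Suspicious, Why -AutoSize
$autorunHits | Format-Table -AutoSize
```

Read the Why column rather than the Suspicious flag alone: on older builds, where system binaries are catalog-signed rather than carrying an embedded signature, Get-AuthenticodeSignature can report NotSigned for a genuine file, so the signature is one signal next to location and size. The script deliberately never calls Stop-Process; once an impostor is confirmed, remove its autorun value, log off and on again as the article says, and only then delete the files.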



explorer.exe - Process Information

Process file: explorer or explorer.exe

Process name: Microsoft Windows Explorer

Description:

explorer.exe is Windows Explorer (the successor of the Program Manager), the graphical shell that provides the Start menu, the taskbar, the desktop and file management. Ending this program makes the Windows GUI unavailable until it is restarted. Note: malware also uses the name explorer.exe, for example W32.CodeRed and W32.Mydoom.B@mm. Mydoom spreads by e-mail (opening the attachment sent by the worm infects the machine, and the worm runs its own SMTP engine on the victim to propagate further); CodeRed spreads over the network by attacking IIS web servers. Both give attackers access to the computer to steal passwords and personal data. An explorer.exe identified as one of these should be removed.

Publisher: Microsoft Corp.

Part of: Microsoft Windows Operating System

System process:   Background program:   Uses network: No   Hardware related: No

Common errors: Unknown (N/A)   Memory usage: Unknown (N/A)   Security grade (0-5): 0

Spyware: No   Adware: No   Virus: No   Trojan: No

Once the Trojan is on the computer it creates three main files: interapi32.dll, interapi64.dll and exp1orer.exe. The last one is easily confused with explorer.exe: the fourth character is the digit 1, not the letter l. Once running it consumes a lot of system resources, and it is started together with Windows Explorer because it registers itself as a shell execute hook (see the registry keys below). The removal method is as follows:
1. Disable System Restore on Windows XP (right-click My Computer, Properties, System Restore tab, or through Group Policy), so that infected files are not preserved in restore points.
2. Run regedit from Start > Run and delete the following keys and values (shown in .reg export notation; the InprocServer32 entry is where the hook DLL is loaded from):
[HKEY_CLASSES_ROOT\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}]
@="Hookmir"

[HKEY_CLASSES_ROOT\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32]
@="C:\\WINNT\\system32\\interapi64.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID]
@="Interapi64.classname"

[HKEY_CLASSES_ROOT\interapi64.classname]
@="Hookmir"

[HKEY_CLASSES_ROOT\interapi64.classname\Clsid]
@="{081FE200-A103-11D7-A46D-C770E4459F2F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{081FE200-A103-11D7-A46D-C770E4459F2F}"="hookmir"
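The same audit, generalised to every entry under ShellExecuteHooks rather than the one CLSID above, as an added PowerShell example (not code from the original article). It assumes PowerShell 5.1 or later in an elevated prompt; the "Hookmir" label and interapi64.dll come from the article, while the function name, the -Remove switch and the "unsigned DLL means suspicious" rule are this example's own choices.

```powershell
# Added example, not part of the original article: audits the ShellExecuteHooks
# extension point that the listed keys abuse. Every CLSID registered there is
# loaded into explorer.exe (and any other process that calls ShellExecute), so
# each one is resolved to its InprocServer32 DLL and signature-checked.
# Assumes PowerShell 5.1+ in an elevated prompt. The function name, -Remove
# switch and "unsigned means suspicious" rule are this example's own design.

function Get-ShellExecuteHook {
    [CmdletBinding()]
    param([switch]$Remove)   # -Remove deletes the entries flagged as suspicious

    $hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $hooks = Get-Item -Path $hookKey -ErrorAction SilentlyContinue
    if (-not $hooks) { return }

    foreach ($clsid in $hooks.GetValueNames()) {
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $server = $null
        $progId = $null
        if (Test-Path "$clsKey\InprocServer32") {
            # GetValue('') reads the key's default value, i.e. the DLL path.
            $server = [Environment]::ExpandEnvironmentVariables(
                          [string](Get-Item "$clsKey\InprocServer32").GetValue(''))
        }
        if (Test-Path "$clsKey\ProgID") {
            $progId = [string](Get-Item "$clsKey\ProgID").GetValue('')
        }

        $sigStatus = 'NoFile'
        if ($server -and (Test-Path -LiteralPath $server)) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $server).Status
        }
        $suspicious = ($sigStatus -ne 'Valid')

        [pscustomobject]@{
            CLSID      = $clsid
            Label      = $hooks.GetValue($clsid)     # "hookmir" in the article
            Server     = $server
            ProgID     = $progId
            Signature  = $sigStatus
            Suspicious = $suspicious
        }

        if ($Remove -and $suspicious) {
            # Same three deletions the article performs by hand: the hook value,
            # the CLSID tree and the ProgID tree.
            Remove-ItemProperty -Path $hookKey -Name $clsid -ErrorAction SilentlyContinue
            Remove-Item -Path $clsKey -Recurse -Force -ErrorAction SilentlyContinue
            if ($progId) {
                Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\$progId" -Recurse -Force -ErrorAction SilentlyContinue
            }
            # The DLL stays mapped into explorer.exe until the shell restarts;
            # delete it afterwards:
            #   Stop-Process -Name explorer -Force; Start-Process explorer.exe
            #   Remove-Item -LiteralPath $server -Force
        }
    }
}

# Review first, then clean with: Get-ShellExecuteHook -Remove
Get-ShellExecuteHook | Format-Table -AutoSize
```

Run it without -Remove first and read the Server column: a hook DLL that is unsigned, lives outside System32 or carries a name like interapi64.dll is the kind of entry the article removes by hand. Deleting the registry entries only stops the hook from loading next time; the DLL itself can only be deleted after explorer.exe has been restarted, because a loaded module cannot be removed.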
