New W32.Chod.B@mm Virus is a nightmare!

         

Michael Anthony

4:59 pm on Apr 2, 2005 (gmt 0)



Just to save anyone else a whole wasted day..
[securityresponse.symantec.com...]

Check for csrss.exe in your task manager processes - if you've got it, you're infected and it's a real nasty one.

coopster

5:09 pm on Apr 2, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Not necessarily, csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. You need it to operate. You may have a copy or variant or corrupted program, but for anybody else reading this thread, DO NOT just go off and delete that file!
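The check coopster is asking for, as an added example rather than anything posted in the thread: a genuine csrss.exe runs from %SystemRoot%\System32 and its binary carries a valid Microsoft signature, so a process that merely shares the name can be told apart by looking at both properties before anyone deletes anything. This assumes a current Windows with PowerShell 5.1 or later and an elevated prompt (the executable path of a protected process is only readable by administrators).

```powershell
# Added example, not from the thread. Lists every process named csrss.exe and
# checks the two properties a genuine one has: it runs from
# %SystemRoot%\System32 and its binary carries a valid Microsoft signature.
# Assumes Windows with PowerShell 5.1 or later, run from an elevated prompt
# (ExecutablePath of a protected process is only visible to administrators).
function Test-CsrssInstances {
    $expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'" |
        ForEach-Object {
            $path = $_.ExecutablePath
            $sig  = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                # On Windows 8.1 and later this also honours catalog signatures,
                # which is how most OS binaries are signed.
                $sig = Get-AuthenticodeSignature -LiteralPath $path
            }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $pathOk = [bool]$path -and ($path -ieq $expected)
            $sigOk  = [bool]$sig -and ($sig.Status -eq 'Valid') -and ($signer -like 'CN=Microsoft*')

            [pscustomobject]@{
                ProcessId  = $_.ProcessId
                ParentId   = $_.ParentProcessId
                Path       = $path
                PathOk     = $pathOk
                Signature  = if ($sig) { $sig.Status.ToString() } else { 'Unreadable' }
                Signer     = $signer
                Suspicious = -not ($pathOk -and $sigOk)
            }
        }
}

# A clean system shows one csrss.exe per session, every row with Suspicious = False.
Test-CsrssInstances | Format-Table -AutoSize
```

A row whose path is outside System32, or whose signature is anything but Valid from a Microsoft certificate, is the one to investigate; the rows that pass are the ones coopster warns against removing.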

PatrickDeese

5:25 pm on Apr 2, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It sounds like you are using Windows XP. Wouldn't it have been easier to use System Restore and just go back to a date before the virus was in your system?

peewhy

5:38 pm on Apr 2, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I often feel for people who go through hell and back and then find the solution was right under their nose.

A well intended post, thanks anyway.

moltar

7:10 pm on Apr 2, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wow! This is a disaster. I've never seen a virus hide and do as much as this one!

cmatcme

8:58 am on Apr 3, 2005 (gmt 0)

10+ Year Member



How can a virus which does so much have a Damage Level of low?

Michael Anthony

9:27 am on Apr 3, 2005 (gmt 0)



With apologies, I misidentified the virus initially. I now know that it's called IFrames.Exploit and I still have a major problem with it. If a mod could adjust this thread title I'd be grateful.

Online research has shown that the virus is spreading fast in Europe since 1st April and that as yet there is no known fix.

Anyone that finds a fix/patch, PLEASE, PLEASE post here!

kaled

11:15 am on Apr 3, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Unless I missed something while skimming through the details, unless you are daft enough to run a .scr or .pif file attached to an email there's not much to worry about. In fact, you should never run any attached files unless you are confident of the source. Similarly, you should not open documents that may contain macros. Also you should send letters in .rtf format rather than .doc format.

Now the KLEZ virus really was annoying. It exploited a security hole that allowed attachments to be run automatically when the email was opened. That's the only virus that ever caught me out. I shut down immediately, rebooted in another version of windows, nuked it, and installed the security patch.

Kaled.

Michael Anthony

12:01 pm on Apr 3, 2005 (gmt 0)



From what I've read the virus spreads by downloading itself through adservers - it doesn't come as an email attachment.

kwngian

6:24 pm on Apr 3, 2005 (gmt 0)

10+ Year Member




I recently removed a malware RPCSS+ for a client that was just as bad. Cannot even remove it in Safe Mode as it starts as a system service.

The Iframe exploit that you've mentioned seems like an old issue with unpatched Windows machines that allows launching of attachments from an HTML-coded email.

Seems like viruses and spyware are getting rather similar.

Michael Anthony

7:43 pm on Apr 3, 2005 (gmt 0)



"I recently removed a malware RPCSS+ for a client that was just as bad"

This sounds very similar - can you tell me how you did it please?

moltar

8:29 pm on Apr 3, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



unless you are daft enough to run a .scr or .pif file attached to an email there's not much to worry about

This is only half the issue. It also spreads over MSN Messenger. Many people are clueless and will think it's a personal message from one of their friends. They are likely to open it. I already received one of those from one of my friends.

kwngian

4:54 am on Apr 4, 2005 (gmt 0)

10+ Year Member




Hello Michael

Because this malware makes RPCSS dependent on it, I started the PC in safe mode with command prompt and typed:

sc config rpcss depend= ""

I got the information doing a search for "rpcss_pl.exe".

Once I disabled the dependency, I started the system in recovery mode ('R') using the XP CD and disabled the service RPCSS+ by typing disable RPCSS+ at the command prompt.

Then I went through the registry under:

HKLM\system\CurrentControlSet\Services and delete the registry key "RPCSS+"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete any suspicious looking software that runs on startup.

Then do a search for all occurrences of rpcss_pl.exe and delete the key.

Restart the PC and do a scan for all traces of spyware using Spybot Search and Destroy.

The same method can be applied for the other similar spyware TBPS or WinToolsSvc.
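A read-only way to look at the same three places before editing them, added here as an example and not kwngian's own commands: the RpcSs dependency list, the binary behind every service key, and the Run/RunOnce values, each resolved to the file it launches and its signature state. It assumes a current Windows with PowerShell 5.1 or later and an elevated prompt. One caveat worth knowing before reusing the `depend= ""` step on anything newer than XP: on Vista and later RpcSs legitimately depends on RpcEptMapper and DcomLaunch, so clearing the whole list breaks RPC; the audit shows the list as it stands so that only the foreign entry is dropped (sc separates dependencies with a forward slash, e.g. `sc config rpcss depend= RpcEptMapper/DcomLaunch`).

```powershell
# Added example, not the poster's own commands. A read-only audit of the
# places the clean-up above touched: the RpcSs dependency list, the binary
# behind every service, and the Run/RunOnce keys. Nothing is changed; each
# row says where the binary lives and whether it carries a valid signature,
# so a rogue entry can be identified before anything is deleted.
# Assumes Windows with PowerShell 5.1 or later, run from an elevated prompt.

function Get-ExecutableFromCommandLine {
    # Turns an ImagePath or Run value such as
    #   "C:\Program Files\Foo\foo.exe" -svc     or     system32\svchost.exe -k netsvcs
    # into the path of the binary it launches. An unquoted path containing
    # spaces is cut at the first space, the same ambiguity Windows resolves
    # at launch time.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $cmd = $cmd -replace '^\\\?\?\\', ''                    # strip the \??\ NT-path prefix
    $cmd = $cmd -replace '^\\SystemRoot', $env:SystemRoot   # driver-style \SystemRoot\... paths
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $exe = ($cmd -split '\s+', 2)[0]
    }
    if (-not [IO.Path]::IsPathRooted($exe)) {                # e.g. system32\svchost.exe
        $exe = Join-Path $env:SystemRoot $exe
    }
    return $exe
}

function Get-BinaryTrust {
    # Signature state of one file; 'Missing' when the path does not exist.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Signature = 'Missing'; Signer = ''; Ok = $false }
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Signature = $sig.Status.ToString()
        Signer    = $signer
        Ok        = ($sig.Status -eq 'Valid')
    }
}

function Get-AutostartAudit {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # 1. What RpcSs currently depends on. On Vista and later this list
    #    legitimately holds RpcEptMapper and DcomLaunch; an unfamiliar name
    #    here is the pattern described in the thread.
    $rpc = Get-ItemProperty -LiteralPath "$svcRoot\RpcSs"
    [pscustomobject]@{ Kind = 'RpcSs depends on'; Name = ($rpc.DependOnService -join ', ')
                       Path = ''; Signature = ''; Signer = ''; Flag = $false }

    # 2. Every service and the binary its ImagePath launches.
    foreach ($key in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath) { continue }                  # keys without a binary
        $exe = Get-ExecutableFromCommandLine $p.ImagePath
        $t   = Get-BinaryTrust $exe
        [pscustomobject]@{ Kind = 'Service'; Name = $key.PSChildName; Path = $exe
                           Signature = $t.Signature; Signer = $t.Signer; Flag = -not $t.Ok }
    }

    # 3. Run / RunOnce values for the machine and the current user.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
                $exe = Get-ExecutableFromCommandLine ([string]$prop.Value)
                $t   = Get-BinaryTrust $exe
                [pscustomobject]@{ Kind = "$hive $sub"; Name = $prop.Name; Path = $exe
                                   Signature = $t.Signature; Signer = $t.Signer; Flag = -not $t.Ok }
            }
        }
    }
}

# Flagged rows first; review them by hand before touching the registry.
Get-AutostartAudit | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Flag is set for any binary that is missing or not validly signed, which will also catch legitimate unsigned third-party software, so the list is a starting point for review rather than a delete list. The names and paths in the thread (RPCSS+, rpcss_pl.exe) are what such a review would surface as a service whose binary sits outside the Windows directory and carries no signature.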

decaff

5:33 am on Apr 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Perhaps this link will help...

Trend Micro Info [trendmicro.com]

plumsauce

5:40 am on Apr 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



From what I've read the virus spreads by downloading itself through adservers - it doesn't come as an email attachment

Thanks for the link. On reading the bottom of the page it specifically says that the compromise vector is email and instant messaging clients.

Guess I'm going to implement a change on the mailserver from using a disallow attachment list, to a specific and tight allowed attachment list. The disallow list has served me well, but the list of extensions is just getting too long. Easier to say zips, jpgs and gifs are the only allowed attachments.

cmatcme

8:11 am on Apr 4, 2005 (gmt 0)

10+ Year Member



Easier to say zips, jpgs and gifs are the only allowed attachments

Not necessarily. There's one going round very quickly now called W32.Mytob.U@MM [securityresponse.symantec.com] which comes as a zip attachment.

Be cautious!

cmatcme
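plumsauce's move from a deny list to an allow list, and cmatcme's point that a zip still gets through it, can be combined into one check. The following is an added example and not anything posted here; the extension lists are illustrative assumptions, and the archive inspection uses the .NET ZipFile class, which needs PowerShell 5.1 or later. It allows only the listed final extensions, refuses double extensions such as photo.jpg.scr anywhere in the name, and applies the same rule to every file inside a .zip before accepting the archive.

```powershell
# Added example, not from the thread. An allow-list check for attachment
# names that also handles the two ways a plain extension test fails: double
# extensions such as invoice.jpg.scr, and archives that are allowed as a
# container but carry an executable inside. The extension lists are
# assumptions for illustration.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$AllowedExtensions    = @('.zip', '.jpg', '.jpeg', '.gif', '.pdf')
# Executable or script-like on Windows wherever they appear in the name.
$ExecutableExtensions = @('.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js', '.hta')

function Get-NameExtensions {
    # "photo.jpg.scr" -> @('.jpg', '.scr'): every dotted segment after the first.
    param([string]$Name)
    $parts = $Name.Split('.')
    if ($parts.Count -lt 2) { return @() }
    return @($parts[1..($parts.Count - 1)] | ForEach-Object { '.' + $_.ToLowerInvariant() })
}

function Test-AttachmentName {
    # $true when the name passes the policy, $false otherwise.
    param([string]$Name)
    $exts = @(Get-NameExtensions $Name)
    if ($exts.Count -eq 0) { return $false }                  # no extension at all: reject
    foreach ($e in $exts) { if ($e -in $ExecutableExtensions) { return $false } }
    return ($exts[-1] -in $AllowedExtensions)
}

function Test-Attachment {
    # Applies Test-AttachmentName to the file itself and, for a .zip, to every
    # entry inside it. Nested archives are not opened; an unreadable archive is rejected.
    param([string]$Path)
    $leaf = Split-Path -Leaf $Path
    if (-not (Test-AttachmentName $leaf)) { return $false }
    if ([IO.Path]::GetExtension($leaf).ToLowerInvariant() -ne '.zip') { return $true }
    try {
        $zip = [IO.Compression.ZipFile]::OpenRead($Path)
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }                  # directory entry
            if (-not (Test-AttachmentName $entry.Name)) { return $false }
        }
        return $true
    } catch {
        return $false
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

# Constructed sample names (not real attachments) showing each outcome.
'report.pdf', 'photo.jpg', 'photo.jpg.scr', 'setup.exe', 'README', 'archive.zip' |
    ForEach-Object { '{0,-15} {1}' -f $_, (Test-AttachmentName $_) }
```

Test-AttachmentName alone accepts archive.zip; Test-Attachment is what turns cmatcme's caveat into policy, since the archive is only accepted once every entry inside it passes the same name check.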

plumsauce

3:58 pm on Apr 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



@cmatcme

It's just an easier way to manage the allowed attachments on the admin side.

Still have to know where the attachment comes from, whether it is expected, and how to handle it safely. Anything that does not pass the smell test is almost certainly nuked summarily without further thought.

Like today, I answered a sales query. I promptly got back a request to whitelist my account on some third party server. Fat chance of that happening.