
W32/Autorun-BHO

Hi Sophos Community,

I would like to ask for help regarding the problem with the csrss.exe worm, a.k.a. W32/Autorun-BHO from Sophos AV. I don't know how to clean this worm and prevent it from running at startup. Do I need to use other 3rd party software, or is Sophos AV 9.7 enough to clean this worm? Thanks in advance.

  • Hello Sergie,

    As W32/Autorun-BHO "installs" itself in the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options keys as "debugger" for various programs/DLLs, it is started whenever one of these programs is about to run. Thus it might be hard (but not impossible) to remove it from a "live" system.

    If only a very few clients are affected, the easiest way is probably to boot from a clean medium and run sav32cli.exe. If you're unsure how to do it, ask Support - they will give you a link to the Sophos Bootable Anti-Virus Creator. While I haven't encountered Autorun-BHO, I've seen some similar threats - if you are still able to set policies on the clients from SEC, the use of aggressive settings (scan on read/write/rename, automatic cleanup/delete) for on-access and scheduled scans and one or two reboots might enable you to eventually get rid of it.

    Christian

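The reply above describes the worm registering itself as a "debugger" under the Image File Execution Options (IFEO) keys. As an added example (not part of the original thread and not Sophos code), the Python below lists every IFEO subkey that carries a Debugger value, reading the text produced by `reg export` of that key; the sample data, paths, program names and function names are constructed for illustration.

```python
import re

# Path fragment shared by the native and Wow6432Node IFEO keys (compared lower-cased).
IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in `reg export` text format; not taken from an infected host.
# Real exports are UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampletool.exe]
"Debugger"="C:\\constructed\\path\\sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\otherapp.exe]
"debugger"="\"C:\\constructed path\\sample.exe\" /x"
"GlobalFlag"=dword:00000200
'''

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def find_ifeo_debuggers(reg_text):
    """Return [(target image, debugger command)] for IFEO subkeys with a Debugger value."""
    hits, target = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            # Track which IFEO subkey we are in; None for the root or unrelated keys.
            idx = m.group(1).lower().find(IFEO)
            target = m.group(1)[idx + len(IFEO):] if idx != -1 else None
            continue
        m = VALUE.match(line)
        # Registry value names are case-insensitive, so compare lower-cased.
        if target and m and m.group(1).lower() == "debugger":
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            hits.append((target, data))
    return hits

if __name__ == "__main__":
    for target, debugger in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{target}: launches via {debugger}")
```

Each hit still needs review, since some legitimate tools also set a Debugger value under IFEO.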