Dell XPS 13 9370 (2018) review
When my son logs onto his WinXP account he gets a series of warnings that C:\windows\system32\ujmqqefx\csrss.exe cannot be found. Indeed, there is no ujmqqefx subdirectory. I think NOD32 AV got it.
But, if I use regedit and search for ujmqqefx\csrss.exe I see that it tries to load the file, net message is no, nullport is none, and programs are com exe bat pif cmd, and then it tries to run ujmqqefx\csrss.exe. All are of the type REG_SZ.
None of this appears when I search with regedit from my XP account.
Any ideas how I can fix this?
Run a registry cleaner......regseeker is excellent click here
Run it and delete all that it finds(it might find a large number of issues)......you can make a backup of deleted items with it,just in case.
What has happened is,most likely, that NOD32 has identified and removed the active folders leaving the registry values and behind causing error messages when Windows can't find the file.RegSeeker will remove references to the missing .exe from the registry which should sort the problem.
You don't need to repair the registry, Philbert, you need to delete that key in the registry. It looks like NOD32 has got rid of the virus but the command to launch it is still present in the registry. Go back to where you found the entry in the registry and backup the key by going to File > Export and export the key to your desktop as a backup. Then delete the key by right-clicking on it and choosing delete. If something goes wrong you can re-integrate the backup by double-clicking on it, but I think that should cure the error messages your son is getting at startup.
Uhh. What's a key? I found the lines about csrss.exe by doing a search. I don't know where in the registry the lines are. How do I find them? This is scaring me. But I've tried about three different registry cleaners (also scary) and none have helped.
I did some reading in the regedit help. The lines that search is giving me is from a subkey, "Windows". It includes 5 lines I didn't mention that refer to our printer. Do I delete the entire key, or just the lines referring to the virus?
Click Start> Run and type "msconfig" without the quotes.
Click the Startup tab and have a look through the list for a line like this:
If you find it, remove the tick from the box to the left-hand side of the entry.
Close msconfig and reboot.
A message will appear after boot, put a tick in the box in the lower left-hand side and close the message.
That should be it- no more messages at startup.
That works. I was surprised to find the line invoking the virus twice in the startup list. Then another was csrss with no path but a location of "Startup". I unchecked all. When I used msconfig under my own XP account I found 2 csrss commands with a path including NT in it. A third reference was with a location of "common startup". All were unchecked already. Does XP run csrss without the commands in the msconfig startup list?
My son was having problems with getting disconnected from DSL a lot. Much more than the rest of the family. I had hopes that this would fix it. But I am now skeptical that it will.
Thank you for the help though. I appreciate it.
It's not invoked at all in my startup list, but it is running in the background - any references to it are likely to have been added by the trojan when it was started.
This thread is now locked and can not be replied to.