csrss.exe - suspicious file detected

avast has just given me this warning, and i’m really not sure if it is a false alarm or not.

i asked a friend about a virus getting into this file in c:\windows and he said if it is a virus it would slow down your computer and it would use 100% of its capacity in almost 10 hours.

avast has given this warning again, and it has been 9 hours ever since i first saw it. what should i do, i probably shouldn’t delete it but should i ignore it?

edit: no slowdowns, no odd behaviors. yet.

Please test the file at: https://www.virustotal.com/
Post the link of the result here.

@personaljesus
What are the full details of the alert, file name, location and malware name (or attach an image of the alert window)?

When did this happen, e.g. around 8 minutes after boot or during a routine scan (if so what scan)?

i really don’t know about this stuff, but here you go, the virustotal results:

SHA256: f112191239fc5a931d66b0c4764679b45822045a54cd5227e950117ce40e02dd
File name: csrss.exe
Detection ratio: 0 / 43
Analysis date: 2012-02-02 17:17:32 UTC ( 0 minutes ago )

this was a regular scan done by avast itself at the background, the “suspicious file” thing popped up when i turned my computer on at 10 am. i ignored it first, and just chatted online with the friend i mentioned already. anyway, i went outside after 2 hours, returned home at 6 pm, now it’s 8 pm here, the warning popped up again, still no slowdowns.

@DavidR

around 8 mins after boot, i turned on the computer twice today, happened each time

Looks clean, if you still have problems follow Dave’s advice.

That is the anti-rootkit scan, and given that, there is no way virustotal would find anything wrong, as it can’t replicate the anti-rootkit scan.

So what was the reported location (to confirm if this is a legit location) or reboot and do a screenshot of the alert window.

Whatever you do, don’t delete, for the time being only Ignore (don’t check any other options).

What is your operating system (and SP version)?

i have no problems yet, i don’t give a damn about losing my info or so but i have some important docs and family pictures etc, so i really don’t want to format the computer at all.

the reported location was c:\windows, the operating system is… windows.

10 hours from first warning, still the same cpu usage level, no different behaviors, seems better than ever.

there is no real problem yet, just the warnings. i’m almost sure right now it was a false alarm, but dave, you seem to know a lot more than me (for sure), so if there is any other possibility i’m listening to you.

thanks already.

Format is an option of last resort and we are nowhere near that. Backup should be a routine and not a last minute decision when a problem rears its head. Though I suspect that given what you have said it may be a false positive (and why I said don’t delete, but choose ignore).

Windows what, win2k, XP, Vista, win7?

In winXP the csrss.exe file is in c:\windows\system32\ folder and I’m not getting any alert on the anti-rootkit scan (8 minutes after boot).

it’s win7, it is not in the system32 folder, simply in windows. i think it is how it’s meant to be.

Do you still get any warning…??

I have win7 starter (32bit) on my netbook and csrss.exe is in c:\windows\system32, so I don’t know if you have win7 64bit and if that might be different.

i will inform you when i reboot, thank you a lot, both of you.

You’re welcome.

You’re welcome.

If it is an FP, given the file name I would expect it to be corrected quickly.
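
The location question raised in this thread (csrss.exe in c:\windows\system32 versus directly in c:\windows) can be checked from PowerShell. This is an added example, not part of the original posts; it assumes PowerShell 4.0 or later, and the helper name `Get-CsrssFileReport` is hypothetical.

```powershell
# Added example (not from the thread). Assumes PowerShell 4.0+.
# Expected location of the genuine binary, as stated in the thread.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
# The location the alert reported (directly under the Windows folder).
$reported = Join-Path $env:SystemRoot 'csrss.exe'

# Hypothetical helper: summarise one file so copies can be compared.
function Get-CsrssFileReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path       = $Path
        InSystem32 = ($Path -ieq $expected)
        Signature  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Image paths of running csrss.exe processes. The path can be empty when the
# session is not elevated or the process is protected, so empty values are skipped.
$running = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object { $_.ExecutablePath }

# Report every copy found: running images plus the two on-disk locations.
$paths = @($running) + @($expected, $reported)
$paths |
    Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    ForEach-Object { Get-CsrssFileReport -Path $_ } |
    Format-List
```

The SHA256 value can be compared with the one shown on the VirusTotal result for the same file. Windows system binaries are often catalog-signed and older PowerShell versions may report them as NotSigned, so treat the Signature field as a hint alongside the path.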