Csrss.exe (The bad one)

I know there is a Csrss.exe that is essential to the working function of Windows but that is not the one I am talking about. Whenever I try to delete it using Task Manager, I can’t. It doesn’t even have a description and user name. It’s also using about 3 MB of my RAM. I’m pretty sure this is a virus.

I tried scanning my computer using boot-time but Avast! still doesn’t detect it. Can someone please tell me how to remove this thing?

What is the file location c:\windows\system32\csrss.exe

There is no Csrss.exe under System32 and I can’t open the file location of the process. Please help.

Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

I did the settings and still no Csrss.exe there…

OK, let's go a-hunting then

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Also, what is your operating system? As in Windows 7 and Vista you need to show all users to access the properties and file location elements.

I have Windows 7 but this computer only has one user.

I am the only user on mine - but it must be done that way

Looking at the log now

There appears to be a big chunk of the log missing, the registry entries and file enumeration

Could you re-attach the log please

I messed up the last scan…

I’m 10 minutes into the correct scan, sorry!

Here you go:

Nothing readily apparent there - a few redundant items and some very full temp folders

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[File - Lop Check]
NY ->  Uwlezy -> C:\Users\Joshua Pili\AppData\Roaming\Uwlezy
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

I will review the information when it comes back in.

THEN we will do a full search for the csrss file in all its variants. Did you select show all users in Task Manager? As that will enable you to locate the file.

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under the Custom Scan box paste this in:

/md5start
Csrss.*
/md5stop

- Now click the Quick Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Here!

[Custom Scans]
< MD5 Scans Start>
< %systemdrive%\CSRSS.EXE /md5 /s >
csrss.exe : MD5=342271F6142E7C70805B8A81E1BA5F5C -> C:\Windows\System32\csrss.exe -> [2009/07/14 09:14:16 | 000,006,144 |---- | M] (Microsoft Corporation)
csrss.exe : MD5=342271F6142E7C70805B8A81E1BA5F5C -> C:\Windows\winsxs\x86_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_58ba39fb456943bd\csrss.exe -> [2009/07/14 09:14:16 | 000,006,144 | ---- | M] (Microsoft Corporation)
< %systemdrive%\CSRSS.EXE.MUI /md5 /s >
csrss.exe.mui : MD5=EA2C607C908AEB268FB76FE278085443 -> C:\Windows\System32\en-US\csrss.exe.mui -> [2009/07/14 10:09:48 | 000,002,048 | ---- | M] (Microsoft Corporation)
csrss.exe.mui : MD5=EA2C607C908AEB268FB76FE278085443 -> C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da67613a42c43476\csrss.exe.mui -> [2009/07/14 10:09:48 | 000,002,048 | ---- | M] (Microsoft Corporation)
< MD5 Scans End>
< End of report >

All copies of csrss on your computer are legitimate, made by MS

Oh okay! I guess I was just being paranoid…

Thanks for all the help! ;D
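
Added example, not part of the original thread and not OTS's own code: the check behind the "all copies are legitimate" verdict, written in Python and run over the MD5 scan entries posted above. The `C:\Windows` install path, the function names and the extra look-alike entry are assumptions made for the illustration.

```python
import re

# Entries from the MD5 scan posted in the thread, one per line.
THREAD_SCAN = r"""
csrss.exe : MD5=342271F6142E7C70805B8A81E1BA5F5C -> C:\Windows\System32\csrss.exe -> [2009/07/14 09:14:16 | 000,006,144 |---- | M] (Microsoft Corporation)
csrss.exe : MD5=342271F6142E7C70805B8A81E1BA5F5C -> C:\Windows\winsxs\x86_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_58ba39fb456943bd\csrss.exe -> [2009/07/14 09:14:16 | 000,006,144 | ---- | M] (Microsoft Corporation)
csrss.exe.mui : MD5=EA2C607C908AEB268FB76FE278085443 -> C:\Windows\System32\en-US\csrss.exe.mui -> [2009/07/14 10:09:48 | 000,002,048 | ---- | M] (Microsoft Corporation)
csrss.exe.mui : MD5=EA2C607C908AEB268FB76FE278085443 -> C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da67613a42c43476\csrss.exe.mui -> [2009/07/14 10:09:48 | 000,002,048 | ---- | M] (Microsoft Corporation)
"""
# Constructed entry (not from the thread): a look-alike copy in a user profile.
FAKE_ENTRY = r"csrss.exe : MD5=00000000000000000000000000000000 -> C:\Users\Example\AppData\Roaming\csrss.exe -> [2011/01/01 00:00:00 | 000,120,000 | ---- | M] ()"

# name : MD5=<hash> -> <path> -> [<date | size | attributes>] (<company>)
ENTRY = re.compile(r"(\S+) : MD5=([0-9A-Fa-f]{32}) -> (.+?) -> \[[^\]]*\] \(([^)]*)\)")
# Assumption: Windows is installed in C:\Windows, as in the thread's log.
TRUSTED = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\")

def parse(report):
    """Return one dict per file entry found in an MD5 scan section."""
    keys = ("name", "md5", "path", "company")
    return [dict(zip(keys, m.groups())) for m in ENTRY.finditer(report)]

def review(entries):
    """Return (path, reason) pairs for entries that deserve a closer look."""
    reference = {}  # file name -> MD5 of the copy under System32
    for e in entries:
        if e["path"].lower().startswith(TRUSTED[0]):
            reference[e["name"].lower()] = e["md5"].upper()
    findings = []
    for e in entries:
        if not e["path"].lower().startswith(TRUSTED):
            findings.append((e["path"], "outside System32/winsxs"))
        if e["company"] != "Microsoft Corporation":
            findings.append((e["path"], "company field is not Microsoft Corporation"))
        ref = reference.get(e["name"].lower())
        # A different hash is a prompt to look closer, not proof: winsxs can
        # legitimately keep other versions of a file after updates.
        if ref and e["md5"].upper() != ref:
            findings.append((e["path"], "MD5 differs from the System32 copy"))
    return findings

if __name__ == "__main__":
    for path, reason in review(parse(THREAD_SCAN + FAKE_ENTRY)):
        print(f"{path}: {reason}")
```

`review(parse(THREAD_SCAN))` returns an empty list, which matches the verdict given in the thread. The company field comes from the file's version resource, which any author can fill in, so the location check carries more weight than the vendor string.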