5 Replies Latest reply on Jan 2, 2011 7:01 PM by Peter M

    CSRSS.EXE

      Hello,

      First-time poster here... McAfee virus scanner recently quarantined a file titled "C:\DOCUME~1\owner\locals~1\Temp\csrss.exe".  I deleted the quarantined file after researching and learning this was indeed a Trojan virus.  However, the next time I restarted my computer I received a warning message that Windows could not locate the mentioned file, and then another followed suggesting the item may need to be deleted from the registry if it doesn't exist.  I then went into my startup folder and noticed this file was listed in there. I disabled the file (could not delete it; if there is a way let me know) and restarted the computer successfully without the warning.  Unfortunately the file still sits in my startup folder, disabled, and is still in my registry in the file "load".  I do not feel comfortable touching the registry as I realize the problems that I can make from it.  So I come to you; you can see the attached screenshots of the instance in the registry where this file occurs.  What should I do?  Delete the entry in the registry?  Can I delete from the startup menu?

      Thanks


      Message was edited by: SantaKlauz on 12/30/10 11:28:26 PM CST
        • 1. Re: CSRSS.EXE
          Peter M

          According to what I read:

           

          This is the user-mode portion of the Win32 subsystem; Win32.sys is the kernel-mode portion. Csrss stands for Client/Server Run-Time
          Subsystem, and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or
          deleting threads, and implementing some portions of the 16-bit virtual MS-DOS environment.

          http://www.neuber.com/taskmanager/process/csrss.exe.html

          Note:
          The csrss.exe file is located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, trojan or worm! Virus with same name: Nimda.E

          From the document you attached it was a temporary document file anyway so not sure why Windows is now stating it's missing something as temps are ditched eventually anyway - you would have had to remove the one situated in system32 for Windows to start posting a problem.

           

          I don't know what system you have but you might try the following:

          If XP:  Go to Start/Run and type in sfc /scannow (with that space) and click OK.  (Must be done when signed in as an Administrator-level user.)

          If Vista/Windows 7, go to Start and type cmd in the Search box.

          In the menu above, right-click CMD and select 'Run as Administrator'.

          Type sfc /scannow in the Command Prompt window and hit the Enter key.  OK any prompts.

          See if that can repair the system.

          It may prompt you for the System CD/DVD, which may or may not work, depending on whether or not the CD/DVD is the same service pack level as the installed system.

          If it doesn't then I suggest posting for help on a PC help forum.  Tell me what your system is and I might be able to recommend one.

          Message was edited by: Ex_Brit on 31/12/10 7:42:52 EST AM
          • 2. Re: CSRSS.EXE
            Peter M

            You also might want to do the following in order to get an independent opinion on what to do next...

            DOWNLOAD HIJACKTHIS

            Do not post Hijackthis logs here, we can't help with those!

            Post the logs at one of these specialist Forums:

            AUMHA
            BLEEPINGCOMPUTER
            MAJOR GEEKS
            MALWAREBYTES
            MALWARE REMOVAL
            SPYWAREHAMMER
            SPYWARE INFO
            WHATTHETECH

            Be sure to read all the sticky announcements/instructions at the top of each malware forum!

            • 3. Re: CSRSS.EXE

              Hello,

              The file in question has been removed... what you are left with is a registry value found in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key.

              You can remove this entry by clicking Start > Run > type msconfig > Startup tab > remove csrss.exe found only in the location you have mentioned.

              Reboot.


              on 01/01/11 23:09:54 GMT
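
Added example, not part of any post in this thread: a Python check for the situation the replies describe, flagging autorun entries that use a system process name such as csrss.exe from a folder other than System32. The entries are constructed sample input (only the Temp path and the Run key name come from the thread), and the watch list beyond csrss.exe is an assumption.

```python
import ntpath  # Windows path rules, usable on any OS

# System process names to watch. csrss.exe comes from the thread; the others
# are an illustrative assumption (they also live in System32).
WATCHED = {"csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe"}

def image_path(command):
    """Return the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):                 # "C:\path with spaces\x.exe" /args
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")          # unquoted: keep up to first .exe
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def find_masquerades(entries, system_root=r"C:\Windows"):
    """Flag autorun entries using a watched name outside <system_root>\\System32."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    findings = []
    for location, value_name, command in entries:
        path = ntpath.normpath(image_path(command))   # collapses ".." segments
        name = ntpath.basename(path).lower()
        folder = ntpath.normcase(ntpath.dirname(path))
        if name in WATCHED and folder != expected:
            findings.append((location, value_name, path))
    return findings

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample data; only the Temp path is taken from the thread.
SAMPLE_ENTRIES = [
    (RUN_KEY, "csrss", r"C:\DOCUME~1\owner\locals~1\Temp\csrss.exe"),
    (RUN_KEY, "SampleUpdater", r'"C:\Program Files\Sample\updater.exe" /background'),
    (RUN_KEY, "SameNameRightPlace", r"c:\windows\SYSTEM32\csrss.exe"),
    (RUN_KEY, "Traversal", r"C:\Windows\System32\..\csrss.exe -k"),
]

if __name__ == "__main__":
    for location, value_name, path in find_masquerades(SAMPLE_ENTRIES):
        print(f"SUSPICIOUS {location} [{value_name}] -> {path}")
```

On a live system the entries would come from the values under the Run key; 8.3 short names and unexpanded variables such as %SystemRoot% in the System32 path would need resolving before the comparison.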
              • 4. Re: CSRSS.EXE

                I wound up using CCleaner to delete the file from startup.  Thank you for your assistance and quick responses!  I will still be trying the HijackThis program to test for other errors.  Again, thanks!

                • 5. Re: CSRSS.EXE
                  Peter M

                  Good luck.