CSRSS.EXE & WINLOGON.EXE - is it a virus?

Gil

Sleep Guru
Hi all.
I'm running Windows 7 Ultimate 64bit and I see that I have 2 running processes csrss.exe and winlogon.exe.

I've tried to search info in Google but I didn't get a conclusive decision. It seems that the info I found was related to WinXP.

I have NOD32 and except for shark007 codecs that are by mistake considered as a trojan, my computer checks out fine.

So how can I verify the authenticity of these files?

 

My Computer

Computer type
PC/Desktop
OS
Windows 7 x64
CPU
Core i7 3770K @ 4.5Ghz
Motherboard
Asus P8Z77-V-Deluxe
Memory
4x4 Corsair Vengence 1600
Graphics Card(s)
Sepphire HD 6970
Hard Drives
Intel 520 SSD 240GB
PSU
Thermaltake 750W
Case
Antec P2
Cooling
Corsair H100i
Keyboard
Razer blackwidow 2012
Mouse
Roccat Kone XTD
Antivirus
Bitdefender
Browser
Chrome
These are Windows processes. No need to worry.
 

My Computer

Computer Manufacturer/Model Number
Samsung NP530U4B-S02IN
OS
Windows® 8 Pro (64-bit)
CPU
Intel® Core™ i5 Processor 2467M (1.60GHz, 3MB L3 Cache)
Motherboard
Samsung Electronics
Memory
6GB DDR3 System Memory at 1,333MHz (on BD 4GB + 2GB x 1)
Graphics Card(s)
AMD Radeon™ HD7550M 1GB DDR3 (Ext. Graphic)
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
35.56cm (14.0) SuperBright 300nit HD LED Display
Screen Resolution
1366x768
Hard Drives
1TB S-ATA II Hard Drive (5400RPM) with ExpressCache 16GB SSD
Internet Speed
sucks
Antivirus
Microsoft Security Essentials
Browser
Google Chrome (Sync enabled)


The reason I'm asking this, is because I have 2 strange bugs in my OS:
1. Folder names are being cut short.
2. Error message stating that I don't have admin permission to save files (JPG).

Here are screenshots of error No.1. See the highlighted folder name:


Now here's another:




And this is the real name:



It happens with several folders.

Here's the screenshot of my second error message:




That's why I think there's a virus but NOD32 and other scans I've made point to nothing.
 

1. Folder names are being cut short.
10.02.03_Avatar, the 03_Avatar part is seen as an extension because it comes after the last dot (period).

2. Error message stating that I don't have admin permission to save files (JPG).
You need to reset the permissions of the extra partition. I assume you are coming from another system; if so, it still has its permissions set.

Your problems have nothing to do with any virus or malware.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Alienware Aurora ALX R4
OS
Windows 10 Pro (x64)
CPU
Intel Core i7-3930K (3.2GHz - 4.5GHz)
Motherboard
Alienware Aurora-R4 x79
Memory
4x Samsung 4GB PC3-12800 DDR3 (16GB 1600MHz)
Graphics Card(s)
Nvidia Geforce GTX 690
Sound Card
SteelSeries Siberia Elite
Monitor(s) Displays
Dell UltraSharp U3011
Screen Resolution
2560x1600
Hard Drives
Samsung 850 Pro 256 GB, Seagate 1TB Desktop Hybrid HDD, 2x Western Digital 4TB Green HDD
PSU
875W Some Dell PSU <.<
Case
Alienware Aurora ALX
Cooling
Custom Liquid Cooling (EK CPU & GPU blocks) dual EK 480RAD
Keyboard
Logitech G710+ Mechanical
Mouse
Logitech G700s
Internet Speed
Verizon Fios (50 mbps average)
Other Info
Server: Intel NUC D54250WYK: i5-4250U, 16GB, 256 GB mSATA, Windows Server 2012 R2
Thanks for the reply.

Actually I installed Win7 from scratch. There was no upgrade.

About the folder names, as of now when I look at the folder, I see the entire name. That's what I'm talking about, it's not consistent. Sometimes the name is shorter sometimes I see the full name:

 

One is through the Library, which hides the extension; the other is through normal file and folder interactions that is traditional in Explorer.
 

Hi guys. I have 9 instances of "svchost.exe" running in Task Manager. Is this normal as well?
Just out of interest, if the "csrss" or "winlogon" or "svchost.exe" were or were not dodgy "how can I verify the authenticity of these files?" (I would also like to know ) :-)
 

My Computer

Computer Manufacturer/Model Number
Toshiba
OS
Windows 7 Ultimate 6.1.7600 Build 7600 X86-based PC
CPU
Intel(R) Core(TM)2 Duo CPU T7100 @1.8GHz, 1801Mhz. 2 Cores
Motherboard
not sure - Satellite A200 ???
Memory
2.0 GB
Graphics Card(s)
ATI Mobility Radeon HD 2600 1012MB
Sound Card
High Definition Audio Device
Monitor(s) Displays
Generic PnP Monitor
Screen Resolution
1280 x 800 (32 bit)(60 HZ)
Hard Drives
FUJITSU MHW2160BH PL ATA Device 150 GB
PSU
External ?
Case
Toshiba LapTop
I have 12 currently so yes it would be. You can do this, which will help you see what's running in svchost:

1. open task manager
2. click on processes tab
3. click view menu and then select columns
4. tick command line

Now go back to task manager and on the right you'll see a new column showing you what svchost is running.
 

My Computer

Computer Manufacturer/Model Number
self built
OS
Windows 7 Professional 64-bit
CPU
Intel E8400 3GHz
Motherboard
Intel DX48BT2
Memory
Kingston PC3-10700H 4Gb
Graphics Card(s)
XFX Radeon HD 5850 BlackEd.
Sound Card
Asus Xonar DG
Monitor(s) Displays
2x Samsung SM-T220HD 22"
Screen Resolution
1680x1050 on two monitors
Hard Drives
OCZ Vertex 2 120gb 3.5" (OS)
Seagate Momentus XT 500gb
Samsung F3 1Tb (games)
2x Samsung F1 1Tb
PSU
Thermaltake ToughPower 850w
Case
Thermaltake Armor
Cooling
Scythe Mugen II
Keyboard
Microsoft Comfort Curve USB
Mouse
Razer Diamondback 3G
Internet Speed
8128/443
Thanks.

Would I need to look for something specific/out of the ordinary ?
 

If you have TWO csrss when you pull up Task Manager it's a VIRUS!! I know because my mom's Dell computer had it. I called them and they told me it was a VIRUS, but they wanted 149.99 to clean it up. I used Malwarebytes and Norton's
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
dell
OS
Windows 7 Home Premium 32bit.
Welcome to the forum.

If you have TWO csrss when you pull up Task Manager it's a VIRUS!!

No.

In Vista and later there will be one instance of csrss.exe for the system session plus one for each logged in user. Thus there will be at least 2 instances shown in Task Manager, 3 or more if users are using Fast User Switching.

It is more meaningful to look at the "Image Path Name" column. If the file is in the System32 folder it is probably legitimate. But when dealing with viruses very little can be relied on entirely. Sufficiently sophisticated malware can manipulate the display of Task Manager and other utilities.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Pro 64 bit
CPU
Xeon W3520
Memory
8 GB
Graphics Card(s)
Nvidia Geforce 210
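
The two checks from the last reply above (one csrss.exe per session, image path in the System32 folder), applied to a process snapshot. This is an added example, not part of any post in this thread; the snapshot rows, field names and the `review_processes` function are constructed for illustration, and a missing image path is reported as inconclusive rather than clean.

```python
import ntpath
from collections import Counter

WATCHED = {"csrss.exe", "winlogon.exe", "svchost.exe"}
FIELDS = ("name", "pid", "session_id", "image_path")

# Constructed sample snapshot (not taken from the thread).
_ROWS = [
    ("csrss.exe", 404, 0, r"C:\Windows\System32\csrss.exe"),
    ("csrss.exe", 472, 1, r"C:\Windows\system32\csrss.exe"),
    ("winlogon.exe", 520, 1, r"C:\Windows\System32\winlogon.exe"),
    ("svchost.exe", 812, 0, r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", 3120, 1, r"C:\Users\example\AppData\Roaming\svchost.exe"),
    ("csrss.exe", 3344, 1, None),  # path could not be read
    ("notepad.exe", 4000, 1, r"C:\Windows\System32\notepad.exe"),
]
SAMPLE = [dict(zip(FIELDS, row)) for row in _ROWS]


def review_processes(snapshot, system_root=r"C:\Windows"):
    """Return (pid, verdict) pairs for watched names that fail a check."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    csrss_per_session = Counter()
    findings = []
    for proc in snapshot:
        name = proc["name"].lower()
        if name not in WATCHED:
            continue
        path = proc["image_path"]
        if path is None:
            findings.append((proc["pid"], "inconclusive: image path unavailable"))
        else:
            actual = ntpath.normcase(ntpath.normpath(path))
            in_system32 = ntpath.dirname(actual) == expected_dir
            if not in_system32 or ntpath.basename(actual) != name:
                findings.append((proc["pid"], "suspicious: runs from " + path))
                continue
        if name == "csrss.exe":
            # One csrss.exe per session is normal; a second in one session is not.
            csrss_per_session[proc["session_id"]] += 1
            if csrss_per_session[proc["session_id"]] > 1:
                msg = "suspicious: extra csrss.exe in session %d" % proc["session_id"]
                findings.append((proc["pid"], msg))
    return findings


if __name__ == "__main__":
    for pid, verdict in review_processes(SAMPLE):
        print(pid, verdict)
```
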