Is csrss.exe a trojan?

DonnaB · 08 Nov 2014

Hi Emerogork,

Go to C:\Windows\System32\csrss.exe, right click and choose copy.

Next, go to your desktop, right click and choose paste.

Now, go to VirusTotal and click on the Choose File button and navigate to the file on the desktop to upload.

Post the link when scan has completed.

I believe the reason that the file can not be found when searching within the system32 folder from VirusTotal is because it is a protected system file. I'd love to hear what others have to say about my thoughts on this concept.

Emerogork · 08 Nov 2014

DonnaB said:

Hi Emerogork,

Go to C:\Windows\System32\csrss.exe, right click and choose copy.

Next, go to your desktop, right click and choose paste.

Now, go to VirusTotal and click on the Choose File button and navigate to the file on the desktop to upload.

Post the link when scan has completed.

I believe the reason that the file can not be found when searching within the system32 folder from VirusTotal is because it is a protected system file. I'd love to hear what others have to say about my thoughts on this concept.

I am not sure why I could not see it before but I looked again and there it is. I ran the VT test and it reports 0/52. Interesting that (cmd) dir /s csrss.exe did not find it but I just ran it again and it did find it now that it is on the desktop and reports only that one. (7,680 bytes)

Anak · 10 Nov 2014

I believe the reason that the file can not be found when searching within the system32 folder from VirusTotal is because it is a protected system file. I'd love to hear what others have to say about my thoughts on this concept.

I would say you are correct in your assumption. I looked through virustotal's faqs and documentation, but couldn't find anything on the subject.

A system file is in use when the OS is up and running and to remove or open it while it's in use would crash the system. Oh, you could open it, but you would have to jump through hoops resetting the permissions to do it.

There are other system files that need to be looked at, most notably is the .cbs file when checking for update errors, but if you try to open it you will see an Access Denied popup, what you have to do then is copy it to your desktop, open and read it there.
You can make a copy of any system file and send that to virustotal.

I just happened to come across your concept by accident, if you would really want to know what the other members think you should post it as a separate thread here in the System Security Forum, it would garner more attention that way. :)

Emerogork, as long as you only found one instance of csrss and it is located in C:\Windows\System32\csrss.exe you have nothing to worry about.

If your machine is slow there are two other reasons its that way, 1.) Malware, you need to do scans of a third-party tool like mbam or SAS; 2.) You have a corrupt profile.

And please, you need to create your own thread, it is impolite to hijack another thread, and for the same reason I told Donna, you will get more visibility and responses if you have a separate thread.

mrick36 · 01 Dec 2014

I get an error message when I try to run the Farbar download.

I am finding csrss.exe in the task manager with no User Name or Description listed.
I download the Farbar file successfully yet this message comes up when I try to run the file:

"Windows cannot find................" Apparently Norton refuses to allow this FRST64 file to run. Norton says that it is unsafe.

Next suggestion?

DonnaB · 01 Dec 2014

Hi mrick36,

Welcome to Windows Seven Forums! :)

I am finding csrss.exe in the task manager with no User Name or Description listed.

That is normal. That same file is located in my Task Manager as well, without information for User Name nor Description.

What issues are you experiencing that you feel the need to download and install FRST?

You can learn more about csrss.exe in the link below:

What is the Client/Server Run-time Subsystem?

mrick36 · 01 Dec 2014

Thanks DonnaB!

I am searching for the reason my network identification and connection process is now moving so slowly. I can literally sit and watch the entire process unfold. I posted a new thread for this problem since I could not find one that was similar. My concern here was identifying whether the csrss.exe I was finding in the task manager was the original system file or a virus posing as that file. I read this thread and was under the assumption FRST was going to identify the file. I should say that I was reading this thread and came to that assumption.

BTW, my mind goes back to Sasquatch before I can read most of what is written on that Wiki page! LOL! ADD uses up most of the memory cells. And the heart can't take the ADD meds. Aaaaahhhhhhh!

DonnaB · 01 Dec 2014

That's too funny! I guess that since your heart can't take the ADD meds you fit right in with the best of us.

I found your thread here and will follow it.

You can go ahead and follow the instructions in post #11 and upload the file to VirusTotal as I had instructed to make sure it is found to be the original file. You doing so will not interfere with oscer1's instructions. If you do follow the instructions to upload the file, please post the link to the results so I can see.

It is best to focus on one thread at a time to prevent confusion or conflicts. So do no more than what I ask in this post.

Donna :)

mrick36 · 01 Dec 2014

Post the link?

This file was last analysed by VirusTotal on 2014-12-02 04:03:39 UTC, it was first analysed by VirusTotal on 2009-08-17 19:46:37 UTC.

Detection ratio: 0/55

You can take a look at the last analysis or analyse it again now.

mrick36 · 01 Dec 2014

https://www.virustotal.com/en/file/c...c03a/analysis/

VirusTotal.......got that page bookmarked now!

Thanks DonnaB! That's great page to have!

DonnaB · 02 Dec 2014

Looks like the file is the legit file. :) Make sure to delete the copy of the file from your desktop.