Is csrss.exe a trojan?

MichaelMarr

This process has been running on my PC (I've just found it now). I'm not sure what it is. I did a Google search and read that it is a necessary Windows system file, but to contradict that I also read it was a trojan?

Can anyone shine a light on this for me.

Thank you
 

Open Task Manager by right-clicking on the taskbar and choosing Start Task Manager. On the Processes tab, if you right-click csrss and choose Properties, the location should be C:\Windows\System32.

csrss - Client Server Runtime Process
 

csrss.exe is the name of a critical system process but it is also the name of malware. Which it is depends on where it is found. The legitimate location will be in system32, elsewhere it is probably malware. The same applies for most, but not all, system processes. You also have to be very careful with the spelling of processes. Malware often uses names that are very similar to legitimate processes in the hopes that they will be overlooked. As an example, svchost.exe is a critical system process while scvhost.exe is malware.
 

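The two checks described in the post above (a system process name running from outside System32, and a name that is a near-miss of a system process name) can be run across every process at once. This PowerShell script is an added example, not part of the original thread; it assumes PowerShell 4.0 or later, and the `$Known` list and the edit-distance threshold of 2 are illustrative choices.

```powershell
# Added example. $Known is an illustrative, non-exhaustive list of system process names.
$Known  = 'csrss.exe','svchost.exe','lsass.exe','winlogon.exe','services.exe','smss.exe'
$SysDir = Join-Path $env:SystemRoot 'System32'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; a swapped pair such as "scvhost" vs "svchost" scores 2.
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -ceq $b[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

Get-CimInstance Win32_Process | ForEach-Object {
    $p       = $_
    $name    = $p.Name.ToLower()
    $path    = $p.ExecutablePath
    $finding = $null

    if ($Known -contains $name) {
        # Exact system name: the image must live in System32.
        if (-not $path) {
            $finding = 'path not readable; re-run from an elevated prompt'
        } elseif ((Split-Path $path -Parent) -ne $SysDir) {
            $finding = 'system process name outside System32'
        }
    } else {
        # Not a known name: look for a close misspelling of one.
        $near = $Known | Where-Object { (Get-EditDistance $name $_) -le 2 } |
                Select-Object -First 1
        if ($near) { $finding = "name resembles $near" }
    }

    if ($finding) {
        [pscustomobject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Path    = $path
            Finding = $finding
            SHA256  = if ($path) { (Get-FileHash -LiteralPath $path -ErrorAction SilentlyContinue).Hash }
        }
    }
}
```

No output means no listed name was running from outside System32 and no near-miss name was found. A reported SHA256 value can be searched on VirusTotal without uploading a copy of the file; short process names can trip the distance check, so treat a "resembles" finding as a prompt to look at the path.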
MichaelMarr,

Although csrss.exe is a legitimate Windows file, there are viruses that masquerade with the same name.

For peace of mind, please upload the file for a scan at VirusTotal:
http://www.virustotal.com/

If the file is listed as already analyzed, click on: Reanalyse file

Once the file is scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http://... address there.

Then, provide the http:// address to the results page in your reply. <<---

You can also go here http://www.sevenforums.com/tutorials/277740-online-scanners-scan-suspicious-files-your-pc.html
Select Jotti, or VirScan...or both, if you wish.
Then post the results.
 

If csrss.exe is anywhere other than C:\Windows\System32 it is probably some sort of malware.
Right click it in Task Manager/Go to File Location.
 

Thanks for the replies.

When I click properties on csrss.exe it doesn't show me anything, my PC goes really 'laggy' and I have a desktop gadget of my CPU performance and that goes crazy; the graph shows really high volumes. I'm gathering this is something sinister after all :(

Managed to find it in C:\Windows\System32, although when trying to upload to VirusTotal it disappears from the folder after I click 'Browse'. I'm really confused; I can see it in the folder but not after clicking Browse.

Also in Task Manager it's the only process without a 'User' or 'Description'
 

MichaelMarr,

Also in Task manager its the only process without a 'User' or 'Description'
Same here! :)


Click Start, and in the Search Programs and Files box, type in: cmd

In Programs (1) above, right-click the cmd icon and select: Run as Administrator

At the Command Prompt blinking cursor, paste the following info inside the quote box:

dir /s csrss.exe

Obtain the results by going to the small command icon on the left of the prompt, and select:
Edit > Select all
Edit > Copy

Please post the results in your reply. They should be very short...
 

14/07/2009 02:39 7,680 csrss.exe
1 file(s) 7,680 bytes

Total files listed:
1 File(s) 7,680 bytes
0 dir(s) 168,918,683,648 bytes free

I'm guessing that says when the file was made - 2009? That is around when I first got this PC.

If this file turns out to be safe, do you think something else could be going on to cause my CPU to randomly go crazy? I defrag and do a general cleanup every few weeks so I don't see how it is being affected lol
 

Mine:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dir /s csrss.exe
Volume in drive C is eMachines
Volume Serial Number is 98D2-B205
Directory of C:\Windows\system32
07/13/2009 08:39 PM 7,680 csrss.exe
1 File(s) 7,680 bytes
Total Files Listed:
1 File(s) 7,680 bytes
0 Dir(s) 434,395,111,424 bytes free
C:\Windows\system32>


Also, please download the Farbar Recovery Scan Tool
Select the version that applies to your system, 32-bit, or, 64-bit. (See Note)



Save it to your Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply. <<---

The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply. <<---

Note:
You need to know if the computer is running a 32-bit or 64-bit system.
To find out, click: Start
Type System in the Start Search box
Click System in the Programs list.

The Operating System is displayed as follows under System > System type:
64-bit Operating System
32-bit Operating System
 

Thanks for the replies.

When I click properties on csrss.exe it doesn't show me anything, my PC goes really 'laggy' and I have a desktop gadget of my CPU performance and that goes crazy; the graph shows really high volumes. I'm gathering this is something sinister after all :(

Managed to find it in C:\Windows\System32, although when trying to upload to VirusTotal it disappears from the folder after I click 'Browse'. I'm really confused; I can see it in the folder but not after clicking Browse.

Also in Task Manager it's the only process without a 'User' or 'Description'


I have this problem too. This is an old thread.
My Task Manager shows csrss.exe activity yet I cannot find it on the system.
(cmd) dir /s csrss.exe shows "file not found"

Updated thoughts appreciated.
I am using Win7

Is there any solution for this?
 

Hi Emerogork,

Go to C:\Windows\System32\csrss.exe, right click and choose copy.

Next, go to your desktop, right click and choose paste.

Now, go to VirusTotal and click on the Choose File button and navigate to the file on the desktop to upload.

Post the link when scan has completed.

I believe the reason that the file can not be found when searching within the system32 folder from VirusTotal is because it is a protected system file. I'd love to hear what others have to say about my thoughts on this concept.
 

Hi Emerogork,

Go to C:\Windows\System32\csrss.exe, right click and choose copy.

Next, go to your desktop, right click and choose paste.

Now, go to VirusTotal and click on the Choose File button and navigate to the file on the desktop to upload.

Post the link when scan has completed.

I believe the reason that the file can not be found when searching within the system32 folder from VirusTotal is because it is a protected system file. I'd love to hear what others have to say about my thoughts on this concept.

I am not sure why I could not see it before but I looked again and there it is. I ran the VT test and it reports 0/52. Interesting that (cmd) dir /s csrss.exe did not find it but I just ran it again and it did find it now that it is on the desktop and reports only that one. (7,680 bytes)
 

I believe the reason that the file can not be found when searching within the system32 folder from VirusTotal is because it is a protected system file. I'd love to hear what others have to say about my thoughts on this concept.
I would say you are correct in your assumption. I looked through virustotal's faqs and documentation, but couldn't find anything on the subject.

A system file is in use when the OS is up and running and to remove or open it while it's in use would crash the system. Oh, you could open it, but you would have to jump through hoops resetting the permissions to do it.

There are other system files that need to be looked at, most notably is the .cbs file when checking for update errors, but if you try to open it you will see an Access Denied popup, what you have to do then is copy it to your desktop, open and read it there.
You can make a copy of any system file and send that to virustotal.

I just happened to come across your concept by accident, if you would really want to know what the other members think you should post it as a separate thread here in the System Security Forum, it would garner more attention that way. :)


Emerogork, as long as you only found one instance of csrss and it is located in C:\Windows\System32\csrss.exe you have nothing to worry about.

If your machine is slow there are two other reasons it's that way: 1.) Malware, you need to do scans with a third-party tool like mbam or SAS; 2.) You have a corrupt profile.

And please, you need to create your own thread, it is impolite to hijack another thread, and for the same reason I told Donna, you will get more visibility and responses if you have a separate thread.
 

I get an error message when I try to run the Farbar download.

I am finding csrss.exe in the task manager with no User Name or Description listed.
I download the Farbar file successfully yet this message comes up when I try to run the file:

"Windows cannot find................" Apparently Norton refuses to allow this FRST64 file to run. Norton says that it is unsafe.

Next suggestion?
 

Hi mrick36,

Welcome to Windows Seven Forums! :)

I am finding csrss.exe in the task manager with no User Name or Description listed.
That is normal. That same file is located in my Task Manager as well, without information for User Name nor Description.

What issues are you experiencing that you feel the need to download and install FRST?

You can learn more about csrss.exe in the link below:

What is the Client/Server Run-time Subsystem?


 

Thanks DonnaB!

I am searching for the reason my network identification and connection process is now moving so slowly. I can literally sit and watch the entire process unfold. I posted a new thread for this problem since I could not find one that was similar. My concern here was identifying whether the csrss.exe I was finding in the task manager was the original system file or a virus posing as that file. I read this thread and was under the assumption FRST was going to identify the file. I should say that I was reading this thread and came to that assumption.

BTW, my mind goes back to Sasquatch before I can read most of what is written on that Wiki page! LOL! ADD uses up most of the memory cells. And the heart can't take the ADD meds. Aaaaahhhhhhh!
 

:roflmao: That's too funny! I guess that since your heart can't take the ADD meds you fit right in with the best of us.

I found your thread here and will follow it.

You can go ahead and follow the instructions in post #11 and upload the file to VirusTotal as I had instructed to make sure it is found to be the original file. You doing so will not interfere with oscer1's instructions. If you do follow the instructions to upload the file, please post the link to the results so I can see.

It is best to focus on one thread at a time to prevent confusion or conflicts. So do no more than what I ask in this post.

Donna :)
 

Post the link?

This file was last analysed by VirusTotal on 2014-12-02 04:03:39 UTC, it was first analysed by VirusTotal on 2009-08-17 19:46:37 UTC.

Detection ratio: 0/55

You can take a look at the last analysis or analyse it again now.
 

Looks like the file is the legit file. :) Make sure to delete the copy of the file from your desktop.
 
