Is csrss.exe a trojan?

[Layback Bear]

From Anak

Layback Bear; Do you know who I am trying to think of?

No I don't remember but my brain does not have a SXS folder.

 

[iCod3r]

The reason why you cannot see any information on 'csrss.exe' in the task manager, is because you have to tick 'Show processes from all users' @ the bottom of the Processes tab.

After doing this, right click 'csrss' and choose either 'properties' or 'open file location', then you can tell what the source dir of the file is.

If it is in the \Windows\System32 folder & it is signed by Microsoft, then you're fine. If you still do not feel safe, upload the file to a virus scan website or scan with your own software.

Hope that helps.

 

[Anak]

Hi iCod3r, welcome to 7F!

If it has not been touched on before your post is a timely reminder.

 

[jalea148]

csrss.exe size conflict

In win7 System 32 csrss.exe shows as 8K. in task manager it shows using 2,076KB memory. Can this be the same file? Yesterday, I had Baidu do a deep scan. How do I determine if the csrss.exe in the task manager is the same one in System 32?

 

[UsernameIssues]

The amount of RAM used is not going to agree with the file size.

Try the tool mentioned here:
http://www.sevenforums.com/system-security/289062-csrss-exe-trojan-5.html#post3150086

 

[LMiller7]

Windows explorer shows the size of the csrss.exe file while Task Manager shows the memory that process is consuming. These are totally different things. If they ever showed the same numbers it would be pure coincidence. To see the location of the file in Task Manager you must add the "Image Path Name" column. You also need to be logged in with an admin account and select "Show processes from all users"

 

[UsernameIssues]

I'm logged in with an admin account and have selected "Show processes from all users". This is what I see:

 

[jalea148]

Windows explorer shows the size of the csrss.exe file while Task Manager shows the memory that process is consuming. These are totally different things. If they ever showed the same numbers it would be pure coincidence. To see the location of the file in Task Manager you must add the "Image Path Name" column. You also need to be logged in with an admin account and select "Show processes from all users"

This showed csrss.exe is from the System32 directory. Thank you.

 

[kristen theron]

csrss.exe might be a malware file

It is a legitimate files which was developed by Microsoft Corporation. Csrss.exe is used to manage the majority of graphical instructions set in the Client/server runtime subsystem under Microsoft windows Operating system. It is basically not a trojan file, Malware attackers create a malware file and name it as csrss.exe to spread malware over the internet. To know more about csrss.exe, have a look at file-intelligence website, which is a malware search engine, where i got to know about this file.

 

[Anak]

Hi kristen theron, welcome to 7F!

Nice explanation for the csrss file, do you have a link to this file-intelligence website? Would it possibly be? https://file-intelligence.comodo.com/exe/csrss This comodo site is one that I will save for quick reference.

One many that I use: http://www.systemlookup.com/search=csrss.exe Just as the comodo site, most larger anti-malware companies will have a searchable database.


Related:
Systemlookup with Status Key legend at top
https://Client/Server Runtime Subsystem | en.wikipedia.org

 

[UsernameIssues]

It is a legitimate files which was developed by Microsoft Corporation. Csrss.exe is used to manage the majority of graphical instructions set in the Client/server runtime subsystem under Microsoft windows Operating system. It is basically not a trojan file, Malware attackers create a malware file and name it as csrss.exe to spread malware over the internet. To know more about csrss.exe, have a look at file-intelligence website, which is a malware search engine, where i got to know about this file.

I see that you understand that an infected file can have the same name as a legitimate MS file. It is unclear to me how looking up the file's name on a website can assure a user that the file on their computer is not infected. I would suggest using the free tool named Process Explorer that I mention in this post earlier in this thread. There is nothing to install, just download and run the tool.

 

[cyrilhubert]

Hi! this question has always been bouncing back and forth.IMHO, from experience when csrss.exe is acting up (being used by Windows Update to update the Windows 7 and any malware already downloaded and running on your system). Masqueraded csrss.exe can be a real problem.

Main problem:csrss.exe taking up a lot of RAM during surfing of the WWW.

If your system is clean and the RAM memory is small (ie your system has only 2GB RAM or less ).Windows Update scheduled to update the Windows 7 using csrss.exe as the command will jammed up or slowed your system to halt just to download all the updates.
If you are browsing the WWW everything is slow.Add more RAM to speed up. Once the updating is over, the speed is up again.

Try and see if stopping updates will help.

Look out for multiples csrss.exe running as some are malware in disguise.

TQ

 

[Sparky321]

I have this same problem. I right click it, click properties, and nothing happens. Please help!

 

[Anak]

Hi Sparky and Chip welcome to 7F!

Have either of you perused the previous 70 some posts in this thread, especially the first 15? It does sound like both of you have some degree of malware infection.

The basics are:

• Use malware scans like mbam, sas, adwcleaner, and any or all online malware scanners, to make sure without a doubt that your machines are clean.

• csrss.exe is a hidden, protected file; To show protected operating system files:
  Hidden Files and Folders - Show or Hide

• Then do a start menu search for csrss.exe, if you find it anywhere other than in the C:\Windows\System32 Folder you will then need further help with better tools to eradicate the offending file.

Oh, and Chip; The appuals.com site has some good points, like scanning for malware and farbar is a legitimate tool but have you searched for reviews on Reimage Plus Software? It's up to you if you really want to try reimage, and trying the new user account is a last resort if malware scans don't help.

 

[townsbg]

From Anak

Layback Bear; Do you know who I am trying to think of?

No I don't remember but my brain does not have a SXS folder.

Best thing I've read all day.:roflmao:

 

[Layback Bear]

townsbg I'm glad I could bring a little laughter to your day.

 

[townsbg]

Totally geekish.

 

[Samuelogan987]

What's the removal treat

What will happen if if end the proses and it is the legit process, because when I went to select "Open file location", nothing happened.

 

[Anak]

Hi Samuelogan987, welcome to 7F!

A couple of things:

• Did you un-hide system files and folders? That may have caused what you saw.

• And do a search for csrss.exe if it shows up anywhere, but, the system32, syswow, winsxs, folders, then you have a problem. This is not to say you have a problem, but check there first.

• Did you read any of the previous postings like my #74?

Hi Sparky and Chip welcome to 7F!

Have either of you perused the previous 70 some posts in this thread, especially the first 15? It does sound like both of you have some degree of malware infection.

The basics are:

• Use malware scans like mbam, sas, adwcleaner, and any or all online malware scanners, to make sure without a doubt that your machines are clean.

• csrss.exe is a hidden, protected file; To show protected operating system files:
  Hidden Files and Folders - Show or Hide

• Then do a start menu search for csrss.exe, if you find it anywhere other than in the C:\Windows\System32 Folder you will then need further help with better tools to eradicate the offending file.

Oh, and Chip; The appuals.com site has some good points, like scanning for malware and farbar is a legitimate tool but have you searched for reviews on Reimage Plus Software? It's up to you if you really want to try reimage, and trying the new user account is a last resort if malware scans don't help.

 

[Amzakil]

I followed your instruction and here's the result:

"Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Asus>dir /s csrss.exe
Volume in drive C is OS
Volume Serial Number is 24AF-7AFF
File Not Found

C:\Users\Asus>"

Does it mean malware because it connot be found in C:Windows\Systems32?

I found in the other website that it is normal when you check the Show processes from all users and find the file (csrss) you can find its user name and description and can click Properties or Open File Location and there it is located in C:\Windows\System32

But what about winlogon.exe? Are their conditions the same? Thanks!