csrss.exe ??

Ivan Debono

Hi all,

Norton said that the above file was a threat so it deleted it. The file was
located in c:\windows\winsock. I still have a csrss.exe in system32 and a
task with the same name is running under the SYSTEM user.

So I guess the file in the winsock folder was actually a threat. On startup
I get an error msg that the winsock\csrss.exe is missing.

Now I have the following registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell="Explorer.exe c:\windows\winsock\csrss.exe"
Userinit="C:\WINDOWS\system32\userinit.exe,c:\windows\winsock\csrss.exe"

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\winsock\csrss.exe="C:\WINDOWS\winsock\csrss.exe:*:Enabled:Microsoft (R) Windows TCP/IP Socket Driver"

HKLM\SYSTEM\ControlSet001\Services\winsck
ImagePath="C:\WINDOWS\winsock\csrss.exe"

HKLM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\winsock\csrss.exe="C:\WINDOWS\winsock\csrss.exe:*:Enabled:Microsoft (R) Windows TCP/IP Socket Driver"

HKLM\SYSTEM\ControlSet003\Services\winsck
ImagePath="C:\WINDOWS\winsock\csrss.exe"

HKLM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\winsock\csrss.exe="C:\WINDOWS\winsock\csrss.exe:*:Enabled:Microsoft (R) Windows TCP/IP Socket Driver"

HKLM\SYSTEM\CurrentControlSet\Services\winsck
ImagePath="C:\WINDOWS\winsock\csrss.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows
load="C:\WINDOWS\winsock\csrss.exe"

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows
load="C:\WINDOWS\winsock\csrss.exe"

What should I do with all these entries??

Thanks,
Ivan
 
Peter Sommer

This is the user-mode portion of the Win32 subsystem (with Win32.sys
being the kernel-mode portion). Csrss stands for client/server run-time
subsystem and is an essential subsystem that must be running at all
times. Csrss is responsible for console windows, creating and/or
deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the C:\Windows\System32 folder.
In other cases, csrss.exe is a virus, spyware, trojan or worm!

Virus with same name: Nimda.E

MfG
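
The rule in the reply above (csrss.exe is only legitimate in System32) can be applied mechanically to the autostart entries from the first post. The following is an added example, not part of the original thread: the entries are copied from that post (one control set only, firewall list omitted), and the function names and the C:\WINDOWS install path are assumptions.

```python
import ntpath
import re

# Entries copied from the first post in this thread: (key, value name, data).
ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"Explorer.exe c:\windows\winsock\csrss.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,c:\windows\winsock\csrss.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\winsck", "ImagePath",
     r"C:\WINDOWS\winsock\csrss.exe"),
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "load", r"C:\WINDOWS\winsock\csrss.exe"),
]

# Assumption: Windows is installed in C:\WINDOWS, as in the thread.
SYSTEM32 = r"c:\windows\system32"
PROTECTED = {"csrss.exe"}   # names that are only legitimate inside System32

def commands(data):
    """Split an autostart value into its commands (space or comma separated).
    Assumes paths without spaces, which holds for the listing above."""
    return [c for c in re.split(r"[,\s]+", data.strip()) if c]

def is_masquerade(path):
    """True when a protected system name is referenced outside System32."""
    norm = ntpath.normpath(path).lower()
    folder, name = ntpath.split(norm)
    # A bare name (no folder) resolves through the search path; not flagged.
    return name in PROTECTED and folder not in ("", SYSTEM32)

def audit(entries):
    """Return (key, value, rogue paths, commands left after removing them)."""
    findings = []
    for key, value, data in entries:
        cmds = commands(data)
        rogue = [c for c in cmds if is_masquerade(c)]
        if rogue:
            keep = [c for c in cmds if c not in rogue]
            findings.append((key, value, rogue, keep))
    return findings

if __name__ == "__main__":
    for key, value, rogue, keep in audit(ENTRIES):
        print(f"{key}\n  {value}: rogue={rogue} remaining={keep}")
```

An empty "remaining" list means the value exists only to start the rogue file, while a non-empty one (Shell, Userinit) shows the legitimate command that must stay in place.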
 
Ivan Debono

That's what I thought. What should I do with the above registry entries?

Thanks,
Ivan
 
Ivan Debono

I've reformatted the PC, installed Windows XP Home SP1, then Norton IS 2005,
then downloaded all updates of NIS to make sure I'm not prone to attacks.
Then I downloaded all patches of WinXP (including SP2 and its patches).
Both WinXP and NIS were up to date. During this process I monitored csrss.exe
and it still kept doing it, so I guess it's normal or?

Ivan
 
