csrss.exe files

ron.morse

It seems I have an 'extra' csrss.exe file. HijackThis tells the
following:

"This entry is not running from the System32 folder, so it is
probably nasty.
Possibly nasty! According to our database this process runs normally
in c:\windows\system32\! Check if you know this process and arrange a
viruscheck where required. This process is not running from the
System32 folder as it is supposed to be."
and:
"Must be fixed! Added by the CIADOOR-J TROJAN! Note - this is not the
legitimate csrss.exe process which is always located in the System (9x/
Me) or System32 (NT/2K/XP) folder and should not normally figure in
Msconfig/Startup! This file is located in the Winnt or Windows folder"
I did a search for the file and it's in both WINDOWS and
WINDOWS\system32. The first one is 144kb, version 1.0.0.0 and was added a
couple days ago when I started having problems. The second file is 6kb
version 5.1.2600.2180 (xpsp_sp2) and I'm pretty sure it's the legit
one. At this point, what steps should I take?
I'm also having the same problems with services.exe and syshost.exe.
Services.exe has a copy in both folders, syshost is only in WINDOWS
folder. All three suspect files were created last week.

Thanks for the help
(e-mail address removed)
 
Lem

Not running any anti-virus app?

See advice here, especially Part B:
http://www.elephantboycomputers.com/page2.html#Removing_Malware
 
Elmo

A few things to try:

1) Restart to a Safe Mode Command Prompt, type

CD C:\Windows

DEL csrss.exe

2) Schedule a boot scan within your a/v software so it can remove the
file before Windows starts.

3) Download software that can handle running malware. Just a couple...
I know that Avast! can be scheduled to do a boot scan:

Avast! - http://www.avast.com/eng/avast_4_home.html
AVG - http://free.grisoft.com/
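
The location check that HijackThis reports in the first post, sketched as an added example (not part of the thread and not HijackThis's own code): it classifies image paths by whether a known system process name sits in the folder expected for it. The expectation table, the `C:\WINDOWS` default and the sample paths are assumptions constructed from the thread's description.

```python
import ntpath

# Assumption for this example: image names from the thread whose legitimate
# copy lives in the System32 folder on NT/2K/XP, per the quoted HijackThis text.
EXPECTED_SUBDIR = {"csrss.exe": "system32", "services.exe": "system32"}

# Constructed sample: the image paths described in the first post.
SAMPLE_PATHS = [
    r"C:\WINDOWS\csrss.exe",
    r"\??\C:\WINDOWS\system32\csrss.exe",  # NT-style prefix seen in some process listings
    r"C:\WINDOWS\services.exe",
    r"c:\windows\System32\services.exe",
    r"C:\WINDOWS\syshost.exe",
]


def normalize(image_path):
    """Strip the NT object-manager prefix, collapse '..' and lower-case."""
    if image_path.startswith("\\??\\"):
        image_path = image_path[4:]
    return ntpath.normcase(ntpath.normpath(image_path))


def classify(image_path, windir=r"C:\WINDOWS"):
    """Return 'expected', 'wrong-location' or 'unlisted' for one image path."""
    path = normalize(image_path)
    name = ntpath.basename(path)
    if name not in EXPECTED_SUBDIR:
        return "unlisted"  # no expectation recorded; needs manual review
    expected_dir = ntpath.join(normalize(windir), EXPECTED_SUBDIR[name])
    return "expected" if ntpath.dirname(path) == expected_dir else "wrong-location"


def triage(paths, windir=r"C:\WINDOWS"):
    """Map each path to its classification, preserving input order."""
    return [(p, classify(p, windir)) for p in paths]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_PATHS):
        print(f"{verdict:15} {path}")
```

A matching location is only one signal; the size and version comparison from the first post still applies to a file that sits in System32.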
 
