csrss.exe ??

Ivan Debono

Hi all,

Norton said that the above file was a threat so it deleted it. The file was
located in c:\windows\winsock. I still have a csrss.exe in system32 and a
task with the same name is running under the SYSTEM user.

So I guess the file in the winsock folder was actually a threat. On startup
I get an error msg that the winsock\csrss.exe is missing.

Now I have the following registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell="Explorer.exe c:\windows\winsock\csrss.exe"
Userinit="C:\WINDOWS\system32\userinit.exe,c:\windows\winsock\csrss.exe"

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\winsock\csrss.exe="C:\WINDOWS\winsock\csrss.exe:*:Enabled:Microsoft (R) Windows TCP/IP Socket Driver"

HKLM\SYSTEM\ControlSet001\Services\winsck
ImagePath="C:\WINDOWS\winsock\csrss.exe"

HKLM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\winsock\csrss.exe="C:\WINDOWS\winsock\csrss.exe:*:Enabled:Microsoft (R) Windows TCP/IP Socket Driver"

HKLM\SYSTEM\ControlSet003\Services\winsck
ImagePath="C:\WINDOWS\winsock\csrss.exe"

HKLM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\winsock\csrss.exe="C:\WINDOWS\winsock\csrss.exe:*:Enabled:Microsoft (R) Windows TCP/IP Socket Driver"

HKLM\SYSTEM\CurrentControlSet\Services\winsck
ImagePath="C:\WINDOWS\winsock\csrss.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows
load="C:\WINDOWS\winsock\csrss.exe"

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows
load="C:\WINDOWS\winsock\csrss.exe"

What should I do with all these entries??

Thanks,
Ivan
 
This is the user-mode portion of the Win32 subsystem (with Win32.sys
being the kernel-mode portion). Csrss stands for client/server run-time
subsystem and is an essential subsystem that must be running at all
times. Csrss is responsible for console windows, creating and/or
deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the C:\Windows\System32 folder.
In other cases, csrss.exe is a virus, spyware, trojan or worm!

Virus with same name: Nimda.E

Kind regards
 
Peter Sommer said:
This is the user-mode portion of the Win32 subsystem (with Win32.sys being
the kernel-mode portion). Csrss stands for client/server run-time
subsystem and is an essential subsystem that must be running at all times.
Csrss is responsible for console windows, creating and/or deleting
threads, and some parts of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the C:\Windows\System32 folder. In
other cases, csrss.exe is a virus, spyware, trojan or worm!

Virus with same name: Nimda.E

Kind regards

That's what I thought. What should I do with the above registry entries?

Thanks,
Ivan
 
I've reformatted the PC, installed Windows XP Home SP1, then Norton IS 2005,
then downloaded all updates of NIS to make sure I'm not prone to attacks.
Then I downloaded all patches of WinXP (including SP2 and its patches).
Both WinXP and NIS were up to date. During this process I monitored csrss.exe
and it still kept doing it, so I guess it's normal or?

Ivan
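
The rule stated in the reply above (csrss.exe belongs only in C:\Windows\System32) can be applied mechanically to the registry values listed in the first post. The following is an added example, not part of the original thread; the list of other system image names and the `ConstructedControl` key are assumptions made for the illustration.

```python
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"  # assumption: Windows lives in C:\WINDOWS, as in the post
# Image names expected only in System32 (generalised beyond csrss.exe).
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe", "userinit.exe"}
# Absolute .exe path; stops at the separators these values use (, : * ").
EXE_PATH = re.compile(r'[A-Za-z]:\\[^,:*"]*?\.exe', re.IGNORECASE)

# Values copied from the post (wrapped lines joined); the last key is a constructed benign control.
DUMP = r'''
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell="Explorer.exe c:\windows\winsock\csrss.exe"
Userinit="C:\WINDOWS\system32\userinit.exe,c:\windows\winsock\csrss.exe"
HKLM\SYSTEM\ControlSet001\Services\winsck
ImagePath="C:\WINDOWS\winsock\csrss.exe"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\winsock\csrss.exe="C:\WINDOWS\winsock\csrss.exe:*:Enabled:Microsoft (R) Windows TCP/IP Socket Driver"
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows
load="C:\WINDOWS\winsock\csrss.exe"
HKLM\SOFTWARE\ConstructedControl
Image="C:\WINDOWS\system32\csrss.exe"
'''

def parse(dump):
    """Yield (key, value_name, value_data) from key lines and name="data" lines."""
    key = None
    for line in filter(None, map(str.strip, dump.splitlines())):
        name, sep, data = line.partition('="')
        if sep:
            yield key, name, data.rstrip('"')
        else:
            key = line

def misplaced_images(data):
    """Return paths in a value that name a system image outside System32."""
    hits = []
    for path in EXE_PATH.findall(data):
        norm = ntpath.normpath(path).lower()
        if ntpath.basename(norm) in SYSTEM_ONLY and ntpath.dirname(norm) != SYSTEM32:
            hits.append(path)
    return hits

def triage(dump):
    return [(key, name, hits) for key, name, data in parse(dump)
            if (hits := misplaced_images(data))]

if __name__ == "__main__":
    print("\n".join(f"{k} | {n} -> {h}" for k, n, h in triage(DUMP)))
```

Every value from the post is flagged, while the System32 copy of csrss.exe and the legitimate userinit.exe half of the Userinit value are not.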
 
