How many true csrss.exe files are there in Win xp?

Guest

After doing a search (including hidden files and folders) for csrss.exe, I
accidentally deleted 2 csrss.exe files in:

c:\windows\system\csrss.exe
c:\windows\$NtServicePackUninstall$\csrss.exe

I hope I remember the above folders correctly. There is 1 more csrss.exe
file at c:\windows\system32 folder which I left intact. It is 6kb and version
5.1.2600.2180. I'm running win xp with service pack 2 installed.

Have I deleted any vital system files? Actually how many csrss.exe files
should there be? How do I remedy my situation, besides doing a clean
reinstallation of my win xp? Pls help. Many thanks!
 
Tom Porterfield

tommi said:
After doing a search (including hidden files and folders) for csrss.exe, I
accidentally deleted 2 csrss.exe files in:

c:\windows\system\csrss.exe
c:\windows\$NtServicePackUninstall$\csrss.exe

I hope I remember the above folders correctly. There is 1 more csrss.exe
file at c:\windows\system32 folder which I left intact. It is 6kb and version
5.1.2600.2180. I'm running win xp with service pack 2 installed.

Have I deleted any vital system files? Actually how many csrss.exe files
should there be? How do I remedy my situation, besides doing a clean
reinstallation of my win xp? Pls help. Many thanks!

The one used by Windows is the one in the system32 folder. The copy in
$NtServicepackUninstall$ folder is a pre-SP version of the file that
would have been restored if you uninstalled the service pack. I cannot
explain the copy that you had in \windows\system as the file does not
normally reside in that folder. You should be safe. In the future,
however, I recommend you ask these types of questions *before* you
delete the file.
--
Tom Porterfield
MS-MVP Windows
http://support.telop.org

Please post all follow-ups to the newsgroup only.
 
Guest

I deleted them thinking that they could be infected with virus. I just did a
repair install of win xp, followed by service pack 2. And doing another
search, I now have 3 copies in -

1. windows\system32\ ------> which should be a valid file
2. windows\$NtServicePackUninstall$\ ------> Pre-sp version of file
3. WINDOWS\ServicePackFiles\i386\

As for the 3rd copy, I guess this could be the file copied over to the
system32 folder when installing sp2, cos it is of the same size (6kb) as the
one in the system32 folder.
The pre-sp copy is 4kb instead.

Thanks Porterfield.
 
Tom Porterfield

tommi said:
I deleted them thinking that they could be infected with virus. I just did a
repair install of win xp, followed by service pack 2. And doing another
search, I now have 3 copies in -

1. windows\system32\ ------> which should be a valid file
2. windows\$NtServicePackUninstall$\ ------> Pre-sp version of file
3. WINDOWS\ServicePackFiles\i386\

As for the 3rd copy, I guess this could be the file copied over to the
system32 folder when installing sp2, cos it is of the same size (6kb) as the
one in the system32 folder.
The pre-sp copy is 4kb instead.

Yes. That third copy will be used if you install any windows component
that will force a reinstall of that file. It will make sure the SP2
version of the file is the one that gets put back if necessary, rather
than pulling an older version.
--
Tom Porterfield
MS-MVP Windows
http://support.telop.org

Please post all follow-ups to the newsgroup only.
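
A location check along the lines of the replies above, as an added example that is not part of the original thread: it sorts search hits for csrss.exe by the folder roles the posters describe and flags any other location. The function names, the default `C:\WINDOWS` root and the sample hit list are assumptions; an expected location says nothing about the file's contents.

```python
import ntpath  # Windows path rules, usable on any OS

# Folder roles for csrss.exe as described in this thread (XP with SP2),
# relative to the Windows directory. Keys are lower-case for matching.
EXPECTED = {
    "system32": "copy used by Windows",
    "$ntservicepackuninstall$": "pre-SP copy kept for service pack uninstall",
    "servicepackfiles\\i386": "SP2 copy used if a component reinstalls the file",
}

def classify(path, windir=r"C:\WINDOWS"):
    """Return (verdict, reason) for one search hit. windir is an assumed default."""
    norm = ntpath.normcase(ntpath.normpath(path))    # collapse '..', lower-case
    root = ntpath.normcase(ntpath.normpath(windir))
    folder, name = ntpath.split(norm)
    if name != "csrss.exe":
        return ("ignored", "not csrss.exe")
    rel = folder[len(root) + 1:] if folder.startswith(root + "\\") else None
    if rel in EXPECTED:
        return ("expected location", EXPECTED[rel])
    return ("unexpected location", "csrss.exe does not normally reside in " + folder)

def unexpected_hits(paths, windir=r"C:\WINDOWS"):
    """Keep only the hits that sit outside the folders listed in EXPECTED."""
    return [p for p in paths if classify(p, windir)[0] == "unexpected location"]

# Constructed search results, modelled on the paths quoted in the thread.
SAMPLE_HITS = [
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\$NtServicePackUninstall$\csrss.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\csrss.exe",
    r"c:\windows\system\csrss.exe",
    r"C:\Windows\System32\..\system\CSRSS.EXE",   # same folder, written differently
]

if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        verdict, reason = classify(hit)
        print(f"{verdict:20} {hit}  ({reason})")
```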
 
David H. Lipman

From: "tommi" <[email protected]>

| After doing a search (including hidden files and folders) for csrss.exe, I
| accidentally deleted 2 csrss.exe files in:
|
| c:\windows\system\csrss.exe
| c:\windows\$NtServicePackUninstall$\csrss.exe
|
| I hope I remember the above folders correctly. There is 1 more csrss.exe
| file at c:\windows\system32 folder which I left intact. It is 6kb and version
| 5.1.2600.2180. I'm running win xp with service pack 2 installed.
|
| Have I deleted any vital system files? Actually how many csrss.exe files
| should there be? How do I remedy my situation, besides doing a clean
| reinstallation of my win xp? Pls help. Many thanks!

If you have %windir%\system\csrss.exe, then the chance of malware is extremely high!

Non-viral malware

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm


Viral malware


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command Line
Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site. The choices are;
Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Guest

David H. Lipman said:
If you have %windir%\system\csrss.exe, then the chance of malware is extremely high!

Non-viral malware

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm


Viral malware


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command Line
Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site. The choices are;
Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

Hi David,

Yes, I've run ad-aware & spybot (Norton av too). My system should now be
clean.

I've also installed multi_av. I noticed that when I run startmenu in normal
mode and select 1 of the choices, the program will always automatically
download the needed files before allowing me to scan my system. Meaning to
say I have to download the components every time I want to scan my system in
normal mode, even though I may already have the components resident in the
folder? This is a predicament for me because I'm using dial-up to connect to
the net, so the 15mb trendmicro file does take some time.

But in safe mode, I can start the scan without having to download all over
again. So I guess if I want to keep my av components up-to-date, I will have
to download all the necessary files every time I wish to perform a scan. Am I
right?

Presently, this is what I do - Run startmenu in normal mode. Select 1 of the
choices. Download selected av components. Scan system. Reboot in safe mode.
Run startmenu again. Select a choice and scan my system straight away.

Does it matter whether I scan in normal or safe mode first?
 
David H. Lipman

From: "tommi" <[email protected]>


| Hi David,
|
| Yes, I've run ad-aware & spybot (Norton av too). My system should now be
| clean.
|
| I've also installed multi_av. I noticed that when I run startmenu in normal
| mode and select 1 of the choices, the program will always automatically
| download the needed files before allowing me to scan my system. Meaning to
| say I have to download the components every time I want to scan my system in
| normal mode, even though I may already have the components resident in the
| folder? This is a predicament for me because I'm using dial-up to connect to
| the net, so the 15mb trendmicro file does take some time.
|
| But in safe mode, I can start the scan without having to download all over
| again. So I guess if I want to keep my av components up-to-date, I will have
| to download all the necessary files every time I wish to perform a scan. Am I
| right?
|
| Presently, this is what I do - Run startmenu in normal mode. Select 1 of the
| choices. Download selected av components. Scan system. Reboot in safe mode.
| Run startmenu again. Select a choice and scan my system straight away.
|
| Does it matter whether I scan in normal or safe mode first?

What is downloaded or needs to be downloaded is based upon what needs to be updated. For
example, Kaspersky, once originally downloaded, will only need new signatures. McAfee will
always be relatively the same size (as a function of time the file does increase in size.)
Trend will update Sysclean only as needed and will only update the signature as needed,
etc...
 
