Solved

Is csrss.exe a virus?

Posted on 2003-11-13
16
296,876 Views
Last Modified: 2011-08-18
I found this file on my PC; I don't know what it is about.
0
Comment
Question by:mikezang
16 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9744683
0
 
LVL 5

Author Comment

by:mikezang
ID: 9744709
I had read that, but I still don't understand, could you explain to me?
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9744835
Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times.
Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

wtrmk74
0
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 50 total points
ID: 9745352
Csrss.exe: The Client Server Runtime Subsystem process, also known as the Win32 subsystem, generates a worker thread for client requests.

Sunray
0
 
LVL 9

Expert Comment

by:activematx
ID: 10408350
It is not a virus,

However.....

some virus makers know of this, and will bind a virus to this program, or rename their virus to CSRSS.exe (so you won't think it is a virus)

You should check the particular .exe, and see whether or not it contains a virus.
0
 

Expert Comment

by:Need4Info
ID: 10687242
If you want to know if a file, such as csrss.exe, is legitimate or not, a good hint is the "Date modified" information you can view when performing a search on the filename on your hard drive.

If you suspect a file has started trying to access the network illegally in recent days, the file may have been modified by a virus just prior to the date when this unwarranted activity started.

Be careful when you use this test!

If you recently patched your system, the "Modified date" on the file will correspond to the date a file may have been changed by the software editor in order to correct a problem.

The person writing the virus may also be aware of the date the file was last modified by the software editor and try to fool you into believing the file is legitimate. This could be done if the hacker is aware of the date the software vendor last changed the file and makes the "Modified date" on the infected file correspond to it. A little far-fetched, but possible.
0
 
LVL 1

Expert Comment

by:W2k-User
ID: 10797304
There is also another way to see if it is the "authentic" CSRSS.EXE.  [Note: I am using SP4 with a whole load of other patches and updates].  

If you get the Task Manager up [CTRL+SHIFT+ESC etc.], and choose Processes, then find CSRSS.EXE.  If you then select the process (CSRSS.EXE) and choose End Process (Right Click menu or button at bottom of frame), you _should_ be presented with a dialog box that states that "This [CSRSS.EXE] is a critical system process.  Task Manager cannot end this process."  If you are presented with a box that asks whether you _want_ to end the process, it is up to you what you do (I would recommend choosing No, due to the above comments on the role of CSRSS.EXE).  If there is more than one CSRSS.EXE, then virus activity could be a possibility, and if one presents the dialog box as above when you attempt to close it, then the other one could be the virus.  

Paul.  


[Note: If you do not have SP4, then I do not know what will happen.  Be cautious, however, a restart would probably fix anything done by closing a process.]  
0
 

Expert Comment

by:moTXa
ID: 10827204
A few known viruses and worms attach themselves to (overwrite) windows executable services.
Here's a report by <a href="http://securityresponse.symantec.com/avcenter/tools.list.html">Symantec</a> about the virus/worm Nimda:

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html
It seems to copy itself as Csrss.exe in the windows folder (the good one is under system32)

I think Blaster also behaves similarly... If you have your reasons to believe there's a virus there, then you're probably right...
Keep an antivirus close to you at all times! Here's a very nice removal tool from <a href="http://www.networkassociates.com/us/index.asp">McAfee</a> that takes care of most of the latest threats: <a href="http://vil.nai.com/vil/stinger/">Stinger</a>
0
 

Expert Comment

by:moTXa
ID: 10827214
My bad with those tags!! =P
0
 

Expert Comment

by:ugnius2
ID: 11808830
csrss.exe is a system process, but the same filename is widely used by various keyloggers and other parasites:
Source:
http://www.2-spyware.com/file-csrss-exe.html
0
 

Expert Comment

by:pimprich
ID: 11957901
Here's a good link to look up common task list programs. Could be useful in the future.

http://answersthatwork.com/
0
 

Expert Comment

by:CALLDONE
ID: 12751517
How do I get rid of the about:blank? It seems to have taken over my IE.
0
 

Expert Comment

by:grantoakley
ID: 12846261
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

For more information go to:
http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/
0
 
LVL 4

Expert Comment

by:tomerlei
ID: 13042132
I recommend using WinTask.
0
 

Expert Comment

by:mostafaberg
ID: 13275521
csrss.exe is a system executable that handles threads and some other stuff. Sometimes hackers and programmers call their apps *csrss.exe* so you are unable to close it! Check in the Processes tab: if you have more than one csrss.exe, then you have a virus! If it's only one, that's normal, but just download your latest virus definitions and scan your hard drive to make sure that there are no viruses bound to that exe.
0
 

Expert Comment

by:TheBigFoges
ID: 13952526
I once had it; it was listed as CSRSS.EXE in all caps. I would just do a virus scan and a trojan and spyware scan.
0
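Several comments above point at the image location (a copy in the Windows folder versus the genuine file under system32) as the way to tell a renamed impostor from the real process. The following is an added example, not code from any poster in this thread: it applies that location check to a process inventory. The record layout, the `classify` and `review` helpers and the sample rows are assumptions constructed for illustration, and a matching path does not replace the file scan the comments recommend.

```python
import ntpath

def expected_image(system_root=r"C:\Windows"):
    # Genuine image location: <SystemRoot>/System32/csrss.exe, normalized.
    full = ntpath.join(system_root, "System32", "csrss.exe")
    return ntpath.normcase(ntpath.normpath(full))

def classify(proc, system_root=r"C:\Windows"):
    """Return 'not-csrss', 'path-unknown', 'expected-path' or 'unexpected-path'."""
    # Windows file names are case-insensitive, so CSRSS.EXE and Csrss.exe
    # are the same name; letter case alone says nothing about legitimacy.
    if proc.get("name", "").lower() != "csrss.exe":
        return "not-csrss"
    path = proc.get("path") or ""
    if not path:
        # Inventory tools often cannot read the path of a protected
        # process without elevation: report it, do not guess.
        return "path-unknown"
    # normpath collapses ".." segments and "/" separators before comparing.
    norm = ntpath.normcase(ntpath.normpath(path))
    if norm == expected_image(system_root):
        return "expected-path"
    return "unexpected-path"

def review(procs, system_root=r"C:\Windows"):
    # Instance count is not used as a signal here: current Windows
    # versions run one csrss.exe per session.
    results = []
    for proc in procs:
        verdict = classify(proc, system_root)
        if verdict != "not-csrss":
            results.append((proc["pid"], verdict))
    return results

# Constructed sample inventory (hypothetical PIDs and paths).
SAMPLE = [
    {"pid": 388,  "name": "csrss.exe",    "path": r"C:\Windows\System32\csrss.exe"},
    {"pid": 452,  "name": "CSRSS.EXE",    "path": r"c:\windows\system32\CSRSS.EXE"},
    {"pid": 2100, "name": "Csrss.exe",    "path": r"C:\Windows\Csrss.exe"},
    {"pid": 3004, "name": "csrss.exe",    "path": r"C:\Windows\System32\..\Temp\csrss.exe"},
    {"pid": 512,  "name": "csrss.exe",    "path": ""},
    {"pid": 900,  "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, verdict in review(SAMPLE):
        print(pid, verdict)
```

Entries reported as `unexpected-path` or `path-unknown` are the ones to follow up with an antivirus scan of the file on disk.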
