• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1520
  • Last Modified:

csrss.exe consuming nearly 100% of CPU time

Making the laptop run excruciatingly slow.  Have run virus check (AVG), spyware (Spy Sweeper) and nothing found.  Restored to an earlier version - no change.

Tried creating a new user (as had come across mention of possible corrupt user profile) and after a short while exhibited the same problem.
  • 6
  • 6
  • 2
  • +1
1 Solution
Pete LongTechnical ConsultantCommented:
This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the C:\Windows\System32 folder. In other cases, csrss.exe is a virus, spyware, trojan or worm!
Pete LongTechnical ConsultantCommented:
also see
Csrss.exe uses 100% of the CPU When you Right-Click an item in Explorer
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Can we look at your hijackthis log please?

Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
rsindenAuthor Commented:



Tried the ee upload but it kept telling me the file was too small...so I tried padding it out to 230kb but still too small.  Ah well...goo idea.

rsindenAuthor Commented:
After a reboot, csrsss consumes zero CPU time. Doing a few emails, running a browser for about 10-15 minutes...all OK...but then after about 20 minutes, it is back up at 99% of CPU time.
Not sure why EE upload didn't work.

I don't see any active nasty but Netmeter,
Uninstall these if listed in add/remove:

and delete their folders:
C:\Program Files\NetMeter
C:\Program Files\CashBack

Also, Go to Start  > Run  >  type


Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop BSRRI
sc delete BSRRI
sc stop CB
sc delete CB


Fix these entries if still present:
O23 - Service: BSRRI - Unknown owner - C:\DOCUME~1\ROGER~1.COM\LOCALS~1\Temp\BSRRI.exe (file missing)
O23 - Service: CB - Unknown owner - C:\DOCUME~1\ROGER~1.COM\LOCALS~1\Temp\CB.exe (file missing)

Download ATF Cleaner by Atribune.
Reboot your computer into Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If csrss cpu problem still exists:(this is a shot in the dark) just to make sure you don't have the Chod.D.worm (csrss worm)
Please Download MsnVirRem.exe to your desktop from one of the following mirrors:


* First close any other programs you have running as this will require a reboot
* Double click MsnVirRem.exe to run it
* Once open, click the button labelled "Search and Destroy"
      <<Your computer will now be scanned for Infected Files>>
* When scanning is finished you will be prompted to reboot only if infected, Click OK
* Now click the "REBOOT" Button.
* After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
* A Message should popup from MsnVirRem if not, double click the program again and it will finish

Please Post the contents of C:\msnvirrem.log
rsindenAuthor Commented:
Many thanks for excellent detailed instructions.

Uninstalled NetMeter (curious to know why you don't like this utility?)

CashbackBuddy did not exist.  

BSRRI wasn't running but deleted OK. Curious to know what BSRRI is as Googling produced no results that I could see.
CB - wasn't running but deleted OK.

I think the reference to CB (as in O23 service CB unknown owner) may have led you to suggest cashBack.  I am embarassed to admit that I think CB did in fact stand for Cablehead Blackbox which was quarantined by SpySweeper when I ran a checksweep. However, as CB was remaining as a service (although stopped) suggests that SpySweeper maybe was not as rigourous as I might have hoped.  Am embarassed to note that Blackbox can only be installed manually and so that means that I let my guard down as I am usually paranoid about downloading and installing s/w other than from reputable sources. Clearly, not as careful as I should be and, no, I cannot remember where this might have come from.

However, as far as I can tell, all traces of CB have now gone.

Ran ATF Cleaner (neat utility - thanks)

Ran MsnVirRem and that reported no viruses.

Cleaned up the registry for good measure and it certainly boots up quicker now.

Thought problem had been fixed but after a while csrss back up to 99-100% when first ran up early morning.

However, as at 10.40am BST, csrss running very low CPU usage.  Will continue to monitor.

>>Uninstalled NetMeter (curious to know why you don't like this utility?)<<
Well known antispyware databases like CastleCops classified NetMeter as a rogue apps. A lot of program out there sounds good but they also have their own hidden purpose.
For example many people might think that Cybersitter is a good program because of what it says but in reality when you install it it redirects you to advertisement sites "www.safe-site.com" is one of them and it blocks these security sites; Sysinternal.com, Kaspersky and Panda sites.

Process Name : NetMeter
File Name : NetMeter.exe
Description: NetRatings software by Opistat . "OpiStat measures Internet usage anonymously and surveys participants according to their profiles and online habits". This software has been reported to get downloaded and installed automatically after a Grokster install.
Rating:       Typically viruses, spyware, adware and resource hogs.

>>Curious to know what BSRRI is as Googling produced no results that I could see.<<
Malware are known to hide themselves as a service to evade detection, and because there was no hits when googling the filename and the display name, and because the service name is unknown and it was running from the temp folder, that was my reason for stopping/deleting the service.
Legit services that runs from the temp folder normally shows their display name like the SysInternal's Rootkit Revealer which also runs from the temp folder.

>>I think the reference to CB (as in O23 service CB unknown owner) may have led you to suggest cashBack.<<
Yes, because of the cb.exe file that belongs to Cashbackbuddy.

Would you like to run these diagnostic tools, one of them might led us to the culprit.
1. Please download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

2. Download and save blacklight to your desktop.
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

3. Rootkit Revealer:
Unzip it to it own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.
rsindenAuthor Commented:
Understand what you say re cb.exe but equally concerned as to how it would have got onto my system!

Silent runner result URL at http://www.rafb.net/paste/results/6gAg3V67.html

Blacklight result :
07/12/06 11:53:18 [Info]: BlackLight Engine 1.0.42 initialized
07/12/06 11:53:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/12/06 11:53:19 [Note]: 7019 4
07/12/06 11:53:19 [Note]: 7005 0
07/12/06 11:53:26 [Note]: 7006 0
07/12/06 11:53:26 [Note]: 7011 1352
07/12/06 11:53:27 [Note]: 7026 0
07/12/06 11:53:27 [Note]: 7026 0
07/12/06 11:53:37 [Note]: FSRAW library version 1.7.1019
07/12/06 11:57:58 [Note]: 2000 1006
07/12/06 12:05:54 [Note]: 7007 0

It reported nothing untoward.  BTW FYI the  try.shtml link no longer works...

rootkit results

C:\Documents and Settings\Roger.COMPAQ\Application Data\Webroot\Spy Sweeper\Data\svralts.dat      12/07/2006 12:11      0 bytes      Hidden from Windows API.
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak      11/07/2006 12:10      2.54 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040451.RDB      12/07/2006 12:03      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040452.RDB      12/07/2006 12:07      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040453.mst      11/07/2006 12:10      2.54 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040454.RDB      12/07/2006 12:08      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040455.RDB      12/07/2006 12:11      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040456.RDB      12/07/2006 12:18      1.63 MB      Hidden from Windows API.
C:\WINDOWS\Internet Logs\bu_todelete.rdb      12/07/2006 12:24      1.63 MB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Internet Logs\bu_tosave.rdb      12/07/2006 12:28      1.63 MB      Visible in directory index, but not Windows API or MFT.

The good news is that csrss.exe is sitting there quietly good as gold and consuming virtually no resources.

Even better news (for you) is that I have upped the points as I really appreciate the extra distance that you are going on this plus the excellent feedback and explanations.

>> BTW FYI the  try.shtml link no longer works...<<
oh sorry about that, I must update my links, thanks for letting me know, appreciate it.

Silent Runner's log didn't show anything suspicious,
Blacklight didn't find anything,
Rootkit Revealer didn't find any rootkit either.
though some trojans/worms can also hide from blacklight and Rootkit Revealer.

>>The good news is that csrss.exe is sitting there quietly good as gold and consuming virtually no resources.<<
fingers' crossed, let's hope it will stay that way.

>>Even better news (for you) is that I have upped the points as I really appreciate the extra distance that you are going on this plus the excellent feedback and explanations.<<
Very much appreciated thanks, I just hope I can help you.

You don't have these files do you? these are some variants of Chod.D worm.
C:\WINDOWS\System32\[random foldername]\csrss.exe
c:\documents and settings\[USERNAME]\start menu\programs\startup\csrss.exe

rsindenAuthor Commented:
No folder winsock present.  

Config folder is empty.

No other files in your list found

For good measure searched for csrss.exe and found 3 (one in $NTInstall..., one in System 32 and one in Service Pack...all with 2004 or later dates (not that that guarantees anything ;-)

csrss.exe still behaving itself.
>>For good measure searched for csrss.exe and found 3 (one in $NTInstall..., one in System 32 and one in Service Pack...all with 2004 or later dates (not that that guarantees anything ;-)<<
those csrss.exe are okay, :)

Only the ones I listed were the bad ones so it's a good sign that you don't have them.

Hopefully csrss.exe will keep behaving itself for good.
rsindenAuthor Commented:
Yes...gut feel says that it's fixed. I do remember when I ran a search for it during the time I was trying to sort this out by myself I did come up with many more instances including one in the System folder dated 10th July 2006 which clearly was wrong.  However I think a combination of a System restore to an earlier date plus all your good advice has cleaned out the 'bad' stuff
Glad to hear csrss.exe is still behaving okay, you did a good job!

Thanks for the points and the A grade :)

Best wishes!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 6
  • 6
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now