Solved

csrss.exe consuming nearly 100% of CPU time

Posted on 2006-07-11
15
1,499 Views
Last Modified: 2008-12-10
Making the laptop run excruciatingly slow.  Have run virus check (AVG), spyware (Spy Sweeper) and nothing found.  Restored to an earlier version - no change.

Tried creating a new user (as had come across mention of possible corrupt user profile) and after a short while exhibited the same problem.
Question by:rsinden
15 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 17081172
This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the C:\Windows\System32 folder. In other cases, csrss.exe is a virus, spyware, trojan or worm!
http://www.neuber.com/taskmanager/process/csrss.exe.html
 
LVL 16

Expert Comment

by:glenn_1984
ID: 17081178
 
LVL 57

Expert Comment

by:Pete Long
ID: 17081182
also see
Csrss.exe uses 100% of the CPU When you Right-Click an item in Explorer
http://support.microsoft.com/?kbid=555021
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17081274
Can we look at your hijackthis log please?

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
 

Author Comment

by:rsinden
ID: 17083893


rpggamergirl

http://www.rafb.net/paste/results/tjxCGe85.html

Tried the EE upload but it kept telling me the file was too small...so I tried padding it out to 230kb but still too small.  Ah well...good idea.



 

Author Comment

by:rsinden
ID: 17084320
After a reboot, csrss consumes zero CPU time. Doing a few emails, running a browser for about 10-15 minutes...all OK...but then after about 20 minutes, it is back up at 99% of CPU time.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17086269
Not sure why EE upload didn't work.

I don't see any active nasty but NetMeter.
Uninstall these if listed in Add/Remove:
"CashBackBuddy"
"NetMeter"

and delete their folders:
C:\Program Files\NetMeter
C:\Program Files\CashBack


Also, Go to Start  > Run  >  type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop BSRRI
sc delete BSRRI
sc stop CB
sc delete CB

exit

Fix these entries if still present:
O23 - Service: BSRRI - Unknown owner - C:\DOCUME~1\ROGER~1.COM\LOCALS~1\Temp\BSRRI.exe (file missing)
O23 - Service: CB - Unknown owner - C:\DOCUME~1\ROGER~1.COM\LOCALS~1\Temp\CB.exe (file missing)


Download ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


If the csrss CPU problem still exists (this is a shot in the dark), just to make sure you don't have the Chod.D worm (csrss worm):
Please Download MsnVirRem.exe to your desktop from one of the following mirrors:

http://downloads.malwareremoval.com/MsnVirRem.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item9
http://www.greyknight17.com/spy/MsnVirRem.exe

* First close any other programs you have running as this will require a reboot
* Double click MsnVirRem.exe to run it
* Once open, click the button labelled "Search and Destroy"
      <<Your computer will now be scanned for Infected Files>>
* When scanning is finished you will be prompted to reboot only if infected, Click OK
* Now click the "REBOOT" Button.
* After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
* A message should pop up from MsnVirRem; if not, double-click the program again and it will finish.

Please Post the contents of C:\msnvirrem.log
 

Author Comment

by:rsinden
ID: 17089042
Many thanks for excellent detailed instructions.

Uninstalled NetMeter (curious to know why you don't like this utility?)

CashbackBuddy did not exist.  

BSRRI wasn't running but deleted OK. Curious to know what BSRRI is as Googling produced no results that I could see.
CB - wasn't running but deleted OK.

I think the reference to CB (as in O23 service CB unknown owner) may have led you to suggest CashBack.  I am embarrassed to admit that I think CB did in fact stand for Cablehead Blackbox, which was quarantined by SpySweeper when I ran a checksweep. However, the fact that CB remained as a service (although stopped) suggests that SpySweeper may not have been as rigorous as I might have hoped.  Am embarrassed to note that Blackbox can only be installed manually, and so that means that I let my guard down, as I am usually paranoid about downloading and installing s/w other than from reputable sources. Clearly, not as careful as I should be and, no, I cannot remember where this might have come from.

However, as far as I can tell, all traces of CB have now gone.

Ran ATF Cleaner (neat utility - thanks)

Ran MsnVirRem and that reported no viruses.

Cleaned up the registry for good measure and it certainly boots up quicker now.

Thought the problem had been fixed, but after a while csrss was back up to 99-100% when I first ran it up early this morning.

However, as at 10.40am BST, csrss running very low CPU usage.  Will continue to monitor.

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17089269
>>Uninstalled NetMeter (curious to know why you don't like this utility?)<<
Well-known antispyware databases like CastleCops classified NetMeter as a rogue app. A lot of programs out there sound good, but they also have their own hidden purpose.
For example, many people might think that Cybersitter is a good program because of what it says, but in reality when you install it, it redirects you to advertisement sites ("www.safe-site.com" is one of them) and it blocks these security sites: Sysinternals.com, Kaspersky and Panda sites.

Process Name : NetMeter
File Name : NetMeter.exe
Description: NetRatings software by Opistat . "OpiStat measures Internet usage anonymously and surveys participants according to their profiles and online habits". This software has been reported to get downloaded and installed automatically after a Grokster install.
Rating:       Typically viruses, spyware, adware and resource hogs.


>>Curious to know what BSRRI is as Googling produced no results that I could see.<<
Malware is known to hide itself as a service to evade detection, and because there were no hits when Googling the filename and the display name, and because the service name is unknown and it was running from the Temp folder, that was my reason for stopping/deleting the service.
Legit services that run from the Temp folder normally show their display name, like Sysinternals' Rootkit Revealer, which also runs from the Temp folder.


>>I think the reference to CB (as in O23 service CB unknown owner) may have led you to suggest cashBack.<<
Yes, because of the cb.exe file that belongs to Cashbackbuddy.

http://72.14.203.104/search?q=cache:U_JTnZlVEB4J:www.symantec.com/avcenter/venc/data/adware.cashbackbuddy.html+CB.exe&hl=en&gl=au&ct=clnk&cd=5&lr=lang_en


Would you like to run these diagnostic tools? One of them might lead us to the culprit.
1. Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop, copy that entire log, then go here and paste your log: http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

2. Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click Scan > Next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

3. Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete, click on File, Save, and save the log file. Post the log here.
In order to minimize the RKR log being polluted with legit data, run RootkitRevealer on an idle system.
 

Author Comment

by:rsinden
ID: 17089503
Understand what you say re cb.exe but equally concerned as to how it would have got onto my system!

Silent runner result URL at http://www.rafb.net/paste/results/6gAg3V67.html

Blacklight result :
07/12/06 11:53:18 [Info]: BlackLight Engine 1.0.42 initialized
07/12/06 11:53:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/12/06 11:53:19 [Note]: 7019 4
07/12/06 11:53:19 [Note]: 7005 0
07/12/06 11:53:26 [Note]: 7006 0
07/12/06 11:53:26 [Note]: 7011 1352
07/12/06 11:53:27 [Note]: 7026 0
07/12/06 11:53:27 [Note]: 7026 0
07/12/06 11:53:37 [Note]: FSRAW library version 1.7.1019
07/12/06 11:57:58 [Note]: 2000 1006
07/12/06 12:05:54 [Note]: 7007 0

It reported nothing untoward.  BTW FYI the try.shtml link no longer works...

rootkit results

C:\Documents and Settings\Roger.COMPAQ\Application Data\Webroot\Spy Sweeper\Data\svralts.dat      12/07/2006 12:11      0 bytes      Hidden from Windows API.
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak      11/07/2006 12:10      2.54 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040451.RDB      12/07/2006 12:03      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040452.RDB      12/07/2006 12:07      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040453.mst      11/07/2006 12:10      2.54 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040454.RDB      12/07/2006 12:08      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040455.RDB      12/07/2006 12:11      1.63 MB      Hidden from Windows API.
C:\System Volume Information\_restore{B3E0BECA-1C80-4ECF-89AB-F1298AF6D006}\RP272\A0040456.RDB      12/07/2006 12:18      1.63 MB      Hidden from Windows API.
C:\WINDOWS\Internet Logs\bu_todelete.rdb      12/07/2006 12:24      1.63 MB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Internet Logs\bu_tosave.rdb      12/07/2006 12:28      1.63 MB      Visible in directory index, but not Windows API or MFT.

The good news is that csrss.exe is sitting there quietly good as gold and consuming virtually no resources.

Even better news (for you) is that I have upped the points as I really appreciate the extra distance that you are going on this plus the excellent feedback and explanations.


 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17089838
>> BTW FYI the  try.shtml link no longer works...<<
oh sorry about that, I must update my links, thanks for letting me know, appreciate it.

Silent Runners' log didn't show anything suspicious,
Blacklight didn't find anything,
and Rootkit Revealer didn't find any rootkit either,
though some trojans/worms can also hide from Blacklight and Rootkit Revealer.


>>The good news is that csrss.exe is sitting there quietly good as gold and consuming virtually no resources.<<
Fingers crossed, let's hope it will stay that way.


>>Even better news (for you) is that I have upped the points as I really appreciate the extra distance that you are going on this plus the excellent feedback and explanations.<<
Very much appreciated thanks, I just hope I can help you.


You don't have these files, do you? These are some variants of the Chod.D worm.
C:\WINDOWS\System32\[random foldername]\csrss.exe
c:\documents and settings\[USERNAME]\start menu\programs\startup\csrss.exe
C:\WINDOWS\winsock\csrss.exe
C:\WINDOWS\config\svchost.exe
C:\WINDOWS\winsock\services.exe


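As an added defender's example, not code from the thread, the checks rpggamergirl applied by hand in the comments above (a service running from a Temp folder with no recognisable display name, and copies of csrss.exe or other system-named binaries outside System32), written as read-only PowerShell. The folder list treated as "expected" and the process-name list are assumptions drawn from this thread; run it from an elevated prompt so that Get-Process can read the image path of csrss.exe.

```powershell
# Added example (not from the thread): the two heuristics used above as
# read-only PowerShell checks. Run elevated; without elevation Get-Process
# cannot read the Path of csrss.exe and that row is silently skipped.
$system32 = Join-Path $env:SystemRoot 'System32'

# Check 1: services whose binary path points into a Temp folder, like the
# BSRRI / CB entries above. Win32_Service.PathName is the service ImagePath.
# Legitimate hits (e.g. Rootkit Revealer) show a recognisable DisplayName.
function Get-TempFolderServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '\\Temp\\' } |
        Select-Object @{n='Finding'; e={'Service runs from Temp folder'}},
                      Name, DisplayName, State, @{n='Path'; e={$_.PathName}}
}

# Check 2: running processes named like core Windows binaries (the names the
# Chod.D variants above impersonate) whose image is not under System32.
function Get-MisplacedSystemProcesses {
    Get-Process -Name csrss, svchost, services -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and
                       -not $_.Path.StartsWith($system32, 'OrdinalIgnoreCase') } |
        Select-Object @{n='Finding'; e={'System-named process outside System32'}},
                      ProcessName, Id, Path
}

# Check 3: extra copies of csrss.exe on disk. The thread treats copies under
# System32, the service-pack cache and the $NtUninstall* folders as expected;
# a copy in a Startup folder or C:\WINDOWS\winsock is not. (Folder list assumed.)
function Get-UnexpectedCsrssCopies {
    $expected = @(
        $system32,
        (Join-Path $env:SystemRoot 'ServicePackFiles'),
        (Join-Path $env:SystemRoot '$NtUninstall')   # prefix of $NtUninstallKBnnnnnn$
    )
    Get-ChildItem -Path $env:SystemRoot, $env:USERPROFILE -Filter csrss.exe `
                  -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $dir = $_.DirectoryName
            -not ($expected | Where-Object { $dir.StartsWith($_, 'OrdinalIgnoreCase') })
        } |
        Select-Object FullName, LastWriteTime, Length
}

Get-TempFolderServices
Get-MisplacedSystemProcesses
Get-UnexpectedCsrssCopies
```

Any row this prints is a lead to investigate by hand, as the thread does, not proof of infection.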
 

Author Comment

by:rsinden
ID: 17090070
No folder winsock present.  

Config folder is empty.

No other files in your list found

For good measure searched for csrss.exe and found 3 (one in $NTInstall..., one in System32 and one in Service Pack..., all with 2004 or later dates; not that that guarantees anything ;-)

csrss.exe still behaving itself.
 
LVL 47

Accepted Solution

by: rpggamergirl (earned 500 total points)
ID: 17090413
>>For good measure searched for csrss.exe and found 3 (one in $NTInstall..., one in System 32 and one in Service Pack...all with 2004 or later dates (not that that guarantees anything ;-)<<
Those csrss.exe files are okay :)

Only the ones I listed were the bad ones so it's a good sign that you don't have them.

Hopefully csrss.exe will keep behaving itself for good.
 

Author Comment

by:rsinden
ID: 17091315
Yes...gut feel says that it's fixed. I do remember that when I ran a search for it during the time I was trying to sort this out by myself, I did come up with many more instances, including one in the System folder dated 10th July 2006, which clearly was wrong.  However, I think a combination of a System Restore to an earlier date plus all your good advice has cleaned out the 'bad' stuff.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17095192
Glad to hear csrss.exe is still behaving okay, you did a good job!

Thanks for the points and the A grade :)

Best wishes!