csrss.exe infected with trojan

Symantec Endpoint has indicated that the csrss.exe on a server is infected with a trojan anti virus.  Symantec seemed to have quarantined it once, but it is back.

Can this file be replaced?  If so, how would one take it out of service to replace it?

Gerwin Jansen, EE MVE, Topic Advisor Commented:
What is the trojan and where is the csrss.exe located? Trojans often copy themselves as a normal filename to a different location.
Wilf, Author Commented:
The location is WINDOWS\mui\csrss.exe and the trojan is Trojan.Dropper
Hi wilf_thorburn,
I have requested that this question be added to the antivirus section as well. The "csrss" program is by default located in the system32 directory.

You say it is located here:

Do you mean csrss.exe or csrss.exe.mui? Can you give a picture of the infection window that better describes the virus or even better a link that Symantec End Point gives you to explain the infection?
Wilf, Author Commented:
Here is a segment of the report from Endpoint symantec-rep.pdf
I never did like how Symantec never gives you real detailed information about what it finds. That and the fact the time dates for the file it found in the report you gave are bogus. This doesn't help much. Have you isolated this computer and run a copy of Malwarebytes to get a second opinion?

Wilf, Author Commented:
I cannot get to the computer until the weekend but will do that then.  Is the mui directory for real?
Yes, the MUI (Multilingual User Interface) directory is used to store multilingual support for different languages on the so named software. I am not sure if I will be at desktop on the weekend. However, I will have my phone.
I would be more worried about why it keeps getting infected. Please consider that the result is a false positive.
Does Symantec have the option to submit suspicious files for analysis?
Yes, it does. It's not a false positive either. The csrss is a dropper which downloads other items to the system. Problem is we don't know what kind of malware this dropper is.
Wilf, Author Commented:
I ran Malwarebytes.  I have had the program remove the first two items in the temp folder.  I did not remove C:\WINDOWS\ime\lsass.exe because earlier I ran End Point Sep_SupportTool.exe, and it suggested the lsass was suspect.  I removed it, and then the server came up with a device already exists error, and would reboot.  I was able to restore the deletion with the Symantec tool, but was not sure if I could with Malwarebytes if the same reaction occurred.  I will run the longer test and post the log from it also.
Wilf, Author Commented:
I have posted the Malwarebytes result as a separate question.
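
The location check discussed in this thread (csrss.exe belongs in system32, while the flagged files sat in WINDOWS\mui and WINDOWS\ime), written out as an added example that is not part of the original thread. The name list and the `Get-LocationVerdict` helper are assumptions made for illustration; it assumes PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 5.1+ prompt.
# Assumption: this name list is illustrative, not exhaustive.
$names    = 'csrss.exe', 'lsass.exe', 'smss.exe', 'services.exe', 'winlogon.exe'
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-LocationVerdict {
    param([string]$Path)
    # Protected processes may not expose their image path at all.
    if ([string]::IsNullOrEmpty($Path)) { return 'PathUnavailable' }
    $parent = Split-Path -Path $Path -Parent
    if ($parent -ieq $system32) { return 'Expected' }
    # Windows keeps its own copies in the component store; still worth verifying.
    if ($Path -like (Join-Path $env:SystemRoot 'WinSxS\*')) { return 'ComponentStore' }
    return 'UnexpectedLocation'
}

# 1. Running processes that use one of the names.
$running = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Process'; Name = $_.Name; Id = $_.ProcessId; Path = $_.ExecutablePath }
    }

# 2. Files on disk under %SystemRoot% that use one of the names.
$onDisk = Get-ChildItem -Path $env:SystemRoot -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'File'; Name = $_.Name; Id = $null; Path = $_.FullName }
    }

# Report everything that is not the System32 original, with signature and hash for triage.
@($running) + @($onDisk) | ForEach-Object {
    $verdict = Get-LocationVerdict $_.Path
    if ($verdict -eq 'Expected') { return }   # skip the legitimate System32 copy
    $sig = $null; $hash = $null
    if ($_.Path) {
        $sig  = (Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue).Status
        $hash = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
    [pscustomobject]@{
        Source    = $_.Source
        Name      = $_.Name
        Id        = $_.Id
        Verdict   = $verdict
        Path      = $_.Path
        Signature = $sig
        SHA256    = $hash
    }
} | Format-List
```

Older Windows versions also keep legitimate copies under system32\dllcache, which this reports as `UnexpectedLocation`, so treat each hit as a lead to verify rather than as proof of infection.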