Posted

I'm always trying to keep my PC tip top, but it's had a few issues with slow down and not finding pages,

and lately I've been getting a notification that Windows is shutting down 'csrss.exe'.

Looking into this I found I had two system files of that name, suspicious.

One is in C:\i386; it's 6kb and properties show it as version 5.1.2600.2180.

The other is in C:\WINDOWS\system32, again 6kb and version 5.1.2600.2180.

Then looking through some sites relating to 'csrss.exe' I came across comments like these:

It's fake if anywhere else but in windows/system32/csrss.exe

SAFE if in c:\windows\system32, VIRAL if anywhere else - usually a keylogger in this case

This is part of the Windows messaging service that can cause unwanted pop-ups and ads to appear on your computer. It communicates with a remote server without your knowledge and is usually overlooked by many AVs and spyware programs because it is a legitimate system process. SpySweeper specifically shuts down the Windows messaging service and kills this process on my computer with no ill effects whatsoever. A few times I've gotten warnings from SpySweeper that csrss was tampering with it and caused SpySweeper to kill the csrss thread. The tampering csrss.exe was in the system32 folder.

Windows calls it a system file that you cannot delete. It's a very nice curtain for trojans to hide behind.

It cannot be terminated, it is a client server service, so it will be exchanging data over the internet every so often, and apparently, it is modifiable.

Proceed with caution

and many others along the same lines.

So what do you think guys? I'd like to set a restart point and remove the one in the i386 folder, but I feel like the guy on the bus in the movie Speed when he's trying to decide whether to cut the blue wire or the er.. other blue wire.. or both!?

Posted

That is a Client Server Runtime file which is needed by Windows to work.

The one in the i386 folder, do not delete, but you can compress it to .zip or .rar.

I'll check out later what to do with the one in the /windows/system32 folder and come back here.

Cheers.

Posted

First of all: you need to run CSRSS at all times. Take a look at the following description:

Csrss is the user-mode portion of the Win32 subsystem. Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

This applies to all Windows versions, including Vista.

The filesize should be 6144 bytes.

To get more info about this and other files running as a Service, Program or whatever in Windows, I suggest you download Whatsrunning 2.2. The program is Freeware and you can download it from HERE.

Anyway, you may use Whatsrunning as a replacement for the Windows Task Manager because it gives you many more options. You should really take a very close look at this program.

To be sure that your file has the original checksum, you can verify the checksum using FastSum, which you can download from HERE; it's also Freeware.

Later in the day I'll upload these 2 programs to the Download Section of TV.

Hope this helps, but if you still have more problems let us know.

Cheers.

Posted

Now I'm worried. I installed a game I bought for my daughter from Seri Center. Then I noticed csrss.exe in the Task Manager sometimes using a lot of CPU time and I'm sure that I never noticed that program before. When installing the game it kept popping up asking for csrss.exe to be a part of the start-up suite of programs; I kept trying to say No but allowed it in the end ("can I play my game yet daddy?")... Will check that out when I get home.

Posted

Had you checked the game for viruses etc.?

Posted

csrss.exe is the file name of a program file used by Windows.

Generally you will only find one copy of any program file on a computer, however, the /i386 directory is the place that is used as a storage area from which the Windows operating system can install/reinstall itself. For example if you decide you want your Windows operating system to be able to display Japanese text correctly you might choose Far Eastern Language support from within your Control Panel. During this update "Windows" will ask you for the original install CD/DVD or the location of the install files, it might prompt you with: C:\i386 for example.

Do not worry about there being a second copy you can see listed within Explorer. And as a novice I would strongly recommend that you do not learn "computers" by deleting things to see if that makes it work better. About 15 years ago you could get away with it and repair the damage caused through learning by hand like patching a hole in a shirt, these days the repair tends to require a reinstall of the operating system.

Any executable program file (&*%$.exe) can be infected with software virus code.

The best solution would be to use an online virus scan to see if your computer is infected now, then install a virus scanner application that auto-updates and resolves such problems in the future. Links below.

Free online scan of your PC - http://us.mcafee.com/root/mfs/default.asp (depends on operating system)

Free to download, install anti virus application - http://free.grisoft.com/

Posted
I installed a game I bought for my daughter from Seri Center. Then I noticed csrss.exe in the task manager sometimes using a lot of CPU time and I'm sure that I never noticed that program before.

I think you will find that the game requires the use of the csrss program to run; from looking up its function it's not unreasonable.

Did you scan the game's CD/DVD before installation?

Do you have a resident virus scanner installed? (As mentioned above.) This should detect malware during installation.

Even the best software defences can be beaten if the user chooses to be less than careful with a CD or a stray click of the mouse on a ropey web site.

I was looking at a friend's PC at the weekend, he assured me that he had a virus scanner installed that worked every time he used his computer. In fact what he thought was anti virus software was in fact malware that just downloaded a flash animation of what the average newbie thinks a virus scan software application should do (flashy lights glowing computer screens - that sort of thing) then asked for him to pay money to continue etc etc.

Posted

Hi cuban. No I didn't scan first (lazy I guess). I have the latest Kaspersky running - hopefully that would have checked. It's just such a coincidence that the csrss.exe came to my attention the other day for the first time and then I noticed this thread. I'll def. scan everything when I get home....

Posted (edited)

Well I just got home and searched for the csrss.exe file. There's one copy in C:\WINDOWS\System32 which is 6k and another copy in C:\WINDOWS\System\Level3 which is 89k. Now I'm getting worried. Can't stop the process in Task Manager and can't delete the file from ...\Level3 as it says it's already running...Any ideas?

Edit: I scanned the file with Kaspersky and it found no threats.

When I hover over the Level3 version it says "AutoIt v3 Compiled Script" and has the date I first installed my daughter's game.

Edited by bkkmick
Posted

bkkmick, download the progs as I suggested and run them.

Posted

I forgot to mention: run CureIt, but in Safe Mode only! Disconnect from the network first!

Posted (edited)

The one at 89k does sound worrying.. from what I've read it seems the csrss.exe file is the perfect hiding place because it is needed to browse and therefore needs access through the firewall, so AV and spyware programs overlook it.

I run Lavasoft adaware, spybot, Boclean and Kaspersky AV.

My suspicions are aroused because I get a notification that windows has encountered a problem and needs to shut down,

but even though I allow that the browser continues to run, which makes me think that both of these csrss.exe programs are running at the same time.

Reimar I will have a look with the tools you've mentioned when I get time tomorrow and let you know the result.

Cuban that is an excellent piece of advice and rather witty too :o

And as a novice I would strongly recommend that you do not learn "computers" by deleting things to see if that makes it work better.
Edited by Robski
Posted

Don't know why you felt it necessary to make that comment Cuban. Been making a living in computing for 20 years now. Not exactly a novice.

Posted (edited)

I think perhaps he meant me, as I was saying I wanted to make a restart point and delete the file in my i386 folder...

It could all end in tears, but it's so tempting. :o

Edited by Robski
Posted
Been making a living in computing for 20 years now.

Agreed, my first processor was an 8080 that I coded in binary using a push button to load each line of "code".

I used to train junior staff on their first day with a cardboard box of bits that they would assemble into a computer to get the idea that it was magic out of their mind before then introducing faults for them to find and so build confidence. (We would add extra bits to the box to show that you didn't need every part to make a basic system.)

These days jumping in is less easy, many home systems are sold without even the OEM operating system install CDs/DVDs also many patches require access to the internet. So to protect a bare bones system from a standing start you need to be exposed to raw internet to get AV protection etc etc etc.

It generally takes a computer losing all the data, contacts, documents and pictures twice before the owner chooses to take the time and trouble to establish a backup process and learn a bit about their computer.

The OP is right on the ball monitoring his computer and asking the right questions to learn more about the subject. I've always compared computing to driving: easy to drive a car, takes a bit more time to understand what makes 91 different from 95 or E20 or E85, or why one spark plug is better than another brand.

There is no cut and dried answer to how to understand computers as everyone will have a level that they are comfortable with, whether that is just being an application user, software developer, website builder, case modder or hardware hacker at an IC level. (At university I would sign the substrate of the ICs I was making with the broken end of a gold wire bonding machine. So I consider I know computers down to a very low level.)

Forums like this and the mass of more IT focused ones are great as they allow many different points of view on the same subject to be openly expressed, people can pick and choose what level they are happy to dig down to.

Posted

There's a lot. Anyway here are the HijackThis results:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:41:33 PM, on 1/29/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level3\smss.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\InterVideo\WinDVR3\WinDvr.exe

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\mdm.exe

C:\Program Files\WhatsRunning\WhatsRunning.exe

C:\Program Files\LeapFTP\LeapFTP.exe

C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\DEVENV.EXE

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Mick Wright\Desktop\cureit.exe

C:\DOCUME~1\MICKWR~1\LOCALS~1\Temp\RarSFX0\_start.exe

C:\DOCUME~1\MICKWR~1\LOCALS~1\Temp\RarSFX0\setup.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\system32\mmc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webmasterworld.com/forum9

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [smssLevel3] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level3\smss.exe

O4 - HKLM\..\Run: [csrssLevel3] C:\Windows\System\Level3\csrss.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spam Bully for Outlook Express] "C:\Program Files\Axaware\Spam Bully 2 for OE\oespambully.exe" install

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,,C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 9114 bytes

Posted (edited)

Did you get this sorted?

Had a quick look through the HJT file and I'd say you've got a multidrop trojan;

associated reg keys are:

O4 - HKLM\..\Run: [smssLevel3] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level3\smss.exe

O4 - HKLM\..\Run: [csrssLevel3] C:\Windows\System\Level3\csrss.exe

with the proc file hiding as a WMP skin:

C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level3\smss.exe

Guess you already deleted one hidden proc.

Can't see the hook in the registry but it may be this file:

7E853D72-626A-48EC-A868-BA8D5E23E045 - scan your registry for that string and see what jumps out.

If I had to guess I'd say it may be something to do with the google2 process but can't say for sure.

Could you expand these directories:

C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

Anyways I'd bin the two reg keys and shred the fake skin.

Edited by dsys
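Putting Reimar's advice (the real csrss.exe lives in System32 and should be 6144 bytes) together with dsys's reading of the HijackThis log (core process names auto-started from odd directories), here is a small triage script. It is an added example, not code from anyone in this thread, from HijackThis or from Whatsrunning. It assumes Windows XP-style paths as in the thread, takes Reimar's 6144-byte figure as the expected size (confirm it against your own install media), and runs over sample log lines constructed from the two logs posted above.

```python
"""Triage helper for the csrss.exe question in this thread (added example).

It reads HijackThis-style lines ("Running processes:" paths and O4 Run-key
entries) and flags any core Windows process name that is running from, or
auto-started from, a directory other than %SystemRoot%\\System32. It also
combines the location rule with the expected file size for one on-disk copy.
"""
import re
from pathlib import PureWindowsPath

# Core XP processes that legitimately run only from %SystemRoot%\System32.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Reimar's figure for the XP SP2 csrss.exe (assumption; check your own media).
XP_SP2_CSRSS_SIZE = 6144

# "O4 - HKLM\..\Run: [label] <command line>"
RUNKEY_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# First .exe in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)
# A bare path line from the "Running processes:" section.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


def classify_path(path):
    """Return 'system32', 'i386' (the install cache) or 'other' for a file's directory."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) == 4 and parts[1] == "windows" and parts[2] == "system32":
        return "system32"
    if len(parts) == 3 and parts[1] == "i386":
        return "i386"
    return "other"


def triage(log_lines):
    """Return one finding per core-process name that runs from outside System32.

    An i386 copy on disk is expected (it is the install cache), but it should
    never show up as a running process or a Run-key target, so anything here
    that is not a System32 path is reported.
    """
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = RUNKEY_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            if not exe:
                continue  # e.g. "%systemroot%\system32\dumprep 0 -k" names no .exe
            kind, hive, label, path = "runkey", m.group("hive"), m.group("label"), exe.group("path")
        elif PROCESS_RE.match(line):
            kind, hive, label, path = "process", None, None, line
        else:
            continue
        name = PureWindowsPath(path).name.lower()
        if name not in CORE_PROCESSES:
            continue
        location = classify_path(path)
        if location == "system32":
            continue
        findings.append({"kind": kind, "hive": hive, "label": label, "name": name,
                         "path": path, "location": location})
    return findings


def assess_file(path, size_bytes):
    """Combine the location rule and the expected size for one csrss.exe copy on disk."""
    location = classify_path(path)
    reasons = []
    if location == "other":
        reasons.append("not in System32 and not the i386 install cache")
    if PureWindowsPath(path).name.lower() == "csrss.exe" and size_bytes != XP_SP2_CSRSS_SIZE:
        reasons.append(f"size {size_bytes} bytes, expected {XP_SP2_CSRSS_SIZE}")
    return {"path": path, "location": location, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: a handful of lines taken from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level3\smss.exe
C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [smssLevel3] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level3\smss.exe
O4 - HKLM\..\Run: [csrssLevel3] C:\Windows\System\Level3\csrss.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        where = f"[{f['label']}]" if f["label"] else "running"
        print(f"{f['kind']:7} {where:14} {f['name']:12} {f['path']}")
    print(assess_file(r"C:\WINDOWS\System\Level3\csrss.exe", 89 * 1024))
```

Run against the sample it reports the two Level3 entries and C:\WINDOWS\csrss.exe (both as running processes and as Run-key targets) and stays quiet about the System32 copies, which is exactly the split dsys made by eye. Note that the file-name-and-directory rule is a cheap first pass only: a file with the right name in the right folder can still be replaced, which is why Reimar's checksum comparison against a known-good copy is the stronger check.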
Posted

Interesting, but complete gobbledygook to me...

I sent my i386 csrss.exe file to be zipped and now it's in there zipped up,

and I haven't had any notifications that the process is being shut down,

but the Task manager still shows 2 csrss.exe programs running...

I set a reset and backed up the important stuff, I'd really like to get rid of it.

If I can delete it and it all goes wrong I should be able to roll it back... shouldn't I? :o

Posted

Sorry, did not realise that you were the OP; thought it was BKKmick and my response was directed at him.

Robski, did you post your HijackThis file? It's almost impossible to fault these issues remotely without one. If you want to post one I'll have a look at it. The process running in i386 with the same signatures is not generally an issue but can't say for sure. Seen three processes all running at the same time from different locations and they have been legit.

Posted

Ok thanks in advance.

The task manager still shows 2 csrss.exe running.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 7:47:34 PM, on 2/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\Comodo\CBOClean\BOCORE.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\PROGRA~1\Comodo\CBOClean\BOC425.exe

C:\Program Files\Kontiki\KHost.exe

C:\WINDOWS\csrss.exe

C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Robski\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe

C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe

C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe

C:\Documents and Settings\Robski\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE

C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Winamp\winamp.exe

C:\Documents and Settings\Robski\My Documents\My Received Files\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&...&channel=uk

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [bOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe

O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all

O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe

O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Robski\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe"

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Robski\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AVerQuick.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe

O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191432611078

O17 - HKLM\System\CCS\Services\Tcpip\..\{59AEDC8A-A4D8-43B6-B7AA-C4E5FC170946}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{78D0C392-566A-4936-801C-A6E1BBD9DC3F}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{85563026-D45B-4B7E-B070-6196760722D0}: NameServer = 85.255.115.86,85.255.112.26

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - AppInit_DLLs: ,,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 11325 bytes

Posted

Couple of additional questions first.

How many anti-virus programs are you running? I am seeing Kaspersky, ESET and Norton on your system.

Can you have a look again at the task manager, look for the csrss processes and check the image path name, look to see if one is running from windows32 and the other from windows. If you can post a screen capture, great.

The registry output suggests a lot of orphaned keys, can you run a registry check, do a search on the forum for registry scanner, pick something Reimar has posted - he usually posts good programs.

Run the HJT file once you have done that and post it again.

Right now I'd say you may have a problem with the following:

C:\WINDOWS\csrss.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe

Things that could be slowing down your PC:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Posted (edited)

WOW dsys...That all looks quite complicated to me...I'll have to take my time and go through that all. Thanks very much for the response.

The PC I'm using is the same one I've had for almost 5 years and it's rarely switched off so there's been a lot of software installed/uninstalled over the years.

I'm only using Kaspersky at the moment.

I cannot see the image path name, but there are two versions of CSRSS running: one username says SYSTEM and the other has my name.

Every now and then my PC freezes for up to a minute which is a fairly recent thing. I used to use IE7 and the freezing was very frequent. I now use Opera and the freezing is not so frequent. Weird.

Mick

Edited by bkkmick
Posted (edited)

This could get messy -

Robski - this post was for you Today, 2008-02-03 16:34:22

BKKmick - this was for you Posted 2008-02-01 20:32:17

My fault, should have been more explicit.

To view the image name in the task manager

click view

select columns

and check the "image path name " box.

click Ok

The reason you want this instead of / as well as "command line" is that it gives you registry keys for multiple processes (when invoked), so it's good for quickly checking for mal/spy/ware.

Generally, running system processes under your user name is not good and reflects a problem. Note I said generally.

Edited by dsys
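The two checks dsys describes above (the HijackThis O4 entry launching csrss.exe from C:\WINDOWS and the orphaned "file missing" entries, then the Task Manager image-path / user check) written out as triage code. This is an added Python example, not code from the thread or from HijackThis; it assumes %SystemRoot% is C:\WINDOWS as in the posted log, and CORE_NAMES is my generalisation of the csrss.exe rule to the other XP boot-chain binaries.

```python
import re

# Assumptions for this added example: %SystemRoot% is C:\WINDOWS (as in the posted log) and the
# thread's rule of thumb: csrss.exe lives in System32, runs as SYSTEM and is never started from a
# Run key. CORE_NAMES extends that rule to the other XP boot-chain binaries (my generalisation).
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = SYSTEM_ROOT + r"\system32"
CORE_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed sample: three lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O4 - HKLM\\..\\Run: [csrss] C:\\WINDOWS\\csrss.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyPoker\\RunApp.exe (file missing)
"""

def image_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, expanding %systemroot%/%windir%."""
    cmd = re.sub(r"%(systemroot|windir)%", lambda _: SYSTEM_ROOT, cmd, flags=re.I)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def check_process(name: str, path: str, user: str = ""):
    """The Task Manager check from the thread: where a core binary runs from, and as whom."""
    if name.lower() not in CORE_NAMES:
        return None  # not a core system binary; the rule of thumb does not apply
    folder = path.rsplit("\\", 1)[0]
    if folder.lower() != SYSTEM32.lower():
        return f"{name} running from {folder}, not {SYSTEM32}"
    if user and user.upper() not in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        return f"{name} running as {user} instead of SYSTEM"
    return None

def triage_hjt(log: str) -> list[str]:
    """One finding per suspicious HijackThis line: orphaned entries and core binaries in Run keys."""
    findings = []
    for line in log.splitlines():
        if line.endswith("(file missing)") or line.endswith("(no file)"):
            findings.append("orphaned entry: " + line)
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = image_path(m["cmd"])
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_NAMES:  # the real csrss.exe is started by smss.exe, never via a Run key
            findings.append(f"core binary in Run key [{m['name']}]: " + (check_process(name, path) or path))
    return findings
```

Running `triage_hjt(SAMPLE_LOG)` flags the csrss Run entry (wrong folder and wrong launch mechanism) and the PartyPoker orphan, and leaves the QuickTime entry alone; `check_process` can be fed the name, image path and user name columns from Task Manager directly.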
