I found csrss.exe aka W32.Gaobot.AO Worm
Csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem.
Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, select Properties and examine the General and Version tabs.
Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.
It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimise the running of the various services.
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services; therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon, but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.
If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here. Make sure the spelling is correct. If it is scvhost.exe, then you're dealing with a Trojan.
There are several ways to investigate svchost.exe and related processes. First, see "How to determine what services are running under a Svchost.exe process".
there is an Inactive Process using 98 CPU and 28KB
That's probably your System Idle process.
System Idle process is used for measuring how much idle time the CPU is having at any particular time (100% minus the sum of all tasks' CPU usage). It accounts for processor time when the system is not processing other threads and will display how much CPU resources, as a percentage, are 'idle' and available for use. One instance of this process operates per CPU, and runs to occupy the processor when other threads are not running. System Idle process also issues HLT commands which put unused parts of the CPU into a suspend mode, thereby cooling the processor. Normally this process should take up at least 90%+ of processor time on average (this is the value in the CPU column). Thus, in non-technical terms, this figure represents how much CPU time has not been requested by anything else on your system.
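The path, spelling and per-PID service checks described in this reply can be run in one pass with PowerShell. This is an added example, not part of the original post; it assumes a default install where csrss.exe and svchost.exe live in %SystemRoot%\System32, and the helper name Test-Lookalike is made up for the illustration.

```powershell
# Added example: flag processes that reuse a system file name from another
# folder, or whose name is a rearrangement of one (scvhost.exe vs svchost.exe).
# Assumption: the genuine files run from %SystemRoot%\System32.
$expectedDir = Join-Path $env:SystemRoot 'System32'
$watched     = 'csrss.exe', 'svchost.exe'

# PIDs change between logons, so build the PID -> services map at run time.
$servicesByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId |
    ForEach-Object { $servicesByPid[[int]$_.Name] = ($_.Group.Name -join ', ') }

# Hypothetical helper: returns the watched name that $Name imitates, if any.
function Test-Lookalike([string]$Name, [string[]]$Known) {
    $sorted = -join ($Name.ToLower().ToCharArray() | Sort-Object)
    foreach ($k in $Known) {
        if ($Name -eq $k) { continue }              # exact match is not a lookalike
        $kSorted = -join ($k.ToCharArray() | Sort-Object)
        if ($sorted -eq $kSorted) { return $k }     # same letters, different order
    }
    return $null
}

Get-CimInstance Win32_Process | ForEach-Object {
    $path    = $_.ExecutablePath    # can be empty when not run elevated
    $finding = $null
    if ($watched -contains $_.Name) {
        if (-not $path) {
            $finding = 'path not readable (run elevated)'
        } elseif ((Split-Path $path -Parent) -ne $expectedDir) {
            $finding = 'system file name, unexpected location'
        }
    } else {
        $twin = Test-Lookalike $_.Name $watched
        if ($twin) { $finding = "name resembles $twin" }
    }
    [pscustomobject]@{
        Name     = $_.Name
        PID      = $_.ProcessId
        Path     = $path
        Services = $servicesByPid[[int]$_.ProcessId]
        Finding  = $finding
    }
} | Where-Object { $_.Finding -or $_.Name -eq 'svchost.exe' } |
    Format-Table -AutoSize -Wrap
```

Rows with an empty Finding column are svchost.exe instances in the expected folder, listed so the services under each PID can be read off; any row with a Finding is worth examining through the file's Properties dialog.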