C:/windows/config/csrss.exe


10 replies to this topic

#1 dummy61

dummy61

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 04 April 2008 - 03:29 PM

Hi,
My pc started to act up, and I did not have control over it, so I read your pages and did what it said so hopefully everything has gone, and my pc seems ok, except when I boot up it comes up with (cannot find file c:/windows/config/csrss.exe)

This happened when I scanned with AVG and with not thinking and not knowing much about the workings of the pc I quarantined a file that came up file infected and it was the one c:/windows/config/csrss.exe.

I have browsed the web and there is not much and what there is I do not understand what to do and how it works so can anyone tell me how I can get this file back.

thanks


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:24 AM

Posted 04 April 2008 - 03:33 PM

If you quarantined the file, (or in this case, sent it to the virus vault), you should be able to restore it from there.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 AM

Posted 04 April 2008 - 03:37 PM

Hello.

If the file was quarantined, it is possible that it was infected.

You may want to run the System File Checker to restore a legit version. There are instructions HERE

The Panda

Edited by PropagandaPanda, 04 April 2008 - 03:37 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:24 PM

Posted 04 April 2008 - 04:10 PM

Hi dummy61,

The legit csrss.exe should be in C:\Windows 32\csrss.exe and the one which is quarantined should be malware. The file is removed but the startup entry pointing to the file is still there. What you should do is to remove the startup entry pointing to C:\windows\config\csrss.exe. To do that you need one of the applications handling startup entries: Autoruns.exe, Spybot Search & Destroy, or any other application listing the startup entries.

If you are able to handle the registry I would give you instructions to remove the startup entry from there.

Another option is to do it as follows:

* Click start > Run
* In the run box type: msconfig to open up System Configuration Utility.
* Click on startup tab.
* Find the entry pointing to C:\windows\config\csrss.exe
* Uncheck the box next to it.
* Press Apply and confirm if it is needed to reboot.

Good luck!
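
The two signs described in the post above, a startup entry whose target file no longer exists and a core Windows process name loading from outside System32, can be checked with a read-only PowerShell audit of the Run keys. This is an added example, not part of the original thread; the set of Run keys, the watch list of process names and the helper name `Get-ImagePath` are assumptions, and the legitimate location is taken to be `%SystemRoot%\System32`.

```powershell
# Added example: read-only audit of Run-key startup entries. It changes nothing.
# Assumptions: the Run keys below and the watch list of process names.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Core Windows processes whose legitimate copy lives only in System32.
$watchList = 'csrss.exe', 'smss.exe', 'lsass.exe', 'services.exe', 'winlogon.exe'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-ImagePath([string]$Command) {
    # Pull the executable out of a Run value: a quoted path, or text up to ".exe".
    $text = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($text -match '^"([^"]+)"')          { return $Matches[1] }
    if ($text -match '^(.+?\.exe)(?=\s|$)') { return $Matches[1] }
    return ($text -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $image = Get-ImagePath ([string]$regKey.GetValue($valueName))
        if (-not $image) { continue }
        if (-not (Split-Path $image -IsAbsolute)) {
            # Bare names such as "rundll32.exe" are resolved through PATH.
            $found = Get-Command $image -CommandType Application -ErrorAction SilentlyContinue |
                     Select-Object -First 1
            if ($found) { $image = $found.Path }
        }
        $findings = @()
        if (-not (Test-Path -LiteralPath $image)) {
            $findings += 'target file missing (orphaned entry)'
        }
        $leaf = Split-Path $image -Leaf
        if ($watchList -contains $leaf -and (Split-Path $image -Parent) -ne $system32) {
            $findings += 'system process name outside System32'
        }
        if ($findings) {
            [pscustomobject]@{ Key = $key; Name = $valueName; Image = $image
                               Finding = $findings -join '; ' }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

An entry such as the one in this thread would be reported with both findings once the file has been quarantined; the Run keys are only one startup location, so a clean report does not replace a full Autoruns review.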

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 AM

Posted 04 April 2008 - 04:55 PM

Great observation :thumbsup:. Didn't notice it was running from the wrong location myself.

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:24 AM

Posted 04 April 2008 - 04:58 PM

Me either. Thanks for the heads up, farbar.

Billy3

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:24 PM

Posted 04 April 2008 - 11:51 PM

Thanks PropagandaPanda and Billy O'Neal for the acknowledgement and encouragement. :thumbsup:

#8 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:09:24 AM

Posted 05 April 2008 - 09:04 AM

Great catch farbar!

FWIW - msconfig wasn't designed to provide permanent fixes, but rather to be a temporary diagnostic tool.
For permanent fixes, I'd suggest one of these 2 free tools:

StartupCPL by Mike Lin (use the standalone tool) - an easy tool to use, but it doesn't cover as many areas as the next one: http://www.mlin.net/StartupCPL.shtml

Autoruns (can be a bit confusing) - http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:24 PM

Posted 05 April 2008 - 09:05 PM

Thanks usasma,

You are right about the temporary nature of the fix. I would use Msconfig as the last resource. The information you provided and the link may be handy for many others as the type of problem is very common.

I'll use the reference in future.

#10 dummy61

dummy61
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 06 April 2008 - 07:20 AM

Hi, thank you everyone for your help,

I tried the auto runs before I asked for help, I read it and I was at a loss so I gave it up, it would be great if they could make it simple for me and people like me. I am new to computers and I learn as I go along.



thanks for your help everyone.

dummy61

#11 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:09:24 AM

Posted 06 April 2008 - 07:45 AM

If you're using Autoruns, look in the Everything tab and scroll down until you find C:\windows\config\csrss.exe in the IMAGE NAME column - then remove the check mark on the left side of that line, close the program and reboot to see if it fixed it.