I don't know what blogs or steps you followed, so I don't know what was or was not removed. As such, we can't tell what registry keys were affected, removed or restored by any of the steps you have already taken. Without having more information, no one on this site is going to instruct you on going into the registry.

csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment. This process is important for stable and secure operation of your system and should not be terminated. The legitimate csrss.exe file is located in the C:\Windows\System32 folder. If found running from a different location, it's usually indicative of malware.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut, which is a dangerous polymorphic file infector. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

These tools will provide information about each process, CPU usage, file description and its path location.
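
The path check described in the post above, as an added example that is not part of the original post: it compares each process's executable path with the folder where the system file of that name belongs. The function names, the verdict labels, the sample process list, the SysWOW64 entry for svchost.exe and the assumption that Windows is installed on C: are all constructed for illustration.

```python
import ntpath

# Folders where each watched binary legitimately lives (assumes Windows is on C:).
EXPECTED_DIRS = {
    "csrss.exe": {r"C:\Windows\System32"},
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
}

def classify(name, path):
    """Classify one process by its image name and executable path."""
    dirs = EXPECTED_DIRS.get(name.lower())
    if dirs is None:
        return "not-watched"
    if not path:
        # A protected process may expose no path to a non-elevated query.
        return "path-unavailable"
    # Collapse ".." segments and slash/case differences before comparing.
    norm = ntpath.normcase(ntpath.normpath(path))
    folder, image = ntpath.split(norm)
    allowed = {ntpath.normcase(d) for d in dirs}
    if image == name.lower() and folder in allowed:
        # The location matches; this does not rule out an infected file.
        return "expected-location"
    return "unexpected-location"

def review(processes):
    """Return the watched processes that need a closer look."""
    findings = []
    for name, path in processes:
        verdict = classify(name, path)
        if verdict in ("unexpected-location", "path-unavailable"):
            findings.append((name, path, verdict))
    return findings

# Constructed sample process list (name, executable path); not from a real system.
SAMPLE = [
    ("csrss.exe", r"C:\Windows\System32\csrss.exe"),
    ("svchost.exe", r"c:/windows/system32/SVCHOST.EXE"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe"),
    ("csrss.exe", r"C:\Windows\System32\..\Temp\csrss.exe"),
    ("csrss.exe", None),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, path, verdict in review(SAMPLE):
        print(f"{verdict:20} {name:12} {path}")
```
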