csrss.exe on D drive


6 replies to this topic

#1 USN

Posted 09 December 2010 - 02:33 PM

I've seen posts that claimed that csrss.exe found anywhere except C:\WINDOWS\System32 could be a virus or trojan. I found 2 other csrss.exe locations on my D drive: D:\MiniNT\system32 & D:\I386\SYSTEM32. Taken literally, these 2 files are viruses, is that right? Any problem deleting these files? Will they stay deleted?
I also have another csrss.exe file at C:\WINDOWS\ServicePackFiles\I386. Is this file harmful?
Other than running slower than other newer computers, I'm not having problems. And a Norton 360 & Malwarebytes Anti-Malware comprehensive scan found 0 infections. Am I safe?



#2 quietman7


Posted 09 December 2010 - 11:07 PM

csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment. This process is important for stable and secure operation of your system and should not be terminated. Determining whether csrss.exe is malware or a legitimate Windows process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate csrss.exe file is located in the C:\Windows\System32 folder but you may find legitimate copies in other folders such as:

C:\i386
C:\Windows\$NTServicePackUninstall$
C:\Windows\ServicePackFiles\i386
C:\MiniNT\system32

Anytime you come across a suspicious file or you want a second opinion, submit it to one of the following online services that analyzes suspicious files:

In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 USN


Posted 10 December 2010 - 12:51 PM

Thanks quietman7 for your detailed response... The other locations that you listed, where csrss.exe could be legit, are all on the C drive. I have 2 that are on the D drive. Does the drive location make a difference? I ran comprehensive scans using Norton 360, Malwarebytes Anti-Malware & SpyBot S&D, no problems. Is it possible for an infected file, specifically a corrupt csrss.exe file, to evade all these searches?
I wouldn't be worried about it except that when I asked HP Support if increasing my 512MB RAM would improve performance (speed), they logged on to my computer, claimed to find a trojan (the csrss.exe file, which they pointed out while reviewing my Task Manager processes) and tried to sell me $299 worth of software warranty (which included removing the trojan), or they would remove the trojan for $130 (but it could come back, thus the need for the warranty). They proceeded to alarm me about a hacker stealing my on-line banking information, etc. I'm a bit skeptical, and wanted a 2nd opinion. I'd like to think the scans are proof enough. But all these programs leave a little wiggle room.
If you are not sure about the csrss.exe locations on the D drive, I will try:
Jotti's virusscan
VirusTotal
VirSCAN

#4 USN


Posted 10 December 2010 - 01:25 PM

Okay, I checked the 2 csrss.exe files on my D drive using Jotti's malware scan. No problems found.
I submitted both locations on the D drive, but the 2nd response stated that the file had previously been checked. Seems like the location did not matter. I don't know how this jives with "the csrss.exe file could be disguised malware if found in other locations (than C:\WINDOWS\system32)".
Anyway, it appears that I am okay... so not sure where HP Support was coming from.

#5 quietman7


Posted 10 December 2010 - 04:07 PM

Yes, they could be on your D: drive... probably a partition rather than a separate drive. How a drive is set up and partitioned varies from one vendor to another and can vary even more with custom setups.

Sounds like HP was either trying to sell support or the tech just wasn't sure. Submissions to Jotti or the other online file analyzers are a great resource for getting a second opinion. Also be aware that most anti-virus vendors have procedures in place that allow you to submit files you find suspicious.
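The two checks discussed in this thread, sketched as an added example that is not part of any poster's reply: a running csrss.exe is judged by the folder it runs from, while on-disk copies in the listed backup folders are compared by content, whatever the drive letter. The byte strings, the `C:\Temp` entry, the subfolder rule and the assumption that an online scanner recognises a file by its hash are all constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

LIVE_DIR = r"\windows\system32"
# Folders the reply lists as holding legitimate copies, drive letter dropped.
BACKUP_DIRS = (r"\i386", r"\windows\$ntservicepackuninstall$",
               r"\windows\servicepackfiles\i386", r"\minint\system32")

def folder_of(path):
    """Parent folder of a Windows path, lower-cased, without the drive."""
    p = PureWindowsPath(path)
    return str(p.parent)[len(p.drive):].lower()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def classify(path, running, digest, live_digest):
    folder = folder_of(path)
    if running:
        # Only the System32 image should ever appear as a running process.
        return "expected process" if folder == LIVE_DIR else "suspicious process"
    if folder == LIVE_DIR:
        return "live system file"
    # Assumption: a subfolder of a listed folder counts as that folder.
    if any(folder == d or folder.startswith(d + "\\") for d in BACKUP_DIRS):
        if digest == live_digest:
            return "backup copy, same bytes as System32"
        return "backup copy, different build: get a second opinion"
    return "unlisted folder: get a second opinion"

BUILD_A, BUILD_B = b"constructed build A", b"constructed build B"  # stand-ins
FINDINGS = [  # (path, seen as running process?, file bytes), all constructed
    (r"C:\WINDOWS\System32\csrss.exe", True, BUILD_A),
    (r"C:\WINDOWS\ServicePackFiles\I386\csrss.exe", False, BUILD_A),
    (r"D:\MiniNT\system32\csrss.exe", False, BUILD_B),
    (r"D:\I386\SYSTEM32\csrss.exe", False, BUILD_B),
    (r"C:\Temp\csrss.exe", True, BUILD_B),  # constructed bad case
]

def triage(findings):
    live = sha256(findings[0][2])  # first entry is the System32 image
    return [(p, classify(p, run, sha256(c), live)) for p, run, c in findings]

def uploads_needed(findings):
    """Identical on-disk copies share one hash, so they need one upload."""
    return len({sha256(c) for _, run, c in findings if not run})

if __name__ == "__main__":
    print(*(f"{v:52} {p}" for p, v in triage(FINDINGS)), sep="\n")
```

With this sample the two D: copies hash identically, which is the situation in which a scanner would report the second submission as already checked.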

#6 USN


Posted 10 December 2010 - 04:39 PM

Thanks a bunch for your help.

#7 quietman7


Posted 10 December 2010 - 04:49 PM

You're welcome.