Author Topic: csrss.exe Firefox Image - Possible Virus  (Read 4920 times)


MadMugsy

  • Guest
csrss.exe Firefox Image - Possible Virus
« on: November 29, 2011, 04:22:00 PM »
Hello. So I got hit with a nasty little virus that added a program called Win 7 2012 anti-spyware. Got rid of that with Malwarebytes and Avast. However going through my processes I noticed the csrss.exe process running. I did some research and realized that it can be a good thing or a bad thing. I right clicked the process, told it to show me the path and it goes to my system32 file folder. So the process seems legitimate.

However I also read that I should do a file search for csrss.exe. I found that I have one file called csrss.exe with no file path and it has a firefox image for an icon. I tried to delete and it said I don't have the access to delete it. So I am looking for some advice. I will be getting home later on today and running avast in safemode and scanning that particular file but I know that file should not be there and it should not have the firefox image for an icon.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: csrss.exe Firefox Image - Possible Virus
« Reply #1 on: November 29, 2011, 05:10:44 PM »
Welcome to the forum.

Could it be related to Microsoft?

http://www.processlibrary.com/directory/files/csrss/26031/

If not, another thread suggested it was a trojan.

http://www.spywarepoint.com/help-can-get-rid-csrss-exe-trojan-t53489.html.

Upload the file to virustotal.com and post the result here.

http://www.virustotal.com/

Good luck
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

MadMugsy

  • Guest
Re: csrss.exe Firefox Image - Possible Virus
« Reply #2 on: November 29, 2011, 06:27:35 PM »
Thanks :)

I'm not sure if it is related to Microsoft or not. The csrss.exe process in my task manager seems to be legitimate so that is all well and good.

The issue is this csrss.exe file that has no path and has a firefox image for an icon. I'll use virustotal.com when I get home and see if it tells me it is or not. I'm just wondering if anyone ran in to it as well or knows about it.

Also I tried deleting it in safemode and I was unable to which gives me cause for concern. I'll be trying virustotal as well as scanning the file directly in safemode after work.

Alpha32

  • Guest
Re: csrss.exe Firefox Image - Possible Virus
« Reply #3 on: November 29, 2011, 06:39:33 PM »
csrss.exe is a Microsoft file, it's a Client Server Runtime Process and is a critical system process so therefore cannot be terminated in task manager or be deleted.



(Finally one I know!)

DonZ63

  • Guest
Re: csrss.exe Firefox Image - Possible Virus
« Reply #4 on: November 29, 2011, 10:28:24 PM »
It is normal to have two instances of csrss.exe running. Both should have a system32 directory source.

Note: There is a command line associated with this process. On my Win 7 x64 installation, the command line for both is:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

You can download ProcessExplorer from the SysInternals web site which will allow you to view the above detail.
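The path and command-line check described in the reply above, as an added example that is not part of any poster's message: it audits an exported process listing and flags any csrss.exe that does not run from system32. The sample listing is constructed, and the CSV column names and the C:\Windows system root are assumptions.

```python
import csv
import io
import ntpath

# Constructed sample process listing (not from the thread). Column names and
# the C:\Windows system root are assumptions for this example.
SAMPLE = r'''Name,ProcessId,ExecutablePath,CommandLine
csrss.exe,412,C:\Windows\system32\csrss.exe,"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768"
csrss.exe,468,C:\Windows\System32\csrss.exe,"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768"
csrss.exe,3120,C:\Users\sample\AppData\Roaming\csrss.exe,"C:\Users\sample\AppData\Roaming\csrss.exe"
csrss.exe,520,,
firefox.exe,2200,C:\Program Files\Mozilla Firefox\firefox.exe,"firefox.exe"
'''


def classify(row, system_root=r"C:\Windows"):
    """Return None for other processes, else 'ok', 'unverified' or 'suspicious'."""
    if row["Name"].strip().lower() != "csrss.exe":
        return None
    path = (row["ExecutablePath"] or "").strip()
    if not path:
        # Listings taken without admin rights often omit the path of
        # protected system processes; that is not evidence either way.
        return "unverified"
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "csrss.exe"))
    if ntpath.normcase(ntpath.normpath(path)) != expected:
        return "suspicious"
    # Expand %SystemRoot% and require the command line to start with the same binary.
    cmd = ntpath.normcase((row["CommandLine"] or "").strip())
    cmd = cmd.replace("%systemroot%", ntpath.normcase(system_root))
    if cmd and not cmd.startswith(expected):
        return "suspicious"
    return "ok"


def audit(listing_text):
    """Map each csrss.exe PID in a CSV listing to its verdict."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(listing_text)):
        verdict = classify(row)
        if verdict is not None:
            verdicts[int(row["ProcessId"])] = verdict
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(audit(SAMPLE).items()):
        print(pid, verdict)
```

An "unverified" result means the listing should be taken again from an elevated prompt before drawing a conclusion.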

MadMugsy

  • Guest
Re: csrss.exe Firefox Image - Possible Virus
« Reply #5 on: November 30, 2011, 04:47:45 PM »
Thanks for the replies guys. I will also look in to that process explorer tool.

So it appears that using Malwarebytes and Avast in safe mode got rid of the csrss.exe file that was showing the firefox image. Alright, no problem. So I boot up my computer and being as paranoid as I am, I run Avast full scan. It goes through the computer and finds nothing but tells me that I can run a boot-time scan. I decide to go ahead with that and right as my computer starts, it scans. It's taking quite a while but it finds some infected files and deletes them. At the end of the scan my computer reboots and then I get the system restore screen that tells me that Windows had an issue booting up. I can either run the system restore process or start Windows automatically. I decide the latter the first time but when it rebooted, it happened again. So I decide to go through the restore utility. So it restored my computer to about a week ago and uninstalled Avast since I got it only two days ago.

My new question is why did my computer have issues booting up after Avast ran the boot-time scan and is it something that I could prevent? I had this happen one other time when I used Avast before, on the same computer. Does this stem from an even deeper problem?

DonZ63

  • Guest
Re: csrss.exe Firefox Image - Possible Virus
« Reply #6 on: November 30, 2011, 10:22:22 PM »
Quote
Does this stem from an even deeper problem?

Appears to me Avast has a problem with the boot time scan. You're not the only one to have this happen recently. I theorize that Avast's boot time scan is somehow corrupting the bootloader files in its virus removal operations.

I know I am not going to run an Avast boot time scan until I see this fixed.

You should always create a boot CD with your bootloader files on it so that you can at least boot into your OS from the CD if the bootloader files get corrupted. Every version of Windows has an option to do this. Then you can copy the bootloader files from the CD to the root directory of your hard drive. Of course, the bootloader files have to be "clean" or you will just reinfect yourself.

Alpha32

  • Guest
Re: csrss.exe Firefox Image - Possible Virus
« Reply #7 on: December 01, 2011, 05:56:23 AM »
You deleted csrss.exe and your Windows is still fine? It's a critical file which cannot be deleted without causing harm to your computer. So either it was a fake, i.e. a virus pretending to be it, or you deleted it but it restored itself; either way, Windows needs it. Deleting will result in BSOD in most cases.
« Last Edit: December 01, 2011, 06:02:42 AM by Alpha32 »

DonZ63

  • Guest
Re: csrss.exe Firefox Image - Possible Virus
« Reply #8 on: December 01, 2011, 03:33:50 PM »
Quote
Also I tried deleting it in safemode and I was unable to which gives me cause for concern. I'll be trying virustotal as well as scanning the file directly in safemode after work.

WIN 7 won't allow you to delete critical system files without elevated permissions.