suspiciously behaving processes (crss.exe and others)
Hi,
I have some processes that appear to be suspicious.
I know csrss.exe is a critical Windows process, but I am concerned that the process has been replaced by a worm or virus.
One reason is that I cannot open the process location, not with Task Manager and not with Process Explorer, which I downloaded from MS. However, when I start Windows in safe mode I can. The same is true for a few other processes like winlogon.
I was wondering how I could verify that these were the original executables that were running when in normal mode and not some other processes that are taking over, if I cannot open the process location.
Thanks for your help
Ron
August 11th, 2011 4:34am
Hi Cathal,
I ran the procedure successfully and got a message that some corrupt files were fixed. It produced a file called CBS.log. Problem is that I don't know what to look for in the file (it is quite massive).
I also installed Process Explorer. When I view scrss.exe, for example, in Process Explorer I can't find the location of the process and all the properties are blank (I can only see them in safe mode). This is not the case for most of the processes, for which I can see the properties and the location of the exe file.
The processes which are "blank" are atieclxx.exe, audiodg.exe, csrss.exe, lsm.exe, services.exe, smss.exe, winint.exe, winnlogin.exe and WUDFhost.exe.
Would appreciate more help
Thank you very much
Ron
August 12th, 2011 11:16am
Hi Cathal,
That seemed to work :o)
I was concerned since I downloaded a viewer for streaming movies and it messed up the antivirus. I managed to uninstall it but I was not sure whether it already infected any files and became friends with the AV.
If the executables are of different sizes than mentioned online, should that be a cause for concern?
Thanks again
Ron
August 16th, 2011 6:40am
Thanks a lot Cathal
Will follow the procedure you recommended.
Regards
Ron
August 17th, 2011 4:49am
Thanks a lot, gentlemen, for sharing your conversation - it helped me a lot when doing a sanity check on my security. I also realized that I could not see the location or user name on csrss.exe - I run Windows 7.
First I checked 'sfc /scannow' but the prompt told me: You have to be an administrator running a console session - hmm, I only have one account on the PC and that is the administrator account - the guest account is deactivated.
OK - so I downloaded Process Explorer - and checked my processes - I found that I have 2 csrss.exe listed in Process Explorer, both of them are located at C:\Windows\System32\csrss.exe - and both of them say verified when I click the verify button under properties.
Should I worry about this? Or is it OK?
Niels
September 8th, 2012 9:27pm