Suspiciously behaving processes (csrss.exe and others)
Hi, I have some processes that appear to be suspicious. I know csrss.exe is a critical Windows process, but I am concerned that the process has been replaced by a worm or virus. One reason is that I cannot open the process location, not with Task Manager and not with Process Explorer, which I downloaded from MS. However, when I start Windows in safe mode I can. The same is true for a few other processes like winlogon. I was wondering how I could verify that these were the original executables that were running when in normal mode and not some other processes that are taking over, if I cannot open the process location. Thanks for your help, Ron
August 11th, 2011 4:43am

Hi Ron, If you run the command 'sfc /scannow' from the command line as an administrator it should verify the integrity of the system files on your computer. Also, if you download and use Process Explorer instead of Task Manager it will allow you to verify the file signatures so that you can confirm whether all of the processes are legit. Hope this helps, Cathal
Cathal O'Brien BSc, PgDip, PhD. Techsmart IT Support | Computer Repairs
August 11th, 2011 1:43pm

Hi Cathal, I ran the procedure successfully and got a message that some corrupt files were fixed. It produced a file called CBS.log. The problem is that I don't know what to look for in the file (it is quite massive). I also installed Process Explorer. When I view csrss.exe, for example, in Process Explorer I can't find the location of the process and all the properties are blank (I can only see them in safe mode). This is not the case for most of the processes, for which I can see the properties and the location of the exe file. The processes which are "blank" are atieclxx.exe, audiodg.exe, csrss.exe, lsm.exe, services.exe, smss.exe, wininit.exe, winlogon.exe and WUDFhost.exe. Would appreciate more help. Thank you very much, Ron
August 12th, 2011 11:19am

Hi Ron, I forgot to mention that you must run the appropriate 32 or 64 bit version of Process Explorer as administrator to view all processes. To run it as administrator, right click the icon and select 'Run as Administrator'. Also, I wouldn't worry too much about the output from the SFC file unless you are getting consistent problems after the repair. Hope this helps, Cathal
Cathal O'Brien BSc, PgDip, PhD. Techsmart IT Support | Computer Repairs
August 12th, 2011 11:54am
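
The two checks discussed in this thread (which file a system process runs from and whether it is validly signed, and what sfc recorded in CBS.log), as an added example that is not from either poster. It assumes an elevated PowerShell 5.1 session on Windows 10 or later, where `Get-AuthenticodeSignature` also validates catalog-signed system files; the function names `Test-ProcessImage` and `Get-SfcFinding` are hypothetical.

```powershell
# Added example. Assumption: elevated PowerShell 5.1 on Windows 10 or later.
# Process names are the ones listed in the thread, spelling normalised.
$names = 'csrss.exe','winlogon.exe','wininit.exe','services.exe','smss.exe',
         'lsm.exe','audiodg.exe','WUDFHost.exe','atieclxx.exe'

function Test-ProcessImage {            # hypothetical helper name
    param([string[]]$Name)
    $system32 = Join-Path $env:SystemRoot 'System32'
    $procs = Get-CimInstance Win32_Process | Where-Object { $Name -contains $_.Name }
    foreach ($p in $procs) {
        # ExecutablePath can be empty when the session is not elevated or the
        # process is protected; fall back to the expected System32 file on disk.
        $reported = $p.ExecutablePath
        $file = if ($reported) { $reported } else { Join-Path $system32 $p.Name }
        $sig  = if (Test-Path -LiteralPath $file) { Get-AuthenticodeSignature -LiteralPath $file }
        [pscustomobject]@{
            Name         = $p.Name
            Pid          = $p.ProcessId
            ReportedPath = $reported
            # $null means the path could not be read, not that the check passed.
            InSystem32   = if ($reported) { (Split-Path $reported -Parent) -ieq $system32 } else { $null }
            CheckedFile  = $file
            Signature    = $sig.Status                     # 'Valid' is the expected value
            Signer       = $sig.SignerCertificate.Subject
        }
    }
}

function Get-SfcFinding {               # hypothetical helper name
    param([string]$Log = (Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'))
    # sfc tags its own entries in CBS.log with [SR]; keep only the lines that
    # report a repair or a failed repair instead of reading the whole log.
    Select-String -LiteralPath $Log -SimpleMatch '[SR]' |
        Where-Object { $_.Line -match 'Repairing|Cannot repair' } |
        Select-Object -ExpandProperty Line
}

Test-ProcessImage -Name $names | Format-Table -AutoSize
Get-SfcFinding
```

A row with a reported path outside System32, or a signature status other than `Valid`, is the one to examine further; third-party components such as atieclxx.exe are signed by their vendor, not by Microsoft.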

Hi Cathal, that seemed to work :o) I was concerned since I downloaded a viewer for streaming movies and it messed up the antivirus. I managed to uninstall it but I was not sure whether it had already infected any files and become friends with the AV. If the executables are of different sizes than mentioned online, should that be a cause for concern? Thanks again, Ron
August 16th, 2011 6:44am

Hi Ron, It's hard to say without knowing exactly what versions of the files you are looking at and where the information is coming from. Although if the sfc command is doing its job these files should be legit. If you are still not sure that you have fully cleaned your computer of viruses you might try an offline scan using Kaspersky rescue disk or something similar. With these tools you boot from a CD and perform the scan while your operating system is offline. These systems can ordinarily detect viruses that are outside the reach of 'online' virus checkers. The other option would be to get better acquainted with your computer through this Malware Removal Video by Mark Russinovich who is one of the Microsoft fellows. It's a pretty good video and explains everything really well. If you have any more questions please don't hesitate to ask. Cathal
Cathal O'Brien BSc, PgDip, PhD. Techsmart IT Support | Computer Repairs
August 16th, 2011 2:25pm

Thanks a lot Cathal, will follow the procedure you recommended. Regards, Ron
August 17th, 2011 4:53am

This topic is archived. No further replies will be accepted.
