Support Forum Articles File Help Startup DB Tips Service DB Hijack This! Analyzer

 

HijackThis automated log analyzer! Submit a log and you will receive ALL the information we have in our DB's on everything on your system INSTANTLY!

csrss.exe


Click here to scan for csrss.exe Related Errors and Optimize PC performance

What is it?
csrss.exe - Client/Server Runtime Server Subsystem

What does it do?
This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

You will not be able to end this through task manager!

More info

Virus Precaution:

The csrss.exe which is from Microsoft is located in the %Windows/System32/csrss.exe folder.
There have been quite a few different viruses that masquerade as this file. If you find it in a location like C:\DOCUME~1\Home\LOCALS~1\Temp\csrss.exe you will probably need to run combofix to clear this.

Nimda.E - Symantec Corporation


Fix csrss.exe Errors: Free Scan

Recommended: Free PC Speed Test - what is slowing down your PC?


csrss.exe is a Windows System File and should be in a system directory. If it is then this application is safe.

Startup DB Entries:
[.svchost]"Added by the WEBUS.F TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" b
[.TEXTCONV]"Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process which should not normally figure in Msconfig/Startup!" b
[.WMAudio]"Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process which should not normally figure in Msconfig/Startup!" b
[ASP.NET State Service]"Added by the DLOADER-QI TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[AtiSound]"WinSpy surveillance software. Uninstall this software unless you put it there yourself. Note - this is not the same file as the csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""ComRoot"" subfolder" u
[AVManager]"Added by the AUTORUN-DV WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ~A~m~B~u~R~a~D~u~L~ subfolder" b
[BagleAV]"Added by the NETSKY.AB WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[BuildLabs]"Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process which should not normally figure in Msconfig/Startup!" b
[ccpApps]"Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process which should not normally figure in Msconfig/Startup!" b
[Console de Gerenciamento Microsoft]"Unidentified malware! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""Level4"" subfolder" b
[CSRSS]"Search page hijackerb
[csrss.exe]"Added by the DALBUG WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[csrssLevel4]"Unidentified malware! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""Level4"" subfolder" b
[DIECOX]"Added by a variant of the ATM.GEN TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" b
[FiendlyType]"Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process which should not normally figure in Msconfig/Startup!" b
[FirewallActivies]"Added by the BANKER-AQ TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""3041"" subfolder" b
[KernellApps]"Added by the BANCBAN-AC TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""System"" subfolder" b
[Key Logger]"Added by the BUCHON.A WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in the root folder (ieb
[Krnlcheck]"Added by the BOTNACHALA TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[Logon]"Added by the BRONTOK-BH WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\<User>\Local Settings\Application Data\WINDOWS" b

Service DB Entries:
Windows Client/Server Runtime Server Subsystem (WCSRSS) Added by the W32/Tilebot-DA WORM! Note: This worm rojan is located in C:WindowsSystem (Win9x/Me) C:%
Syscheck (Syscheck) Added by the Troj/LdPinch-AL TROJAN! Note: This is not the legitimate Windows process csrss.exe (Whi
Microsoft Windows Update (msupdate) Added by an unknown TROJAN! Note: This has nothing to do with Microsoft Windows Update and this is n
Clients Server Runtime Process (Windows Internet) Added by the W32/Sdbot-CPF WORM! Note: This worm rojan is located in C:%WINDIR% folder.
Clients Server Runtime Process Added by the W32/Sdbot-CPF WORM! Note: This worm rojan is located in C:%WINDIR% This is not the legi
Client Server Runtime Process Microsoft Client Server Runtime Process
Client Server Runtime Proces Added by the WORM_SDBOT.BTI WORM! Note: This worm rojan is located in C:%WINDIR% folder. Malicious a
Windows Client/Server Runtime Service (csrss) Added by an unidentified TROJAN! of the Sdbot family. Note: This worm rojan is located in C:Windowsi
Windows Security Drivers (csrs) Added by an unknown TROJAN! Note: This has nothing to do with Microsoft Windows Update and this is n
Windows TCP/IP Socket Driver (winsck) Added by TROJ_RANKY.HW TROJAN! Note: This worm rojan is located in C:%WINDIR%winsock This is not the

Disclaimer

Every attempt has been made to ensure the information about csrss.exe is accurate but alot of malware applications try to pose as valid applications. If it is something other than what was posted above please leave some feedback in the forum.
Printer Friendly

User Comments
DidaI got drmsartload - I tried to remove it but at boot i keeps coming back. I found out that csrss.exe starting it - and that this csrss.exe is in windows directory not in windows/system32 directory
RichI kept seeing Windows Security Center saying windows firewall was turned off, as well as automatic updates. Also windows firewall was set to group policy, so you could not enable it even though group policy was not configured. Additionally there was always a mysterious connection to stealth.insert.si Booted in safe mode, deleted the csrss.exe from \windows and all is good now.
RichI kept seeing Windows Security Center saying windows firewall was turned off, as well as automatic updates. Also windows firewall was set to group policy, so you could not enable it even though group policy was not configured. Additionally there was always a mysterious connection to stealth.insert.si Booted in safe mode, deleted the csrss.exe from \windows and all is good now.
Andrew My firewall says csrss.exe is trying to use my internet connection, is the windows os doing this or it is a virus?
TristanThe csrss file is the root of all my problems, but it will now allow me to delete it, nor can I terminate the process. I disable it on startup but it adds itself again. It won't allow me to open any other programs/windows to try and remove it.
ItuenProcess shows two csrss.exe going on, 784k and 1,016k. Everybody is talking about only one. Something is wrong with my twins?
grav3sok i finally got rid of the virus file(was located in C:|windowsMedia folder) now the only proble is that there isnt a real csrss in the system32 folder.is this file absolutely necesary ? please someone respond!
WillTo get rid of a virus as such your just going to have to restart your operating system.
SteveJust cleaned up a problem with a fraudulent CSRSS.EXE. It was trying to run from C:WINDOWSCONFIGCSRSS.EXE which is NOT the valid location. Fortunately, on my system, that is not a valid location at all. But the proper location of the legit executable is in the SYSTEM32 directory, not directly in the Windows directory (or anywhere else).
ethanI have this problem and i cant see to fix it the only way i can figure out how to get rid of it in a way tat i can understand is to just reinstall vista xp etc....
DanielI had this Virus, I fixed it by going to system restore, and when back to an earlier time before i caught the virus, it fixed the problem.
TravisI have the same problem with one of my PCs. I did a search on the computer for the csrss.exe and it came up under C:WINDOWSsystem32 as well as C:WINDOWSservicepackfilesi386. Could the latter be the culprit?
calumhow do i know if its the virus csrss.exe or the windows process?
SoCalledFreeFree scan will cost you 29.95. This shows that the web site is not trustworthy.
jodieIt is linked with smss.exe. Only one of each should run. I ran a search and found it in two other locations. And I too also saw that my firewall was being turned off. how do i boot in safe mode...
Kristhis program keeps coming up in my processes without a user name. It is connected with someone hacking into my computer. It is accessing asghost.exe (identity security program) Stop both processess immediately if you see csrss.exe with no description or user name in your process list
jordani am having all of the problems above any fixes yet?
adami have the csrss.exe on my Processes on windows task manager but it isnt doing anything... any information please?
Windows Files
lsass.exe | csrss.exe | alg.exe | dwwin.exe | Svchost.exe | Spoolsv.exe | wowexec.exe | cidaemon.exe | wmiprvse.exe | ctfmon.exe | Winlogon.exe | wuauclt.exe | Smss.exe | msmsgs.exe | rundll32.exe | mdm.exe | ntvdm.exe | wscntfy.exe | explorer.exe | ntdll.dll | iexplore.exe | msdxm.ocx | wisptis.exe | wdfmgr.exe | MsiExec.exe | PDVDServ.exe | DLLhost.exe | gcasdtserv.exe | shdoclc.dll | Winmgmt.exe | cisvc.exe | oleaut32.dll | taskmgr.exe | inetinfo.exe | Shell32.dll | mspmspsv.exe | internat.exe | hal.dll | comctl32.dll | mstask.exe |