0

I've experienced some odd behavior lately (cookies being cleared in Firefox, forcing me to log in again). Antivirus scans (MS Security Essentials, MalwareBytes) aren't showing anything, but Process Explorer shows two instances of csrss.exe with no verified signer. Access is denied to these processes.

Wikipedia shows that some viruses/trojans disguise themselves as this process.

How can I verify if this is a virus or not?

1
  • 2
    Right-click on the process name in Windows Task Manager -> "Open File Location", note the location. Go to VirusTotal and upload the file. Once it finishes scanning you'll see if it's a known malware. But to be honest, I don't think that Firefox cookies being cleared is a sign of infection. Commented Mar 15, 2013 at 13:16

1 Answer

1

Multiple instances of csrss are not uncommon. I actually have two running on my desktop right now and have had more than that on a multi-user system. It can't hurt to upload the file to verify that it isn't a malicious replacement of the normal file, but it is a perfectly common sight to see it more than once.

You could also try running SFC (System File Checker) from a clean boot from your Windows disk and that should check key system files of which I'm pretty sure csrss is one. (Not positive on that though.) You could also look to see if they are all running from the same Windows system path. If they are running from different paths then that is a dead giveaway that something is awry.

3
  • Thanks - I just checked a different system and found multiple instances, but these show as "(Verified) Microsoft Windows" in Process Explorer (and show the correct path). Could be I wasn't running that with Admin privs on the other system; I'll check. Commented Mar 15, 2013 at 14:25
  • And that was it. Running Process Explorer as Administrator showed the csrss processes as verified/signed from the proper path. Commented Mar 16, 2013 at 4:31
  • A little clarification: csrss.exe is the Client/Server Runtime SubSystem. On NT5 systems (e.g. XP), a single process handled all requests. In NT6 (e.g. Vista, Win7) this was changed. The session manager subsystem (smss.exe) spawns a csrss process at boot time to handle requests from session 0 processes, i.e. processes owned by the system and not by any logged in user. On a server that doesn't allow interactive users, this will be the only csrss process. When an interactive user logs on, it gets its own csrss process for its session. If 6 users are logged on, there will be 7 csrss processes. Commented Mar 17, 2013 at 16:22
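
The checks discussed in this thread (image path, signer, elevation, one csrss.exe per session) can be run in one pass. The script below is an added example, not code from the question, the answer or the comments; it assumes Windows PowerShell 5.1, where Get-AuthenticodeSignature also evaluates catalog signatures, and the Verdict strings are illustrative.

```powershell
# Added example: audit every running csrss.exe (image path, signer, session).
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

# Without elevation csrss.exe cannot be opened, so its path reads back empty.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) {
    Write-Warning 'Not elevated: an empty path means access denied, not unsigned.'
}

$report = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    $sig = $null
    if (-not $path) {
        $verdict = 'UNKNOWN: path unreadable, rerun elevated'
    } elseif ($path -ine $expected) {
        $verdict = 'SUSPICIOUS: image is not in System32'
    } else {
        # Assumption: older PowerShell versions may report catalog-signed
        # system files as NotSigned; treat that as "check", not as proof.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'Valid') {
            $verdict = 'OK'
        } else {
            $verdict = "CHECK: signature status is $($sig.Status)"
        }
    }
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Session   = $_.SessionId
        Path      = $path
        Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        Verdict   = $verdict
    }
}
$report | Format-Table -AutoSize -Wrap

# Per the last comment: one csrss.exe per session (session 0 plus each logon).
$report | Group-Object Session | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Session $($_.Name) has $($_.Count) csrss.exe processes."
}
```

An UNKNOWN verdict from a non-elevated prompt reproduces the "no verified signer" situation in the question and is resolved the same way, by rerunning as Administrator.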
