Useless processes running on your pc? csrss.exe

skysidhe · 10-24-2009, 10:41 AM

Is there any reason I should not delete this file.

csrss.exe

I know what it is. I want to delete it. There is some confusion about it being benign or not.

I downloaded some software and my pc bogged down.
It is one of two running.

I got it cornered in my program files. I am going to delete the thing that makes it duplicate. My finger resting on the delete button ready to execute it.

lumberjim · 10-24-2009, 10:47 AM

wait!

skysidhe · 10-24-2009, 10:48 AM

lol

I am not doing anything rash until I know for sure.

I can't stand the half answers when I google it. "Oh it's ok" " It is windows enviroment..blah blah blah but it can be exploited and can look like similar files and so ...to make sure download half a dozen spy ware products that have loads more spy ware products on them" bah!

tw · 10-24-2009, 11:35 AM

Quote:

Originally Posted by skysidhe

I am not doing anything rash until I know for sure.

csrss does something important. Forgot what. If you remove it using task manager, it will return.

However there is one process that I cannot discover a purpose. Wbemcore. It makes a computer consume 100% CPU time when nothing else it executing. MS documents say it performs an essential Windows function. But the task is defined cryptically - simple to the reasons that proved Saddam had WMDs. When I remove it, Windows works fine.

Apparently Wbemcore does some kind of maintenance function. But it also slows other processes noticeably. That is one I would ask about (it is part of one of the Svchost tasks - the one that is consuming so much CPU time).

richlevy · 10-24-2009, 12:17 PM

csrss.exe is both an important Windows process and a trojan running under the same name. I believe csrss has something to do with card readers or client/server.

If you have Process Explorer (link to Microsoft Download) or another improved task manager, it will give you a full name and the Company name, although this can be faked.

crss.exe is definitely a trojan/virus.

From here

Quote:

.svchostX CSRSS.EXE Added by the WEBUS.F TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!

So if you do START-RUN and start MSCONFIG, you should not see CSRSS.EXE in the list. If you do, you definitely have the trojan. If that's the case, search your hard drive and remove the one that is not in your system folder.

Here are basic instructions.

Good Hunting.

xoxoxoBruce · 10-24-2009, 01:01 PM

Quote:

Originally Posted by richlevy

crss.exe is definitely a trojan/virus.

I think csrss.exe is ok, CSRSS.EXE is the trojan.

richlevy · 10-24-2009, 02:51 PM

Quote:

Originally Posted by xoxoxoBruce

I think csrss.exe is ok, CSRSS.EXE is the trojan.

Not sure about caps/non-caps, but crss.exe (without an s after the c) is a trojan. In that case they used a name similar to, but not exactly the same as csrss.

skysidhe · 10-24-2009, 02:54 PM

yay I just ran msconfig and it is not in my start up.
Thanks rich and bruce

My memory and my cpu runs pretty low usually so it must have been the serif software I downloaded hogging resources for a moment.

All I knew was the csrss is exploitable or helpful process a trojan or both so thanks for the imput.

( @ tw I usually find a task or process list online that explains each function but the list I found today had conflicting information. )

Brought to you by Microsoft. This little service announcement.

Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
•Tim Garnett of Determina Security Research for reporting the MsgBox (CSRSS) Remote Code Execution Vulnerability - CVE-2006-6696

Quote:

Originally Posted by richlevy

Not sure about caps/non-caps, but crss.exe (without an s after the c) is a trojan. In that case they used a name similar to, but not exactly the same as csrss.

The trojan could be anything looking similar. You're both right I'm sure.

mbpark · 10-24-2009, 03:55 PM

CSRSS.exe is the Client Server Runtime Subsystem.

Source: http://en.wikipedia.org/wiki/CSRSS

If you had deleted that and it was the real thing, you would not be typing on that computer.

It does not appear in the startup sequence at all. If you see it there, delete it using AutoRuns.

Wbemcore is used for Windows Management Instrumentation, aka WMI. It's used to keep the internal DB of hardware/software data used by that current. I've had issues with this before, including ones where it caused issues with Microsoft Installer. To fix that issue, run the following from Safe Mode:

http://www.microforge.net/kb/102

Thanks,

Mitch

skysidhe · 10-24-2009, 09:13 PM

Thanks Mitch

Crimson Ghost · 10-24-2009, 09:23 PM

Also check out -

http://www.what-is-exe.com/

It doesn't have every possible program, but it does help.....

xoxoxoBruce · 10-25-2009, 01:50 AM

Quote:

Originally Posted by richlevy

Not sure about caps/non-caps, but crss.exe (without an s after the c) is a trojan. In that case they used a name similar to, but not exactly the same as csrss.

Ah, my bad. Thought you had just misspelled it.

10-24-2009, 10:41 AM	#1
skysidhe ~~Life is either a daring adventure or nothing.~~ Join Date: Apr 2006 Posts: 6,828	Useless processes running on your pc? csrss.exe Is there any reason I should not delete this file. csrss.exe I know what it is. I want to delete it. There is some confusion about it being benign or not. I downloaded some software and my pc bogged down. It is one of two running. I got it cornered in my program files. I am going to delete the thing that makes it duplicate. My finger resting on the delete button ready to execute it.

10-24-2009, 10:47 AM	#2
lumberjim I can hear my ears Join Date: Oct 2003 Posts: 25,571	wait! __________________ This body holding me reminds me of my own mortality Embrace this moment, remember We are eternal, all this pain is an illusion ~MJKeenan

10-24-2009, 10:48 AM	#3
skysidhe ~~Life is either a daring adventure or nothing.~~ Join Date: Apr 2006 Posts: 6,828	lol I am not doing anything rash until I know for sure. I can't stand the half answers when I google it. "Oh it's ok" " It is windows enviroment..blah blah blah but it can be exploited and can look like similar files and so ...to make sure download half a dozen spy ware products that have loads more spy ware products on them" bah! Last edited by skysidhe; 10-24-2009 at 10:56 AM.

10-24-2009, 03:55 PM	#9
mbpark Lecturer Join Date: Jan 2001 Location: Carmel, Indiana Posts: 761	CSRSS - wait a minute! CSRSS.exe is the Client Server Runtime Subsystem. Source: http://en.wikipedia.org/wiki/CSRSS If you had deleted that and it was the real thing, you would not be typing on that computer. It does not appear in the startup sequence at all. If you see it there, delete it using AutoRuns. Wbemcore is used for Windows Management Instrumentation, aka WMI. It's used to keep the internal DB of hardware/software data used by that current. I've had issues with this before, including ones where it caused issues with Microsoft Installer. To fix that issue, run the following from Safe Mode: http://www.microforge.net/kb/102 Thanks, Mitch

10-24-2009, 09:23 PM	#11
Crimson Ghost Larger than life and twice as ugly. Join Date: Apr 2004 Posts: 5,264	Also check out - http://www.what-is-exe.com/ It doesn't have every possible program, but it does help..... __________________ We must all go through a rite of passage. It must be physical, it must be painful, and it must leave a mark. I have no knowledge of the events which you are describing, and if I did have knowledge of them, I would be unable to discuss them with you now or at any future period. Don't waste your time always searching for those wasted years

10-24-2009, 09:13 PM	#10
skysidhe ~~Life is either a daring adventure or nothing.~~ Join Date: Apr 2006 Posts: 6,828	Thanks Mitch

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)