quote:
Originally posted by MeEtc
quote:
Originally posted by TylerG
I think I found it, but when I try to end it, it says "This is a critical system process. Task Manager cannot end this process." But it might just be a regular process, but I don't think I have seen it before.
use services.msc to end it
Start > Run > services.msc
csrss.exe is not a service, therefore starting up services.msc wouldn't do anything good.
-----------
TylerG,
If csrss.exe is the virus, then there should be two csrss.exe processes running. One for the virus and one for the legit windows process.
To determine which is which, you need to:
- either look at who has started the process. If it is "SYSTEM" or "NT AUTHORITY" or the like, then it means it is the legit Windows process. If it is your username/computername, then it means csrss.exe has started up as a normal program and thus the process is not legit and a fake.
- or look at the startup directory of csrss.exe. If it is C:\Windows\System32, then it is the legit Windows program. If it is another directory, you have your virus (but seeing the directory is not possible in Windows' Task Manager).
Killing the process in Windows' Task Manager will indeed pop up the "this is a system process yadda yadda" warning, as Windows only checks for the filename (which is of course the same as the real legit one) and thus it gives that warning.
To remove it properly:
- Run "Process Explorer" from Sysinternals. Find the not-legit csrss.exe file by right-clicking on its name and checking its properties for the startup directory and/or check who owns the process: "NT AUTHORITY/SYSTEM" or you.
- If found, and still in Process Explorer, kill it using right click, "Kill Process Tree".
- Now run "AutoRuns" from Sysinternals, find the startup entry (or entries) of the not-legit csrss.exe, and remove it.
- Reboot
Also see
CookieRevised's reply to Block-Checker
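
The two checks described in the post above (who started the process and which directory it runs from), as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt; the variable names and verdict strings are illustrative, and the script only reports, it does not end any process.

```powershell
# Added example: list every csrss.exe and apply the two checks from the post:
#   1. image path must be %SystemRoot%\System32\csrss.exe
#   2. owner must be the LocalSystem account (well-known SID S-1-5-18)
# Run elevated; otherwise Windows may hide the path and owner of system processes.

$expectedPath   = Join-Path $env:SystemRoot 'System32\csrss.exe'
$localSystemSid = 'S-1-5-18'   # locale-independent identifier for NT AUTHORITY\SYSTEM

$results = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
    # Both WMI methods return ReturnValue 0 on success; any other value means
    # the owner could not be read (common for protected system processes).
    $own = Invoke-CimMethod -InputObject $proc -MethodName GetOwner    -ErrorAction SilentlyContinue
    $sid = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid -ErrorAction SilentlyContinue

    $ownerName = if ($own -and $own.ReturnValue -eq 0) { "$($own.Domain)\$($own.User)" } else { $null }
    $ownerSid  = if ($sid -and $sid.ReturnValue -eq 0) { $sid.Sid } else { $null }
    $path      = $proc.ExecutablePath   # may be $null when access is denied

    # A check only counts against the process when its value was actually readable.
    $badPath  = $path     -and ($path -ine $expectedPath)
    $badOwner = $ownerSid -and ($ownerSid -ne $localSystemSid)

    $verdict = if ($badPath -or $badOwner) {
        'SUSPICIOUS'
    } elseif (-not $path -or -not $ownerSid) {
        'incomplete: path or owner not readable'
    } else {
        'matches the legitimate process'
    }

    [pscustomobject]@{
        PID     = $proc.ProcessId
        Session = $proc.SessionId
        Path    = $path
        Owner   = $ownerName
        Verdict = $verdict
    }
}

$results | Format-Table -AutoSize
```

An "incomplete" verdict means the value could not be read, not that the process is fake; confirm those entries in Process Explorer as the post describes.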