What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Skype & Technology » Tech Talk » msconfig

Pages: (2): « First « 1 [ 2 ] Last »
msconfig
Author: Message:
Menthix
forum admin
*******

Avatar

Posts: 5537
Reputation: 102
40 / Male / Flag
Joined: Mar 2002
RE: msconfig
csrss.exe is a normal process too. See csrss.exe process information. Don't try to delete it before you are sure it really is a virus, you may damage Windows otherwise :).
Finish the problem
Menthix.net | Contact Me
11-27-2005 07:51 PM
Profile E-Mail PM Web Find Quote Report
MeEtc
Patchou's look-alike
*****

Avatar
In the Shadow Gallery once again

Posts: 2200
Reputation: 60
38 / Male / Flag
Joined: Nov 2004
Status: Away
RE: msconfig
quote:
Originally posted by TylerG
I think I found it, but when I try to end it, it says "This is a critical system process.  Task Manager cannot end this process.":S  But it might just be a regular process, but I don't think I have seen it before.
use services.msc to end it :)

Start > Run > services.msc
[Image: signature/]     [Image: sharing.png]
I cannot hear you. There is a banana in my ear.
11-28-2005 12:55 PM
Profile PM Web Find Quote Report
CookieRevised
Elite Member
*****

Avatar

Posts: 15517
Reputation: 173
– / Male / Flag
Joined: Jul 2003
Status: Away
RE: RE: msconfig
quote:
Originally posted by MeEtc
quote:
Originally posted by TylerG
I think I found it, but when I try to end it, it says "This is a critical system process.  Task Manager cannot end this process.":S  But it might just be a regular process, but I don't think I have seen it before.
use services.msc to end it :)

Start > Run > services.msc

csrss.exe is not a service, therefore starting up services.msc woudn't do anything good.

-----------

TylerG,

If csrss.exe is the virus, then there should be two csrss.exe processes running. One for the virus and one for the legit windows process.

To determine which is which, you need to:
  • either look at who has started the process. If it is "SYSTEM" or "NT AUTHORITY" or the likes then it means it is the legit windows process. If it is your username/computername then it means csrss.exe has started up as a normal program and thus the process is not legit and a fake.
  • either look at the startup directory of csrss.exe. If it is C:\Windows\System32 Then that it is the legit windows program. If it is another directory, you have your virus (but seeing the directory is not possible in Windows' TaskManager).


Killing the process in Windows' TaskManager will indeed popup the "this is a system process yadda yadda"-warning as Windows only checks for filename (which is of course the same as the real legit one) and thus it gives that warning.



[Image: attachment.php?pid=570865]
To remove it properly:
  1. Run "Process Explorer" from SysInternal. Find the not-legit csrss.exe file by right clicking on its name and checking its properties for the startup directroy and/or check who owns the process "NT AUTHORITY/SYSTEM" or you.
  2. If found, and still in Process Explorer, kill it using right click, "Kill Process Tree".
  3. Now run "AutoRuns" from SysInternal. And find the startup entry (or entries) of the not-legit csrss.exe and remove it.
  4. Reboot

Also see CookieRevised's reply to Block-Checker

.gif File Attachment: csrss.exe.gif (31.29 KB)
This file has been downloaded 178 time(s).

This post was edited on 11-28-2005 at 03:41 PM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
11-28-2005 02:51 PM
Profile PM Find Quote Report
Pages: (2): « First « 1 [ 2 ] Last »
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On