[SOLVED] csrss.exe as virus in my pc (70% sure)

palo112

Sep 23, 2019
Hello! A few days ago my PC was exposed to one very annoying virus/es. It basically started opening up new pages in my browser, and at the end it started installing some garbagecleaner.exe. So my 1st thought was to perform a scan with Malwarebytes. It found looooads of viruses, but I didn't do that many scans in the past so... I deleted all of them. Then I thought, since I don't have anything that important on my PC, I decided to run a clean reinstall of Windows. I thought when I reset all files back to default it will minimize the risk.
Then right after, I changed almost every password I had. I wasn't really sure if I was still safe, so I tried not to log in from my PC anywhere.

2 days later everything seemed to be OK, so I logged in to my Facebook account... nothing strange yet, so I went to work, and about 2 hours later at work, when I wanted to check Facebook, I got a message that my account was locked, saying someone from Taiwan had logged into my Facebook, so I quickly changed my password again.

Coincidence???? I don't think so. What I think is there is some dodgy spying process running in the background. So I started searching for answers and then I found something: this process called csrss.exe. On one hand, yes, it is a Microsoft file, but I was searching even more because in my processes in my task bar I have 2 csrss.exe running. And I found a couple of forums where they were saying something like if you see one process it's okay, but if there are 2 there is a high chance one of them is a virus.

Also it was mentioned there that if csrss.exe is located anywhere else than the System32 folder it is a virus. But both my processes are showing as they are in the System32 folder under C:

Can anyone help me? I ran numerous tests and every test now is showing literally nothing, like my PC was clean, but I am certain it isn't.
 
Okay, thanks for the reply. I was just a bit scared after I saw those forums saying if your computer is running more than 1 csrss.exe then one is probably fake. So are they legit? I mean, I checked where they are located and each one leads to the System32 folder.

Okay, so do you think my PC is clean and was that Facebook thing only a coincidence that it happened in this time period? Or should I do something else to make sure I am good, because I don't feel safe enough. Here is what I did:
malwarebytes - 0 viruses
zemana antimalware - 0 viruses
hitman pro - 0 viruses
EmsisoftEmergencyKit - 0 viruses
 
csrss.exe is the client server that your user runs on. If you removed it, Windows would restart as it has no choice. You would likely get a Critical Process Died BSOD.

How about this: download Process Explorer. One of its default fields is the name/owner of all the processes currently running, so you can see anything that seems out of place and ask.
Download Process Explorer and run it as admin (it comes from Microsoft so it's safe).

The default view is a tree structure, meaning, like your Task Manager screen, it will show what processes are under each service.

Private bytes = RAM + page file usage
Working set = actual RAM usage

This page shows what all the colours and headings mean; the link at the bottom of it shows how to use it to find problems. You can right-click processes and run an AV scan from within the program.
 
Solution
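
A scripted version of the checks discussed in this thread (image location, owner session and file signature for every running csrss.exe), added here as an example and not posted by anyone in the thread. Windows normally starts one csrss.exe per session, so one instance in session 0 plus one in the logged-on user's session is expected; the function name `Test-CsrssInstance` is hypothetical.

```powershell
# Added example. Run from an elevated PowerShell prompt: without elevation
# the image path of protected system processes is usually not readable.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

function Test-CsrssInstance {
    param([Parameter(Mandatory)] $Process)   # a Win32_Process CIM instance

    $result = [ordered]@{
        ProcessId = $Process.ProcessId
        SessionId = $Process.SessionId
        Path      = $Process.ExecutablePath
        PathOk    = $null            # stays $null when the path is unreadable
        Signature = 'not checked'
        Signer    = $null
    }

    if ([string]::IsNullOrEmpty($Process.ExecutablePath)) {
        $result.Path = '(unavailable, run elevated)'
    } else {
        # Windows paths are case-insensitive, so compare with -ieq
        $result.PathOk = ($Process.ExecutablePath -ieq $expected)
        $sig = Get-AuthenticodeSignature -FilePath $Process.ExecutablePath
        $result.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) {
            $result.Signer = $sig.SignerCertificate.Subject
        }
    }
    [pscustomobject]$result
}

$instances = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
    ForEach-Object { Test-CsrssInstance $_ }
$instances | Format-Table -AutoSize

# More than one instance inside the same session deserves a closer look
$instances | Group-Object SessionId | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Session $($_.Name): $($_.Count) csrss.exe instances" }

# So does an unexpected image path or a signature that does not validate
$instances |
    Where-Object { $_.PathOk -eq $false -or $_.Signature -notin 'Valid', 'not checked' } |
    ForEach-Object { Write-Warning "PID $($_.ProcessId): path=$($_.Path) signature=$($_.Signature)" }
```

No warnings means every instance runs from System32, carries a valid signature and is alone in its session; it does not by itself show that the machine is clean.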