Where is csrss.exe supposed to be located in XP Media 2005?

Archived from groups: microsoft.public.windowsxp.general (More info?)

I have two csrss.exes running at once. One is located in c:\WINDOWS\SYSTEM32\
and the other is located in c:\WINDOWS\SYSTEM\DRIVER\ and is hidden as a
system process. I was not aware of the one in SYSTEM32 until just today when
I noticed that two csrss.exes were running.

The one located in SYSTEM32 is 6 KB, is version 5.1.2600.2180, was created on
August 10th, 2005, has a high priority, is in caps, uses close to 3000 KB of
memory and has 13 threads.

The one located in DRIVER is 682 KB, is version 5.1.2600.0, was created on
May 20th, 2005, has a normal priority, is not in caps, uses close to 4000 KB of
memory and has 6 threads.

The one located in SYSTEM32 seems to be suspicious; however, Trend Housecall
seems to think that the one located in DRIVER is TROJ_SERVU.Q
(http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SERVU.Q).
Neither Norton nor Ad-Aware thinks that either of them is viral/spyware.

I am normally able to deal with problems on my own but this one has me
extremely confused. The only csrss.exe that I had on my computer before I had
two was the one in DRIVER which is supposedly the virus. But how could the
only csrss.exe that I have be a virus? So I left it alone thinking Housecall
was insane. Now I don't know... I am sorry if this was already addressed
previously, but it's getting late and I would like to take advantage of the
patience that sleep brings me.
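The comparison the post above does by hand (where each csrss.exe runs from, its size, version, and who started it) can be scripted. The following is an added example, not code from the original thread. It assumes Windows PowerShell 2.0 or later run from an elevated prompt, and uses WMI's Win32_Process rather than Get-Process so the path is reported even where the process itself cannot be opened (csrss.exe is a protected process on newer Windows releases). The genuine Windows XP csrss.exe is a small loader for csrsrv.dll, a few kilobytes in size, lives only in %SystemRoot%\System32, and is started by smss.exe; anything else with that name, or that parentage, deserves a closer look.

```powershell
# Added example, not part of the original thread. Requires Windows PowerShell 2.0+
# and an elevated prompt. Lists every running csrss.exe with the facts a responder
# compares: image path, size, version, signer status, and parent process.

function Get-CsrssInstances {
    # The only legitimate location for the client/server runtime subsystem.
    $expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

    Get-WmiObject -Class Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
        $path    = $_.ExecutablePath
        $size    = $null
        $version = $null
        $company = $null
        $sig     = 'n/a'

        if ($path -and (Test-Path -LiteralPath $path)) {
            $size    = (Get-Item -LiteralPath $path).Length
            $info    = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
            $version = $info.FileVersion
            $company = $info.CompanyName
            # Caveat: XP-era system binaries carry no embedded Authenticode signature;
            # they are catalog-signed, and PowerShell 2.0 reports them as NotSigned.
            # PowerShell 5.1 on Windows 10 does consult catalogs. On old systems,
            # verify with 'sfc /scannow' or a hash against a known-good copy instead.
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        # A real csrss.exe is launched by the session manager (smss.exe). On XP the
        # session manager stays resident, so the parent should still be visible.
        $parent     = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }

        New-Object PSObject -Property @{
            Pid         = $_.ProcessId
            Parent      = $parentName
            Path        = $path
            InSystem32  = [bool]($path -and ($path -ieq $expected))
            SizeBytes   = $size
            FileVersion = $version
            Company     = $company
            Signature   = $sig
        }
    }
}

# Full listing, then only the instances that fail either sanity check.
Get-CsrssInstances |
    Format-Table Pid, Parent, InSystem32, SizeBytes, FileVersion, Company, Signature, Path -AutoSize

Get-CsrssInstances |
    Where-Object { (-not $_.InSystem32) -or ($_.Parent -ne 'smss.exe') } |
    ForEach-Object { Write-Warning ("Suspicious csrss.exe: PID {0} at '{1}' (parent {2})" -f $_.Pid, $_.Path, $_.Parent) }
```

The WMI path is authoritative even when the process hides itself from Task Manager's list, because it comes from the kernel's process object rather than from the process. A 600 KB file versioned 5.1.2600.0 in a directory that is not System32, with a parent other than smss.exe, fails all three checks at once.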
 

Sorry about the self reply but I think this is worth adding.

C:\I386\CSRSS.EXE
Created: April 23, 2005, 2:16:58 PM
!!Modified: August 10, 2005 4:00:00AM!!

The 4 AM modification seems inconceivable to me as 1. no one is on the
computer at 4 AM (hopefully) and 2. my computer is turned off at night
(hopefully; other people in the family sometimes forget, but the computer goes
into hibernation within 20 minutes).

Anyway, the modification of the I386 CSRSS.exe corresponds with the creation
of the SYSTEM32 CSRSS.exe.
 

Smaschmeyer wrote on Mon, 29 Aug 2005 22:25:06 -0700:

> I have two csrss.exes running at once. One is located in
> c:\WINDOWS\SYSTEM32\ and the other is located in c:\WINDOWS\SYSTEM\DRIVER\
> and is hidden as a system process. I was not aware of the one in SYSTEM32
> until just today when I noticed that two csrss.exes were running.
>
> The one located in SYSTEM32 is 6kb, is version 5.1.2600.2180 was created
> on August 10th, 2005, has a high priority, is in caps, uses close to 3000
> KB memory and has 13 threads.
>
> The one located in DRIVER is 682 KB, is version 5.1.2600.0 was created on
> May 20th, 2005, has a normal priority, is not in caps, uses close to 4000
> KB memory and has 6 threads.

I'd say they're both suspicious. System32 is the correct location for the
file, but as you pointed out the one there has been identified as being
infected, although Trend might be wrong. I would suggest that the original
installation copy in c:\i386 was infected, and the other copy was dropped
some time before by something else, and on reboot the real version in
c:\windows\system32 was overwritten by the copy in i386 or the sfc cache.
Personally, I'd wipe and reinstall.

Dan
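The two posts above turn on whether the copies of csrss.exe in the live directory, the Windows File Protection cache, and the install source agree with each other, and which of them changed when. The block below is an added example, not code from either poster. It assumes Windows PowerShell 2.0 or later (it hashes with .NET SHA-256 rather than Get-FileHash, which needs 4.0) and that the install source is C:\I386, the path named in the second post.

```powershell
# Added example, not part of the original thread. Hashes each copy of csrss.exe
# Windows XP keeps (live copy, WFP cache, install source) so a replaced System32
# copy, or a tampered source copy, shows up as a hash that disagrees with the rest.

function Get-CsrssCopies {
    param(
        [string[]]$Paths = @(
            (Join-Path $env:SystemRoot 'System32\csrss.exe'),
            (Join-Path $env:SystemRoot 'System32\dllcache\csrss.exe'),
            'C:\I386\CSRSS.EXE'   # assumed install source, as in the post above
        )
    )

    $sha = [System.Security.Cryptography.SHA256]::Create()

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            New-Object PSObject -Property @{
                Path = $p; Exists = $false; SizeBytes = $null
                FileVersion = $null; Created = $null; Modified = $null; SHA256 = $null
            }
            continue
        }

        $item  = Get-Item -LiteralPath $p
        $bytes = [System.IO.File]::ReadAllBytes($p)
        $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $ver   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($p)

        New-Object PSObject -Property @{
            Path        = $p
            Exists      = $true
            SizeBytes   = $item.Length
            FileVersion = $ver.FileVersion
            Created     = $item.CreationTime
            Modified    = $item.LastWriteTime
            SHA256      = $hash
        }
    }
}

$copies = Get-CsrssCopies
$copies | Format-Table Path, Exists, SizeBytes, FileVersion, Created, Modified, SHA256 -AutoSize

# One distinct hash means all present copies are byte-identical; more than one
# means at least one copy differs and its version and timestamps say which.
$distinct = @($copies | Where-Object { $_.Exists } | Group-Object SHA256)
if ($distinct.Count -gt 1) {
    Write-Warning ("{0} different csrss.exe builds found across {1} locations" -f $distinct.Count, ($copies | Where-Object { $_.Exists }).Count)
}
```

Two caveats when reading the output. A mismatch between System32 and the I386 copy is expected when a service pack was applied after install (the live file is the SP2 build 5.1.2600.2180, the install source may be the RTM build), so compare the FileVersion column before calling a difference tampering. And on many OEM installs the I386 folder holds a cabinet-compressed CSRSS.EX_ rather than CSRSS.EXE; that file will not hash-match the expanded binary and has to be expanded first. For the live file itself, Windows File Protection's own check (`sfc /scannow` on XP, `sfc /verifyonly` on Vista and later) is the reference.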