
csrss.exe in winsxs

Discussion in 'Windows Vista' started by Meir, May 8, 2008.

  1. Meir

    Meir Guest

    I saw somewhere that there are versions of csrss.exe which are malware.
    The posts said that versions of csrss.exe that are not in the
    windows/system32 directory are probably malware and should be deleted. I
    did a search of my hard drive and found that there are in fact two
    versions of csrss.exe, one in the windows/system32 directory and another
    buried deep within the windows root directory. The file is the only
    file sitting in this directory:

    C:\Windows\winsxs\x86_microsoft-windows-csrss_31bf3856ad364e35_6.0.6001.18000_none_58e3e3d7e415ae4c

    I tried to rename the file to see what happens but Vista told me that I
    didn't have permission to do that (gotta love Vista!). Anyway, I did a
    little research into winsxs and found this article interesting:

    'Demystifying the WinSxS directory in Windows XP, Vista and Server
    2003/2008 - Aaron Tiensivu's Blog'

    Could someone verify that another copy of csrss.exe is supposed to be
    sitting in the winsxs directory?

    Thanks


    --
    Meir
     
  2. Dave

    Dave Guest

    Meir wrote:
    > I saw somewhere that there are versions of csrss.exe which are
    > malware. The posts said that versions of csrss.exe that are not in the
    > windows/system32 directory are probably malware and should be
    > deleted. I did a search of my hard drive and found that there are in
    > fact two versions of csrss.exe, one in the windows/system32 directory
    > and another buried deep within the windows root directory. The file
    > is the only file sitting in this directory:
    >
    > C:\Windows\winsxs\x86_microsoft-windows-csrss_31bf3856ad364e35_6.0.6001.18000_none_58e3e3d7e415ae4c
    >
    > I tried to rename the file to see what happens but Vista told me that
    > I didn't have permission to do that (gotta love Vista!). Anyway, I
    > did a little research into winsxs and found this article interesting:
    >
    > 'Demystifying the WinSxS directory in Windows XP, Vista and Server
    > 2003/2008 - Aaron Tiensivu's Blog'
    >
    > Could someone verify that another copy of csrss.exe is supposed to be
    > sitting in the winsxs directory?
    >
    > Thanks


    I have csrss.exe in:

    c:\windows\system32
    c:\windows\winsxs\long garbled folder name
    c:\windows\winsxs\backup

    Plus various manifest files and other oddly named files with
    csrss embedded in the file name in the Windows subfolders.

    Don't be so paranoid and don't believe everything you read or hear about virus/malware.
     
  3. abnerjames

    abnerjames Guest

    What he is claiming is a spyware or malware is true. I have the EXACT
    same folder name, with a csrss.exe in it, and even console recovery (the
    Vista equivalent) can't touch it, and it isn't the appropriate file size
    (should be almost exactly 6kb, is instead 7.5kb) and a duplicate (this
    is how it is confirmed to be a virus) of csrss.exe running on my machine
    as a process. Also, I have an additional copy of csrss.exe saved in my
    folders! You can also check the created or last edited date to coincide
    with your computer's OS install time; if it is off, then it's been added
    at a different time...another indicator of malware.
    Also, yes, that particular folder name has the VIRUS version of
    csrss.exe in it. It is particularly agitating, as it is blocking
    Windows Update, destroys antispyware programs, randomly disconnects my
    internet, and is overall a problem. This is most likely a remote
    takeover trojan or a keylogger/password stealer.
    Don't be so quick to tell users they don't have a virus. Calling
    people paranoid is quite rude!


    --
    abnerjames
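
One way to check the copies discussed in this thread, as an added example that is not part of any post: the PowerShell script below lists every csrss.exe under the Windows directory with its size, creation time, SHA-256, Authenticode status and signer, and marks copies that sit outside System32 and WinSxS or lack a valid signature. It assumes PowerShell 4.0 or later and an elevated prompt; the variable and property names are this example's own.

```powershell
# Added example (not from the thread): read-only inventory of csrss.exe copies.
# Assumptions: PowerShell 4.0+ (Get-FileHash), elevated prompt, default layout
# where the expected locations are %windir%\System32 and %windir%\WinSxS\<component>.
$sys32  = Join-Path $env:windir 'System32'
$winsxs = (Join-Path $env:windir 'WinSxS') + '\'

# Hash of the copy the OS actually loads, used as the comparison baseline.
$baselinePath = Join-Path $sys32 'csrss.exe'
$baselineHash = (Get-FileHash -Path $baselinePath -Algorithm SHA256).Hash

$report = Get-ChildItem -Path $env:windir -Filter 'csrss.exe' -Recurse -File `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $dir  = $file.DirectoryName
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

        # Directly in System32, or anywhere below the WinSxS component store.
        $expectedDir = ($dir -ieq $sys32) -or
            $dir.StartsWith($winsxs, [System.StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            Path            = $file.FullName
            Bytes           = $file.Length
            Created         = $file.CreationTime
            SHA256          = $hash
            MatchesSystem32 = ($hash -eq $baselineHash)
            SigStatus       = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            ExpectedDir     = $expectedDir
        }
    }

# Full inventory first, so every copy is accounted for.
$report | Format-List

# Copies that deserve a closer look. A status other than Valid, or a hash that
# differs from the System32 copy, is a reason to investigate (for example an
# older build kept in the component store), not proof of malware on its own.
$review = $report | Where-Object { -not $_.ExpectedDir -or $_.SigStatus -ne 'Valid' }
if ($review) {
    Write-Warning "Review these copies before trusting them:"
    $review | Select-Object Path, Bytes, SigStatus, Signer, MatchesSystem32 | Format-Table -AutoSize
} else {
    Write-Output "All csrss.exe copies are in expected directories with a valid signature."
}
```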
     
