Task Manager query

Sponsored Links
Csrss stands for Client/Server Run-Time Subsystem, and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and implementing some portions of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, trojan or worm!

To ensure it is the legit one, open Task manager and find the csrss.exe entry in the list, (there may be more than one so do each one seperately),
Right click it and either click Properties or Open File Location.
If either indicates the file location is in the C:\Windows\System32 folder then you are fine.
If it is located anywhere else then click to End process. And then post back here.

OK I right clicked it and it came up perform adminstrative tasks. So clicked continue and there is two csrss running. Both have system next to them. No cpu usage and the memory for the first one is 780 k and the one down below is 472 K.

Don't know if that means anything to anybody. It doesn't mean much to me except if it was a virus there would be more cpu usage. I know viruses running can be seen in Task Manager but I haven't a clue what I am looking for Thank you again. I've always wondered what that was.
What operating system do you have running? XP, Vista or Win 7?

Are you logged in as an Administrator?

After opening the Task Manager, did you click on Properties after right clicking the Csrss.exe?

In the General tab it shows you the location of the file.

If it is 'System 32' then you are OK.
Sponsored Links
My operating system is Windows Vista Home Basic Service Pack 2.

Yes I am the Administrator.

When I right click on Csrss and click properties nothing happens. It just says system next to it. When I click on open File Location my Physical Memory goes up.
When you open the Task Manager, in the Processes Tab, you should be able to right click the line that says:
and the context menu should give you several options, including Open file Location and, further down the list, properties.

If you click Open File Location it will open a list of files, then look in the address bar at the top and it should give you the route to where it is stored. Something like:
Computer: (C\: ) Windows > System 32

If it says System 32 then the file is OK.

I have two entries for csrss.exe running in Task manager, one is about 916K in the memory column and the other is 1500K, using Windows 7.

With the Task Manager open, click at the top right to open it in full screen and see what it reads in the description column. If it is listed as Client Server Runtime Process, then it should be OK. Both, if you have two entries can read the same and you should be fine.

Any other queries about items in the Task Manager, make a note of the names or initials you do not understand and check them out HERE

Yes they are both Client Server Runtime Process. I think I am just worrying about nothing. Thank you for your help.

On a different note I was looking something up and came across a rogue which AVG blocked. It said Threat blocked. The name of it was Exploit. I am just running a scan to be on the safe side.
Working in parallel to AVG LinkScanner the Active Surf Shield checks scripts and files found on web sites and blocks any malicious ones.

The 'Exploit' is part of the full wording of what it blocked.
As it blocked a suspicious web site link, you should not have anything on you computer.
The web site could have been completely safe and the blocking was a false positive but a scan never does any harm just to put your mind at rest.

I clicked the website and suddenly the page I was viewing disappeared and the message came up saying threat blocked and another message came up saying your computer may be infected with spyware.

It is recommended you download this program or words to that effect. Hit Ctrll, Alt, Delete and ended the programme. The scan didn't pick anything up

In the summer I got an Exploit which the AVG Resident Shield detected but when I upgraded to 9.0 it said list was empty. It showed a window where it said my c drive, floppy drive and removable disc f were infected but I think I brought Task Manager up and closed it. I thought it was called Exploit because it puts viruses on your computer and steals your identity.

I'm sure I'll come up with more random questions. Sorry for being a pest :LOL:
"Sorry for being a pest" No problem at all.Glad to try to be of help.

AVG may not have been quick enough to stop it getting on your computer but as it said you were infected and to download another program, it sounds more like malware and an antivirus program is not programmed to remove malware.

Just to be on the safe side:

Please download MalwareBytes' AntiMalware using the BLUE button for the FREE version.
Save to Desktop.

When download is complete;
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware

* Then click Finish

If an update is found, it will download and install the latest version.

* Once the program has loaded, select > Perform Quick Scan, then click > Scan.
* When the scan is complete, click > OK, then > Show Results to view the results.
* Be sure that everything is checked, and click > Remove Selected.
* When completed, a log will open in Notepad. Save this log to My Documents in case it is needed for reference.
Reboot as required.

Right I have downloaded Malware bytes and am running a quick scan now. Can I keep this or will it clash with AVG? Already it has found seven infected objects. Those might be tracking cookies. I think I've used this before. Will keep you updated. Have created a MalwareBytes folder and will save the log there. Should I start a new topic for this?
Right here's the Log. I clicked removed and rebooted.

Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Users\Lorna\AppData\Roaming\Zango (Adware.Zango) -> Delete on reboot.
C:\ProgramData\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.

Files Infected:
C:\$Recycle.Bin\S-1-5-21-1220871702-929508847-3254620893-1000\$RL3ZOND\iStar.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1220871702-929508847-3254620893-1000\$RVRNRJG\iStar.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAAbout.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAau.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSAEula.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\ProgramData\ZangoSA\ZangoSA_kyf.dat (Adware.Zango) -> Quarantined and deleted successfully.
Well it appears to have removed all that it found except the Zango Adware which it will delete when you next reboot the computer. S, if you haven't done so since the scan, do so now.
Once you have rebooted, run another quick scan with it and see if it finds anymore.
Once clean you need to purge your system restore points so that you do not accidentally do a restore to one of the contaminated points.
Purging System Restore:
To remove all SR Points thus removing any contaminated ones:
Turn OFF System Restore then turn it back ON and then set a new restore point.

In Vista:
Follow these instructions.
Then set a new restore point by following these instructions

Keep MBAM installed, it will NOT have any conflict with any antivirus program because it does a totally different job. It does not find or remove viruses so don't get rid of your antivirus program.
MBAM is not a real-time program, meaning it does not monitor your computer all the time, it does not stop malware getting onto your computer but it does a ruddy good job of getting rid of it when you run it.
As you have Vista, you should have Windows Defender which provides real-time antispyware/malware protection. This is only as good as the updates it gets, so keep it updated.

Keep it updated every couple of days, just incase you get an infection that prevents you accessing the internet for updates. Then run it once a week in Quick Scan, only takes about 3 to 5 minutes at most. Let it remove all that it finds.

Sponsored Links