Virus and Rootkit threats

Like some folks, I consider myself to be computer-savvy, but somehow, something got by me.

My laptop wireless switch is dying, and disconnects sometimes. Since this laptop never leaves my desk, I don’t care. I just plugged in a cable to my wireless router.

It won’t work. Long story short, talking to Linksys revealed corrupted files courtesy of crss.exe and/or a rootkit virus.

I checked my other 2 laptops in the house, and sure enough, crss.exe is a process on each of them as well.

Thus begins a long weekend of work to remove and restore everything.
I humbly suggest you check your machines for these two sneaky bastiges. My Avast and Microsoft essentials let me down…

I just checked task manager and I have csrss.exe running! I’m going to use a bootable disk to navigate (thanks command prompt!) there and delete it.

csrss.exe is a necessary part of Windows.

infections might infect or disguise themselves as this.

Healthy Windows machines have csrss.exe running.

Client/Server Runtime Subsystem

csrss.exe is the Client Server runtime process, and is an integral part of Windows. You shouldn’t delete it (in fact, I’d be surprised if Windows will let you if you try).

It’s always possible that some malware could replace the native copy of the file with its own ‘bad’ version, but don’t panic just because it’s there, because it always is.
It really would have been nice if Microsoft would have named their executables better, so they’d make sense to the uninformed, and thus malware makers couldn’t just put a bunch of random letters and numbers together and fool people.

Wouldn’t help. How is Joe Blow to know if he is supposed to have a “Client Server Runtime Subsystem”? If he more or less remembers that that is important, do you expect him to realize that he shouldn’t have a “Client Srvr Runtime Subsystem”? Given that there are such an ungodly number of executables and DLLs in a Windows system having memorable names wouldn’t help; malware makers would just dream up their own variations on those memorable names.

I also deleted wsh.exe.
(I thought about whether it was a bad idea to post that in case someone else (e.g., my grandmother) saw and reflexively deleted the file. But if they know enough to be able to boot to a command prompt, navigate to the location and delete, they know enough not to do so willy-nilly. Also, I thought repeating the OP’s joke of “If you never hear from me again, it may” would have been clear. Please, please don’t hold this against me when I need tech help in the future.)

I was under the impression that one could potentially delete NTloader and the System 32 folder without much trouble, both of which are near fatal for a Win system.

Obviously I’ve never tried either, but are you saying Windows won’t let you?

This is perfectly normal. Just make sure you don’t have two crss.exe processes running.

I am not sure how serious we are being now, but is that bad, because I do have two csrss.exe processes running? They seem to be using very different amounts of memory too? (Windows 7, 64bit.)

I know it is normal for Windows to have several instances of some of its processes running simultaneously. (I currently appear to have 13 instances of svchost.exe running, for example, and I know I have seen many instances of it running together before.) Is that not so in the case of csrss.exe?

(I am seeing no signs of malware at the moment, but I did have an infection not long ago, so I am a bit jumpy.)

Is it a recent Linksys router, in the EA series?

What you’re talking about doesn’t sound like the “upgrade” Cisco just pushed through, but if you’re using a Linksys EA router and didn’t turn off automatic upgrades, that’s something else to look into.

Meantime, try visiting the AskLeo web site for information on finding and removing viruses and malware. Good luck.

I once saw a virus that ran “svohost.exe”, copying the legitimate “svchost.exe”.

I’m being semi-serious: this is not good if (and only if) they’re running under your user ID. If you have to click ‘Show processes from all users’ to see a second one, then that’s fine. You may have further copies if other people are logged into your PC. Both should also have low Process IDs in Task Manager.
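The checks the thread keeps circling (is the file the real one in System32, who owns the process, how many copies per session, and does the name merely resemble a system binary the way “svohost.exe” resembles “svchost.exe”) can be run in one go from an elevated PowerShell prompt. The script below is an added example, not code posted by anyone in the thread or shipped by Microsoft; the watch list of names and the edit-distance threshold of 2 are my assumptions, and it needs PowerShell 3 or later (Get-CimInstance) and an elevated session, since the image path and owner of SYSTEM processes are otherwise hidden.

```powershell
# Added example, not code from the thread. Triage of running processes whose
# names match or resemble core Windows binaries. Requires PowerShell 3+ and an
# elevated prompt (otherwise the path/owner of SYSTEM processes may be unavailable).
# The watch list and the edit-distance threshold are assumptions, not Windows facts.

$knownNames = @('csrss.exe', 'smss.exe', 'wininit.exe', 'winlogon.exe',
                'services.exe', 'lsass.exe', 'svchost.exe')   # assumed watch list
$system32   = Join-Path $env:SystemRoot 'System32'

# Levenshtein edit distance, used to catch look-alike names such as svohost.exe.
function Get-EditDistance {
    param([string]$a, [string]$b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList @(($a.Length + 1), ($b.Length + 1))
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-SuspectProcesses {
    $findings = @()
    foreach ($p in (Get-CimInstance -ClassName Win32_Process)) {
        $name = $p.Name
        if (-not $name) { continue }
        # Closest watch-list entry and how far away it is (0 = exact name match).
        $best = $knownNames |
            ForEach-Object { [pscustomobject]@{ Known = $_; Dist = (Get-EditDistance $name $_) } } |
            Sort-Object Dist | Select-Object -First 1
        if ($best.Dist -gt 2) { continue }          # unrelated name, ignore

        $reasons = @()
        if ($best.Dist -gt 0) {
            $reasons += "name resembles $($best.Known) (edit distance $($best.Dist))"
        }

        $path = $p.ExecutablePath
        if (-not $path) {
            $reasons += 'image path not readable (run elevated to check)'
        } else {
            # The genuine binaries on the watch list live in System32.
            if (-not $path.StartsWith($system32, 'OrdinalIgnoreCase')) {
                $reasons += "image outside System32: $path"
            }
            # A replaced or renamed copy will not carry a valid Microsoft signature.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signature status $($sig.Status)"
            }
        }

        # Owner lookup can fail on protected processes even when elevated.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(protected/unknown)' }

        $findings += [pscustomobject]@{
            PID     = $p.ProcessId
            Name    = $name
            Session = $p.SessionId
            User    = $user
            Path    = $path
            Suspect = ($reasons.Count -gt 0)
            Reasons = ($reasons -join '; ')
        }
    }
    return $findings
}

$report = Get-SuspectProcesses
$report | Sort-Object Name, Session |
    Format-Table PID, Name, Session, User, Suspect, Reasons -AutoSize

# A healthy box shows one csrss.exe per session (session 0 plus one per logged-in
# desktop), all under SYSTEM and all from System32. Two in one session deserves a look.
$report | Where-Object { $_.Name -ieq 'csrss.exe' } | Group-Object Session |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Session $($_.Name) has $($_.Count) csrss.exe instances" }
```

Two caveats when reading the output. A second csrss.exe in a different session, owned by SYSTEM and signed, is exactly what the last reply describes as fine; the script only warns when the same session holds more than one. And on Windows 7 many system binaries are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a genuine file there; treat the signature line as a prompt to verify the hash against a known-good copy rather than as proof of infection.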