csrss.exe trying to kill off my antivirus and firewall

Discussion in 'ProcessGuard' started by Cheinoa, Apr 29, 2006.

Thread Status:
Not open for further replies.
  1. Cheinoa

    Cheinoa Registered Member

    Joined:
    Apr 28, 2006
    Posts:
    1
    Hi, I'm new posting here. I've been reading all of the issues with others. I have downloaded the latest version of the freeware Process Guard. I've had this a few weeks with no issues at hand until recently. I'm running an antivirus and also ZoneAlarm. Within the last week, Zone is popping up with an alert that csrss wants to access something in the computer. Before I can even click allow or deny, the whole computer is freezing up; I can only shut it down from the plug and start it back up... that event lasted an entire day. So now when the ZA alert comes up for csrss I quickly click deny and the computer is working. But yesterday, when I turned on the computer, the first message from WinXP is... am I sure I want to delete the links to all my desktop icon shortcuts. I clicked no, abort and began investigating. First I went to Process Guard to check the log from the night before. Hm... strange, there was no log. There is a log from every day except that day. Next I looked at the main menu of Process Guard: protection enabled was checked, while execute protection was turned off. That was strange too because I would never turn anything off. Next I went to my Zone Alarm and began checking. Looks like 'csrss.exe' has been trying to kill my Zone Alarm and antivirus. Still, that doesn't give me any information as to why... Process Guard was unchecked and no log. Kind of strange. But... why would csrss suddenly be trying to kill my firewall and my antivirus? So I decided to check the authorities of what csrss can and cannot do in Process Guard. I found that csrss.exe, winlogon.exe and smss.exe all have the same: the ability to terminate 'protected' applications. Does that give csrss the ability to try and terminate the 2 most protected applications on the computer? I consider my firewall, my antivirus and ProcessGuard to be the backbone of protection, but how do I protect these applications?
    Without Process Guard installed, normally would these 3 files have permissions to terminate other applications? I've considered unchecking these so that they are not allowed to terminate anything, but then I thought... could make matters worse. I have run my antivirus, plus done an online scan, found nothing. I'm beginning to wonder if csrss maybe isn't a worm of some sort. I've run my HijackThis and also, nothing. I believe if I'd had the PG log from this day maybe I could have had better luck determining what happened. I do wonder sometimes if maybe my computer hasn't been hacked and they are turning on and off services in my computer. Anyway... thanks, and any suggestions would be appreciated.
     
    Last edited: Apr 29, 2006
  2. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    Your problem description does sound like you are infected with a worm. As you can see from the links below, the location of csrss and smss on your hard drive gives some clues that you may be infected.

    http://www.neuber.com/taskmanager/process/csrss.exe.html

    http://www.neuber.com/taskmanager/process/smss.exe.html

    This, coupled with Winlogon that you described, strongly indicates a problem. Here's a link to doing some remote scans by AV vendors and spyware vendors. I urge you to perform scans starting with Kaspersky.

    http://forum.misec.net/board/FAQ/1141894786
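
The location check mentioned in the reply above, as an added example that is not part of the original thread: it classifies reported image paths for csrss.exe, smss.exe and winlogon.exe against `%SystemRoot%\System32`, handling the NT-style path prefixes these processes are often listed with. The function names, the `C:\WINDOWS` default and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Processes named in this thread; on Windows their genuine images live in
# %SystemRoot%\System32.
WATCHED = {"csrss.exe", "smss.exe", "winlogon.exe"}

# Constructed sample of (process name, reported image path); not from the thread.
SAMPLE = [
    ("csrss.exe", r"\??\C:\WINDOWS\system32\csrss.exe"),       # NT-style prefix
    ("smss.exe", r"\SystemRoot\System32\smss.exe"),            # kernel-style path
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    ("csrss.exe", r"C:\WINDOWS\csrss.exe"),                    # wrong directory
    ("csrss.exe", r"C:\WINDOWS\system32\..\Temp\csrss.exe"),   # traversal
    ("smss.exe", None),                                        # path not readable
]


def normalize(path, system_root):
    """Strip NT prefixes, resolve '..' and lowercase a reported image path."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = ntpath.join(system_root, p[len("\\systemroot\\"):])
    return ntpath.normcase(ntpath.normpath(p))


def check_image(name, path, system_root=r"C:\WINDOWS"):
    """Classify one process as 'ok', 'suspicious', 'unknown' or 'ignored'."""
    if name.lower() not in WATCHED:
        return "ignored"
    if not path:
        return "unknown"  # no path available: do not guess either way
    expected = ntpath.normcase(ntpath.join(system_root, "System32", name))
    return "ok" if normalize(path, system_root) == expected else "suspicious"


def audit(records, system_root=r"C:\WINDOWS"):
    """Return (name, path, verdict) for every watched process in records."""
    results = [(n, p, check_image(n, p, system_root)) for n, p in records]
    return [r for r in results if r[2] != "ignored"]


if __name__ == "__main__":
    for name, path, verdict in audit(SAMPLE):
        print(f"{verdict:10} {name:13} {path}")
```

A matching path is only one clue, which is why the reply also recommends scanning; an `unknown` verdict means the path could not be read and should be rechecked with administrative rights.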
     