Csrss.exe virus problem [Solved/Closed]

Miguel - Jun 23, 2011 at 11:26 AM - Latest reply: Ambucias (Moderator) - Nov 9, 2012 at 03:41 PM

I got a serious problem with a virus I got; it seems that it is infecting the csrss.exe file of my OS (Windows 7 64-bit). My antivirus MSE (Microsoft Security Essentials) gets to block the program and Malwarebytes also blocks it, but the thing is that they never get to find the infected file and delete it 'cause the threat disappears. I got only 3 csrss.exe files on my PC, in system32, system64 and a folder named AMD, which I checked and is legitimate. I have run the scanner in safe mode, without being connected to the internet, I tried the Regedit thing and the values are OK, I tried CCleaner, I have tried everything and I still have the virus on my PC, and I have had to restore the PC to a previous date 3 times already 'cause although the virus is being blocked it is damaging my system somehow. BTW the task manager only has 1 csrss.exe running. I'll appreciate a LOT any response, thanks ahead.

17 replies

Best answer
Has this been resolved I have the same exact problem to the "T".

Thank you, Jav 3


Need more details; possibly you can create a new thread so that we could help you.
It's the same exact problem. The only slight difference is that I get a BSOD on boot of the regular Win 7 boot and safe mode. The exception is 0x0000135, missing %hs file.
juju666 (Security contributor) - Oct 17, 2011 at 03:48 AM

Please open your own topic for more help ;)

A registry change will allow you to boot. Boot from a PE disc (I used Hiren's as it has a good PE registry editor), run a reg editor that can load the offline hives from your Windows directory, navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems and change the value of the "Windows" entry. You will see a reference to consrv.dll; change that to winsrv. It will look like this after the fix: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

ServerDLL=winsrv more than likely says ServerDLL=consrv at the moment... some references say that the same thing may need to be done in ControlSet002 also.
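The check a responder would want for the key Bowzer describes, as an added example that is not code from the thread: it parses the SubSystems "Windows" value into its ServerDll entries and reports any module that is not one of the three expected on Windows 7 (basesrv, winsrv, sxssrv, taken from the fixed string above). The tampered sample is constructed from that string by swapping in consrv; reading the live value on Windows is an assumed convenience via the standard winreg module, and for the offline-hive case (ControlSet001/002 in a PE editor) the exported value can be pasted into the same function.

```python
# Parse and audit the Session Manager\SubSystems "Windows" value for unexpected server DLLs.
import sys

# Expected value after the fix, exactly as quoted in the thread.
EXPECTED_VALUE = (
    "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed sample of the tampered value the thread describes (winsrv replaced by consrv).
TAMPERED_SAMPLE = EXPECTED_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2")

# Server DLL modules that belong in this value on Windows 7 (from the fixed string).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}


def server_dlls(value):
    """Return (module, entrypoint, index) for every ServerDll=... token in the value."""
    found = []
    for token in value.split():
        if not token.lower().startswith("serverdll="):
            continue
        spec = token.split("=", 1)[1]           # e.g. winsrv:UserServerDllInitialization,3
        name, _, rest = spec.partition(":")     # the :entrypoint part is optional
        if rest:
            entry, _, idx = rest.partition(",")
        else:                                   # e.g. basesrv,1
            name, _, idx = name.partition(",")
            entry = ""
        found.append((name.lower(), entry, idx))
    return found


def unexpected_server_dlls(value):
    """Sorted module names not in KNOWN_SERVER_DLLS; a non-empty list means inspect the key."""
    return sorted({name for name, _, _ in server_dlls(value) if name not in KNOWN_SERVER_DLLS})


def read_live_value():
    """Windows only (assumption): read the active control set's value via the winreg module."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems")
    value, _ = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    value = read_live_value() if sys.platform == "win32" else TAMPERED_SAMPLE
    print("unexpected ServerDll modules:", unexpected_server_dlls(value) or "none")
```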
Bowzer, you are the man!

I've been searching for that key for over a day now.

thanks a million
Ambucias (Moderator) - Jun 23, 2011 at 04:03 PM
To help you, I must make a diagnostic and to do so, I require a log.

Open this link and download ZHPDiag :


Register the file on your Desktop.

Double click on ZHPDiag.exe and follow the instructions.

The tool creates two icons, ZHPDiag and ZHPFix (we will use ZHPFix in the next step).

Double click on the shortcut ZHPDiag on your Desktop.

Click on the magnifying glass and run the analysis.

Wait for the tool to finish (it may take a long time).

Close ZHPDiag.

To transmit the report, click on this link :


Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).

Select the file ZHPDiag.txt.

Click on "upload".

Copy the URL and post it here.

Here is the link. Hope you find the cause of this problem. Thank you a lot in advance.
Ambucias (Moderator) - Jun 24, 2011 at 04:49 AM

I have found two pieces of malware. To remove them:

1. Run regedit, locate and delete the following value:

HKCU {758D57A1-E85D-4873-BBEE-7D83FE2D5515} - (Ask.com)

2. Open Explorer and delete the following .dll file:


Finally if the antivirus applications still find malware, they are possibly in the quarantine files. Empty the quarantine files.

Let me know

P.S. The malware you first got no doubt came from Limewire (should be deleted) and Azureus.
After I deleted the value in the registry (it was located at HKEY Local Machine/Software/Microsoft/Internet Explorer/Search Scopes/758D57A1-E85D-4873-BBEE-7D83FE2D5515) and then deleted the bassmod.dll file, I ran a quick scan and the antivirus found a malware at C:\Windows\system32\consrv.dll; the virus is named Trojan:Win64 Sirefef.B.

After I deleted that virus and ran the scanner again in search of any other malware or virus, MSE didn't find anything, but after 5 mins the same alert came up again, the same virus Sirefef.B infecting another file:
But when I hit clean or remove, the threat just disappears and the antivirus is unable to delete the file.
Ambucias (Moderator) - Jun 24, 2011 at 03:44 PM
The Trojan Horse Sirefef.B is not a real menace other than being detected by Microsoft Security Essentials and may not be detected by any other antivirus. Actually the detection by MSE is the only symptom.

ZHPDiag is a top notch diagnostic tool and did not see the Trojan Horse roaming in the stable, which goes to prove that it's just an annoying nuisance.

I suggest that:

1. You update MSE

2. Turn off your system restore

3. Search for this file and delete it if found :

4. Delete:


5. Download and run this free but very efficient registry cleaner:


6. Turn your system restore back on.

Good luck
Thank you very much for your efforts; unfortunately nothing changed. I did all of what I know and what you told me; the files that are "infected" don't even appear while using CMD with admin privileges to see all hidden files, and the file you told me to find and delete doesn't appear either. What I'll do is allow the virus to run through my computer after doing a backup and see what happens; if it is bad I'll definitely format and install Windows again, I'm sick and tired of this virus already hehe. Thanks again bro, take care :)
Ambucias (Moderator) - Jun 25, 2011 at 05:46 AM

I have one more solution to rid your computer of this rogue.

Let's first kill the evil process.

1. Download to your desktop and run RKill:


2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the Trojan Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate the processes. So, please try running RKill until malware is no longer running.

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop.


Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.
I did as you said. The Rogue program didn't find anything wrong, it just stopped Google Chrome and a Rundll file in a Windows folder; Malwarebytes found a keygen (which is not a threat) and a malware in the registry. I did allow the 2 files that were infected to run and nothing changed; I opened the task manager to see if there was a new unknown process opened but there was nothing new in there. Everything seems to be fine and points to it being a false alarm; BUT I can't turn my firewall on lol. I don't know if it was activated or not before (it was supposed to be on...); when I try to turn it on it says that some of my settings.... I'll do some research now to see how to activate it; if you know please let me know. Thank you so much once again.
Ambucias (Moderator) - Jun 25, 2011 at 03:42 PM
Go to your control panel and then to security centre, you will find your Windows Firewall there.
Thank you so very much! Now I know how the registry acts like a central command for a rootkit.
Ambucias (Moderator) - Nov 9, 2012 at 03:41 PM
@Duma ndugu

Everything you do on the computer is inscribed in the registry, and every application, malware or otherwise, has its main base in the registry.