By Fred Langa
One tool says your PC is infected. Another says you’re clean. Which do you believe?
No need to flip a coin! With a little sleuthing, you can get to the bottom of just about any malware confusion.
How to deal with dueling malware removers
When malware-removal tools disagree on whether your PC is infected, how do you know which one to believe? That’s the problem facing reader Thomas Trickey. But rather than focusing only on Thomas’ dilemma, let’s broaden the answer into a more general approach. That way, Thomas’ specific example can also serve as a kind of problem-solving template you can use to get to the bottom of other, similar problems:
- "The software ‘NoAdware’ keeps picking up W32.Netsky.AB@mm, which I believe is a worm. It tells me it is located at C:\Windows\csrss.exe. However, I cannot find the little devil. Symantec has a tool (free) that is supposed to fix the problem, but whenever I run the tool, it cannot find it. Is there anything you can guide me to, to help me eliminate this problem?"
If the removal tools don’t seem to work, as in Thomas’ case, the next step is to try to track down the problem file itself. In this case, Thomas reports that the file is csrss.exe. What is it?
You may already have a favorite site for looking up various Windows system components, such as the programs and processes that show up in Windows’ Task Manager applet. (Press Ctrl+Alt+Del and click Task Manager to bring up this useful tool.) I haven’t found any one site that truly does it all, so I usually gravitate to three sites that complement each other: Answers that Work, Uniblue’s Windows Process Library, and PCreview. Combining and boiling down the information from those sites, you can see that:
- There is a system file in Windows NT4/2000/XP/2003 called csrss.exe (the Client Server Runtime SubSystem). Csrss.exe is not part of Windows ME/98 or earlier versions.
- The real csrss.exe file is located in the Windows\System32 folder on your PC. (Bonus tip: These sites don’t say it, but there may also be a spare copy of many system files in your Windows\ServicePackFiles\i386 folder, too. The datestamps and file sizes of the csrss.exe files in System32 and ServicePackFiles\i386 should be identical. If they are not, one of the copies may be compromised.)
- Csrss.exe is automatically launched by smss, the Windows Session Manager Subsystem. Csrss.exe is not launched on its own, and thus should not appear in the Startup folder or list.
- Any copy of csrss.exe found in a folder other than Windows\System32 or Windows\ServicePackFiles\i386 is most likely bogus.
- Any copy of csrss.exe found on any Windows ME/98 installation is most likely bogus.
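The location and size/datestamp rules in the list above can be applied mechanically to a file inventory. The following is an added example, not part of the original article; the function names, the `nt_family` flag and the sample records are assumptions made for illustration.

```python
import ntpath
import os

# Folders the article names as legitimate homes for csrss.exe (relative to the Windows folder).
EXPECTED_SUBDIRS = ("System32", r"ServicePackFiles\i386")

def inventory(root):
    """Yield (path, size, mtime) for every file under root; unreadable files are skipped."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            yield full, st.st_size, int(st.st_mtime)

def check_copies(records, windir=r"C:\Windows", target="csrss.exe", nt_family=True):
    """Return (suspicious, mismatch) for (path, size, mtime) records.

    suspicious: copies outside the expected folders (every copy if nt_family is False,
    i.e. Windows ME/98). mismatch: expected-folder copies differ in size or datestamp.
    """
    expected = {ntpath.normcase(ntpath.join(windir, d)) for d in EXPECTED_SUBDIRS}
    suspicious, trusted = [], {}
    for path, size, mtime in records:
        norm = ntpath.normcase(ntpath.normpath(path))  # case-insensitive, '/' -> '\'
        if ntpath.basename(norm) != target.lower():
            continue
        folder = ntpath.dirname(norm)
        if nt_family and folder in expected:
            trusted[folder] = (size, mtime)
        else:
            suspicious.append(path)
    mismatch = len(set(trusted.values())) > 1
    return suspicious, mismatch

# Constructed sample inventory (paths, sizes and dates are made up for illustration).
SAMPLE = [
    (r"C:\Windows\System32\csrss.exe", 6144, "2004-08-04 07:00"),
    (r"C:\WINDOWS\ServicePackFiles\i386\csrss.exe", 6144, "2004-08-04 07:00"),
    (r"C:\Windows\csrss.exe", 17408, "2005-03-11 22:14"),
    (r"C:\Windows\System32\notepad.exe", 69120, "2004-08-04 07:00"),
]

if __name__ == "__main__":
    print(check_copies(SAMPLE))
```

On a live system, `check_copies(inventory(r"C:\Windows"))` runs the same checks against the real folder tree.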