Tech Support Forum banner

cssrss creating HQS Trojan at startup

2141 Views 4 Replies 3 Participants Last post by  calvin333
I have been getting Trojan warning for over a week everytime I run NOD on-demand scan, and I delete the trojan file everytime (they are in the system32 folder), but they keep coming back.

Finally tonight when I turned on the computer NOD pop up saying that an HQS trojan was created by the cssrss process in windows/system32/

I looked through there and saw csrss and cssrss processes, and I believe csrss is a legitimate MS process.

My question is : can I go in and delete cssrss ? Is it a legitimate MS process infected?
Not open for further replies.
1 - 5 of 5 Posts
Hi and welcome to TSF.
cssrss.exe is not a legit process. It is loaded by the W32/FORBOT-CE worm.

I recommend you follow the instructions in the link below and post your logs in the hijack this section. An analyst will check your logs and advise you on cleaning your machine.
csrss.exe in system32 and system32\dllcache is a legit process. It should be 6,144 bytes on most XP machines.

cssrss.exe is not legit, as grumpygit has pointed out.

There's quite possibly something else on the system alongside...but in addition to deleting the file, you need to remove the loading point(s).

If you require assistance, follow the instructs in the link grumpygit has already provided.
First of all thank you for your replies.
I've been trying to do as instructed and scan with Panda ActiveScan but
IE and Firefox keep getting aborted when I'm about 30% complete (going from C to D drive)
and when the browser process was aborted then all data is lost.

So far after C drive scan I get about 7 infected files (mostly from RP3x files) but not getting scan complete is really frustrating. Is it because I don't have enough RAM (I have 512 MB)?

How do I remedy this situation and at least get scan completion?
Finally got Active Scan to run to completion.
I also use the Disinfect function to disinfect several trojan downloader in RP32... etc.
I am doing the DSS scan now and will post all logs in the Hijack this forum.

Thanks again.
1 - 5 of 5 Posts
Not open for further replies.