I need some help here I think...

So I got rid of mcafee…been meaning to for a while now…and downloaded avira and comodo.

Now, comodo is reporting that an application with no name is trying to take a screenshot of my computer. It says “[blank] is trying to access the screen directly…” and when I pull up my task manager, the only one with a blank description is csrss.exe (I have two csrss.exe’s running).

I tried googling and it doesn’t seem anyone else is having this problem. I did however find this:

http://www.moernaut.com/default.aspx?item=grabber

It appears to be a program that poses as csrss.exe that people can buy to take screenshots of remote computers.

Anyway, I did a complete search on my hard drive for csrss.exe and scanned all 6 for viruses with avira and it did not find a virus in any of them.

Now here’s the weird part…I tried to take a screenshot (vista) of this problem, and my SnippingTool is not working. I get an error message when I try to open it.

Also, if I deny the request through comodo, it just pops up and asks me again if it’s ok…30 times in a row, until I just allow it.

Please help. Thanks.

csrss.exe is a normal running program. It is part of Windows and is not a virus or anything. I run Avira Premium 8 and Comodo on 2 machines with no troubles whatsoever. What program are you denying access to? Did you tick off “remember”? Did you block your snipping tool under D+?


Couldn’t a virus just name itself csrss.exe?

I don’t know what program I am denying access to. It comes up with no name at all. And I don’t believe I blocked my snipping tool, I haven’t messed with that at all. And yes, I clicked remember, but it keeps asking me anyway. Every 10 seconds it asks me…until I click to allow then it takes about 10 minutes before it asks me again.

This might be over my head. I have not downloaded any executables though from the internet unless they’re KNOWN good programs like comodo or avira, or have like huge amounts of good reviews and are trusted.

Could you get something like this from a Flash animation?

OK here we go…I rebooted and the snipping tool works now.

See all these blocked events where it says “Direct Monitor Access”? Isn’t that odd?

No. Can you take a screen shot and post it?

Hi deapee, welcome to the forums.

When you do Defence+/View Active Process List:
Can you see 2 instances of csrss.exe? Also, can you right click on it and tick next to “Full path”?
It should be under ?:\WINDOWS\system32\csrss.exe

Matty

ps you can upload a screenshot by clicking “Additional Options” then browse to the picture

Yes it can be a virus.
It depends where it is stored; it should be in C:\Windows\system32.
Dennis
Copy from website
If a process named csrss.exe is running on your computer, you may have been infected with a strain of the Ahlem.A worm.

csrss.exe is considered to be a security risk, not only because antivirus programs flag Ahlem.A Worm as a virus, but also because a number of users have complained about its performance.

Ahlem.A Worm is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of csrss.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.

CSRSS.EXE - Confusion
Csrss.exe is the Microsoft client server runtime which generates worker threads for client requests. The confusion over csrss.exe comes from Trojans or viruses that use the same executable name (.exe) as that of csrss.

Many spyware/malware programs use filenames of usual, non-malware programs.

The legitimate csrss.exe is part of the Microsoft client server software and is a very important part of the system which should not be removed.

If you think you have a virus you can upload the file here.

You can also download Dr.Web CureIt here.

I don’t know, I guess I’ll just ignore it. It just sounds odd to me that something is wanting to take a screenshot of my computer.

Here are two screenshots of what I have running:

There are two csrss.exe’s but both are in Windows\System32\ so I guess I’m safe.


I did do a full system scan and nothing came up by the way.

From the screenshots I presume you have Vista. I have two csrss.exe running, both together at the top.
Do not try to shut them down in the task manager as the website suggested; this only works for XP.
I tried and got a BSOD.
Dennis
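
The full-path check suggested in the replies above, written as a PowerShell sketch for a current Windows system (an added example, not part of the original thread; the column names in the output are chosen here). It lists every running csrss.exe, compares its image path with the System32 location named in the thread, and reports the file's Authenticode status.

```powershell
# Expected location of the genuine binary, as given in the thread.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

# Run from an elevated prompt: csrss.exe is a protected system process,
# so its image path can come back empty for a standard user.
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    $path = $_.ExecutablePath

    # Only query the signature when the path could actually be read.
    $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        ProcessId = $_.ProcessId
        SessionId = $_.SessionId
        Path      = if ($path) { $path } else { '<not readable, rerun elevated>' }
        # Case-insensitive compare: Windows reports the folder as
        # "Windows", "WINDOWS" or "windows" depending on the source.
        PathOk    = [bool]($path -and ($path -ieq $expected))
        Signature = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer    = if ($sig -and $sig.SignerCertificate) {
                        $sig.SignerCertificate.Subject
                    } else { '' }
    }
} | Format-Table -AutoSize
```

A row with `PathOk` set to `False` and a readable path is the case the replies describe: a process using the csrss.exe name from somewhere other than System32.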