Suspiciously behaving processes (csrss.exe and others)
Hi, I have some processes that appear to be suspicious. I know csrss.exe is a critical Windows process, but I am concerned that the process has been replaced by a worm or virus. One reason is that I cannot open the process location, not with Task Manager and not with Process Explorer, which I downloaded from MS. However, when I start Windows in safe mode I can. The same is true for a few other processes like winlogon.
I was wondering how I could verify that these were the original executables that were running when in normal mode, and not some other processes that are taking over, if I cannot open the process location.
Thanks for your help
Ron
August 11th, 2011 4:34am

Hi Cathal, I ran the procedure successfully and got a message that some corrupt files were fixed. It produced a file called CBS.log. The problem is that I don't know what to look for in the file (it is quite massive).
I also installed Process Explorer. When I view csrss.exe, for example, in Process Explorer I can't find the location of the process and all the properties are blank (I can only see them in safe mode). This is not the case for most of the processes, for which I can see the properties and the location of the exe file. The processes which are "blank" are atieclxx.exe, audiodg.exe, csrss.exe, lsm.exe, services.exe, smss.exe, wininit.exe, winlogon.exe and WUDFhost.exe.
Would appreciate more help
Thank you very much
Ron
August 12th, 2011 11:16am

Hi Cathal, that seemed to work :o) I was concerned since I downloaded a viewer for streaming movies and it messed up the antivirus. I managed to uninstall it, but I was not sure whether it had already infected any files and become friends with the AV. If the executables are of different sizes than mentioned online, should that be a cause for concern?
Thanks again
Ron
August 16th, 2011 6:40am

Thanks a lot Cathal, will follow the procedure you recommended.
Regards
Ron
August 17th, 2011 4:49am

Thanks a lot, gentlemen, for sharing your conversation - it helped me a lot when doing a sanity check on my security. I also realized that I could not see the location or user name on csrss.exe - I run Windows 7.
First I tried 'sfc /scannow', but the prompt told me: You have to be an administrator running a console session - hmm, I only have one account on the PC and that is the administrator account - the guest account is deactivated.
OK - so I downloaded Process Explorer and checked my processes - I found that I have 2 csrss.exe listed in Process Explorer, both of them are located at C:\Windows\System32\csrss.exe - and both of them say verified when I click the verify button under properties.
Should I worry about this? Or is it OK?
Niels
September 8th, 2012 9:27pm
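
The check the posters did by hand in Process Explorer (image location plus "Verify") can also be scripted. The following is an added example, not part of the original thread; it assumes an elevated PowerShell 3.0 or later prompt and that genuine copies of the listed binaries live directly in `%windir%\System32`.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Process names are the ones the posters listed (spelling normalised).
$names = 'csrss.exe', 'lsm.exe', 'services.exe', 'smss.exe',
         'wininit.exe', 'winlogon.exe', 'audiodg.exe'

# Assumption: the genuine binaries live directly in %windir%\System32.
$expectedDir = Join-Path $env:windir 'System32'

# Windows starts one csrss.exe per session, so two rows for it
# (session 0 and the interactive session) are normal.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $path      = $_.ExecutablePath
        $sigStatus = $null
        $signer    = $null

        if (-not $path) {
            # Without elevation the image path of system processes is hidden,
            # which is also why the properties look blank in a non-elevated tool.
            $verdict = 'PATH UNAVAILABLE (prompt not elevated?)'
        }
        else {
            $sig       = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            # String comparison with -eq is case-insensitive in PowerShell.
            $inExpectedDir = (Split-Path -Path $path -Parent) -eq $expectedDir

            if (-not $inExpectedDir)       { $verdict = 'REVIEW: unexpected location' }
            elseif ($sigStatus -ne 'Valid') { $verdict = "REVIEW: signature $sigStatus" }
            else                            { $verdict = 'OK' }
        }

        [pscustomobject]@{
            Name      = $_.Name
            PID       = $_.ProcessId
            Session   = $_.SessionId
            Path      = $path
            Signature = $sigStatus
            Signer    = $signer
            Verdict   = $verdict
        }
    } | Format-List
```

Before PowerShell 5.1, `Get-AuthenticodeSignature` does not check catalog signatures, so catalog-signed system files can report `NotSigned` there; Process Explorer's Verify button is the better check on those systems.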

This topic is archived. No further replies will be accepted.
