Windows Defender Detecting Trojan

I downloaded a book file yesterday and it got saved in DVD drive E. When I opened it, it asked to run it to view files and I did it. After a few hours Windows Security was popping up saying threat detected and I ejected the file, but Windows Security is still popping up and it's saying it's a Trojan virus, and after doing many scans it's still the same. What to do?

Please help!

[Original Title: trojan virus]

Are you using Windows 10?

Run Windows Defender and run a full system scan with it.

When Windows Defender detects any malware, it should show the location too, please post back the location of malware and name of the malware.

5 people found this reply helpful


Thank you so much for your reply!!

Yes, I'm using Windows 10. I did a full system scan; it showed a Trojan virus located in Windows System32. My friend suggested using Malwarebytes, so I installed it and did a full scan. It detected the Trojan virus and quarantined it, and I got it deleted and ran a full system scan with Windows Security, and now it's showing no threat.

But I'm still confused whether it removed the virus or not, because in the history of Malwarebytes it says that the Trojan.glupteba.e - removal failed

One more question: there are two csrss.exe in Task Manager, but when I open the file location of these two it's showing the same file in Windows System32. When I searched online, it says there should be one csrss.exe, and if there are more it may be a Trojan. Is it true?

1 person found this reply helpful


Hi V.KArchana,

MalwareBytes only failed to quarantine that part of your threat that resides within the "System" arm of your Registry. Perhaps, if you ran it in Safe Mode, it might be able to quarantine that too.

If you explore C:\Windows\System32, can you physically see two instances of csrss.exe? If a second one is here, or someplace else, the Trojan has probably not been completely remediated.

Can you expand the "Location" in the Detection History of MalwareBytes, to include the complete address of the Registry key? (HKLM\System\...what). This may provide information regarding the location of part of this Trojan.

A Windows Defender Offline scan may be of help as well, since it runs outside the confines of the Operating System.

Good luck,  Glen

1 person found this reply helpful


Thank you so much for your reply!

I ran my PC in Safe Mode and scanned with Malwarebytes, and nothing got detected; it says no threat found. I did a Windows Security scan, but it just showed like this in Safe Mode.

For the csrss.exe, when I open the location of the two files it only shows the same csrss.exe in Windows System32.

the location in the Detection History of Malwarebytes is

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{DD0786B-1276-4F95-8FB1-A16CF7C18592}

1 person found this reply helpful


I'll answer only the csrss.exe question to keep you from continuing to waste time on this, since it's a non-issue that's been discussed literally millions of times in these and other reputable forums over the years.

The following article discusses what csrss is and does, as well as displays the most commonly seen 2 instances of csrss within the Task Manager screen at the beginning of the article.

What Is Client Server Runtime Process (csrss.exe), and Why Is It Running On My PC?

However, though it mentions that 2 or more instances may exist, it doesn't appear to indicate precisely why.

The reason is that the first copy of the file is opened by the SYSTEM process as the operating system first boots, while the second (and any succeeding instances) are opened as the PC user(s) open the first and any additional interactive sessions (e.g. logins) on that same computing device.

In other words, multiple instances of csrss referring to either the exe or dll are always normal; it's only the location of the copies of that file that matters, since if any aren't located in Windows\System32 on the primary operating system drive, then they're immediately suspect as potential malware.

Since you've repeatedly mentioned both of yours are located in that system32 folder, you can safely ignore this often confused situation as normal.

The Malwarebytes detection of a shared instance of a firewall policy in the registry seems worth exploring though, since it's been called out as questionable by reputable anti-malware apps.

Rob

3 people found this reply helpful
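The check described in the reply above (several csrss.exe instances are normal, one per session, and the image location is what matters), as an added PowerShell example that is not part of the original thread. The signature column is an extra check added here, and the function name is hypothetical.

```powershell
# Added example: list every csrss.exe process with its session and image path,
# and flag any whose path is not %SystemRoot%\System32\csrss.exe.
function Test-CsrssInstance {
    $expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'" |
        ForEach-Object {
            $path      = $_.ExecutablePath
            $signature = $null

            if ([string]::IsNullOrEmpty($path)) {
                # csrss.exe is a protected system process; the path may come back
                # empty when the query is not run from an elevated prompt.
                $verdict = 'Unknown: path not readable, rerun elevated'
            }
            else {
                # Windows binaries should carry a valid Microsoft signature.
                $signature = (Get-AuthenticodeSignature -FilePath $path).Status
                if ($path -ine $expected)       { $verdict = 'SUSPECT: unexpected location' }
                elseif ($signature -ne 'Valid') { $verdict = 'SUSPECT: signature not valid' }
                else                            { $verdict = 'OK' }
            }

            [pscustomobject]@{
                ProcessId = $_.ProcessId
                SessionId = $_.SessionId   # 0 = services session, 1+ = interactive logons
                Path      = $path
                Signature = $signature
                Verdict   = $verdict
            }
        }
}

Test-CsrssInstance | Format-Table -AutoSize
```

Two rows with different SessionId values and the same System32 path match the normal situation the reply describes.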


Thank you so much for your information about csrss.exe

But what about the Trojan removal failed one?

1 person found this reply helpful


I'm not skilled in malware removal without the use of common tools like Malwarebytes and Windows Defender which you've already tried, so I'll leave that to either Glen or someone else.

I just didn't want you focusing efforts on csrss when that clearly wasn't causing the issues.

As a side note, I tried searching for that entire registry string as well as just the hex identifier portion at the end and was unable to find anything specific to these online.  However, the searches did find multiple cases of other detections with similar strings by both AdwCleaner and Malwarebytes that were either false positive or at least questionable detections, in many cases unable to be clearly resolved.

That doesn't mean they weren't related to malware, but if no other files or related malware detections occur, at most this particular detection should indicate the existence of a firewall rule that allowed access through by some app.  If that app no longer exists, then it may not matter, but I'll leave that particular question to others as well, since I have no specific experience with these either.

My preference is to avoid malware in the first place and since a particularly destructive incident with Windows 95 where the operating system was wiped out, but data still able to be recovered, I've generally managed to do just that.

Rob

2 people found this reply helpful


Hi V.KArcharna,

Sorry for the delay, but I had to get some sleep. Looks like Rob has explained most of what I have uncovered as well.

Regarding the failure when you tried to run Windows Defender: Windows Defender will not function in Safe Mode. What you saw is how it normally reacts when you try it.

As Rob said, the Registry Key points to a Firewall rule. May or may not be significant. I do not have that particular key. If curious, you should navigate to yours, and see if it does only describe a Firewall rule. Rest the cursor on the right side of the key.

Since MalwareBytes in Safe Mode ran clean, it is fairly certain that your Trojan has been remediated. For peace of mind, you may want to run a scan with "Windows Defender Offline". It tests your PC outside of the Operating System, so the malware cannot influence the outcome. Plus it uses the same signatures that saw the Trojan in the first place. The results from Windows Defender are available in "Protection History", only if it discovers malware.

Regards,  Glen

1 person found this reply helpful
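One way to do the inspection suggested above from PowerShell instead of Registry Editor, as an added example that is not part of the original thread: it decodes a value under the FirewallRules key into named fields and reports whether the program the rule refers to still exists. The function names and the sample rule string are constructed for illustration.

```powershell
# Added example: decode one value under the FirewallRules key into readable fields.
$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function ConvertFrom-FirewallRuleString {
    param([Parameter(Mandatory)][string]$Rule)

    # Stored form: "<version>|Key=Value|Key=Value|...|"
    $parts  = @($Rule.Split('|') | Where-Object { $_ -ne '' })
    $fields = [ordered]@{ Version = $parts[0] }

    foreach ($part in ($parts | Select-Object -Skip 1)) {
        $key, $value = $part.Split('=', 2)
        # Some keys (for example remote address entries) can repeat; join them.
        if ($fields.Contains($key)) { $fields[$key] = "$($fields[$key]),$value" }
        else                        { $fields[$key] = $value }
    }
    [pscustomobject]$fields
}

function Get-FirewallRuleDetail {
    param([Parameter(Mandatory)][string]$ValueName)

    # Throws if the value is gone, e.g. after a successful cleanup.
    $raw  = Get-ItemPropertyValue -Path $RulesKey -Name $ValueName -ErrorAction Stop
    $rule = ConvertFrom-FirewallRuleString -Rule $raw

    # App may contain variables such as %SystemRoot%; expand before testing.
    $app    = [Environment]::ExpandEnvironmentVariables([string]$rule.App)
    $exists = [bool]($app -and (Test-Path -LiteralPath $app))
    $rule | Add-Member -NotePropertyName AppExists -NotePropertyValue $exists -PassThru
}

# Constructed sample value (not taken from the thread) showing the decoded fields:
$sample = 'v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Example\app.exe|Name=Example rule|'
ConvertFrom-FirewallRuleString -Rule $sample | Format-List

# On the affected PC, pass the value name exactly as Malwarebytes reported it:
# Get-FirewallRuleDetail -ValueName '<value name from Detection History>' | Format-List
```

An Allow rule whose App path no longer exists (AppExists is False) corresponds to the leftover-rule case mentioned earlier in the thread.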


 
 

Question Info


Last updated April 19, 2025 Views 4,708 Applies to: