RE: Winlogon.exe and csrss.exe infections
I’m running XP Pro, SP3. I noticed in Glarysoft Pro 3 under processes these two items, which appear to be Trojans from my research. One indicator is the executable path, which is not my normal system32 folder, which on my machine is the E:\WINDOWS\system32 folder. The infections have the same file name but with two question marks in front. They are also the only two processes that have high priority. My Windows system32 folder has the real winlogon.exe that is only 496kb versus the infection file which shows memory of 2554 kb. Same deal for csrss.exe, which is 6kb versus the infection at 2764kb. I read that malware files are much larger than the real Windows files.
Under the Windows Task Manager, they cannot be ended because they are “critical” system processes, nor could I end them in Glarysoft 3. Also, these are not showing up on the attached DDS log.
Also, are these processes legit, as they have no information:
System Idle Processes
I read another thread for troubleshooting winlogon.exe in this forum and ran Roguekiller as was suggested and have attached the report, but didn’t delete anything. Thought it might give an indication.
I’m running a trial version of Kaspersky Pure 3.0 and MBAM Pro, which hasn’t been automatically starting. A few weeks ago, I had to reinstall XP Pro, which is why it is on my E partition. I tried to restore a registry backup from Glarysoft, and when Windows tried to load it would get into a reboot loop. I figured I had nuked the registry.
The required dds and attach.txt logs are attached.