I have more than one cmd.exe (Windows Command Processor) running in Task Manager Processes. Sometimes there are more than five running and this makes the CPU run at 100%. When I end all the cmd.exe the CPU usage drops to less than 15%. This started only a few days ago. No software or hardware changes made. HP Notebook, Vista Home Premium.
Any idea about this? Does anyone know how to control the Task Manager Processes, as System Configuration (msconfig) gives only very few options to disable the startup items?
cmd.exe in Task Manager Processes
Download Process Explorer at http://www.microsoft.com/techn.....lorer.mspx
Process Explorer lists more information than Task Manager does.
Open Process Explorer and double click on one of the cmd.exe processes.
This will list more on what the process is for.
You can select some text, right click and copy it.
Do that for the "Command Line", "Current Directory" and "Parent" fields and reply with those values.
Santo, you might have a virus. See where your cmd.exe is located. If it is in the C:\windows\system32 folder, then you are OK. If it is in a subfolder of C:\windows\system32 or in C:, then you have a problem. Do all the virus scanning you have available. I would also recommend cleaning up the registry. CCleaner (for free from the web) works well.
You may also want to download and run Process Explorer. That will show you which processes are chewing up your CPU.
Hi jd2066,
The values are given below.
Path: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist C:\Users\santo\AppData\Local\Temp\csrss.bat call C:\Users\santo\AppData\Local\Temp\csrss.bat
Current directory: C:\Recycler\Recycler\
Parent: lsass.exe(3852)
====
Hi whs, I have CCleaner and have done a complete scan for viruses and spyware. Found nothing.
While writing this there were two cmd.exe and the CPU was at 100%; I killed them both and CPU usage became less than 10% immediately.
Thank you all in advance. Waiting for further steps from jd2066.
That's interesting.
Something is causing lsass.exe (normally handles local login security and policies) to run a batch file with cmd.exe that's named csrss.bat (no idea what it is for, but it's fishy as its name is similar to csrss.exe, a normal process) out of a temp folder with an odd current directory.
So far a Google search hasn't turned up much for csrss.bat but this certainly appears to be some kind of malware.
Try opening Notepad, open C:\Users\santo\AppData\Local\Temp\csrss.bat, copy what is in it and then paste it in a reply.
I'll then see if the contents have a clue to what it is.
I found this reference
files such as sys0ption.bin; the contents of csrss.bat are as follows:
@echo off
:loop
del c:\windows\system32\inetsrv\csrss.exe
if exist "c:\windows\system32\inetsrv\csrss.exe" goto loop
copy c:\windows\system32\inetsrv\Update\csrss.exe c:\windows\system32\inetsrv\csrss.exe
del c:\windows\system32\inetsrv\Update\csrss.exe
cd c:\windows\system32\inetsrv\
csrss
del %0
Hi jd2066,
When I open the csrss.bat it runs in a command prompt window (C:\Windows\system32\cmd.exe). The following command runs continuously; the only way to terminate it was by Ctrl+C:
C:\Users\santo\AppData\Local\Temp>C:\Users\santo\AppData\Local\Temp\csrss.bat
Any idea about this?
Is it something to do with malware or spyware?
Sorry, my message wasn't entirely clear.
Here are more details on what I said:
1. Click Start.
2. Type notepad in the search box and press enter.
3. Click file and then click open.
4. In the file name box paste in C:\Users\santo\AppData\Local\Temp\csrss.bat and click open.
5. Click edit and click "Select All".
6. Click edit and click "Copy".
Then in a reply to this message paste that.
I think the batch file may be part of some spyware, and I think that seeing the contents may help me figure out what it is so I can find out how to remove it.
Hi here is what I got when I followed your instructions. The same path is repeated several times and I have pasted all that I got from the notepad. Wondering why the same is repeated over several times.
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
C:\Users\santo\AppData\Local\Temp\csrss.bat
That is odd. It appears the csrss.bat batch file is calling itself over and over again in an infinite loop.
I can only assume for the purpose of using all your cpu and possibly crashing the machine.
Unfortunately while we now know what it does, we still don't know how the file got there and what is causing it to start in the first place.
Try opening Windows Explorer and opening the folder C:\Recycler\Recycler and reply back with what is in there.
I'll try doing some Google searches on batch files and infinite loops and see what I can find.
In C:\Recycler\Recycler there is one Autolaunch.exe (File Version:1.0.47.2 Date Created:09-01-2008 8:11 Size:200 KB)
and the other one is Isass.exe (File Version:1.0.47.2 Date Created:09-01-2008 8:10 Size:200 KB)
I have noticed in Process Explorer that all the cmd.exe are listed below the Isass.exe, and when I kill the Isass.exe all the cmd.exe go away and the CPU usage comes down to below 10%.
I did a complete scan with the latest Kaspersky Anti virus and found nothing.
Should I delete those two files?
I'd try 'Regedit'; then search for csrss.bat. If you find a key named accordingly, delete it. If you can't find it in the Registry, then try MSConfig to search 'Win.ini', 'System.ini', and 'Autoexec' (.bat and .nt).
I bet you'll find it there, then just delete the entry. It's just a bogus batch program running forever (doesn't appear to be damaging), just eats up resources.
No, that won't remove the file from the computer. Use the Windows 'SEARCH' function, and search the entire computer for the file, then delete all instances. Empty the recycle bin when you're done. If you want to keep a copy, before deleting it, copy it to a location of your choice. Probably re-name it to keep from accidentally executing it again! Rename it something like 'CSRSS-NUSIANCE.TXT'
@Lighthouse: We do know what is in that batch file, it's a bunch of lines calling itself over and over to apparently eat up the CPU.
@Santo: I see what is happening now. The batch file is being launched from a fake Isass.exe file called by Autolaunch.exe and that file is probably being launched on startup.
Here is how to remove the startup entry:
1. Click start.
2. Type msconfig in the search box and press enter.
3. Click continue.
4. Click the startup tab.
5. Look for an item that has a command line starting with C:\Recycler\Recycler and uncheck it.
6. Click ok.
Now open C:\Recycler in Windows Explorer and delete the Recycler subfolder.
Also delete the csrss.bat file.
@whs: In one of Santo's posts above it said "I did a complete scan with the latest Kaspersky Anti virus and found nothing."
Yes, there is a chance that Santo could have more malware than that, but since nothing else seems to be wrong I didn't think there was a need to do something about it.
I suppose Santo could run a scan with Housecall and Spybot just to be sure, but even then it's hard to say, as new malware comes out all the time that security software people haven't found yet.
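The checks this thread works through by hand (a system process name running from the wrong folder, a look-alike name such as Isass.exe, and a script named after a system binary), written out as an added example that is not part of the original thread. The process records are constructed from values quoted in the posts; the list of system names and the look-alike character map are assumptions.

```python
import ntpath

# Assumed list of core Windows processes that should only run from System32.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIR = r"c:\windows\system32"
# Assumed look-alike map: capital I or digit 1 standing in for l, digit 0 for o.
LOOKALIKE = str.maketrans({"I": "l", "1": "l", "0": "o"})
SCRIPT_EXTS = (".bat", ".cmd")

def normalize(name):
    """Fold look-alike characters, then lowercase: 'Isass.exe' -> 'lsass.exe'."""
    return name.translate(LOOKALIKE).lower()

def findings(proc):
    """Return the reasons a process record looks like it is masquerading."""
    reasons = []
    name = ntpath.basename(proc["path"])
    folder = ntpath.dirname(proc["path"]).lower().rstrip("\\")
    if name.lower() in SYSTEM_NAMES:
        # Real name, so the only question is where the image lives.
        if folder != SYSTEM_DIR:
            reasons.append(f"{name} runs outside System32: {folder}")
    elif normalize(name) in SYSTEM_NAMES:
        reasons.append(f"{name} imitates {normalize(name)}")
    # A script borrowing a system binary's name, e.g. csrss.bat on a command line.
    for token in proc["cmdline"].replace('"', " ").split():
        base = ntpath.basename(token).lower()
        stem, ext = ntpath.splitext(base)
        if ext in SCRIPT_EXTS and stem + ".exe" in SYSTEM_NAMES:
            reasons.append(f"script {base} borrows a system process name")
            break
    return reasons

# Constructed records; paths and the cmd.exe command line are taken from the posts.
SAMPLE = [
    {"path": r"C:\Windows\system32\lsass.exe", "cmdline": r"C:\Windows\system32\lsass.exe"},
    {"path": r"C:\Recycler\Recycler\Isass.exe", "cmdline": r"C:\Recycler\Recycler\Isass.exe"},
    {"path": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c if exist "
                r"C:\Users\santo\AppData\Local\Temp\csrss.bat call "
                r"C:\Users\santo\AppData\Local\Temp\csrss.bat"},
]

def scan(records):
    """Map each flagged image path to its list of reasons."""
    return {r["path"]: f for r in records if (f := findings(r))}

if __name__ == "__main__":
    for path, why in scan(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

On a live machine the same records can be built from any process listing that exposes the image path and command line, as Process Explorer does.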
