Csrss.exe: The Client Server Runtime Subsystem process, also known as the Win32 subsystem, generates a worker thread for client requests.
Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.
some virus makers know of this, and will bind a virus to this program, or rename their virus to CSRSS.exe (so you won't think it is a virus)
You should check the particular .exe, and see whether or not it contains a virus.
If you want to know if a file, such as csrss.exe, is legitimite or not, a good hint is the "Date modified" information you can view when performing a search on the filename on your hard drive.
If you suspect a file has started trying to access the network illegally in recent days, the file may have been modified by a virus just prior to the date when this unwarranted activity started.
Be careful when you use this test!
If you recently patched your system, the "Modified date" on the file will correspond to the date a file may have been changed by the software editor in order to correct a problem.
The person writing the virus may also be aware of the date the file was last modified by the software editor and try to fool you into believing the file is legitimite. This could be done if the hacker is aware of the date the software vendor last changed the file and makes the the "Modified date" on the infected file correspond to it. A little far fetched, but possible.
A few known viruses and worms attach themselves to (overwrite) windows executable services.
Here's a report by Symantec about the virus/worm Nimda:
*securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html
It seems to copy itself as Csrss.exe in the windows folder (the good one is under system32)
I think Blaster also behaves similarly... If you have your reasons to believe there's a virus there, then you're probably right...
Keep an antivirus close to you at all times! Here's a very nice removal tool from McAfee that takes care of most of the latest threats: Stinger
LSASS.EXE:: Local Security Authentication Server (LSASS.EXE). This is the LSA server. During user authentication, the WINLOGIN process will interact with the LSASS process. LSASS implements the user space part of the authentication procedure for accessing objects, interacting with the Executive Security Reference Monitor mechanism.
If you're having problems with LSASS.EXE then please read the informations about the worm "W32/Sasser":
*vil.nai.com/vil/content/v_125007.htm
In this context you could find avserve.exe on your system
NVSVC32.EXE :: nvsvc32.exe is a process that belongs to the NVIDIA graphics card drivers (Detonator).
SERVICES.EXE :: This is the Services Control Manager, which is responsible for running, ending, and interacting with system services.
SMSS.EXE :: This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
WMIPRVSE.EXE :: Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. By using industry standards, managers can use WMI to query and set information on desktop systems, applications, networks, and other enterprise components. Developers can use WMI to create event monitoring applications that alert users when important incidents occur.
wuauclt.exe :: Windows Update AutoUpdate Client. Background process which checks with Microsoft website for updates to the operating system. Shows up on the Task Manager's processes list when it is waiting for a response, e.g. to confirm permission to download an update.