CSRSS.exe is indeed an MS process. However it is also a trojan. One form of this trojan installs a client that looks up its server and advertises an "Anti Spyware" message through Messenger. (Not to be confused with MSN Messenger or Windows Messenger).
CSRSS386.exe is definitely a spyware executable as far as I can tell. The best way to determine whether you have spyware is to stick on a firewall like ZoneAlarm which should tell you what programs are trying to reach the internet.
In order to eliminate the threat of spyware, either use an anti spyware program like Ad-Aware or filter through your drives and registry searching for keywords like csrss.exe etc.
Be careful not to delete valid keys from your registry, otherwise you will corrupt your OS and your PC will probably end up doing all sorts of weird things like autoshutdowns and BSD.

csrss386.exe is similar to W32.IRCBot.D (http://securityresponse.symantec.com/avcenter/venc/data/w32.ircbot.d.html). We saw this on 2 of our machines last week (11/23/2004) and were unable to find any info on it (absolutely 0 Google hits, nothing at Symantec). It does the following:
1) adds itself to various Run keys in the registry (search the registry for csrss386.exe) (see link above)
2) scans the network for servers on port 445 (microsoft-ds), I assume so it can spread itself via Windows sharing
3) deletes the admin shares (see link above)

To fix: find the exe and rename it to *.old, and remove the Run keys from the registry. At least this fixed it for us.

... and to restore the admin shares, either restart, or run the following:
net share c$
net share ipc$
net share admin$
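
An added example, not part of the original posts: a small triage script for the Run-key check described above, run over saved `reg query` output from the affected machines. The sample text, value names and paths are constructed, and the default `C:\WINDOWS` system root is an assumption.

```python
import ntpath
import re

# One value line of `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")
SYSTEM32 = r"c:\windows\system32"  # assumption: default %SystemRoot%

# Constructed sample of collected `reg query` output (names and paths are made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Windows Update    REG_SZ    C:\WINDOWS\system32\csrss386.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    svc    REG_SZ    "C:\Documents and Settings\user\csrss.exe" -start
"""

def exe_path(command):
    """Return the executable part of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]

def suspicious_run_entries(reg_output):
    """List (key, value name, path, reason) for csrss-like autostart entries."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if not match:
            continue
        path = exe_path(match.group("data"))
        base = ntpath.basename(path).lower()
        if not base.startswith("csrss"):
            continue
        if base != "csrss.exe":
            reason = "lookalike name"
        elif ntpath.dirname(path).lower() != SYSTEM32:
            reason = "csrss.exe outside System32"
        else:
            reason = "real csrss.exe is started by smss.exe, not a Run key"
        findings.append((key, match.group("name"), path, reason))
    return findings

if __name__ == "__main__":
    for finding in suspicious_run_entries(SAMPLE):
        print(" | ".join(finding))
```

Any `csrss*` entry in a Run key is worth a look, since the genuine process is launched by the Session Manager rather than from an autostart key.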
