Unable to end/remove a process I think is a keylogger


Others have asked Microsoft the same question; see the link below.

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/os-remediation-system-service/671c62b2-705a-44c1-870d-e1ed6555be37

Quote from the above webpage: "OS Remediation System Service is a legit service from Microsoft included in KB4056254 update. We are still looking for additional documentation that shows the full description of the service. In the meantime, you can check this link about the update where osrss is included."

Link on OSRSS https://support.microsoft.com/en-us/help/4056254/windows-10-update-facilitation-service


Author: TheJarrHead

Updated on September 18, 2022

Comments

  • TheJarrHead
    TheJarrHead over 1 year

    I have a suspicion that the process "OSRSS", shown below, is some sort of virus, although I believe it is more specifically a keylogger.

    (Image: The process called OSRSS)


    When I check its file location, it directs me to "C:\WINDOWS\System32\svchost" which, as far as I can tell, is a legitimate file in its proper location. When I go to end the task via Task Manager, however, I am denied access as the image below shows.

    (Image: Being denied access to end the task)

    I have scanned it with both Kaspersky and Malwarebytes, and both tell me the file "svchost" in the location stated is virus-free. However, I feel that they are incorrect, as I checked several other Windows 10 computers and none of them have a process called "OSRSS".

    I believe that this issue occurred when a video game called "Old School Runescape", along with various related programs I'm told, was downloaded to the computer. I've since then uninstalled anything downloaded in the past several days that I could easily find. It is my belief, and perhaps a paranoid one, that this "OSRSS" loosely ties into this video game "Old School Runescape", or "OSRS".

    My question effectively breaks down into three parts:

    1. Would both Malwarebytes and Kaspersky guarantee my computer is fine, and I'm just being paranoid?
    2. How would I remove this process from my computer entirely, assuming it is a virus?
    3. In a worst-case scenario, would resetting my computer to factory default solve this problem, or is this keylogger embedded in the files needed to run Windows, preventing this from being a solution?
    • Jeff Zeitlin
      Jeff Zeitlin over 6 years
      What research have you done toward this? I quickly found bleepingcomputer.com/startups/ctfnom.exe-12370.html which suggests where to look for it, and that in turn should suggest ways to get rid of it - perhaps booting up in safe mode and then logging in as the computer administrator will allow you to clear it out.
    • Daniel B
      Daniel B over 6 years
      What you’re looking at is a service host. The actual process is in the “Details” tab. Because it runs as a service, you cannot stop it without Task Manager running elevated. If you don’t stop the service, it will most likely also restart automatically.
    • Henke
      Henke over 3 years
      svchost.exe is absolutely necessary for your Windows OS. Don't try to remove it!
    • Henke
      Henke over 3 years
      About osrss.exe: This is an undesirable program. You can also remove KB4023057 and KB4056254 (Publisher - Microsoft Corporation) if you have any of those installed. They are unnecessary. And worse: likely to cause problems, such as eating up your CPU. An easy way to remove KB4023057 is to open cmd.exe as admin and run: wusa /uninstall /kb:4023057. You will have to restart your computer.
    • Henke
      Henke over 3 years
      Recommended reading: askwoody.com/tag/kb-4023057.
  • DrMoishe Pippik
    DrMoishe Pippik over 6 years
    You can also use Sysinternals' (now part of MS) Autoruns to disable the service. Run Autoruns as Administrator.
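Putting together the answer above (OSRSS is the "OS Remediation System Service" shipped by a Microsoft update) and the comments from Daniel B, Henke and DrMoishe Pippik (it is a service behind a service host, so it needs an elevated session to stop, will restart unless disabled, and can be removed by uninstalling the KB), here is an added PowerShell example that is not code from the original post or its answers. It assumes an elevated PowerShell session on Windows 10 and that the service is registered under the name osrss, the name the answer uses; the KB numbers are the ones Henke's comment names. It first shows which binary the service really loads and who signed it, which is the check a practitioner would want before deciding whether a process named OSRSS is Microsoft's or something impersonating it, and only then stops and disables it.

```powershell
# Added example, not from the original question or answers. Assumes an
# elevated PowerShell session on Windows 10 and a service named "osrss"
# (the name used in the accepted answer). Everything else is stock tooling.
#Requires -RunAsAdministrator

$ServiceName = 'osrss'

# 1. Resolve the service to the process that hosts it and the command line
#    it runs. Task Manager only shows a generic svchost.exe for hosted
#    services, which is why "open file location" pointed at svchost.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Host "No service named '$ServiceName' is registered on this machine."
    return
}

Write-Host "Display name : $($svc.DisplayName)"
Write-Host "State        : $($svc.State)  (start mode: $($svc.StartMode))"
Write-Host "Host PID     : $($svc.ProcessId)"
Write-Host "Command line : $($svc.PathName)"

# 2. For svchost-hosted services the real code lives in a DLL named under
#    the service's Parameters key; a standalone service has its own EXE.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$dll = (Get-ItemProperty "$regPath\Parameters" -ErrorAction SilentlyContinue).ServiceDll
$exe = $svc.PathName -replace '^"?([^"]+\.exe).*$', '$1'   # strip quotes and arguments

# 3. Check the Authenticode signature of whatever actually gets loaded.
#    A genuine Microsoft component is signed by Microsoft; an unsigned or
#    differently signed file sitting in this role would be the real red flag,
#    far more than an unfamiliar service name.
foreach ($file in @($dll, $exe)) {
    if (-not $file) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($file)
    if (-not (Test-Path $path)) { Write-Host "Missing on disk: $path"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Host ("{0}`n  Signature: {1}`n  Signer   : {2}" -f $path, $sig.Status, $sig.SignerCertificate.Subject)
}

# 4. Stop and disable the service. This is the step Task Manager refused:
#    it needs an elevated token. Disabling the start type is what prevents
#    the Service Control Manager from simply restarting it.
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
Set-Service  -Name $ServiceName -StartupType Disabled
Write-Host "Service '$ServiceName' stopped and set to Disabled."

# 5. To remove the service entirely, uninstall the updates that ship it
#    (KB numbers from the comments above). A reboot is required afterwards.
#    Uncomment to run:
# wusa.exe /uninstall /kb:4023057
# wusa.exe /uninstall /kb:4056254
```

Run it as `.\check-osrss.ps1` from an elevated prompt (the `#Requires` line makes it refuse to run otherwise). If step 3 reports a valid signature from Microsoft for the loaded file, the process is the update component the answer describes; if the file is unsigned, signed by someone else, or missing from disk, treat it as hostile and keep the step 4 result in place while you investigate further.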