csrss and winlogon

Discussion in 'malware problems & news' started by Lucy85, Oct 3, 2006.

Thread Status:
Not open for further replies.
  1. Lucy85

    Lucy85 Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    27
    Good day. I recently found something suspicious when I opened Task Manager. Here's a screenshot:

    http://img139.imageshack.us/img139/8792/0000qy1.th.png

    And explorer.exe is in uppercase?

    Did a full system scan with Ewido/AVG anti-spyware and NOD32 but nothing was found. Hope someone can help me with this, thanks.
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    hello, Lucy!
    I found nothing wrong in your screenshot. Anyway, you could go to msconfig and see what you have in the startup field and additionally scan those files on VirusTotal. :)
     
  3. Lucy85

    Lucy85 Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    27
    Hi pykko, thanks for replying.

    I mean isn't it weird to have "??" in front of drive C? Plus, I don't remember explorer's exe being in uppercase. Both msconfig and services.msc don't show anything weird on startup entry.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    They appear to me like legit system files.
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Marcos, I actually changed my mind now. I've noticed the "??" which seems to me a virus-like behaviour. I know those are quick deleted files...

    I think it has those ?? to hide it from the OS and to run on startup. But perhaps I am wrong.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    There could be a simpler answer. Do you use a localized version of Windows? Is your username in local language? It could be as simple as that.
    Mrk
     
  7. Lucy85

    Lucy85 Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    27
    No, I'm using the English version of Windows XP Pro SP1. My account username is by default "user".

    It's weird that only csrss and winlogon are like that, the other processes in system32 folder are in the correct path. Did another full system scan but NOD32 and AVG Anti-spyware still found nothing.
     
  8. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Nothing wrong with your system, it's normal that these 2 processes have \??\ in front of the path.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    And Windows is "case non-sensitive" so explorer.exe and EXPLORER.exe are the same since they can't co-exist in the same folder/directory.

    Regards,

    Pieter
     
  10. Lucy85

    Lucy85 Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    27
    Guess I was just being paranoid :p

    Thank you all for helping.
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    No problem. It's better to ask than to keep on going in insecurity. :)
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, nice to see Lucy is all right. :)
     
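Added example (not part of the thread and not any poster's code): a small triage check that applies the two points made in the replies above, that a leading `\??\` on the csrss/winlogon path is normal and that file names are case-insensitive, before comparing an image path with where the file is expected to live. The function names, the `C:\WINDOWS` system root and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumption: Windows is installed in C:\WINDOWS (the XP default).
SYSTEM_ROOT = r"C:\WINDOWS"

# Expected image directory per process name (keys are lower-case).
EXPECTED_DIR = {
    "csrss.exe": SYSTEM_ROOT + r"\system32",
    "winlogon.exe": SYSTEM_ROOT + r"\system32",
    "explorer.exe": SYSTEM_ROOT,
}

def normalize_image_path(path, system_root=SYSTEM_ROOT):
    """Reduce an image path from a process list to a comparable form."""
    p = path.strip().strip('"').replace("/", "\\")
    if p.startswith("\\??\\"):
        # \??\ is the NT object-manager prefix for DOS device names
        # such as drive letters; it is not part of the file name.
        p = p[4:]
    elif p.lower().startswith("\\systemroot\\"):
        # \SystemRoot is an NT symbolic link to the Windows directory.
        p = system_root + p[len("\\systemroot"):]
    # normpath collapses ".." segments; lower() because Windows file
    # names are case-insensitive (EXPLORER.EXE == explorer.exe).
    return ntpath.normpath(p).lower()

def classify(path):
    """Return 'expected', 'unexpected' or 'unknown' for an image path."""
    norm = normalize_image_path(path)
    expected = EXPECTED_DIR.get(ntpath.basename(norm))
    if expected is None:
        return "unknown"  # process name not in the table above
    return "expected" if ntpath.dirname(norm) == expected.lower() else "unexpected"

# Constructed sample paths, in the style of a Task Manager image-path column.
SAMPLES = [
    r"\??\C:\WINDOWS\system32\csrss.exe",
    r"\??\C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\EXPLORER.EXE",
    r"C:\WINDOWS\system32\..\Temp\csrss.exe",
    r"\SystemRoot\System32\smss.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):<10} {sample}")
```

A system process name running from a directory other than the expected one is what deserves a closer look; the prefix and the letter case by themselves are not.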