What is This

Discussion in 'adware, spyware & hijack cleaning' started by Retboilrweldr, Mar 4, 2004.

Thread Status:
Not open for further replies.
  1. Retboilrweldr

    Retboilrweldr Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    2
    First let me introduce myself: Ken Ketcherside, Retiree, living in Seattle, avid user of your software to keep out spyware.
    Next, my problem: somehow, while surfing the web yesterday, a file named csrss.exe got downloaded into my Windows folder. I found another, csrss_2.dll, in my Windows/Temp folder and another named csrss.lgc in my Windows/Applog folder. Properties reveals the name Westronix holdin... I have isolated all three and placed them in a folder named What Is This. Wordpad reveals that the .dll apparently sends emails with some kind of reports.
    I suspect that they are part of a back door or spy prog. Can I send them in an email to you? All have been scanned and are free of viruses.
    Aloha
    Ken
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Retboilrweldr,

    Don't delete everything you found. Depending on the location where csrss.exe was running from, this could be several things:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hale.html
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sokacaps.html
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.gutta.html
    http://www.symantec.com/avcenter/venc/data/w32.ahlem.a@mm.html

    And then there is the legitimate file with the same name:
    http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/

    You can find several online scans here:
    http://www.wilders.org/free_services.htm
    At Kaspersky and DrWeb you can upload separate files, which might save you some time. Keep us posted.

    Regards,

    Pieter
     
  3. Retboilrweldr

    Retboilrweldr Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    2
    Pieter_Arntz:
    Thank you for your quick and thoughtful reply. I have carefully checked each of the links you provided and do not believe my instance is a legit file because it refers to an unknown company in Cape Town, S. Africa with whom I have never had any dealings. Further, I believe it is a new worm or at least a backdoor. Really would like to send a copy of them to you for further evaluation. Since it appeared yesterday, it must have come from one of the web sites I had visited.
    If you like I can excerpt some of the info contained in the .exe file using wordpad.
    Aloha
    Ken
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Ken,

    Send the file to the address in my profile. I'll have a look and forward it to any parties that might be interested.
    Did anything come up with the Kaspersky and DrWeb scans?

    Regards,

    Pieter
     