What is This

Discussion in 'adware, spyware & hijack cleaning' started by Retboilrweldr, Mar 4, 2004.

Thread Status:
Not open for further replies.
  1. Retboilrweldr

    Retboilrweldr Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    2
    First let me introduce myself: Ken Ketcherside, Retiree, living in Seattle, avid user of your software to keep out spyware.
    Next, my problem: somehow, while surfing the web yesterday, a file named csrss.exe got downloaded into my Windows folder. I found another, csrss_2.dll, in my Windows/Temp folder and another named csrss.lgc in my Windows/Applog folder. Properties reveals the name Westronix holdin... I have isolated all three and placed them in a folder named What Is This. Wordpad reveals that the .dll apparently sends emails with some kind of reports.
    I suspect that they are part of a back door or spy prog. Can I send them in an email to you? All have been scanned and are free of viruses.
    Aloha
    Ken
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Retboilrweldr,

    Don't delete everything you found. Depending on th location where csrss.exe was running from, this could be several things:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hale.html
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sokacaps.html
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.gutta.html
    http://www.symantec.com/avcenter/venc/data/w32.ahlem.a@mm.html

    And then there is the legitimate file with the same name:
    http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/

    You can find several online scans here:
    http://www.wilders.org/free_services.htm
    At Kaspersky and DrWeb you can upload separate files, which might save you some time. Keep us posted.

    Regards,

    Pieter
     
  3. Retboilrweldr

    Retboilrweldr Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    2
    Pieter_Arntz:
    Thank you for your quick and thoughtful reply. I have carefully checked each of the links you provided and do not believe my instance is a legit file because it refers to an unknown company in Capetown, S. Africa with whom I have never had any dealings. further I believe it is a new worm or at least a backdoor. Really would like to send a copy of them to you for further evaluation. Since it appeared yesterday, it must have come from one of the web sites I had visited.
    If you like I can excerpt some of the info contained in the .exe file using wordpad.
    Aloha
    Ken
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Ken,

    Send the file to the address in my profile. I'll have a look and forward it to any parties that might be interested.
    Did anything come up with the Kaspersky and DrWeb scans?

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.