Virus ?

Discussion in 'Software Q&A' started by synecdoche, Dec 16, 2004.

Thread Status:
Not open for further replies.
  1. synecdoche

    synecdoche New Member

    Joined:
    Sep 7, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    0
    Hi,

    AVG did not detect any virus but I am not sure about whether there is any virus.

    I have the following tasks running on my computer at the moment:

    CSRSS.EXE
    LSASS.EXE
    NVSVC32.EXE
    SERVICES.EXE
    SMSS.EXE
    WMIPRVSE.EXE
    wuauclt.exe

    I'd appreciate it if you could let me know whether any of these is a virus, and of any solution to remove it.
     
  2. it_waaznt_me

    it_waaznt_me Coming back to life ..

    Joined:
    Nov 30, 2003
    Messages:
    2,023
    Likes Received:
    10
    Trophy Points:
    38
    Location:
    A bit closer to heaven
    If you run WinXP then all of them are required processes.
     
  3. thinkdigit

    thinkdigit New Member

    Joined:
    Dec 7, 2004
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    0
  4. rakesh_1024

    rakesh_1024 New Member

    Joined:
    Apr 28, 2004
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    0
  5. #/bin/sh

    #/bin/sh New Member

    Joined:
    Apr 20, 2004
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    42.65 N 73.76 W
    Csrss.exe: The Client Server Runtime Subsystem process, also known as the Win32 subsystem, generates a worker thread for client requests.
    Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.
    Some virus makers know of this, and will bind a virus to this program, or rename their virus to CSRSS.exe (so you won't think it is a virus).
    You should check the particular .exe, and see whether or not it contains a virus.

    If you want to know if a file, such as csrss.exe, is legitimate or not, a good hint is the "Date modified" information you can view when performing a search on the filename on your hard drive.

    If you suspect a file has started trying to access the network illegally in recent days, the file may have been modified by a virus just prior to the date when this unwarranted activity started.

    Be careful when you use this test!

    If you recently patched your system, the "Modified date" on the file will correspond to the date a file may have been changed by the software editor in order to correct a problem.

    The person writing the virus may also be aware of the date the file was last modified by the software editor and try to fool you into believing the file is legitimate. This could be done if the hacker is aware of the date the software vendor last changed the file and makes the "Modified date" on the infected file correspond to it. A little far-fetched, but possible.

    A few known viruses and worms attach themselves to (overwrite) Windows executable services.
    Here's a report by Symantec about the virus/worm Nimda:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html
    It seems to copy itself as Csrss.exe in the Windows folder (the good one is under system32).

    I think Blaster also behaves similarly... If you have your reasons to believe there's a virus there, then you're probably right...
    Keep an antivirus close to you at all times! Here's a very nice removal tool from McAfee that takes care of most of the latest threats: Stinger


    LSASS.EXE :: Local Security Authentication Server (LSASS.EXE). This is the LSA server. During user authentication, the WINLOGON process will interact with the LSASS process. LSASS implements the user space part of the authentication procedure for accessing objects, interacting with the Executive Security Reference Monitor mechanism.
    If you're having problems with LSASS.EXE then please read the information about the worm "W32/Sasser":
    http://vil.nai.com/vil/content/v_125007.htm
    In this context you could find avserve.exe on your system.


    NVSVC32.EXE :: nvsvc32.exe is a process that belongs to the NVIDIA graphics card drivers (Detonator).


    SERVICES.EXE :: This is the Services Control Manager, which is responsible for running, ending, and interacting with system services.

    SMSS.EXE :: This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

    WMIPRVSE.EXE :: Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information and control in an enterprise environment. By using industry standards, managers can use WMI to query and set information on desktop systems, applications, networks, and other enterprise components. Developers can use WMI to create event monitoring applications that alert users when important incidents occur.

    wuauclt.exe :: Windows Update AutoUpdate Client. Background process which checks with Microsoft website for updates to the operating system. Shows up on the Task Manager's processes list when it is waiting for a response, e.g. to confirm permission to download an update.
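
The location check mentioned in the post above (the genuine csrss.exe lives under system32, a copy in the Windows folder does not), written out as an added example that is not part of the original thread. It assumes a default `C:\WINDOWS` install; the expected folders for every process other than csrss.exe, the path prefixes handled, and the sample paths are assumptions constructed for illustration.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default Windows XP install directory

# Expected folder (relative to SYSTEM_ROOT) for each process named in the thread.
# Only the csrss.exe location comes from the post; the others are assumptions
# based on a stock XP install with NVIDIA drivers.
EXPECTED_DIR = {
    "csrss.exe": "system32", "lsass.exe": "system32",
    "services.exe": "system32", "smss.exe": "system32",
    "nvsvc32.exe": "system32", "wuauclt.exe": "system32",
    "wmiprvse.exe": r"system32\wbem",
}

def normalise(path, system_root=SYSTEM_ROOT):
    """Reduce the path forms that process listers emit to one comparable form."""
    if path.startswith("\\??\\"):                  # NT object-manager prefix
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):  # form often shown for smss.exe
        path = ntpath.join(system_root, path[12:])
    # normpath collapses "..", normcase lowercases and unifies slashes
    return ntpath.normcase(ntpath.normpath(path))

def classify(path, system_root=SYSTEM_ROOT):
    """Return 'ok', 'wrong-location', 'unknown-name' or 'no-path'."""
    if not path:
        return "no-path"           # lister could not read the image path
    folder, name = ntpath.split(normalise(path, system_root))
    expected = EXPECTED_DIR.get(name)
    if expected is None:
        return "unknown-name"
    want = ntpath.normcase(ntpath.join(system_root, expected))
    return "ok" if folder == want else "wrong-location"

# Constructed sample of image paths as a process lister might report them.
SAMPLE_PATHS = [
    r"\??\C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"\SystemRoot\System32\smss.exe",
    r"C:\WINDOWS\System32\wbem\wmiprvse.exe",
    r"C:\WINDOWS\Csrss.exe",   # the location the post attributes to Nimda
    None,
]

def audit(paths):
    """Return (path, verdict) for every entry that is not 'ok'."""
    results = [(p, classify(p)) for p in paths]
    return [(p, v) for p, v in results if v != "ok"]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS):
        print(f"{verdict:15} {path}")
```

A matching path only rules out the renamed-copy case; a system file that was modified in place still needs an antivirus scan.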
     
  6. #/bin/sh

    #/bin/sh New Member

    Joined:
    Apr 20, 2004
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    42.65 N 73.76 W