Odd service running on computer

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Odd service running on computer

    Question for everyone,
    I have a home computer running XP Pro. I ran a nessus scan against it, came up with port 7621 listening on it. Forget why I tried it, but tried connecting via FTP. When I connected it came up with a banner "welcome to basement-ultra ftp". Not sure how or why, but how can I locate and remove this service from my machine? I ran an anti-virus scan against it, no luck there. Same with adaware. Only promising lead I have is that fport tells me that csrss.exe in my system32 folder is responsible for the listening port. Appreciate any ideas.

  • #2
    have you tried the ctrl + alt + delete function, then finding the process in your process tree and ending task, and if that doesn't work have you tried going into your system32 folder and deleting it?
    before asking a retarded question, google it. google knows all.



    • #3
      Originally posted by dementeddemon
      have you tried the ctrl + alt + delete function, then finding the process in your process tree and ending task, and if that doesn't work have you tried going into your system32 folder and deleting it?
      Please do not listen to this advice: it will destroy your system. csrss.exe is the "Client/Server Runtime Server Subsystem" for Microsoft Windows. The fact that this process owns the port probably indicates that it is running as a service.

      You can see the list of registered services under "Control Panel/Administrative Tools/Services" (or equivalently, "Start/Run.../%SystemRoot%\system32\services.msc /s"). Your rogue FTP server is likely a "Started" service in the list Windows presents to you.

      Unfortunately, the attackers probably did more than insert an easily-disabled service into your system...



      • #4
        on my windows os, which is 2000 pro, I don't have the csrss.exe file running, but then I have a startup manager and I disabled it to where it doesn't run when I boot up and it hasn't destroyed my system or anything like that, and I can still connect to the internet just fine.
        before asking a retarded question, google it. google knows all.



        • #5
          Originally posted by skubinnada
          * computer running XP Pro
          * nessus scan came up with port 7621 listening
          * tried connecting via FTP: it came up with a banner "welcome to basement-ultra ftp"
          * Not sure how or why, but how can I locate and remove this service from my machine?
          * I ran an anti-virus scan against it, no luck there. Same with adaware.
          * Only promising lead I have is that fport tells me that csrss.exe in my system32 folder is responsible for the listening port
          A google search provided me with a link that suggests using:
          Code:
          C:> netstat -anO
          Will give you the PID of the process associated with an open port. See if it is the same as the one you found with "fport".
          Examine PID in task manager, and see if the PID is the real system process or another application just using that name.

          An old technique to hide processes on a system has been to name them the same as known daemons or common applications, or use substitutions (Zeros for Oh's) so they do not appear out of the ordinary. Examination of memory footprint, and details about process resources and environments can help you to know if one is a fake.

          Originally posted by dementeddemon
          ...finding the process ... and ending task, and if that doesnt work ... going into your system32 folder and deleting it?

          Originally posted by Voltage spike
          Please do not listen to this (dementeddemon's suggestion as) advice...
          [followed by good advice from voltage spike that was chopped here]
          I agree, but would go further to say I would suspect most any advice offered on tech and computers from demented demon as unreliable, risky or dangerous at this point in time.
          Last edited by TheCotMan; April 10, 2005, 21:04.



          • #6
            Originally posted by TheCotMan
            An old technique to hide processes on a system has been to name them the same as known daemons or common applications, or use substitutions (Zeros for Oh's) so they do not appear out of the ordinary.
            I suppose I should have mentioned this point considering that there is a variant of Netsky in the wild that does exactly that with the process in question.

            I still maintain that killing the real csrss.exe is fatal, but I must admit that I have never attempted such a bold feat.



            • #7
              Originally posted by Voltage Spike
              I still maintain that killing the real csrss.exe is fatal, but I must admit that I have never attempted such a bold feat.
              Killing most any processes that Windows XP/2000 allows the admin to kill is usually not so bad; worst I've seen is a requirement to reboot to "make it work properly" again. There have been cases where killing a process on NT 3.51 and NT 4.0 led to a BSOD, but the machine still booted, and I've not seen this on XP yet.

              Deletion of file(s) (as suggested by dementeddemon) is a bad suggestion.

              Kill a process? Sometimes it may cause other things to die, force a logout, killing of other services, or something else to the state of the machine, but generally does not make the machine unbootable. Deletion of files risks making a machine unbootable.



              • #8
                Your computer may be running just fine as you see it demented demon, but that may be because you don't know how your computer should be running. It has nothing to do with how you connect to the internet.

                "Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment." --Pulled from a post at http://www.neuber.com/taskmanager/pr...csrss.exe.html

                Also, you should note that csrss.exe is a popular clone file for worms and trojans. Would suggest making sure your virus definitions are up to date, and running virus check and some sort of spy sweeper.



                • #9
                  Thanks for all the advice

                  I have pretty much tried all of the ideas so far except for deleting/stopping the csrss.exe file/process. For one, it won't let me stop it, two, it is a system file. I did however see two instances of csrss.exe running in the process list. Wouldn't let me stop either one. I have run almost every virus scan, adaware program and trojan finder known to man, nothing has shown up to this point. I'm almost to the point where I think I installed an FTP server in the past and have just forgotten about it. One other thing, in Computer Management/services, I don't see FTP as one of my services, running or otherwise.
                  Thanks again for the ideas. I'll probably just reformat/reload.



                  • #10
                    try running HiJackThis and posting the log here. More than likely, if you have 2 instances of csrss.exe running, one of them is bound to be a virus. The best way you can tell is if one of the processes is not located in the system32 file.

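One way to carry out the checks TheCotMan (#5) and post #10 describe, as an added example that is not from any poster in this thread: correlate the PIDs from `netstat -anO` with the process list, then flag a listener whose image name is a lookalike of a system process (0 for o, 1 for l), runs from outside system32, or is a second copy of a normally single-instance process. The netstat output and process table are constructed samples, and the path check assumes a default C:\WINDOWS install.

```python
import re
from collections import Counter

# Images Windows runs only from %SystemRoot%\system32 (assumes a default C:\WINDOWS
# install). svchost.exe legitimately runs many copies, so it is exempt from the duplicate check.
SYSTEM_IMAGES = {"csrss.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32" + "\\"

def canonical(name):
    """Undo the digit-for-letter swaps the thread mentions (0 for o, 1 for l)."""
    return name.lower().replace("0", "o").replace("1", "l")

def parse_netstat(text):
    """Map local port -> PID for the LISTENING lines of `netstat -anO` output."""
    listeners = {}
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2))
    return listeners

def triage(netstat_text, processes):
    """processes: {pid: (image name, path)} as read off Task Manager; returns (port, pid, reason)."""
    findings = []
    instances = Counter(canonical(n) for n, _ in processes.values())
    for port, pid in sorted(parse_netstat(netstat_text).items()):
        name, path = processes.get(pid, ("<not in process list>", ""))
        canon = canonical(name)
        if canon not in SYSTEM_IMAGES:
            continue  # not claiming a system image name; review it by hand
        if name.lower() != canon:
            findings.append((port, pid, f"lookalike name {name} for {canon}"))
        if not path.lower().startswith(SYSTEM32):
            findings.append((port, pid, f"{name} runs from {path or '(no file on disk)'}"))
        if instances[canon] > 1 and canon != "svchost.exe":  # csrss.exe: one per logon session on XP
            findings.append((port, pid, f"{instances[canon]} instances of {canon}"))
    return findings

# Constructed sample: port 7621 from the thread, owned by a second csrss.exe that
# lives outside system32, plus a made-up svch0st.exe listener on 8080.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:7621           0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1700
"""
PROCESSES_SAMPLE = {
    592: ("csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    888: ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    1604: ("csrss.exe", r"C:\WINDOWS\csrss.exe"),
    1700: ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),
}
```

Running `triage(NETSTAT_SAMPLE, PROCESSES_SAMPLE)` reports the out-of-place csrss.exe twice (wrong folder, second instance) and the svch0st.exe lookalike once; a finding is a lead to verify against the file on disk, not proof of infection.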


                    • #11
                      Try these

                      Try the following Spybot
                      Microdoze LOL anti spyware
                      and make sure they are updated
                      then scan
                      and why Google when you can Scroogle scraper
                      Just Google it and then well,
                      rtfm...............
                      Peace out !
                      Love
                      Me HEEHEHEHLOL



                      • #12
                        some other suspicious applications...

                        Here are a few other suspicious applications running on a computer I have been working on:

                        MSAOL32.EXE (No such thing as Microsoft AOL Instant Messenger?)
                        SVCHOSETS16.EXE (maybe CoolWebSearch?)

                        The computer is a Gateway 1.2 GHz running Windows XP SP2 and I am 99.9% sure these are not Microsoft-related services or programs.

                        Both are said to be located in C:\Windows\System32 yet neither file can be found there or anywhere else on the system. Microsoft Antispyware, Adaware and Spybot Search & Destroy find nothing. AVG Antivirus same result. Several online virus/trojan databases did not find anything by these names.

                        Neither filename produces many meaningful results on Google. A few threads that suggest one or both of them might be trojans, but nothing concrete. The MSAOL one is sometimes listed as Microsoft AOL Instant Messenger but I am pretty sure there is no such thing. Also, some of the references are French webpages that don't translate too well.

                        Sygate Personal Firewall is able to block these services from connecting to the Internet, and can terminate the services, but upon reboot they start up again.

                        Any ideas?
                        Last edited by theprez98; April 11, 2005, 21:22.
                        "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";



                        • #13
                          Originally posted by theprez98
                          Any ideas?
                          In your other posts, you demonstrated knowledge, so I am reluctant to suggest the obvious, but
                          Have you told the OS to show all files including hidden ones?

                          Next, I have found some bits of malware to be annoying enough to be called to startup as one name, which is a wrapper to copy itself to a new name in the system folder, fork/exec a new process from the new location, and delete the copied file or rename it.

                          With some of these, I have found creation of a file (assuming NTFS) in the same location where no file appears to exist where it should be (according to the process listings) and then setting it to be protected with permissions to help identify a source. Some wrappers will produce an error which will be logged and give you a clue on what was actually the real cause.

                          Of course, coders of malware get smarter and more malicious to detection techniques, and attempts to break them may lead to triggering an undesired event.

                          A google search shows discussion of one of those filenames in an adware/spyware/malware forum and the other does not show up in google searches.
                          Last edited by TheCotMan; April 11, 2005, 21:25.



                          • #14
                            Originally posted by TheCotMan
                            In your other posts, you demonstrated knowledge, so I am reluctant to suggest the obvious, but
                            Have you told the OS to show all files including hidden ones?
                            Well first off, thanks for the compliment. And yes, I searched all files including hidden and found nothing. Interestingly, Microsoft's Anti-spyware scan specifically lists it as being in the system32 directory along with the other standard files it searches.

                            Originally posted by TheCotMan
                            A google search shows discussion of one of those filenames in an adware/spyware/malware forum and the other does not show up in google searches.
                            My continued searches find a little bit on the MSAOL32.EXE which suggests it is malware but haven't been able to find any program yet which can delete it. Tomorrow hopefully I can find the websites they are trying to connect to, and perhaps that can shed more light on what these processes might be.
                            "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";



                            • #15
                              HijackThis appears to have successfully eliminated the two offending programs from the computer.
                              "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";
