At 04:55 PM 8/2/2003 -0500, you wrote:

>The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
>is installed at the same time an FTP server is installed. I did a strings
>on the csrss.exe but turned up nothing that worked as a password. Can
>anyone tell me more about this program or what it might be. Or the
>password.

What's the size of your csrss.exe? There is a legitimate csrss.exe in Windows; it's a stub for the Win32 runtime service and it's 4K in size. I would *not* just delete instances of csrss.exe without further investigation as Windows (NT/2K/XP) needs this to run and will bluescreen if it is halted.

My home system (XP Pro) does not have a system32\recover directory, nor does my test SBS2000 (2K) box. Are there any other files in \winnt\system32\recover?

You could try, if you have 2K or higher, the following:

sfc /scannow

This will scan your system and replace suspicious files; if csrss was replaced in place, this will flush it out. I don't think this is happening, though.

>>One thing we are finding is a program running on port 6651 that identifies
>>itself as pAdmin - by: pdi in a web browser. This interface has a place
>>for a password.

What does Task Manager tell you? If you use Foundstone fport, it should tell you exactly what executable is listening on that port; you should run that any time you suspect a trojan.

Take care,

Dave

David Moisan, N1KGH
ARES/SKYWARN
dmoisanat_private
Invisible Disability: http://www.davidmoisan.org/invisible_disability.html
ATS-909 FAQ: http://www.davidmoisan.org/radio/sangean/ats909faq.html
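The checks discussed in the message above (which executable owns the listener on port 6651, and whether a csrss.exe is running or stored outside System32), as an added example that is not part of the original post. It assumes a current Windows host with PowerShell and an elevated session, rather than the NT/2K/XP tools named in the thread.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$port = 6651   # port reported in the thread

# 1. Which executable owns the listener (the question fport answers)?
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
        [pscustomobject]@{
            Check     = 'Listener'
            ProcessId = $_.OwningProcess
            Name      = $proc.Name
            Path      = $proc.ExecutablePath
            ParentId  = $proc.ParentProcessId
        }
    } | Format-List

# 2. Running csrss.exe instances and the image each one was started from.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath   # empty when the session lacks rights to query it
        if (-not $path) {
            $verdict = 'unknown: rerun elevated'
        } elseif ($path -eq $expected) {   # -eq on strings ignores case
            $verdict = 'expected location'
        } else {
            $verdict = 'UNEXPECTED LOCATION'
        }
        [pscustomobject]@{
            Check     = 'Running csrss.exe'
            ProcessId = $_.ProcessId
            Path      = $path
            Verdict   = $verdict
        }
    } | Format-List

# 3. Every csrss.exe on disk under %SystemRoot%, with size, signature and hash,
#    so a copy in an odd directory can be compared with the System32 one.
Get-ChildItem -Path $env:SystemRoot -Filter 'csrss.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Check     = 'File on disk'
            Path      = $_.FullName
            SizeBytes = $_.Length
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    } | Format-List
```

Copies of csrss.exe under the WinSxS component store are normal, so judge the on-disk results by signature status and hash rather than by path alone.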
This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 12:10:14 PDT