CWShredder - csrss.exe


Menno Hershberger

This is a little off topic, but someone may get something out of it.
For what it's worth, I just ran CWShredder as I do routinely. It found a
couple of things and repaired it. I didn't really make a note of its
findings. As soon as I was done, I noticed that my notepad icon had
turned into a "window" instead of the usual notepad icon. Clicked it, it
wouldn't run... error said it couldn't run as W32 app or something like
that. I checked the properties for notepad and it had been changed to
windows\system32\csrss.exe. (Should be windows\notepad.exe)
I've been doing some research on it... csrss.exe is a valid Windows
application but it has also been associated with a virus (dalbug.worm).
Info at http://www.symantec.com/avcenter/venc/data/w32.dalbug.worm.html
I corrected the notepad properties to point it back to where it belonged
and everything seems to be OK. I just ran NAV on the drive and it didn't
find anything. I'm almost *certain* that CWShredder did this, because I
was using notepad just before I ran it.
I'm running XP-Pro.
I think I'm out of the woods, but I'm curious if anyone else has noticed
any strange happenings from running CWShredder.
 
On Wed, 04 Feb 2004 08:16:40 -0800, Menno Hershberger
This is a little off topic, but someone may get something out of it.
For what it's worth, I just ran CWShredder as I do routinely. It found a
couple of things and repaired it.
I didn't really make a note of its findings.

That was a bad mistake, as you've no doubt gathered :-)
Always make sure such changes are logged, if you go MEGO staring at
the details at the time. It prolly did; look in the app's subtree...
As soon as I was done, I noticed that my notepad icon had
turned into a "window" instead of the usual notepad icon. Clicked it, it
wouldn't run... error said it couldn't run as W32 app or something like
that. I checked the properties for notepad and it had been changed to
windows\system32\csrss.exe. (Should be windows\notepad.exe)

That looks like an auto-groping shortcut - one of MS's more asinine
ideas. When a shortcut points to a file that's deleted, it "gropes"
for a "best match", settling on an arbitrarily-named file in an
arbitrary location, such as SMARTDRV.EXE - leading tshooting off on a
wild goose chase, and (where it's a StartUp shortcut) potentially
botching attempts to run Windows at all.

If all .exe files are affected, suspect a HKCR .exe -> exefile issue
(many malware patch into that and other file associations). But what
you describe may just be a lost NOTEPAD.EXE - may be a malware that
troj'd the file, a generic Win32PE infector that infected it, or a
third-party app that replaced it. So you NEED that log !!
I've been doing some research on it... csrss.exe is a valid Windows
application but it has also been associated with a virus (dalbug.worm).
Info at http://www.symantec.com/avcenter/venc/data/w32.dalbug.worm.html

It may also be a complete red herring, as described above.
I corrected the notepad properties to point it back to where it belonged
and everything seems to be OK. I just ran NAV on the drive and it didn't
find anything. I'm almost *certain* that CWShredder did this, because I
was using notepad just before I ran it.

Hm. Did you ever use a 3rd-party "better-than-notepad" that may have
patched into the Notepad/Wordpad axis?
I'm running XP-Pro.
I think I'm out of the woods, but I'm curious if anyone else has noticed
any strange happenings from running CWShredder.

I'd do a *formal* virus check anyway; you can't trust NAV if it's
standing waist-high in infected OS when it runs. Unless you've
snookered yourself by using NTFS; then you're stuffed, I guess.


---------- ----- ---- --- -- - - - -
Consumer Asks: "What are you?"
Market Research: ' What would you like us to be? '
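The reply above raises two separate checks: what the Notepad shortcut actually resolves to, and whether the HKCR .exe -> exefile association has been tampered with so that every program launch is wrapped. The script below is an added example written for this page, not code from the thread or from CWShredder; it targets Windows PowerShell on a current Windows build (the poster's XP box predates it), and the shortcut path and expected target are assumptions you would replace with your own.

```powershell
# Added example (not from the thread): audit a .lnk target and the .exe file association.
# Assumes Windows PowerShell 5.1+; the shortcut path and expected target are constructed placeholders.
param(
    [string]$ShortcutPath = "$env:USERPROFILE\Desktop\Notepad.lnk"   # assumed location of the shortcut
)

# Expected target for a Notepad shortcut (assumption for this demo).
$ExpectedTarget = Join-Path $env:SystemRoot 'notepad.exe'

# 1. Resolve what the shortcut really launches, via the WScript.Shell COM object.
function Get-ShortcutTarget {
    param([Parameter(Mandatory)][string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)
    $sig   = if (Test-Path -LiteralPath $lnk.TargetPath) {
                 (Get-AuthenticodeSignature -FilePath $lnk.TargetPath).Status
             } else { 'TargetMissing' }
    return [pscustomobject]@{
        Shortcut  = $Path
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Signature = $sig   # helps tell a signed OS binary from a dropped look-alike
    }
}

# 2. Read the HKCR .exe -> ProgId mapping and the ProgId's open command.
function Get-ExeAssociation {
    $extKey = Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction Stop
    $progId = $extKey.'(default)'
    $cmdKey = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction Stop
    return [pscustomobject]@{
        ProgId      = $progId
        OpenCommand = $cmdKey.'(default)'
    }
}

if (Test-Path -LiteralPath $ShortcutPath) {
    $info = Get-ShortcutTarget -Path $ShortcutPath
    $info | Format-List
    if ($info.Target -ne $ExpectedTarget) {
        # A re-pointed shortcut is only evidence; find out whether the original target was deleted or replaced.
        Write-Warning "Shortcut target differs from expected '$ExpectedTarget'."
    }
}
else {
    Write-Warning "Shortcut not found: $ShortcutPath"
}

$assoc = Get-ExeAssociation
$assoc | Format-List
# A clean association maps .exe to 'exefile' with the open command "%1" %* ;
# anything else inserts itself into every .exe launch on the machine.
if ($assoc.ProgId -ne 'exefile' -or $assoc.OpenCommand -ne '"%1" %*') {
    Write-Warning 'The .exe association has been altered; every program launch passes through it.'
}
```

Run it from an elevated prompt if the shortcut lives in an all-users location; a mismatch on either check is a prompt to pull the removal tool's log and compare file timestamps, not proof by itself of which tool changed what.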
 
cquirke said:
On Wed, 04 Feb 2004 08:16:40 -0800, Menno Hershberger



That was a bad mistake, as you've no doubt gathered :-)
Always make sure such changes are logged, if you go MEGO staring at
the details at the time. It prolly did; look in the app's subtree...
That was a bug in the version you were using. Update to the latest version.
 
That looks like an auto-groping shortcut - one of MS's more asinine
ideas. When a shortcut points to a file that's deleted, it "gropes"
for a "best match", settling on an arbitrarily-named file in an
arbitrary location, such as SMARTDRV.EXE - leading tshooting off on a
wild goose chase, and (where it's a StartUp shortcut) potentially
botching attempts to run Windows at all.

I think that's what happened. Everything seems to be clean now. To
the best of my knowledge, CWShredder doesn't make a log file anywhere,
but I'll look for one anyway. Thanks for your input!
 
