

richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

 wssc.exe

I am trialling Blink from eEye and it is detecting that a request for outbound (TCP) access for C:\WINDOWS32\COM\WSSC.EXE is happening.

(1) Can anyone tell me whether this is a threat?
(2) How can I find out what is originating it?
--
We are the music makers, We are the dreamers of dreams. - Arthur William Edgar O'Shaughnessy

redwolfe_98

join:2001-06-11
·RoadRunner Cable

if you are able to surf the internet without allowing the tcp-out connection, i would not allow it, for the time being.. then, you could upload the file for scanning at "virusscan.jotti" to see if any programs there flag it as "malware".. here is the link for "virusscan.jotti":

»virusscan.jotti.org/

did you scan your computer with your antivirus program? you could also use kaspersky's online-virusscan to see if it flags anything, or "dr.web's cureit", but, imo, you should not delete any files before making sure that they are, in fact, malware.. some programs use "heuristics" where they can flag files that are suspicious, but might not actually be "malware"..

»www.kaspersky.com/virusscanner

»www.freedrweb.com/cureit/?lng=en

you could also locate the file and check the file's "properties".. maybe that will give you a clue as to what the file is associated with, if it is a legitimate file..


norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband

reply to richtig
said by richtig:

(2) How can I find out what is originating it?
Not tried using the search function for DLL/HANDLE in Process Explorer? It should return the user of that .exe
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

reply to richtig
Sorry, gave the wrong location for that file. It is reported by Blink as C:\WINDOWS\SYSTEM32\COM\WSSC.EXE, but there is no such file. It is also reporting a WINSEC.EXE from the same location - once again, non-existent.
--
We are the music makers, We are the dreamers of dreams. - Arthur William Edgar O'Shaughnessy


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable


Follow the steps as outlined here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

WINSEC.EXE indicates CWS - »www.castlecops.com/s4326-winsec_exe.html


--
DSLR Phishtracker

redwolfe_98

join:2001-06-11
·RoadRunner Cable

reply to richtig
richtig, it is possible that the files are invisible "UPX-packed" files..

you could run a scan with "trojanhunter" and see if it flags the files as being UPX-packed files, or you could install a program called "supercleaner" and add the files' names ie "wssc.exe" to the list of "junk" files to scan for, and then see if it flags the files..

i have found invisible upx-packed files on my computer before, flagged by trojanhunter, but i had to use "supercleaner" to remove the files..

here are the links for "trojanhunter" and "supercleaner", both of which have free trial periods..

»www.misec.net/trojanhunter/

»www.southbaypc.com/SuperCleaner/

you could also try running "dr.web's cureit" and see if it flags the files.. but, again, make sure that any files that are flagged actually are malware before you delete them..

»www.freedrweb.com/cureit/?lng=en


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

Trojan Hunter found nothing.

I am running KIS 6.0 and it finds nothing.

Is there any reason to think that DrWeb will be any more useful?

The thing is that only Blink is purporting to find this offender. A registry search only finds Blink's firewall entries for these images.

If they are real, something is starting them up. ProcessExplorer only shows explorer.exe as the parent process.

If these processes are real, is there a way to find what is creating them?

For the moment, I simply have Blink denying them access.
--
We are the music makers, We are the dreamers of dreams. - Arthur William Edgar O'Shaughnessy
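
One way to approach the question above of what is creating a reported process, as an added example that is not part of any post in this thread: the PowerShell below resolves each reported image name to its PID, on-disk path, parent process and remote TCP endpoints, then searches System32 for matching files including hidden and system ones. It assumes Windows PowerShell 5.1 or later in an elevated session; the function names are hypothetical and the image names are the ones mentioned in the thread.

```powershell
# Added example; not from the thread. Assumes Windows PowerShell 5.1+, run elevated.
# Image names are the ones reported in this thread.
$names = 'wssc.exe', 'winsec.exe', 'wsscserv.exe'

function Get-ProcessOrigin {
    param([string[]]$ImageName)

    # Snapshot all processes once so parents can be resolved by PID.
    $all = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all | Where-Object { $ImageName -contains $_.Name }) {
        $parent = $byPid[[int]$p.ParentProcessId]
        # A "parent" that started after its child means the PID was reused
        # and the real parent has already exited.
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

        # Remote TCP endpoints owned by this PID (what the firewall prompt was about).
        $remote = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::' } |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }

        [pscustomobject]@{
            Name        = $p.Name
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ParentPID   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            Remote      = $remote -join ', '
        }
    }
}

function Find-HiddenImage {
    param([string[]]$ImageName, [string]$Root = "$env:SystemRoot\System32")
    # -Force includes files carrying the Hidden or System attribute,
    # which a default Explorer view does not list.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $ImageName -contains $_.Name } |
        Select-Object FullName, Attributes, Length, CreationTime,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }
}

Get-ProcessOrigin -ImageName $names | Format-List
Find-HiddenImage  -ImageName $names | Format-List
```

Files concealed by a rootkit driver rather than by file attributes will not appear in the second listing; an empty result there alongside a live process in the first is itself worth noting.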


Rocky67
Pencil Neck Geek
Premium
join:2005-01-13
Orange, CA
Try checking your C:\WINDOWS\SYSTEM32 for wssc.exe and wsscserv.exe. They are associated with a trojan which PREVX claims to be able to remove.
--
"The Internet? Is that still around?" - Homer


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

reply to richtig
Curiously, after a recent reboot, KAV found several associated pieces of malware. See attached image.


Rocky67
Pencil Neck Geek
Premium
join:2005-01-13
Orange, CA
Excellent. Glad KAV found and killed it.


fatdcuk
Premium
join:2005-02-20
England


Not quite,

WINSEC.EXE is still MIA, KAV must have updated FWIW to find what it has

Richtig

Try IceSword (it's good at grabbing UPX malware amongst other things)

»majorgeeks.com/Icesword_d5199.html

Open the software, left hand column file box and then follow the folder tree to the reported folder location. Scroll down to entry if found, copy & rename if you wish to submit to vendor(s) etc., use delete option to expunge the file from your system.

HTH


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

Icesword didn't find it.

I think WINSEC.EXE was being created by WSSC.EXE, at least I hope so. It hasn't raised its ugly head again.

I have just removed the blocking rule for WSSC.EXE from Blink, so I will now wait and see.
--
We are the music makers, We are the dreamers of dreams. - Arthur William Edgar O'Shaughnessy