Virtumonde


7 replies to this topic

#1 yesdavy

yesdavy

  • Members
  • 7 posts

Posted 04 December 2008 - 07:28 AM

I saw Virtumonde momentarily in my IE7 window (Vista Home Premium OS) but am not sure if it was a blocked alert or what. IE7 would not run or close due to a DEP issue but seemed to want to redirect, so I suspect a browser hijacking. Loaded Opera as a work-around. Reset IE7 to default settings and deleted all cookies etc. IE7 started working again but wanted to redirect to AOL instead of the RunOnce or Google homepage. Ran Spybot S&D, Ad-Aware, Norton, Defender, MBAM and found nothing with any of them; they all say everything is okay. But when I view processes I see csrss.exe with no user and no description, and a search of C: does not find any csrss files. I looked in >windows>system32 and found csrss.exe dated 1/19/2008 2:33 PM. I looked in >system32>en-US and found csrss.exe.mui dated as last modified 11/2/2006 7:41 PM. I was going to load ComboFix to be ready per these post replies by Thunder...

http://www.bleepingcomputer.com/forums/ind...&hl=thunder

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

...however, the directions on how to install the recovery console for Vista require a DVD, but it came loaded on this laptop so I have no DVD. I have HJT and will provide a log upon instructions. Thanks!

Edited by yesdavy, 04 December 2008 - 08:18 AM.



#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts

Posted 04 December 2008 - 03:11 PM

Welcome to this site :thumbsup:
The thread you have linked to is within the HJT section.

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

To attempt to follow instructions given to someone else is very unwise, as those instructions will have been customised for that particular computer and NOT yours.

May one suggest you instead post the report from the Malwarebytes program you ran, so the Team can examine it and suggest further suitable tools for you?

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
If you wish to copy and paste the contents of that report, someone can examine it for you.

#3 yesdavy

yesdavy
  • Topic Starter

  • Members
  • 7 posts

Posted 04 December 2008 - 07:57 PM

Is the csrss.exe an issue?

Per suggestion, MBAM log below:

Malwarebytes' Anti-Malware 1.31
Database version: 1459
Windows 6.0.6001 Service Pack 1

12/4/2008 5:56:24 PM
mbam-log-2008-12-04 (17-56-24).txt

Scan type: Quick Scan
Objects scanned: 50422
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts

Posted 05 December 2008 - 11:41 AM

The Malwarebytes scan appears to be clean.

I looked in >windows>system32 and found csrss.exe dated 1/19/2008 2:33 PM. I looked in >system32>en-US and found csrss.exe.mui dated as last modified 11/2/2006 7:41 PM.


You may wish to know that according to a Google search for csrss.exe

http://www.google.co.uk/search?hl=en&q...earch&meta=
you will find

http://www.neuber.com/taskmanager/process/csrss.exe.html


This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Note: The csrss.exe file is located in the folder C:\Windows\System32. In other cases, csrss.exe is a virus, spyware, trojan or worm!

From what you say, your csrss.exe appears to be in the correct location.

You may wish to run a different scan, also Vista compatible, just to check the computer.
Please download and scan with SUPERAntiSpyware Free:
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your Desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".

    (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method.

To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Let us see that scan report too, to check for you :thumbsup:
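The csrss.exe question above comes down to two checks a helper would want answered: is the running csrss.exe loaded from C:\Windows\System32, and is the file on disk the Microsoft-signed binary. The script below is an added example, not code from this thread or from any tool it mentions; it assumes an elevated PowerShell 3 or later prompt (Get-CimInstance), since the path of csrss.exe is only readable with administrative rights.

```powershell
# Added example, not from the thread: verify that every running csrss.exe and
# every file named csrss.exe on the system drive is the genuine Win32 subsystem
# binary in C:\Windows\System32. Run from an elevated PowerShell prompt.
$expectedDir = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')

function Test-InSystem32([string]$dir) {
    [string]::Equals($dir.TrimEnd('\'), $expectedDir, 'OrdinalIgnoreCase')
}

# 1. Running instances. A healthy box shows one csrss.exe per session
#    (session 0 plus one per logged-on user), all from System32. "No user"
#    in Task Manager is normal: csrss runs as SYSTEM, which a non-elevated
#    Task Manager cannot display.
$running = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'"
foreach ($p in $running) {
    if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
        Write-Output ("PID {0}: path not readable (prompt not elevated?)" -f $p.ProcessId)
        continue
    }
    $verdict = if (Test-InSystem32 (Split-Path -Parent $p.ExecutablePath)) {
        'expected location' } else { 'UNEXPECTED location, report this' }
    Write-Output ("PID {0}: {1} -> {2}" -f $p.ProcessId, $p.ExecutablePath, $verdict)
}

# 2. Every file named csrss.exe on the system drive with its signature status.
#    Copies under \Windows\WinSxS belong to the component store and are normal.
#    On Vista/7 the System32 copy is catalog-signed, so older PowerShell may
#    report NotSigned for it; an unsigned copy in a user profile, Temp or any
#    other folder is the finding a helper would want to hear about.
Get-ChildItem -Path ($env:SystemDrive + '\') -Filter 'csrss.exe' -Recurse -Force `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTime
            Signature = $sig.Status                      # 'Valid' for the genuine file
            Signer    = $sig.SignerCertificate.Subject   # should name Microsoft
            InSystem32 = Test-InSystem32 $_.DirectoryName
            InWinSxS  = $_.FullName -like "$env:SystemRoot\WinSxS\*"
        }
    } | Format-Table -AutoSize
```

Unlike Windows Search on Vista, which does not index System32 by default (hence the "search C: finds no csrss files" observation), this walks the disk directly.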

#5 yesdavy

yesdavy
  • Topic Starter

  • Members
  • 7 posts

Posted 09 December 2008 - 07:33 PM

Please excuse the time lag, was on the road.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/10/2008 at 04:17 AM

Application Version : 4.22.1014

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 01:36:11

Memory items scanned : 214
Memory threats detected : 0
Registry items scanned : 8922
Registry threats detected : 0
File items scanned : 238600
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@adlegend[2].txt
C:\Documents and Settings\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@advertising[1].txt
C:\Documents and Settings\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@atdmt[2].txt
C:\Documents and Settings\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@insightexpressai[2].txt
C:\Documents and Settings\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@msnportal.112.2o7[1].txt
C:\Users\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@adlegend[2].txt
C:\Users\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@ads.bleepingcomputer[1].txt
C:\Users\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@advertising[1].txt
C:\Users\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@atdmt[2].txt
C:\Users\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@insightexpressai[2].txt
C:\Users\Davy\AppData\Roaming\Microsoft\Windows\Cookies\Low\davy@msnportal.112.2o7[1].txt

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 December 2008 - 10:23 PM

So how is the PC behaving now?

#7 yesdavy

yesdavy
  • Topic Starter

  • Members
  • 7 posts

Posted 19 December 2008 - 08:36 PM

Sorry again for the delay, traveling.

All seems okay, other than Vista is always very slow and today when I tried to ipconfig /flushdns it said the action required elevation even though I am logged on as administrator. I discovered that by using the programs menu > accessories I can right-click on command prompt and run as administrator. That got the job done.

Thanks for everything.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 December 2008 - 10:57 PM

Good news!!
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
