I don't know if I should post it, but for those who have the same problems as badaxe (and me), see topic:
http://www.geekstogo...DIE-t34189.html
I can confirm that you can clean it by removing the entry in the subkey "System" in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
badaxe got the
csexv.exe
csrlz.exe
and I got the csfds.exe.
When you look in the registry, it looks like there is no entry in the subkey "System", but "Silent Runners" will confirm this. In safe mode or in DOS, you will find the .exe in the system32 folder.
Silent Runners told me:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csfds.exe" [null data]
After deleting this .exe, and running "Silent Runners" again, the log shows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csfds.exe" [file not found]
When you now take a look again in the registry, you will find the .exe in the subkey "System", so clear the entry.
Here are some other things I noticed:
- The .exe will try to execute a program somewhere on the internet. In my case, a "/users/barney-web/ntfsnlap.jpg" (which is an exe). I use Avast antivirus, and this program has detected this approach since a few days.
- When the .jpg is executed it will create the following files: rdsnd.exe, cisvvc.exe and drv2cltr.dll (maybe more, but that's what I found). The first two were detected by Ewido, but they forgot the last one.
- The result is linking to sites you don't wanna go.
I still have a question:
Why didn't I (and badaxe) find a value in the "System" key when I looked in the registry ("Silent Runners" found it there), and why was the value only visible in the registry after removing the .exe from system32?
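The post describes one persistence location (the "System" value under the Winlogon key) and the file it pointed at in system32. As an added example, not part of the original post or of Silent Runners, here is a small PowerShell audit for that location: it reads the value, checks whether the referenced file exists in System32, and cross-checks with reg.exe, since a value whose name or data contains characters the graphical editor cannot display may show up in one tool and not the other. The key path is the one quoted in the post; everything else (variable names, the assumption that the value holds a bare file name resolved from System32) is my own.

```powershell
# Added example, not from the post: audit the Winlogon "System" value described above.
# Run in an elevated PowerShell on the machine being checked.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonSystemValue {
    # Get-ItemProperty returns $null for the property when the value is absent;
    # on a clean system the value is empty or absent.
    $props = Get-ItemProperty -Path $keyPath -ErrorAction Stop
    return $props.System
}

$value = Get-WinlogonSystemValue
if ([string]::IsNullOrEmpty($value)) {
    Write-Output 'Winlogon "System" value is empty or absent (expected on a clean machine).'
} else {
    Write-Output ('Winlogon "System" = {0}' -f $value)
    # Assumption: the data is a bare file name, resolved from System32 as in the post.
    $candidate = Join-Path $env:SystemRoot ('System32\' + $value.Trim())
    if (Test-Path -LiteralPath $candidate) {
        $file = Get-Item -LiteralPath $candidate
        Write-Output ('  file present: {0} ({1} bytes, modified {2})' -f $file.FullName, $file.Length, $file.LastWriteTime)
    } else {
        # This is the state the post reports after deleting the .exe: value set, file gone.
        Write-Output '  referenced file not found in System32'
    }
}

# Cross-check with the command-line registry tool. If the two outputs disagree,
# look at the value with a tool that shows raw bytes before clearing it.
reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' /v System 2>&1
```

After clearing the value, rerun the script: both readings should come back empty, and the file check should no longer apply.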