Extra info: Please help... Looks clean, but ...

#1 RayShine (New Member, 2 posts)

Hi,

I don't know if I should post it, but for those who have the same problems as badaxe (and me), see topic:
http://www.geekstogo...DIE-t34189.html

I can confirm that you can clean it by removing the entry in the subkey "System" in :

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

badaxe got these:

csexv.exe
csrlz.exe

and I got csfds.exe.

When you look in the registry, it looks like there is no entry in the subkey "System", but "Silent Runners" will confirm that there is one. In safe mode or in DOS, you will find the .exe in the system32 folder.

Silent Runners told me:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csfds.exe" [null data]

After deleting this .exe, and running "Silent Runners" again, the log shows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csfds.exe" [file not found]

When you now take a look again in the registry, you will find the .exe in the subkey "System", so clear the entry.

Here are some other things I noticed:
- The .exe will try to execute a program somewhere on the internet. In my case, a "/users/barney-web/ntfsnlap.jpg" (which is an exe). I use Avast anti-virus, and this program has been detecting this attempt for a few days now.
- When the .jpg is executed it will create the following files: rdsnd.exe, cisvvc.exe and drv2cltr.dll (maybe more, but that's what I found). The first two were detected by Ewido, but it missed the last one.
- The result is linking to sites you don't want to go to.

I still have a question:
Why didn't I (and badaxe) find a value in the "System" key when I looked in the registry ("Silent Runners" found it there), and why did the value only become visible in the registry after removing the .exe from system32?
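The post relies on Silent Runners to show what the Winlogon key really contains and whether the referenced file is still on disk. The following is an added PowerShell check, not part of the original post or of Silent Runners: it reads the "System", "Shell" and "Userinit" values under the Winlogon key, compares them with assumed clean defaults (an empty "System", "explorer.exe", and the standard userinit.exe path; adjust these for your own build), resolves each listed executable against system32 and reports "[file not found]" the same way the quoted log does, along with size, creation time and SHA-256 for anything that does exist. Running it once from a normal boot and once from Safe Mode, as the post suggests, lets you compare the two results.

```powershell
# Added example: audit the Winlogon values the thread discusses.
# Run from an elevated PowerShell; compare a normal-boot run with a Safe Mode run.

$winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed clean defaults for a typical install (adjust for your build).
$expected = @{
    'System'   = ''
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

$key = Get-ItemProperty -Path $winlogonPath -ErrorAction Stop

foreach ($name in $expected.Keys) {
    $value = $key.$name
    if ($null -eq $value) { $value = '' }

    $status = if ($value -eq $expected[$name]) { 'default' } else { 'NON-DEFAULT' }
    Write-Output ("{0,-9} = '{1}' [{2}]" -f $name, $value, $status)

    # A value may list several comma-separated executables; resolve each one
    # the way Winlogon would: relative names are looked up in system32.
    foreach ($entry in ($value -split ',' | Where-Object { $_.Trim() })) {
        $exe = $entry.Trim()
        $candidate = if ([IO.Path]::IsPathRooted($exe)) { $exe }
                     else { Join-Path "$env:SystemRoot\system32" $exe }

        if (Test-Path -LiteralPath $candidate) {
            $file = Get-Item -LiteralPath $candidate
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            Write-Output ("    {0} -> exists, {1} bytes, created {2}, SHA256 {3}" -f
                $candidate, $file.Length, $file.CreationTime, $hash)
        } else {
            # Mirrors the "[file not found]" marker in the Silent Runners log above.
            Write-Output ("    {0} -> [file not found]" -f $candidate)
        }
    }
}
```

A "System" value that is non-empty, or any entry that resolves to "[file not found]", is the condition the post describes and is worth recording (with the hash and timestamps) before the value is cleared, so the sample can be submitted to your anti-virus vendor.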