I am receiving a virus threat from AMON of NOD32 (Version of Signatures 2305 Def-20070601); it's something like this:
c:\Windows\csrss.exe (There is no such file there, yet the file is in the system32 directory, but NOD32 gives this notice)
A threat detected as c:\windows\system32\winlogon.exe attempted to create a file. The file has been moved to quarantine. The file can safely be deleted.
However, the options such as move to quarantine, delete, clean or submit for analysis etc. are not highlighted and cannot be selected; the only option I have is to close the notice window.
So, I did an online scan at www.virustotal.com and the results were as follows:
STATUS: FINISHED
Complete scanning result of "csrss.exe", received in VirusTotal at 06.03.2007, 08:37:04 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
AntiVir 7.4.0.29 06.01.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 no virus found
BitDefender 7.2 06.03.2007 no virus found
CAT-QuickHeal 9.00 06.02.2007 no virus found
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 no virus found
eSafe 7.0.15.0 05.31.2007 no virus found
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 no virus found
FileAdvisor 1 06.03.2007 No threat detected
Fortinet 2.85.0.0 06.02.2007 no virus found
F-Prot 4.3.2.48 06.01.2007 no virus found
F-Secure 6.70.13030.0 06.02.2007 no virus found
Ikarus T3.1.1.8 06.03.2007 no virus found
Kaspersky 4.0.2.24 06.03.2007 no virus found
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.03.2007 no virus found
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 no virus found
Panda 9.0.0.4 06.02.2007 no virus found
Prevx1 V2 06.03.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 06.03.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 no virus found
VBA32 3.12.0 06.02.2007 no virus found
VirusBuster 4.3.23:9 06.02.2007 no virus found
Webwasher-Gateway 6.0.1 06.03.2007 no virus found
Additional Information
File size: 6144 bytes
MD5: f12b178b1678d778cfd3ff1fc38c71fb
SHA1: d9aa29288951e94773caa1054237d29734e79f34
Bit9 info: http://fileadvisor.b...fd3ff1fc38c71fb
After having a look at forums I decided that HijackThis would also help. Results of the scan:
Logfile of HijackThis v1.99.1
Scan saved at 14:54:01, on 2007-6-3
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\winlogon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Task Killer\TaskKiller.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Eset\nod32.exe
C:\Program Files\HijackThis\HijackThis.exe
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: Task Killer.lnk = C:\Program Files\Task Killer\TaskKiller.exe
O4 - Startup: 乃癟QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: ノQQ眒獺祇癳赣瓜 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 睰QQ薄 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 睰QQ﹚竡狾 - C:\Program Files\Tencent\QQ\AddPanel.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} (PhotoUploadCtrl Control) - http://qz-photo.qq.c...eMediaTools.cab
O16 - DPF: {C661F36D-DF85-4EF4-83C7-E107B83D04B1} (WebActivater Control) - http://dl_dir.qq.com...ow/3DShowVM.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetow...outLauncher.cab
O16 - DPF: {FCD61199-E187-4ADD-88E5-9AF238486D11} (CPPMediaCtrl Object) - http://www.hbol.net/...forceplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{281AB564-C46F-45F1-9547-A4C9B2B1CBF2}: NameServer = 202.96.128.166,202.96.128.86
O17 - HKLM\System\CS2\Services\Tcpip\..\{281AB564-C46F-45F1-9547-A4C9B2B1CBF2}: NameServer = 202.96.128.166,202.96.128.86
O17 - HKLM\System\CS3\Services\Tcpip\..\{281AB564-C46F-45F1-9547-A4C9B2B1CBF2}: NameServer = 202.96.128.166,202.96.128.86
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
Your help will be much appreciated.
Thanks a lot.
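The log above already contains the three things a responder would look at first: a copy of winlogon.exe running from C:\WINDOWS instead of C:\WINDOWS\system32, an O4 Run entry ("nvchost") that launches that copy at logon, and two O1 Hosts entries that point an msn.com search host at a non-loopback address. The script below is an added example of how to pull those indicators out of a HijackThis-style log automatically; it is not part of the original post and is not HijackThis or NOD32 code. The list of core process names and the system32 allowlist are assumptions chosen for this example, and the sample input is a handful of lines copied from the log in the post.

```python
import re
from pathlib import PureWindowsPath

# Assumption for this example: these core Windows processes are only expected
# to run from %WINDIR%\system32. A copy anywhere else deserves a closer look.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$", re.I)


def _exe_path(cmd: str) -> PureWindowsPath:
    """Strip surrounding quotes and trailing switches from an autorun command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" /", 1)[0].split(" -", 1)[0]
    return PureWindowsPath(exe)


def _is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip == "::1"


def triage(lines):
    """Return (finding_kind, log_line) pairs for entries worth reviewing.

    Flags: core process names running outside system32, autorun entries that
    launch a binary named like a core process (the real ones are started by
    the kernel/session manager, not via a Run key), and Hosts overrides that
    point a name at a non-loopback address.
    """
    findings = []
    in_procs = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if re.match(r"^O\d+ - ", line):
            in_procs = False
        if in_procs:
            p = PureWindowsPath(line)
            if p.name.lower() in CORE_PROCESSES and str(p.parent).lower() not in SYSTEM_DIRS:
                findings.append(("process-masquerade", line))
            continue
        m = O1_RE.match(line)
        if m:
            ip, _host = m.groups()
            if not _is_loopback(ip):
                findings.append(("hosts-redirect", line))
            continue
        m = O4_RE.match(line)
        if m and _exe_path(m["cmd"]).name.lower() in CORE_PROCESSES:
            findings.append(("autorun-core-name", line))
    return findings


# Sample input: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\winlogon.exe
C:\Program Files\Eset\nod32kui.exe
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: Task Killer.lnk = C:\Program Files\Task Killer\TaskKiller.exe
""".splitlines()

if __name__ == "__main__":
    for kind, entry in triage(SAMPLE_LOG):
        print(f"{kind:20} {entry}")
```

Run against the sample, the script reports the C:\WINDOWS\winlogon.exe process, the "nvchost" Run entry and both Hosts lines, and stays silent on the genuine system32 copies and on the NOD32 and SoundMan entries. The output is a review list, not a verdict: the flagged file should still be hashed and submitted, and the Run value and Hosts entries removed only once the binary behind them has been dealt with, since a still-running dropper would simply recreate them.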