Security Incidents mailing list archives
Re: Unknown Malware found csdiv.dll
From: H Carvey <keydet89 () yahoo com>
Date: 1 Jul 2004 12:26:08 -0000
In-Reply-To: <200406301026.12115.sven.carstens () blinker-links de>

Sven,

I'll have to admit...your responses certainly generate a lot of questions. Please bear with me here while I try to get some idea of what you've got going on...

> So I started up sysinternals procexp.exe and autoruns.exe. There I found a bunch of different programs running that didn't belong there.

Didn't belong where? Autoruns shows multiple locations...

> These were with varying names and locations within \windows and \windows\system32.

Varying names...such as? Many times, the name of the file pointed to by a Registry entry will give clues as to what it does. Some malware drops a file on the system with a file name comprised of 8 random lower-case characters. Not definitive, of course, but a clue.

Also, in addition to procexp.exe (or perhaps instead of) I'd suggest that you run tlist.exe (from the MS Debugger Tools, *not* the RK) or cmdline.exe (DiamondCS) to get the command line used to launch each process. This is usually more informative than simply the process name.

> Then I tried to install AdAware. This failed. So I first killed the suspicious processes and then AdAware installed without failure. AdAware updated and detected the changes in the registry (res:\\ types for IE)

Hhhmmm...not sure where you got your understanding of the "res://" URI, but you might want to read this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;220830

The "res://" resource doesn't necessarily have a one-to-one relationship with "detected...changes in the registry".

Please understand...I'm not trying to find fault with anything you've done. However, I do think that with a better understanding of the issues at hand, these sorts of things can be handled a little better in the future.

Harlan
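As an added illustration of the two points Harlan makes above (this is not code from the thread or from either poster), the following PowerShell gathers on a live Windows host what he asks Sven for: each running process together with the command line it was launched with (the information tlist.exe or cmdline.exe would give), and the entries in the common Run/RunOnce autostart keys. It also applies the "8 random lower-case characters" filename heuristic he mentions, marking such image names under the Windows directory for review. The regular expression, the list of keys and the function names are my own choices, and, as Harlan says, a match is a clue to look at rather than a verdict.

```powershell
# Added example, not part of the original thread.
# Lists processes with their full command lines and the values of the usual
# Run/RunOnce autostart keys, flagging image names that are exactly 8 lower-case
# letters and live under %SystemRoot% (\windows or \windows\system32).

function Get-ProcessWithCommandLine {
    # Heuristic from the thread: 8 random lower-case characters plus extension.
    # Only a clue: plenty of legitimate binaries also have 8-letter names.
    $pattern = '^[a-z]{8}\.(exe|dll)$'
    $winDir  = $env:SystemRoot

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $flag = ''
        if ($_.ExecutablePath -and
            $_.ExecutablePath.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase) -and
            ($_.Name -cmatch $pattern)) {
            $flag = 'CHECK'
        }
        [pscustomobject]@{
            PID         = $_.ProcessId
            Flag        = $flag
            Name        = $_.Name
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine   # $null for some protected/system processes
        }
    }
}

function Get-RunKeyEntry {
    # Only the Run/RunOnce keys; autoruns.exe covers many more locations.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping properties (PSPath, PSChildName, ...)
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Flagged processes sort to the top; read the command line, not just the name.
Get-ProcessWithCommandLine | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
Get-RunKeyEntry | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that Win32_Process returns command lines for processes owned by other users; without that, CommandLine comes back empty for many of them, which is exactly the gap tlist.exe and cmdline.exe were meant to fill.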