Security Incidents mailing list archives

Re: Unknown Malware found csdiv.dll


From: H Carvey <keydet89 () yahoo com>
Date: 1 Jul 2004 12:26:08 -0000

In-Reply-To: <200406301026.12115.sven.carstens () blinker-links de>

Sven,

I'll have to admit...your responses certainly generate a lot of questions.  Please bear with me here while I try to get some idea of what you've got going on...

> So I started up sysinternals procexp.exe and autoruns.exe.
> There I found a bunch of different programs running that didn't belong there.

Didn't belong where?  Autoruns shows multiple locations...

> These were with varying names and locations within \windows and
> \windows\system32.

Varying names...such as?  Many times, the name of the file pointed to by a Registry entry will give clues as to what it does.  Some malware drops a file on the system with a file name comprised of 8 random lower-case characters.  Not definitive, of course, but a clue.

Also, in addition to procexp.exe (or perhaps instead of) I'd suggest that you run tlist.exe (from the MS Debugger Tools, *not* the RK) or cmdline.exe (DiamondCS) to get the command line used to launch each process.  This is usually more informative than simply the process name.

> Then I tried to install AdAware. This failed. So I first killed the suspicious
> processes and then AdAware installed without failure.
> AdAware updated and detected the changes in the registry (res:\\ types for IE)

Hhhmmm...not sure where you got your understanding of the "res://" URI, but you might want to read this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;220830

The "res://" resource doesn't necessarily have a one-to-one relationship with "detected...changes in the registry".

Please understand...I'm not trying to find fault with anything you've done.  However, I do think that with a better understanding of the issues at hand, these sorts of things can be handled a little better in the future.

Harlan
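The two triage steps Harlan recommends above (capture each process's full command line, not just its name, and treat an 8-random-lower-case-letter file name under \windows or \windows\system32 as a clue worth a second look) can be done today without tlist.exe or cmdline.exe. The script below is an added example written for this archive page; it is not code from the thread, from Sysinternals or from DiamondCS. It assumes a PowerShell 3 or later host with WMI/CIM available; the `^[a-z]{8}\.(exe|dll)$` pattern and the short list of Run keys are this example's own choices, and the `Suspicious` column is a heuristic flag to prioritise review, not a verdict.

```powershell
# Added example (not from the original post): live-response snapshot of running
# processes with their launch command lines, plus the common Run/RunOnce autostart
# keys. Image names of 8 random lower-case letters living in a system directory
# are flagged as a clue, per the heuristic discussed in the thread (assumption:
# the regex and key list below are this example's, not from any tool's docs).

$randomName = '^[a-z]{8}\.(exe|dll)$'
$sysDirs    = @("$env:SystemRoot", "$env:SystemRoot\System32")

function Get-ProcessTriage {
    # Win32_Process exposes CommandLine, which Get-Process does not.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $dir  = if ($path) { Split-Path -Parent $path } else { $null }
        $name = if ($path) { Split-Path -Leaf $path }   else { $_.Name }
        [pscustomobject]@{
            PID         = $_.ProcessId
            PPID        = $_.ParentProcessId
            Name        = $name
            Path        = $path
            CommandLine = $_.CommandLine
            # Flag: random-looking 8-letter name sitting in a system directory.
            # -contains is case-insensitive, so mixed-case paths still match.
            Suspicious  = ($name -match $randomName) -and
                          ([bool]$dir -and ($sysDirs -contains $dir))
        }
    }
}

function Get-RunKeyTriage {
    # Registry autostart locations; each value is itself a command line,
    # so pull out the image name and apply the same check.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties Get-ItemProperty adds to every object; not registry values.
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $cmd = [string]$p.Value
            if (-not $cmd) { continue }
            # Image is either the quoted first token or the first whitespace-delimited token.
            $image = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $cmd
                Suspicious = (Split-Path -Leaf $image) -match $randomName
            }
        }
    }
}

# Flagged rows sort to the top; the full command line is kept for every process
# because, as noted above, it is usually more telling than the process name.
Get-ProcessTriage | Sort-Object Suspicious -Descending |
    Format-Table PID, PPID, Name, Suspicious, CommandLine -AutoSize
Get-RunKeyTriage  | Format-Table Key, ValueName, Suspicious, Command -AutoSize
```

Run it from an elevated prompt so `Win32_Process` returns command lines for processes owned by other users; otherwise `CommandLine` comes back empty for those. The Run keys here are only a subset of what autoruns.exe walks (it also covers services, Winlogon, shell extensions and BHOs, which is where the `res://` IE changes in the thread would show up), so treat this as the narrow command-line step Harlan describes, not a replacement for autoruns.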

