Security Incidents mailing list archives

Re: Unknown Malware found csdiv.dll


From: Sven Carstens <sven.carstens () blinker-links de>
Date: Wed, 30 Jun 2004 10:26:12 +0200


My remaining questions are:
How is the csdiv.dll dropped back into place?
  -> I'll look and see if I can find a BHO (I bet he hasn't reinstalled)

Why, oh why can't people properly setup their autoresponders?

Here are some accumulated follow-ups:

I was wondering if you could provide a little more
information that might help narrow this baddy down a
bit...

Caught?  You mean he just found the file?

Not really. He just noticed all this nice stuff popping up when he opened IE.
Porn, advertising, a warning that he has bad spyware on his PC (in a remote
HTML page) and should immediately install a program from a website.
Now he didn't fall for that at least.

So I started up sysinternals procexp.exe and autoruns.exe.
There I found a bunch of different programs running that didn't belong there.
These were with varying names and locations within \windows and 
\windows\system32.

Then I tried to install AdAware. This failed. So I first killed the suspicious 
processes and then AdAware installed without failure.
AdAware updated and detected the changes in the registry (res:\\ types for IE)
and the various programs that were running at the start of my poking around.

Rebooted the PC and everything was back to before (some other program names 
this time). 

I removed the default route on his PC. Let AdAware do its job again. Removed 
the csdiv.dll and a service entry that referred to one of the numerous 
programs running.

Rebooted again. This time IE didn't start at all when double clicking it. 
procexp showed it as running without a window. But when started with a 
standard .html file it would run normally.

Setting the default route back to normal did lead to the expected experience.
IE started with the malware and all files I removed were back in place.

I told him to reinstall and left him without a default route set. I just 
figure him crawling under his desk to see why he has no network connectivity.

What are some of the "well known other parts", and how
do you know that they're "dropped" by this DLL?

Calling the res:\\csdiv.dll immediately led to the other processes running.

Where did you check, specifically?  Did you check
specific keys (if so, which ones?) or did you just
search the Registry for the DLL name?

I let AdAware and autoruns.exe check for the usual suspects
and searched for 'csdiv' with regedit.

Searching all files on disk?  What does that mean?
Did you look for the DLL name within files, or did you
search for the file name itself?

I looked for all files containing 'csdiv'. This found the logfiles and
the csdiv.dll file.

Could it be that the DLL was called by one of the EXE
files mentioned in the logfile you posted?  Did you
happen to find those files, too?

Some but not all of the EXE files showed up when starting IE. These were not 
all of the files that showed up, but the others didn't differ in content but 
rather in name. Those were found by AdAware.

Just out of curiosity, have we ruled out the possibility that
more than one piece of malware found its way in?  Often, it's
hard to tell if you're playing "5 blind men and an elephant", or
"5 blind men and 5 different animals"...

(If you find that hard to believe, consider the recent study that
found an *average* of 7 or so *different* pieces of spyware on
the boxes surveyed....)

It's just that I cleaned up to the best of my current abilities and just the stuff 
relating to the csdiv.dll dropped back into place.

There's a nice free service which will scan any submitted file using 10
different scanners at www.virustotal.com.

Results of a file scan

This is the report of the scanning done over "csdiv.dll" file that
VirusTotal processed on 06/29/2004 at 17:07:29.

Antivirus       Version     Update       Result
BitDefender     7.0         06.28.2004   Trojan.Downloader.Agent.AP
eTrustAV-Inoc   4641        06.28.2004   -
F-Prot          3.14e       06.28.2004   -
Kaspersky       3.0         06.29.2004   TrojanDownloader.Win32.Winshow.u
McAfee          4370        06.26.2004   -
NOD32v2         1.796       06.26.2004   -
Panda           7.02.00     06.29.2004   Adware/Iefeatsl
Sybari          7.50.1138   06.29.2004   JS.Winshow.Q
Symantec        8.0         06.28.2004   -
TrendMicro      1.00        06.25.2004   TROJ_WINSHOW.AB

Guess which three of these scanners are in use.
Symantec, McAfee and F-Prot.

CU Sven
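An added example, not part of Sven's post or the thread: a PowerShell script that automates the manual hunt described above (enumerating Browser Helper Objects and the DLL each one loads, checking whether IE's start/search pages have been pointed at res:// URLs, listing Run-key and service autostarts, and searching the Windows directory for files named after or containing the string). Assumptions, since the post does not spell them out: the needle is 'csdiv'; the "res:\\ types for IE" are the Start Page / Search Page style values under Internet Explorer\Main; the registry paths are the standard ones, with the Wow6432Node variants skipped when absent (they only exist on 64-bit hosts, not on a 2004 box).

```powershell
# Added example, not part of the original post. Assumes: the needle string 'csdiv'
# (the name Sven searched for), that the "res:\\ types for IE" are the Start Page /
# Search Page values under Internet Explorer\Main, and the standard registry paths;
# the Wow6432Node paths only matter on 64-bit hosts and are skipped if absent.
param(
    [string]$Needle = 'csdiv',
    [string[]]$DiskRoots = @($env:SystemRoot)   # the post searched \windows and \windows\system32
)

function Get-RegDefault([string]$Path) {
    # PowerShell exposes a key's unnamed value as the '(default)' property
    if (Test-Path -Path $Path) { (Get-ItemProperty -Path $Path).'(default)' }
}

function Get-BrowserHelperObjects {
    # Every BHO is a CLSID subkey here; the DLL IE loads is the default value of
    # CLSID\{guid}\InprocServer32 (checked in HKLM, HKLM Wow6432Node, then HKCU).
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    ) | Where-Object { Test-Path -Path $_ }
    foreach ($root in $bhoRoots) {
        foreach ($sub in Get-ChildItem -Path $root) {
            $clsid = $sub.PSChildName
            $dll = Get-RegDefault "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            if (-not $dll) { $dll = Get-RegDefault "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32" }
            if (-not $dll) { $dll = Get-RegDefault "HKCU:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" }
            [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Value = [string]$dll }
        }
    }
}

function Get-IeResUrls {
    # Winshow/CWS-style hijacks point IE's start and search pages at res://<dll>/...
    $names = 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL', 'Local Page', 'Search Bar'
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($n in $names) {
            $v = $props.$n
            if ($v -and $v -like 'res://*') {
                [pscustomobject]@{ Source = "$hive IE Main"; Name = $n; Value = [string]$v }
            }
        }
    }
}

function Get-AutostartEntries {
    # Run keys plus service ImagePath values (the post also found a service entry)
    $runKeys = foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($k in 'Run', 'RunOnce', 'RunServices') {
            "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k"
        }
    }
    foreach ($key in $runKeys | Where-Object { Test-Path -Path $_ }) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Value = [string]$p.Value }
        }
    }
    foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { [pscustomobject]@{ Source = 'Service'; Name = $svc.PSChildName; Value = [string]$img } }
    }
}

function Find-OnDisk {
    # Files named after the needle, and files whose contents mention it
    # (the post found the dropper's log files this way).
    foreach ($root in $DiskRoots) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Needle -or
                           (Select-String -Path $_.FullName -Pattern $Needle -Quiet -ErrorAction SilentlyContinue) } |
            ForEach-Object { [pscustomobject]@{ Source = 'Disk'; Name = $_.FullName; Value = [string]$_.Length } }
    }
}

# Report everything found, with entries that reference the needle sorted to the top
$all = @(Get-BrowserHelperObjects) + @(Get-IeResUrls) + @(Get-AutostartEntries) + @(Find-OnDisk)
$all |
    Select-Object Source, Name, Value, @{ n = 'Hit'; e = { ($_.Name -match $Needle) -or ($_.Value -match $Needle) } } |
    Sort-Object -Property Hit -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt (`.\hunt.ps1 -Needle csdiv`); the full-text search over the Windows directory is slow, which is the price of catching the log files and renamed droppers the post describes. Note what the script cannot do: it only lists what is registered, so a BHO that re-drops the DLL on the next IE start, as Sven observed, still shows up clean until IE has actually been launched, which is why he cut the default route before cleaning.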
