csrus.exe?? driveinfo.exe??

Discussion in 'Malware Help (A Specialist Will Reply)' started by zakrz1, Oct 27, 2005.

  1. zakrz1

    zakrz1 Private First Class

    Found csrus.exe and driveinfo.exe in my HijackThis log after very slow IE and Firefox this morning; can't find any references to them.... Anyone know what these are? Won't have time to run full cleanup scans until after work.....
     
  2. zakrz1

    zakrz1 Private First Class

    OK, what was done:
    1. turned off sys restore, disconnected ethernet, reboot to safe mode
    2. Ran Ccleaner
    3. Ran Spybot - found LSA - fixed
    4. Ran Cwshredder - nothing
    5. Ran Counterspy (full version normally finds a lot more than Adaware)- found nothing (Counterspy catches a lot more spyware than Adaware!)
    6. Ran HS remove - found 8 items - but who knows what? Doesn't exactly give you a log...
    7. Ran Kill2me- removed if present, but did it?
    8. BHODemon - nothing
    9. Ran TrendMicro Anti-spyware scan, found Effective -i Inc. and cleaned
    10. Ran Trend Housecall - nothing found
    11. Ran BitDefender, found AIM95.exe/WISE007=WISE008 and not certain what it did about it: "Update failed"

    Browsing seems to me reasonably back to normal; however, I'm not totally convinced..... There's something out there that loads driveinfo.exe and csrus.exe, of which there are no or very few links...

    Suggestions you gurus???

    Some crap that invokes
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. zakrz1

    zakrz1 Private First Class

    Hijackthis log attached.
    zakrz1
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see csrus.exe or driveinfo.exe in your HJT log. You only have a few minor non-malware items to fix in your log.

    I first recommend disable Spybot's Teatimer because it could block making fixes.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log.

    And tell us how things are working.
     
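    Added example, not part of the thread and not HijackThis code: a small Python parser for the CLSID-bearing HJT line shapes quoted above (R3/O2/O3/O9). It flags entries HJT marks "(file missing)" as orphaned registry references and groups lines that share one CLSID, as the two bdoscandel.exe entries do, so they are fixed together. The sample log reuses the lines from the post plus one constructed O2 entry whose file is present.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Shape of the CLSID-bearing HijackThis lines (R3/O2/O3/O9) quoted in the thread.
HJT_ENTRY = re.compile(
    r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Constructed sample: the lines from the post plus one entry whose file is present.
SAMPLE_LOG = r"""
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

@dataclass
class HjtEntry:
    code: str           # HJT section, e.g. "O2" (BHO) or "O9" (IE extra button)
    kind: str           # entry type as printed, e.g. "BHO", "URLSearchHook"
    name: str           # display name; "(no name)" when HJT found none
    clsid: str          # registry CLSID, normalised to upper case
    path: str           # file the registry points at (may contain %windir%)
    file_missing: bool  # HJT could not find the file: an orphaned registry entry

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one CLSID-bearing HJT line; return None for other line shapes (O4, O23...)."""
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return None
    return HjtEntry(m["code"], m["kind"], m["name"], m["clsid"].upper(),
                    m["path"], m["missing"] is not None)

def parse_hjt_log(log_text: str) -> List[HjtEntry]:
    """All recognised entries in a pasted log, in log order."""
    entries = (parse_hjt_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None]

def orphaned_entries(log_text: str) -> List[HjtEntry]:
    """Entries whose target file is gone: leftover references, not running code."""
    return [e for e in parse_hjt_log(log_text) if e.file_missing]

def entries_by_clsid(log_text: str) -> Dict[str, List[HjtEntry]]:
    """Group entries sharing a CLSID so related lines are fixed together."""
    groups: Dict[str, List[HjtEntry]] = {}
    for e in parse_hjt_log(log_text):
        groups.setdefault(e.clsid, []).append(e)
    return groups
```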
  6. zakrz1

    zakrz1 Private First Class

    OK, completed what you wrote, log attached. Things seem OK now, but I'm still wondering how I got the csrus.exe or driveinfo.exe in the first place?! I found out about the driveinfo utility but nothing on csrus.exe other than some Russian website I couldn't decipher....
    Thanks,
    Zakrz1
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot tell you where you got them from. Only you know where you or anyone else using the PC has been surfing and what has been downloaded. The two files in question are typically flagged as the following virus: Backdoor.IRCBot.es


    Your log is clean! Are you having any more problems?
     
  8. zakrz1

    zakrz1 Private First Class

    No more problems at the moment. Thanks!
    Zakrz1
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
