Hi there everyone,
Yesterday I was browsing someone's MySpace page, when I got prompted by Active Virus Control to either block/allow the file csrss.exe. Alas, I decided on the wrong move to allow it, which immediately prompted Active Virus Control to block/allow the file dwm.exe, which I also allowed. Admittedly I didn't think this through properly and I had felt quite confident up till now that these were both harmless, because I have never had a serious infection since I installed BD TS 2010 in December 2009. Now, here's what happened: browsing with Google search resulted in the search results being redirected to all manner of advertising pages, rather than showing me the results page. Shortly after, I was prompted by Active Virus Control to block/allow the file conhost.exe, a file I had never noticed before, and this time around I blocked it, becoming suspicious. However, I got continuous notices from BD's tray message balloon that this file won't run, having blocked it.
Windows Task Manager lists these files (csrss.exe, dwm.exe and conhost.exe) as running in the background, with another csrss.exe task. Now, I have no clue what csrss.exe actually does, but I suspect one of these two csrss.exe files would be a genuine one, the other being an infection disguising itself as a genuine file? I decided to scan the folders containing these files, only to find out that BD didn't list them as problematic (probably because I allowed at least two of those).
However, I also decided to scan for issues with Spybot S&D and found that the csrss.exe file in the User/Local Settings/Temp/ folder was listed as a Trojan by the name of Win32.FakeAlert.ttam. Spybot didn't list the other two files, though.
Next up, I decided to have a manual look (in Windows XP) in the folders for the two other files, based on the BD log info:
Documents and Settings/User/Application Data/dwm.exe
Documents and Settings/User/Application Data/Microsoft/conhost.exe
When I browse the folder where dwm.exe is found I get an antivirus notification: dwm.exe, virus name Gen:Variant.Kazy.22500, "BD can't disinfect, delete or quarantine this file. Access to this file has been denied."
I get exactly the same message when I browse the folder that contains conhost.exe: conhost.exe, virus name Gen:Variant.Kazy.22500, "BD can't disinfect, delete or quarantine this file. Access to this file has been denied."
For some reason or another the conhost.exe file has renamed itself to zislhecf.svl since last reboot of the PC, a type of random filename. I didn't find any information about this file by right-clicking, other than it was made yesterday.
I have also checked the dwm.exe file and found that it seems to be associated with two other suspicious files in the same directory, a file named 3482.8B3 (also made yesterday) and possibly a file called bdfvconp.ini. However, I can't be sure the latter file has anything to do with it, because the properties say this file was made on February 18, 2010 and has never changed since!
Yesterday, I decided to remove the files with ccleaner.exe with a 35-pass shred, which didn't work. Then I decided to remove them with a 35-pass shred in Spybot's shred.exe app. Trying to remove the file dwm.exe this way, I noticed the association between the file and the 3482.8B3 file. dwm.exe disappears but somehow gets replaced by a file with a random filename, including a totally random extension. Trying to remove that file results in the file renaming itself again randomly, and so on. In any case I noticed that both files can't be shredded with BD, either. Plus, the dwm.exe tends to reappear of its own accord after a while. The same happened yesterday with the conhost.exe file, also associated with a 3482.8B3 file found in its own folder. However, as noted above, this file seems to have renamed itself to zislhecf.svl, while the 3482.8B3 seems to have disappeared altogether.
In any case, when I rebooted the PC today, I ascertained that both browsers I am using, Opera 11.10 and Firefox 4.0.1 redirected my searches, making it impossible to browse anything, including bookmarks. I always got the message "can't connect to proxy server....blablabla" when in fact, I never use a proxy server. Curiously enough, I went to Opera settings and found that 127.0.0.1 was added to the proxy server entry. Deleting this entry solved that issue.
At least, temporarily. I am suspecting that those 3 exe files will return after reboot, and will reappear as background processes where they are not wanted. I also suspect both browsers will encounter the same issues again after reboot.
So I have a few questions:
1) How am I going to make sure I can get rid of these files for sure?
2) How will I be able to avoid deleting a genuine csrss.exe file, assuming that one of these is in fact necessary and genuine and the other isn't?
3) I am also unsure how to access the User/Local Settings/Temp/ folder, because I can't find it listed anywhere in Windows Explorer.
Seeing as I am a bit wary when it comes to fiddling with the registry and such, any help would be gladly appreciated on the subject.
Many thanks in advance,
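An added triage check for question 2 above (example code, not from this thread or from BitDefender): it flags a csrss.exe running from anywhere other than %SystemRoot%\System32 as a look-alike, and on Windows XP treats dwm.exe and conhost.exe as look-alikes outright, since those components only exist from Vista and Windows 7 respectively. The process list is a constructed sample mirroring the paths in the post; the `windows_xp` flag and `system_root` parameter are assumptions of this example.

```python
import ntpath

# On the poster's Windows XP, csrss.exe is the only one of these three names
# that is a real Windows component: dwm.exe first shipped with Vista and
# conhost.exe with Windows 7, so on XP a process with either of those names is
# an impostor whatever folder it runs from.
NAMES_IN_POST = {"csrss.exe", "dwm.exe", "conhost.exe"}
GENUINE_ON_XP = {"csrss.exe"}


def classify(name, image_path, system_root=r"C:\WINDOWS", windows_xp=True):
    """Verdict for one running process: 'genuine', 'impostor' or 'unknown'."""
    lname = name.lower()
    if lname not in NAMES_IN_POST:
        return "unknown"                   # not one of the names in the post
    genuine_names = GENUINE_ON_XP if windows_xp else NAMES_IN_POST
    if lname not in genuine_names:
        return "impostor"                  # name does not exist on this Windows
    if not image_path:
        return "unknown"                   # XP Task Manager shows no path column
    # The real file lives only in %SystemRoot%\System32 (case-insensitive compare).
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    actual_dir = ntpath.normcase(ntpath.dirname(image_path))
    return "genuine" if actual_dir == expected_dir else "impostor"


def triage(processes, **kw):
    """processes: iterable of (name, full path) as Process Explorer or
    'wmic process get Name,ExecutablePath' would list them.
    Returns [(name, path, verdict)] for the names discussed in the post."""
    return [(n, p, classify(n, p, **kw)) for n, p in processes
            if n.lower() in NAMES_IN_POST]


# Constructed sample mirroring the paths in the post (not real output).
SAMPLE = [
    ("csrss.exe", r"C:\WINDOWS\System32\csrss.exe"),
    ("csrss.exe", r"C:\Documents and Settings\User\Local Settings\Temp\csrss.exe"),
    ("dwm.exe", r"C:\Documents and Settings\User\Application Data\dwm.exe"),
    ("conhost.exe", r"C:\Documents and Settings\User\Application Data\Microsoft\conhost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for name, path, verdict in triage(SAMPLE):
        print("%-8s %-11s %s" % (verdict, name, path))
```

Windows XP's Task Manager does not show an image path column and Local Settings is a hidden folder, so the paths fed to `triage` would come from a tool such as Process Explorer or `wmic process get Name,ExecutablePath`.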