Avast detected a virus when it arrived (I think) and I chose to delete it. However, a file Oxf9.exe was later recognized by Kaspersky as the virus Backdoor.Win32.Bandok.ii. Could it be the same? Panda found it also but called it Adware/picsplace; McAfee could not find it; and running Avast does not find it either. HouseCall found Adware_adclicker, Adware_inet and Adware_memwatcher and apparently cleaned these.
I have run Kaspersky again and it detects the virus in the file just as before.
In Avast’s Warning log I have the following:
18/10/2008 23:43:31 SYSTEM 1332 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Qimi\LOCALS~1\Temp\csrss5.dll” file.
How do I clean it manually? Can I just delete the file Oxf9.exe? Is this related to csrss5.dll which I cannot find anymore?
Meanwhile until you reply, I am going to rename the extension and move it elsewhere.
Incidentally, I turned off System Restore before I did the scans, and the first Kaspersky, Panda, McAfee and HouseCall scans were done in Safe Mode.
Thanks. I appreciate your advice. But right now what I need is some help identifying the culprit (Oxf9.exe) and how to safely remove it.
Can you help?
For instance, is Oxf9.exe related to the warning I received from Avast: “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Qimi\LOCALS~1\Temp\csrss5.dll” file?
And why did Avast not deal with it, if it is the same thing?
Thanks. I appreciate your advice. But right now what I need is some help identifying the culprit (Oxf9.exe) and how to safely remove it.
Can you help?
c:\Oxf9.exe
Please upload the above files to VirusTotal for analysis. Post the results here.
For instance, is Oxf9.exe related to the warning I received from Avast: "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\Qimi\LOCALS~1\Temp\csrss5.dll" file?
And why did Avast not deal with it, if it is the same thing?
Really hard to say. Malware often has many component parts, and one AV may recognise some parts but not others, especially as malware writers constantly try to disguise their malware by creating new variants. On the other hand, it may be something entirely unrelated.
File 0xf9.exe received on 10.19.2008 22:07:30 (CET)
Additional information
File size: 65536 bytes
MD5…: eddea7bec9b4c671f4d20aa75ed17515
SHA1…: ae1a84bda4691b0b12fe3954c0e6f9bd5238b1c8
SHA256: 9b9249b1f549356f3222afcb35e79da49f3d457c09701adf24d8078f315c66ba
SHA512: a275abb697f3ddc811ad2eb065db36692c845dc10bdbc99031e4c9d33a7e4528ef16e1ca627310b0f0b6ef805dae2d6ea24e0d9ca827b73079ae9df5dc80a939
PEiD…: -
TrID…: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda’s Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x6c0710
timedatestamp…: 0x48f9fb04 (Sat Oct 18 15:04:36 2008)
machinetype…: 0x14c (I386)
Please note that I changed the file extension more than once from .exe to .exit and back again, and that I took it out of the root C:\ directory and placed it in a folder on the Desktop. What you have now is the Desktop version with the .exe extension. I will go now and change it back again before it executes…
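The report above gives the file's hashes, its machine type and link timestamp, its entry point, and TrID's guess that it is UPX-packed or yoda's Crypter-packed. All of that can be recovered offline from the file itself, which is useful when a scanner hangs or when you would rather look a hash up than upload a sample. The script below is an added example and is not code posted by anyone in this thread: it hashes a file, walks the PE headers for the same fields VirusTotal prints, and reports cheap packer indicators (packer section names, sections that are empty on disk but large in memory, high-entropy sections, an entry point in the last section). The sample image built by build_sample_pe() is constructed in memory for demonstration; it reuses only the 0x48f9fb04 timestamp from the report and is not 0xf9.exe.

```python
"""Offline triage of a suspicious executable: the hashes to look up, the PE
header fields a VirusTotal report prints (machine type, link timestamp, entry
point) and cheap packer indicators. Added example, not code posted in this
thread; build_sample_pe() constructs a small UPX-style image in memory for
demonstration and is not the real 0xf9.exe (only its timestamp is reused)."""
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

MACHINE_TYPES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Section names left behind by common packers (UPX, yoda's Crypter, ASPack, Petite).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".yP", ".aspack", ".adata", ".petite"}

def file_hashes(data):
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256", "sha512")}

def shannon_entropy(data):
    """Bits per byte: packed or encrypted data sits near 8.0, plain x86 code nearer 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(data):
    """Minimal PE32/PE32+ header walk: COFF header, entry point, image base, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at offset 28 of the optional header
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24 (no BaseOfData field)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"machine": MACHINE_TYPES.get(machine, hex(machine)), "timestamp": timestamp,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections}

def triage(data):
    """Hashes, header facts and a list of human-readable packer indicators for one file."""
    pe = parse_pe(data)
    entry_section = None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s
    indicators = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTIONS:
            indicators.append("packer section name %s" % s["name"])
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            indicators.append("section %s is empty on disk but %#x bytes in memory (filled at runtime)" % (s["name"], s["vsize"]))
        if s["entropy"] > 7.0:
            indicators.append("section %s has entropy %.2f (packed or encrypted)" % (s["name"], s["entropy"]))
    if entry_section is None:
        indicators.append("entry point lies outside every section")
    elif len(pe["sections"]) > 1 and entry_section is pe["sections"][-1]:
        indicators.append("entry point is in the last section (%s), typical of an unpacking stub" % entry_section["name"])
    return {"hashes": file_hashes(data), "machine": pe["machine"],
            "timestamp": datetime.fromtimestamp(pe["timestamp"], timezone.utc).isoformat(),
            "entry_point": pe["image_base"] + pe["entry_rva"],
            "entry_section": entry_section["name"] if entry_section else None,
            "indicators": indicators}

def build_sample_pe():
    """Constructed PE32 image for demonstration: an empty UPX0 plus a high-entropy UPX1 holding the entry point."""
    ts = 0x48F9FB04  # Sat Oct 18 15:04:36 2008 UTC, the timestamp shown in the report above
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 pseudo-random bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, ts, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 2, 0, len(payload), 0, 0x10000, 0x11100, 0x11000, 0x12000, 0x400000)
    opt += b"\0" * (224 - len(opt))
    raw_off = 0x200
    secs = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    secs += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x11000, len(payload), raw_off, 0, 0, 0, 0, 0xE0000040)
    headers = dos + coff + opt + secs
    return headers + b"\0" * (raw_off - len(headers)) + payload

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print("%-14s %s" % (key, value))
```

Run it as `python triage.py path\to\file.exe` (or with no argument to analyse the constructed sample). The indicators are hints, not verdicts: a high-entropy section with UPX names just means the real code is unpacked at runtime, so the static hashes identify only this packed container, which is one reason different products name the same file differently. Rename the sample to a non-executable extension, as was done above, before handling it.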
I have a csrss.exe entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing to C:\Documents and Settings\All Users\Application Data\csrss.exe.
Shouldn't be there, right? I've unchecked it in the Startup tab of MSConfig. What next?
There is no listing of the 36 scanners and what they found or didn't find; just copy and paste the URL from your browser's address window once VirusTotal completes its scan.
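The Run-key entry quoted above is the classic masquerade: a value named after a Windows system process (the real csrss.exe is started by the kernel and smss, never by a Run key, and only ever lives under %SystemRoot%\System32) that points at a copy in a user-writable directory. The script below is an added example, not code from anyone in this thread: it parses Run values the way the registry holds them (quoted and unquoted paths, %VAR% expansion, trailing arguments), then flags any entry whose image name belongs to a system process but is either a core process that should never be autorun or a file sitting outside %SystemRoot%. SAMPLE_ENTRIES and SAMPLE_ENV are constructed so it runs offline; on a Windows host read_run_keys() reads the live HKCU and HKLM Run and RunOnce values with the standard winreg module.

```python
"""Check autorun entries for a process name that belongs to a Windows system
process but points outside the system directories, the pattern in the HKCU Run
value quoted above (csrss.exe under All Users\Application Data). Added example,
not code from anyone in this thread; SAMPLE_ENTRIES and SAMPLE_ENV are constructed.
On a Windows host read_run_keys() reads the live Run/RunOnce values with winreg."""
import ntpath
import os
import re
import sys

# Processes the kernel, smss or wininit start; nothing legitimate launches them from a Run key.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "lsass.exe", "services.exe"}
# Names that should only ever resolve to a file under %SystemRoot%.
SYSTEM_NAMES = CORE_PROCESSES | {"svchost.exe", "explorer.exe", "lsm.exe", "spoolsv.exe", "taskhost.exe"}

SAMPLE_ENV = {"SYSTEMROOT": r"C:\WINDOWS", "APPDATA": r"C:\Documents and Settings\User\Application Data"}
SAMPLE_ENTRIES = [  # (hive, value name, command) as a Run key holds them; constructed for this example
    ("HKCU", "csrss", r"C:\Documents and Settings\All Users\Application Data\csrss.exe"),
    ("HKCU", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKLM", "Updater", r'"%SystemRoot%\system32\svchost.exe" -k netsvcs'),
    ("HKCU", "svchost", r"%APPDATA%\svchost.exe -silent"),
    ("HKLM", "SoundMan", r'"C:\Program Files\Realtek\SoundMan.exe"'),
]

def expand_env(path, env):
    """Expand %VAR% using the supplied environment (case-insensitive; unknown names left as-is)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def image_path(command):
    """Pull the executable out of a Run value: a quoted path, or an unquoted path up to the
    first .exe/.com/.scr even when it contains spaces. Launchers such as rundll32.exe are
    returned as themselves; their real target sits in the arguments and is not inspected here."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|cmd|bat|pif))(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def flag_masquerading(entries, env):
    """Return one finding (hive, name, path, reason) per suspicious entry."""
    system_root = ntpath.normcase(ntpath.normpath(expand_env(env.get("SYSTEMROOT", r"C:\Windows"), env)))
    findings = []
    for hive, name, command in entries:
        path = expand_env(image_path(command), env)
        norm = ntpath.normcase(ntpath.normpath(path))
        base = ntpath.basename(norm)
        inside_root = norm.startswith(system_root + "\\")
        if base in CORE_PROCESSES:
            reason = "%s is started by the system, never from a Run key" % base
        elif base in SYSTEM_NAMES and not inside_root:
            reason = "%s running from %s instead of under %s" % (base, ntpath.dirname(path), system_root)
        else:
            continue
        findings.append({"hive": hive, "name": name, "path": path, "reason": reason})
    return findings

def read_run_keys():
    """Windows only: collect Run and RunOnce values from HKCU and HKLM."""
    import winreg
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    subkeys = (r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
    entries = []
    for hive_name, hive in hives:
        for sub in subkeys:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            index = 0
            while True:
                try:
                    value_name, value, _ = winreg.EnumValue(key, index)
                except OSError:   # EnumValue raises OSError when the values are exhausted
                    break
                entries.append((hive_name, value_name, str(value)))
                index += 1
    return entries

if __name__ == "__main__":
    live = sys.platform == "win32"
    results = flag_masquerading(read_run_keys() if live else SAMPLE_ENTRIES,
                                dict(os.environ) if live else SAMPLE_ENV)
    for f in results:
        print("%s\\...\\Run\\%s -> %s: %s" % (f["hive"], f["name"], f["path"], f["reason"]))
```

Unchecking the entry in MSConfig only moves it to a disabled list; the file itself stays on disk, so the finding's path is what to hash, rename and submit, and the value is what to delete once the file is gone. The check covers only HKCU and HKLM Run/RunOnce, not services, scheduled tasks or Winlogon notify entries, which a full autoruns review would also walk.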