#1
09-26-2005
the_machine
Bronze Member
Join Date: Sep 2005
Posts: 71
[FIXED] ok here's my problem..

Ok, I consider myself a decent HJT log reader. And my PC is locked up pretty tight. Yet, a.exe is running in my Task Manager. Now I looked it up and ok, it's a worm.. So I went and did the usual scans, AVG, Trend, Panda etc., then went and got myself Spysweeper, opened all hidden folders, files etc.. and everything is coming up with nothing. So seen the Ewido program and still nothing in the log except a few tracking cookies. So why is it showing up in TM but not being read by anything? Did my own reg hack to overwrite the files it tries to overwrite, can't find bridge.dll and looked everywhere just in case. This one has got me puzzled.. :lol:


#2
09-26-2005
Zimbo
Friend of PCHF
Join Date: Sep 2004
Location: Right here !
Posts: 2,149
Re: ok here's my problem..

Alright, let's see if we can solve this:

The a.exe is showing up in your hijackthis log:
  • C:\WINDOWS\system32\a.exe?

Have you tried removing it from the hijackthis log along with browsing to the c:\windows\system32 directory and deleting the file from there?

Also check your startup menu to see whether there is anything in there that is loading it.

You can also open "regedit" and browse to the following location : HKEY_LOCAL_MACHINE - SOFTWARE - MICROSOFT - WINDOWS - CURRENTVERSION - RUN
and see whether there is anything relating to a.exe within there.

The virus it relates to is - W32.Ahlem.A@mm

This is from the Symantec website:

Click Start, and then click Run. (The Run dialog box appears.)
  • Type regedit
  • Then click OK. (The Registry Editor opens.)

Navigate to the key:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:
  • "SYSTEMSars32"="%windir%\csrss.exe"

Exit the Registry Editor.
Restart the computer

http://securityresponse.symantec.com...hlem.a@mm.html


#3
09-26-2005
the_machine
Bronze Member
Join Date: Sep 2005
Posts: 71
Re: ok here's my problem..

Thanks Zimbo,
Ya, tried all of that. That's what has me a little cross-eyed. I did everything Symantec said and Trend. But nothing seems to get rid of it, nor identify it as a threat. Yet still running. One thing I forgot to say is every once in a while, down in the IE progress bar I see this loading "javascript grrrrr" exactly as written. So of course got rid of Java to see if it would help. No dice. I looked all over in the reg for the files, even used this nice little app.
http://www.hoverdesk.net/freeware.htm (nice, free and spyware free) (good program to find reg entries). And it can't find it either. I mean it's not causing any problems, but it's weird to have it running and nothing can see it.. Even HJT can't see it sometimes. So just a guess but maybe just a rogue file left? Because here is a new HJT log without it. Yet 5 minutes before it was in there.. Yep, confusing.. But thanks..


#4
09-26-2005
Zimbo
Friend of PCHF
Join Date: Sep 2004
Location: Right here !
Posts: 2,149
Re: ok here's my problem..

I am sure you have already tried what I am about to write but I thought I needed to ask anyway.

Have you tried doing a search on your hard drive for the file "a.exe" or "SARS_IMAGE.JPG"?


#5
09-26-2005
the_machine
Bronze Member
Join Date: Sep 2005
Posts: 71
Re: ok here's my problem..

Not a problem Zimbo, don't mind being asked, but yes did that included the look in hidden files etc..

And Joe5, The crsrss.exe is where it should be. Think I should delete just in case?


#6
09-26-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036
Re: ok here's my problem..



No, sorry, I was doing two things at a time and not paying attention, I already removed that post. Just ignore it.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#7
09-26-2005
Zimbo
Friend of PCHF
Join Date: Sep 2004
Location: Right here !
Posts: 2,149
Re: ok here's my problem..

Bit of background info on csrss:

csrss - csrss.exe - Process Information
Process File: csrss or csrss.exe
Process Name: Microsoft Client/Server Runtime Server Subsystem
Description:
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

Note: csrss.exe is also a process which is registered as the W32.Netsky.AB@mm worm, the W32.Webus Trojan, Win32.Ladex.a and more. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process

I recommend renaming the file to something like test.old, at least then you can see whether your machine will work properly without it. And if it doesn't you can always rename the file back.
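
Added example, not written by anyone in this thread: the Run-key check from post #2 and the csrss.exe location question from post #7, done over saved `reg query` output in Python. It flags a value whose target is named a.exe, or whose target is named csrss.exe but sits outside System32. The sample output, the ExampleAV and Updater entries and the C:\WINDOWS install path are constructed assumptions; only the SYSTEMSars32 value comes from the thread.

```python
import ntpath
import re

WATCHED_NAMES = {"a.exe"}        # file name reported in the thread
SYSTEM32_ONLY = {"csrss.exe"}    # the genuine copy lives only in System32
WINDIR = r"C:\WINDOWS"           # assumption: default install path
SYSTEM32 = ntpath.join(WINDIR, "system32").lower()

# One value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$")

# Constructed sample; only the SYSTEMSars32 value is taken from the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SYSTEMSars32    REG_SZ    %windir%\csrss.exe
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\av.exe" /STARTUP
    Updater    REG_SZ    C:\WINDOWS\system32\a.exe
"""

def image_path(data):
    """Return the executable path from a Run value's command line."""
    data = re.sub(r"%(windir|systemroot)%", lambda m: WINDIR,
                  data.strip(), flags=re.I)
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, flags=re.I)
    return m.group(1) if m else data.split(" ", 1)[0]

def audit_run_values(reg_query_output):
    """Return (value name, path, reason) for each entry worth a closer look."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = image_path(m["data"])
        exe = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if exe in WATCHED_NAMES:
            findings.append((m["name"], path, "file name reported in this thread"))
        elif exe in SYSTEM32_ONLY and folder != SYSTEM32:
            findings.append((m["name"], path, "system process name outside System32"))
    return findings

if __name__ == "__main__":
    for name, path, reason in audit_run_values(SAMPLE):
        print(f"{name}: {path} ({reason})")
```

A flagged entry is a lead to inspect, not proof of infection; a file name alone does not identify what the file is.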


