Removed: C:\WINDOWS\system32\csbdll.dll (trojan Meredrop)

I will tell you in this post how to fix the issue manually and how to clean it automatically using a special powerful removal tool.

Malware: tn.exe

Removed: C:\WINDOWS\system32\csbdll.dll

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: csbdll
Author:
Related File: C:\WINDOWS\system32\CSBDLL.DLL
Type: Winlogon Notification

Removal Results: Success
Number of reboot: 1



—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\DLLName
Value: "csbdll.dll"

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\StartShell
Value: "WinlogonStartShellEvent"

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Logon
Value: "WinlogonLogonEvent"

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Logoff
Value: "WinlogonLogoffEvent"

Files: C:\WINDOWS\system32\csbdll.dll
—————————————————————————————————————————-
Classification:

Antivirus   Version   Last Update   Result
Microsoft   1.5902    2010.06.17    Trojan:Win32/Meredrop
NOD32       5205      2010.06.17    Win32/TrojanDownloader.Agent.PMF

—————————————————————————————————————————-
Additional information
File size: 88576 bytes
MD5 : 63529b944c952182015ee82d3a68cad0
SHA1 : 4a320c03a6393847f747c0272e1ee805f28714cd
SHA256: e83dc9fb7a10277267d2caf1d507ed91a99aabfe12f6497f2babda695a27753a
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:1
———————————-
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll

———————————-
Values added:7
———————————-
HKLM\Software\Microsoft\Internet Explorer\group: 0x00000096
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\DLLName: "csbdll.dll"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\StartShell: "WinlogonStartShellEvent"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Logon: "WinlogonLogonEvent"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Logoff: "WinlogonLogoffEvent"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Impersonate: 0x00000001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Asynchronous: 0x00000001

———————————-
Values modified:1
———————————-
(-) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000001
(+) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000

———————————-
Files added:11
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\59A9.tmp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\O308NZ0V\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\RVUHHK3A\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VRKZS5IE\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\WGNOQT9V\desktop.ini
C:\WINDOWS\system32\csbdll.dll

———————————-
Folders added:9
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies
C:\Documents and Settings\Administrator\Local Settings\Temp\History
C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\O308NZ0V
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\RVUHHK3A
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VRKZS5IE
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\WGNOQT9V

———————————-
Total changes:29
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning ads and viruses from my friends' computers, because it is extremely fast and effective.




STEP 1: Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.


UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses a minimum of computer resources.

STEP 2: Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software.

Once UnHackMe has installed, the first scan will start automatically.

STEP 3: Carefully review the detected threats!

Click the Remove button or False Positive.

Enjoy!

  • annie gillis

    Hi Alex

    I recently was going through my old HDD that ran XP, and I noticed all folders in temp folder similar to what you described. There was a whole new set of history, cookie and temp internet folders within the temp folder with desktop.ini and index.dat files in them which contained some data. The history file had about three days' worth of browsing from Dec 2007 and also had one day from Dec. 2008.

    It's pretty weird, and I have no idea what caused it since it was so long ago. If it was malware, the malware would have been deleted a while ago.

    My question is, was this 100% malware related, or could something else have caused this duplicate file structure?

    Thanks