Infection - don't know what to do.



Scoville
2011-02-13, 10:39
I have some sort of infection. I don't know anything about this kind of thing, but I need help. Every time I start my computer, something comes up which says it can't access this:

C:\DOCUME~1\WESLEY~1\LOCALS~1\Temp\csrss.exe

I ran ad-aware.
I just ran malwarebytes - this is what came up:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 5751

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/13/2011 12:33:55 AM
mbam-log-2011-02-13 (00-33-55).txt

Scan type: Quick scan
Objects scanned: 147128
Time elapsed: 12 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\cryptnet32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Value: load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cryptnet32.dll (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\wesley scoville\local settings\Temp\qpxk0gja.dat (Rootkit.MBR) -> Quarantined and deleted successfully.
c:\documents and settings\wesley scoville\local settings\Temp\_DF.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\wesley scoville\local settings\application data\vavctdxq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.

Also, I can't access the internet, so in Firefox I changed the connection setting to auto-detect proxy setting. But only Firefox works because of this - nothing else will connect.

ken545
2011-02-13, 22:01
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Download DDS from one of the links below to your desktop

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)


Double click the tool to run it.
A black screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)


Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)

ken545
2011-02-17, 11:22
Still with us?

ken545
2011-02-21, 11:34
Due to inactivity, this thread will now be closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.