Archive for November 3rd, 2009

Got Trojan Agent On My Computer

I was using my computer the other day when suddenly a message appeared on my screen saying

microsoft visual c++ runtime library buffer overrun detected

C:\Documents and Settings\All Users\Application Data/csrss.exe

A buffer overrun has been detected which has corrupted the program’s internal state. The program cannot safely continue execution and must now be terminated.

I could see there was something not right in that message. The file csrss.exe was a legitimate Windows core system file, but it was supposed to be located in Windows\System32, not in Documents and Settings\All Users\Application Data. So I immediately suspected my computer was infected by a virus or spyware or malware or whatever it was called (I still don’t understand the difference between them).
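The check the author did by eye (a core Windows process name running from somewhere other than %SystemRoot%\System32) is easy to automate. The script below is an added example and is not code from the original post or from any product mentioned in it. It flags any running image whose file name matches a core system process but whose directory is not System32. The list of core process names is an assumption chosen for the example, the sample process table and the sample `wmic` output are constructed to mirror the paths in the post, and the CSV column order (Node, ExecutablePath, ProcessId) is assumed from `wmic`'s alphabetical column output.

```python
import csv
from pathlib import PureWindowsPath
from typing import List, Tuple

# Core Windows processes that should only ever run from %SystemRoot%\System32.
# The set is an assumption for this example; extend it with names you care about.
CORE_SYSTEM_PROCESSES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe",
}


def expected_dir(system_root: str) -> PureWindowsPath:
    """Directory a core system process is expected to run from."""
    return PureWindowsPath(system_root) / "System32"


def is_masquerading(image_path: str, system_root: str = r"C:\WINDOWS") -> bool:
    """True if the image has a core-system-process name but lives outside System32.

    PureWindowsPath accepts both '/' and '\\' separators and compares paths
    case-insensitively, so 'system32' and 'System32' are treated as equal.
    """
    path = PureWindowsPath(image_path)
    if path.name.lower() not in CORE_SYSTEM_PROCESSES:
        return False
    return path.parent != expected_dir(system_root)


def scan_processes(processes: List[Tuple[int, str]], system_root: str) -> List[Tuple[int, str]]:
    """Return the (pid, path) pairs whose image masquerades as a core system process."""
    return [(pid, path) for pid, path in processes if is_masquerading(path, system_root)]


def parse_wmic_csv(text: str) -> List[Tuple[int, str]]:
    """Parse `wmic process get ProcessId,ExecutablePath /format:csv` output into (pid, path).

    Assumes the header row is Node,ExecutablePath,ProcessId. Rows with an empty
    ExecutablePath (System, System Idle Process, protected processes) are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    out = []
    for row in csv.DictReader(lines):
        path = (row.get("ExecutablePath") or "").strip()
        if path:
            out.append((int(row["ProcessId"]), path))
    return out


# Constructed sample process table, modelled on the paths in the post (system drive D:).
SAMPLE_PROCESSES = [
    (592, r"D:\WINDOWS\system32\csrss.exe"),                                   # legitimate
    (1204, r"D:\Documents and Settings\All Users\Application Data\csrss.exe"),  # impostor
    (640, r"D:\WINDOWS\system32\winlogon.exe"),                                # legitimate
    (2016, r"D:\Program Files\Mozilla Firefox\firefox.exe"),                   # not a core name
]

# Constructed sample of wmic CSV output (assumed column layout).
SAMPLE_WMIC_CSV = r"""
Node,ExecutablePath,ProcessId
MYPC,,4
MYPC,D:\WINDOWS\system32\csrss.exe,592
MYPC,D:\Documents and Settings\All Users\Application Data\csrss.exe,1204
MYPC,D:\Program Files\Mozilla Firefox\firefox.exe,2016
"""


if __name__ == "__main__":
    import os
    import subprocess

    if os.name == "nt":
        # Live scan: read the real process list and the real %SystemRoot%.
        raw = subprocess.run(
            ["wmic", "process", "get", "ProcessId,ExecutablePath", "/format:csv"],
            capture_output=True, text=True,
        ).stdout
        procs, root = parse_wmic_csv(raw), os.environ.get("SystemRoot", r"C:\WINDOWS")
    else:
        # Off Windows, run against the constructed sample so the script still demonstrates itself.
        procs, root = SAMPLE_PROCESSES, r"D:\WINDOWS"

    for pid, path in scan_processes(procs, root):
        print(f"suspicious: pid {pid} runs core-process name from {path}")
```

On the system in the post this would flag only the csrss.exe under Application Data, which is exactly the file Malwarebytes later removed. Because the check is by path alone, it says nothing about a file that has been dropped into System32 under a lookalike name such as csrss2.dll; that is where a signature or hash check, or a scanner's own detection, still has to do the work.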

I knew there was an easy, fast, reliable and (most importantly) FREE way to handle computer problems in my house. Easy because all I have to do is call the computer repairman, fast because he usually knows what to do, reliable because he’s done it so many times and FREE because he is my brother (or his friends), lol. But no, this time I chose the hardest way. I tried to solve them by myself, so I started to do some searching (a lot of searching, to be exact) on Google instead.

After two days (yes, that long) of trying several free anti-virus, anti-spyware and anti-malware programs downloaded from the net, I could finally solve the problem. Apparently my computer was infected with Trojan Agent, and thankfully Malwarebytes’ Anti-Malware could detect and kill it for free. Here’s the log file.

Malwarebytes’ Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/31/2009 11:04:29 PM
mbam-log-2009-10-31 (23-04-29).txt

Scan type: Full Scan (D:\|)
Objects scanned: 132807
Time elapsed: 28 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
D:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Elle\Local Settings\Temp\csrss2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\csrss2.dll (Trojan.Agent) -> Delete on reboot.

There were other programs that could detect the Trojan, but they asked me to register (read: pay) before I could use them to remove it, so I skipped them. Other programs failed to detect it but found other types of infections instead; most were found in my browser’s cookies.

Satisfied with my accomplishment, I called my brother to brag about it.