I was using my computer the other day when suddenly a message appeared on my screen saying
Microsoft Visual C++ Runtime Library: Buffer overrun detected!
C:\Documents and Settings\All Users\Application Data/csrss.exe
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
I could see there was something not right in that message. The file csrss.exe is a legitimate Windows core system file, but it is supposed to be located in Windows\System32, not in Documents and Settings\All Users\Application Data. So I immediately suspected my computer was infected by a virus or spyware or malware or whatever it is called (I still don't understand the difference between them).
I knew there was an easy, fast, reliable and (most importantly) FREE way to handle computer problems in my house. Easy because all I had to do was call the computer repairman, fast because he usually knows what to do, reliable because he has done it so many times, and FREE because he is my brother (or his friends), lol. But no, this time I chose the hardest way. I tried to solve it by myself, so I started to do some searching (a lot of searching, to be exact) on Google instead.
After two days (yes, that long) of trying several free anti-virus, anti-spyware and anti-malware programs downloaded from the net, I finally solved the problem. Apparently my computer was infected with a Trojan.Agent, and thankfully Malwarebytes' Anti-Malware could detect and kill it for free. Here's the log file.
Malwarebytes’ Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
10/31/2009 11:04:29 PM
mbam-log-2009-10-31 (23-04-29).txt

Scan type: Full Scan (D:\|)
Objects scanned: 132807
Time elapsed: 28 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
D:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Elle\Local Settings\Temp\csrss2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\csrss2.dll (Trojan.Agent) -> Delete on reboot.
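The two things that gave this infection away, a core process name (csrss.exe) running from outside System32 and a Winlogon\Notify entry loading a look-alike DLL (csrss2.dll), can be checked mechanically rather than by eye. The following Python example is added here and is not part of the original post or of any of the tools mentioned. The process list and the Notify entries are a constructed snapshot modelled on the paths in the Malwarebytes log above (Windows installed on D:\WINDOWS); the set of "core" process names and the look-alike heuristic are my own assumptions, and the path handling accepts the mixed-slash form shown in the runtime error dialog.

```python
import ntpath

# Assumption: these core Windows processes legitimately run only from %SystemRoot%\System32.
CORE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
              "services.exe", "svchost.exe"}

# Constructed sample snapshot, modelled on the log above (not real telemetry).
WINDOWS_DIR = r"D:\WINDOWS"
PROCESSES = [
    r"D:\WINDOWS\system32\csrss.exe",                               # the real csrss.exe
    r"D:\WINDOWS\system32\svchost.exe",
    r"D:\Documents and Settings\All Users\Application Data/csrss.exe",  # mixed slashes, as in the error dialog
    r"D:\Program Files\Mozilla Firefox\firefox.exe",
]
# HKLM\...\Winlogon\Notify\<subkey> -> DLLName value (constructed; the first two are standard XP entries)
NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "ScCertProp": "wlnotify.dll",
    "Csrss": "csrss2.dll",
}


def normalize(path):
    """Lower-case and normalize a Windows path; ntpath.normpath also turns '/' into '\\'."""
    return ntpath.normpath(path).lower()


def lookalike(filename):
    """Return the core process name a file name imitates (csrss2.dll -> csrss.exe), or None.
    Heuristic assumption: same stem prefix but a different full name."""
    for core in CORE_NAMES:
        stem = core.rsplit(".", 1)[0]
        if filename != core and filename.startswith(stem):
            return core
    return None


def audit_processes(image_paths, system_root):
    """Flag core process names running outside System32 and look-alike names anywhere."""
    sys32 = normalize(ntpath.join(system_root, "System32"))
    findings = []
    for raw in image_paths:
        directory, name = ntpath.split(normalize(raw))
        if name in CORE_NAMES and directory != sys32:
            findings.append((raw, "core process name outside System32"))
        else:
            imitated = lookalike(name)
            if imitated:
                findings.append((raw, f"lookalike of {imitated}"))
    return findings


def audit_winlogon_notify(notify_entries, system_root):
    """Flag Notify DLLs loaded from outside System32 or carrying a look-alike name.
    A bare DLL name (no directory) is resolved from System32 via the search path,
    so the look-alike check is what catches csrss2.dll sitting inside System32."""
    sys32 = normalize(ntpath.join(system_root, "System32"))
    findings = []
    for subkey, dll in notify_entries.items():
        directory, name = ntpath.split(normalize(dll))
        if directory and directory != sys32:
            findings.append((subkey, dll, "Notify DLL outside System32"))
        imitated = lookalike(name)
        if imitated:
            findings.append((subkey, dll, f"lookalike of {imitated}"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_processes(PROCESSES, WINDOWS_DIR):
        print(f"PROCESS  {path}: {reason}")
    for subkey, dll, reason in audit_winlogon_notify(NOTIFY, WINDOWS_DIR):
        print(f"NOTIFY   {subkey} -> {dll}: {reason}")
```

On a live XP machine the same two inputs come from the running process list (image paths) and from the subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify; the point of the path normalization is that a path printed with a forward slash, as in the error dialog, still compares equal to its backslash form.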
There were other programs that could detect the Trojan, but they asked me to register (read: pay) before I could use them to remove it, so I skipped them. Other programs failed to detect it but found other types of infections instead; most were found in my browser's cookies.
Satisfied with my accomplishment, I called my brother to brag about it.
"Hey, I got a virus on my computer!"
“Oh! You want me to check?”
"Nah, fixed it already with Malwarebytes"
“No wonder you sound happy. Where did you get the program?”
“Google” (sparing the details about how long it took me to find it)
“Try to rescan with Kaspersky”
“Why? Is it better?”
"Just to make sure there's nothing left. Sometimes a different program can find what others can't"
“I don’t like installing another anti-virus, already got too many of them”
“Use the online scan, you don’t have to install it”
“Oh ok, I’ll try”
"How many anti-virus programs have you installed, by the way?"
“Some. Bye!”
So I tried the Kaspersky online antivirus scan. Of course, more threats were found. Here's the log file.
——————————————————————————–
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 2, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 02, 2009 16:08:40
Records in database: 3114865
——————————————————————————–

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area – Folder:
D:\Documents and Settings

Scan statistics:
Objects scanned: 12867
Threats found: 1
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 00:10:06

File name / Threat / Threats count
D:\Documents and Settings\Elle\Local Settings\Temp\plugtmp-90\plugin-board_review_view.php Infected: Exploit.Win32.Pidief.crv 1
D:\Documents and Settings\Elle\Local Settings\Temp\plugtmp-97\plugin-IMG_1084.php Infected: Exploit.Win32.Pidief.crv 1
D:\Documents and Settings\Elle\Local Settings\Temp\plugtmp-99\plugin-IMG_1084-1.php Infected: Exploit.Win32.Pidief.crv 1
D:\Documents and Settings\Elle\Local Settings\Temp\plugtmp-99\plugin-IMG_1084.php Infected: Exploit.Win32.Pidief.crv 1

Selected area has been scanned.
Those files seemed harmless (I guess), as they were located in the temp folder. I deleted them anyway.
I found Malwarebytes was quite good at handling malware; the only drawback was that the free version didn't support real-time protection. So to give my computer real-time protection I installed Spyware Terminator (free version). It was integrated with Clam AntiVirus, so it could act as an anti-virus as well. Before, I used the free version of Avira (which was good) as my anti-virus, but it couldn't protect me from spyware or malware, so I temporarily disabled it and would see if Spyware Terminator could do better.
Now, is my computer safe? Hopefully.
Thanks for sharing this info. I think I got a bug while dropping ECs, and the Avira antivirus free version I have installed on my notebook doesn't seem to detect it. I noticed something's up, so I will try this software.
Regards, Mizé.
Good luck. Yes, dropping ECs is always risky. I found some blogs that tried to redirect/reload or asked for a plug-in; not sure which one was dangerous though.
Thanks for the great info. I was having the same problem too and didn't know what to do. Now my computer is running fine. Thanks again.
Naoko
You're welcome. Glad it works.
[...] found in a particular blog. The malware’s name was JS:Small-C[Trj]. Unlike last time when I found Trojan already infected my computer, this time, luckily, Avast managed to stop it before it entered my [...]