Talha Khan's Log
Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2
11:37:11 PM 8/15/2008
mbam-log-8-15-2008 (23-37-11).txt
Scan type: Quick Scan
Objects scanned: 38169
Time elapsed: 6 minute(s), 20 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
C:\CSRSS.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\CSRSS.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runonce (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amva (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\CSRSS.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\CSRSS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Database version: 1012
Windows 5.1.2600 Service Pack 2
11:37:11 PM 8/15/2008
mbam-log-8-15-2008 (23-37-11).txt
Scan type: Quick Scan
Objects scanned: 38169
Time elapsed: 6 minute(s), 20 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
C:\CSRSS.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\CSRSS.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runonce (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amva (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\CSRSS.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\CSRSS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
0
Comments
If you still need assistance, could you please do the following
Please download HJTInstall.exe to your Desktop.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.
If you are not the user who started this thread, you must start your own Thread instead