Jump to content

Please help.

Recommended Posts

Here is the log from my mbam scan:

Malwarebytes' Anti-Malware


Database version: 7016

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

7/4/2011 3:18:26 AM

mbam-log-2011-07-04 (03-18-26).txt

Scan type: Quick scan

Objects scanned: 167000

Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 3

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

c:\Users\Nhat\AppData\Local\Temp\0.8828415472678759.exe (Spyware.Passwords.XGen) -> 6904 -> Unloaded process successfully.

c:\Users\Nhat\AppData\Roaming\dwm.exe (Trojan.Backdoor.Gen) -> 7592 -> Unloaded process successfully.

c:\Users\Nhat\AppData\Local\Temp\csrss.exe (Trojan.Backdoor.Gen) -> 7372 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Backdoor.Gen) -> Bad: (C:\Users\Nhat\AppData\Local\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Nhat\AppData\Local\Temp\0.8828415472678759.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Nhat\AppData\Roaming\dwm.exe (Trojan.Backdoor.Gen) -> Quarantined and deleted successfully.

c:\Users\Nhat\AppData\Local\Temp\csrss.exe (Trojan.Backdoor.Gen) -> Quarantined and deleted successfully.

c:\Users\Nhat\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmiission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

Link to post
Share on other sites

  • 5 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.