virus/malware in csc.exe?

For the last couple of days, only when I turn my laptop on and Avast updates the virus database, I get info about malware in a .dll file, every time a different one, in csc.exe.
I’ve used Malwarebytes and Avast pro and none of them finds anything.
Is it Avast mistaking some process or is it a really stubborn virus?

Can you either post the text of the alert, file name, location and malware name or attach a screenshot of the Avast alert window?

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

I attach screens. It’s basically the first line (.dll file name) that changes every time.

I couldn’t get a log from aswMBR because it crashed every time during scan.

I couldn't get a log from aswMBR because it crashed every time during scan.
Try running it from safe mode.

When you ran AdwCleaner, did you click the Delete button? I see the log says Usun, but Google Translate gives a strange translation of that word.
You need to click the Delete button to remove the crap files in the log.

Essexboy is notified and should be here soon…

It still doesn’t work, even in safe mode.
I attach a screen.

Yes, I did click “Delete”. My Windows was originally Polish, however it’s English now; I don’t know why the software was in Polish.

it still doesn't work, even in safe mode.
OK, the removal experts have other tools to run if needed, so wait for their advice...

Hi let me know if this kills it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[2013/02/10 13:04:35 | 000,000,000 | ---D | M] (Yontoo) -- C:\Users\gosia\AppData\Roaming\Mozilla\Firefox\Profiles\1b615deu.default\extensions\plugin@yontoo.com
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-142123002-2161092192-694725643-1000\..\Toolbar\WebBrowser: (no name) - {687578B9-7132-4A7A-80E4-30EE31099E03} - No CLSID value found.
O4:64bit: - HKLM..\Run: [SNUVCDSM] C:\Windows\snuvcdsm.exe ()

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi,

it didn’t help, I still get exactly the same warning from Avast.
these are the logs from OTL

Is it the dll being reported?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Still getting malware alerts.
Logs attached.

Hmm I can not yet see the launch point

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the “Silent Runners” icon on your desktop.
  • You will receive a prompt:
    Do you want to skip supplementary searches?
    click NO

  • If you receive an error just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.

Sorry I disappeared.

More logs added.

Could you expand the Avast file location for the dll? If you go to the virus chest you will be able to get the data there.

I will need the long file identification

Is a screenshot enough? I don’t know how to save the log as a .txt

Hmm all in the temp folder

Download the GMER Rootkit Scanner to your Desktop; it will be a randomly named .exe file.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click the file you downloaded. The program will begin to run.

https://dl.dropbox.com/u/73555776/GMER_Open.JPG

Caution
These types of scans can produce false positives. Do NOT take any action on any “<-- ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

logs added.

Hello @ all,

I have exactly the same problem. The first time in my life that Avast lost (till now) against a malware… :cry:

I have a Windows 7 64bit PC. And I want to clean the computer with Avast, mbam.exe, Spybot… Nothing helps… I want to try the Spyware Terminator or an antivirus boot CD this week.

Search in google:
avast malware csc.exe
And you find some threads from 2013 with the same problem. I hope you find a way to fix it? Please reply the way in this thread!!! :slight_smile:

Thank you so much and nice greetings from Germany,
Flesh

OK I can see no launch point for this malware, and as it is a dotnet file the programme launching it is not evident…

Time for the big analyser I feel

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop ( it will be randomly named )

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPfront.gif

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpsettings.gif

Do not close AVPTool or it will self uninstall; if it does uninstall, then just rerun the setup file on your desktop

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder then upload to a file sharing site for me to collect
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPAnalysis.gif

I also discovered I had this problem yesterday. Like Flesh, I tried various tools but it’s still there. And like Flesh I Googled the topic and found my way here. At least Avast has noticed the problem, nothing else I’ve tried sees anything wrong. I hope someone here finds the answer!
Best wishes,
wag7