TechSpot

Malwarebytes keeps finding password.stealer

Inactive
By Tooji
Aug 14, 2010
  1. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    here ya go
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Cool :)

    Update Malwarebytes, run new "Quick scan" and post fresh log.
     
  3. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4433

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    15/08/2010 2:16:25 PM
    mbam-log-2010-08-15 (14-16-25).txt

    Scan type: Quick scan
    Objects scanned: 142708
    Time elapsed: 3 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\configuring (Password.Stealer) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video library (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Why does it say "No action taken"?
     
  5. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    I saved the log before removing

    here it is again


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4433

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    15/08/2010 2:22:26 PM
    mbam-log-2010-08-15 (14-22-26).txt

    Scan type: Quick scan
    Objects scanned: 142708
    Time elapsed: 3 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\configuring (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video library (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  6. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Trojan.Agent is a new one; I've never seen it before. But Password.Stealer is the same one I kept getting that would reappear even if it said quarantined and deleted successfully.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Restart computer and re-run MBAM.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Have you ever visited this site:
    cr-wowmatrix_dot_com (I changed "." to "_dot_", so the link is not clickable)
    to download WoWMatrix installer?
     
  9. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Hey take a look at this, spybot search and destroy just gave me this

    Detected an important registry entry that has been changed
    Category: System startup user entry

    Change: value deleted

    Entry: Video Library

    Old data: "C:\Windows\system32\rundll32.exe"
    C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets

    Allow or deny?
     
  10. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Never heard of that, but it could have been when I originally went to the phishing website (which Google told me it had blocked, but whatever).
     
  11. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Deny. No .dll file should run from Temp folder.
    ...and give me fresh MBAM log.
     
     
  12. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Search and destroy pops up with that at boot and as soon as I click remove on MBAM

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4433

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    15/08/2010 2:40:43 PM
    mbam-log-2010-08-15 (14-40-43).txt

    Scan type: Quick scan
    Objects scanned: 142059
    Time elapsed: 4 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\configuring (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video library (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  13. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :reg
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  14. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 14:48 on 15/08/2010 by Campoli (Administrator - Elevation successful)

    ========== reg ==========

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Configuring"="rundll32.exe C:\Users\Campoli\AppData\Local\Temp\1258725.txt,W"
    "DirectPlayerCore"=""C:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe""
    "Pando Media Booster"=""C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe""
    "SpybotSD TeaTimer"=""C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe""
    "SUPERAntiSpyware"=""C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe""
    "Video Library"=""C:\Windows\system32\rundll32.exe" C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
    @=""


    -=End Of File=-
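The two Run-key values in the SystemLook log above are exactly what Broni warned about: rundll32 loading a module out of the user's Temp folder (and for "Configuring" the "module" is a .txt file). The following is an added example, not code from the thread or from SystemLook: a small Python checker that parses the `:reg` output format shown above and flags autorun values whose rundll32 module lives under a Temp folder or lacks a .dll extension. The sample log is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample in SystemLook ":reg" output format, taken from the
# entries quoted in this thread (one legitimate entry kept for contrast).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuring"="rundll32.exe C:\Users\Campoli\AppData\Local\Temp\1258725.txt,W"
"DirectPlayerCore"=""C:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe""
"Video Library"=""C:\Windows\system32\rundll32.exe" C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets"
'''

# One SystemLook line per registry value: "Name"="command"
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# Per-user and system Temp folders that no autorun should execute from
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\|\\Windows\\Temp\\', re.IGNORECASE)
# rundll32 invocation: the module path is whatever precedes ",EntryPoint"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,', re.IGNORECASE)


def parse_run_entries(log_text):
    """Return {value_name: command} for the value lines in a SystemLook :reg dump."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group('name')] = m.group('value')
    return entries


def assess(command):
    """Return the reasons an autorun command looks suspicious ([] if none)."""
    reasons = []
    m = RUNDLL_RE.search(command)
    if m:
        module = m.group('module')
        if TEMP_RE.search(module):
            reasons.append('rundll32 loads a module from a Temp folder')
        if not module.lower().endswith('.dll'):
            reasons.append('rundll32 module does not have a .dll extension')
    elif TEMP_RE.search(command):
        reasons.append('autorun command points into a Temp folder')
    return reasons


def flag_suspicious(log_text):
    """Map each suspicious Run value name to its list of reasons."""
    flagged = {}
    for name, cmd in parse_run_entries(log_text).items():
        reasons = assess(cmd)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(f'{name}: ' + '; '.join(reasons))
```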
     
  15. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Very good :)
    It'll take a couple of steps to try to remove that thing.

    Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
    Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
    Click on View > Select Columns.
    In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
    Go File>Save As, and save the report as Procexp.txt.
    Attach the file to your next reply.
     
  16. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    At least it's narrowed down.
     

    Attached Files:

  17. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "Configuring"=-
      "Video Library"=-
      
      :Files
      C:\Users\Campoli\AppData\Local\Temp\1258725.txt
      C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  18. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Spybot popped up again at reboot

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Configuring deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Video Library deleted successfully.
    ========== FILES ==========
    File\Folder C:\Users\Campoli\AppData\Local\Temp\1258725.txt not found.
    File\Folder C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: AppData

    User: Campoli
    ->Temp folder emptied: 4378898 bytes
    ->Temporary Internet Files folder emptied: 634868 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 36813941 bytes
    ->Flash cache emptied: 2035 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
     
  19. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Please, re-run SystemLook with very same script as in my reply #38.
     
  20. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 15:08 on 15/08/2010 by Campoli (Administrator - Elevation successful)

    ========== reg ==========

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Configuring"="rundll32.exe C:\Users\Campoli\AppData\Local\Temp\1258725.txt,W"
    "DirectPlayerCore"=""C:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe""
    "Pando Media Booster"=""C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe""
    "SpybotSD TeaTimer"=""C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe""
    "SUPERAntiSpyware"=""C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe""
    "Video Library"=""C:\Windows\system32\rundll32.exe" C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
    @=""


    -=End Of File=-
     
  21. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Interesting....stubborn, huh?

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


     
  22. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Alrighty. I have to leave for soccer practice in a half hour. I'll be back in about an hour and a half after that.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    No problem :)
    You can leave Dr.Web running. It may take a while.
     
  24. Tooji

    Tooji TS Rookie Topic Starter Posts: 31

    Hi, Dr.Web has been running its full test for 24 hours and it seems to be stuck on a certain program, slowing to a crawl at 53kbs/s.

    Should I remove this program and restart the test as it is an old game that I used to play?
     
  25. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Delete your file, download fresh one and run new scan.
     
Topic Status:
Not open for further replies.

