Inactive Malwarebytes keeps finding password.stealer

Status
Not open for further replies.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4433

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15/08/2010 2:16:25 PM
mbam-log-2010-08-15 (14-16-25).txt

Scan type: Quick scan
Objects scanned: 142708
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\configuring (Password.Stealer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video library (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Why does it say "No action taken"?

I saved the log before removing

here it is again


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4433

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15/08/2010 2:22:26 PM
mbam-log-2010-08-15 (14-22-26).txt

Scan type: Quick scan
Objects scanned: 142708
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\configuring (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video library (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Trojan.agent is a new one; I've never seen it before. But password stealer is the same one I kept getting that would reappear even if it said quarantined and deleted successfully
 
Have you ever visited this site:
cr-wowmatrix_dot_com (I changed "." to "_dot_", so the link is not clickable)
to download WoWMatrix installer?
 
Hey take a look at this, spybot search and destroy just gave me this

Detected an important registry entry that has been changed
Category: System startup user entry

Change: value deleted

Entry: Video Library

Old data: "C:\Windows\system32\rundll32.exe"
C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets

Allow or deny?
 
Have you ever visited this site:
cr-wowmatrix_dot_com (I changed "." to "_dot_", so the link is not clickable)
to download WoWMatrix installer?

Never heard of that, but it could have been when I originally went to the phishing website (which Google told me it had blocked, but whatever)
 
Search and destroy pops up with that at boot and as soon as I click remove on MBAM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4433

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15/08/2010 2:40:43 PM
mbam-log-2010-08-15 (14-40-43).txt

Scan type: Quick scan
Objects scanned: 142059
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\configuring (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video library (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :reg
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:48 on 15/08/2010 by Campoli (Administrator - Elevation successful)

========== reg ==========

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuring"="rundll32.exe C:\Users\Campoli\AppData\Local\Temp\1258725.txt,W"
"DirectPlayerCore"=""C:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe""
"Pando Media Booster"=""C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe""
"SpybotSD TeaTimer"=""C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe""
"SUPERAntiSpyware"=""C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe""
"Video Library"=""C:\Windows\system32\rundll32.exe" C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
@=""


-=End Of File=-
 
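As an added example (not part of this thread, and not SystemLook's or Malwarebytes' code), a small Python script that parses the kind of Run-key dump SystemLook prints above and flags the pattern seen in this log: rundll32 loading a module from the user's Temp folder, or a non-.dll file handed to rundll32 as its module. The sample input is constructed from the entries quoted in the thread.

```python
import re

# Constructed sample: the [Run] section as SystemLook prints it (values copied from the thread above).
SAMPLE_LOG = r'''
========== reg ==========

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuring"="rundll32.exe C:\Users\Campoli\AppData\Local\Temp\1258725.txt,W"
"DirectPlayerCore"=""C:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe""
"SpybotSD TeaTimer"=""C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe""
"Video Library"=""C:\Windows\system32\rundll32.exe" C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Heuristics matching the two entries in the thread: a loader (rundll32) pointing at the
# per-user Temp folder, and a non-.dll file being handed to rundll32 as if it were a DLL.
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
LOADER_RE = re.compile(r'\brundll32(\.exe)?\b', re.IGNORECASE)


def parse_run_values(log: str) -> dict:
    """Return {value name: command string} from a SystemLook ':reg' dump of a Run key."""
    entries = {}
    for line in log.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def reasons(command: str) -> list:
    """List why a Run value looks like rundll32-based persistence out of a temp folder."""
    found = []
    if LOADER_RE.search(command) and USER_TEMP_RE.search(command):
        found.append("rundll32 loading a module from the user's Temp folder")
    m = re.search(r'Temp\\[^,"]+\.(\w+),', command, re.IGNORECASE)
    if m and m.group(1).lower() != "dll":
        found.append(f"rundll32 target has a .{m.group(1)} extension, not .dll")
    return found


def flag_suspicious(log: str) -> dict:
    """Map each suspicious Run value to its reasons; benign entries are omitted."""
    return {name: r for name, cmd in parse_run_values(log).items() if (r := reasons(cmd))}


if __name__ == "__main__":
    for name, why in flag_suspicious(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```

The same parser works on any SystemLook `:reg` dump of a Run key; the heuristics are deliberately narrow to the loader-plus-Temp-folder pattern this thread shows.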
Very good :)
It'll take a couple of steps to try to remove that thing.

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to already pre-selected options, make sure, the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Configuring"=-
    "Video Library"=-
    
    :Files
    C:\Users\Campoli\AppData\Local\Temp\1258725.txt
    C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Spybot popped up again at reboot

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Configuring deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Video Library deleted successfully.
========== FILES ==========
File\Folder C:\Users\Campoli\AppData\Local\Temp\1258725.txt not found.
File\Folder C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData

User: Campoli
->Temp folder emptied: 4378898 bytes
->Temporary Internet Files folder emptied: 634868 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 36813941 bytes
->Flash cache emptied: 2035 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:08 on 15/08/2010 by Campoli (Administrator - Elevation successful)

========== reg ==========

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuring"="rundll32.exe C:\Users\Campoli\AppData\Local\Temp\1258725.txt,W"
"DirectPlayerCore"=""C:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe""
"Pando Media Booster"=""C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe""
"SpybotSD TeaTimer"=""C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe""
"SUPERAntiSpyware"=""C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe""
"Video Library"=""C:\Windows\system32\rundll32.exe" C:\Users\Campoli\AppData\Local\Temp\Rpcqt.dll,Sets"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
@=""


-=End Of File=-
 
Interesting....stubborn, huh?

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


 
Alrighty. I have to leave to soccer practice in a half hour. I'll be back in about an hour and half after that.
 
Hi, Dr.Web has been running its full test for 24 hours and it seems to be stuck on a certain program, slowing to a crawl at 53kbs/s.

Should I remove this program and restart the test as it is an old game that I used to play?
 