
malwarebytes log files



Hello and :P

I will be helping you remove malware from your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum, please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will be asking you whether you still need assistance and if you still don't reply within 48 hours then the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

You currently have 2 open threads: this thread and here -> http://forums.malwarebytes.org/index.php?showtopic=55064

I take it they are the same? I'll have the other thread closed. Any questions you have and/or replies to me, please use the Add Reply button located on the lower right corner of this thread. Don't create a new topic. Thanks.

In the meantime, I am reviewing your logs and will post back shortly with the next steps.


Hi,

It seems that your Norton is outdated. Do you have any trouble updating it?

Did Defogger produce any log when you ran it? If so, please post it.

Let's do another scan.

OTL:

  • Download OTL to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Copy and paste the following bold text into the box under Custom Scan
    netsvcs
    %SYSTEMDRIVE%\*.exe
    c:\windows\system32\drivers\*.sys /90
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of the OTL.txt and post it with your next reply along with the Extras.txt log.

To post in your next reply:

1. Regarding my questions above.

2. OTL logs.



Thanks for responding. A misunderstanding on my part made me monitor my emails for replies. Yes, I absolutely need your help. I cannot find a log entry file on my desktop for Defogger. What type of file would it be so I can look for it, and should I run Defogger again?


Hi,

Sorry for the delay. My subscription to this thread seems to have expired.

Your system restore is disabled. Did you set this up?

Please do the following:

Please go to VirSCAN

  • Click on Browse.
  • On the File Upload window, copy/paste the text below into the File name box:
    C:\Documents and Settings\Casey Lee\Desktop\dd6ezk8w.exe
  • Click Upload. Allow the file to be scanned. If it says already scanned -- click Reanalyze Now

Repeat the procedure with the following file:

C:\WINDOWS\System32\_psisdecd.dll

Please post the results in your next reply.


As requested, the scan of those two files:

File information

File Name : dd6ezk8w.exe
File Size : 293376 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : f80f6e09e7f4bafe478ca0da6137e1e2
SHA1 : 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722

Scanner results

Scanner results : 3% Scanner(s) (1/36) found malware!
Time : 2010/06/30 07:46:07 (EDT)

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 5.0.0.13 | 20100630100106 | 2010-06-30 | - | 40.093
AhnLab V3 | 2010.06.18.01 | 2010.06.18 | 2010-06-18 | - | 40.113
AntiVir | 8.2.4.2 | 7.10.8.232 | 2010-06-30 | - | 0.301
Antiy | 2.0.18 | 20100630.4810408 | 2010-06-30 | - | 0.124
Arcavir | 2009 | 201006281601 | 2010-06-28 | - | 0.272
Authentium | 5.1.1 | 201006292201 | 2010-06-29 | - | 3.221
AVAST! | 4.7.4 | 100630-0 | 2010-06-30 | - | 0.089
AVG | 8.5.793 | 271.1.1/2972 | 2010-06-30 | - | 1.751
BitDefender | 7.90123.6349953 | 7.32501 | 2010-06-30 | - | 4.368
ClamAV | 0.96.1 | 11289 | 2010-06-30 | - | 0.244
Comodo | 3.13.579 | 5263 | 2010-06-30 | - | 40.144
CP Secure | 1.3.0.5 | 2010.06.30 | 2010-06-30 | - | 0.188
Dr.Web | 5.0.2.3300 | 2010.06.30 | 2010-06-30 | - | 8.977
F-Prot | 4.4.4.56 | 20100629 | 2010-06-29 | - | 3.699
F-Secure | 7.02.73807 | 2010.06.30.01 | 2010-06-30 | - | 0.576
Fortinet | 4.1.133 | 12.98 | 2010-06-29 | - | 40.090
GData | 21.435/21.159 | 20100630 | 2010-06-30 | - | 40.105
Ikarus | T3.1.01.84 | 2010.06.30.76167 | 2010-06-30 | - | 7.005
JiangMin | 13.0.900 | 2010.06.30 | 2010-06-30 | - | 40.085
Kaspersky | 5.5.10 | 2010.06.30 | 2010-06-30 | - | 0.387
KingSoft | 2009.2.5.15 | 2010.6.30.7 | 2010-06-30 | - | 40.090
McAfee | 5400.1158 | 6028 | 2010-06-29 | - | 17.374
Microsoft | 1.5902 | 2010.06.30 | 2010-06-30 | - | 40.085
Norman | 6.05.10 | 6.05.00 | 2010-06-29 | - | 6.022
nProtect | 20100629.01 | 8851204 | 2010-06-29 | - | 40.087
Panda | 9.05.01 | 2010.06.27 | 2010-06-27 | - | 40.089
Quick Heal | 10.00 | 2010.06.30 | 2010-06-30 | - | 40.085
Rising | 20.0 | 22.54.02.04 | 2010-06-30 | - | 40.092
Sophos | 3.07.1 | 4.54 | 2010-06-30 | - | 3.841
Sunbelt | 3.9.2426.2 | 6524 | 2010-06-29 | - | 40.094
Symantec | 1.3.0.24 | 20100629.002 | 2010-06-29 | - | 13.952
The Hacker | 6.5.2.0 | v00306 | 2010-06-29 | - | 30.701
Trend Micro | 9.120-1004 | 7.276.09 | 2010-06-30 | - | 0.109
VBA32 | 3.12.12.5 | 20100629.0850 | 2010-06-29 | Win32 Shadow Driver Install (suspicious) | 4.005
ViRobot | 20100629 | 2010.06.29 | 2010-06-29 | - | 40.085
VirusBuster | 4.5.11.10 | 10.126.109/2042045 | 2010-06-29 | - | 3.864

?Heuristic/Suspicious ?Exact

NOTICE: Results are not 100% accurate and can be reported as a false positive by some scanners when and if malware is found. Please judge these results for yourself.

VirSCAN.org Scanned Report :

Scanned time : 2010/06/30 08:03:41 (EDT)
Scanner results: Scanners did not find malware!

File Name : _psisdecd.dll
File Size : 198144 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : dccf363dadfcf9bc838c7f81702a51b7
SHA1 : a0dc87a345d87874df9250e869eb35f0148911db
Online report : http://virscan.org/report/d714a29aa0edbe55...16552953a2.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared | 5.0.0.13 | 20100630100106 | 2010-06-30 | 40.09 | -
AhnLab V3 | 2010.06.18.01 | 2010.06.18 | 2010-06-18 | 40.09 | -
AntiVir | 8.2.4.2 | 7.10.8.233 | 2010-06-30 | 0.52 | -
Antiy | 2.0.18 | 20100630.4810408 | 2010-06-30 | 0.14 | -
Arcavir | 2009 | 201006281601 | 2010-06-28 | 0.01 | -
Authentium | 5.1.1 | 201006292201 | 2010-06-29 | 1.92 | -
AVAST! | 4.7.4 | 100630-0 | 2010-06-30 | 0.02 | -
AVG | 8.5.793 | 271.1.1/2972 | 2010-06-30 | 0.28 | -
BitDefender | 7.90123.6350552 | 7.32504 | 2010-06-30 | 3.87 | -
ClamAV | 0.96.1 | 11289 | 2010-06-30 | 0.05 | -
Comodo | 3.13.579 | 5263 | 2010-06-30 | 40.09 | -
CP Secure | 1.3.0.5 | 2010.06.30 | 2010-06-30 | 0.07 | -
Dr.Web | 5.0.2.3300 | 2010.06.30 | 2010-06-30 | 8.71 | -
F-Prot | 4.4.4.56 | 20100629 | 2010-06-29 | 1.85 | -
F-Secure | 7.02.73807 | 2010.06.30.01 | 2010-06-30 | 0.16 | -
Fortinet | 4.1.133 | 12.98 | 2010-06-29 | 40.09 | -
GData | 21.435/21.159 | 20100630 | 2010-06-30 | 40.09 | -
ViRobot | 20100629 | 2010.06.29 | 2010-06-29 | 40.09 | -
Ikarus | T3.1.01.84 | 2010.06.30.76167 | 2010-06-30 | 7.11 | -
JiangMin | 13.0.900 | 2010.06.30 | 2010-06-30 | 40.09 | -
Kaspersky | 5.5.10 | 2010.06.30 | 2010-06-30 | 0.09 | -
KingSoft | 2009.2.5.15 | 2010.6.30.7 | 2010-06-30 | 40.09 | -
McAfee | 5400.1158 | 6028 | 2010-06-29 | 18.88 | -
Microsoft | 1.5902 | 2010.06.30 | 2010-06-30 | 40.09 | -
Norman | 6.05.10 | 6.05.00 | 2010-06-29 | 6.01 | -
Panda | 9.05.01 | 2010.06.27 | 2010-06-27 | 40.09 | -
Trend Micro | 9.120-1004 | 7.276.09 | 2010-06-30 | 0.03 | -
Quick Heal | 10.00 | 2010.06.30 | 2010-06-30 | 40.09 | -
Rising | 20.0 | 22.54.02.04 | 2010-06-30 | 40.09 | -
Sophos | 3.07.1 | 4.54 | 2010-06-30 | 3.74 | -
Sunbelt | 3.9.2426.2 | 6524 | 2010-06-29 | 40.09 | -
Symantec | 1.3.0.24 | 20100629.002 | 2010-06-29 | 0.06 | -
nProtect | 20100629.01 | 8851204 | 2010-06-29 | 40.14 | -
The Hacker | 6.5.2.0 | v00306 | 2010-06-29 | 40.09 | -
VBA32 | 3.12.12.5 | 20100630.0947 | 2010-06-30 | 2.87 | -
VirusBuster | 4.5.11.10 | 10.126.109/2042045 | 2010-06-29 | 2.47 | -

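A small parser for the VirSCAN report layout posted above, added here as an example (it is not part of the thread and not VirSCAN's own tooling). It handles both column orders seen in the two reports, and checks the "(n/m) found malware" summary line against the per-scanner rows, so a helper reading a pasted report can confirm the headline count matches the rows; the input excerpts are constructed from the thread, not full reports.

```python
"""Parse flattened VirSCAN.org report text and cross-check its summary line."""
from __future__ import annotations
import re
from typing import NamedTuple

DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")           # the "Sig Date" column
SUMMARY_RE = re.compile(r"\((\d+)/(\d+)\) found malware")  # e.g. "(1/36) found malware!"

class ScanRow(NamedTuple):
    scanner: str
    engine: str
    sigver: str
    sigdate: str
    result: str      # "-" means the engine reported nothing
    seconds: float

def parse_report(text: str) -> list[ScanRow]:
    rows: list[ScanRow] = []
    time_first = False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Scanner Engine Ver"):
            # VirSCAN emits two column orders; the header line says which one
            time_first = line.index("Time") < line.index("Scan result")
            continue
        m = DATE_RE.search(line)
        if not m:
            continue                      # file info / summary lines, not rows
        head, tail = line[:m.start()].split(), line[m.end():].split()
        if len(head) < 3 or not tail:
            continue
        # Scanner names may contain spaces ("AhnLab V3"): take the two
        # version tokens from the right and treat the rest as the name.
        if time_first:
            seconds, result = tail[0], " ".join(tail[1:])
        else:
            seconds, result = tail[-1], " ".join(tail[:-1])
        rows.append(ScanRow(" ".join(head[:-2]), head[-2], head[-1],
                            m.group(0), result, float(seconds)))
    return rows

def detections(rows: list[ScanRow]) -> dict[str, str]:
    return {r.scanner: r.result for r in rows if r.result != "-"}

def summary_is_consistent(text: str) -> bool:
    rows = parse_report(text)
    m = SUMMARY_RE.search(text)
    if m is None:
        return "did not find malware" in text and not detections(rows)
    return (int(m.group(1)), int(m.group(2))) == (len(detections(rows)), len(rows))

# Constructed excerpts in the two layouts seen in the thread, not the full reports.
SAMPLE_EXE = """\
Scanner results : 25% Scanner(s) (1/4) found malware!
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 5.0.0.13 20100630100106 2010-06-30 - 40.093
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 - 40.113
VBA32 3.12.12.5 20100629.0850 2010-06-29 Win32 Shadow Driver Install (suspicious) 4.005
VirusBuster 4.5.11.10 10.126.109/2042045 2010-06-29 - 3.864
"""
SAMPLE_DLL = """\
Scanner results: Scanners did not find malware!
Scanner Engine Ver Sig Ver Sig Date Time Scan result
Symantec 1.3.0.24 20100629.002 2010-06-29 0.06 -
"""
```

Run `detections(parse_report(SAMPLE_EXE))` to get the single VBA32 heuristic verdict, and `summary_is_consistent(...)` on either sample to confirm the headline count agrees with the rows.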

Hi,

Enable system restore. It is better to have an infected restore than none at all if something goes south. We will be clearing it too after we're through.

Please do the following:

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O4 - HKLM..\Run: [] File not found

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot when it is done.
  • Then post the result and a new OTL log in your next reply. ( don't check the boxes beside LOP Check or Purity this time )

--Next--

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

To post in your next reply:

1. OTL logs.

2. MBAM log.


Hi,

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take several minutes.

  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

--Next--

  • Open OTL.exe.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • There will only be a single log produced: OTL.Txt.
    Note: This log can be located in the OTL folder on your C:\ drive if it fails to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

To post in your next reply, don't attach it please:

1. Kaspersky log.

2. OTL log.


Hi,

How is your computer?

The infections found by Kaspersky are already quarantined by Norton. So far your computer appears to be clean.

Let's do another scan to be sure.


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [save..] button, and in the File name area, type in "ark.txt".
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


Hi,

Your computer now looks clean! :P

How is your computer?

Let's do a little clean up before you go.

Delete the following:

  • DDS
  • GMER
  • All the logs we've created.

You can keep TFC and use it to clean your computer of some junk at least once a week. You can also keep Malwarebytes; it is an excellent malware removal tool. Update at least once a week, then run a complete scan.

--Next--

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

--Next--

You need to create a new Clean restore point.

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Remove all previous Restore Points

Click Start Menu > Run > copy and paste

cleanmgr

At top, click on More Options tab. Click Clean up... button in the System Restore box. Click on Yes button. When finished, click on Cancel button to exit.

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Check "Hide file extensions for known file types."

Under the "Hidden files" folder, Uncheck "Show hidden files and folders."

Check "Hide protected operating system files."

Click Apply, and then click OK.

--Next--

To keep your operating system up to date visit

Here are some tips to reduce the potential for spyware infection in the future:

1. It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article

Strong passwords: How to create and use them

Then consider a password keeper, to keep all your passwords safe.

2. Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

3. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

5. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

For information on how to download and install, please read this tutorial by WinHelp2002

Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

6. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

7. SpywareBlaster - Download and install SpywareBlaster. This program prevents the installation of ActiveX-based spyware and other potentially unwanted programs.

8. Protect your computer from internet threats with SandboxIE. This program isolates Internet Explorer from the rest of your operating system, 'sandboxing' it away - so malicious websites can't do damage to the rest of your system. There is a Getting Started guide on their website.

9. Some excellent free firewalls. Note: Use only one firewall at a time.

Agnitum Outpost Firewall

Online Armor Personal Firewall

10. And finally, please read these excellent articles:

Malware: Help prevent the Infection by Sandi Hardmeier,

Preventing Malware - Tools and Practices for Safe Computing

For more safe computing tips please read the guide by Rorschach112 on how to prevent malware and about safe computing here.

We will keep this thread open for a couple of days. Please post back if you have any problems or questions or when you have finished so this thread can be marked as "Resolved".

Good luck, happy computing and stay clean! :P

