TrojanDownloader: Win32/Cutwail.AY

Post by eli125 » April 23rd, 2010, 12:48 am

Hello,
Please your help with getting rid of this malware (Cutwail.AY). I have tried several antimalware/antivirus solutions with no success. Microsoft Security Essentials detects it and "removes it" by deleting svchost.exe from Windows/Temp/xxxx.tmp (where xxxx is a random four letter folder), but it re-appears after a couple of minutes and it becomes an endless battle between MSE and the malware.

Here is the HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:36:24 AM, on 23/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\PROGRA~1\agat\AGForm\AGFORM~1.DLL
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-21-2499410155-1301715989-3668983942-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-2499410155-1301715989-3668983942-500\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'Administrator')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-c23a-453e-a040-c7c580bbf700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3c9d-426d-81df-aab636fa4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6087.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8076664656
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11024 bytes

=====================

Here is the uninstall list:

ACID Pro 7.0
Active@ ISO File Manager
Ad-Aware
Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Advanced SystemCare 3
AmpliTube 2 Live
AmpliTube2
APE to MP3 Plus
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AusLogics Disk Defrag
AVI ReComp 1.4.5
AviSynth 2.5
Babylon
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
CSR
Customer Experience Enhancement
Dairy Dash Deluxe
Data Fax SoftModem with SmartCP
DivX
E-GOV.IL Sign&Verify Software - AGForm toolbar
eMule
Enhanced Multimedia Keyboard Solution
ESET Online Scanner v3
Eusing Free Registry Cleaner
EZdrummer
EZXCocktail
FLAV Audio Converter 2.58.12
GemMaster Mystic
getPlus(R) for Adobe
Google Gmail Notifier
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Games 3.43.97
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP PrecisionScan LTX
HP Update
HP Web Helper
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 20
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Lexicon Lambda ASIO (remove only)
Lexicon Pantheon VST Plug-in (remove only)
LiveUpdate (Symantec Corporation)
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
MathType 5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Easy Assist v2
Microsoft Money 2006
Microsoft Office Professional Edition 2003
Microsoft Security Essentials
Microsoft Security Essentials
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Miroslav Philharmonik
Mozilla Firefox (3.5.8)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
MV2Player (remove only)
MVision
My HP Games
MyDSC2
Native Instruments Akoustik Piano
Native Instruments Guitar Rig 2 Demo
Native Instruments Guitar Rig 3
Native Instruments Service Center
Nero 7 Ultra Edition
neroxml
NoteWorthy Composer
OTR-88 1.0 DEMO
OTR-88 RTAS 1.0 DEMO
OTR-88 VST 1.0
Otto
PC-Doctor 5 for Windows
Preamp Emulator
Quicken 2006
QuickTime
Rayman
Realtek High Definition Audio Driver
Rhapsody Player Engine
roguescanfix 1.5
SampleTank 2
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Skype™ 4.1
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony ACID Pro 6.0
Sony Media Manager 2.2
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Terminator
SpywareBlaster 4.2
Studio Instruments 1.0
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Updates from HP (remove only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VobSub 2.23
WildTangent Web Driver
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.2.1
הפוך על הפוך
כלי ההעלאה של Windows Live
מסייע הכניסה של Windows Live

------------------

Your help with this matter will be highly appreciated!

Thanks,
Eli
eli125
Active Member
 
Posts: 9
Joined: April 22nd, 2010, 4:51 pm
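
The opening post describes the tell-tale sign of this infection: a copy of svchost.exe launched from a random C:\WINDOWS\Temp\xxxx.tmp folder instead of from System32. The check below is an added example, not code from this thread or from HijackThis: it reads the "Running processes" section of a HijackThis log and flags well-known system binaries that are running from somewhere other than their expected directory. The log excerpt and the allow-list of expected directories (Windows XP paths) are constructed for the example.

```python
"""Flag masquerading system binaries in a HijackThis 'Running processes' list.

Added example (not part of the thread). The allow-list and the sample log
excerpt below are constructed; tune SYSTEM_ONLY_BINARIES for the host in
question (Windows XP paths are assumed here).
"""
from typing import Dict, List, Set, Tuple

# Well-known Windows binaries and the only directories they should run from
# on a Windows XP host (assumption for this example: lower-case, no trailing
# backslash). Anything else with the same file name deserves a second look.
SYSTEM_ONLY_BINARIES: Dict[str, Set[str]] = {
    "smss.exe":     {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed HijackThis-style excerpt; the Temp\ab12.tmp\svchost.exe line
# mimics the behaviour described in the opening post.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Temp\ab12.tmp\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
"""


def parse_running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:'. The section ends at
    the first blank line, as in HijackThis output."""
    paths: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:
                break
            paths.append(line)
    return paths


def find_masquerading(paths: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, expected_dirs) for every process whose file name is a
    protected system binary but whose directory is not an expected one.
    Comparison is case-insensitive because Windows paths are."""
    findings: List[Tuple[str, List[str]]] = []
    for path in paths:
        directory, _, name = path.rpartition("\\")
        expected = SYSTEM_ONLY_BINARIES.get(name.lower())
        if expected is None:
            continue
        if directory.lower() not in expected:
            findings.append((path, sorted(expected)))
    return findings


def check_log(log: str) -> List[Tuple[str, List[str]]]:
    """Parse the log and return the findings."""
    return find_masquerading(parse_running_processes(log))


if __name__ == "__main__":
    for path, expected in check_log(SAMPLE_LOG):
        print(f"SUSPICIOUS: {path} (expected under {' or '.join(expected)})")
```

Paste a real HijackThis log into SAMPLE_LOG (or read it from a file) and the only output for a clean XP box should be nothing at all; a hit on svchost.exe outside System32 is exactly the file MSE kept deleting in this thread.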

Re: TrojanDownloader: Win32/Cutwail.AY

Post by MWR 3 day Mod » April 26th, 2010, 1:48 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: TrojanDownloader: Win32/Cutwail.AY

Post by askey127 » April 26th, 2010, 5:07 pm

Hi eli125,
I will attempt to help, although I may have trouble with any non-English language parts of your system.
----------------------------------------------------
Compose A Script to Locate Files
Please highlight, copy (Ctrl+C) and paste (Ctrl+V) the text inside the quote into a new Notepad document.
REM Search all of drive C: and record every file whose name contains one of the strings below
For %%a in (
"wuaucldt.exe"
"loader_24.exe"
) do (
dir c:\*.* /L /A /B /S|Find %%a >> "%userprofile%\desktop\look.txt"
)
pause
Save it on your Desktop as file type "All Files" (NOT as "Text Documents") and name it FindMe.bat
Close Notepad.
Double click FindMe.bat on your Desktop. (If you have Vista, right-click the file, choose Run as administrator and OK the Command Processor).
A window will open and close in a minute or two. This is normal.
A new file icon named look.txt will appear on your desktop. In your next reply, please post the contents of the look.txt file, or tell me if it's blank.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove:
Ad-Aware
Ad-Aware
Adobe Reader 8.1.2
eMule
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
PC-Doctor 5 for Windows
roguescanfix 1.5
WildTangent Web Driver

Take extra care in answering questions posed by any Uninstaller.
--------------------------------------------------------
You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.3 are vulnerable.
  • Go HERE and click on AdbeRdr930_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

-----------------------------------------------------------
REBOOT(RESTART) Your Machine
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Double click to run it. (Right click and Run as Administrator in Vista)
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

So we will be looking for the results from the batch file search (look.txt), and the new list of installed programs.
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: TrojanDownloader: Win32/Cutwail.AY

Post by eli125 » April 27th, 2010, 12:48 pm

Hello askey127,

Thank you so much for your assistance.

I have followed your instruction:
1. I ran FindMe.bat and it created an empty file look.txt
2. I have removed all programs as in the list, and installed Adobe Acrobat 9.30
3. Restarted and ran TPC.exe
4. Restarted again (as requested by TPC.exe)
5. Created a new list of programs:

ACID Pro 7.0
Active@ ISO File Manager
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.3
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Advanced SystemCare 3
AmpliTube 2 Live
AmpliTube2
APE to MP3 Plus
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AusLogics Disk Defrag
AVI ReComp 1.4.5
AviSynth 2.5
Babylon
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
CSR
Customer Experience Enhancement
Dairy Dash Deluxe
Data Fax SoftModem with SmartCP
DivX
E-GOV.IL Sign&Verify Software - AGForm toolbar
Enhanced Multimedia Keyboard Solution
ESET Online Scanner v3
Eusing Free Registry Cleaner
EZdrummer
EZXCocktail
FLAV Audio Converter 2.58.12
GemMaster Mystic
getPlus(R) for Adobe
Google Gmail Notifier
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Games 3.43.97
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP PrecisionScan LTX
HP Update
HP Web Helper
iTunes
Java(TM) 6 Update 20
Lexicon Lambda ASIO (remove only)
Lexicon Pantheon VST Plug-in (remove only)
LiveUpdate (Symantec Corporation)
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
MathType 5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Easy Assist v2
Microsoft Money 2006
Microsoft Office Professional Edition 2003
Microsoft Security Essentials
Microsoft Security Essentials
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Miroslav Philharmonik
Mozilla Firefox (3.5.8)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
MV2Player (remove only)
MVision
My HP Games
MyDSC2
Native Instruments Akoustik Piano
Native Instruments Guitar Rig 2 Demo
Native Instruments Guitar Rig 3
Native Instruments Service Center
Nero 7 Ultra Edition
neroxml
NoteWorthy Composer
OTR-88 1.0 DEMO
OTR-88 RTAS 1.0 DEMO
OTR-88 VST 1.0
Otto
Preamp Emulator
Quicken 2006
QuickTime
Rayman
Realtek High Definition Audio Driver
Rhapsody Player Engine
SampleTank 2
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Skype™ 4.1
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony ACID Pro 6.0
Sony Media Manager 2.2
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Terminator
SpywareBlaster 4.2
Studio Instruments 1.0
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Updates from HP (remove only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VobSub 2.23
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.2.1
הפוך על הפוך
כלי ההעלאה של Windows Live
מסייע הכניסה של Windows Live

Thanks again,
Eli
eli125
Active Member
 
Posts: 9
Joined: April 22nd, 2010, 4:51 pm

Re: TrojanDownloader: Win32/Cutwail.AY

Post by askey127 » April 27th, 2010, 1:27 pm

eli125,

-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove:
Eusing Free Registry Cleaner

Take extra care in answering questions posed by any Uninstaller.

Avoid using Registry Cleaners/Boosters/Optimizers.
The risk is great. The benefit is negligible. See an example here:
An Example of What Can Happen
---------------------------------------------
SysProt Antirootkit
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box, set up the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: TrojanDownloader: Win32/Cutwail.AY

Post by eli125 » April 27th, 2010, 5:04 pm

Hi Askey127,
I tried to uninstall Eusing Free Registry Cleaner, but it failed because of missing INSTALL.LOG file. I don't know how to remove it.
I ran sysprot.exe and here is the log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: sphg.sys
Service Name: ---
Module Base: BA6A6000
Module End: BA7A7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\a4b4yi3p.SYS
Service Name: ---
Module Base: B8FA8000
Module End: B8FE0000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B3F31000
Module End: B3F49000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BAE18000
Module End: BAE1A000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAlertResumeThread
Address: 8A59F240
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAlertThread
Address: 8AA94B88
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAllocateVirtualMemory
Address: 8A172870
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwConnectPort
Address: 8A692750
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: BA91887E
Driver Base: BA918000
Driver End: BA927000
Driver Name: Lbd.sys

Function Name: ZwCreateMutant
Address: 8A606680
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: 8A172948
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: B474FCB0
Driver Base: B473C000
Driver End: B475E000
Driver Name: \??\C:\Program Files\Symantec\SYMEVENT.SYS

Function Name: ZwEnumerateKey
Address: BA6C5CA4
Driver Base: BA6A6000
Driver End: BA7A7000
Driver Name: sphg.sys

Function Name: ZwEnumerateValueKey
Address: BA6C6032
Driver Base: BA6A6000
Driver End: BA7A7000
Driver Name: sphg.sys

Function Name: ZwFreeVirtualMemory
Address: 8A5A72C8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateAnonymousToken
Address: 8A67D128
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateThread
Address: 8A68C058
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwMapViewOfSection
Address: 8A65CBE8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenEvent
Address: 8A511CE8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenKey
Address: BA6A70C0
Driver Base: BA6A6000
Driver End: BA7A7000
Driver Name: sphg.sys

Function Name: ZwOpenProcessToken
Address: 8A3F8628
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThreadToken
Address: 8A639628
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwQueryKey
Address: BA6C610A
Driver Base: BA6A6000
Driver End: BA7A7000
Driver Name: sphg.sys

Function Name: ZwQueryValueKey
Address: 8AA01450
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwResumeThread
Address: 8A5669F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 8A6840E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationProcess
Address: 8A55A7E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationThread
Address: 8A6B5448
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: B474FF10
Driver Base: B473C000
Driver End: B475E000
Driver Name: \??\C:\Program Files\Symantec\SYMEVENT.SYS

Function Name: ZwSuspendProcess
Address: 8AA01390
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 8A696058
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 8A65D1A8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 8A68A058
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnmapViewOfSection
Address: 8A679248
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 8A68A168
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Note: While sysprot was running Microsoft Security Essentials issued an alert about a password stealer PWS:Win32/Zbot.PG
I have removed the threat.

Thanks,
Eli
eli125
Active Member
 
Posts: 9
Joined: April 22nd, 2010, 4:51 pm
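The sysprot listing in the post above prints one five-line block per hooked service function: some resolve to a loaded driver image (sphg.sys, SYMEVENT.SYS), others carry base/end 0 and the name "_unknown_" because the handler address lies outside every image sysprot could map. The script below is an added example, not part of the thread and not sysprot's own code: it parses that block format, groups attributed hooks by driver and returns the unattributed ones separately so they can be followed up. The SAMPLE text is constructed from five blocks of the log above; the field layout and the "_unknown_" marker are taken from the log as printed, nothing else is assumed about the tool.

```python
r"""Triage a sysprot-style SSDT hook listing (added example, not part of the
thread and not sysprot's own code).

It parses the five-line "Function Name / Address / Driver Base / Driver End /
Driver Name" blocks sysprot prints and splits them into hooks that resolve to
a loaded driver and hooks sysprot could not attribute (base/end 0, "_unknown_").
The SAMPLE text below is constructed from a few blocks of the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: five blocks copied from the sysprot log in this thread.
SAMPLE = r"""
Function Name: ZwFreeVirtualMemory
Address: 8A5A72C8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenKey
Address: BA6A70C0
Driver Base: BA6A6000
Driver End: BA7A7000
Driver Name: sphg.sys

Function Name: ZwQueryKey
Address: BA6C610A
Driver Base: BA6A6000
Driver End: BA7A7000
Driver Name: sphg.sys

Function Name: ZwSetValueKey
Address: B474FF10
Driver Base: B473C000
Driver End: B475E000
Driver Name: \??\C:\Program Files\Symantec\SYMEVENT.SYS

Function Name: ZwWriteVirtualMemory
Address: 8A68A168
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
"""

# One block = five consecutive "Label: value" lines, separated by blank lines.
BLOCK_RE = re.compile(
    r"Function Name:[ \t]*(?P<fn>\S+)[ \t]*\n"
    r"Address:[ \t]*(?P<addr>[0-9A-Fa-f]+)[ \t]*\n"
    r"Driver Base:[ \t]*(?P<base>[0-9A-Fa-f]+)[ \t]*\n"
    r"Driver End:[ \t]*(?P<end>[0-9A-Fa-f]+)[ \t]*\n"
    r"Driver Name:[ \t]*(?P<drv>[^\n]+?)[ \t]*(?:\n|$)"
)


@dataclass(frozen=True)
class Hook:
    function: str
    address: int
    base: int
    end: int
    driver: str

    @property
    def attributed(self) -> bool:
        """True when sysprot mapped the hook address inside a known driver image."""
        return self.driver != "_unknown_" and self.base <= self.address < self.end


def parse_hooks(text: str) -> list[Hook]:
    """Parse every sysprot hook block in `text`, in the order printed."""
    return [
        Hook(m["fn"], int(m["addr"], 16), int(m["base"], 16), int(m["end"], 16), m["drv"])
        for m in BLOCK_RE.finditer(text)
    ]


def triage(text: str) -> tuple[dict[str, list[str]], list[Hook]]:
    """Group attributed hooks by driver; return unattributed hooks separately.

    The unattributed entries are the ones to follow up: their handler lives
    outside every driver image sysprot knows, so the owner of that memory has
    to be identified by other means (another anti-rootkit tool or a debugger).
    """
    by_driver: dict[str, list[str]] = {}
    unattributed: list[Hook] = []
    for hook in parse_hooks(text):
        if hook.attributed:
            by_driver.setdefault(hook.driver, []).append(hook.function)
        else:
            unattributed.append(hook)
    return by_driver, unattributed


def report(text: str) -> str:
    """Human-readable summary: one line per driver plus the unattributed list."""
    by_driver, unattributed = triage(text)
    lines = [f"{drv}: {', '.join(fns)}" for drv, fns in sorted(by_driver.items())]
    lines.append("unattributed: " + ", ".join(f"{h.function}@{h.address:08X}" for h in unattributed))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it against a full sysprot log saved to a file (`report(open("sysprot.txt").read())`) to get the same split for every hooked function rather than the five shown here.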

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby askey127 » April 27th, 2010, 8:40 pm

eli125,
--------------------------------------------
TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip, it will create a folder named tdsskiller on your desktop
  • Double-click the tdsskiller Folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy (Ctrl+C) the text in the codebox below.
    Code: Select all
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply
----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items. Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
So we are looking for the contents from tdsskiller.txt and the contents of the Malwarebytes-Antimalware log.
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby eli125 » April 28th, 2010, 3:33 pm

Hello askey127,

1. I have succeeded in removing Eusing! I have re-installed it and then the uninstall worked fine.
2. Here is the content of tdsskiller.txt:

08:24:05:468 3408 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
08:24:05:468 3408 ================================================================================
08:24:05:468 3408 SystemInfo:

08:24:05:468 3408 OS Version: 5.1.2600 ServicePack: 3.0
08:24:05:468 3408 Product type: Workstation
08:24:05:468 3408 ComputerName: HOMELI
08:24:05:468 3408 UserName: HP_Administrator
08:24:05:468 3408 Windows directory: C:\WINDOWS
08:24:05:468 3408 Processor architecture: Intel x86
08:24:05:468 3408 Number of processors: 2
08:24:05:468 3408 Page size: 0x1000
08:24:05:468 3408 Boot type: Normal boot
08:24:05:468 3408 ================================================================================
08:24:05:484 3408 UnloadDriverW: NtUnloadDriver error 2
08:24:05:484 3408 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:24:05:531 3408 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:24:05:546 3408 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:24:05:546 3408 wfopen_ex: Trying to KLMD file open
08:24:05:546 3408 wfopen_ex: File opened ok (Flags 2)
08:24:05:546 3408 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:24:05:546 3408 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:24:05:546 3408 wfopen_ex: Trying to KLMD file open
08:24:05:546 3408 wfopen_ex: File opened ok (Flags 2)
08:24:05:546 3408 Initialize success
08:24:05:546 3408
08:24:05:546 3408 Scanning Services ...
08:24:06:078 3408 Raw services enum returned 395 services
08:24:06:093 3408
08:24:06:093 3408 Scanning Kernel memory ...
08:24:06:093 3408 Devices to scan: 11
08:24:06:093 3408
08:24:06:093 3408 Driver Name: Disk
08:24:06:093 3408 IRP_MJ_CREATE : BA90EBB0
08:24:06:093 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:093 3408 IRP_MJ_CLOSE : BA90EBB0
08:24:06:093 3408 IRP_MJ_READ : BA908D1F
08:24:06:093 3408 IRP_MJ_WRITE : BA908D1F
08:24:06:093 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:093 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:093 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:093 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:093 3408 IRP_MJ_FLUSH_BUFFERS : BA9092E2
08:24:06:093 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:093 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:093 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:093 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:093 3408 IRP_MJ_DEVICE_CONTROL : BA9093BB
08:24:06:093 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
08:24:06:093 3408 IRP_MJ_SHUTDOWN : BA9092E2
08:24:06:093 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:093 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:093 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:093 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:093 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:093 3408 IRP_MJ_POWER : BA90AC82
08:24:06:093 3408 IRP_MJ_SYSTEM_CONTROL : BA90F99E
08:24:06:093 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:093 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:093 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:109 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:24:06:109 3408
08:24:06:109 3408 Driver Name: Disk
08:24:06:109 3408 IRP_MJ_CREATE : BA90EBB0
08:24:06:109 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:109 3408 IRP_MJ_CLOSE : BA90EBB0
08:24:06:109 3408 IRP_MJ_READ : BA908D1F
08:24:06:109 3408 IRP_MJ_WRITE : BA908D1F
08:24:06:109 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:109 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:109 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:109 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:109 3408 IRP_MJ_FLUSH_BUFFERS : BA9092E2
08:24:06:109 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:109 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:109 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:109 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:109 3408 IRP_MJ_DEVICE_CONTROL : BA9093BB
08:24:06:109 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
08:24:06:109 3408 IRP_MJ_SHUTDOWN : BA9092E2
08:24:06:109 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:109 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:109 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:109 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:109 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:109 3408 IRP_MJ_POWER : BA90AC82
08:24:06:109 3408 IRP_MJ_SYSTEM_CONTROL : BA90F99E
08:24:06:109 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:109 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:109 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:125 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:24:06:125 3408
08:24:06:125 3408 Driver Name: Disk
08:24:06:125 3408 IRP_MJ_CREATE : BA90EBB0
08:24:06:125 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:125 3408 IRP_MJ_CLOSE : BA90EBB0
08:24:06:125 3408 IRP_MJ_READ : BA908D1F
08:24:06:125 3408 IRP_MJ_WRITE : BA908D1F
08:24:06:125 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:125 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:125 3408 IRP_MJ_FLUSH_BUFFERS : BA9092E2
08:24:06:125 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:125 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:125 3408 IRP_MJ_DEVICE_CONTROL : BA9093BB
08:24:06:125 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
08:24:06:125 3408 IRP_MJ_SHUTDOWN : BA9092E2
08:24:06:125 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:125 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:125 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:125 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:125 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:125 3408 IRP_MJ_POWER : BA90AC82
08:24:06:125 3408 IRP_MJ_SYSTEM_CONTROL : BA90F99E
08:24:06:125 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:125 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:125 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:125 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:24:06:125 3408
08:24:06:125 3408 Driver Name: Disk
08:24:06:125 3408 IRP_MJ_CREATE : BA90EBB0
08:24:06:125 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:125 3408 IRP_MJ_CLOSE : BA90EBB0
08:24:06:125 3408 IRP_MJ_READ : BA908D1F
08:24:06:125 3408 IRP_MJ_WRITE : BA908D1F
08:24:06:125 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:125 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:125 3408 IRP_MJ_FLUSH_BUFFERS : BA9092E2
08:24:06:125 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:125 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:125 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:125 3408 IRP_MJ_DEVICE_CONTROL : BA9093BB
08:24:06:125 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
08:24:06:125 3408 IRP_MJ_SHUTDOWN : BA9092E2
08:24:06:125 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:125 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:125 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:125 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:125 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:125 3408 IRP_MJ_POWER : BA90AC82
08:24:06:125 3408 IRP_MJ_SYSTEM_CONTROL : BA90F99E
08:24:06:125 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:125 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:125 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:125 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:24:06:125 3408
08:24:06:125 3408 Driver Name: usbstor
08:24:06:125 3408 IRP_MJ_CREATE : 8A62F500
08:24:06:125 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:125 3408 IRP_MJ_CLOSE : 8A62F500
08:24:06:125 3408 IRP_MJ_READ : 8A62F500
08:24:06:140 3408 IRP_MJ_WRITE : 8A62F500
08:24:06:140 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:140 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:140 3408 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:06:140 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:140 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:140 3408 IRP_MJ_DEVICE_CONTROL : 8A62F500
08:24:06:140 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A62F500
08:24:06:140 3408 IRP_MJ_SHUTDOWN : 804F4562
08:24:06:140 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:140 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:140 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:140 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:140 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:140 3408 IRP_MJ_POWER : 8A62F500
08:24:06:140 3408 IRP_MJ_SYSTEM_CONTROL : 8A62F500
08:24:06:140 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:140 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:140 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:140 3408 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:24:06:140 3408
08:24:06:140 3408 Driver Name: usbstor
08:24:06:140 3408 IRP_MJ_CREATE : 8A62F500
08:24:06:140 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:140 3408 IRP_MJ_CLOSE : 8A62F500
08:24:06:140 3408 IRP_MJ_READ : 8A62F500
08:24:06:140 3408 IRP_MJ_WRITE : 8A62F500
08:24:06:140 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:140 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:140 3408 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:06:140 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:140 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:140 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:140 3408 IRP_MJ_DEVICE_CONTROL : 8A62F500
08:24:06:140 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A62F500
08:24:06:140 3408 IRP_MJ_SHUTDOWN : 804F4562
08:24:06:156 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:156 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:156 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:156 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:156 3408 IRP_MJ_POWER : 8A62F500
08:24:06:156 3408 IRP_MJ_SYSTEM_CONTROL : 8A62F500
08:24:06:156 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:156 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:156 3408 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:24:06:156 3408
08:24:06:156 3408 Driver Name: usbstor
08:24:06:156 3408 IRP_MJ_CREATE : 8A62F500
08:24:06:156 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:156 3408 IRP_MJ_CLOSE : 8A62F500
08:24:06:156 3408 IRP_MJ_READ : 8A62F500
08:24:06:156 3408 IRP_MJ_WRITE : 8A62F500
08:24:06:156 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:156 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:156 3408 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:156 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:156 3408 IRP_MJ_DEVICE_CONTROL : 8A62F500
08:24:06:156 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A62F500
08:24:06:156 3408 IRP_MJ_SHUTDOWN : 804F4562
08:24:06:156 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:156 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:156 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:156 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:156 3408 IRP_MJ_POWER : 8A62F500
08:24:06:156 3408 IRP_MJ_SYSTEM_CONTROL : 8A62F500
08:24:06:156 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:156 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:156 3408 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:24:06:156 3408
08:24:06:156 3408 Driver Name: usbstor
08:24:06:156 3408 IRP_MJ_CREATE : 8A62F500
08:24:06:156 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:156 3408 IRP_MJ_CLOSE : 8A62F500
08:24:06:156 3408 IRP_MJ_READ : 8A62F500
08:24:06:156 3408 IRP_MJ_WRITE : 8A62F500
08:24:06:156 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:156 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:156 3408 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:156 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:156 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:156 3408 IRP_MJ_DEVICE_CONTROL : 8A62F500
08:24:06:156 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A62F500
08:24:06:156 3408 IRP_MJ_SHUTDOWN : 804F4562
08:24:06:156 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:156 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:156 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:156 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:156 3408 IRP_MJ_POWER : 8A62F500
08:24:06:156 3408 IRP_MJ_SYSTEM_CONTROL : 8A62F500
08:24:06:156 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:156 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:156 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:171 3408 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:24:06:171 3408
08:24:06:171 3408 Driver Name: Disk
08:24:06:171 3408 IRP_MJ_CREATE : BA90EBB0
08:24:06:171 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:171 3408 IRP_MJ_CLOSE : BA90EBB0
08:24:06:171 3408 IRP_MJ_READ : BA908D1F
08:24:06:171 3408 IRP_MJ_WRITE : BA908D1F
08:24:06:171 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:171 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:171 3408 IRP_MJ_FLUSH_BUFFERS : BA9092E2
08:24:06:171 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_DEVICE_CONTROL : BA9093BB
08:24:06:171 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
08:24:06:171 3408 IRP_MJ_SHUTDOWN : BA9092E2
08:24:06:171 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:171 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:171 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:171 3408 IRP_MJ_POWER : BA90AC82
08:24:06:171 3408 IRP_MJ_SYSTEM_CONTROL : BA90F99E
08:24:06:171 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:171 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:171 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:24:06:171 3408
08:24:06:171 3408 Driver Name: Disk
08:24:06:171 3408 IRP_MJ_CREATE : BA90EBB0
08:24:06:171 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:171 3408 IRP_MJ_CLOSE : BA90EBB0
08:24:06:171 3408 IRP_MJ_READ : BA908D1F
08:24:06:171 3408 IRP_MJ_WRITE : BA908D1F
08:24:06:171 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:171 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:171 3408 IRP_MJ_FLUSH_BUFFERS : BA9092E2
08:24:06:171 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_DEVICE_CONTROL : BA9093BB
08:24:06:171 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
08:24:06:171 3408 IRP_MJ_SHUTDOWN : BA9092E2
08:24:06:171 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:171 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:171 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:171 3408 IRP_MJ_POWER : BA90AC82
08:24:06:171 3408 IRP_MJ_SYSTEM_CONTROL : BA90F99E
08:24:06:171 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:171 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:171 3408 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:24:06:171 3408
08:24:06:171 3408 Driver Name: atapi
08:24:06:171 3408 IRP_MJ_CREATE : BA5FBB40
08:24:06:171 3408 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:06:171 3408 IRP_MJ_CLOSE : BA5FBB40
08:24:06:171 3408 IRP_MJ_READ : 804F4562
08:24:06:171 3408 IRP_MJ_WRITE : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_SET_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_EA : 804F4562
08:24:06:171 3408 IRP_MJ_SET_EA : 804F4562
08:24:06:171 3408 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:06:171 3408 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_DEVICE_CONTROL : BA5FBB40
08:24:06:171 3408 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA5FBB40
08:24:06:171 3408 IRP_MJ_SHUTDOWN : 804F4562
08:24:06:171 3408 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:06:171 3408 IRP_MJ_CLEANUP : 804F4562
08:24:06:171 3408 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:06:171 3408 IRP_MJ_SET_SECURITY : 804F4562
08:24:06:171 3408 IRP_MJ_POWER : BA5FBB40
08:24:06:171 3408 IRP_MJ_SYSTEM_CONTROL : BA5FBB40
08:24:06:171 3408 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:06:171 3408 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:06:171 3408 IRP_MJ_SET_QUOTA : 804F4562
08:24:06:187 3408 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
08:24:06:187 3408
08:24:06:187 3408 Completed
08:24:06:187 3408
08:24:06:187 3408 Results:
08:24:06:187 3408 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
08:24:06:187 3408 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:24:06:187 3408 File objects infected / cured / cured on reboot: 0 / 0 / 0
08:24:06:187 3408
08:24:06:187 3408 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:24:06:187 3408 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:24:06:187 3408 KLMD(ARK) unloaded successfully

3. Here is content of Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4044

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

28/04/2010 22:28:06
mbam-log-2010-04-28 (22-28-06).txt

Scan type: Quick scan
Objects scanned: 117010
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

Thanks a lot,
Eli
eli125
Active Member
 
Posts: 9
Joined: April 22nd, 2010, 4:51 pm
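The Hijack.Userinit line in the Malwarebytes log above shows the pattern: the Winlogon Userinit value, which Windows runs at every logon, had a second executable (sdra64.exe) appended after the legitimate userinit.exe. The script below is an added example, not code from the thread or from Malwarebytes: it splits a Userinit value the way that log presents it and lists every entry that is not the expected system32\userinit.exe, so the value can be re-checked after cleanup. The two SAMPLE values are constructed from the "Bad:" and "Good:" parts of the log line; the default system root C:\WINDOWS is an assumption, and the live registry read only works on Windows and returns None elsewhere.

```python
r"""Check a Winlogon Userinit value for the hijack pattern seen in the
Malwarebytes log above (added example; not code from the thread or from
Malwarebytes).

Windows runs every comma-separated entry in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit at logon.
The clean value is the single entry %SystemRoot%\system32\userinit.exe (a
trailing comma is normal); the log showed a second entry, sdra64.exe, appended
to it. The SAMPLE_* values are constructed from that log line.
"""
from __future__ import annotations

import ntpath
import os
from typing import Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed samples: the "Bad:" value from the log and the clean default.
SAMPLE_BAD = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_GOOD = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated value, dropping the empty trailing element."""
    return [part.strip() for part in value.split(",") if part.strip()]


def userinit_extras(value: str, system_root: str = r"C:\WINDOWS") -> list[str]:
    """Return every entry that is not %SystemRoot%\\system32\\userinit.exe.

    Two things are flagged: any executable other than userinit.exe, and a
    userinit.exe given with a directory other than system32 (a copy dropped
    elsewhere would otherwise pass a name-only check). A bare "userinit.exe"
    with no directory has nothing to compare and is accepted here.
    """
    expected_dir = ntpath.normpath(ntpath.join(system_root, "system32")).lower()
    extras: list[str] = []
    for entry in parse_userinit(value):
        head, tail = ntpath.split(entry.strip('"'))
        if tail.lower() != "userinit.exe":
            extras.append(entry)            # a second program started at logon
        elif head and ntpath.normpath(head).lower() != expected_dir:
            extras.append(entry)            # userinit.exe from the wrong directory
    return extras


def read_live_userinit() -> Optional[str]:
    """Read the live value from the local registry; None when not on Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


def check_host() -> list[str]:
    """Flag extras in the live value, using %SystemRoot% when it is set."""
    value = read_live_userinit()
    if value is None:
        return []
    return userinit_extras(value, os.environ.get("SystemRoot", r"C:\WINDOWS"))


if __name__ == "__main__":
    print("sample bad :", userinit_extras(SAMPLE_BAD))
    print("sample good:", userinit_extras(SAMPLE_GOOD))
    print("this host  :", check_host())
```

On the machine in this thread `check_host()` would have returned the sdra64.exe entry before the Malwarebytes run and an empty list after it; the same function is a quick way to confirm the value has not been re-written by a reboot.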

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby askey127 » April 28th, 2010, 5:34 pm

eli125,
Please look at the Malwarebytes log you just posted.
-----------------------------------------------------------
Unfortunately, you have had a very dangerous infection, with "backdoor" capabilities.
The backdoor bot allows intruders to remotely control your computer, log keystrokes, steal critical system information, and download and execute files.

  • If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. This would include contacts like your Internet Provider, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups to which you belong.
  • It would be wise to contact any of the financial institutions directly and apprise them of your situation.
  • Do NOT change passwords or do any transactions while using the infected computer because the intruder may get the new passwords and transaction information.
Once infected with this type of Trojan, the best course of action is to reformat the hard drive and reinstall the Windows Operating System. That is my best advice to you.

Although an attempt can be made to finish cleaning this machine, we could not be certain afterward that it was truly clean, secure, and trustworthy.
In some cases, removal of these malware files can result in a system which does not work properly, and a reformat/re-install of Windows would become mandatory.
Because of the infection's backdoor functionality (i.e., remote control capability), the basic security of your PC is likely compromised, and there is no way to be sure it can ever again be trusted.

The following articles may be of assistance in your decision:
Should you have any questions, please feel free to ask.

Please let me know what you would like to do in your next post.
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby eli125 » April 29th, 2010, 1:06 am

Hello askey127,

Your warning is loud and clear and thank you for that.
Let me think it over and I shall get back to you shortly after evaluating the risks and options.

Eli
eli125
Active Member
 
Posts: 9
Joined: April 22nd, 2010, 4:51 pm

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby eli125 » April 29th, 2010, 11:22 am

Hi askey127,
I have evaluated my options and here is my conclusion:
This specific computer is a secondary one for me and is used mostly for media (music, video, etc.). I am not using it for financial transactions and it does not contain sensitive data.
I had to re-install it a couple of years ago and it took me two full days to restore it to its previous condition while still losing some functionality and data.
I am aware of the threat and all risks involved, still I am ready to go ahead and finish cleaning my PC with your help.

Thanks,
Eli
eli125
Active Member
 
Posts: 9
Joined: April 22nd, 2010, 4:51 pm

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby askey127 » May 2nd, 2010, 7:35 am

eli125
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Advanced SystemCare 3

Take extra care in answering questions posed by any Uninstaller.
--------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A:D /B /S|Find "eusing" >> "%userprofile%\desktop\lookee.txt"

A file called lookee.txt should appear on your Desktop. Please post the contents of that file.
-----------------------------------------------------
Run an Online Kaspersky WebScan (This can take quite a while. Be patient).
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the Program and Database downloads have finished, (may take a while), Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post the contents of this log in your next reply.

So we are looking for the contents of lookee.txt on your desktop, and the results of the Kaspersky scan.
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby eli125 » May 3rd, 2010, 12:50 am

Hi askey127,

1. I have removed Advanced SystemCare 3
2. File lookee.txt is empty
3. Here is the log of Kaspersky WebScan:

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, May 3, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, May 02, 2010 14:13:27
Records in database: 4030701
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\

Scan statistics:
Objects scanned: 177139
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 05:38:04


File name / Threat / Threats count
C:\Program Files\APE To MP3 Plus\ape-to-mp3-plus.exe Infected: Trojan-Dropper.Win32.VB.ammi 1

Selected area has been scanned.

Many thanks,
Eli
eli125
Active Member
 
Posts: 9
Joined: April 22nd, 2010, 4:51 pm

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby askey127 » May 3rd, 2010, 7:23 am

eli125,
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight this Entry, as follows, if it exists, and choose Remove :

APE to MP3 Plus

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------------------
Please download OTM and save to your Desktop.
  • Please double-click OTM.exe to run it.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do NOT copy the word "Code" :
Code: Select all
:files
C:\Program Files\APE To MP3 Plus

:commands
[emptytemp]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next Reply.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Note: the logs are saved in C:\_OTM\MovedFiles\ if you need to retrieve one.
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: TrojanDownloader: Win32/Cutwail.AY

Unread postby eli125 » May 3rd, 2010, 10:37 am

Hi askey127,

1. I have removed Ape to MP3 Plus
2. I ran OTM and here are the results:

All processes killed
========== FILES ==========
C:\Program Files\APE To MP3 Plus\View folder moved successfully.
C:\Program Files\APE To MP3 Plus\Trans folder moved successfully.
C:\Program Files\APE To MP3 Plus\SysIcon folder moved successfully.
C:\Program Files\APE To MP3 Plus\Sound folder moved successfully.
C:\Program Files\APE To MP3 Plus\Main folder moved successfully.
C:\Program Files\APE To MP3 Plus\bin folder moved successfully.
C:\Program Files\APE To MP3 Plus folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: HP_Administrator
->Temp folder emptied: 108935237 bytes
->Temporary Internet Files folder emptied: 761611532 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 95207831 bytes
->Flash cache emptied: 10126 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 67544 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1662452 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 46034 bytes

Total Files Cleaned = 923.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05032010_171550

Files moved on Reboot...
File C:\WINDOWS\temp\TMP00000006C97AFCDB694F08D9 not found!

Registry entries deleted on Reboot...

------------------------
It should be noted that Microsoft Security Essentials briefly opened an alert window while OTM was running, but I did not have a chance to read it before it closed, and there was no trace of it in its history.

Thanks,
Eli
eli125
Active Member
Posts: 9
Joined: April 22nd, 2010, 4:51 pm
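As an added example, not code from the thread or from OTM itself: a small Python parser for the OTM results format quoted above, which totals bytes emptied per user profile and system-wide, lists the paths moved, and flags reboot-pass entries OTM could no longer find (here the file under C:\WINDOWS\temp). The log excerpt is constructed from the lines in the post.

```python
import re
# Constructed excerpt of the OTM results log quoted in the post above.
OTM_LOG = """\
C:\\Program Files\\APE To MP3 Plus\\bin folder moved successfully.
C:\\Program Files\\APE To MP3 Plus folder moved successfully.
User: HP_Administrator
->Temp folder emptied: 108935237 bytes
->Temporary Internet Files folder emptied: 761611532 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 95207831 bytes
->Flash cache emptied: 10126 bytes
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 67544 bytes
->Temporary Internet Files folder emptied: 33170 bytes
Windows Temp folder emptied: 1662452 bytes
RecycleBin emptied: 46034 bytes
Files moved on Reboot...
File C:\\WINDOWS\\temp\\TMP00000006C97AFCDB694F08D9 not found!
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) (?:folder|file) moved successfully\.$")
BYTES_RE = re.compile(r"^(?P<scoped>->)?.+? (?:emptied|removed): (?P<n>\d+) bytes$")
NOTFOUND_RE = re.compile(r"^File (?P<path>.+?) not found!$")

def parse_otm_log(text):
    """Paths moved, bytes emptied per profile and system-wide, and reboot-pass misses."""
    s = {"moved": [], "per_user": {}, "system_bytes": 0, "not_found": []}
    user = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("User: "):
            user = line[len("User: "):]
            s["per_user"].setdefault(user, 0)
        elif m := MOVED_RE.match(line):
            s["moved"].append(m["path"])
        elif m := BYTES_RE.match(line):
            # "->" lines belong to the current profile; bare lines are system-wide.
            if m["scoped"] and user:
                s["per_user"][user] += int(m["n"])
            else:
                s["system_bytes"] += int(m["n"])
        elif m := NOTFOUND_RE.match(line):
            s["not_found"].append(m["path"])
    return s

def bytes_emptied(summary):
    return sum(summary["per_user"].values()) + summary["system_bytes"]
```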
