rustock spambot log attached

Malware detected in email databases has to be cleaned up by you. You have a few choices:

1. delete the whole file which is not an option you normally want to use
2. load the email folder that contains the infection and delete ALL unnecessary emails (hoping to remove the problem email) and then use the Mailbox Cleanup option to delete all old emails. Then compact the Outlook database to permanently remove data. See http://support.microsoft.com/kb/196990 If you do not cleanup and compact the databases, the deleted emails may still be leaving hidden information in the database that you just cannot see but a scanner may still pickup on it.
3. create a new folder and move only emails you really need into the new folder and then delete the infected folder.

In the meantime, it looks like the scans took care of most of it. However, do you know what these are:
c:\windows\Ytizab.exe
c:\windows\Ytizaa.exe
If you don't, delete them along with:
c:\users\danyd\AppData\Roaming\ohipmn.dat
C:\Windows\TEMP\2c64e.tmp
C:\Windows\System32\drivers\wjudb.sys
C:\Windows\Temp\4a9ffdcf57e12c503faf261a.tmp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\Windows\System32\drivers\wjudb.sys
C:\Windows\Temp\20daa33c.tmp
C:\Users\danyd\AppData\Local\Temp\debug.exe
C:\Users\danyd\AppData\Local\Temp\t9xo00b.dll
C:\Users\danyd\AppData\Local\Temp\h3a39as1a3.exe
C:\Users\danyd\AppData\Local\Temp\avp32.exe

Folder::
C:\Users\danyd\AppData\Roaming\Protection Center

Rregistry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sdr8gdrgdrgke49orkgsjkjfjhsd"=-
"hsef87ehf3jishfs87fhuishfsgggfdgs4g"=-
"mcexecwin"=-
"hsehf98u34i9tjioaugy987iuegdsg"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then doube click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running.

* Please download TDSSKiller to your Desktop
* Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
* Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

* Follow the instructions to type in "delete" when it asks you what to do when if finds something.
* When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

Dameon tools are still showing here:
c:\users\goldorak\AppData\Roaming\DAEMON Tools Pro
c:\users\goldorak\AppData\Roaming\DAEMON Tools Lite
c:\users\goldorak\AppData\Roaming\DAEMON Tools

And your logs are still showing what could be a false positive about your MBR. Please go back to the Read and Run FIrst instructions and follow the instructions in step 6 to disable your disc emulation software.

In the meantime, run CCLeaner and clean out these folders:
C:\Windows\temp\
C:\Users\danyd\AppData\Local\temp\

As a precaution, let's have you do this:
Please also download MBRCheck to your desktop

* Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
* It will show a Black screen with some information that will contain either the below line if no problem is found:

• Done! Press ENTER to exit...

* Or you will see more information like below if a problem is found:

• Found non-standard or infected MBR.

• Enter 'Y' and hit ENTER for more options, or 'N' to exit:

* Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
* MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
* Attach this log to your next message.


Now run MGtools per the below instructions and attach the requested MGlogs.zip file

* Using MGtools

 

Let's redo this:

* Please download TDSSKiller to your Desktop
* Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
* Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

* Follow the instructions to type in "delete" when it asks you what to do when if finds something.
* When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

 

The MBRCheck shows that you are good to go. I am just guessing that something is left over from Dameon tools that is still giving a false positive. What issues are you still having?

 

How many computers are you running? Are they all going though a router? You may need to post the full logs for each system in their own threads.

Did your ISP cut off your service?