My Logs

[Xenopus]

Malwarebytes' Anti-Malware 1.40

Database version: 2651

Windows 5.1.2600 Service Pack 2

18/08/2009 22:19:13

mbam-log-2009-08-18 (22-19-13).txt

Scan type: Quick Scan

Objects scanned: 104228

Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=============================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:24:07, on 18/08/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Norman\Npm\Bin\Elogsvc.exe

C:\Program Files\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Norman\N-Ad-Aware\naservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\system32\TPSODDCtl.exe

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Norman\Npm\bin\ZLH.EXE

C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

c:\program files\arclab\maillist controller\amlcSVC.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe

C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\Program Files\VMware\VMware Server\vmware-authd.exe

C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\VMware\VMware Server\vmserverdWin32.exe

C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

C:\WINDOWS\system32\imapi.exe

C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

C:\Program Files\Norman\Nvc\bin\nvcoas.exe

C:\Program Files\Norman\Nvc\BIN\NIP.EXE

C:\Program Files\Norman\Nvc\bin\cclaw.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Documents and Settings\steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Webroot\WebrootSecurity\SSU.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Documents and Settings\steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\word64main.exe,C:\WINDOWS\system32\renator.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O4 - HKLM\..\Run: [00THotkey] "C:\WINDOWS\system32\00THotkey.exe"

O4 - HKLM\..\Run: [000StTHK] "000StTHK.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [NVRotateSysTray] "rundll32.exe" C:\WINDOWS\system32\nvsysrot.dll,Enable

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [DpUtil] "C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe"

O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"

O4 - HKLM\..\Run: [TFNF5] "TFNF5.exe"

O4 - HKLM\..\Run: [smoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"

O4 - HKLM\..\Run: [TPSMain] "TPSMain.exe"

O4 - HKLM\..\Run: [TPSODDCtl] "TPSODDCtl.exe"

O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon

O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service

O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client

O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [TAudEffect] "C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" /run

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"

O4 - HKLM\..\Run: [spywarefighterguard] "C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe"

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [MailListController] "C:\Program Files\Arclab\MailList Controller\amlcSCT.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [O2Start] "C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe" /s

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [1&1 EasyLogin] "C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"

O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Norman\Norman Ad-Aware SE Professional\Ad-Watch.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A706A23-DEF4-4C4B-B1F6-96AAB61F2257} (ExpertPlugin Object) - https://techinline.net/Expert/TIEXpert.cab

O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1245493726321

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://owa.elliottpeople.com/Remote/msrdp.cab

O16 - DPF: {DFB5BCF1-06AE-4ABB-BFA8-1E228F41C50A} - http://bobtv.fr/download/cfweb_www.bobtv.f..._instmodule.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Update Service (gupdate1ca08ad8a450928) (gupdate1ca08ad8a450928) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MailList Controller - Arclab Software Technologies - c:\program files\arclab\maillist controller\amlcSVC.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Norman N-Ad-Aware Service (naservice) - Norman - C:\Program Files\Norman\N-Ad-Aware\naservice.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program Files\Norman\Nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--

End of file - 14705 bytes

also ip protection pops up 95.211.13.248

[miekiemoes]

Hi,

Please back up your important data first while you can still access your Windows. Reason is because you are dealing with one of these Trojans/Bots that have the functionality to kill your OS.

Read this article for more info: When a Bot master goes mad - Kill the OS and here A Zeus botnet self-destructs

Then, I see you are running AdWatch.

I suggest you disable it because it can interfere with the fixes.

To disable AdWatch - * Right click on the Ad-Watch icon in the system tray and select to Disable Adwatch Live.

If Spysweeper has the same functionality, please disable, because it will otherwise interfere with the malwarebytes scan and make things worse.

Then, please update MalwareBytes, because the databaseversion is outdated.

• Start MalwareBytes and click the Update tab. There click "Check for updates"
  
• In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  
• Once the updates are downloaded, perform a quick scan again.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[miekiemoes]

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.