Xenopus Posted August 18, 2009 ID:111788

Malwarebytes' Anti-Malware 1.40
Database version: 2651
Windows 5.1.2600 Service Pack 2

18/08/2009 22:19:13
mbam-log-2009-08-18 (22-19-13).txt

Scan type: Quick Scan
Objects scanned: 104228
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=============================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:07, on 18/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norman\N-Ad-Aware\naservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Norman\Npm\bin\ZLH.EXE
C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\arclab\maillist controller\amlcSVC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Documents and Settings\steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Documents and Settings\steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\word64main.exe,C:\WINDOWS\system32\renator.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [00THotkey] "C:\WINDOWS\system32\00THotkey.exe"
O4 - HKLM\..\Run: [000StTHK] "000StTHK.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] "rundll32.exe" C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [DpUtil] "C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [TFNF5] "TFNF5.exe"
O4 - HKLM\..\Run: [smoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [TPSMain] "TPSMain.exe"
O4 - HKLM\..\Run: [TPSODDCtl] "TPSODDCtl.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TAudEffect] "C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe" /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [spywarefighterguard] "C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe"
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [MailListController] "C:\Program Files\Arclab\MailList Controller\amlcSCT.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [O2Start] "C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe" /s
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [1&1 EasyLogin] "C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Norman\Norman Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A706A23-DEF4-4C4B-B1F6-96AAB61F2257} (ExpertPlugin Object) - https://techinline.net/Expert/TIEXpert.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1245493726321
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://owa.elliottpeople.com/Remote/msrdp.cab
O16 - DPF: {DFB5BCF1-06AE-4ABB-BFA8-1E228F41C50A} - http://bobtv.fr/download/cfweb_www.bobtv.f..._instmodule.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca08ad8a450928) (gupdate1ca08ad8a450928) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MailList Controller - Arclab Software Technologies - c:\program files\arclab\maillist controller\amlcSVC.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norman N-Ad-Aware Service (naservice) - Norman - C:\Program Files\Norman\N-Ad-Aware\naservice.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program Files\Norman\Nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 14705 bytes

also ip protection pops up 95.211.13.248
Staff miekiemoes Posted August 19, 2009 ID:112056

Hi,

Please back up your important data first while you can still access your Windows. Reason is because you are dealing with one of these Trojans/Bots that have the functionality to kill your OS.
Read this article for more info: When a Bot master goes mad - Kill the OS and here A Zeus botnet self-destructs

Then, I see you are running AdWatch. I suggest you disable it because it can interfere with the fixes.
To disable AdWatch -
* Right click on the Ad-Watch icon in the system tray and select to Disable Adwatch Live.

If Spysweeper has the same functionality, please disable, because it will otherwise interfere with the malwarebytes scan and make things worse.

Then, please update MalwareBytes, because the database version is outdated.
Start MalwareBytes and click the Update tab. There click "Check for updates"
In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.

Once the updates are downloaded, perform a quick scan again.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Staff miekiemoes Posted August 30, 2009 ID:117169

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.