WiredWX Hobby Weather ToolsLog in

 


Malwarebytes' Anti-Malware can't remove Backdoor.Bot

2 posters

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyMalwarebytes' Anti-Malware can't remove Backdoor.Bot3rd January 2010, 8:35 pm

more_horiz
Hi Friends,

I met a problem using Malwarebytes' Anti-Malware. I downloaded it and used it to scan my system (windows vista home premium). Firstly, I got 13 infected files and then I removed all of them sucessfully. But "Backdoor.Bot" came over and over again when I scaned the system using Malwarebytes' Anti-Malware again, even I can remove it after scanning. This bad "Backdoor.Bot" only showed its name under "Vendor", but no other information showed under "category", "items", and so forth.

Will my system be afected by Backdoor.Bot? What can it do? How can I solve this problem?

Many thanks for all you guys, happy new year!

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot3rd January 2010, 9:24 pm

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot4th January 2010, 3:11 am

more_horiz
Many thanks Belahzur for your kind help.

I installed HiJackThis, and run it and got the following error message.

For some reason, your system denied write access to the Hosts file. If any hijacked domains are in this file, HiJackThis may not be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run, and type: notepad: "C:\windows\system32\drivers\etc\hosts" and press Enter. Find the line(s) HiJackThis reports and delete them. Save the file as "hosts". (with quotes) and reboot.

As it reminded, Vista users can run it as administrator. However, when I right clicked the HiJackThis icon, I couldn't find the "Run as administrator" choice. Then, I clicked the "OK" button of this error message button. It seemed HiJackThis can scan my system and showed the results in the HiJackThis window instead of Notepad file. I am not sure what I understand is right or not. The whole scanning process took about 1 minute.

Could you please give me a hand about this problem? Many thanks!

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot4th January 2010, 5:19 pm

more_horiz
Lets use this instead.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot4th January 2010, 7:10 pm

more_horiz
Thank you very much Belahzur.

I am sorry as I am not very clear for your first step: Please download DDS by sUBs to your Desktop (Important!!) from one of these locations....

What is "by sUBs", can I just click your link and download it to my desktop?

Thanks again

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot4th January 2010, 7:11 pm

more_horiz
sUBs is the developer of the DDS tool, yes, just click and download, then run.

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot4th January 2010, 8:10 pm

more_horiz
Many thanks Belahzur! The results (both logs) are as belows. Please help me to analyze them.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Dong at 14:20:00.28 on 04/01/2010
Internet Explorer: 8.0.6001.18865
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton AntiVirus *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k nȯne
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\TUProgSt.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\DONG\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.shoptoshiba.ca/welcome
mDefault_Page_URL = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder\comdlls\TDAtOnce_Now.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Thunder Browser Helper: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\program files\thunder\comdlls\xunleiBHO_Now.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBBrowerBuddy Class: {a412e581-59b2-485e-834f-c5f0c0268c79} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: 金山词霸浏览器栏: {abb7394c-91cd-42e9-88a3-23166137709d} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: []
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
uPolicies-explorer: AlwaysShowClassicMenu = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\thunder\program\getallurl.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {A412E581-59B2-485E-834F-C5F0C0268C79} - {A412E581-59B2-485E-834F-C5F0C0268C79} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
DPF: {1345F3CB-7C40-41C2-9AC2-87CF8B68E34E} - hxxp://swf.news.163.com/2008/v/NetEaseTV_GZ.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd
============= SERVICES / DRIVERS ===============
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20091217.001\IDSvix86.sys [2009-12-22 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2009-11-27 5120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-26 102448]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-9-2 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2009-7-5 252416]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-7-5 1245064]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
=============== Created Last 30 ================
2010-01-04 02:53:39 0 d-----w- c:\program files\TrendMicro
2010-01-03 04:09:45 0 d---a-w- c:\programdata\TEMP
2010-01-03 01:19:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 01:19:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 01:08:17 0 d-----w- c:\users\dong\appdata\roaming\Malwarebytes
2010-01-03 01:08:11 0 d-----w- c:\programdata\Malwarebytes
2010-01-03 01:08:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 15:52:50 0 d-----w- C:\StormMedia
2009-12-23 19:15:47 0 d-----w- c:\users\dong\appdata\roaming\Thinstall
2009-12-17 01:41:43 0 d-----w- c:\programdata\Norton
2009-12-09 00:01:08 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 00:01:02 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 00:01:00 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 23:23:50 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 23:23:49 281600 ----a-w- c:\windows\system32\raschap.dll
==================== Find3M ====================
2010-01-03 19:31:22 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-03 19:31:22 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-03 19:31:21 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41:23 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-10 20:37:25 174 --sha-w- c:\program files\desktop.ini
2009-07-10 18:08:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 14:22:06.83 ===============










UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)

Motherboard: ATI | | SB600
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Socket M2/S1G1 | 1800/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 179 GiB total, 69.481 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================

==== Installed Programs ======================
32 Bit HP CIO Components Installer
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
AppCore
ATI Catalyst Install Manager
Bluetooth Stack for Windows by Toshiba
Business Contact Manager for Outlook 2007 SP2
Camera Assistant Software for Toshiba
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
ccCommon
CD/DVD Drive Acoustic Silencer
Component Framework
DVD MovieFactory for TOSHIBA
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GoodSync
Hardlock Device Driver
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
InstaCal and Universal Library for Windows
IPAK
ISI ResearchSoft - Export Helper
Java(TM) 6 Update 13
Java(TM) 6 Update 2
jTTS 5.0 Desktop
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft XML Parser
MrvlUsgTracking
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton Protection Center
PowerWord2009 Professional
Protector Suite QL 5.6
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
S-PLUS 8.0
SadtlerDBCOMSdk
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Encoder (KB954156)
Sentinel System Driver
SimpChinese Speech Package
Skins
SmartDraw 2008
SPBBC 32bit
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
Tencent QQ2009
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TracerDAQ
TuneUp Utilities 2009
UltraISO Premium V9.35
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb976884)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
WinRAR archiver
搜狗拼音输入法 3.0 公测第二版 (3.0.0.2)
暴风影音
谷歌金山词霸合作版
迅雷 5.8.6.600
==== End Of File ===========================

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot4th January 2010, 11:07 pm

more_horiz
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 13
    Java(TM) 6 Update 2

How is the machine running now?

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot5th January 2010, 3:48 am

more_horiz
Thanks a lot Belahzur! I did follow your procedure and remove the two Java updates. Then, I fully scanned my system using Malwarebutes' Anti-Malware under safe mode. Unfortunately, I found "Back.Bot" again, then I removed it using the software. I did scan the system again, this bad guy came out again. I was wondering may it be helpful if I use the software as administrator as my system is vista. Any suggestions? I worried about my system.

Thanks again!

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot5th January 2010, 1:52 pm

more_horiz
Hello Belahzur, please see above for my system after removing Java updates.

I just runned HiJackThis (DO a system scan only), althrough I got the following error message. I just click OK, then it runned and showed the results in the HiJackThis window (I assume those are results). After that I saved the results manually in a .txt file. I can upload the results if you think it will be helpful. Many thanks!

For some reason, your system denied write access to the Hosts file. If any hijacked domains are in this file, HiJackThis may not be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run, and type: notepad: "C:\windows\system32\drivers\etc\hosts" and press Enter. Find the line(s) HiJackThis reports and delete them. Save the file as "hosts". (with quotes) and reboot....

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot5th January 2010, 2:59 pm

more_horiz
Sorry, hijack this isn't that helpful is this case, there is probably a rootkit hiding.

  • Download combofix from here
    Link 1
    Link 2
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

Malwarebytes' Anti-Malware can't remove Backdoor.Bot CF_download_FF

Malwarebytes' Anti-Malware can't remove Backdoor.Bot 2aflf5z

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot5th January 2010, 6:40 pm

more_horiz
Thanks a lot Belahzur for your detailed help! I followed your procedure and run the ComboFix. It scanned my system and then removed some files from my system. The results are as follows. Could you please analyze the results? Thanks again!


ComboFix 10-01-04.01 - DONG 05/01/2010 10:53:11.1.2 - x86
执行位置: c:\users\DONG\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1731352543-3892579127-1766459742-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
c:\program files\StormII
c:\program files\StormII\BFThumbs.dll
c:\program files\StormII\box\BoxLog.dll
c:\program files\StormII\box\cache\readme.txt
c:\program files\StormII\box\HttpServer.dll
c:\program files\StormII\box\InstallInfo.ini
c:\program files\StormII\box\MovieBoxCore.dll
c:\program files\StormII\box\MovieBoxPS.dll
c:\program files\StormII\box\skin\MovieBox.zip
c:\program files\StormII\box\Stline.exe
c:\program files\StormII\box\UILib.dll
c:\program files\StormII\box\UiManager.dll
c:\program files\StormII\box\UiPlay.dll
c:\program files\StormII\box\UitvWrapper_dll.dll
c:\program files\StormII\BugReport.exe
c:\program files\StormII\codec\264be.dll
c:\program files\StormII\codec\264dmmx.dll
c:\program files\StormII\codec\264dsse.dll
c:\program files\StormII\codec\264dsse2.dll
c:\program files\StormII\codec\264dsse3.dll
c:\program files\StormII\codec\ac3filter.ax
c:\program files\StormII\codec\atidvcr.dll
c:\program files\StormII\codec\avcodec.dll
c:\program files\StormII\codec\avdevice.dll
c:\program files\StormII\codec\avformat.dll
c:\program files\StormII\codec\AviSplitter.ax
c:\program files\StormII\codec\avutil.dll
c:\program files\StormII\codec\bass.dll
c:\program files\StormII\codec\bass_aac.dll
c:\program files\StormII\codec\bass_alac.dll
c:\program files\StormII\codec\bass_ape.dll
c:\program files\StormII\codec\bass_flac.dll
c:\program files\StormII\codec\bass_mpc.dll
c:\program files\StormII\codec\bass_tta.dll
c:\program files\StormII\codec\bass_wv.dll
c:\program files\StormII\codec\binkw32.dll
c:\program files\StormII\codec\cddareader.ax
c:\program files\StormII\codec\cl264dec.ax
c:\program files\StormII\codec\CLVc1Dec.ax
c:\program files\StormII\codec\CLVsd.ax
c:\program files\StormII\codec\clvsdx.ax
c:\program files\StormII\codec\coreavc.ax
c:\program files\StormII\codec\CUDA_Filter.ax
c:\program files\StormII\codec\DCBassSource.ax
c:\program files\StormII\codec\DEC_StdMpeg4.dll
c:\program files\StormII\codec\divxdec.ax
c:\program files\StormII\codec\dxvadec.ax
c:\program files\StormII\codec\empgdmx.ax
c:\program files\StormII\codec\EmzAMRNBDec.dll
c:\program files\StormII\codec\EmzMp4Source.dll
c:\program files\StormII\codec\EzdAMRWBDec.dll
c:\program files\StormII\codec\ff_kernelDeint.dll
c:\program files\StormII\codec\ff_liba52.dll
c:\program files\StormII\codec\ff_libavcodec.dll
c:\program files\StormII\codec\ff_libdts.dll
c:\program files\StormII\codec\ff_libfaad2.dll
c:\program files\StormII\codec\ff_libmad.dll
c:\program files\StormII\codec\ff_libmpeg2.dll
c:\program files\StormII\codec\ff_libmplayer.dll
c:\program files\StormII\codec\ff_realaac.dll
c:\program files\StormII\codec\ff_samplerate.dll
c:\program files\StormII\codec\ff_theora.dll
c:\program files\StormII\codec\ff_TomsMoComp.dll
c:\program files\StormII\codec\ff_tremor.dll
c:\program files\StormII\codec\ff_unrar.dll
c:\program files\StormII\codec\ff_vfw.dll
c:\program files\StormII\codec\ff_wmv9.dll
c:\program files\StormII\codec\ff_xvidcore.dll
c:\program files\StormII\codec\ffavisynth.dll
c:\program files\StormII\codec\ffdshow.ax
c:\program files\StormII\codec\ffdshow.ax.manifest
c:\program files\StormII\codec\FFDShowAPI.dll
c:\program files\StormII\codec\ffmpeg.dll
c:\program files\StormII\codec\ffsource.ax
c:\program files\StormII\codec\ffSpkCfg.dll
c:\program files\StormII\codec\Flash.ocx
c:\program files\StormII\codec\FLT_ffdshow.dll
c:\program files\StormII\codec\FLVSplitter.ax
c:\program files\StormII\codec\H264VDEC.dll
c:\program files\StormII\codec\HikAudioDec.ax
c:\program files\StormII\codec\HikDataDump.ax
c:\program files\StormII\codec\HikFileSource.ax
c:\program files\StormII\codec\HikFileSplitter.ax
c:\program files\StormII\codec\HikH264Dec.ax
c:\program files\StormII\codec\HikMpeg4Dec.ax
c:\program files\StormII\codec\HikPSDemux.ax
c:\program files\StormII\codec\iconv.dll
c:\program files\StormII\codec\ir50_32.dll
c:\program files\StormII\codec\libavcodec.dll
c:\program files\StormII\codec\MatroskaSplitter.ax
c:\program files\StormII\codec\mfplat.dll
c:\program files\StormII\codec\Microsoft.VC90.CRT.manifest
c:\program files\StormII\codec\mkunicode.dll
c:\program files\StormII\codec\mkx.dll
c:\program files\StormII\codec\mkzlib.dll
c:\program files\StormII\codec\mmamrdmx.ax
c:\program files\StormII\codec\mp4.dll
c:\program files\StormII\codec\MP4Splitter.ax
c:\program files\StormII\codec\mpeg2dmx.ax
c:\program files\StormII\codec\MpegSplitter.ax
c:\program files\StormII\codec\mpg4ds32.ax
c:\program files\StormII\codec\MPlayer.exe
c:\program files\StormII\codec\msvcp71.dll
c:\program files\StormII\codec\msvcr71.dll
c:\program files\StormII\codec\msvcr90.dll
c:\program files\StormII\codec\NDParser.ax
c:\program files\StormII\codec\NeSplitter.ax
c:\program files\StormII\codec\nvcuvid.dll
c:\program files\StormII\codec\nvviddec.ax
c:\program files\StormII\codec\OggSplitter.ax
c:\program files\StormII\codec\ogm.dll
c:\program files\StormII\codec\PmpSplt.ax
c:\program files\StormII\codec\pncrt.dll
c:\program files\StormII\codec\pndx5016.dll
c:\program files\StormII\codec\pndx5032.dll
c:\program files\StormII\codec\pthreadVC2.dll
c:\program files\StormII\codec\qasf.dll
c:\program files\StormII\codec\RadGtSplitter.ax
c:\program files\StormII\codec\Real\Codecs\14_43260.dll
c:\program files\StormII\codec\Real\Codecs\28_83260.dll
c:\program files\StormII\codec\Real\Codecs\atrc.dll
c:\program files\StormII\codec\Real\Codecs\cook.dll
c:\program files\StormII\codec\Real\Codecs\dnet3260.dll
c:\program files\StormII\codec\Real\Codecs\drv2.dll
c:\program files\StormII\codec\Real\Codecs\drvc.dll
c:\program files\StormII\codec\Real\Codecs\raac.dll
c:\program files\StormII\codec\Real\Codecs\ralf.dll
c:\program files\StormII\codec\Real\Codecs\sipr.dll
c:\program files\StormII\codec\RenderFilter.ax
c:\program files\StormII\codec\RMSplt.ax
c:\program files\StormII\codec\skinsres.dll
c:\program files\StormII\codec\smackw32.dll
c:\program files\StormII\codec\splitter.ax
c:\program files\StormII\codec\swscale.dll
c:\program files\StormII\codec\ts.dll
c:\program files\StormII\codec\tsccvid.dll
c:\program files\StormII\codec\vc1dc.dll
c:\program files\StormII\codec\vc1dmmx.dll
c:\program files\StormII\codec\vc1dsse.dll
c:\program files\StormII\codec\vc1dsse2.dll
c:\program files\StormII\codec\vc1wp.ax
c:\program files\StormII\codec\vp6vfw.dll
c:\program files\StormII\codec\vp7vfw.dll
c:\program files\StormII\codec\WMADMOD.dll
c:\program files\StormII\codec\WMVDECOD.dll
c:\program files\StormII\codec\wmvdmod.dll
c:\program files\StormII\codec\xvid.ax
c:\program files\StormII\codec\xvidcore.dll
c:\program files\StormII\Config.dll
c:\program files\StormII\CoreLog.dll
c:\program files\StormII\DXVACheck.dll
c:\program files\StormII\DXVAMgr.dll
c:\program files\StormII\FilterInfo.dll
c:\program files\StormII\game.ico
c:\program files\StormII\GdiPlus.dll
c:\program files\StormII\GifParser.dll
c:\program files\StormII\HD\ATI UVD解决方案(Vista_Win7).xml
c:\program files\StormII\HD\ATI UVD解决方案.xml
c:\program files\StormII\HD\ATI UVD解决方案2.xml
c:\program files\StormII\HD\Intel解决方案(Vista_Win7).xml
c:\program files\StormII\HD\Intel解决方案.xml
c:\program files\StormII\HD\MPEG-2解决方案.xml
c:\program files\StormII\HD\NVidia CUDA解决方案.xml
c:\program files\StormII\HD\NVidia PureVideoHD解决方案(Vista_Win7).xml
c:\program files\StormII\HD\NVidia PureVideoHD解决方案.xml
c:\program files\StormII\HD\NVidia PureVideoHD解决方案2.xml
c:\program files\StormII\HD\PowerDVD解决方案.xml
c:\program files\StormII\HD\VIA解决方案.xml
c:\program files\StormII\HD\微软解决方案(Vista_Win7).xml
c:\program files\StormII\HD\暴风影音解决方案.xml
c:\program files\StormII\intr.dll
c:\program files\StormII\jscript.dll
c:\program files\StormII\kcheck2.dll
c:\program files\StormII\keys.dat
c:\program files\StormII\mcntr.dll
c:\program files\StormII\media\def\def.flv
c:\program files\StormII\media\def\def.ini
c:\program files\StormII\media\empty.swf
c:\program files\StormII\media\media4in1.swf
c:\program files\StormII\media\mediabp.swf
c:\program files\StormII\media\others.xml
c:\program files\StormII\media\others.xml.ini
c:\program files\StormII\media\stcon.ini
c:\program files\StormII\media\toff.ini
c:\program files\StormII\media\video_material_list.xml
c:\program files\StormII\media\video_material_list.xml.ini
c:\program files\StormII\media\video_style_list.xml
c:\program files\StormII\media\video_style_list.xml.ini
c:\program files\StormII\Media2.dll
c:\program files\StormII\MediaInfo.dll
c:\program files\StormII\medialib.dll
c:\program files\StormII\mee.db
c:\program files\StormII\meedb.dll
c:\program files\StormII\minfo\MediaInfo2.dll
c:\program files\StormII\minfo\MInfo.dll
c:\program files\StormII\mps.dll
c:\program files\StormII\msscript.ocx
c:\program files\StormII\msvcp60.dll
c:\program files\StormII\Option.dll
c:\program files\StormII\p2p_player.swf
c:\program files\StormII\rndrmgr.dll
c:\program files\StormII\Skin\暴风1经典.zip
c:\program files\StormII\Skin\暴风2经典.zip
c:\program files\StormII\spfa.dll
c:\program files\StormII\splayers.dll
c:\program files\StormII\storm.exe
c:\program files\StormII\StormBox.ico
c:\program files\StormII\StormNC\Microsoft.VC80.CRT.manifest
c:\program files\StormII\StormNC\msvcm80.dll
c:\program files\StormII\StormNC\msvcp80.dll
c:\program files\StormII\StormNC\msvcr80.dll
c:\program files\StormII\StormNC\StormNC_I.dll
c:\program files\StormII\StormNC\StormNC_R.dll
c:\program files\StormII\stormpop.exe
c:\program files\StormII\StormRes.dll
c:\program files\StormII\StormSkinRes.dll
c:\program files\StormII\Stormtray.exe
c:\program files\StormII\StormUpdate.dll
c:\program files\StormII\StormUpdate.exe
c:\program files\StormII\subdecoder.dll
c:\program files\StormII\swDirScaner.dll
c:\program files\StormII\swf\ku6.swf
c:\program files\StormII\swf\tudou.swf
c:\program files\StormII\Tips.dll
c:\program files\StormII\uninst.exe
c:\program files\StormII\unrar.dll
c:\program files\StormII\web\Error.html
c:\program files\StormII\web\images\box_bg.jpg
c:\program files\StormII\web\images\box_li.jpg
c:\program files\StormII\web\images\cancel.jpg
c:\program files\StormII\web\images\cancellation.jpg
c:\program files\StormII\web\images\cid.jpg
c:\program files\StormII\web\images\downloads.jpg
c:\program files\StormII\web\images\false.jpg
c:\program files\StormII\web\images\false_0906707.jpg
c:\program files\StormII\web\images\line.jpg
c:\program files\StormII\web\images\link_bg.jpg
c:\program files\StormII\web\images\link_out.jpg
c:\program files\StormII\web\images\loading.gif
c:\program files\StormII\web\images\star.gif
c:\program files\StormII\web\images\star_bg.gif
c:\program files\StormII\web\Loading.html
c:\program files\StormII\win7Taskbar.dll
c:\users\DONG\Documents\backupregistry.reg
c:\users\DONG\Documents\reg backup.reg
c:\users\DONG\Documents\registry backup-complete-2.reg
c:\users\DONG\Documents\registry backup-complete.reg
c:\windows\system32\pdkgnn7.dll
c:\windows\system32\prsgrc.dll
----- BITS: Possible infected sites -----
hxxp://liveupdate.symantec.com
.
((((((((((((((((((((((((( 2009-12-05 至 2010-01-05 的新的档案 )))))))))))))))))))))))))))))))
.
2010-01-05 16:06 . 2010-01-05 16:06 -------- d-----w- c:\users\DONG\AppData\Local\temp
2010-01-05 16:06 . 2010-01-05 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-05 16:06 . 2010-01-05 16:06 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-04 02:53 . 2010-01-04 02:53 388096 ----a-r- c:\users\DONG\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-04 02:53 . 2010-01-04 02:53 -------- d-----w- c:\program files\TrendMicro
2010-01-03 01:19 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 01:19 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 01:08 . 2010-01-03 01:08 -------- d-----w- c:\users\DONG\AppData\Roaming\Malwarebytes
2010-01-03 01:08 . 2010-01-03 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 15:15 . 2010-01-03 01:28 -------- d-----w- c:\users\DONG\AppData\Local\cnubkf
2009-12-30 15:52 . 2009-12-30 15:52 -------- d-----w- C:\StormMedia
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Roaming\Thinstall
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Local\Thinstall
2009-12-09 00:01 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 00:01 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 00:01 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 23:23 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 23:23 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 14:37 . 2009-07-05 23:38 -------- d-----w- c:\users\DONG\AppData\Roaming\SogouPY
2010-01-05 03:22 . 2009-10-23 23:00 1356 ----a-w- c:\users\DONG\AppData\Local\d3d9caps.dat
2009-12-29 15:46 . 2009-10-01 00:21 -------- d-----w- c:\program files\Netease
2009-12-21 14:38 . 2009-07-06 00:21 -------- d-----w- c:\users\DONG\AppData\Roaming\GoodSync
2009-12-09 00:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-21 06:40 . 2009-12-08 23:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-08 23:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-08 23:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-03 01:42 . 2009-10-03 12:45 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-25 14:11 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-16 12:59 . 2009-07-05 19:55 117632 ----a-w- c:\users\DONG\AppData\Local\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-5 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"AlwaysShowClassicMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-29 02:46 90112 ----a-w- c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-08-09 11:26 4702208 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"TOSCDSPD"=c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_1_0 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe"
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" /startup
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"LtMoh"=c:\program files\ltmoh\Ltmoh.exe
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
"Stormtray"=c:\program files\StormII\Stormtray.exe /Start
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091217.001\IDSvix86.sys [22/12/2009 10:23 PM 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [25/01/2008 8:47 PM 149352]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [27/11/2009 9:51 PM 5120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2009 10:00 PM 102448]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [02/09/2007 6:50 AM 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187B.sys [05/07/2009 2:39 PM 252416]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 12:31 PM 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [12/01/2008 9:32 PM 23888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
‘计划任务’ 文件夹 里的内容
2010-01-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 14:54]
2010-01-05 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - DONG.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
2010-01-05 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-10-05 18:39]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder\Program\getallurl.htm
DPF: {1345F3CB-7C40-41C2-9AC2-87CF8B68E34E} - hxxp://swf.news.163.com/2008/v/NetEaseTV_GZ.cab
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
AddRemove-storm2 - c:\program files\StormII\uninst.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 11:06
Windows 6.0.6001 Service Pack 1 NTFS
扫描被隐藏的进程 。。。
扫描被隐藏的启动组 。。。
扫描被隐藏的文件 。。。
扫描完成
被隐藏的档案: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A35BAB48-4D1F-6A0B-6BCC81421932BFFC}\{F9F16A92-BF70-12AC-7ED2CC2822129D24}\{512F8077-C30C-4607-36213242EA83EF67}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,bb,55,4d,
63,8c,8d,ab,c5,0a,3b,24,3f,cb,b2,10,65,27,e6,e1,83,0d,66,5d,f8,57,09,69,27,\
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE362BA5-0629-D23B-C3FB8C239E33F8FC}\{C1CE7122-E981-B6FB-55D5EB357453DE2E}\{F24091A5-7F5D-E904-126AD7451BC3CC57}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- 运行进程下的动态链接库 ---------------------
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
完成时间: 2010-01-05 11:10:23
ComboFix-quarantined-files.txt 2010-01-05 16:10
Pre-Run: 73,938,771,968 bytes free
Post-Run: 73,940,254,720 bytes free
- - End Of File - - BED283734517DBC9786B5BF5F7B84109

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot5th January 2010, 6:45 pm

more_horiz
Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =

    RegNull::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A35BAB48-4D1F-6A0B-6BCC81421932BFFC}\{F9F16A92-BF70-12AC-7ED2CC2822129D24}\{512F8077-C30C-4607-36213242EA83EF67}*]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE362BA5-0629-D23B-C3FB8C239E33F8FC}\{C1CE7122-E981-B6FB-55D5EB357453DE2E}\{F24091A5-7F5D-E904-126AD7451BC3CC57}*]

    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Malwarebytes' Anti-Malware can't remove Backdoor.Bot Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot5th January 2010, 8:34 pm

more_horiz
Thank you very much Belahzur! Please see the following log. I gratefully appreciate your help.



ComboFix 10-01-04.01 - DONG 05/01/2010 14:54:40.2.2 - x86
执行位置: c:\users\DONG\Desktop\ComboFix.exe
Command switches used :: c:\users\DONG\Desktop\CFScript.txt.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
----- BITS: Possible infected sites -----
hxxp://liveupdate.symantec.com
.
((((((((((((((((((((((((( 2009-12-05 至 2010-01-05 的新的档案 )))))))))))))))))))))))))))))))
.
2010-01-05 20:05 . 2010-01-05 20:05 -------- d-----w- c:\users\DONG\AppData\Local\temp
2010-01-05 20:05 . 2010-01-05 20:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-05 20:05 . 2010-01-05 20:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-05 20:05 . 2010-01-05 20:05 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-03 01:19 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 01:19 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 01:08 . 2010-01-03 01:08 -------- d-----w- c:\users\DONG\AppData\Roaming\Malwarebytes
2010-01-03 01:08 . 2010-01-03 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 15:15 . 2010-01-03 01:28 -------- d-----w- c:\users\DONG\AppData\Local\cnubkf
2009-12-30 15:52 . 2009-12-30 15:52 -------- d-----w- C:\StormMedia
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Roaming\Thinstall
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Local\Thinstall
2009-12-09 00:01 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 00:01 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 00:01 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 23:23 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 23:23 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 14:37 . 2009-07-05 23:38 -------- d-----w- c:\users\DONG\AppData\Roaming\SogouPY
2010-01-05 03:22 . 2009-10-23 23:00 1356 ----a-w- c:\users\DONG\AppData\Local\d3d9caps.dat
2009-12-29 15:46 . 2009-10-01 00:21 -------- d-----w- c:\program files\Netease
2009-12-21 14:38 . 2009-07-06 00:21 -------- d-----w- c:\users\DONG\AppData\Roaming\GoodSync
2009-12-09 00:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-21 06:40 . 2009-12-08 23:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-08 23:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-08 23:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-03 01:42 . 2009-10-03 12:45 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-25 14:11 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-16 12:59 . 2009-07-05 19:55 117632 ----a-w- c:\users\DONG\AppData\Local\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-5 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"AlwaysShowClassicMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-29 02:46 90112 ----a-w- c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-08-09 11:26 4702208 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"TOSCDSPD"=c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_1_0 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe"
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" /startup
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"LtMoh"=c:\program files\ltmoh\Ltmoh.exe
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091217.001\IDSvix86.sys [22/12/2009 10:23 PM 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [25/01/2008 8:47 PM 149352]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [27/11/2009 9:51 PM 5120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2009 10:00 PM 102448]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [02/09/2007 6:50 AM 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187B.sys [05/07/2009 2:39 PM 252416]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 12:31 PM 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [12/01/2008 9:32 PM 23888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
‘计划任务’ 文件夹 里的内容
2010-01-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 14:54]
2010-01-05 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - DONG.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
2010-01-05 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-10-05 18:39]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.shoptoshiba.ca/welcome
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder\Program\getallurl.htm
DPF: {1345F3CB-7C40-41C2-9AC2-87CF8B68E34E} - hxxp://swf.news.163.com/2008/v/NetEaseTV_GZ.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 15:06
Windows 6.0.6001 Service Pack 1 NTFS
扫描被隐藏的进程 。。。
扫描被隐藏的启动组 。。。
扫描被隐藏的文件 。。。
扫描完成
被隐藏的档案: 0
**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------
- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
完成时间: 2010-01-05 15:08:58
ComboFix-quarantined-files.txt 2010-01-05 20:08
ComboFix2.txt 2010-01-05 16:10
Pre-Run: 73,635,921,920 bytes free
Post-Run: 73,604,354,048 bytes free
- - End Of File - - 5E86D9CB065953791C4B5E5294D3A7D0

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot5th January 2010, 9:56 pm

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

descriptionMalwarebytes' Anti-Malware can't remove Backdoor.Bot EmptyRe: Malwarebytes' Anti-Malware can't remove Backdoor.Bot

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum