Malwarebytes' Anti-Malware can't remove Backdoor.Bot

Many thanks Belahzur! I feel the machine running well. Is my machine totally clean now? Based on the log, can you see whether my machine has been attacked, i.e., my information was accessed by somebody??

Thanks a lot!

Don't think so, most of it was just fake alert crap.

If used incorrectly it can be dangerous, yes.

Thank you Belahzur. I feel my computer is running very well now, could you please take a look at what I did using ComboFix to see whether I have misused it?

1. Following your instruction, drag CFscript.txt to ComboFix and post the results to you; you told me to uninstall ComboFix.

2. By mistake, I scanned my computer again using ComboFix, istead of removing it.

3. Following your instruction, I uninstalled ComboFix successfully.

I hope what I did is not harmful. Many thanks!

Hello Belahzur, could you please take a look at the above for ComboFix? as I concerned about that.

Another good news, I scanned my system using Malwarebytes' Anti-Malware again, now it didn't find any problem. Then, is it better for me to uninstall Malwarebytes' Anti-Malware or I need to run it regularly to check my system?

Thank you very much for your kind and professional help!!

Yes, post the Combofix log.

Thank you very much Belahzur for your help! The following are the scanned results before I uninstall ComboFix.


ComboFix 10-01-04.01 - DONG 05/01/2010 16:39:01.3.2 - x86
执行位置: c:\users\DONG\Desktop\ComboFix.exe
Command switches used :: /u
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
----- BITS: Possible infected sites -----
hxxp://liveupdate.symantec.com
.
((((((((((((((((((((((((( 2009-12-05 至 2010-01-05 的新的档案 )))))))))))))))))))))))))))))))
.
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\DONG\AppData\Local\temp
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-03 01:19 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 01:19 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 01:08 . 2010-01-03 01:08 -------- d-----w- c:\users\DONG\AppData\Roaming\Malwarebytes
2010-01-03 01:08 . 2010-01-03 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 15:15 . 2010-01-03 01:28 -------- d-----w- c:\users\DONG\AppData\Local\cnubkf
2009-12-30 15:52 . 2009-12-30 15:52 -------- d-----w- C:\StormMedia
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Roaming\Thinstall
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Local\Thinstall
2009-12-09 00:01 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 00:01 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 00:01 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 23:23 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 23:23 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 14:37 . 2009-07-05 23:38 -------- d-----w- c:\users\DONG\AppData\Roaming\SogouPY
2010-01-05 03:22 . 2009-10-23 23:00 1356 ----a-w- c:\users\DONG\AppData\Local\d3d9caps.dat
2009-12-29 15:46 . 2009-10-01 00:21 -------- d-----w- c:\program files\Netease
2009-12-21 14:38 . 2009-07-06 00:21 -------- d-----w- c:\users\DONG\AppData\Roaming\GoodSync
2009-12-09 00:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-21 06:40 . 2009-12-08 23:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-08 23:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-08 23:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-03 01:42 . 2009-10-03 12:45 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-25 14:11 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-16 12:59 . 2009-07-05 19:55 117632 ----a-w- c:\users\DONG\AppData\Local\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2010-01-05_20.05.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-05 19:56 . 2010-01-05 21:06 16748 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-500399067-3763941887-1865380405-1003_UserData.bin
- 2009-07-05 19:35 . 2010-01-05 18:46 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-05 19:35 . 2010-01-05 21:37 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-05 19:35 . 2010-01-05 21:37 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-05 19:35 . 2010-01-05 18:46 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-05 19:35 . 2010-01-05 18:46 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-05 19:35 . 2010-01-05 21:37 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-05 19:50 . 2010-01-05 19:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-05 21:37 . 2010-01-05 21:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-01-05 19:50 . 2010-01-05 19:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-05 21:37 . 2010-01-05 21:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-10 21:32 . 2010-01-05 21:09 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-10 21:32 . 2010-01-05 17:53 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-05 17:48 . 2010-01-05 21:36 813472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-05 17:48 . 2010-01-05 19:49 813472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-5 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"AlwaysShowClassicMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-29 02:46 90112 ----a-w- c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-08-09 11:26 4702208 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"TOSCDSPD"=c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_1_0 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe"
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" /startup
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"LtMoh"=c:\program files\ltmoh\Ltmoh.exe
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091217.001\IDSvix86.sys [22/12/2009 10:23 PM 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [25/01/2008 8:47 PM 149352]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [27/11/2009 9:51 PM 5120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2009 10:00 PM 102448]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [02/09/2007 6:50 AM 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187B.sys [05/07/2009 2:39 PM 252416]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 12:31 PM 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [12/01/2008 9:32 PM 23888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
‘计划任务’ 文件夹 里的内容
2010-01-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 14:54]
2010-01-05 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - DONG.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
2010-01-05 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-10-05 18:39]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.shoptoshiba.ca/welcome
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder\Program\getallurl.htm
DPF: {1345F3CB-7C40-41C2-9AC2-87CF8B68E34E} - hxxp://swf.news.163.com/2008/v/NetEaseTV_GZ.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 16:52
Windows 6.0.6001 Service Pack 1 NTFS
扫描被隐藏的进程 。。。
扫描被隐藏的启动组 。。。
扫描被隐藏的文件 。。。
扫描完成
被隐藏的档案: 0
**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------
- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
完成时间: 2010-01-05 16:54:58
ComboFix-quarantined-files.txt 2010-01-05 21:54
ComboFix2.txt 2010-01-05 20:08
ComboFix3.txt 2010-01-05 16:10
Pre-Run: 73,532,780,544 bytes free
Post-Run: 73,502,162,944 bytes free
- - End Of File - - BC67FF5EBFDE7717067E21537B72D71C

Looks okay, still having problems?

Thank you Belahzur, my computer is fine, I am just thinking if I have used ComboFix incorrectly. I am happy all are fine.

I also installed Malwarebytes' Anti-Malware, should I uninstall it as well?

No, leave MBAM, it's a good on-demand scanner.

Thank you very much Belahzur!! My system is good now.