
backdoor.bot


13 replies to this topic

#1 mw74

  • Members
  • 16 posts
  • Gender:Male
  • Location:UK

Posted 07 November 2011 - 04:18 PM

Hi,
After scanning with MBAM it found 2 counts of a Backdoor.Bot. I followed the removal procedure, but on rebooting and rescanning the results show the same 2 infections.
I need help removing them please,
Thanks...


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,330 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 November 2011 - 04:22 PM

Hello, please post the MBAM log
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


And this
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 mw74

Posted 07 November 2011 - 04:42 PM

Well, weird.... I just rescanned with the flash scan, which was detecting the infection, and it is showing all clear. I am running a full scan now. Thanks for your quick response; I will keep an eye on the situation and update if it reoccurs.

#4 boopme

Posted 07 November 2011 - 04:52 PM

Ok, I'll leave it open.

#5 mw74

Posted 07 November 2011 - 04:53 PM

thanks. :thumbup2:

#6 mw74

Posted 07 November 2011 - 06:33 PM

Ok, MBAM is showing clean but Norman is showing 3 infections. I think MBAM is not detecting since I updated last???


log....


Norman Malware Cleaner v2.03.03
Copyright 1990 - 2011, Norman ASA.

Norman Scanner Engine Version: 6.07.13
nvcbin.def: Version: 6.07.00, Date: 2011/11/07 11:25:25, Variants: 11655444
nvcmacro.def: Version: 6.07.00, Date: 2011/02/01 14:21:31, Variants: 20465

Operating System: Windows 7 Service Pack 1 x64

Switches: /iagree /cleanrootkit /nosb

Scan started: 2011/11/07 23:02:43

Running pre-scan cleanup routine...
Potentially unwanted registry value: 'HKCR\txtfile\shell\open\command --> (null) = %SystemRoot%\SysWow64\notepad.exe %1'
Modify registry value: HKCR\txtfile\shell\open\command --> (Default) from '%SystemRoot%\SysWow64\notepad.exe %1' to '%SystemRoot%\system32\notepad.exe %1'
Cleaning successful
Potentially unwanted settings in service: 'Windows Error Reporting Service'
Modify service start type for service: 'Windows Error Reporting Service' (from '4' to '2')
Cleaning successful

Number of malicious objects found: 2
Number of malicious objects cleaned: 2
Scanning time: 1s

Scanning running processes and process memory...

Number of objects found: 914
Number of objects scanned: 914
Number of objects not scanned: 0
Number of malicious memory objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 3m 36s

Scanning system for FakeAV...

Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 1s

Running quick scan...
C:\Windows\System32\drivers\sptd.sys: Error opening file for read: 0x00000020

Number of files found: 5163
Number of archives unpacked: 0
Number of objects found: 5163
Number of objects scanned: 5162
Number of objects not scanned: 1
Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 3m 35s

Running post-scan cleanup routine...
Potentially unwanted registry value: 'HKCR\txtfile\shell\open\command --> (null) = %SystemRoot%\SysWow64\notepad.exe %1'
Modify registry value: HKCR\txtfile\shell\open\command --> (Default) from '%SystemRoot%\SysWow64\notepad.exe %1' to '%SystemRoot%\system32\notepad.exe %1'
Cleaning successful

Number of malicious objects found: 1
Number of malicious objects cleaned: 1
Scanning time: 0s

Results:
Total number of files found: 5163
Total number of archives unpacked: 0
Total number of objects found: 6077
Total number of objects scanned: 6076
Total number of objects not scanned: 1
Total number of malicious objects found: 3
Total number of malicious objects cleaned: 3
Total number of malicious files found: 0
Total number of malicious files cleaned: 0
Total number of objects quarantined: 1
Total scanning time: 7m 13s

MiniToolBox....


MiniToolBox by Farbar
Ran by mark the daddy (administrator) on 07-11-2011 at 23:09:57
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com

There are 15071 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : markthedaddy-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : lan

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : Realtek RTL8191SE 802.11b/g/n WiFi Adapter
Physical Address. . . . . . . . . : 1C-65-9D-73-70-30
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b460:59f4:fee5:ec6e%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.65(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, November 07, 2011 9:32:02 PM
Lease Expires . . . . . . . . . . : Tuesday, November 08, 2011 9:32:02 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 387736989
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-3E-4E-B7-64-31-50-60-77-E1
DNS Servers . . . . . . . . . . . : 8.26.56.26
8.20.247.20
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 64-31-50-60-77-E1
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.lan:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 8.26.56.26

Name: google.com.lan
Addresses: 92.242.144.50
92.242.144.50


Pinging google.com [74.125.39.147] with 32 bytes of data:
Reply from 74.125.39.147: bytes=32 time=65ms TTL=47
Reply from 74.125.39.147: bytes=32 time=52ms TTL=47

Ping statistics for 74.125.39.147:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 52ms, Maximum = 65ms, Average = 58ms
Server: UnKnown
Address: 8.26.56.26

Name: yahoo.com.lan
Addresses: 92.242.144.50
92.242.144.50


Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=211ms TTL=48
Reply from 98.137.149.56: bytes=32 time=211ms TTL=47

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 211ms, Maximum = 211ms, Average = 211ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
13...1c 65 9d 73 70 30 ......Realtek RTL8191SE 802.11b/g/n WiFi Adapter
10...64 31 50 60 77 e1 ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.65 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.65 281
192.168.1.65 255.255.255.255 On-link 192.168.1.65 281
192.168.1.255 255.255.255.255 On-link 192.168.1.65 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.65 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.65 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
13 281 fe80::/64 On-link
13 281 fe80::b460:59f4:fee5:ec6e/128
On-link
1 306 ff00::/8 On-link
13 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/07/2011 10:20:41 PM) (Source: Application Error) (User: )
Description: Faulting application name: a2start.exe, version: 6.0.0.44, time stamp: 0x4eb10147
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc00000fd
Fault offset: 0x0002dece
Faulting process id: 0x1348
Faulting application start time: 0xa2start.exe0
Faulting application path: a2start.exe1
Faulting module path: a2start.exe2
Report Id: a2start.exe3

Error: (11/07/2011 09:30:05 PM) (Source: Application Error) (User: )
Description: Faulting application name: a2start.exe, version: 6.0.0.44, time stamp: 0x4eb10147
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc00000fd
Fault offset: 0x0002dece
Faulting process id: 0x1028
Faulting application start time: 0xa2start.exe0
Faulting application path: a2start.exe1
Faulting module path: a2start.exe2
Report Id: a2start.exe3

Error: (11/07/2011 08:57:49 PM) (Source: Application Error) (User: )
Description: Faulting application name: a2guard.exe, version: 6.0.0.36, time stamp: 0x4eb1012a
Faulting module name: a2framework.dll_unloaded, version: 0.0.0.0, time stamp: 0x4eb10107
Exception code: 0xc0000005
Fault offset: 0x03766744
Faulting process id: 0x13c8
Faulting application start time: 0xa2guard.exe0
Faulting application path: a2guard.exe1
Faulting module path: a2guard.exe2
Report Id: a2guard.exe3

Error: (11/07/2011 08:55:26 PM) (Source: Application Error) (User: )
Description: Faulting application name: a2guard.exe, version: 6.0.0.36, time stamp: 0x4eb1012a
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc00000fd
Fault offset: 0x0002dece
Faulting process id: 0xed8
Faulting application start time: 0xa2guard.exe0
Faulting application path: a2guard.exe1
Faulting module path: a2guard.exe2
Report Id: a2guard.exe3

Error: (11/07/2011 08:54:32 PM) (Source: Application Error) (User: )
Description: Faulting application name: a2wizard.exe, version: 6.0.0.37, time stamp: 0x4eb10152
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc00000fd
Fault offset: 0x0002dece
Faulting process id: 0x964
Faulting application start time: 0xa2wizard.exe0
Faulting application path: a2wizard.exe1
Faulting module path: a2wizard.exe2
Report Id: a2wizard.exe3

Error: (11/07/2011 08:48:25 PM) (Source: Application Error) (User: )
Description: Faulting application name: a2service.exe, version: 6.0.0.41, time stamp: 0x4eb10135
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc00000fd
Fault offset: 0x0002dece
Faulting process id: 0x10b8
Faulting application start time: 0xa2service.exe0
Faulting application path: a2service.exe1
Faulting module path: a2service.exe2
Report Id: a2service.exe3

Error: (11/07/2011 07:06:36 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary 67986927.

System Error:
The system cannot find the file specified.
.

Error: (11/07/2011 07:06:36 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary 2393436drv.

System Error:
The system cannot find the file specified.
.

Error: (11/07/2011 07:06:01 PM) (Source: Application Error) (User: )
Description: Faulting application name: IsoBurner-Setup.exe, version: 14.0.0.162, time stamp: 0x4626b2f4
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc00000fd
Fault offset: 0x0002dece
Faulting process id: 0xd64
Faulting application start time: 0xIsoBurner-Setup.exe0
Faulting application path: IsoBurner-Setup.exe1
Faulting module path: IsoBurner-Setup.exe2
Report Id: IsoBurner-Setup.exe3

Error: (11/07/2011 07:04:59 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary 67986927.

System Error:
The system cannot find the file specified.
.


System errors:
=============
Error: (11/07/2011 09:32:58 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1058

Error: (11/07/2011 09:32:56 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1058

Error: (11/07/2011 09:32:52 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
pvkvlw

Error: (11/07/2011 08:38:17 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1058

Error: (11/07/2011 08:38:10 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
pvkvlw

Error: (11/07/2011 08:37:57 PM) (Source: Service Control Manager) (User: )
Description: The SBSD Security Center Service service failed to start due to the following error:
%%1053

Error: (11/07/2011 08:37:57 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the SBSD Security Center Service service to connect.

Error: (11/07/2011 08:35:20 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/07/2011 08:35:20 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/07/2011 08:35:20 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (11/07/2011 10:20:41 PM) (Source: Application Error)(User: )
Description: a2start.exe6.0.0.444eb10147ntdll.dll6.1.7601.175144ce7ba58c00000fd0002dece134801cc9d9773cc0d67C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2start.exeC:\Windows\SysWOW64\ntdll.dllb97f77a3-098e-11e1-aedf-6431506077e1

Error: (11/07/2011 09:30:05 PM) (Source: Application Error)(User: )
Description: a2start.exe6.0.0.444eb10147ntdll.dll6.1.7601.175144ce7ba58c00000fd0002dece102801cc9d91ec8cc7ecC:\Program Files (x86)\Emsisoft Anti-Malware\a2start.exeC:\Windows\SysWOW64\ntdll.dlla8724f75-0987-11e1-89dc-6431506077e1

Error: (11/07/2011 08:57:49 PM) (Source: Application Error)(User: )
Description: a2guard.exe6.0.0.364eb1012aa2framework.dll_unloaded0.0.0.04eb10107c00000050376674413c801cc9d8fe5eb60d0C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exea2framework.dll2632facc-0983-11e1-89dc-6431506077e1

Error: (11/07/2011 08:55:26 PM) (Source: Application Error)(User: )
Description: a2guard.exe6.0.0.364eb1012antdll.dll6.1.7601.175144ce7ba58c00000fd0002deceed801cc9d8f8f91526eC:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exeC:\Windows\SysWOW64\ntdll.dlld1147c42-0982-11e1-89dc-6431506077e1

Error: (11/07/2011 08:54:32 PM) (Source: Application Error)(User: )
Description: a2wizard.exe6.0.0.374eb10152ntdll.dll6.1.7601.175144ce7ba58c00000fd0002dece96401cc9d8e9b05f834C:\Program Files (x86)\Emsisoft Anti-Malware\a2wizard.exeC:\Windows\SysWOW64\ntdll.dllb0f3872a-0982-11e1-89dc-6431506077e1

Error: (11/07/2011 08:48:25 PM) (Source: Application Error)(User: )
Description: a2service.exe6.0.0.414eb10135ntdll.dll6.1.7601.175144ce7ba58c00000fd0002dece10b801cc9d8e8c8e4e3bC:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exeC:\Windows\SysWOW64\ntdll.dlld5d3b3bc-0981-11e1-89dc-6431506077e1

Error: (11/07/2011 07:06:36 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: Details:
AddLegacyDriverFiles: Unable to back up image of binary 67986927.

System Error:
The system cannot find the file specified.

Error: (11/07/2011 07:06:36 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: Details:
AddLegacyDriverFiles: Unable to back up image of binary 2393436drv.

System Error:
The system cannot find the file specified.

Error: (11/07/2011 07:06:01 PM) (Source: Application Error)(User: )
Description: IsoBurner-Setup.exe14.0.0.1624626b2f4ntdll.dll6.1.7601.175144ce7ba58c00000fd0002deced6401cc9d800fde89a2C:\USERS\MARKTH~1\APPDATA\LOCAL\TEMP\wz272f\IsoBurner-Setup.exeC:\Windows\SysWOW64\ntdll.dll87d09e9e-0973-11e1-a293-6431506077e1

Error: (11/07/2011 07:04:59 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: Details:
AddLegacyDriverFiles: Unable to back up image of binary 67986927.

System Error:
The system cannot find the file specified.


=========================== Installed Programs ============================

Active@ ISO Burner (Version: 2.5.0)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.0.1.152)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Advanced SystemCare 5 (Version: Beta 3.0)
Auslogics Disk Defrag (Version: version 3.3)
Auslogics Duplicate File Finder (Version: version 2.2)
CCleaner (Version: 3.12)
Comodo Dragon (Version: 15.0)
COMODO Internet Security (Version: 5.8.16726.2131)
COMODO livePCsupport (Version: 3.3.194328.53)
COMODO System-Cleaner (Version: 3.0.172695.53)
ConvertXtoDVD 4.1.19.365 (Version: 4.1.19.365)
Emsisoft Anti-Malware (Version: 6.0)
File Type Assistant
Free File Viewer 2011
HiJackThis (Version: 1.0.0)
Hitman Pro 3.5 (Version: 3.5.9.131)
InstallIQ Updater (Version: 1.4.3.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Miro (Version: 4.0.3)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
PeerBlock 1.1 (r518) (Version: 1.1.0.518)
Secunia PSI (2.0.0.4003) (Version: 2.0.0.4003)
Spybot - Search & Destroy (Version: 1.6.2)
Synaptics Pointing Device Driver (Version: 15.2.4.4)
ThreatFire
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
VirusTotal Uploader 2.0
Webroot SecureAnywhere (Version: 8.0.0.66)
WinPatrol PLUS v 20.5.2011 by Moon-Dancer
WinZip 16.0 (Version: 16.0.9661)
WinZip Courier (Version: 3.5.9658)

========================= Memory info: ===================================

Percentage of memory in use: 48%
Total physical RAM: 3998.91 MB
Available physical RAM: 2054.38 MB
Total Pagefile: 7996.02 MB
Available Pagefile: 5238.15 MB
Total Virtual: 4095.88 MB
Available Virtual: 3985.29 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:449.25 GB) (Free:313.95 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:16.31 GB) (Free:14.37 GB) NTFS
3 Drive e: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
4 Drive f: (CDROM) (CDROM) (Total:0.08 GB) (Free:0 GB) CDFS
5 Drive g: (READYBOOST) (Removable) (Total:7.45 GB) (Free:3.23 GB) FAT32
6 Drive i: (SYSTEMTOOLS) (Removable) (Total:15.05 GB) (Free:13.83 GB) FAT32

========================= Users: ========================================

User accounts for \\MARKTHEDADDY-PC

Administrator Guest mark the daddy

========================= Minidump Files ==================================

No minidump file found

**** End of log ****
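The MiniToolBox checklist boopme asked for earlier produces the Result.txt posted above. As an added example, not part of this thread and not code from Farbar's tool, here is a small Python triage script that splits a Result.txt into its `=====` sections and pulls out the items a helper reads first: whether the IE and Firefox proxy settings are off, hosts entries that map a name somewhere other than loopback (lines that map a name to 127.0.0.1, like the thousands above, block it, which is how hosts-based blocklists work), Winsock providers loaded from outside the Windows system directories or with no vendor, and driver names the Service Control Manager reported as failing to load. The regular expressions assume the banner and line layouts shown in the posted report; the sample report, the `*.test` names, `lsp_example.dll` and `exampledrv` are constructed so that each check fires once, and a hit still has to be judged from the actual file before anything is called malicious.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of MiniToolBox's Result.txt; not the report posted in this thread.
# The *.test names, lsp_example.dll and exampledrv are invented so that each check fires once.
SAMPLE_REPORT = r"""MiniToolBox by Farbar

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 1

========================= Hosts content: =================================

127.0.0.1 www.example-blocked.test
127.0.0.1 example-blocked.test
203.0.113.9 www.example-bank.test

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
Catalog9 02 C:\Users\example-user\AppData\Local\Temp\lsp_example.dll [12345] ()

========================= Event log errors: ===============================

System errors:
=============
Error: (01/01/2011 09:32:52 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
exampledrv

"""

SECTION_RE = re.compile(r"^={5,}\s+([A-Za-z][^=]*?):?\s+={5,}\s*$")   # '===== Name: =====' banners
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")           # 'ip hostname'
WINSOCK_RE = re.compile(r"^(?:x64-)?Catalog\d+\s+\d+\s+(.+?\.dll)\s+\[\d+\]\s+\((.*)\)$", re.IGNORECASE)
FF_PROXY_RE = re.compile(r'"network\.proxy\.type",\s*(\d+)')
LOOPBACK = {"127.0.0.1", "0.0.0.0"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_sections(report: str) -> Dict[str, List[str]]:
    # Bucket every line under the banner that precedes it; lines before the first banner go to 'header'.
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def hosts_redirects(lines: List[str]) -> List[Tuple[str, str]]:
    # Blocklist lines map names to loopback; a name mapped anywhere else is a redirect worth a look.
    matches = (HOSTS_RE.match(line.strip()) for line in lines)
    return [(m.group(2), m.group(1)) for m in matches if m and m.group(1) not in LOOPBACK]


def odd_winsock_entries(lines: List[str]) -> List[Tuple[str, str]]:
    # Providers loaded from outside the Windows system directories, or with an empty vendor field.
    hits = []
    for line in lines:
        m = WINSOCK_RE.match(line.strip())
        if m:
            path, vendor = m.group(1), m.group(2).strip()
            if not path.lower().startswith(SYSTEM_DIRS) or not vendor:
                hits.append((path, vendor))
    return hits


def failed_boot_drivers(lines: List[str]) -> List[str]:
    # Names listed after 'boot-start or system-start driver(s) failed to load:' up to the next blank line.
    drivers, collecting = [], False
    for line in lines:
        s = line.strip()
        if "driver(s) failed to load:" in s:
            collecting = True
        elif collecting and s and not s.startswith("Error:"):
            drivers.append(s)
        else:
            collecting = False
    return drivers


def proxy_state(sections: Dict[str, List[str]]) -> Dict[str, object]:
    # Firefox network.proxy.type 0 means no proxy; other values mean a proxy, PAC or auto-detect is configured.
    m = FF_PROXY_RE.search("\n".join(sections.get("FF Proxy Settings", [])))
    ff_type = int(m.group(1)) if m else None
    ie_off = any("Proxy is not enabled." in ln for ln in sections.get("IE Proxy Settings", []))
    return {"ie_proxy_off": ie_off, "ff_proxy_type": ff_type, "ff_proxy_off": ff_type == 0}


def triage(report: str) -> Dict[str, object]:
    s = split_sections(report)
    return {"proxy": proxy_state(s),
            "hosts_redirects": hosts_redirects(s.get("Hosts content", [])),
            "odd_winsock": odd_winsock_entries(s.get("Winsock entries", [])),
            "failed_drivers": failed_boot_drivers(s.get("Event log errors", []))}
```

Running `triage()` over a real Result.txt gives one dictionary per report, which is handy when comparing the log a poster sends before and after a cleaning step: a hosts redirect or a Winsock provider that disappears between the two runs is a change worth noting in the reply.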

#7 boopme

Posted 07 November 2011 - 08:38 PM

Hello. The Backdoor.Bot: can you find where it was and post that?
For example>>> c:\documents and settings\heriberto\application data\7c9cr2a.exe (Backdoor.Bot)

Can you post the MBAM log that was infected?
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Which of these are running? These are antivirus programs. What firewall is running?
COMODO Internet Security (Version: 5.8.16726.2131)
ThreatFire
Webroot SecureAnywhere (Version: 8.0.0.66)

These are antimalware:
Emsisoft Anti-Malware (Version: 6.0)
Hitman Pro 3.5 (Version: 3.5.9.131)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Spybot - Search & Destroy (Version: 1.6.2)
WinPatrol PLUS v 20.5.2011

#8 mw74

Posted 08 November 2011 - 02:09 AM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8107

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

11/7/2011 6:26:15 PM
mbam-log-2011-11-07 (18-26-08).txt

Scan type: Flash scan
Objects scanned: 136109
Time elapsed: 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\system32.exe (Backdoor.Bot) -> No action taken.
c:\windows\syswow64\system32.exe (Backdoor.Bot) -> No action taken.


I'm running Comodo 5.8 firewall and D+,
Webroot and ThreatFire as AV,
and MBAM and Hitman Pro as on demand.
Emsisoft I installed to help with this issue.
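As an added example, not code from the thread or from Malwarebytes, the following Python parses a Malwarebytes' Anti-Malware 1.x log in the layout posted above: the header fields, the per-category counts, and each detected item with its detection name and the action MBAM recorded. The action field is the one to read when an infection "comes back" after a reboot: an entry ending in `No action taken` was reported but never removed, so the next scan finds it again. The sample log is constructed from the format above, with the second item's action changed so that both a removed and an unremoved entry appear.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log, modelled on the one posted
# above; the second item's action is changed so that both a removed and an unremoved entry appear.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8107

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

Scan type: Flash scan
Objects scanned: 136109
Time elapsed: 37 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\system32.exe (Backdoor.Bot) -> No action taken.
c:\windows\syswow64\system32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADING_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# 'item (DetectionName) -> action.'; registry data items carry extra 'Bad: (..) Good: (..)' text in the action
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
NOTHING = "(No malicious items detected)"


@dataclass
class Detection:
    category: str   # e.g. 'Files Infected'
    item: str       # path, registry key or process
    name: str       # MBAM detection name, e.g. 'Backdoor.Bot'
    action: str     # what MBAM did, e.g. 'No action taken'


def parse_mbam_log(text: str) -> Dict[str, Any]:
    header: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    current = None  # category heading whose items are currently being listed
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NOTHING:
            continue
        if line.startswith("Malwarebytes"):
            header["Product"] = line
        elif (m := COUNT_RE.match(line)):
            counts[m.group("category")] = int(m.group("count"))
        elif (m := HEADING_RE.match(line)):
            current = m.group("category")
        elif current and (m := ITEM_RE.match(line)):
            detections.append(Detection(current, m.group("item"), m.group("name"), m.group("action")))
        elif current is None and ": " in line:
            key, _, value = line.partition(": ")
            header[key] = value
    return {"header": header, "counts": counts, "detections": detections}


def unresolved(parsed: Dict[str, Any]) -> List[Detection]:
    # Reported but not removed: the reason a 'cleaned' machine shows the same items on the next scan.
    return [d for d in parsed["detections"] if d.action.lower().startswith("no action taken")]


def count_mismatches(parsed: Dict[str, Any]) -> Dict[str, tuple]:
    # Summary counts that disagree with the items actually listed (a sign of a truncated or edited log).
    listed: Dict[str, int] = {}
    for d in parsed["detections"]:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {c: (n, listed.get(c, 0)) for c, n in parsed["counts"].items() if listed.get(c, 0) != n}


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print(result["header"].get("Database version"), result["counts"])
    for d in unresolved(result):
        print("still present:", d.item, d.name)
```

`count_mismatches` is there for the case boopme's first reply anticipates, a log pasted without its top or bottom portion: when the summary line says two files and only one is listed, the poster needs to be asked for the complete log before anything is concluded from it.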

#9 mw74

Posted 08 November 2011 - 07:58 AM

During a scan with Emsisoft I removed coolsearch. I have noticed on Google that Backdoor.Bots are sometimes related to this; I wonder if MBAM is not picking it up since coolsearch got deleted. Also, does this backdoor not have keylogging or similar abilities? I'm wondering if it's safe to use my laptop.
Thanks...

#10 boopme

Posted 08 November 2011 - 12:54 PM

Hello, I was trying to find out what it was. Here's my position on finding a Backdoor infection.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 mw74

Posted 08 November 2011 - 01:10 PM

Wow, ok. I've got really slow connection speed and processing speed, have tried system restore in normal and safe mode, neither works. Think I'm gonna do a clean install; I'm guessing I need to totally delete old Windows files? Also, can I clean my USBs or should I destroy them?

#12 boopme

Posted 08 November 2011 - 01:21 PM

I borrowed this from one of our quietman7's posts.....
data is that important to you, then you can try to salvage some of it but there is no guarantee, so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
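The backup rules in the post above (skip executables, scripts, autorun files and archives; look closely at the full file name because malware can tack a second extension onto a harmless-looking one) can be turned into a small triage script. The following is an added example, not code from BleepingComputer, quietman7 or Malwarebytes; the list of "document-like" extensions used to spot a disguised name, the sample file list, and the "review" category for files with no extension are assumptions made here to make the rules concrete.

```python
"""Backup triage following the forum post's advice.

Classifies each candidate file as:
  backup  - looks like personal data with an allowed extension
  skip    - an extension the post says not to back up, or a name that
            hides a blocked extension behind a harmless-looking one
  review  - no extension at all, so the type cannot be judged by name
This is an added example (not the forum's or Malwarebytes' code).
"""
from pathlib import PureWindowsPath

# Extensions the post says not to back up (lowercase, without the dot).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "ini", "htm", "html", "php", "asp", "xml",
    "zip", "rar", "cab",
}

# Assumed list of "document-like" extensions; a name such as
# holiday.jpg.exe ends in a blocked extension but is dressed up as a photo.
INNOCUOUS_EXTENSIONS = {
    "jpg", "jpeg", "png", "gif", "bmp", "pdf", "txt",
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "mp3",
}


def triage(path_str):
    """Return (category, reason) for one Windows path string."""
    path = PureWindowsPath(path_str)
    # PureWindowsPath.suffixes gives every dotted part, e.g. ['.jpg', '.exe']
    suffixes = [s.lstrip(".").lower() for s in path.suffixes]
    if not suffixes:
        return ("review", "no extension: type cannot be judged by name")

    final = suffixes[-1]
    if final in BLOCKED_EXTENSIONS:
        # Two extensions where the inner one looks harmless: the
        # "added to the existing extension" trick the post warns about.
        if len(suffixes) > 1 and suffixes[-2] in INNOCUOUS_EXTENSIONS:
            return ("skip", f"disguised: looks like .{suffixes[-2]} but is really .{final}")
        return ("skip", f"blocked extension .{final}")

    return ("backup", f".{final}")


def plan_backup(paths):
    """Group a list of paths by triage category, keeping each reason."""
    plan = {"backup": [], "skip": [], "review": []}
    for p in paths:
        category, reason = triage(p)
        plan[category].append((p, reason))
    return plan


# Constructed sample of files one might find on a user profile.
SAMPLE_FILES = [
    r"C:\Users\me\Pictures\holiday.jpg",
    r"C:\Users\me\Pictures\holiday.jpg.exe",      # disguised executable
    r"C:\Users\me\Documents\report.final.docx",
    r"C:\Users\me\Documents\notes.txt",
    r"C:\Users\me\Downloads\setup.exe",
    r"C:\Users\me\Downloads\photos.zip",
    r"C:\Users\me\Desktop\autorun.ini",
    r"C:\Users\me\Documents\README",
]

if __name__ == "__main__":
    for category, entries in plan_backup(SAMPLE_FILES).items():
        print(f"== {category} ==")
        for path, reason in entries:
            print(f"  {path}  ({reason})")
```

Run it as-is to see the grouping of the constructed sample; to use it on a real profile, replace `SAMPLE_FILES` with a directory walk. The script only judges names, exactly as the post advises a person to do, so anything it puts under "backup" should still be scanned before it is copied back.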

#13 mw74

Posted 09 November 2011 - 01:27 AM

Ok, thanks. Have reinstalled and all appears well, changed all passwords and completed hours of Microsoft updates. I'm pretty sure I picked up this infection trying to install SUMO @KC Software.
Thanks for your help :-D.

#14 boopme

Posted 09 November 2011 - 02:57 PM

You're welcome. If you save the download to the desktop then you can scan it before you open it.