Mark O
Posts: 13 +0
We opened the wrong email....Delta tickets attached! Immediately got an embedded virus, 'updateflashplayer.exe Trojan. I started the process of following the Techspot forum instructions.
Here are the logs from MBAM and DDS. I have Security Essentials as antivirus protection and only now loaded MBAM premium...for real time malware protection going forward. Windows 7 Pro, 32bit laptop.
Can you help me finish cleaning this machine??
Version: 2.00.2.1012
Malware Database: v2014.09.06.06
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: AnyUser
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 279195
Time Elapsed: 7 min, 50 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 1
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, 3848, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.WeDownLoadManager.A, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WEDLMNGR, Quarantined, [d7c205c4d4a76ec8119f738822e01de3],
Registry Values: 1
Trojan.Zbot, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ymsedielamb, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Quarantined, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 5
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e],
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Alpebyc\ibfuu.exe, Quarantined, [12872f9a4635cb6b987dbefa01008d73],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96952c1b.exe, Quarantined, [5c3d6a5fceadc76f44d1962203fef50b],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d3c7bcbb.exe, Quarantined, [ebae5376e19a9d99f61f9226669ba55b],
Trojan.Agent.MP, C:\Users\AnyUser\AppData\Local\butiqvll.exe, Quarantined, [46533297fa81f73f122bedf8ca3a60a0],
Physical Sectors: 0
(No malicious items detected)
(end)
DDS scan
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17239
Run by AnyUser at 12:09:14 on 2014-09-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.2017 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoSync\MemeoAutoSync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [HP Officejet Pro 8610 (NET)] "c:\program files\hp\hp officejet pro 8610\bin\ScanToPCActivationApp.exe" -deviceID "CN41BBK12X:NW" -scfn "HP Officejet Pro 8610 (NET)" -AutoStart 1
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [FingerPrintSoftwareSplashScreen] "c:\program files\lenovo fingerprint software\splashscreen.exe" \s
mRun: [picon] "c:\program files\common files\intel\privacy icon\PIconStartup.exe"
mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: DisallowCpl = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print\SmartPrintSetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1388550385823
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{F5FB515C-88C4-40A8-A8E0-D729B3C3D357} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\belarcadvisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.103\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-5-31 1824584]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-5-31 98304]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-9-5 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-9-5 860472]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2014-3-15 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2011-5-31 659968]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-8-22 225408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-9-5 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-5 110296]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-5-31 106496]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-8-14 108032]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-9-5 51928]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 104264]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-1-4 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-3-14 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-10-18 1343400]
.
=============== Created Last 30 ================
.
2014-09-06 16:24:31 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-06 16:24:31 -------- d-----w- c:\programdata\RogueKiller
2014-09-05 23:46:36 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-05 23:46:21 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-05 23:46:21 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-05 23:46:21 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-05 23:46:20 -------- d-----w- c:\programdata\Malwarebytes
2014-09-05 23:46:20 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-05 10:17:44 237 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
2014-09-05 10:16:10 -------- d-----w- c:\users\anyuser\appdata\roaming\Alpebyc
2014-09-05 09:57:58 -------- d-----w- c:\users\anyuser\appdata\roaming\Ihexdoe
2014-09-05 04:15:34 280064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzppw71.dll
2014-09-04 11:31:22 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4cabbce6-e73b-4acb-b060-dff64cb7fc07}\mpengine.dll
2014-09-03 11:29:47 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-08-29 11:30:34 893248 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a53b23e6-d90f-41c5-8cd2-bc028b31e215}\gapaengine.dll
2014-08-27 19:27:47 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-08-27 19:27:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-27 14:55:41 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
2014-08-27 14:16:02 -------- d-----w- c:\windows\system32\appmgmt
2014-08-18 22:29:03 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-18 22:28:27 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-18 22:27:32 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-18 22:27:32 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-15 11:09:55 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-15 11:09:49 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-15 11:09:38 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-08-15 11:09:29 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
.
==================== Find3M ====================
.
2014-07-25 13:04:40 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-07-25 13:03:54 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-07-25 12:34:49 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-07-25 12:34:03 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-07-25 12:33:08 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-07-25 12:30:32 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-07-25 12:10:15 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-07-25 12:10:12 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-07-25 12:08:47 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-07-25 12:06:47 4204032 ----a-w- c:\windows\system32\jscript9.dll
2014-07-25 11:59:29 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-25 11:43:16 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-07-25 11:07:49 2001920 ----a-w- c:\windows\system32\inetcpl.cpl
2014-07-25 11:07:10 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-07-25 10:05:23 1792512 ----a-w- c:\windows\system32\wininet.dll
2014-07-16 02:46:02 2048 ----a-w- c:\windows\system32\tzres.dll
2014-07-14 01:42:02 654336 ----a-w- c:\windows\system32\rpcrt4.dll
2014-07-09 02:59:14 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 02:59:14 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
2014-06-16 01:44:49 730048 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-06-16 01:44:49 219072 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2014-06-16 01:40:20 107520 ----a-w- c:\windows\system32\cdd.dll
.
============= FINISH: 12:09:46.87 ===============
I will post DDS 'attach' report if you need it.
Thank you!
Here are the logs from MBAM and DDS. I have Security Essentials as antivirus protection and only now loaded MBAM premium...for real time malware protection going forward. Windows 7 Pro, 32bit laptop.
Can you help me finish cleaning this machine??
Version: 2.00.2.1012
Malware Database: v2014.09.06.06
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: AnyUser
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 279195
Time Elapsed: 7 min, 50 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 1
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, 3848, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.WeDownLoadManager.A, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WEDLMNGR, Quarantined, [d7c205c4d4a76ec8119f738822e01de3],
Registry Values: 1
Trojan.Zbot, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ymsedielamb, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Quarantined, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 5
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e],
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Alpebyc\ibfuu.exe, Quarantined, [12872f9a4635cb6b987dbefa01008d73],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96952c1b.exe, Quarantined, [5c3d6a5fceadc76f44d1962203fef50b],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d3c7bcbb.exe, Quarantined, [ebae5376e19a9d99f61f9226669ba55b],
Trojan.Agent.MP, C:\Users\AnyUser\AppData\Local\butiqvll.exe, Quarantined, [46533297fa81f73f122bedf8ca3a60a0],
Physical Sectors: 0
(No malicious items detected)
(end)
DDS scan
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17239
Run by AnyUser at 12:09:14 on 2014-09-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.2017 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoSync\MemeoAutoSync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [HP Officejet Pro 8610 (NET)] "c:\program files\hp\hp officejet pro 8610\bin\ScanToPCActivationApp.exe" -deviceID "CN41BBK12X:NW" -scfn "HP Officejet Pro 8610 (NET)" -AutoStart 1
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [FingerPrintSoftwareSplashScreen] "c:\program files\lenovo fingerprint software\splashscreen.exe" \s
mRun: [picon] "c:\program files\common files\intel\privacy icon\PIconStartup.exe"
mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: DisallowCpl = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print\SmartPrintSetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1388550385823
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{F5FB515C-88C4-40A8-A8E0-D729B3C3D357} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\belarcadvisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.103\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-5-31 1824584]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-5-31 98304]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-9-5 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-9-5 860472]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2014-3-15 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2011-5-31 659968]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-8-22 225408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-9-5 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-5 110296]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-5-31 106496]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-8-14 108032]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-9-5 51928]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 104264]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-1-4 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-3-14 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-10-18 1343400]
.
=============== Created Last 30 ================
.
2014-09-06 16:24:31 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-06 16:24:31 -------- d-----w- c:\programdata\RogueKiller
2014-09-05 23:46:36 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-05 23:46:21 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-05 23:46:21 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-05 23:46:21 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-05 23:46:20 -------- d-----w- c:\programdata\Malwarebytes
2014-09-05 23:46:20 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-05 10:17:44 237 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
2014-09-05 10:16:10 -------- d-----w- c:\users\anyuser\appdata\roaming\Alpebyc
2014-09-05 09:57:58 -------- d-----w- c:\users\anyuser\appdata\roaming\Ihexdoe
2014-09-05 04:15:34 280064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzppw71.dll
2014-09-04 11:31:22 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4cabbce6-e73b-4acb-b060-dff64cb7fc07}\mpengine.dll
2014-09-03 11:29:47 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-08-29 11:30:34 893248 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a53b23e6-d90f-41c5-8cd2-bc028b31e215}\gapaengine.dll
2014-08-27 19:27:47 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-08-27 19:27:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-27 14:55:41 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
2014-08-27 14:16:02 -------- d-----w- c:\windows\system32\appmgmt
2014-08-18 22:29:03 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-18 22:28:27 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-18 22:27:32 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-18 22:27:32 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-15 11:09:55 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-15 11:09:49 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-15 11:09:38 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-08-15 11:09:29 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
.
==================== Find3M ====================
.
2014-07-25 13:04:40 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-07-25 13:03:54 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-07-25 12:34:49 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-07-25 12:34:03 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-07-25 12:33:08 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-07-25 12:30:32 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-07-25 12:10:15 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-07-25 12:10:12 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-07-25 12:08:47 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-07-25 12:06:47 4204032 ----a-w- c:\windows\system32\jscript9.dll
2014-07-25 11:59:29 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-25 11:43:16 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-07-25 11:07:49 2001920 ----a-w- c:\windows\system32\inetcpl.cpl
2014-07-25 11:07:10 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-07-25 10:05:23 1792512 ----a-w- c:\windows\system32\wininet.dll
2014-07-16 02:46:02 2048 ----a-w- c:\windows\system32\tzres.dll
2014-07-14 01:42:02 654336 ----a-w- c:\windows\system32\rpcrt4.dll
2014-07-09 02:59:14 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 02:59:14 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
2014-06-16 01:44:49 730048 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-06-16 01:44:49 219072 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2014-06-16 01:40:20 107520 ----a-w- c:\windows\system32\cdd.dll
.
============= FINISH: 12:09:46.87 ===============
I will post DDS 'attach' report if you need it.
Thank you!