Trojan.Zbot found in InstallShield

Inactive
By AnxietyProne
Nov 1, 2012
  1. My computer has been fine lately, but I decided to run a routine scan and was very surprised to see Malwarebytes pick up two trojan.zbots, one in system32/installshield. I removed them both and restarted my computer, but I want to be sure they're completely gone. I'll paste required logs in my next posts. Thanks. :)

    Malwarebytes Quick Scan Log:

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.11.01.09

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Rachel :: RACHEL-HP [administrator]

    11/1/2012 10:30:56 PM
    mbam-log-2012-11-01 (22-30-56).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 203564
    Time elapsed: 4 minute(s), 59 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  2. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    GMER produced no log, so on to DDS:

    DDS (Ver_2012-10-19.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16421
    Run by Rachel at 23:24:03 on 2012-11-01
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1605 [GMT -4:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Tablet\Pen\Pen_TouchService.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files (x86)\Secunia\PSI\PSIA.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\Explorer.EXE
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Program Files\Tablet\Pen\Pen_Tablet.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Tablet\Pen\Pen_Tablet.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
    C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Bamboo Dock\BambooCore.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\Secunia\PSI\sua.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
    C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
    C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
    uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [BambooCore] C:\Program Files (x86)\Bamboo Dock\BambooCore.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Free YouTube Download - C:\Users\Rachel\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
    IE: Free YouTube to MP3 Converter - C:\Users\Rachel\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{C05AD519-926E-46DA-A286-D6B3A0E85834} : DHCPNameServer = 68.87.74.166 68.87.68.166
    TCP: Interfaces\{E65370D4-3078-4DF2-BEF3-9DA773D84084} : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{E65370D4-3078-4DF2-BEF3-9DA773D84084}\2375942554637393 : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{E65370D4-3078-4DF2-BEF3-9DA773D84084}\C696E6B6379737 : DHCPNameServer = 68.87.74.166 68.87.68.166
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
    x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
    x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\ftipx0mn.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
    FF - plugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
    FF - ExtSQL: 2012-09-21 05:29; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; C:\Users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\ftipx0mn.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-9-16 55856]
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-7-5 969200]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-7-5 359464]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-7-5 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-7-5 71600]
    R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atipmdag.sys [2010-11-20 6403072]
    R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-11-20 188928]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-3-31 25928]
    R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-9-1 17976]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-11-20 347680]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-11-20 38456]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-11-20 245792]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-22 59392]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
    S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2012-10-30 13312]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
    .
    =============== Created Last 30 ================
    .
    2012-10-31 10:26:36 -------- d-----w- C:\Users\Rachel\AppData\Local\{FB41345B-5192-4D16-9025-62F134599D40}
    2012-10-31 02:25:34 -------- d-----w- C:\Users\Rachel\AppData\Roaming\wacomid-desktop-launcher.DCFD4B89A63EE70BC162777F06D4B93B6397AEC7.1
    2012-10-31 02:24:38 -------- d-----w- C:\Users\Rachel\AppData\Roaming\Wacom
    2012-10-31 02:24:30 -------- d-----w- C:\ProgramData\Wacom
    2012-10-31 02:24:00 -------- d-----w- C:\Program Files (x86)\Bamboo Dock
    2012-10-31 02:21:31 -------- d-----w- C:\Users\Rachel\AppData\Roaming\WTablet
    2012-10-31 02:21:29 1326456 ----a-w- C:\Windows\System32\Pen_Touch_Tablet.dll
    2012-10-31 02:21:29 1107832 ----a-w- C:\Windows\SysWow64\Pen_Touch_Tablet.dll
    2012-10-31 02:21:16 -------- d-----w- C:\Program Files (x86)\TabletPlugins
    2012-10-31 02:21:10 13312 ----a-w- C:\Windows\System32\drivers\wacmoumonitor.sys
    2012-10-31 02:20:36 12848 ----a-w- C:\Windows\System32\drivers\wacommousefilter.sys
    2012-10-31 02:20:07 16168 ----a-w- C:\Windows\System32\drivers\wacomvhid.sys
    2012-10-31 02:20:02 1392504 ----a-w- C:\Windows\System32\WacomMT.dll
    2012-10-31 02:20:02 1152888 ----a-w- C:\Windows\SysWow64\WacomMT.dll
    2012-10-31 02:20:01 1401208 ----a-w- C:\Windows\System32\Wintab32.dll
    2012-10-31 02:20:01 1156472 ----a-w- C:\Windows\SysWow64\Wintab32.dll
    2012-10-31 02:20:00 1369464 ----a-w- C:\Windows\SysWow64\Pen_Tablet.dll
    2012-10-31 02:19:59 1665400 ----a-w- C:\Windows\System32\Pen_Tablet.dll
    2012-10-31 02:19:53 -------- d-----w- C:\Program Files\Tablet
    2012-10-30 08:53:00 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{314EFFCC-3025-4283-8EA1-FB6EAA42F862}\mpengine.dll
    2012-10-28 01:58:06 -------- d-----w- C:\Users\Rachel\AppData\Local\{569E437D-D43B-4D41-9C09-4F744184CC44}
    2012-10-14 03:37:36 -------- d-----w- C:\Users\Rachel\AppData\Local\{F16DAD32-941E-4293-A975-C3566F7E1E72}
    2012-10-11 02:41:59 5120 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
    2012-10-11 02:40:57 715776 ----a-w- C:\Windows\System32\kerberos.dll
    2012-10-11 02:40:57 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
    2012-10-11 02:40:47 1464320 ----a-w- C:\Windows\System32\crypt32.dll
    2012-10-11 02:40:45 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll
    2012-10-11 02:40:43 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
    2012-10-11 02:40:43 140288 ----a-w- C:\Windows\System32\cryptnet.dll
    2012-10-11 02:40:41 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
    2012-10-11 02:40:41 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
    2012-10-05 23:14:43 -------- d-----w- C:\Users\Rachel\AppData\Local\{F69D49DD-F2F6-4840-82E9-EAFC013906B1}
    .
    ==================== Find3M ====================
    .
    2012-10-08 20:46:25 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-10-08 20:46:24 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-09-29 23:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
    2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
    2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
    2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
    2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
    2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
    2012-08-21 17:01:20 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
    2012-08-21 17:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
    2012-08-21 17:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
    2012-08-21 09:13:13 969200 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-08-21 09:13:12 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-08-21 09:13:12 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-08-21 09:12:33 41224 ----a-w- C:\Windows\avastSS.scr
    2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
    2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
    2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
    2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-08-06 10:44:20 955888 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2012-08-06 10:44:20 839152 ----a-w- C:\Windows\System32\deployJava1.dll
    .
    ============= FINISH: 23:25:23.32 ===============
  3. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    DDS ATTACH:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-10-19.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/5/2011 2:26:49 AM
    System Uptime: 11/1/2012 10:28:02 PM (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 1444
    Processor: AMD Athlon(tm) II P340 Dual-Core Processor | Socket S1G4 | 792/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 280 GiB total, 194.144 GiB free.
    D: is FIXED (NTFS) - 17 GiB total, 2.49 GiB free.
    E: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: USB Video Device
    Device ID: USB\VID_04F2&PID_B1AA&MI_00\6&87B58A9&0&0000
    Manufacturer: Microsoft
    Name: HP Webcam-101
    PNP Device ID: USB\VID_04F2&PID_B1AA&MI_00\6&87B58A9&0&0000
    Service: usbvideo
    .
    ==== System Restore Points ===================
    .
    RP283: 10/23/2012 4:57:16 AM - Windows Update
    RP284: 10/26/2012 1:47:16 PM - Windows Update
    RP285: 10/30/2012 4:52:18 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Community Help
    Adobe Download Assistant
    Adobe Flash Player 11 Plugin
    Adobe Photoshop Elements 10
    Adobe Photoshop.com Inspiration Browser
    Adobe Shockwave Player 11.5
    AIM 7
    AMD USB Filter Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    ATI Catalyst Install Manager
    avast! Free Antivirus
    Bamboo
    Bamboo Dock
    Battle.net
    Bejeweled 2 Deluxe
    Blackhawk Striker 2
    Bonjour
    Build-a-lot 2
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility64
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    Chuzzle Deluxe
    CinemaNow Media Manager
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    CyberLink DVD Suite
    CyberLink MediaShow
    CyberLink PowerDVD 9
    CyberLink YouCam
    D3DX10
    Diablo
    Diablo II
    Diablo III
    Diner Dash 2 Restaurant Rescue
    Dora's Carnival Adventure
    Download Updater (AOL LLC)
    Elements 10 Organizer
    Energy Star Digital Logo
    Escape Rosecliff Island
    ESU for Microsoft Windows 7
    FATE
    Final Drive Nitro
    Free Studio version 5.7.4.918
    Heroes of Hellas 2 - Olympia
    HP Advisor
    HP Customer Experience Enhancements
    HP Documentation
    HP Game Console
    HP Games
    HP MediaSmart CinemaNow 2.0
    HP Photo Creations
    HP Power Manager
    HP Quick Launch
    HP Setup
    HP Software Framework
    HP Wireless Assistant
    iTunes
    Java(TM) 7 Update 5 (64-bit)
    Jewel Quest 3
    Jewel Quest Solitaire 2
    Junk Mail filter update
    LabelPrint
    League of Legends
    LightScribe System Software
    Malwarebytes Anti-Malware version 1.65.1.1000
    MapleStory
    Messenger Companion
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft WSE 3.0 Runtime
    Microsoft XNA Framework Redistributable 4.0
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_ATL_x86_x64
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_CRT_x86_x64
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFC_x86_x64
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC80_MFCLOC_x86_x64
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_ATL_x86_x64
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_CRT_x86_x64
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFC_x86_x64
    Microsoft_VC90_MFCLOC_x86
    Microsoft_VC90_MFCLOC_x86_x64
    Mozilla Firefox 16.0.2 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NC Launcher (GameForge)
    Nexon Game Manager
    NVIDIA PhysX v8.10.29
    OpenAL
    Pando Media Booster
    Penguins!
    PhotoNow!
    Plants vs. Zombies
    Poker Superstars III
    Polar Bowler
    Polar Golfer
    Power2Go
    PowerDirector
    Project64 1.6
    PSE10 STI Installer
    Realtek Ethernet Controller Driver For Windows 7
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Recovery Manager
    Riven The sequel to Myst
    Roxio CinemaNow 2.0
    RtVOsd
    Secunia PSI (2.0.0.4003)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Skype Click to Call
    Skype™ 5.10
    Spybot - Search & Destroy
    Steam
    Synaptics Pointing Device Driver
    System Requirements Lab CYRI
    TortoiseSVN 1.6.16.21511 (64 bit)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Ventrilo Client
    Virtual Families
    Virtual Villagers - The Secret City
    WebTablet FB Plugin
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    Wheel of Fortune 2
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR 4.01 (32-bit)
    Yu-Gi-Oh! ONLINE 3
    Zuma Deluxe
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/1/2012 11:24:37 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avast! Antivirus service.
    10/27/2012 8:34:51 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
    10/27/2012 8:34:51 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
  4. Broni

    Broni Malware Annihilator Posts: 46,134   +251

    Can you post previous MBAM log?
    I'd like to see files names and locations.

    The log can be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  5. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    I'm sorry, Broni! I couldn't pull up my Malwarebytes log from the location you requested, but I went directly into my Malewarebytes logs and pulled this up. If this isn't what you're looking for, I will try again to find what you need. Thank you!

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.11.01.09

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Rachel :: RACHEL-HP [administrator]

    11/1/2012 9:04:51 PM
    mbam-log-2012-11-01 (21-04-51).txt

    Scan type: Full scan (C:\|D:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 388195
    Time elapsed: 1 hour(s), 21 minute(s), 15 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
    C:\Windows\winsxs\wow64_microsoft-windows-I..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

    (end)
  6. Broni

    Broni Malware Annihilator Posts: 46,134   +251

    I've seen those today already and they're false positive.

    Open MBAM, click on "Quarantine" tab, select both files and click on "Restore" button.

    Next...

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Windows\System32\InstallShield\_isdel.exe
    - C:\Windows\winsxs\wow64_microsoft-windows-I..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe
    - IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
  7. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    I hope this is what you're looking for! It wouldn't allow me to remove C:\Windows\winsxs\wow64_microsoft-windows-I..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe from quarantine, so I was only able to scan installshield/_isdel.exe
    Also, so sorry for the wait! I've been sick since Halloween and I just passed out from exhaustion last night! @_@

    SHA256: 1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e
    SHA1: 0e7bb331d398be694a92a823de839fefdf464dfd
    MD5: 9d4ec4b71fd189a0b2c4dbd6aade16bf
    File size: 27.0 KB ( 27648 bytes )
    File name: _isdel.exe
    File type: Win32 EXE
    Detection ratio: 0 / 42
    Analysis date: 2012-11-02 15:17:35 UTC ( 0 minutes ago )
    [​IMG]
    2​
    2​
    Less details
  8. Broni

    Broni Malware Annihilator Posts: 46,134   +251

    Yes, it's definitely false positive.

    You're good to go but I need a favor from you.
    Zip and attach this file:
    - C:\Windows\System32\InstallShield\_isdel.exe
    so I can allert MBAM people.
  9. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    Thank you so much, Broni! :) <3

    I'm embarrassed to ask, but how would I locate that file and how do I zip it?
    And also, the one file that I'm unable to remove from quarantine, will that hurt my system any?
  10. Broni

    Broni Malware Annihilator Posts: 46,134   +251

    Open Windows Explorer, navigate to C:\Windows\System32\InstallShield folder, right click on _isdel.exe file, then Send To>Compressed (zipped) folder.
    _isdel.zip folder will appear in very same folder (InstallShield).
    Now go back here and click on "Upload a File" button at the bottom of reply window.
    Navigate to C:\Windows\System32\InstallShield\_isdel.zip
  11. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    I can't seem to find installshield folder. I tried to search by name and then I just went directly to my System32 folder and couldn't find it there. Is there any other way? D:
     
  12. Broni

    Broni Malware Annihilator Posts: 46,134   +251

    It may be hidden folder.
    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
    Press F5 to refresh Windows Explorer view.
    NOTE. Make sure to reverse the above changes, when done with this step.
  13. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    I hope this is what you're looking for! :)

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 46,134   +251

    Thank you :)
    You're good to go.
    MBAM is already aware of the issue and they'll update their definitions.
  15. AnxietyProne

    AnxietyProne Newcomer, in training Topic Starter Posts: 85

    Thank you so much for your time, Broni! I appreciate you looking into this!
  16. Broni

    Broni Malware Annihilator Posts: 46,134   +251

    You're very welcome [​IMG]
    AnxietyProne likes this.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.