Inactive Trojan.Zbot found in InstallShield

AnxietyProne

Posts: 79   +0
My computer has been fine lately, but I decided to run a routine scan and was very surprised to see Malwarebytes pick up two trojan.zbots, one in system32/installshield. I removed them both and restarted my computer, but I want to be sure they're completely gone. I'll paste required logs in my next posts. Thanks. :)

Malwarebytes Quick Scan Log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.01.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Rachel :: RACHEL-HP [administrator]

11/1/2012 10:30:56 PM
mbam-log-2012-11-01 (22-30-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 203564
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
GMER produced no log, so on to DDS:

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by Rachel at 23:24:03 on 2012-11-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1605 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Bamboo Dock\BambooCore.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [BambooCore] C:\Program Files (x86)\Bamboo Dock\BambooCore.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Free YouTube Download - C:\Users\Rachel\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - C:\Users\Rachel\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{C05AD519-926E-46DA-A286-D6B3A0E85834} : DHCPNameServer = 68.87.74.166 68.87.68.166
TCP: Interfaces\{E65370D4-3078-4DF2-BEF3-9DA773D84084} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{E65370D4-3078-4DF2-BEF3-9DA773D84084}\2375942554637393 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{E65370D4-3078-4DF2-BEF3-9DA773D84084}\C696E6B6379737 : DHCPNameServer = 68.87.74.166 68.87.68.166
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\ftipx0mn.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - ExtSQL: 2012-09-21 05:29; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; C:\Users\Rachel\AppData\Roaming\Mozilla\Firefox\Profiles\ftipx0mn.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-9-16 55856]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-7-5 969200]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-7-5 359464]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-7-5 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-7-5 71600]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atipmdag.sys [2010-11-20 6403072]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-11-20 188928]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-3-31 25928]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-9-1 17976]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-11-20 347680]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-11-20 38456]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-11-20 245792]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-22 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2012-10-30 13312]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2012-10-31 10:26:36 -------- d-----w- C:\Users\Rachel\AppData\Local\{FB41345B-5192-4D16-9025-62F134599D40}
2012-10-31 02:25:34 -------- d-----w- C:\Users\Rachel\AppData\Roaming\wacomid-desktop-launcher.DCFD4B89A63EE70BC162777F06D4B93B6397AEC7.1
2012-10-31 02:24:38 -------- d-----w- C:\Users\Rachel\AppData\Roaming\Wacom
2012-10-31 02:24:30 -------- d-----w- C:\ProgramData\Wacom
2012-10-31 02:24:00 -------- d-----w- C:\Program Files (x86)\Bamboo Dock
2012-10-31 02:21:31 -------- d-----w- C:\Users\Rachel\AppData\Roaming\WTablet
2012-10-31 02:21:29 1326456 ----a-w- C:\Windows\System32\Pen_Touch_Tablet.dll
2012-10-31 02:21:29 1107832 ----a-w- C:\Windows\SysWow64\Pen_Touch_Tablet.dll
2012-10-31 02:21:16 -------- d-----w- C:\Program Files (x86)\TabletPlugins
2012-10-31 02:21:10 13312 ----a-w- C:\Windows\System32\drivers\wacmoumonitor.sys
2012-10-31 02:20:36 12848 ----a-w- C:\Windows\System32\drivers\wacommousefilter.sys
2012-10-31 02:20:07 16168 ----a-w- C:\Windows\System32\drivers\wacomvhid.sys
2012-10-31 02:20:02 1392504 ----a-w- C:\Windows\System32\WacomMT.dll
2012-10-31 02:20:02 1152888 ----a-w- C:\Windows\SysWow64\WacomMT.dll
2012-10-31 02:20:01 1401208 ----a-w- C:\Windows\System32\Wintab32.dll
2012-10-31 02:20:01 1156472 ----a-w- C:\Windows\SysWow64\Wintab32.dll
2012-10-31 02:20:00 1369464 ----a-w- C:\Windows\SysWow64\Pen_Tablet.dll
2012-10-31 02:19:59 1665400 ----a-w- C:\Windows\System32\Pen_Tablet.dll
2012-10-31 02:19:53 -------- d-----w- C:\Program Files\Tablet
2012-10-30 08:53:00 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{314EFFCC-3025-4283-8EA1-FB6EAA42F862}\mpengine.dll
2012-10-28 01:58:06 -------- d-----w- C:\Users\Rachel\AppData\Local\{569E437D-D43B-4D41-9C09-4F744184CC44}
2012-10-14 03:37:36 -------- d-----w- C:\Users\Rachel\AppData\Local\{F16DAD32-941E-4293-A975-C3566F7E1E72}
2012-10-11 02:41:59 5120 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-10-11 02:40:57 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-10-11 02:40:57 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-10-11 02:40:47 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2012-10-11 02:40:45 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-10-11 02:40:43 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-10-11 02:40:43 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-10-11 02:40:41 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-10-11 02:40:41 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-10-05 23:14:43 -------- d-----w- C:\Users\Rachel\AppData\Local\{F69D49DD-F2F6-4840-82E9-EAFC013906B1}
.
==================== Find3M ====================
.
2012-10-08 20:46:25 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-08 20:46:24 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-29 23:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-08-21 17:01:20 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-08-21 17:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-08-21 17:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-08-21 09:13:13 969200 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-08-21 09:13:12 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-08-21 09:13:12 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-08-21 09:12:33 41224 ----a-w- C:\Windows\avastSS.scr
2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-06 10:44:20 955888 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-08-06 10:44:20 839152 ----a-w- C:\Windows\System32\deployJava1.dll
.
============= FINISH: 23:25:23.32 ===============
 
DDS ATTACH:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/5/2011 2:26:49 AM
System Uptime: 11/1/2012 10:28:02 PM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 1444
Processor: AMD Athlon(tm) II P340 Dual-Core Processor | Socket S1G4 | 792/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 280 GiB total, 194.144 GiB free.
D: is FIXED (NTFS) - 17 GiB total, 2.49 GiB free.
E: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: USB Video Device
Device ID: USB\VID_04F2&PID_B1AA&MI_00\6&87B58A9&0&0000
Manufacturer: Microsoft
Name: HP Webcam-101
PNP Device ID: USB\VID_04F2&PID_B1AA&MI_00\6&87B58A9&0&0000
Service: usbvideo
.
==== System Restore Points ===================
.
RP283: 10/23/2012 4:57:16 AM - Windows Update
RP284: 10/26/2012 1:47:16 PM - Windows Update
RP285: 10/30/2012 4:52:18 AM - Windows Update
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Community Help
Adobe Download Assistant
Adobe Flash Player 11 Plugin
Adobe Photoshop Elements 10
Adobe Photoshop.com Inspiration Browser
Adobe Shockwave Player 11.5
AIM 7
AMD USB Filter Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
ATI Catalyst Install Manager
avast! Free Antivirus
Bamboo
Bamboo Dock
Battle.net
Bejeweled 2 Deluxe
Blackhawk Striker 2
Bonjour
Build-a-lot 2
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Chuzzle Deluxe
CinemaNow Media Manager
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
CyberLink DVD Suite
CyberLink MediaShow
CyberLink PowerDVD 9
CyberLink YouCam
D3DX10
Diablo
Diablo II
Diablo III
Diner Dash 2 Restaurant Rescue
Dora's Carnival Adventure
Download Updater (AOL LLC)
Elements 10 Organizer
Energy Star Digital Logo
Escape Rosecliff Island
ESU for Microsoft Windows 7
FATE
Final Drive Nitro
Free Studio version 5.7.4.918
Heroes of Hellas 2 - Olympia
HP Advisor
HP Customer Experience Enhancements
HP Documentation
HP Game Console
HP Games
HP MediaSmart CinemaNow 2.0
HP Photo Creations
HP Power Manager
HP Quick Launch
HP Setup
HP Software Framework
HP Wireless Assistant
iTunes
Java(TM) 7 Update 5 (64-bit)
Jewel Quest 3
Jewel Quest Solitaire 2
Junk Mail filter update
LabelPrint
League of Legends
LightScribe System Software
Malwarebytes Anti-Malware version 1.65.1.1000
MapleStory
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WSE 3.0 Runtime
Microsoft XNA Framework Redistributable 4.0
Microsoft_VC80_ATL_x86
Microsoft_VC80_ATL_x86_x64
Microsoft_VC80_CRT_x86
Microsoft_VC80_CRT_x86_x64
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFC_x86_x64
Microsoft_VC80_MFCLOC_x86
Microsoft_VC80_MFCLOC_x86_x64
Microsoft_VC90_ATL_x86
Microsoft_VC90_ATL_x86_x64
Microsoft_VC90_CRT_x86
Microsoft_VC90_CRT_x86_x64
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFC_x86_x64
Microsoft_VC90_MFCLOC_x86
Microsoft_VC90_MFCLOC_x86_x64
Mozilla Firefox 16.0.2 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NC Launcher (GameForge)
Nexon Game Manager
NVIDIA PhysX v8.10.29
OpenAL
Pando Media Booster
Penguins!
PhotoNow!
Plants vs. Zombies
Poker Superstars III
Polar Bowler
Polar Golfer
Power2Go
PowerDirector
Project64 1.6
PSE10 STI Installer
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Recovery Manager
Riven The sequel to Myst
Roxio CinemaNow 2.0
RtVOsd
Secunia PSI (2.0.0.4003)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype Click to Call
Skype™ 5.10
Spybot - Search & Destroy
Steam
Synaptics Pointing Device Driver
System Requirements Lab CYRI
TortoiseSVN 1.6.16.21511 (64 bit)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Ventrilo Client
Virtual Families
Virtual Villagers - The Secret City
WebTablet FB Plugin
WebTablet IE Plugin
WebTablet Netscape Plugin
Wheel of Fortune 2
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.01 (32-bit)
Yu-Gi-Oh! ONLINE 3
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
11/1/2012 11:24:37 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avast! Antivirus service.
10/27/2012 8:34:51 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
10/27/2012 8:34:51 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
 
Malwarebytes pick up two trojan.zbots, one in system32/installshield
Can you post previous MBAM log?
I'd like to see files names and locations.

The log can be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
I'm sorry, Broni! I couldn't pull up my Malwarebytes log from the location you requested, but I went directly into my Malewarebytes logs and pulled this up. If this isn't what you're looking for, I will try again to find what you need. Thank you!

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.01.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Rachel :: RACHEL-HP [administrator]

11/1/2012 9:04:51 PM
mbam-log-2012-11-01 (21-04-51).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 388195
Time elapsed: 1 hour(s), 21 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Windows\winsxs\wow64_microsoft-windows-I..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)
 
I've seen those today already and they're false positive.

Open MBAM, click on "Quarantine" tab, select both files and click on "Restore" button.

Next...

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Windows\System32\InstallShield\_isdel.exe
- C:\Windows\winsxs\wow64_microsoft-windows-I..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe
- IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
I hope this is what you're looking for! It wouldn't allow me to remove C:\Windows\winsxs\wow64_microsoft-windows-I..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe from quarantine, so I was only able to scan installshield/_isdel.exe
Also, so sorry for the wait! I've been sick since Halloween and I just passed out from exhaustion last night! @_@

SHA256: 1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e
SHA1: 0e7bb331d398be694a92a823de839fefdf464dfd
MD5: 9d4ec4b71fd189a0b2c4dbd6aade16bf
File size: 27.0 KB ( 27648 bytes )
File name: _isdel.exe
File type: Win32 EXE
Detection ratio: 0 / 42
Analysis date: 2012-11-02 15:17:35 UTC ( 0 minutes ago )
[RIGHT][RIGHT]
chart
[/RIGHT]
[RIGHT][RIGHT]2[/RIGHT][/RIGHT]
[RIGHT][RIGHT]2[/RIGHT][/RIGHT][/RIGHT]
Less details
 
Yes, it's definitely false positive.

You're good to go but I need a favor from you.
Zip and attach this file:
- C:\Windows\System32\InstallShield\_isdel.exe
so I can allert MBAM people.
 
Thank you so much, Broni! :) <3

I'm embarrassed to ask, but how would I locate that file and how do I zip it?
And also, the one file that I'm unable to remove from quarantine, will that hurt my system any?
 
Open Windows Explorer, navigate to C:\Windows\System32\InstallShield folder, right click on _isdel.exe file, then Send To>Compressed (zipped) folder.
_isdel.zip folder will appear in very same folder (InstallShield).
Now go back here and click on "Upload a File" button at the bottom of reply window.
Navigate to C:\Windows\System32\InstallShield\_isdel.zip
 
I can't seem to find installshield folder. I tried to search by name and then I just went directly to my System32 folder and couldn't find it there. Is there any other way? D:
 
It may be hidden folder.
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
Press F5 to refresh Windows Explorer view.
NOTE. Make sure to reverse the above changes, when done with this step.
 
Thank you :)
You're good to go.
MBAM is already aware of the issue and they'll update their definitions.
 
Back