
Thread: Zbot.gen!AP and Fraud.Fedexword

  1. #41
    Security Expert- Visiting Fellow LiquidTension's Avatar
    Join Date
    May 2014
    Posts
    121

    Default

    Hi Maureen,

    Before we proceed, I would like you to please run the following programme, and post back the log generated.

    SystemLook
    • Please download SystemLook (x64) and save the file to your desktop.
    • Right-Click SystemLook_x64.exe and select Run as administrator to run the programme.
    • Copy the entire contents of the codebox below and paste into the textfield.
      :filefind
      *18967481.sys*
      *20358622.sys*
      *83227107.sys*
      *18967481.sys*
      *20358622.sys*
      *83227107.sys*

      ::csinfo
    • Click the button to start the scan.
    • Upon completion, a log (SystemLook.txt) will open. Copy the contents of the log and paste in your next reply.
    • Click the button.
    Member of UNITE, and graduate from WTT.

  2. #42
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,
    Here you go -


    SystemLook 30.07.11 by jpshortstuff
    Log created at 20:03 on 27/06/2014 by The Arnolds
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for " *18967481.sys*"
    No files found.

    Searching for " *20358622.sys*"
    No files found.

    Searching for " *83227107.sys*"
    No files found.

    Searching for " *18967481.sys*"
    No files found.

    Searching for " *20358622.sys*"
    No files found.

    Searching for " *83227107.sys*"
    No files found.

    Searching for " ::csinfo "
    No files found.

    -= EOF =-

  3. #43
    Security Expert- Visiting Fellow LiquidTension's Avatar
    Join Date
    May 2014
    Posts
    121

    Default

    Hi Maureen,

    I typed AdwCleaner[SO] but got "no results found". I'm so sorry if I did something to make it disappear.
    Please copy and paste the following text into the search bar: AdwCleaner[S0]
    The "0" is in fact the number zero, not the letter "O".


    STEP 1
    Farbar Recovery Scan Tool (FRST) Script
    • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
    • Copy the entire contents of the codebox below and paste into the Notepad document.
      start
      Task: {C42AE82E-A9C3-41AE-9CB8-686FA2E84F4E} - \Security Center Update - 2120148171 No Task File <==== ATTENTION
      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\18967481.sys => ""="Driver"
      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\20358622.sys => ""="Driver"
      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\83227107.sys => ""="Driver"
      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\18967481.sys => ""="Driver"
      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\20358622.sys => ""="Driver"
      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\83227107.sys => ""="Driver"
      end
    • Click File, Save As and type fixlist.txt as the File Name.
    • Important: The file must be saved in the same location as FRST64.exe.

    NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
    • Right-Click FRST64.exe and select Run as administrator to run the programme.
    • Click Fix.
    • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.


    STEP 2
    Update/Remove Java
    • Download the latest version of Java from here.
    • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
    • Search for and uninstall the following programmes (if present):
      • Java 7 Update 51
      • Java™ 6 Update 27


    STEP 3
    Malwarebytes Anti-Malware (MBAM)
    • Please download Malwarebytes Anti-Malware Free to your desktop (this will update your current version).
    • Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
    • Launch the programme and select Update.
    • Once updated, click the Settings tab and tick Scan for rootkits.
    • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
    • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
    • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
    • Upon completion of the scan (or after the reboot), click the History tab.
    • Click Application Logs and double-click the Scan Log.
    • Click Copy to Clipboard and paste the log in your next reply.


    STEP 4
    ESET Online Scan
    Note: This scan will take a significant amount of time to complete. Please do not browse the Internet whilst your resident protection is disabled.
    • Please download ESET Online Scan and save the file to your desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Double-click esetsmartinstaller_enu.exe to run the programme.
    • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then press Start.
    • Agree to the Terms of Use once more and click Start. Allow components to download.
    • Click Hide advanced settings. Your settings should match that of the image below.
    • Ensure Remove found threats is unchecked.

    • Allow virus signature database to download and for the scan to finish. Please be patient as this can take some time.
    • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points.
    • Click Export to text file... and save the file to your desktop, naming it something unique such as MyEsetScan.
    • Push the Back button.
    • Place a checkmark next to Uninstall application on close and click Finish.
    • Re-enable your anti-virus software.
    • Copy the contents of the log and paste in your next reply.


    ======================================================

    STEP 5
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
    • AdwCleaner[S0]
    • Fixlog.txt
    • MBAM Scan log
    • ESET Online Scan log
    Member of UNITE, and graduate from WTT.

  4. #44
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,
    I got the same "No results found" when I searched for the AdwCleaner[S0]. I must have screwed this up. So sorry.

    I'm sending the first task results now so if the computer has to reboot for the next steps I won't lose this!

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-06-2014 02
    Ran by The Arnolds at 2014-06-28 09:32:05 Run:3
    Running from C:\Users\The Arnolds\Desktop
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    Task: {C42AE82E-A9C3-41AE-9CB8-686FA2E84F4E} - \Security Center Update - 2120148171 No Task File <==== ATTENTION
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\18967481.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\20358622.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\83227107.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\18967481.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\20358622.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\83227107.sys => ""="Driver"
    end
    *****************

    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C42AE82E-A9C3-41AE-9CB8-686FA2E84F4E}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C42AE82E-A9C3-41AE-9CB8-686FA2E84F4E}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2120148171' => Key deleted successfully.
    'HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\18967481.sys' => Key deleted successfully.
    'HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\20358622.sys' => Key deleted successfully.
    'HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\83227107.sys' => Key deleted successfully.
    'HKLM\System\CurrentControlSet\Control\SafeBoot\Network\18967481.sys' => Key deleted successfully.
    'HKLM\System\CurrentControlSet\Control\SafeBoot\Network\20358622.sys' => Key deleted successfully.
    'HKLM\System\CurrentControlSet\Control\SafeBoot\Network\83227107.sys' => Key deleted successfully.

    ==== End of Fixlog ====
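
Added example, not part of the original thread and not FRST's own code: a small Python check that every entry in a Fixlog's "Content of fixlist" section has a matching "deleted successfully" result line, which is the comparison a helper makes by eye on the log above. The sample log is constructed (abridged from the layout in the post, with one result line deliberately left out), and the function name `unconfirmed_entries` is hypothetical.

```python
import re

# Constructed sample: abridged from the Fixlog.txt layout shown in the post above.
# The result line for SafeBoot\Network is deliberately missing.
SAMPLE_FIXLOG = r"""Content of fixlist:
*****************
start
Task: {C42AE82E-A9C3-41AE-9CB8-686FA2E84F4E} - \Security Center Update - 2120148171 No Task File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\18967481.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\18967481.sys => ""="Driver"
end
*****************

'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C42AE82E-A9C3-41AE-9CB8-686FA2E84F4E}' => Key deleted successfully.
'HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\18967481.sys' => Key deleted successfully.

==== End of Fixlog ====
"""

GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RESULT = re.compile(r"^'(?P<key>[^']+)' => (?P<outcome>.+)$")

def unconfirmed_entries(fixlog: str) -> list[str]:
    """Return fixlist entries that have no 'deleted successfully' result line."""
    lines = [ln.strip() for ln in fixlog.splitlines()]
    start, end = lines.index("start"), lines.index("end")
    requested = [ln for ln in lines[start + 1:end] if ln]
    # Registry paths are case-insensitive: the results say 'System' where
    # the fixlist says 'SYSTEM', so compare lower-cased keys.
    deleted = [m["key"].lower() for ln in lines[end + 1:]
               if (m := RESULT.match(ln)) and "deleted successfully" in m["outcome"]]
    missing = []
    for entry in requested:
        if entry.startswith("Task:"):
            # A Task line expands to TaskCache keys; match them by task GUID.
            guid = GUID.search(entry)
            ok = guid is not None and any(guid.group().lower() in k for k in deleted)
        else:
            ok = entry.split(" => ")[0].lower() in deleted
        if not ok:
            missing.append(entry)
    return missing

if __name__ == "__main__":
    for entry in unconfirmed_entries(SAMPLE_FIXLOG):
        print("NOT CONFIRMED:", entry)
```
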

  5. #45
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,
    Java asked if I wanted to run the program and that it may put my computer at risk. I clicked no and copied this. Should I do something?

    Java Plug-in 10.60.2.19
    Using JRE version 1.7.0_60-b19 Java HotSpot(TM) Client VM
    User home directory = C:\Users\The Arnolds
    ----------------------------------------------------
    c: clear console window
    f: finalize objects on finalization queue
    g: garbage collect
    h: display this help message
    l: dump classloader list
    m: print memory usage
    o: trigger logging
    q: hide console
    r: reload policy configuration
    s: dump system and deployment properties
    t: dump thread list
    v: dump thread stack
    x: clear classloader cache
    0-5: set trace level to <n>
    ----------------------------------------------------
    calling downloadEagerorAll

  6. #46
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,

    On Malwarebytes scan, do I uncheck Use Advanced Heuristics Engine (Shuriken) and Scan within archives or leave them checked?

  7. #47
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Adam,

    Just as a side note, when I am sitting here working on the homework you have given me, the computer "ticks" away, as if it is processing stuff, even if I am not running anything or doing anything. Maybe it has always done that but I don't think so. Just thought I would mention it. I don't want to move forward with the rest of the tasks until I hear back from you about the Java and Malwarebytes questions. Thanks!

  8. #48
    Security Expert- Visiting Fellow LiquidTension's Avatar
    Join Date
    May 2014
    Posts
    121

    Default

    Hi Maureen,

    Java asked if I wanted to run the program and that it may put my computer at risk. I clicked no and copied this. Should I do something?
    Was this during the installation of the updated version, or the uninstalling of the outdated version?

    Which versions of Java do you have on your computer? Press the Windows Key + r on your keyboard. Type appwiz.cpl and click Ok. Note down all installed versions of Java in your next reply.

    I will answer your other questions once you have responded to the above.
    Member of UNITE, and graduate from WTT.

  9. #49
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,

    It was after I did the install from the link you provided. I have not done any install yet.
    Below is what is listed:

    Java 7 Update 60
    Java(TM) 6 Update 27 (64-bit)

    Will wait to hear back from you before doing the Malwarebytes and ESET steps just in case there is something else I should do before those.

    Thanks.

  10. #50
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default Correction

    It was after I did the install from the link you provided. I have not done any uninstall yet.
