
Thread: Zbot.gen!AP and Fraud.Fedexword

  1. #51
    Security Expert- Visiting Fellow LiquidTension's Avatar
    Join Date
    May 2014
    Posts
    121

    Default

    Hi Maureen,

    It was after I did the install from the link you provided. I have not done any uninstall yet.
    Lets uninstall all versions for now. Please proceed with the uninstall instructions, ensuring you uninstall the version you just installed as well. We can come back to the installation of the latest version at the end.

    On Malwarebytes scan, do I uncheck Use Advanced Heuristics Engine (Shuriken) and Scan within archives or leave them checked?
    Please leave both options checked.

    Just as a side note, when I am sitting here working on the homework you have given me, the computer "ticks" away, as if it is processing stuff, even if I am not running anything or doing anything.
    This is not necessarily unusual, but we can look into it later.

    For now, please uninstall all versions of Java, and proceed with Malwarebytes and ESET.
    Member of UNITE, and graduate from WTT.

  2. #52
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Good morning, Adam,
    Here is the Malwarebytes log. I will get the ESET scan going and send it to you later when it is finished. Thanks.


    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 6/29/2014
    Scan Time: 9:06:58 AM
    Logfile:
    Administrator: Yes

    Version: 2.00.2.1012
    Malware Database: v2014.06.29.03
    Rootkit Database: v2014.06.23.02
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: The Arnolds

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 341446
    Time Elapsed: 10 min, 51 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

  3. #53
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,

    Not sure what to check off here. Enable or Disable?
    Attached Images

  4. #54
    Security Expert- Visiting Fellow LiquidTension's Avatar
    Join Date
    May 2014
    Posts
    121

    Default

    Hi Maureen,

    Please click Enable, and proceed.
    Member of UNITE, and graduate from WTT.

  5. #55
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,
    Below is the ESET scan. Another note, the computer seems to be a bit slow booting up each time. Everything loads okay but it takes longer than it used to. Also, in the Notification Area I keep getting a "white flag" that is the Action Center - it still tells me "PWS:Win32/Zbot is found on my PC".
    Thanks for your help and patience!

    C:\AdwCleaner\Quarantine\C\chatzum_nt.exe.vir OSX/ChatZum.C potentially unwanted application
    C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
    C:\Windows\System32\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
    C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

  6. #56
    Security Expert- Visiting Fellow LiquidTension's Avatar
    Join Date
    May 2014
    Posts
    121

    Default

    Hi Maureen,

    C:\AdwCleaner\Quarantine\C\chatzum_nt.exe.vir OSX/ChatZum.C potentially unwanted application
    C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
    C:\Windows\System32\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
    C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
    The first item is already quarantined, and the 4 below do not need to be removed.

    Another note, the computer seems to be a bit slow booting up each time.
    We can look into this later.


    STEP 1
    Temporary File Cleaner (TFC)
    • Please download TFC and save the file to your desktop.
    • Close any open windows.
    • Double-click TFC.exe to run the programme.
    • Click Start.
    • Allow TFC to run uninterrupted.
    • Upon completion, your computer will reboot automatically. If this does not happen, please manually reboot.
    • Note: It is not unusual for a computer to reboot slower than usual immediately after running TFC.


    STEP 2
    ComboFix
    • Note: Please read to the end of these instructions before running ComboFix.
    • Please download ComboFix.
    • Important: Save ComboFix.exe to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Right-Click ComboFix.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Allow ComboFix to complete its removal routine (please refer to Important Notes:)
    • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
    • Re-enable your anti-virus software.


    Important Notes:
    • Do NOT mouse click ComboFix's window whilst it is running. This may cause it to stall.
    • Do NOT use your computer whilst ComboFix is running.
    • Your desktop/taskbar may disappear whilst ComboFix is running; this is normal.

    • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
    • ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If you are unable to access the Internet after running ComboFix, please reboot your computer.


    Also, in the Notification Area I keep getting a "white flag" that is the Action Center - it still tells me "PWS:Win32/Zbot is found on my PC".
    After running ComboFix, please ensure you reboot your computer. Proceed by opening Microsoft Security Essentials, and run a scan (as you did earlier). Let me know how you get on.

    ======================================================

    STEP 3
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
    • ComboFix.txt
    • MSE results
    Member of UNITE, and graduate from WTT.

  7. #57
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,

    I am sending the Combofix text alone in case it is too big to send along with the MSE scan results.

    ComboFix 14-06-30.01 - The Arnolds 06/30/2014 11:19:13.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6057.3804 [GMT -4:00]
    Running from: c:\users\The Arnolds\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
    SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\PCDr\6426\AddOnDownloaded\073fb38f-0e69-479d-bca1-4f81ec9dcbf6.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\0bb0beb6-da93-477d-980d-15bb6e2df09c.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\0d06f79c-d0e6-4610-9a2b-d8f1a48f4252.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\0d461521-7dbf-4cec-a29e-936c88cdf8c9.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\100c3865-0c76-461b-b2fd-042d6d5fa7f6.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\173c4dd2-e93c-4725-b006-db1d8f465192.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\1b0b3c38-2b97-4f8d-954b-06296209b73d.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\1e0aaf9a-9947-4a7b-b1ae-8a89919438ed.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\263d6ac9-4f87-466c-947c-bd9af71d7035.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\2a6b5d0b-a2fc-4bdd-b3fe-6bbefb85b7e4.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\2eccd5d6-e118-4f76-97b6-ba56fb6c597a.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\3410f47b-5e8c-47c6-bf2c-234af4121d4c.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\378deb7f-049e-4a5e-83b2-5381dcd9e928.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\3972fea3-214c-4935-a7d1-96bf66115683.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\3b1c7acd-5e3e-4459-ab98-5109117e2341.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\434373b7-17f4-4a5e-9e8f-2c1bb65cd9e5.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\4546f2bc-b9d9-4667-abe7-b0bacc90279e.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\4804ced5-915b-48a3-a465-b8a5e02714bf.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\4818e109-9489-4cd8-9044-44defd8ec187.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\50441041-9037-4c34-842c-4a8523e700da.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\51fdf16e-ecb9-4fa4-8469-76fc9a22293b.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\57d7325c-8462-4866-a9ca-3f9228775fed.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\59be3af2-87f2-4d3a-b380-7509f3d47c40.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\62d1f0b0-bc9a-4f6c-bad7-93b19a91276a.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\64882123-3c6f-4e15-8579-c6d1ba56c9de.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\67c3d4fe-b638-467a-9fe2-c5813ade3330.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\6820b110-e483-4f1e-9b48-438f7916f078.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\6b5978fa-48d7-4309-a523-7e157768c0d8.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\6f4fb483-ce30-493a-8cb4-3e530ab1be5b.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\739db3eb-d3cd-4c86-a6ea-01a49984fa3b.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\7bd83798-7a02-4f50-83a2-b91cabcbd1f9.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\7bd91bf5-79bd-4c68-b85b-3c132cdb258a.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\7dbfef1a-6148-4748-a1b3-71627763a45a.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\813755dc-2229-47a2-b85b-19d0aaa641c9.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\872965c7-08b7-47fc-a74c-ff167590b71a.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\8745715d-dc8a-4b32-b6a6-89cd3d0cc3c5.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\8d357f17-07ad-4392-ba06-fb67564c98cd.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\934f6059-2d35-4bd9-a130-a17cb5563507.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\9c07cc30-4011-4e36-a63d-e59077a22429.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\a61f44a8-21a3-4c4a-a04b-993dfb73bf96.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\a9de0c84-9a7c-4638-9653-13aa8cf56e80.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\ad817bdc-639c-43e8-b06b-897bcb5b8f23.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\ae67b364-b69e-471e-b177-2459120b84d4.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\aeffdb78-a789-4b6a-b2c2-f85f9b4863e6.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\b2152f30-7380-4987-8fcf-e4c06952615d.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\b4cc2a4a-87f5-49cd-935c-18f1a80e65b7.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\ba005e12-3139-4327-9f7a-9f2ea6a6c841.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\bc1b45ef-7c18-4b8a-95cd-f77c43d4f7df.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\bc6fc708-5b6b-4a72-b336-09b3089baa7a.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\bea3f575-677a-4c92-89ca-7be8480c11a9.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\bf647bd7-dfb5-4746-a6b4-b7c2fdbbf3b1.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\c4211805-b43b-471d-81af-4e0589f8607b.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\c6bf01ba-05a7-4930-b8dd-7c5fd03e97ac.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\cdda52ec-6ccd-425a-8c72-b7bbdc8b3acd.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\d114d5a6-2ec4-4056-a365-d6281d97c6b6.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\d1f4dc82-bc4c-4916-b37c-3ab9c30ae468.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\d34c0cf7-889f-43dd-9283-b2b6f442aae3.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\d460bca3-24f0-49a7-beed-a064fad82750.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\ddb9fe5d-525c-4d5d-ac37-0bd10f2864f8.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\dfc97e68-74cd-4807-807f-ac146d81ec5d.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\e0db530c-27fc-4e55-af38-073796a09e9d.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\e45cd45a-4d7c-4802-881f-74582b847e5c.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\e5847967-7dc8-4833-8ca6-09af078c1bcb.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\e5a71f43-c979-4b3d-a544-9ed1dc6dc4c8.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\ef78c3e8-1d94-4219-8070-7617e119bba4.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\f06c5597-1a85-4d1f-ac16-a6fdd2a6bedc.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\f12de547-df4d-4236-9129-baac054f90ab.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\f9dc840b-c6f7-42a5-acec-50cc7a2827fd.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-05-28 to 2014-06-30 )))))))))))))))))))))))))))))))
    .
    .
    2014-06-30 15:32 . 2014-06-30 15:32 -------- d-----w- c:\users\Greg\AppData\Local\temp
    2014-06-30 15:32 . 2014-06-30 15:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-06-16 22:58 . 2014-06-22 23:39 -------- d-----w- c:\program files (x86)\ERUNT
    2014-06-14 10:42 . 2014-06-14 10:42 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2014-06-11 08:05 . 2014-05-30 09:45 2768384 ----a-w- c:\windows\system32\iertutil.dll
    2014-06-09 20:17 . 2014-06-09 20:17 -------- d-----w- c:\program files\iPod
    2014-06-09 20:17 . 2014-06-09 20:18 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
    2014-06-09 20:17 . 2014-06-09 20:18 -------- d-----w- c:\program files\iTunes
    2014-06-09 20:17 . 2014-06-09 20:18 -------- d-----w- c:\program files (x86)\iTunes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-06-12 12:11 . 2013-11-12 22:48 588496 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
    2014-06-12 07:02 . 2011-12-09 22:02 95414520 ----a-w- c:\windows\system32\MRT.exe
    2014-05-26 22:20 . 2012-03-30 22:28 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-05-26 22:20 . 2011-10-12 12:14 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-05-12 11:25 . 2012-04-14 23:06 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-05-02 07:30 . 2012-02-11 02:27 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2014-04-12 02:22 . 2014-05-14 17:31 155072 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2014-04-12 02:22 . 2014-05-14 17:31 95680 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2014-04-12 02:19 . 2014-05-14 17:31 29184 ----a-w- c:\windows\system32\sspisrv.dll
    2014-04-12 02:19 . 2014-05-14 17:31 136192 ----a-w- c:\windows\system32\sspicli.dll
    2014-04-12 02:19 . 2014-05-14 17:31 28160 ----a-w- c:\windows\system32\secur32.dll
    2014-04-12 02:19 . 2014-05-14 17:31 1460736 ----a-w- c:\windows\system32\lsasrv.dll
    2014-04-12 02:19 . 2014-05-14 17:31 31232 ----a-w- c:\windows\system32\lsass.exe
    2014-04-12 02:12 . 2014-05-14 17:31 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2014-04-12 02:10 . 2014-05-14 17:31 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2014-05-08 21444224]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2014-05-08 40312]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
    "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
    "NeroLauncher"="c:\program files (x86)\Nero\SyncUP\NeroLauncher.exe" [2012-08-21 67496]
    "AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2011-04-29 885760]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-05-26 152392]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 PCDSRVC{D3412D80-CF3B4A27-06020200}_0;PCDSRVC{D3412D80-CF3B4A27-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\my dell\pcdsrvc_x64.pkms;c:\program files\my dell\pcdsrvc_x64.pkms [x]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
    S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
    S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [x]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
    S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
    S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys;c:\windows\SYSNATIVE\DRIVERS\LVPr2M64.sys [x]
    S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
    S3 LVUVC64;Logitech QuickCam S5500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-06-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 22:20]
    .
    2014-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-11 00:19]
    .
    2014-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-11 00:19]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
    @="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
    [HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
    2014-06-12 12:11 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
    @="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
    [HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
    2014-06-12 12:11 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
    @="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
    [HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
    2014-06-12 12:11 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-04-29 2055016]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-20 170264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-20 398616]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-20 439064]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://forums.spybot.info/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\The Arnolds\AppData\Roaming\Mozilla\Firefox\Profiles\3r6yn46d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://home.ancestry.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    ShellIconOverlayIdentifiers-{F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
    ShellIconOverlayIdentifiers-{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
    ShellIconOverlayIdentifiers-{BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
    HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
    Toolbar-Locked - (no file)
    ShellIconOverlayIdentifiers-{F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
    ShellIconOverlayIdentifiers-{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
    ShellIconOverlayIdentifiers-{BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{D3412D80-CF3B4A27-06020200}_0]
    "ImagePath"="\??\c:\program files\my dell\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.13"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-06-30 11:41:55
    ComboFix-quarantined-files.txt 2014-06-30 15:41
    .
    Pre-Run: 864,975,683,584 bytes free
    Post-Run: 864,553,349,120 bytes free
    .
    - - End Of File - - E4A473133DEC4E1E9BFB7C153653FD5B
    5C616939100B85E558DA92B899A0FC36
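
    The ComboFix log above lists the machine's load points (the Run keys, the Startup folder and the scheduled-task .job files), which is the section a helper reads first when a banking trojan like Zbot is suspected, because user-mode Zbot variants commonly drop their executable under the user's AppData and persist through an HKCU Run value. As an added example that is not part of this thread and not ComboFix's own code, the Python script below parses that section and flags any load point whose target lives in a directory a standard user can write to (AppData, ProgramData, Temp, Users\Public). The log excerpt embedded in it is constructed from entries quoted in this thread, plus one hypothetical HKCU value named HypotheticalEntry that does not appear in the real log and exists only so the rule has something to catch; the writable-directory rule itself is a generic triage heuristic, not ComboFix's classification.

```python
"""Triage the load points a ComboFix log reports.

Added example for this thread; it is not ComboFix's code.  The excerpt
below is constructed from entries quoted in the thread plus one
hypothetical HKCU Run value (HypotheticalEntry) that is NOT in the real
log, so the flagging rule has a hit to show.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user (and so malware running as that user)
# can write to.  A load point whose target lives here deserves a look;
# one under Program Files or System32 usually does not.  Generic triage
# heuristic, not ComboFix's own classification.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"="c:\path\prog.exe" [YYYY-MM-DD size]
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+\d+\]')
# Something.lnk - c:\path\prog.exe [YYYY-MM-DD size]
STARTUP_LNK_RE = re.compile(
    r"^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) \d+\]")
# YYYY-MM-DD c:\windows\Tasks\Name.job   then   - c:\path\prog.exe [YYYY-MM-DD HH:MM]
TASK_JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TASK_BIN_RE = re.compile(r"^- (?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\]")

# Constructed excerpt: real entries from the thread's log plus HypotheticalEntry.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2014-05-08 21444224]
"HypotheticalEntry"="c:\users\The Arnolds\AppData\Roaming\Hypothetical\hypo.exe" [2014-06-16 90112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-05-26 152392]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 22:20]
.
2014-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-11 00:19]
"""


@dataclass
class LoadPoint:
    location: str  # registry key, Startup folder, or .job file that loads it
    name: str
    path: str
    date: str


def parse_load_points(log_text):
    """Return every executable the log's load-point section references, in log order."""
    entries, location = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line) or TASK_JOB_RE.match(line)
        if m:
            location = m.group(1)  # registry key or .job file
            continue
        if line.lower().startswith("c:\\") and line.endswith("\\"):
            location = line  # Startup folder header, e.g. ...\Programs\Startup\
            continue
        for rx in (RUN_VALUE_RE, STARTUP_LNK_RE, TASK_BIN_RE):
            m = rx.match(line)
            if m and location:
                d = m.groupdict()
                name = d.get("name") or location.rsplit("\\", 1)[-1]
                entries.append(LoadPoint(location, name, d["path"], d["date"]))
                break
    return entries


def is_user_writable(path):
    """True when the target sits under a directory a standard user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(log_text):
    """Load points worth a second look, in log order."""
    return [e for e in parse_load_points(log_text) if is_user_writable(e.path)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"CHECK  {e.location}\n       {e.name} -> {e.path}  (file dated {e.date})")
```

    Run against the constructed excerpt, only HypotheticalEntry is flagged: every genuine entry from the thread's log resolves into Program Files, System32/SysWOW64 or Windows\Tasks. The location line is kept on each hit because an HKCU Run value pointing into AppData and a scheduled task pointing into ProgramData call for different follow-up (user-profile cleanup versus task deletion), and the file date is kept because a target created in the same window as the Action Center alert is the one to submit for analysis.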

  8. #58
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,

    MSE did not find any threats on the computer. According to the history, the last time something was found was on June 16 - PWS:Win32/Zbot and TrojanDownloader:Win32/Kuluoz.D. Both were removed. However I had not run a scan so I'm not sure how it picked those up. I have not run a scan since I started working with you.

    Anyway, the computer boots a bit slower than usual and I still find that the icons in the Notification Area are not consistently loading. Not an issue with me, unless it is an issue with you. I just find it odd.

    Let me know what my next bit of homework is! Thanks!

  9. #59
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,

    Ok, so I was looking through my documents to find a medication file for my mother and saw that within My Documents Library folder I have My Pictures, My Videos, and My Music. I now have a shortcut listed for each, along with the original folder, but the original folders are all locked and I am told Access Denied. Help?

  10. #60
    Senior Member
    Join Date
    Jan 2010
    Posts
    115

    Default

    Hi, Adam,

    I came onto the computer to check to see if there was something in my email. I get a blank page when I click on the email icon. Nothing. At first I got the
    about:Blank Page but now there is nothing in the location bar. Any ideas on this? I can get my email on my IPad but sent myself some pictures from the IPad that I wanted to d/l onto the desktop. I will shut the computer off again and wait to hear from you. It seems things are still strange! Thanks!
