Trojan: PWS:Win32/Zbot.gen!AL gone ?

Started by JazzPurr, June 13, 2013, 03:17:26 PM



JazzPurr

Hello,

Yesterday morning I received the automatic Microsoft update which included the Malicious Software Removal Tool.  Its scan had one result: PWS:Win32/Zbot.gen!AL, but it said it couldn't remove this.

I scanned with my free Avira and MBAM programs.  No detection.  Then I scanned with the online ESET scan.  There were 4 detections: two were variants of "Win32/Medfos.QK trojan" and two were variants of "Win32/Kryptik.BDII trojan." Three were removed immediately and one of them (I forget which) on restart.

To play it safe (i.e. to confirm removal of the infection(s)) I then manually downloaded the Microsoft MSRT and ran the quick scan AND the full scan.  No detections. 

Btw, I also just ran the free Kaspersky Virus Removal Tool.  No detections. 

Since the ESET results only said "variants" of the trojans listed, can I be sure that the Microsoft MSRT's initial detection -- and the subject of this post -- was one of those variants ?  Or could it still be hiding somewhere ?

In addition, only since yesterday at boot-up I get an error message:

http://imageshack.us/photo/my-images/845/dllfile.png/

The timing might suggest a relation to the trojan issue, might it not ?  If so, I'm not sure why I would be getting the error message but getting NO detections in the scans.  Unless there is a trojan hiding somewhere ?

Any suggestions appreciated !    :D

R-C

This is the post at GW for reference.
http://ths.gardenweb.com/forums/load/comphelp/msg0607261411314.html?9

Very glad to see you took Shax's excellent advice and came here to have it looked at. You never know what lurks even when it says it was removed. Having a look at your logs is always a good idea. Be patient, someone will be giving you instructions soon.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

MikeW

Hi JazzPurr

Please follow the log posting instructions here -
http://www.landzdown.com/analysis-and-malware-removal/log-posting-instructions/

Corrine will be by shortly to assist you
Win 11 Home MS Edge - WD - Mbam Pro

JazzPurr

Thank you both for your replies !   :)

Here are the results.  (Btw, re: the item in red, I had removed Adobe Reader (using Revo Uninstaller) some time ago and had been using Foxit Reader.  Now I just use FF's built-in reader.  Anyway, I don't know why it's showing up as being out of date; it's not supposed to be on my computer at all !)    :(

Security Check

Results of screen317's Security Check version 0.99.64 
Windows 7 Service Pack 1 x64   
Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled! 
Avira Desktop   
Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware Free Edition   
Malwarebytes Anti-Malware version 1.75.0.1300 
Java 7 Update 21 
Adobe Flash Player 11.7.700.202 
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (21.0)
````````Process Check: objlist.exe by Laurent```````` 
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````


DDS txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16611  BrowserJavaVersion: 10.21.2
Run by Scott Ogden at 17:35:53 on 2013-06-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4085.2864 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Users\Scott Ogden\Desktop\Shortcuts\Resolution Changer\Resolution.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\LogonUI.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: {09628AAA-66AD-4FA2-82E2-698185B66463} - <orphaned>
BHO: KeyScramblerBHO Class: {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files (x86)\KeyScrambler\KeyScramblerIE.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [uinco] "C:\Windows\System32\rundll32.exe" "C:\Users\Scott Ogden\AppData\Roaming\uinco.dll",chunk_error
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [B2C_AGENT] C:\ProgramData\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
mRun: [ITSecMng] C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [GrpConv] grpconv -o
StartupFolder: C:\Users\SCOTTO~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\Users\SCOTTO~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RESOLU~1.LNK - C:\Users\Scott Ogden\Desktop\Shortcuts\Resolution Changer\Resolution.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Subscribe in RSS Bandit - C:\Users\Scott Ogden\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - C:\Program Files (x86)\KeyScrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: emaildiscussions.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{0EEC9765-795F-4BB3-B68C-21272ECFA0E5} : DHCPNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL
x64-BHO: KeyScramblerBHO Class: {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files (x86)\KeyScrambler\x64\KeyScramblerIE.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - C:\Program Files (x86)\KeyScrambler\x64\KeyScramblerIE.dll
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Scott Ogden\AppData\Roaming\Mozilla\Firefox\Profiles\lcjohkxi.Scott\
FF - prefs.js: browser.search.selectedEngine - Startpage Search Engine
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Virtual Earth 3D\npVE3D.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - ExtSQL: 2013-06-12 06:13; {b9ebc846-d1ed-11e2-8276-b8ac6f996f26}; C:\Users\Scott Ogden\AppData\Roaming\Mozilla\Firefox\Profiles\lcjohkxi.Scott\extensions\{b9ebc846-d1ed-11e2-8276-b8ac6f996f26}.xpi
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-3-27 28600]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2013-3-27 86752]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2013-3-27 110816]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-3-27 100712]
R2 DirMngr;DirMngr;C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [2012-7-7 226304]
R3 KeyScrambler;KeyScrambler;C:\Windows\System32\drivers\keyscrambler.sys [2010-9-19 273088]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-10 57344]
RUnknown 48281302;48281302;
RUnknown 9402526drv;9402526drv;
S1 SASDIFSV;SASDIFSV;C:\Program Files (x86)\SUPERAntiSpyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.SYS [2010-2-17 66632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2013-3-4 57856]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-9-12 1512448]
S3 SASENUM;SASENUM;C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS [2010-2-17 12872]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-3-1 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-27 1255736]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile - HKCR\Unknown\Shell=C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL %1 [default=openas]
.
=============== Created Last 30 ================
.
2013-06-13 14:46:55   --------   d-----w-   C:\ProgramData\Kaspersky Lab
2013-06-12 12:57:55   9460464   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BDA73285-4E4F-4743-9689-C1E0DC6BFB39}\mpengine.dll
2013-06-12 10:04:10   1424384   ----a-w-   C:\Windows\System32\WindowsCodecs.dll
2013-06-12 10:04:10   1230336   ----a-w-   C:\Windows\SysWow64\WindowsCodecs.dll
2013-06-12 10:04:06   30720   ----a-w-   C:\Windows\System32\cryptdlg.dll
2013-06-12 10:04:06   24576   ----a-w-   C:\Windows\SysWow64\cryptdlg.dll
2013-06-12 10:04:02   751104   ----a-w-   C:\Windows\System32\win32spl.dll
2013-06-12 10:04:02   492544   ----a-w-   C:\Windows\SysWow64\win32spl.dll
2013-06-12 10:04:00   1910632   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2013-06-12 10:03:54   903168   ----a-w-   C:\Windows\SysWow64\certutil.exe
2013-06-12 10:03:54   52224   ----a-w-   C:\Windows\System32\certenc.dll
2013-06-12 10:03:54   43008   ----a-w-   C:\Windows\SysWow64\certenc.dll
2013-06-12 10:03:54   184320   ----a-w-   C:\Windows\System32\cryptsvc.dll
2013-06-12 10:03:54   1464320   ----a-w-   C:\Windows\System32\crypt32.dll
2013-06-12 10:03:54   140288   ----a-w-   C:\Windows\SysWow64\cryptsvc.dll
2013-06-12 10:03:54   139776   ----a-w-   C:\Windows\System32\cryptnet.dll
2013-06-12 10:03:54   1192448   ----a-w-   C:\Windows\System32\certutil.exe
2013-06-12 10:03:54   1160192   ----a-w-   C:\Windows\SysWow64\crypt32.dll
2013-06-12 10:03:54   103936   ----a-w-   C:\Windows\SysWow64\cryptnet.dll
2013-06-12 10:03:50   1887232   ----a-w-   C:\Windows\System32\d3d11.dll
2013-06-12 10:03:50   1505280   ----a-w-   C:\Windows\SysWow64\d3d11.dll
2013-06-11 19:49:21   --------   d-----w-   C:\Users\Scott Ogden\AppData\Roaming\Opera Mail
2013-06-11 19:49:18   --------   d-----w-   C:\Users\Scott Ogden\AppData\Local\Opera Mail
2013-05-29 22:58:21   --------   d-----w-   C:\Program Files (x86)\Opera Next
.
==================== Find3M  ====================
.
2013-06-08 12:28:46   2706432   ----a-w-   C:\Windows\System32\mshtml.tlb
2013-06-08 11:13:19   2706432   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2013-05-17 11:42:51   71048   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-17 11:42:51   692104   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-17 01:25:57   1767936   ----a-w-   C:\Windows\SysWow64\wininet.dll
2013-05-17 01:25:27   2877440   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2013-05-17 01:25:26   61440   ----a-w-   C:\Windows\SysWow64\iesetup.dll
2013-05-17 01:25:26   109056   ----a-w-   C:\Windows\SysWow64\iesysprep.dll
2013-05-17 00:59:03   2241024   ----a-w-   C:\Windows\System32\wininet.dll
2013-05-17 00:58:10   3958784   ----a-w-   C:\Windows\System32\jscript9.dll
2013-05-17 00:58:08   67072   ----a-w-   C:\Windows\System32\iesetup.dll
2013-05-17 00:58:08   136704   ----a-w-   C:\Windows\System32\iesysprep.dll
2013-05-14 12:23:25   89600   ----a-w-   C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-14 08:40:13   71680   ----a-w-   C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-05-07 10:19:22   83160   ----a-w-   C:\Windows\System32\drivers\avnetflt.sys
2013-05-02 06:06:08   278800   ------w-   C:\Windows\System32\MpSigStub.exe
2013-04-13 05:49:23   135168   ----a-w-   C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19   350208   ----a-w-   C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19   308736   ----a-w-   C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19   111104   ----a-w-   C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16   474624   ----a-w-   C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15   2176512   ----a-w-   C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08   1656680   ----a-w-   C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54   265064   ----a-w-   C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53   983400   ----a-w-   C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50   3153920   ----a-w-   C:\Windows\System32\win32k.sys
2013-04-04 18:50:32   25928   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2013-04-04 09:35:05   95648   ----a-w-   C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-27 22:52:40   28600   ----a-w-   C:\Windows\System32\drivers\avkmgr.sys
2013-03-27 22:52:40   100712   ----a-w-   C:\Windows\System32\drivers\avgntflt.sys
2013-03-19 06:04:06   5550424   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58   48640   ----a-w-   C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58   230400   ----a-w-   C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56   43520   ----a-w-   C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13   3968856   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10   3913560   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50   6656   ----a-w-   C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33   112640   ----a-w-   C:\Windows\System32\smss.exe
.
============= FINISH: 17:36:20.92 ===============


Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/24/2009 2:05:06 PM
System Uptime: 6/13/2013 3:33:48 PM (2 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | G31M-ES2L
Processor: Pentium(R) Dual-Core  CPU      E5300  @ 2.60GHz | Socket 775 | 2600/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 100.172 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP538: 5/8/2013 12:56:33 PM - Revo Uninstaller's restore point - Comodo Dragon
RP539: 5/8/2013 1:18:25 PM - Revo Uninstaller's restore point - Opera 12.15
RP540: 5/15/2013 6:28:36 AM - Windows Update
RP541: 5/23/2013 7:23:45 AM - Installed TextPad 7.
RP542: 5/23/2013 7:33:01 AM - Revo Uninstaller's restore point - TextPad 7
RP543: 5/23/2013 7:33:10 AM - Removed TextPad 7.
RP544: 6/12/2013 6:04:32 AM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Auslogics Disk Defrag
Avira Free Antivirus
Bing Maps 3D
Bluetooth Stack for Windows by Toshiba
CCleaner
D3DX10
DivX Web Player
ESET Online Scanner v3
Feedback Tool
Foxit Reader 5.1
Gpg4win (2.1.1-svn1696)
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
Java 7 Update 21
Java Auto Updater
Junk Mail filter update
Karen's Clipboard Viewer
KeyScrambler
MailStore Home 7.0.7.7671
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
MozBackup 1.5.1
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSVCRT110
MSVCRT110_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OBEX Commander 2.0.2.0408
ODIR
Opera 12.15
Opera Mail 1.0
Opera next 15.0.1147.18
Photo Common
Revo Uninstaller 1.93
RSSOwl
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Spelling Dictionaries Support For Adobe Reader 9
SUPERAntiSpyware Free Edition
TrueCrypt
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817327) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.762
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
6/8/2013 10:33:26 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
6/13/2013 9:53:52 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SASDIFSV SASKUTIL
6/13/2013 9:53:28 AM, Error: Application Popup [1060]  - \??\C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
6/13/2013 9:53:28 AM, Error: Application Popup [1060]  - \??\C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
6/13/2013 11:42:49 AM, Error: Microsoft-Windows-HAL [12]  - The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.
6/13/2013 1:28:53 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AntiVirSchedulerService service.
6/12/2013 7:05:40 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
6/12/2013 10:00:13 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
.
==== End Of File ===========================
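The one line in the DDS report above that a malware analyst would stop at is the `uRun: [uinco]` entry: a user-level Run value that starts `rundll32.exe` with a DLL in `AppData\Roaming` and calls an export named `chunk_error`. Legitimate vendor autoruns point at `Program Files` or `System32`; a DLL-hosting entry whose target sits in the user profile is the shape a password stealer's persistence typically takes. As an added example (not part of this thread and not code from DDS, ComboFix or any other tool named here), the Python script below parses the `Run`/`RunOnce` lines of a DDS "Pseudo HJT Report" and scores each one on exactly those two signals, plus a third that matters after a partial cleanup: a Run value whose target file no longer exists, which Windows reports at every logon as a missing-module error. The sample lines are constructed to mirror the posted log (user name replaced by a placeholder; `chunk_error` and `uinco.dll` are the names the log shows), the `PRESENT_FILES` set is a constructed stand-in for the file system in which the DLL has already been deleted but the Run value remains, and the host-process list and user-writable path markers are my own heuristics rather than anything the tools define.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample lines in the DDS "Pseudo HJT Report" format, modelled on the
# entries in the log posted above. The first line mirrors the uinco.dll entry
# (user name replaced by a placeholder); the others are ordinary vendor entries.
SAMPLE_LINES = [
    'uRun: [uinco] "C:\\Windows\\System32\\rundll32.exe" '
    '"C:\\Users\\User\\AppData\\Roaming\\uinco.dll",chunk_error',
    'mRun: [avgnt] "C:\\Program Files (x86)\\Avira\\AntiVir Desktop\\avgnt.exe" /min',
    'mRun: [B2C_AGENT] C:\\ProgramData\\LGMOBILEAX\\B2C_Client\\B2CNotiAgent.exe',
    'x64-Run: [IgfxTray] C:\\Windows\\System32\\igfxtray.exe',
    'mRunOnce: [GrpConv] grpconv -o',
    'uStart Page = about:blank',          # not a Run entry; must be ignored
]

# Constructed stand-in for the file system: the scenario is an AV product having
# deleted the DLL while the Run value that references it was left behind.
PRESENT_FILES = {
    'c:\\windows\\system32\\rundll32.exe',
    'c:\\program files (x86)\\avira\\antivir desktop\\avgnt.exe',
    'c:\\programdata\\lgmobileax\\b2c_client\\b2cnotiagent.exe',
    'c:\\windows\\system32\\igfxtray.exe',
}


def demo_exists(path: str) -> bool:
    """Existence check against the constructed set (use os.path.exists on a real host)."""
    return path.lower() in PRESENT_FILES


RUN_LINE = re.compile(r'^(?P<scope>(?:u|m|x64-)Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
TOKEN = re.compile(r'"[^"]*"|\S+')          # a quoted path or a bare word
HOST_PROCESSES = ('rundll32.exe', 'regsvr32.exe')   # heuristic: DLL-hosting system binaries
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\')   # heuristic path markers


def parse_run_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a DDS Run line into scope, value name, image and (for DLL hosts) DLL + export."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    tokens = TOKEN.findall(m.group('cmd'))
    if not tokens:
        return None
    image = tokens[0].strip('"')
    entry: Dict[str, Optional[str]] = {'scope': m.group('scope'), 'name': m.group('name'),
                                       'image': image, 'dll': None, 'export': None}
    if image.lower().endswith(HOST_PROCESSES):
        # rundll32 takes "<dll>,<export>"; drop regsvr32-style /switches first
        arg = ' '.join(t for t in tokens[1:] if not t.startswith('/'))
        d = re.match(r'"([^"]+)"|([^,\s]+)', arg)
        if d:
            entry['dll'] = d.group(1) or d.group(2)
            rest = arg[d.end():].strip(' ,')
            entry['export'] = rest.split()[0] if rest else None
    return entry


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(entry: Dict, exists: Optional[Callable[[str], bool]] = None) -> Dict:
    """Attach a severity and the reasons for it to one parsed Run entry."""
    reasons: List[str] = []
    severity = 'info'
    target = entry['dll'] or entry['image']      # the file whose code actually runs
    if entry['dll'] is not None:
        reasons.append('%s is used as a host to load %s' % (entry['image'], entry['dll']))
        severity = 'low'
    if is_user_writable(target):
        reasons.append('target lives in a user-writable location')
        severity = 'high' if entry['dll'] is not None else 'medium'
    if exists is not None and '\\' in target and not exists(target):
        # Dangling autorun: Windows reports the missing module at every logon
        reasons.append('target file is missing (dangling autorun)')
    return {**entry, 'target': target, 'severity': severity, 'reasons': reasons}


def triage(lines, exists: Optional[Callable[[str], bool]] = None) -> List[Dict]:
    """Parse every Run line and return one assessed finding per entry."""
    entries = (parse_run_line(line) for line in lines)
    return [assess(e, exists) for e in entries if e is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES, demo_exists):
        print('%-6s %-9s %-10s %s' % (f['severity'], f['scope'], f['name'],
                                      '; '.join(f['reasons']) or 'nothing notable'))
```

Run against the constructed lines, only the `uinco` entry scores `high`, with all three reasons attached; the vendor entries come back `info`. The "missing target" reason is deliberately kept separate from the severity: on its own it is a housekeeping item (the orphaned value should still be removed, which is the kind of thing ComboFix's log and fix script handle), but combined with a DLL-hosting entry under `AppData` it tells the helper that a removal tool has already acted on the file and that the persistence key, not the payload, is what remains.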


Corrine

Hi, JazzPurr.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Starting with the easy problem first, SecurityCheck picked up on the following file still installed on your computer:  "Spelling Dictionaries Support For Adobe Reader 9".  Since you have removed Adobe, I suggest you uninstall it.

I didn't notice any games in the installed programs list.  Do you need Java for your bank?  If not, I suggest you consider uninstalling it.  Java exploits are a primary source of the trojans that were named in your thread at GW. 

From what I have researched, I haven't seen any valid uses for unico.dll.  As to having something to do with genealogy, the only connection is in searching for someone with that name!

As the mentioned trojans are Zeus-related and at least one identified as a password stealer, it would be advisable to change your passwords to your email, online bank, credit card and other sites where you may provide banking information. 

Let's take a look and see if anything shows up with ComboFix.  Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:

  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click "Yes" to continue scanning for malware.

  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

JazzPurr

ComboFix 13-06-13.01 - MyName 06/13/2013  18:57:32.1.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4085.2928 [GMT -4:00]
Running from: c:\users\MyName\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-13 to 2013-06-13  )))))))))))))))))))))))))))))))
.
.
2013-06-13 23:02 . 2013-06-13 23:02   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-06-13 14:46 . 2013-06-13 14:46   --------   d-----w-   c:\programdata\Kaspersky Lab
2013-06-12 12:57 . 2013-05-14 05:48   9460464   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{BDA73285-4E4F-4743-9689-C1E0DC6BFB39}\mpengine.dll
2013-06-12 10:05 . 2013-05-17 03:30   775256   ----a-w-   c:\program files\Internet Explorer\iexplore.exe
2013-06-12 10:04 . 2013-04-17 07:02   1230336   ----a-w-   c:\windows\SysWow64\WindowsCodecs.dll
2013-06-12 10:04 . 2013-04-17 06:24   1424384   ----a-w-   c:\windows\system32\WindowsCodecs.dll
2013-06-12 10:04 . 2013-05-10 05:49   30720   ----a-w-   c:\windows\system32\cryptdlg.dll
2013-06-12 10:04 . 2013-05-10 03:20   24576   ----a-w-   c:\windows\SysWow64\cryptdlg.dll
2013-06-12 10:04 . 2013-04-26 05:51   751104   ----a-w-   c:\windows\system32\win32spl.dll
2013-06-12 10:04 . 2013-04-26 04:55   492544   ----a-w-   c:\windows\SysWow64\win32spl.dll
2013-06-12 10:04 . 2013-05-08 06:39   1910632   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2013-06-12 10:03 . 2013-05-13 05:51   184320   ----a-w-   c:\windows\system32\cryptsvc.dll
2013-06-12 10:03 . 2013-05-13 05:51   1464320   ----a-w-   c:\windows\system32\crypt32.dll
2013-06-12 10:03 . 2013-05-13 05:51   139776   ----a-w-   c:\windows\system32\cryptnet.dll
2013-06-12 10:03 . 2013-05-13 05:50   52224   ----a-w-   c:\windows\system32\certenc.dll
2013-06-12 10:03 . 2013-05-13 04:45   140288   ----a-w-   c:\windows\SysWow64\cryptsvc.dll
2013-06-12 10:03 . 2013-05-13 04:45   1160192   ----a-w-   c:\windows\SysWow64\crypt32.dll
2013-06-12 10:03 . 2013-05-13 04:45   103936   ----a-w-   c:\windows\SysWow64\cryptnet.dll
2013-06-12 10:03 . 2013-05-13 03:43   1192448   ----a-w-   c:\windows\system32\certutil.exe
2013-06-12 10:03 . 2013-05-13 03:08   903168   ----a-w-   c:\windows\SysWow64\certutil.exe
2013-06-12 10:03 . 2013-05-13 03:08   43008   ----a-w-   c:\windows\SysWow64\certenc.dll
2013-06-12 10:03 . 2013-04-25 23:30   1505280   ----a-w-   c:\windows\SysWow64\d3d11.dll
2013-06-12 10:03 . 2013-03-31 22:52   1887232   ----a-w-   c:\windows\system32\d3d11.dll
2013-06-11 19:49 . 2013-06-11 19:49   --------   d-----w-   c:\users\MyName\AppData\Roaming\Opera Mail
2013-06-11 19:49 . 2013-06-11 19:49   --------   d-----w-   c:\users\MyName\AppData\Local\Opera Mail
2013-05-29 22:58 . 2013-05-29 22:58   --------   d-----w-   c:\program files (x86)\Opera Next
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-03 22:16 . 2009-11-24 19:11   75898224   ----a-w-   c:\windows\system32\MRT.exe
2013-05-17 11:42 . 2012-11-23 15:09   71048   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-17 11:42 . 2012-11-23 15:09   692104   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-14 10:14 . 2012-07-17 19:37   22240   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-07 10:19 . 2013-05-07 10:19   83160   ----a-w-   c:\windows\system32\drivers\avnetflt.sys
2013-05-02 06:06 . 2009-11-24 19:12   278800   ------w-   c:\windows\system32\MpSigStub.exe
2013-04-16 10:52 . 2013-04-16 10:52   226304   ----a-w-   c:\windows\system32\elshyph.dll
2013-04-16 10:52 . 2013-04-16 10:52   185344   ----a-w-   c:\windows\SysWow64\elshyph.dll
2013-04-16 10:52 . 2013-04-16 10:52   1054720   ----a-w-   c:\windows\system32\MsSpellCheckingFacility.exe
2013-04-16 10:52 . 2013-04-16 10:52   905728   ----a-w-   c:\windows\system32\mshtmlmedia.dll
2013-04-16 10:52 . 2013-04-16 10:52   81408   ----a-w-   c:\windows\system32\icardie.dll
2013-04-16 10:52 . 2013-04-16 10:52   762368   ----a-w-   c:\windows\system32\ieapfltr.dll
2013-04-16 10:52 . 2013-04-16 10:52   73728   ----a-w-   c:\windows\SysWow64\SetIEInstalledDate.exe
2013-04-16 10:52 . 2013-04-16 10:52   719360   ----a-w-   c:\windows\SysWow64\mshtmlmedia.dll
2013-04-16 10:52 . 2013-04-16 10:52   61952   ----a-w-   c:\windows\SysWow64\tdc.ocx
2013-04-16 10:52 . 2013-04-16 10:52   523264   ----a-w-   c:\windows\SysWow64\vbscript.dll
2013-04-16 10:52 . 2013-04-16 10:52   48640   ----a-w-   c:\windows\SysWow64\mshtmler.dll
2013-04-16 10:52 . 2013-04-16 10:52   452096   ----a-w-   c:\windows\system32\dxtmsft.dll
2013-04-16 10:52 . 2013-04-16 10:52   441856   ----a-w-   c:\windows\system32\html.iec
2013-04-16 10:52 . 2013-04-16 10:52   38400   ----a-w-   c:\windows\SysWow64\imgutil.dll
2013-04-16 10:52 . 2013-04-16 10:52   361984   ----a-w-   c:\windows\SysWow64\html.iec
2013-04-16 10:52 . 2013-04-16 10:52   281600   ----a-w-   c:\windows\system32\dxtrans.dll
2013-04-16 10:52 . 2013-04-16 10:52   27648   ----a-w-   c:\windows\system32\licmgr10.dll
2013-04-16 10:52 . 2013-04-16 10:52   270848   ----a-w-   c:\windows\system32\iedkcs32.dll
2013-04-16 10:52 . 2013-04-16 10:52   247296   ----a-w-   c:\windows\system32\webcheck.dll
2013-04-16 10:52 . 2013-04-16 10:52   235008   ----a-w-   c:\windows\system32\url.dll
2013-04-16 10:52 . 2013-04-16 10:52   23040   ----a-w-   c:\windows\SysWow64\licmgr10.dll
2013-04-16 10:52 . 2013-04-16 10:52   216064   ----a-w-   c:\windows\system32\msls31.dll
2013-04-16 10:52 . 2013-04-16 10:52   197120   ----a-w-   c:\windows\system32\msrating.dll
2013-04-16 10:52 . 2013-04-16 10:52   158720   ----a-w-   c:\windows\SysWow64\msls31.dll
2013-04-16 10:52 . 2013-04-16 10:52   1509376   ----a-w-   c:\windows\system32\inetcpl.cpl
2013-04-16 10:52 . 2013-04-16 10:52   150528   ----a-w-   c:\windows\SysWow64\iexpress.exe
2013-04-16 10:52 . 2013-04-16 10:52   1441280   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2013-04-16 10:52 . 2013-04-16 10:52   1400416   ----a-w-   c:\windows\system32\ieapfltr.dat
2013-04-16 10:52 . 2013-04-16 10:52   138752   ----a-w-   c:\windows\SysWow64\wextract.exe
2013-04-16 10:52 . 2013-04-16 10:52   137216   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2013-04-16 10:52 . 2013-04-16 10:52   12800   ----a-w-   c:\windows\SysWow64\mshta.exe
2013-04-16 10:52 . 2013-04-16 10:52   110592   ----a-w-   c:\windows\SysWow64\IEAdvpack.dll
2013-04-16 10:52 . 2013-04-16 10:52   97280   ----a-w-   c:\windows\system32\mshtmled.dll
2013-04-16 10:52 . 2013-04-16 10:52   92160   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
2013-04-16 10:52 . 2013-04-16 10:52   77312   ----a-w-   c:\windows\system32\tdc.ocx
2013-04-16 10:52 . 2013-04-16 10:52   62976   ----a-w-   c:\windows\system32\pngfilt.dll
2013-04-16 10:52 . 2013-04-16 10:52   599552   ----a-w-   c:\windows\system32\vbscript.dll
2013-04-16 10:52 . 2013-04-16 10:52   52224   ----a-w-   c:\windows\system32\msfeedsbs.dll
2013-04-16 10:52 . 2013-04-16 10:52   51200   ----a-w-   c:\windows\system32\imgutil.dll
2013-04-16 10:52 . 2013-04-16 10:52   48640   ----a-w-   c:\windows\system32\mshtmler.dll
2013-04-16 10:52 . 2013-04-16 10:52   173568   ----a-w-   c:\windows\system32\ieUnatt.exe
2013-04-16 10:52 . 2013-04-16 10:52   167424   ----a-w-   c:\windows\system32\iexpress.exe
2013-04-16 10:52 . 2013-04-16 10:52   149504   ----a-w-   c:\windows\system32\occache.dll
2013-04-16 10:52 . 2013-04-16 10:52   144896   ----a-w-   c:\windows\system32\wextract.exe
2013-04-16 10:52 . 2013-04-16 10:52   13824   ----a-w-   c:\windows\system32\mshta.exe
2013-04-16 10:52 . 2013-04-16 10:52   136192   ----a-w-   c:\windows\system32\iepeers.dll
2013-04-16 10:52 . 2013-04-16 10:52   135680   ----a-w-   c:\windows\system32\IEAdvpack.dll
2013-04-16 10:52 . 2013-04-16 10:52   12800   ----a-w-   c:\windows\system32\msfeedssync.exe
2013-04-16 10:52 . 2013-04-16 10:52   102912   ----a-w-   c:\windows\system32\inseng.dll
2013-04-13 05:49 . 2013-05-15 10:28   135168   ----a-w-   c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-15 10:28   350208   ----a-w-   c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-15 10:28   308736   ----a-w-   c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-15 10:28   111104   ----a-w-   c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-15 10:28   474624   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 10:28   2176512   ----a-w-   c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-24 10:42   1656680   ----a-w-   c:\windows\system32\drivers\ntfs.sys
2013-04-04 18:50 . 2009-11-25 20:44   25928   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-04-04 09:35 . 2013-04-18 23:03   95648   ----a-w-   c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-27 22:52 . 2013-03-27 22:52   28600   ----a-w-   c:\windows\system32\drivers\avkmgr.sys
2013-03-27 22:52 . 2013-03-27 22:52   130016   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2013-03-27 22:52 . 2013-03-27 22:52   100712   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2013-03-19 06:04 . 2013-04-10 10:57   5550424   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-10 10:57   43520   ----a-w-   c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-10 10:57   3968856   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-10 10:57   3913560   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-10 10:57   6656   ----a-w-   c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-10 10:57   112640   ----a-w-   c:\windows\system32\smss.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\users\MyName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
Resolution.lnk - c:\users\MyName\Desktop\Shortcuts\Resolution Changer\Resolution.exe [2003-3-19 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files (x86)\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files (x86)\SUPERAntiSpyware\SASWINLO.dll
.
R1 SASDIFSV;SASDIFSV;c:\program files (x86)\SUPERAntiSpyware\SASDIFSV.SYS;c:\program files (x86)\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;c:\program files (x86)\SUPERAntiSpyware\SASKUTIL.SYS;c:\program files (x86)\SUPERAntiSpyware\SASKUTIL.SYS
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R2 DirMngr;DirMngr;c:\program files (x86)\GNU\GnuPG\dirmngr.exe;c:\program files (x86)\GNU\GnuPG\dirmngr.exe
R3 SASENUM;SASENUM;c:\program files (x86)\SUPERAntiSpyware\SASENUM.SYS;c:\program files (x86)\SUPERAntiSpyware\SASENUM.SYS
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 UsbGps;LGE Mobile USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys;c:\windows\SYSNATIVE\DRIVERS\lgx64gps.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys;c:\windows\SYSNATIVE\drivers\keyscrambler.sys
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 48281302
*NewlyCreated* - 9402526DRV
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Subscribe in RSS Bandit - c:\users\MyName\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
Trusted Zone: emaildiscussions.com
Trusted Zone: fastmail.fm\www
Trusted Zone: gmail.com\www
Trusted Zone: hushmail.com\www
Trusted Zone: live.com\www
Trusted Zone: msn.com\www
Trusted Zone: openmail.cc\webmail
Trusted Zone: yahoo.com\www.mail
TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
FF - ProfilePath - c:\users\MyName\AppData\Roaming\Mozilla\Firefox\Profiles\lcjohkxi.Scott\
FF - prefs.js: browser.search.selectedEngine - Startpage Search Engine
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-06-12 06:13; {b9ebc846-d1ed-11e2-8276-b8ac6f996f26}; c:\users\MyName\AppData\Roaming\Mozilla\Firefox\Profiles\lcjohkxi.Scott\extensions\{b9ebc846-d1ed-11e2-8276-b8ac6f996f26}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-uinco - c:\users\MyName\AppData\Roaming\uinco.dll
Wow6432Node-HKLM-Run-B2C_AGENT - c:\programdata\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-13  19:04:53
ComboFix-quarantined-files.txt  2013-06-13 23:04
.
Pre-Run: 107,468,087,296 bytes free
Post-Run: 109,224,837,120 bytes free
.
- - End Of File - - 357B8605A0FD698BDE78309AF026E4CD
A36C5E4F47E84449FF07ED3517B43A31

Corrine

Hi, JazzPurr.

ComboFix nicely removed the orphan uinco.dll so you won't receive that error message at startup.

Although the choice is yours, personally, I would not allow any programs in the Trusted Zone.  After all, even well known sites can be the victim of an SQL injection, hidden scripts, and more.  If you elect to remove the entries from the Trusted Zone, please do the following:

  • Launch Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
  • Click Trusted Sites, and then click Sites.
  • Click the site you want to delete, and then click Remove.

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Please refer to the Safe Computing Practices and other recommendations in this updated copy of "So how did I get infected in the first place?".


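The triage Corrine did by eye on the ComboFix log above (an HKCU Run value pointing at uinco.dll inside the user's AppData folder, listed under ORPHANS REMOVED) can be scripted. The following is an added example, not ComboFix's code and not posted by anyone in this thread: the sample log text is constructed from lines quoted above, and the three review flags (user_profile, file_missing, dll_target) are this example's own heuristics, not ComboFix categories.

```python
"""Autostart triage over ComboFix-style log lines (added example, see lead-in).

Parses the 'Reg Loading Points' shapes seen in the log: Run-key values,
Startup-folder .lnk entries and the 'ORPHANS REMOVED' list, then raises
review flags. The flags are this example's heuristics, not ComboFix output:
  user_profile - target lives under c:\\users\\ or an \\AppData\\ folder
  file_missing - ComboFix logged no date/size for the target, shown as [X]
  dll_target   - the launch point names a .dll, which cannot run on its own
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied in shape from the thread's ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\users\MyName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
Resolution.lnk - c:\users\MyName\Desktop\Shortcuts\Resolution Changer\Resolution.exe [2003-3-19 57344]
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-uinco - c:\users\MyName\AppData\Roaming\uinco.dll
Wow6432Node-HKLM-Run-B2C_AGENT - c:\programdata\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')    # "name"="cmd" [meta]
LNK_RE = re.compile(r"^(.+?\.lnk) - (.+?)\s*\[([^\]]*)\]$")        # name.lnk - cmd [meta]
ORPHAN_RE = re.compile(r"^(\S+) - (.+)$")                          # Hive-Key-Name - target
PROGRAM_RE = re.compile(r"^(.*?\.(?:exe|dll|sys|scr|bat|cmd|vbs))(?:\s|$)", re.I)
ORPHAN_HDR = "ORPHANS REMOVED"


@dataclass
class Autostart:
    source: str            # registry key, Startup-folder path, or "ORPHAN"
    name: str
    target: str            # program path with any arguments stripped
    meta: str              # "YYYY-MM-DD size" as logged, "X" if missing, "" if none
    flags: list = field(default_factory=list)


def program_of(cmd: str) -> str:
    """Keep the command line up to the first program extension, dropping arguments."""
    m = PROGRAM_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_autostarts(log_text: str) -> list[Autostart]:
    """Walk the log once, tracking which key or folder the current line belongs to."""
    entries, source = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if ORPHAN_HDR in line:
            source = "ORPHAN"
            continue
        if m := KEY_RE.match(line):
            source = m.group(1)
            continue
        if line.lower().startswith("c:\\") and line.endswith("\\"):
            source = line                                   # Startup-folder header
            continue
        if source == "ORPHAN":
            if m := ORPHAN_RE.match(line):
                entries.append(Autostart(source, m.group(1), program_of(m.group(2)), ""))
            continue
        if m := VALUE_RE.match(line) or LNK_RE.match(line):
            name, cmd, meta = m.groups()
            entries.append(Autostart(source or "?", name, program_of(cmd), meta))
    return entries


def flag(entry: Autostart) -> list[str]:
    """Attach review flags to one entry and return them (empty list = nothing to look at)."""
    t = entry.target.lower()
    entry.flags = []
    if t.startswith("c:\\users\\") or "\\appdata\\" in t:
        entry.flags.append("user_profile")
    if entry.meta.upper() == "X":
        entry.flags.append("file_missing")
    if t.endswith(".dll"):
        entry.flags.append("dll_target")
    return entry.flags


def triage(log_text: str) -> dict[str, list[str]]:
    """Name -> flags for every autostart entry that deserves a second look."""
    return {e.name: e.flags for e in parse_autostarts(log_text) if flag(e)}
```

Run against the sample, `triage` returns the uinco entry with both `user_profile` and `dll_target`, the RunOnce `GrpConv` value as `file_missing`, and the Desktop-hosted `Resolution.lnk` as `user_profile`; the Program Files and ProgramData entries produce no flags.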

JazzPurr

Quote from: Corrine on June 14, 2013, 12:24:03 AM
Hi, JazzPurr.

ComboFix nicely removed the orphan uinco.dll so you won't receive that error message at startup.

Although the choice is yours, personally, I would not allow any programs in the Trusted Zone.  After all, even well known sites can be the victim of an SQL injection, hidden scripts, and more.  If you elect to remove the entries from the Trusted Zone, please do the following:

  • Launch Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
  • Click Trusted Sites, and then click Sites.
  • Click the site you want to delete, and then click Remove.

Done !  And, yes, the uinco.dll message is gone, too !

Most importantly, THANK YOU for all your help and patience !   :grin:



Some other comments:

I also removed the Adobe Spelling Dictionaries program you noted earlier. 

Re: Java: I would love to remove it, but the other user of this computer likes to play the Pogo games which need it.  :rolleyes:

I understand about the need for the password changes (because of the trojans), but I'm obviously not looking forward to changing dozens of passwords (email accounts, message boards, etc.).  I do use LastPass, so that should make things easier.

Speaking of trojans, do all my scan results above indicate that I am most likely completely rid of the trojans, as well ?  I.e. was my suspicion correct that the name of the trojan found by Microsoft's MSRT was probably one of the "variants" noted by the ESET scan ?  (It struck me as odd that the MSRT scan only noted the one trojan, when ESET found four, none of which had the identical file name of the MSRT find.  So, my initial concern was that the ones removed by ESET did not include the one found and not removed by MSRT.)


Corrine

Hi, JazzPurr.

The primary concern for password changes is because the initial trojan from the MSRT scan was identified as a password stealing trojan.  Thus, the concern is if you had done any banking or online bill paying while the trojan was on your computer, you would want to change the passwords for those sensitive accounts.

Regarding your last question, MSRT is not full antivirus software.  It is for specific, prevalent malicious software, with a new version issued every month with the security updates.



JazzPurr

Follow-up question:  A member at Garden Web Computer Help found this site claiming to remove the particular infection/trojan that Microsoft's MSRT first discovered (http://www.removepcthreat.com/remove-pwswin32zbot-genal-infection-quick-and-easy-way-to-remove-pwswin32zbot-genal/)  For future reference, is this the kind of thing that can be trusted ?

Corrine

I most certainly would not download a removal tool from an unknown site!  It looks like one of those scam sites with their "live operator online" (see the About page).  Your computer would probably be in worse shape after running the tool than before -- or there would be multiple false-positive (fake) findings that would cost money to remove (or to remove what the tool added).



JazzPurr

Thank you, Corrine !  I am very leery of such 'magic pill' type of claims.  I'm glad to have my caution confirmed by your reply.  And thank you for taking the time to comment on this at the Garden Web thread.    :smiley:
