Win32/Spy.Zbot.ZR trojan

Post by Sharkz » December 7th, 2011, 3:46 pm

Hey, I've recently had a message popping up from my ESET Nod32 AV telling me about an infection. It seemed to be doing a decent job of cleaning it up at first, but it seems to have hit a roadblock. Every time I scan the system I get this message:
Operating memory » taskhost.exe(2408) - a variant of Win32/Spy.Zbot.ZR trojan - unable to clean

Not a clue on how to get rid of it. DDS and Attach:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.0.0
Run by David at 19:35:37 on 2011-12-07
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3326.1518 [GMT 0:00]
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Last.fm\LastFM.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Steam] "j:\steam\steam.exe" -silent
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [PlayNC Launcher]
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [{938B4F4F-1FEC-83D9-D888-69DC2B8D7093}] c:\users\david\appdata\roaming\emagn\ciigkiz.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [PlusService] c:\program files\yuna software\messenger plus!\PlusService.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
StartupFolder: c:\users\david\appdata\roaming\micros~1\windows\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDow ... ab_nvd.cab
DPF: {5B54751C-0EDB-4CAE-816C-65BCED3FF818} - hxxp://stable.heroesandgenerals.com/retox.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{1F09797B-A2F9-41E2-9E03-5F62638433F6} : DhcpNameServer =
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Hosts: easyanticheat.se # misleading site
Hosts: www.easyanticheat.se # misleading site
Hosts: easyanticheat.com # misleading site
Hosts: www.easyanticheat.com # misleading site
Hosts: easyanticheat.org # misleading site
Note: multiple HOSTS entries found. Please refer to Attach.txt
================= FIREFOX ===================
FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\hjql9jji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tumblr.com/dashboard
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\battlelog web plugins\0.80.0\npesnlaunch.dll
FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.0\npesnsonar.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\david\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
============= SERVICES / DRIVERS ===============
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-6-3 218688]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-12-21 95384]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2011-11-14 50728]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-6-10 657408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
=============== Created Last 30 ================
2011-12-07 19:01:06 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b1a45612-dd6a-4311-a9b1-bb9d4d76a01f}\offreg.dll
2011-12-07 18:59:56 -------- d-----w- c:\users\david\appdata\local\{54D37641-0F9B-45E2-9D75-8FFB7A174D93}
2011-12-07 18:59:39 -------- d-----w- c:\users\david\appdata\local\{857AC716-7341-4024-A063-5BFA658CB7E7}
2011-12-07 18:32:02 -------- d-----w- c:\users\david\appdata\roaming\Emagn
2011-12-07 18:32:02 -------- d-----w- c:\users\david\appdata\roaming\Baax
2011-12-07 17:59:25 -------- d-----w- c:\users\david\appdata\local\usercfgnt5
2011-12-07 14:51:51 -------- d-----w- c:\users\david\appdata\local\{82914AB4-415D-4640-B559-D41C6D762732}
2011-12-07 14:51:33 -------- d-----w- c:\users\david\appdata\local\{F74ADF0D-3F95-43B8-ADA0-B6CB4C099B0F}
2011-12-07 01:41:27 -------- d-----w- c:\program files\OpenTTD
2011-12-07 01:35:11 -------- d-----w- c:\users\david\appdata\local\{594C05E8-3037-428D-AD7C-DAF12637A795}
2011-12-07 01:34:56 -------- d-----w- c:\users\david\appdata\local\{A1ED8C78-8E6A-415E-B3E7-F22C0856B008}
2011-12-06 14:53:26 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b1a45612-dd6a-4311-a9b1-bb9d4d76a01f}\mpengine.dll
2011-12-06 14:51:58 -------- d-----w- c:\users\david\appdata\local\{AD60E936-4DA1-4AC8-9750-800EB5987835}
2011-12-06 14:51:43 -------- d-----w- c:\users\david\appdata\local\{78BAF971-E753-42BB-895D-8BEAFB3FA6F5}
2011-12-05 14:29:22 -------- d-----w- c:\users\david\appdata\local\{C5C3E6FD-CBC2-4D0F-A10B-200739D63324}
2011-12-05 14:29:07 -------- d-----w- c:\users\david\appdata\local\{D8677748-AA2D-4BC8-802A-E646B60A6CC0}
2011-12-05 12:14:30 -------- d-----w- c:\users\david\appdata\local\{DDEFCCEA-837B-4CFC-AF0D-EA9EB2E8096D}
2011-12-05 12:14:15 -------- d-----w- c:\users\david\appdata\local\{2DD11290-7237-4058-92CC-AF65B82468AC}
2011-12-03 22:52:48 -------- d-----w- c:\users\david\appdata\local\{06CEE8FE-BEBB-4746-A28B-3D8487BB3305}
2011-12-03 22:52:37 -------- d-----w- c:\users\david\appdata\local\{BA56371D-6A62-4BA6-BA3C-34D68D4ED35F}
2011-12-01 08:42:13 -------- d-----w- c:\users\david\appdata\local\{35E85A45-7894-46D9-8711-DF5716C05ACC}
2011-12-01 08:41:55 -------- d-----w- c:\users\david\appdata\local\{08CA1972-8828-40D3-9F20-6600DE4C1B8A}
2011-11-30 14:40:08 -------- d-----w- c:\users\david\appdata\local\{5169F4B5-3592-4515-90C1-FE7140E10B88}
2011-11-30 14:39:53 -------- d-----w- c:\users\david\appdata\local\{9D87BFC0-3CEC-48E2-80DE-29039D659F75}
2011-11-29 18:08:50 -------- d-----w- c:\users\david\appdata\local\Spotify
2011-11-29 18:08:27 -------- d-----w- c:\users\david\appdata\roaming\Spotify
2011-11-29 14:12:56 -------- d-----w- c:\users\david\appdata\local\{1DE770F2-AE4C-47EF-B213-49B8F8582F47}
2011-11-29 14:12:45 -------- d-----w- c:\users\david\appdata\local\{896634CF-48E9-4CEB-8434-DCFAC0FC217E}
2011-11-28 17:16:33 -------- d-----w- c:\users\david\appdata\local\{09E72264-27D8-4225-98C8-679340635F1D}
2011-11-28 17:16:12 -------- d-----w- c:\users\david\appdata\local\{3F647CED-4273-4783-9F01-3FA334BA75FA}
2011-11-27 20:36:08 -------- d-----w- c:\users\david\appdata\local\{B5D97A39-FBFB-4D96-814C-A7E6801AD456}
2011-11-27 20:35:42 -------- d-----w- c:\users\david\appdata\local\{97EDECC9-37EE-4E1E-81AD-7D4F9C876BC6}
2011-11-26 15:47:41 -------- d-----w- c:\users\david\appdata\local\{50C5C775-4A17-4D0F-9D5E-8792C1E191E1}
2011-11-26 15:47:27 -------- d-----w- c:\users\david\appdata\local\{EBB65060-89D4-4227-9403-9697C054052A}
2011-11-25 18:21:41 -------- d-----w- c:\users\david\appdata\local\{3FB0F0B6-C622-4FA8-A71E-7BCB6520B375}
2011-11-25 18:21:25 -------- d-----w- c:\users\david\appdata\local\{B3A143C6-84AA-40C2-B6BE-A73E51D6418D}
2011-11-25 08:33:41 -------- d-----w- c:\users\david\appdata\local\{EEC91F2E-5B15-4633-9625-156D7B5347F3}
2011-11-25 08:33:26 -------- d-----w- c:\users\david\appdata\local\{6D584597-CBCE-4B62-9FCF-7AEC7759D5B1}
2011-11-24 16:58:54 -------- d-----w- c:\users\david\appdata\local\{3A82176B-E4C5-4193-86CC-226AA0B18850}
2011-11-24 16:58:33 -------- d-----w- c:\users\david\appdata\local\{7DA438B4-674E-4EDB-B3C4-672945060EC4}
2011-11-23 22:41:26 -------- d-----w- c:\users\david\appdata\local\{6CF72881-6B3A-402C-ADB5-F2284AD90721}
2011-11-23 22:41:07 -------- d-----w- c:\users\david\appdata\local\{7AF33D5A-566F-48F8-ABE4-94A039A03538}
2011-11-23 14:38:47 -------- d-----w- c:\users\david\appdata\local\{8B886B6F-5FE3-4A4A-9A32-E9CA02821AF3}
2011-11-23 14:38:28 -------- d-----w- c:\users\david\appdata\local\{1B124BAE-AFC6-46E4-9145-FE3D101B301B}
2011-11-22 17:14:51 -------- d-----w- c:\users\david\appdata\local\{653ED9DC-2F24-4158-BD04-D508E54A3D15}
2011-11-22 17:14:35 -------- d-----w- c:\users\david\appdata\local\{D0D6047C-4D4F-4607-AE06-32A2286BB443}
2011-11-21 15:30:23 -------- d-----w- c:\users\david\appdata\local\{684616DF-4B4C-4353-804F-B72507BFC054}
2011-11-21 15:30:08 -------- d-----w- c:\users\david\appdata\local\{FD2BC2FC-6EA2-4450-9464-24ADE31563A5}
2011-11-20 19:13:57 -------- d-----w- c:\users\david\appdata\local\{DF3C5E1C-6B3A-4E37-AF94-893D789113EB}
2011-11-20 19:13:31 -------- d-----w- c:\users\david\appdata\local\{4CBDF50A-5D10-45A4-BCD0-C400E9F42F45}
2011-11-19 22:17:19 -------- d-----w- c:\users\david\appdata\local\{4DBC39F0-6B12-4084-9899-5C7464E25586}
2011-11-19 22:17:03 -------- d-----w- c:\users\david\appdata\local\{3679BD34-E9D9-40FD-AAB3-8FB0335FC66B}
2011-11-19 13:49:11 -------- d-----w- c:\users\david\appdata\local\{773108FE-8FA3-49E2-BC0B-42F471C15507}
2011-11-19 13:48:58 -------- d-----w- c:\users\david\appdata\local\{35B1FFA5-A11E-4FBC-9EC9-68E6F278B1F2}
2011-11-18 22:42:15 -------- d-----w- c:\users\david\appdata\local\{CC04A68F-E499-4734-808E-66B6B7FF7C23}
2011-11-18 22:41:59 -------- d-----w- c:\users\david\appdata\local\{F73C05AF-B9EA-4A54-A733-56124330E498}
2011-11-18 15:47:28 -------- d-----w- c:\users\david\appdata\local\{1E42B338-4FD2-454A-91A6-3E893C225E62}
2011-11-18 15:47:17 -------- d-----w- c:\users\david\appdata\local\{E21B3614-41AA-48E9-B781-E19719B44A3A}
2011-11-17 21:05:01 -------- d-----w- c:\users\david\appdata\local\{CD4E38EB-D6BD-4483-8F5F-CD55ABB9B399}
2011-11-17 21:04:49 -------- d-----w- c:\users\david\appdata\local\{1CD3AB6B-D94C-4F4C-85A0-F437A0705715}
2011-11-17 13:25:41 -------- d-----w- c:\users\david\appdata\local\{C2B30BE8-1CBF-4084-A4C5-3C1979F4D933}
2011-11-17 13:25:26 -------- d-----w- c:\users\david\appdata\local\{E576F7DF-3AFA-4F60-A595-3D79EC776651}
2011-11-16 16:17:42 -------- d-----w- c:\users\david\appdata\local\{15779D7D-6878-4B7D-8691-2461127424EA}
2011-11-16 16:17:24 -------- d-----w- c:\users\david\appdata\local\{07642E9B-1294-49B4-9F7E-37E1673BD4A2}
2011-11-15 21:21:01 -------- d-----w- c:\users\david\appdata\local\{47456668-70B9-4911-8F3F-6987624F7090}
2011-11-15 21:20:49 -------- d-----w- c:\users\david\appdata\local\{B2FCD6DA-21A9-472D-B201-AF4A8DA2A58C}
2011-11-15 11:35:00 -------- d-----w- c:\users\david\appdata\local\{2B2D71BC-B15F-4A0F-AC59-CA04216A3429}
2011-11-15 11:34:46 -------- d-----w- c:\users\david\appdata\local\{50D3ED5C-0673-48D1-B4B7-41EB734BFECB}
2011-11-14 20:45:43 -------- d-----w- c:\users\david\appdata\local\{D540B508-0B64-4050-A5D1-B45D600CEEBC}
2011-11-14 20:45:28 -------- d-----w- c:\users\david\appdata\local\{5C863224-AD9D-4BEB-A41F-B7B03F61C79B}
2011-11-14 14:01:46 -------- d-----w- c:\program files\SHOUTcast
2011-11-14 13:18:15 -------- d-----w- c:\users\david\appdata\roaming\fretsonfire
2011-11-14 13:09:35 50728 ----a-w- c:\windows\system32\drivers\vrtaucbl.sys
2011-11-14 13:09:35 -------- d-----w- c:\program files\Virtual Audio Cable
2011-11-14 12:25:50 -------- d-----w- c:\users\david\appdata\roaming\fofix
2011-11-14 12:06:43 -------- d-----w- c:\program files\Frets on Fire
2011-11-14 11:45:05 -------- d-----w- c:\users\david\appdata\local\{DF6B706F-8313-43FE-8EC8-0E534D96D5F8}
2011-11-14 11:44:48 -------- d-----w- c:\users\david\appdata\local\{DD9C9C42-A87D-4964-93A0-E95E8C2B3C59}
2011-11-13 20:05:21 -------- d-----w- c:\users\david\appdata\local\{81F4AFA9-60A6-4215-9A9A-59603577F86B}
2011-11-13 20:05:05 -------- d-----w- c:\users\david\appdata\local\{DFC7666C-CB04-4316-900B-24CE00D7E7FD}
2011-11-12 22:27:55 -------- d-----w- c:\users\david\appdata\local\{30E0060A-6AD6-46C5-8357-DB21FBB4DB13}
2011-11-12 22:27:30 -------- d-----w- c:\users\david\appdata\local\{D6BC573D-48D8-4986-9604-23B44EF1FE10}
2011-11-11 00:19:58 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2011-11-10 16:09:03 -------- d-----w- c:\users\david\appdata\local\{7968F864-2D38-485A-B01B-1E5B20A7F38C}
2011-11-10 16:08:47 -------- d-----w- c:\users\david\appdata\local\{1E85A1CE-D369-4C03-8468-EDCF2B0B443B}
2011-11-09 22:34:30 -------- d-----w- c:\users\david\appdata\local\{0D214E98-F9FF-4958-93C8-5B4D4ED2B275}
2011-11-09 09:57:39 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 09:57:37 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 09:57:36 2339840 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 08:13:59 -------- d-----w- c:\users\david\appdata\local\{9246D305-0F12-4571-A2B4-B047BA8D9CBC}
2011-11-09 08:13:42 -------- d-----w- c:\users\david\appdata\local\{190394F3-9232-4542-84C3-273FBC40A63C}
2011-11-08 15:56:18 -------- d-----w- c:\users\david\appdata\local\{7A713DB7-511A-4004-8267-5DD145202FB8}
2011-11-08 15:55:58 -------- d-----w- c:\users\david\appdata\local\{E64B87AE-8F57-46A7-AC29-E9327A8F50CE}
2011-11-07 22:29:31 -------- d-----w- c:\users\david\appdata\local\{CF67FF5B-987C-465B-80EC-5CC2E6491F99}
2011-11-07 22:29:15 -------- d-----w- c:\users\david\appdata\local\{3B69317C-0DB2-4E7E-8BD3-6BD2E6679D70}
==================== Find3M ====================
2011-11-15 10:08:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 10:13:45 72 ----a-w- c:\windows\Vue 7.5 xStream.reg
2011-10-19 10:13:45 70 ----a-w- c:\windows\Vue 7 xStream.reg
2011-10-19 10:13:45 70 ----a-w- c:\windows\Vue 6 xStream.reg
2011-10-17 22:02:26 138160 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-10-17 22:02:21 271200 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-10-17 22:02:21 271200 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-10-17 15:16:45 271200 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-10-04 03:13:26 138056 ----a-w- c:\users\david\appdata\roaming\PnkBstrK.sys
2011-10-04 03:12:52 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-10-01 02:59:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-22 11:29:58 321856 ----a-w- c:\windows\system32\nvStreaming.exe
============= FINISH: 19:40:31.76 ===============

DDS (Ver_2011-08-26.01)
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 20/05/2011 21:34:24
System Uptime: 07/12/2011 18:58:21 (1 hours ago)
Motherboard: Dell Inc. | | 0TP406
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | CPU | 2394/1066mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 581 GiB total, 172.481 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 14.661 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is FIXED (NTFS) - 932 GiB total, 141.351 GiB free.
K: is CDROM ()
L: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP253: 25/11/2011 18:22:39 - Windows Update
RP254: 29/11/2011 14:13:02 - Windows Update
RP255: 02/12/2011 15:55:53 - Windows Update
RP256: 06/12/2011 14:52:53 - Windows Update
==== Hosts File Hijack ======================
Hosts: easyanticheat.se # misleading site
Hosts: www.easyanticheat.se # misleading site
Hosts: easyanticheat.com # misleading site
Hosts: www.easyanticheat.com # misleading site
Hosts: easyanticheat.org # misleading site
Hosts: www.easyanticheat.org # misleading site
==== Installed Programs ======================
Update for Microsoft Office 2007 (KB2508958)
0 A.D.
4chan Image Downloader
7-Zip 9.20
Adobe AIR
Adobe Community Help
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop CS5.1
Adobe Reader X (10.0.1)
Age of Empires Online
APB Reloaded
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ARMA 2: British Armed Forces - Data cache removal
ARMA 2: Private Military Company - Data cache removal
Autodesk 3ds Max 2012 32-bit - English
Autodesk Backburner 2012.0.0
Autodesk FBX Plug-in 2012.0 - 3ds Max 2012
Autodesk Material Library 2012
Autodesk Material Library Base Resolution Image Library 2012
Autodesk Material Library Medium Resolution Image Library 2012
Back to the Future: Ep 1 - It's About Time
Back to the Future: Ep 2 - Get Tannen!
Back to the Future: Ep 3 - Citizen Brown
Back to the Future: Ep 4 - Double Visions
Back to the Future: Ep 5 - OUTATIME
Battlefield 2
Battlefield 3™ Open Beta
Battlelog Web Plugins
BattlEye for OA Uninstall
Brothers in Arms: Earned in Blood
Brothers in Arms: Hell's Highway
Brothers in Arms: Road to Hill 30
Call of Duty
Call of Duty - United Offensive
Call of Duty 2
Call of Duty 4: Modern Warfare
Call of Duty: Black Ops
Call of Duty: Black Ops - Multiplayer
Call of Duty: United Offensive
Cities in Motion
Command and Conquer 3: Kane's Wrath
Command and Conquer 3: Tiberium Wars
Company of Heroes: Tales of Valor
Composite 2012
CorsixTH Beta 6
Counter-Strike: Global Offensive Beta
Counter-Strike: Source
CraftBukkit v8.0
Crazy Taxi
Crazy Taxi 1.0
Creative Centrale
Creative Software Update
DAEMON Tools Lite
Dawn of War - Dark Crusade Mod Tools 1.20
DC Universe Online
Dead Island
Dell Resource CD
Delta Force: Black Hawk Down
Delta Force: Black Hawk Down - Team Sabre
Dino D-Day
DisplayFusion 3.3.1
Dungeon Defenders
Dungeons & Dragons: Daggerdale
Eastern Front
Empire: Total War
ESET NOD32 Antivirus
ESN Sonar
exPressit SE
EZ Vinyl/Tape Converter 7.4 by MixMeister
Far Cry 2
Fraps (remove only)
Frets On Fire
Galcon Fusion
Garry's Mod
Grand Theft Auto IV
Grand Theft Auto: Episodes from Liberty City
Grand Theft Auto: San Andreas
Gravitron 2
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Half-Life Deathmatch: Source
Java Auto Updater
Java(TM) 6 Update 27
Java(TM) 7
JumpStart 4th Grade v1.2
Killing Floor
Kodak AIO Printer
KODAK AiO Software
Kohan II: Kings of War
League of Legends
Left 4 Dead
Left 4 Dead 2
LogMeIn Hamachi
Mafia II
Malwarebytes' Anti-Malware version
ManyCam 2.6.60 (remove only)
Men of War
Messenger Plus! 5
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Chart Controls for Microsoft .NET Framework 3.5
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Mount & Blade
Mount & Blade: Warband
MountMusket Battalion
Mozilla Firefox 8.0 (x86 en-GB)
Mp3tag v2.49
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mumble(PR edition) and Murmur(PR edition)
Napoleon: Total War
NCsoft Launcher
Neverwinter Nights 2: Platinum
Nuclear Dawn Beta
Numen: Contest of Heroes
NVIDIA 3D Vision Controller Driver
NVIDIA 3D Vision Controller Driver 285.38
NVIDIA 3D Vision Driver 285.38
NVIDIA Control Panel 285.38
NVIDIA Display Control Panel
NVIDIA Graphics Driver 285.38
NVIDIA Install Application
NVIDIA PhysX System Software 9.11.0621
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.5.20
NVIDIA Update Components
OpenTTD 1.1.4
Paint.NET v3.5.8
Pando Media Booster
PDF Settings CS5
Portal 2 - The Final Hours
Project Reality
PunkBuster Services
Python 2.7.2
Rags Suite
Red Faction: Armageddon
Red Orchestra 2: Heroes of Stalingrad
RollerCoaster Tycoon 3: Platinum!
Runaway: The Dream of the Turtle
Rusty Hearts
S.T.A.L.K.E.R.: Call of Pripyat
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SEGA Bass Fishing
SEGA Genesis & Mega Drive Classics
SHOUTcast DNAS Server v2
Sid Meier's Civilization V
SigmaTel Audio
SimCity 4 Deluxe
Skype Click to Call
Skype™ 5.5
Sol Survivor
Sonic Adventure DX
Source SDK
Source SDK Base 2007
Space Channel 5: Part 2
Spybot - Search & Destroy
Star Wars - Battlefront II
Stellar Impact
System Requirements Lab
Tales of Monkey Island: Chapter 1 - Launch of the Screaming Narwhal
Team Fortress 2
TeamSpeak 3 Client
The Elder Scrolls IV: Oblivion
The Elder Scrolls V: Skyrim
The Void
TrackMania United
Transformers: War for Cybertron
Tropico 4 - Demo
Ubisoft Game Launcher
Unity Web Player
Unreal Development Kit
Unreal Development Kit: 2011-05
Unreal Tournament 2004
Unreal Tournament 3: Black Edition
Unreal Tournament: Game of the Year Edition
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Ventrilo Client
Virtual Audio Cable 4.10
VLC media player 1.1.9
Vue 9.5 xStream 32bit
Vue 9.5 xStream plugins 32bit
Warhammer 40,000: Dawn of War – Dark Crusade
Warhammer 40,000: Dawn of War – Winter Assault
WhatPulse 1.7
WIDCOMM Bluetooth Software
Winamp Detector Plug-in
Windows Driver Package - Logitech HIDClass (10/16/2006 1.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.01 beta 1 (32-bit)
World of Tanks v.0.6.4
Zombie Panic Source
==== Event Viewer Messages From Past Week ========
07/12/2011 18:59:22, Error: bowser [8003] - The master browser has received a server announcement from the computer FUZ2Y-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A8F5CAAD-58AE-44AC-8742-C2896AF9E. The master browser is stopping or an election is being forced.
07/12/2011 01:34:41, Error: bowser [8003] - The master browser has received a server announcement from the computer LAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A8F5CAAD-58AE-44AC-8742-C2896AF9E8A. The master browser is stopping or an election is being forced.
07/12/2011 01:30:56, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
06/12/2011 18:57:46, Error: Service Control Manager [7034] - The Steam Client Service service terminated unexpectedly. It has done this 1 time(s).
06/12/2011 14:49:44, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address The computer with the IP address did not allow the name to be claimed by this computer.
==== End Of File ===========================

Re: Win32/Spy.Zbot.ZR trojan

Unread postby diver79 » December 8th, 2011, 2:21 pm

Hi and welcome to MalwareRemoval.com. Sorry for any delay in answering your request for help; the forum is really busy.
My name is Diver79, and I will be helping you with your malware problems. I am currently in training at the Malware University. All of my instructions need to be checked and approved by a teacher, which may lead to a slight delay.

Before we start please note the following important guidelines.
  • The instructions given are for THIS computer only! Using these instructions on a different computer can make it inoperable!
  • Please DO NOT run any other software or scans whilst I am helping you.

Note: If you haven't done so already, please ensure you have read the following article. ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
diver79 wrote: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to take your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
How do I backup my files and folders in XP?
How to backup your data - Vista/Win7

Looking into your logs now. Will post instructions soon...

Re: Win32/Spy.Zbot.ZR trojan

Unread postby diver79 » December 13th, 2011, 12:43 pm

Hi Sharkz,

Apologies for the late reply. We had a sudden surge in the number of posts at the forum, so it took longer than expected to get back to you.

Remove P2P Programs
  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Click on the start button.
  • In the Search Programs and Files text entry box, please copy/paste appwiz.cpl, then press Enter.
  • Press the "Uninstall" button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • While you are there, please also uninstall the following programs:
    • Java(TM) 6 Update 27
    • PunkBuster Services.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Run CKScanner
  • Please download CKScanner from Here
  • Important: - Save it to your desktop.
  • Right-click CKScanner.exe > select "Run as administrator", then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please run the program only once.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Run MGADiag
  • Please download MGA Diagnostic Tool and save it to your Desktop.
  • Right click on MGADiag.exe and select Run As Administrator to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Re: Win32/Spy.Zbot.ZR trojan

Unread postby Wingman » December 19th, 2011, 3:01 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh DDS log, and wait for a new helper.
