Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Cannot remove Win32/Zbot, keeps re-installing itself

Re: Cannot remove Win32/Zbot, keeps re-installing itself

by StephenClark » March 17th, 2014, 8:18 pm

Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Kitty Clark at 2014-03-17 19:12:53
Running from C:\Users\Kitty Clark\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

Adobe Flash Player 12 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ASUS nVidia Driver (x32 Version: 1.00.0000 - ASUSTek) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Canon Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version: - )
Canon Easy-WebPrint EX (HKLM-x32\...\Easy-WebPrint EX) (Version: - )
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: - )
Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version: - )
Canon MP280 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP280_series) (Version: - )
Canon MP280 series User Registration (HKLM-x32\...\Canon MP280 series User Registration) (Version: - )
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: - )
Canon Solution Menu EX (HKLM-x32\...\CanonSolutionMenuEX) (Version: - )
Core Temp 1.0 RC2 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.0 - Alcpu)
CPUID CPU-Z 1.58 (HKLM\...\CPUID CPU-Z_is1) (Version: - )
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{92C42EDD-6524-4577-B2EB-6C68C63B6D4A}) (Version: - Microsoft)
DVD Profiler Version 3.8.2 (HKLM-x32\...\InvelosDVDProfiler_is1) (Version: - )
EasyBCD 2.0 (HKLM-x32\...\EasyBCD) (Version: 2.0 - NeoSmart Technologies)
EasySaver B9.0904.1 (HKLM-x32\...\{07300F01-89CA-4CF8-92BD-2A605EB83C95}) (Version: 1.00.0000 - Gigabyte)
eReg (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version: - Lars Hederer)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - )
GeForce Experience NvStream Client Components (Version: 1.6.28 - NVIDIA Corporation) Hidden
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
Java 7 Update 51 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417051FF}) (Version: 7.0.510 - Oracle)
Logitech SetPoint 6.32 (HKLM\...\sp6) (Version: 6.32.20 - Logitech)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-007A-0409-0000-0000000FF1CE}) (Version: 14.0.5118.5000 - Microsoft Corporation)
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Outlook Social Connector Provider for Facebook 32-bit (HKLM-x32\...\{95140000-007C-0409-0000-0000000FF1CE}) (Version: 14.0.6114.5003 - Microsoft Corporation)
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit (HKLM-x32\...\{95140000-007D-0409-0000-0000000FF1CE}) (Version: 14.0.5120.5000 - Microsoft Corporation)
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (HKLM\...\{EE936C7A-EA40-31D5-9B65-8E3E089C3828}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 27.0.1 (x86 en-US)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NVIDIA 3D Vision Controller Driver (x32 Version: 280.19 - NVIDIA Corporation) Hidden
NVIDIA 3D Vision Controller Driver 331.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 331.65 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 331.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 331.65 - NVIDIA Corporation)
NVIDIA Control Panel 331.65 (Version: 331.65 - NVIDIA Corporation) Hidden
NVIDIA Display Control Panel (HKLM\...\NVIDIA Display Control Panel) (Version: 6.14.11.9745 - NVIDIA Corporation)
NVIDIA GeForce Experience 1.7.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 1.7.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 331.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 331.65 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.26.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.26.4 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.141.953 - NVIDIA Corporation) Hidden
NVIDIA LED Visualizer 1.0 (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.13.0725 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.13.0725 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0725 - NVIDIA Corporation)
NVIDIA ShadowPlay 9.3.21 (Version: 9.3.21 - NVIDIA Corporation) Hidden
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.13.3165 - NVIDIA Corporation) Hidden
NVIDIA Update 9.3.21 (Version: 9.3.21 - NVIDIA Corporation) Hidden
NVIDIA Update Components (Version: 9.3.21 - NVIDIA Corporation) Hidden
NVIDIA Virtual Audio 1.2.9 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_VirtualAudio.Driver) (Version: 1.2.9 - NVIDIA Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
PVSonyDll (Version: 1.00.0001 - NVIDIA Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version: - Microsoft) Hidden
SHIELD Streaming (Version: 1.6.53 - NVIDIA Corporation) Hidden
SiSoftware Sandra Lite 2011.SP1a (HKLM\...\{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1) (Version: 17.43.2011.4 - SiSoftware)
The Weather Channel App (HKLM-x32\...\{167158CE-1637-4167-8A1C-C2549EEA966A}) (Version: 1.00.0000 - The Weather Channel)
The Weather Channel App (HKLM-x32\...\The Weather Channel App) (Version: - )
The Weather Channel Desktop 6 (HKLM-x32\...\The Weather Channel Desktop 6) (Version: - )
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.7.0 - Tweaking.com)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{3FCFD88F-4D13-4F38-8625-ABABEA7F61EA}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{83B1B530-7D9E-4C6A-907F-E979CEE9C295}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{DA2F7ECE-6629-4A80-9CDE-EC95261B75E2}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{80F56E3F-1D47-4E45-B6E0-FEF4E919F4F9}) (Version: - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)
Update for Microsoft Visio 2010 (KB2878227) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{5D357893-40BA-4323-86BA-D97C66CD72F4}) (Version: - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version: - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{E78E2B68-8FD1-42EE-BB74-99A4D9E6222D}) (Version: - Microsoft)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM-x32\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Family Safety (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Restore Points =========================

17-03-2014 07:30:06 Windows Backup
17-03-2014 23:00:07 Windows Backup

==================== Hosts content: ==========================

2009-07-13 21:34 - 2014-03-07 18:37 - 00450811 ____R C:\Windows\system32\Drivers\etc\hosts

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============

Task: {0AA09166-4C6D-4D6A-A4B7-64D1E37E6109} - System32\Tasks\Core Temp Autostart Stephen Clark => C:\Program Files\Core Temp\Core Temp.exe [2011-09-02] ()
Task: {352A4730-4409-4101-A024-0483ADE65582} - System32\Tasks\Ad-Aware Update (Daily 4) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {37B0ACCA-6E7C-4720-B9AC-F1855923C319} - System32\Tasks\Security Center Update - 11611984 => C:\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe <==== ATTENTION
Task: {4A84D423-0977-49FB-863B-8ADC07398630} - System32\Tasks\Core Temp Autostart Kitty Clark => C:\Program Files\Core Temp\Core Temp.exe [2011-09-02] ()
Task: {5DC18D57-52E1-4089-B60F-D7FE6F1F1246} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {75822CBE-3CC0-4481-9EF5-8C98A4CF4D2B} - System32\Tasks\Ad-Aware Update (Daily 2) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {8030BCA4-A939-46E1-9961-CB29ECCE51BD} - System32\Tasks\SmartDefrag_Startup => C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
Task: {87392479-CA7F-4D46-9AA7-5AE260D355C7} - System32\Tasks\Ad-Aware Scan (Weekly Full Scan) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {9E24D99B-F16C-477E-8F8A-5A3A80826755} - System32\Tasks\Ad-Aware Update (Daily 3) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {B9632049-70BE-43D6-BBEF-F1D5AC730139} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-12] (Adobe Systems Incorporated)
Task: {D5A4F8CB-03BA-4DEC-8552-CB17A73D7D03} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {FBD02650-9D9C-4D86-A525-89F8F4CA5DED} - System32\Tasks\Ad-Aware Update (Daily 1) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Security Center Update - 11611984.job => C:\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdate.exe

==================== Loaded Modules (whitelisted) =============

2012-04-10 17:21 - 2013-10-23 03:20 - 00102176 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-09-05 01:17 - 2013-09-05 01:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-04-11 00:07 - 2011-09-02 00:29 - 00826832 _____ () C:\Program Files\Core Temp\Core Temp.exe
2011-04-11 01:02 - 2009-08-24 14:38 - 00068136 _____ () C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
2011-08-26 14:45 - 2010-04-05 14:55 - 00116104 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2011-10-07 04:39 - 2011-10-07 04:39 - 01304856 _____ () C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll
2014-02-24 19:01 - 2014-02-24 19:01 - 00047616 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe
2014-02-24 19:01 - 2014-02-24 19:01 - 01154560 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.UI.dll
2014-02-24 19:01 - 2014-02-24 19:01 - 00246272 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.Services.dll
2014-02-24 19:01 - 2014-02-24 19:01 - 00109056 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.Models.dll
2014-03-17 18:59 - 2014-03-17 18:59 - 00279739 _____ () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
2014-02-12 21:58 - 2014-02-12 21:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 21:58 - 2014-02-12 21:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2011-04-11 01:02 - 2009-03-13 11:30 - 00109096 _____ () C:\Program Files (x86)\Gigabyte\EasySaver\YCC.DLL
2014-02-14 21:57 - 2014-02-14 21:57 - 03578992 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/17/2014 07:05:56 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 07:05:53 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 06:51:50 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 06:51:46 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 06:10:27 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 06:10:24 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 06:07:58 PM) (Source: Windows Backup) (User: )
Description: The backup was not successful. The error is: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. (0x80070548).

Error: (03/17/2014 06:07:58 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine OpenSCManager(NULL,NULL,SC_MANAGER_CONNECT). hr = 0x8007045b, A system shutdown is in progress.
.


Operation:
Initialize For Backup

Error: (03/17/2014 06:07:57 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine OpenSCManager(NULL,NULL,SC_MANAGER_CONNECT). hr = 0x8007045b, A system shutdown is in progress.
.


Operation:
Initialize For Backup

Error: (03/17/2014 06:07:56 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine IVssAsrWriterBackup::GetDiskComponents. hr = 0x8007045b, A system shutdown is in progress.
.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: ASR Writer
Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
Writer Name: ASR Writer
Writer Instance ID: {5224a9e9-3806-4fc0-af56-3942a20973e2}


System errors:
=============
Error: (03/17/2014 07:03:13 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.167.2104.0

Update Source: %NT AUTHORITY59

Update Stage: 4.4.0304.00

Source Path: 4.4.0304.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (03/17/2014 07:03:13 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.167.2104.0

Update Source: %NT AUTHORITY59

Update Stage: 4.4.0304.00

Source Path: 4.4.0304.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (03/17/2014 07:03:08 PM) (Source: DCOM) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (03/17/2014 06:49:54 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 6:25:55 PM on 3/17/2014 was unexpected.

Error: (03/17/2014 06:15:45 PM) (Source: Service Control Manager) (User: )
Description: The Windows Update service hung on starting.

Error: (03/17/2014 02:50:43 PM) (Source: Service Control Manager) (User: )
Description: The Windows Update service hung on starting.

Error: (03/17/2014 02:42:20 PM) (Source: DCOM) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (03/16/2014 05:06:21 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 05:06:01 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 04:41:41 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.


Microsoft Office Sessions:
=========================
Error: (03/17/2014 07:05:56 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 07:05:53 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 06:51:50 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 06:51:46 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 06:10:27 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 06:10:24 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 06:07:58 PM) (Source: Windows Backup)(User: )
Description: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. (0x80070548)

Error: (03/17/2014 06:07:58 PM) (Source: VSS)(User: )
Description: OpenSCManager(NULL,NULL,SC_MANAGER_CONNECT)0x8007045b, A system shutdown is in progress.


Operation:
Initialize For Backup

Error: (03/17/2014 06:07:57 PM) (Source: VSS)(User: )
Description: OpenSCManager(NULL,NULL,SC_MANAGER_CONNECT)0x8007045b, A system shutdown is in progress.


Operation:
Initialize For Backup

Error: (03/17/2014 06:07:56 PM) (Source: VSS)(User: )
Description: IVssAsrWriterBackup::GetDiskComponents0x8007045b, A system shutdown is in progress.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: ASR Writer
Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
Writer Name: ASR Writer
Writer Instance ID: {5224a9e9-3806-4fc0-af56-3942a20973e2}


CodeIntegrity Errors:
===================================
Date: 2011-10-16 18:01:08.887
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 17:21:48.482
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 17:02:14.911
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:46:56.737
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\pcrelib.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:43:28.177
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:29:12.023
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\pcrelib.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:23:30.793
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 13:58:38.653
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 12:39:40.035
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 12:26:26.599
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 44%
Total physical RAM: 4093.55 MB
Available physical RAM: 2258.83 MB
Total Pagefile: 8185.29 MB
Available Pagefile: 6268.98 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: (Local Disk) (Fixed) (Total:232.76 GB) (Free:91.78 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Backup Disk) (Fixed) (Total:232.76 GB) (Free:230.35 GB) NTFS
Drive e: (Archive & Media Disk) (Fixed) (Total:233.11 GB) (Free:94.73 GB) NTFS
Drive f: (Working Files K4) (CDROM) (Total:4.37 GB) (Free:3.8 GB) UDF
Drive i: (KITTY'S USB) (Removable) (Total:7.47 GB) (Free:0.11 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 00000001)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 8:53 pm

9. Reset router - completed successfully.
KITTY4 still sending out spam emails - disconnected from internet.

Where do we stand now? Thanks!
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 17th, 2014, 9:00 pm

OK, obviously we're missing something since the infection has regenerated again.

It's 1 am where I am, so I'll look over your logs again in the morning, and see if I can work out how the machine is being re-infected.

Talk to you then.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 1:18 am

More info on the spam emails being sent out - I have had the machine off for four hours and we are still getting over 1000 bounce messages from our Email ISP, Oplink. Is it possible that another machine in the botnet is attempting to send spam using her email address? I have no idea how to stop it if that is the case

Thanks for your persistence!
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 18th, 2014, 2:47 am

If you haven't already done so, please backup your personal files and folders before proceeding with the instructions below.

After going through your logs again, I've decided that I'd like to try using a different tool, to see if that flags anything that we haven't found yet. There's not much showing in your FRST log that we haven't already removed once, which suggests that if we remove it again it will just regenerate.

Download ComboFix and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link

A detailed Tutorial for how to use Combofix is available here.

Please post me the log it creates ... C:\combofix.txt
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 2:52 am

In process...
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 4:05 am

12. Run ComboFix - downloaded and ran successfully. It requested me to turn off MSE while it was running, which I did. Machine rebooted during the process, I assume this is normal. Looks like it fixed some things. Bootup was faster, and the machine seems to be running faster now. MSE is not discovering any Zbot infection, and the "UpdateFlashPlayer" messages have disappeared. There is no unusual activity! Bravo! ComboFix log follows:

ComboFix 14-03-16.01 - Kitty Clark 03/18/2014 2:37.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.1418 [GMT -5:00]
Running from: c:\users\Kitty Clark\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\AutocompletePro
c:\users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
c:\users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
c:\users\Kitty Clark\WINDOWS
c:\users\Stephen Clark\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2014-02-18 to 2014-03-18 )))))))))))))))))))))))))))))))
.
.
2014-03-18 07:44 . 2014-03-18 07:44 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-18 07:44 . 2014-03-18 07:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-18 07:44 . 2014-03-18 07:44 -------- d-----w- c:\users\Stephen Clark\AppData\Local\temp
2014-03-18 07:44 . 2014-03-18 07:44 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-03-18 00:16 . 2014-03-07 04:43 10521840 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ED3E4440-0902-40C8-B9F8-C4B25B72F244}\mpengine.dll
2014-03-17 23:59 . 2014-03-18 07:47 -------- d-----w- c:\users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-17 23:59 . 2014-03-18 07:47 -------- d-----w- c:\users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-17 23:05 . 2014-02-06 06:01 10536864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-17 19:53 . 2014-03-17 19:53 -------- d-----w- c:\program files (x86)\ESET
2014-03-17 07:56 . 2014-03-18 00:13 -------- d-----w- C:\FRST
2014-03-17 07:31 . 2014-03-17 07:31 -------- d-----w- C:\RegBackup
2014-03-17 07:29 . 2014-03-17 07:29 -------- d-----w- c:\program files (x86)\Tweaking.com
2014-03-14 22:13 . 2014-03-14 22:13 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9106129A-BBFE-4095-A575-1FFA4761E3FC}\gapaengine.dll
2014-03-14 22:12 . 2014-03-14 22:12 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2014-03-14 22:12 . 2014-03-14 22:13 -------- d-----w- c:\program files\Microsoft Security Client
2014-03-13 10:34 . 2014-03-15 23:33 -------- d-----w- c:\windows\Microsoft Antimalware
2014-03-11 22:51 . 2014-02-04 02:32 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-03-11 22:51 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-02-26 23:18 . 2014-02-26 23:18 -------- d-----w- c:\program files\iPod
2014-02-26 23:18 . 2014-02-26 23:18 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-26 23:18 . 2014-02-26 23:18 -------- d-----w- c:\program files\iTunes
2014-02-26 23:18 . 2014-02-26 23:18 -------- d-----w- c:\program files (x86)\iTunes
2014-02-26 23:13 . 2014-02-26 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-02-26 23:13 . 2014-02-26 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-02-26 23:13 . 2014-02-26 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-02-26 23:13 . 2014-02-26 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-02-26 23:13 . 2014-02-26 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-02-26 23:12 . 2014-02-26 23:13 -------- d-----w- c:\program files (x86)\QuickTime
2014-02-26 19:57 . 2014-01-09 02:22 5694464 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-02-26 19:57 . 2014-01-03 22:44 6574592 ----a-w- c:\windows\system32\mstscax.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-18 07:46 . 2011-04-26 02:06 25640 ----a-w- c:\windows\gdrv.sys
2014-03-12 19:50 . 2012-04-07 20:30 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-12 19:50 . 2011-06-02 20:44 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-02 19:05 . 2011-04-11 02:52 90015360 ----a-w- c:\windows\system32\MRT.exe
2014-01-19 07:33 . 2011-04-11 02:19 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-17 22:24 . 2014-01-17 22:24 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2014-01-17 22:24 . 2014-01-17 22:24 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2014-01-16 20:16 . 2014-01-16 20:16 108968 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2014-01-16 20:16 . 2014-01-16 20:16 312744 ----a-w- c:\windows\system32\javaws.exe
2014-01-16 20:16 . 2014-01-16 20:16 189352 ----a-w- c:\windows\system32\javaw.exe
2014-01-16 20:16 . 2014-01-16 20:16 189352 ----a-w- c:\windows\system32\java.exe
2013-12-24 23:09 . 2014-02-11 19:33 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2013-12-24 22:48 . 2014-02-11 19:33 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2013-12-21 09:53 . 2014-02-11 19:36 548864 ----a-w- c:\windows\system32\vbscript.dll
2013-12-21 08:56 . 2014-02-11 19:36 454656 ----a-w- c:\windows\SysWow64\vbscript.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2013-04-22 720064]
"TWC.Win7"="c:\program files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe" [2014-02-25 47616]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstall ... fec08d808c" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2011.SP1a\RpcAgentSrv.exe;c:\program files\SiSoftware\SiSoftware Sandra Lite 2011.SP1a\RpcAgentSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys;c:\windows\SYSNATIVE\drivers\SBREdrv.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]
S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 ALSysIO;ALSysIO;c:\users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys;c:\users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTBS26.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
S3 UsbFltr;WayTech USB Filter Driver;c:\windows\system32\Drivers\UsbFltr.sys;c:\windows\SYSNATIVE\Drivers\UsbFltr.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 19:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2726728]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-11-08 1028384]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2013-11-08 1064224]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 1266912]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:8080
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?gl=us&ned= ... ebook.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Buleodliyg - c:\users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
Wow6432Node-HKCU-Run-Afwoynunylo - c:\users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
Wow6432Node-HKLM-Run-Afwoynunylo - c:\users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
Wow6432Node-HKLM-Run-Buleodliyg - c:\users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-The Weather Channel App - c:\program files (x86)\The Weather Channel\The Weather Channel App\TheWeatherChannelCustomUninstall.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files (x86)\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2014-03-18 02:53:53 - machine was rebooted
ComboFix-quarantined-files.txt 2014-03-18 07:53
.
Pre-Run: 97,799,786,496 bytes free
Post-Run: 97,588,617,216 bytes free
.
- - End Of File - - 5EE912B255B4B03B6AAD4FB614DCC8C0
A36C5E4F47E84449FF07ED3517B43A31
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 18th, 2014, 8:24 am

OK, there's a few things we still need to take care of ....

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:
C:\Program Files (x86)\The Weather Channel
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
c:\users\Kitty Clark\AppData\Roaming\Vyoqti
c:\users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstall ... 0EtSzZIVTk "&"inst=NzctNzExNTI1MDAxLVhPMTArMTEtTElDKzItVklQKzEtRkwxMCsxLVRVRyszLUREVCs2MTYwMy1ERDEwRisxLVNUMTBGQVBQKzEtU1QxMkZPSSsxLUVVTEErMS1TVDEyRkFQUCsx"&"prod=90"&"ver=2012.0.1809"&"mid=ec2ba82855f747d6a39abdb90fe5910e-473b8ab7618aadb6b0f68fdc49d2c8fec08d808c [X]
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [TWC.Win7] - C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe [47616 2014-02-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
CHR HKLM-x32\...\Chrome\Extension: [defdhglnppeioeflggkmglipcecffkhk] - C:\Program Files (x86)\AutocompletePro\chrome\autocompleteprochrome.crx []
R3 ALSysIO; \??\C:\Users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys [X]
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-17 19:00 - 2014-03-17 14:30 - 00000834 _____ () C:\Windows\Tasks\Security Center Update - 11611984.job
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-17 18:59 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-17 18:59 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-17 14:30 - 2014-03-17 14:30 - 00003854 _____ () C:\Windows\System32\Tasks\Security Center Update - 11611984
2014-03-16 15:11 - 2013-10-03 20:15 - 00000338 _____ () C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2014-03-16 15:11 - 2013-10-03 20:14 - 00000352 _____ () C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe.

Next ....

Run a new scan with ESET online scanner and post me the log please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
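The fixlist above strips two Run values that both point at freshly created, unsigned executables under AppData\Roaming, each registered in HKLM and in the user's own hive at once; that combination is what marks them out from the legitimate entries in the same log. As an added example (not part of FRST and not posted by anyone in this thread), the Python script below parses FRST-style autorun lines and scores each target on exactly those traits, so a helper can triage a log before deciding what goes into a fixlist. The sample lines are constructed from the entries above plus one invented vendor entry for contrast; the scoring weights and the threshold of 3 are assumptions made for illustration, not an FRST rule.

```python
"""Triage FRST autorun lines for Zbot-style persistence.

Added example for this thread; it is not part of FRST and was not posted by
anyone here. Sample lines are constructed from the fixlist entries above plus
one invented vendor entry for contrast; scoring weights are an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# FRST prints one autorun per line:
#   <hive>\...\<Run|RunOnce>: [<value name>] - <command> [<size> <date>] (<publisher>)
# When the target file no longer exists FRST prints a trailing [X] instead.
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>Run|RunOnce|Runonce): "
    r"\[(?P<name>[^\]]+)\] - (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\))?"
    r"(?P<missing> \[X\])?\s*$"
)

# Locations any standard user can write to; a Run value pointing here needed no admin rights to plant.
PROFILE_DIR_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

# Constructed sample input modelled on the fixlist in this thread (the last line is invented).
SAMPLE_FRST_LINES = r"""
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstall [X]
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [TWC.Win7] - C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe [47616 2014-02-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
HKLM\...\Run: [ExampleVendorTool] - C:\Program Files\Example Vendor\tool.exe [123456 2013-10-23] (Example Vendor Ltd)
""".strip().splitlines()


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    path: str
    publisher: Optional[str]  # "" when FRST printed "()", None when no publisher block at all
    missing: bool             # True when FRST marked the target with [X]


@dataclass
class Finding:
    path: str
    score: int
    reasons: List[str] = field(default_factory=list)


def parse_autorun(line: str) -> Optional[Autorun]:
    """Parse one FRST autorun line; returns None for lines that are not autoruns."""
    m = AUTORUN_RE.match(line.strip())
    if not m:
        return None
    return Autorun(hive=m["hive"], key=m["key"], name=m["name"], path=m["path"],
                   publisher=m["publisher"], missing=m["missing"] is not None)


def triage(lines: List[str]) -> List[Finding]:
    """Group autoruns by target path and score each target (assumed weights)."""
    by_path: Dict[str, List[Autorun]] = defaultdict(list)
    for line in lines:
        entry = parse_autorun(line)
        if entry:
            by_path[entry.path.lower()].append(entry)

    findings = []
    for group in by_path.values():
        first = group[0]
        finding = Finding(path=first.path, score=0)
        if PROFILE_DIR_RE.search(first.path):
            finding.score += 2
            finding.reasons.append("launches from a user-writable profile directory")
        if first.publisher == "":
            finding.score += 1
            finding.reasons.append("binary carries no publisher/version information")
        # "HKLM-x32\..." and "HKU\S-1-5-21-...\..." both reduce to their hive root here.
        hives = {g.hive.split("\\")[0].split("-")[0] for g in group}
        if len(hives) > 1:
            finding.score += 1
            finding.reasons.append("same binary registered under %s" % ", ".join(sorted(hives)))
        if any(g.missing for g in group):
            finding.reasons.append("target no longer exists ([X]): orphaned entry, clean-up only")
        findings.append(finding)
    # reverse=True keeps insertion order among equal scores (Python's sort is stable)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def suspicious(lines: List[str], threshold: int = 3) -> List[Finding]:
    """Targets worth a closer look; threshold is an assumption for this example."""
    return [f for f in triage(lines) if f.score >= threshold]


def orphaned(lines: List[str]) -> List[Finding]:
    """Run values whose target file is gone; harmless but worth removing."""
    return [f for f in triage(lines) if any("orphaned" in r for r in f.reasons)]


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print("%d  %s" % (f.score, f.path))
        for reason in f.reasons:
            print("      - " + reason)
```

Run against the constructed sample it ranks the two AppData\Roaming binaries at the top with a score of 4 each, leaves the Weather Channel entry at 1 (no publisher, but installed under Program Files) and reports the AVG RunOnce value as orphaned rather than suspicious; on a real FRST.txt you would feed the whole file's lines in and read the top of the list.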

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 2:35 pm

Before I begin, I ran a full scan with MSE last night (it took over six hours) and it found the following:
Win32/Upatre
Win32/Zbot.AKZ
Win32/Rovnix
Win32/Rovnix.I

Working on your next procedure now. Contacted our ISP about the spam emails, and he said her email account had been hacked, and he changed the password.
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 3:21 pm

13. Run fixlist - Ran ok, but restarted computer, and got a warning from Windows Activation saying an unauthorized change was made to Windows. There was a link for more information, and it wants to re-install Windows activation software. Should I do it or not?

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Kitty Clark at 2014-03-18 14:14:13 Run:3
Running from C:\Users\Kitty Clark\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Program Files (x86)\The Weather Channel
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
c:\users\Kitty Clark\AppData\Roaming\Vyoqti
c:\users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstall ... 0EtSzZIVTk "&"inst=NzctNzExNTI1MDAxLVhPMTArMTEtTElDKzItVklQKzEtRkwxMCsxLVRVRyszLUREVCs2MTYwMy1ERDEwRisxLVNUMTBGQVBQKzEtU1QxMkZPSSsxLUVVTEErMS1TVDEyRkFQUCsx"&"prod=90"&"ver=2012.0.1809"&"mid=ec2ba82855f747d6a39abdb90fe5910e-473b8ab7618aadb6b0f68fdc49d2c8fec08d808c [X]
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [TWC.Win7] - C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe [47616 2014-02-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
CHR HKLM-x32\...\Chrome\Extension: [defdhglnppeioeflggkmglipcecffkhk] - C:\Program Files (x86)\AutocompletePro\chrome\autocompleteprochrome.crx []
R3 ALSysIO; \??\C:\Users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys [X]
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-17 19:00 - 2014-03-17 14:30 - 00000834 _____ () C:\Windows\Tasks\Security Center Update - 11611984.job
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-17 18:59 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-17 18:59 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-17 14:30 - 2014-03-17 14:30 - 00003854 _____ () C:\Windows\System32\Tasks\Security Center Update - 11611984
2014-03-16 15:11 - 2013-10-03 20:15 - 00000338 _____ () C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2014-03-16 15:11 - 2013-10-03 20:14 - 00000352 _____ () C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
*****************


"C:\Program Files (x86)\The Weather Channel" directory move:

C:\Program Files (x86)\The Weather Channel\The Weather Channel App\UNWISE.EXE => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\Microsoft.Expression.Drawing.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\Microsoft.Expression.Interactions.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\Microsoft.Maps.MapControl.WPF.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\Microsoft.Threading.Tasks.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\Microsoft.Threading.Tasks.Extensions.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\System.IO.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\System.Net.Http.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\System.Runtime.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\System.Threading.Tasks.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\System.Windows.Interactivity.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe.config => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.Models.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.Services.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.UI.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\Microsoft.Expression.Drawing.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\Microsoft.Maps.MapControl.WPF.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\Microsoft.Threading.Tasks.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\Microsoft.Threading.Tasks.Extensions.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\System.IO.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\System.Net.Http.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\System.Runtime.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\System.Threading.Tasks.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\TWC.Win7.exe => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\TWC.Win7.Models.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\TWC.Win7.Services.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\TWC.Win7.UI.dll => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\upgrade\upgrade.bat => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\DiskStorage\DownloadInfo.json => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\DiskStorage\LocalSettings.json => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\DiskStorage\SavedLocations.json => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\DiskStorage\ViewingLocation.json => Moved successfully.
C:\Program Files (x86)\The Weather Channel\Desktop Weather\Assets\TWC.ico => Moved successfully.
Could not move "C:\Program Files (x86)\The Weather Channel" directory. => Scheduled to move on reboot.

C:\Users\Kitty Clark\AppData\Roaming\Omvutyg => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti => Moved successfully.
"c:\users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Afwoynunylo => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Buleodliyg => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\AvgUninstallURL => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\TWC.Win7 => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Buleodliyg => Value not found.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Afwoynunylo => Value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000} => Key deleted successfully.
HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer => Key deleted successfully.
C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll => Moved successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer => Key deleted successfully.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll => Moved successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\defdhglnppeioeflggkmglipcecffkhk => Key deleted successfully.
"C:\Program Files (x86)\AutocompletePro\chrome\autocompleteprochrome.crx" => File/Directory not found.
ALSysIO => Service stopped successfully.
ALSysIO => Service deleted successfully.
"C:\Users\Kitty Clark\AppData\Roaming\Vyoqti" => File/Directory not found.
"C:\Users\Kitty Clark\AppData\Roaming\Omvutyg" => File/Directory not found.
"C:\Windows\Tasks\Security Center Update - 11611984.job" => File/Directory not found.
"C:\Users\Kitty Clark\AppData\Roaming\Vyoqti" => File/Directory not found.
"C:\Users\Kitty Clark\AppData\Roaming\Omvutyg" => File/Directory not found.
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
"C:\Windows\System32\Tasks\Security Center Update - 11611984" => File/Directory not found.
"C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job" => File/Directory not found.
"C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-03-18 14:16:04)<=

C:\Program Files (x86)\The Weather Channel => Moved successfully.

==== End of Fixlog ====
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 18th, 2014, 4:16 pm

StephenClark wrote: .... got a warning from Windows Activation saying an unauthorized change was made to Windows. There was a link for more information, and it wants to re-install Windows activation software. Should I do it or not?


How exactly was the message worded? Please include details of the link.

We haven't altered any kernel or system settings directly, so it's hard to see what "unauthorised changes" we might have made.

In the meantime, please run the ESET scan and post me the log from it.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 4:29 pm

A window came up titled Windows Activation, and the message was "an unauthorized change was made to windows that might cause it to run incorrectly" or something of that nature. Then a "more information" link to this:

http://www.microsoft.com/genuine/valida ... 00000&ls=2

In the meantime my wallpaper has turned black and a message at the lower right corner says "Windows 7 Build 7601 This copy of Windows is not genuine"

ESET scan is running 31% done. I unchecked the fix box before starting the scan.
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 18th, 2014, 4:52 pm

I downloaded a copy of the file linked to, and have done a rudimentary analysis of it, and it appears to be a genuine Windows download. I've also had it scanned at VirusTotal and it looks good ...

See ... https://www.virustotal.com/en/file/7be5 ... 395175888/

... so I'd download and run the tool if I were you.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 5:01 pm

Thanks for the verification. I thought it looked like a valid Windows message, but one never knows for sure, does one?
I'll run it after the scan completes. It's at 33% now.
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 18th, 2014, 6:13 pm

14. Run ESET scan, no fix - Completed successfully. I'm going to run the Windows Validation link now, and I'll report in next post.

ESET.txt:

C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\gvupnbox.exe.xBAD a variant of Win32/Injector.AZZY trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\kquxiuqo.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\rfexcbap.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_6edee315.exe.xBAD a variant of Win32/Injector.AZZY trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Izcailfo\alodxab.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe.xBAD a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\Omvutyg\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe.xBAD a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\Vyoqti\ygotoxu.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\Vyoqti\Vyoqti\ygotoxu.exe a variant of Win32/Kryptik.BXLT trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe.xBAD a variant of Win32/Kryptik.BXLT trojan
C:\Qoobox\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe.vir a variant of Win32/Kryptik.BXLT trojan
C:\Qoobox\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe.vir a variant of Win32/Kryptik.BXLT trojan
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm