is it possible that I found a new virus?


9 replies to this topic

#1 michael mellner


Posted 13 February 2013 - 03:24 AM

Hello there. The subject might sound a bit far-fetched, but I'm trying to figure this thing out and don't know what else to do.

I have an HP Envy 3D 2199 laptop fully loaded with everything. It works like a charm, so no slowing down or anything that would make me think something is going on inside it.

Yesterday, while checking the processes that were running, I noticed a process called pyweil.exe.

It got my attention also because Windows Firewall asked me what to do with this process, which was requesting incoming access. Of course I denied it.

Not recognizing it as a known process, I did a search on the net but didn't find anything. The location of this thing is the following:

users/mic/AppData/Roaming/Zeob where mic is my name.

I ran a search for this folder as well, the Zeob one, but couldn't find anything: zero information on both this exe file and its folder.

I ran CCleaner and checked the startup processes and found this exe was in the list of things running at startup. I deactivated it and rebooted the laptop, but it was still there, both in the processes and in the CCleaner startup process list.

I installed Malwarebytes and ran a full-scale analysis, but everything was perfect: no infection at all.

This morning the process is not running, and running CCleaner again, it is no longer in the list of startup processes.

I really don't know what to do. I'm tempted to remove that folder from the AppData folder but don't know if that's the right thing to do.

What do you experts suggest?

All the best

michael


Edited by michael mellner, 13 February 2013 - 03:31 AM.




#2 miekiemoes


Posted 13 February 2013 - 11:34 AM

Hi,

 

This smells like a Zbot variant. Do you still have that folder and file present? If so, can you upload the pyweil.exe file to here please?

http://www.bleepingcomputer.com/submit-malware.php?channel=8

I am 99% sure you can delete the folder Zeob afterwards though.


AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 michael mellner


Posted 14 February 2013 - 04:06 AM

Hi Miekiemoes, and thanks for your reply. After my post something happened. Yesterday morning (I opened the thread the night before), while checking the open processes, I didn't find pyweil.exe in the list, and it was no longer in the Zeob folder.

So I deleted the folder and that was it. It was no longer in the CCleaner startup list either. I remember, though, that after I manually terminated the process I also cancelled the entry in CCleaner as well.

And that might be the reason I couldn't find the thing anymore. After some hours, though, I found a similar thing going on: same location, different folder. This time the folder is named Conia and the file is named piygi.exe. This is still there and I will upload it right away.

 

all the best for now



#4 michael mellner


Posted 14 February 2013 - 04:10 AM

I already uploaded it. You should have it there at your disposal for checking.


Edited by michael mellner, 14 February 2013 - 04:11 AM.


#5 miekiemoes


Posted 14 February 2013 - 04:33 AM

Hi,

 

As expected, this is indeed a Zbot variant. Detection for this one will be added to Malwarebytes in the next database update.

This Zbot variant always creates 2 randomly named folders under AppData/Roaming with randomly named files in them.

Please also delete the Conia folder and let me know if it returns afterwards.

In case it doesn't return, please change all your passwords, because Zbot is known to be a password-stealing trojan.

 

As an extra checkup, please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.



#6 michael mellner


Posted 14 February 2013 - 05:24 AM

OK. I'm running DDS now. Here's the DDS log pasted:

 


One last thing: what about the registry entries? Shall I delete them manually? I mean the ones with the names Conia and Zeob.

 

thanks again


#7 michael mellner


Posted 14 February 2013 - 05:36 AM

Another thing: do the 2 folders Zbot creates always contain exe files, or something else? Because in that folder I see some other folders which have strange names but don't contain exe files. The majority of them are familiar, but a couple aren't.



#8 miekiemoes


Posted 14 February 2013 - 05:43 AM

Hi,

 

You also have to delete the following folders:

C:\Users\mic\AppData\Roaming\Yfwo
C:\Users\mic\AppData\Roaming\Fiab

 

Another thing: do the 2 folders Zbot creates always contain exe files, or something else? Because in that folder I see some other folders which have strange names but don't contain exe files. The majority of them are familiar, but a couple aren't.

Yes, one contains exe files (randomly named), the other folder contains other files (no exe), but also randomly named. The non-exe files are mainly "data" files.

 

One last thing: what about the registry entries? Shall I delete them manually? I mean the ones with the names Conia and Zeob.

 

I actually don't see any startup references to these in the DDS log anymore. They normally have a reference in your startup items. It's possible that CCleaner already cleared those out, since it scans for orphaned keys/entries as well.

But yes, you can delete additional references (if still present). In case you're not sure what to delete, export the key so I can have a look at it :)


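A defender-side triage helper for the pattern described in posts #5 and #8 (two randomly named folders under AppData\Roaming, one of them holding a randomly named exe, and a startup entry pointing into it). This is an added example, not code from the thread or from the DDS tool; it parses the "Created Last 30" and Run-entry line formats of the DDS log used in this thread, the sample lines are constructed, and the short-capitalised-name heuristic and allowlist are assumptions tuned to the names seen here (Zeob, Conia, Yfwo, Fiab).

```python
import re

# DDS "Created Last 30" line: timestamp, size (or dashes), attribute flags, path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
# DDS startup entries: uRun / mRun / x64-Run: [entry name] command line
RUN_RE = re.compile(r"^(?:x64-Run|[um]Run):\s+\[([^\]]*)\]\s+(.+?)\s*$")
# First path component directly below AppData\Roaming
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\([^\\\"\s]+)", re.IGNORECASE)
# Heuristic (assumption): the variant's folder names are short, capitalised,
# purely alphabetic words such as Zeob, Conia, Yfwo, Fiab.
RANDOM_NAME_RE = re.compile(r"^[A-Z][a-z]{3,5}$")
# Legitimate Roaming folders that could otherwise match (assumption; extend per host)
ALLOWLIST = {"Adobe", "Skype", "Mozilla", "WebApp"}


def looks_random(name):
    """True when a Roaming folder name fits the random-name heuristic."""
    return name not in ALLOWLIST and RANDOM_NAME_RE.match(name) is not None


def suspicious_roaming_dirs(lines):
    """Random-looking directories (attribute flag 'd') created under AppData\\Roaming."""
    found = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m or not m.group(3).startswith("d"):
            continue
        r = ROAMING_RE.search(m.group(4))
        if r and looks_random(r.group(1)) and r.group(1) not in found:
            found.append(r.group(1))
    return found


def startup_refs_into_roaming(lines):
    """(entry name, folder) for Run entries whose command points into such a folder."""
    refs = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        r = ROAMING_RE.search(m.group(2))
        if r and looks_random(r.group(1)):
            refs.append((m.group(1), r.group(1)))
    return refs


def triage(log_text):
    """Run both checks over a DDS log and return what to review or remove."""
    lines = log_text.splitlines()
    return {
        "folders": suspicious_roaming_dirs(lines),
        "startup": startup_refs_into_roaming(lines),
    }


# Constructed sample in DDS line format (not the poster's real log).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Piygi] C:\Users\mic\AppData\Roaming\Conia\piygi.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
=============== Created Last 30 ================
2013-02-13 14:37:54 -------- d-----w- C:\Users\mic\AppData\Roaming\Yfwo
2013-02-13 14:37:54 -------- d-----w- C:\Users\mic\AppData\Roaming\Fiab
2013-02-12 22:23:37 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-01-15 17:16:06 -------- d-----w- C:\Users\mic\AppData\Roaming\WebApp
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for folder in result["folders"]:
        print(f"review folder: AppData\\Roaming\\{folder}")
    for entry, folder in result["startup"]:
        print(f"startup entry [{entry}] points into AppData\\Roaming\\{folder}")
```

Feed it the text of a real DDS.txt instead of SAMPLE_LOG; the heuristic only narrows the review list, so treat hits as candidates to inspect, not as an automatic verdict.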

#9 michael mellner


Posted 14 February 2013 - 05:52 AM

Thanks a lot for the help: I really appreciate it! And you have been wonderful.

Yes, the two folders mentioned were the ones I noticed: deleted now!

I will try to clean the registry of the entries with those pyweil and piygi names.

 

many thanks again

 

michael



#10 miekiemoes


Posted 14 February 2013 - 06:01 AM

Glad I could help. :)

Please read my Prevention page, with lots of info and tips on how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here. Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan. Happy surfing again!





