[Jetfueled]

Pup Bundle was quarantined

Trojan.Zero.Access!.Inf needs manual removal


Computer seems ok, but I got the ZeroAcess! Inf once before and the computer came down with a re-direct a few days later

Thank you




OTL logfile created on: 2/22/2012 8:07:00 PM - Run 6
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\HP_Administrator\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.23 Mb Total Physical Memory | 224.66 Mb Available Physical Memory | 22.13% Memory free
2.38 Gb Paging File | 1.77 Gb Available in Paging File | 74.34% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.25 Gb Total Space | 110.46 Gb Free Space | 79.33% Space Free | Partition Type: NTFS
Drive D: | 9.78 Gb Total Space | 6.31 Gb Free Space | 64.52% Space Free | Partition Type: NTFS

Computer Name: YOUR-235B2CE4A2 | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/22 20:06:07 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\My Documents\Downloads\OTL(8).exe
PRC - [2012/01/13 14:53:16 | 000,981,680 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2011/12/18 09:29:40 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/18 09:41:44 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/08/03 23:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/10 17:20:35 | 003,340,064 | ---- | M] () -- c:\Program Files\Common Files\Akamai\netsession_win_7de0ed9.dll
MOD - [2012/02/01 17:24:26 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/12/18 09:29:38 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/02/10 17:20:35 | 003,340,064 | ---- | M] () [Auto | Running] -- c:\program files\common files\akamai/netsession_win_7de0ed9.dll -- (Akamai)
SRV - [2011/08/03 23:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe -- (N360)
SRV - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - [2012/02/22 20:01:24 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/02/03 22:30:59 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/03 22:30:58 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/12/15 18:33:22 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20120218.003\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/11/30 21:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20120215.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/08/21 21:53:36 | 000,362,360 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0404000.00C\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/08/21 21:53:35 | 000,173,176 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\SYMEFA.SYS -- (SymEFA)
DRV - [2011/08/03 23:19:30 | 000,485,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\ccHPx86.sys -- (ccHP)
DRV - [2011/08/03 20:35:05 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120222.001\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/03 20:35:05 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120222.001\NAVENG.SYS -- (NAVENG)
DRV - [2011/02/19 16:11:40 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/04/29 00:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 21:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0404000.00C\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 21:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/10/14 22:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\SYMDS.SYS -- (SymDS)
DRV - [2008/10/26 16:48:00 | 004,881,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/09/09 23:10:00 | 000,207,872 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS3.sys -- (HSFHWBS3)
DRV - [2008/09/09 23:09:54 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/09/09 23:09:52 | 000,985,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2008/08/07 06:14:56 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2011/07/20 04:57:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn_2010_9_0_6 [2012/02/22 19:28:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/08/18 09:42:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/18 09:29:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/01 16:32:18 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Easy-Hide-IP\ff-extension [2011/02/08 09:59:00 | 000,000,000 | ---D | M]

[2009/07/02 18:38:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2012/01/25 21:08:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\extensions
[2009/09/02 06:39:22 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/25 21:08:09 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/12/18 09:29:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/25 20:51:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2011/04/25 20:51:24 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/12/18 09:29:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/18 09:29:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/18 09:29:35 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - Extension: Entanglement = C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.3_0\
CHR - Extension: Poppit = C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2012/01/23 17:39:16 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5A20AA8A-5E6B-4D6C-9022-9199C705DCB0}: DhcpNameServer = 68.87.71.230 68.87.73.246
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/26 17:25:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/22 16:15:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Administrator\Recent
[2012/01/25 17:45:13 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2012/01/23 21:16:22 | 000,000,000 | -HSD | C] -- C:\RECYCLER

========== Files - Modified Within 30 Days ==========

[2012/02/22 19:53:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/22 19:28:05 | 000,000,334 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2012/02/22 19:28:04 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2012/02/22 19:27:55 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/22 19:27:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/22 16:46:54 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
[2012/02/22 16:32:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/18 11:15:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/02/15 15:39:45 | 000,000,929 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ZoomBrowser EX.lnk
[2012/02/15 04:32:54 | 000,151,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/14 18:07:37 | 000,432,784 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/14 18:07:37 | 000,067,740 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/07 16:00:00 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/06 17:30:34 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/02 20:55:55 | 000,030,939 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\pig.jpg
[2012/01/25 17:45:18 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe

========== Files Created - No Company Name ==========

[2012/02/15 15:39:45 | 000,000,929 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\ZoomBrowser EX.lnk
[2012/02/14 16:36:44 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/14 16:36:44 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/02 20:55:54 | 000,030,939 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\pig.jpg
[2012/01/23 17:11:42 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/23 17:11:42 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/23 17:11:42 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/23 17:11:42 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/23 17:11:42 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/17 18:06:13 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/21 22:07:09 | 000,721,288 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/09/26 17:15:06 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/05/18 16:41:21 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/07/29 18:07:58 | 000,000,785 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/06/11 10:01:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat

========== LOP Check ==========

[2009/10/21 16:06:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
[2011/02/19 15:57:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/10/16 17:51:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/07/02 17:35:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/10/16 18:15:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/05/27 09:21:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2010/10/16 17:47:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/01/27 12:49:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2008/11/26 17:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2011/11/19 17:35:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/10/18 20:28:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2010/08/14 20:43:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2012/02/22 19:28:05 | 000,000,334 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job

========== Purity Check ==========



< End of report >

[Advertisements]

Hello Jetfueled and welcome to GeeksToGo

My nickname is GLeobas and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.

• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
• Please do not try to fix anything without being asked
• I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
• I am currently reviewing your logs.

[WhiteHat]

Hello Jetfueled and welcome to GeeksToGo

My nickname is GLeobas and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.

• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
• Please do not try to fix anything without being asked
• I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
• I am currently reviewing your logs.

[WhiteHat]

# Step 1 #

Download aswMBR.exe ( 1.8mB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


# Step 2 #

I need to see the reports generated by MalwareBytes' Anti-Malware.

Please, reopen MalwareBytes' Anti-Malware and open de Logs tab.

In the Logs tab, search for the search for the most recent logs and post them.


# Step 3 #

I see in your log that you ran ComboFix.

Please, go to C:\ and post the contents of ComboFix.txt file.



# Step 4 #

Logs I want to see in your next reply:

• aswMBR log.
• MalwareBytes' Anti-Malware logs.
• ComboFix log.

[Jetfueled]

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-26 13:14:22
-----------------------------
13:14:22.671 OS Version: Windows 5.1.2600 Service Pack 3
13:14:22.671 Number of processors: 2 586 0x1C02
13:14:22.671 ComputerName: YOUR-235B2CE4A2 UserName:
13:14:23.718 Initialize success
13:14:59.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
13:14:59.781 Disk 0 Vendor: ST3160812AS 3.AHL Size: 152627MB BusType: 3
13:14:59.796 Disk 0 MBR read successfully
13:14:59.796 Disk 0 MBR scan
13:14:59.796 Disk 0 unknown MBR code
13:14:59.796 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 142592 MB offset 63
13:14:59.828 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10017 MB offset 292045635
13:14:59.828 Disk 0 scanning sectors +312560640
13:14:59.843 Disk 0 malicious Win32:MBRoot code @ sector 312560643 !
13:14:59.843 Disk 0 PE file @ sector 312560665 !
13:14:59.890 Disk 0 scanning C:\WINDOWS\system32\drivers
13:15:05.375 Service scanning
13:15:16.671 Modules scanning
13:15:34.031 Disk 0 trace - called modules:
13:15:34.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:15:34.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86571ab8]
13:15:34.546 3 CLASSPNP.SYS[f75c8fd7] -> nt!IofCallDriver -> \Device\00000066[0x865e7558]
13:15:34.546 5 ACPI.sys[f745f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8657f940]
13:15:34.562 Scan finished successfully
13:16:00.562 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
13:16:00.562 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"


-----------------------------------------------------------------------------------------------------------------------------------
ComboFix 12-02-24.02 - HP_Administrator 02/26/2012 13:40:46.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.372 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}


* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-01-26 to 2012-02-26 )))))))))))))))))))))))))))))))
.
.
2012-02-14 21:36 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-14 21:36 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-01 22:24 . 2011-07-02 10:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2008-11-26 21:10 1859968 ------w- c:\windows\system32\win32k.sys
2011-12-19 08:13 . 2008-11-26 21:10 832512 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:13 . 2008-11-26 21:10 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-12-19 08:13 . 2008-11-26 21:10 78336 ------w- c:\windows\system32\ieencode.dll
2011-12-19 08:13 . 2008-11-26 21:10 17408 ------w- c:\windows\system32\corpol.dll
2011-12-10 20:24 . 2012-01-23 21:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 14:29 . 2011-03-24 12:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-09-24 210216]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-08-18 273528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-10-26 21:47 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2009-10-06 22:01 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-Hide-IP]
2010-10-20 20:50 4539392 ----a-w- c:\program files\Easy-Hide-IP\easy-hide-ip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-26 21:48 17021440 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-11 11:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2010-05-31 11:18 323976 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Easy-Hide-IP\\easy-hide-ip.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"1050:TCP"= 1050:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0404000.00C\symds.sys [10/31/2011 3:33 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0404000.00C\symefa.sys [10/31/2011 3:33 PM 173176]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [2/15/2012 8:09 PM 820344]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0404000.00C\cchpx86.sys [10/31/2011 3:33 PM 485512]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0404000.00C\ironx86.sys [10/31/2011 3:33 PM 116784]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [11/26/2008 4:10 PM 14336]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe [10/31/2011 3:33 PM 126400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/3/2012 10:30 PM 106104]
R3 HSFHWBS3;HSFHWBS3;c:\windows\system32\drivers\HSFHWBS3.sys [11/26/2008 5:34 PM 207872]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20120224.002\IDSXpx86.sys [2/24/2012 4:58 PM 356280]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/12/2009 12:44 PM 47360]
S2 gupdate1ca021b3d388aee;Google Update Service (gupdate1ca021b3d388aee);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2009 6:32 AM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2009 6:32 AM 133104]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-02-25 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-15 14:50]
.
2012-02-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-11 00:54]
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 11:32]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 11:32]
.
2012-02-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2012-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2464341608-3933873169-3681834009-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\1ehlfnc0.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-26 13:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-02-26 13:53:53
ComboFix-quarantined-files.txt 2012-02-26 18:53
ComboFix2.txt 2012-01-23 22:47
.
Pre-Run: 118,466,498,560 bytes free
Post-Run: 118,452,654,080 bytes free
.
- - End Of File - - F6F7110DDAED8E303B6B5D4C4CB513A3

------------------------------------------------------------------------------------------------------------------------------------------------Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.26.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
HP_Administrator :: YOUR-235B2CE4A2 [administrator]

2/26/2012 7:36:32 AM
mbam-log-2012-02-26 (07-36-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 186094
Time elapsed: 18 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
--------------------------------------------------------------------------------------------------------------------------------------------

HP_Administrator :: YOUR-235B2CE4A2 [administrator]

2/22/2012 5:54:32 PM
mbam-log-2012-02-22 (17-54-32).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 248345
Time elapsed: 1 hour(s), 22 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Opera\Opera\cache\g_0002\opr00086.tmp (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)
----------------------------------------------------------------------------------------------------------------
zeroaccess!inf was detected by Norton
said manual removal required


I can't see, to copy and paste that

Edited by Jetfueled, 26 February 2012 - 01:05 PM.

[WhiteHat]

Hi,

zeroaccess!inf was detected by Norton
said manual removal required


I can't see, to copy and paste that

Please, can you tell me which file Norton is detecting by Zero.Acess?

You can find this information in own antivirus quarantine.


Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
• Click on this link to see a list of programs that should be disabled.
• Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
• Allow the driver to load if asked.
• You may be prompted to scan immediately if it detects rootkit activity.
• If you are prompted to scan your system click "No", save the log and post back the results.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as Results.log and copy/paste the contents in your next reply.
• Exit the program and re-enable all active protection when done.

[Jetfueled]

Norton Security History -

A0065182.sys contains threat Trojan.Zeroaccess!inf

requires manual removal

-----------------------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-27 20:39:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3160812AS rev.3.AHL
Running: c35jrght.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uwgcyaob.sys


---- System - GMER 1.0.15 ----

SSDT 8643F050 ZwAlertResumeThread
SSDT 85F62050 ZwAlertThread
SSDT 853A4308 ZwAllocateVirtualMemory
SSDT 853C0050 ZwAssignProcessToJobObject
SSDT 863B2460 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA0C2210]
SSDT 85372FC0 ZwCreateMutant
SSDT 85F1BC70 ZwCreateSymbolicLinkObject
SSDT 853538A8 ZwCreateThread
SSDT 85AC4050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA0C2490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA0C29F0]
SSDT 85351418 ZwDuplicateObject
SSDT 85F96F80 ZwFreeVirtualMemory
SSDT 861E5050 ZwImpersonateAnonymousToken
SSDT 863890D0 ZwImpersonateThread
SSDT 863D8130 ZwLoadDriver
SSDT 85356F70 ZwMapViewOfSection
SSDT 86391150 ZwOpenEvent
SSDT 8535FE18 ZwOpenProcess
SSDT 864C98B0 ZwOpenProcessToken
SSDT 85F93150 ZwOpenSection
SSDT 853514A8 ZwOpenThread
SSDT 85F1BD40 ZwProtectVirtualMemory
SSDT 86440050 ZwResumeThread
SSDT 859B7050 ZwSetContextThread
SSDT 8539DA48 ZwSetInformationProcess
SSDT 85F1B1C0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA0C2C40]
SSDT 85F64150 ZwSuspendProcess
SSDT 86441050 ZwSuspendThread
SSDT 85F999F8 ZwTerminateProcess
SSDT 8637F1C0 ZwTerminateThread
SSDT 863B0DA0 ZwUnmapViewOfSection
SSDT 8535BF80 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\program files\real\realplayer\update\realsched.exe[1068] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 312560643
Disk \Device\Harddisk0\DR0 PE file @ sector 312560665

---- EOF - GMER 1.0.15 ----

[WhiteHat]

Hi,

I identified the infection on your computer and I will try to cleanup now.


# Step 1 #

• Re-run aswMBR.exe
• Click [Scan]
• Click the [Fix]
• Reboot

# Step 2 #

Please reopen on your desktop.

• Under the box at the bottom, paste in the following
  
  

  :Commands
  [CLEARALLRESTOREPOINTS]
  

• Then click the button at the top
• Let the program run unhindered, reboot the PC when it is done
• Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 3 #

Run GMER again

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
• Click on this link to see a list of programs that should be disabled.
• Double-click on GMER file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
• Allow the driver to load if asked.
• You may be prompted to scan immediately if it detects rootkit activity.
• If you are prompted to scan your system click "No", save the log and post back the results.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as Results.log and copy/paste the contents in your next reply.
• Exit the program and re-enable all active protection when done.

[Jetfueled]

========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 02292012_155711


--------------------------------------------------------------------------------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-29 21:26:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3160812AS rev.3.AHL
Running: c35jrght.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uwgcyaob.sys


---- System - GMER 1.0.15 ----

SSDT 859BB050 ZwAlertResumeThread
SSDT 85F22050 ZwAlertThread
SSDT 85369768 ZwAllocateVirtualMemory
SSDT 85F9E050 ZwAssignProcessToJobObject
SSDT 865665D8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA0C2210]
SSDT 8535CC50 ZwCreateMutant
SSDT 8535C4B8 ZwCreateSymbolicLinkObject
SSDT 8536E3F8 ZwCreateThread
SSDT 85F9B050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA0C2490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA0C29F0]
SSDT 853698C0 ZwDuplicateObject
SSDT 853695C8 ZwFreeVirtualMemory
SSDT 85AC6050 ZwImpersonateAnonymousToken
SSDT 854A6050 ZwImpersonateThread
SSDT 863CA6D0 ZwLoadDriver
SSDT 8536E3A0 ZwMapViewOfSection
SSDT 85ADE050 ZwOpenEvent
SSDT 85369A60 ZwOpenProcess
SSDT 8537C710 ZwOpenProcessToken
SSDT 85F9C050 ZwOpenSection
SSDT 85369990 ZwOpenThread
SSDT 8535C808 ZwProtectVirtualMemory
SSDT 85F93050 ZwResumeThread
SSDT 85F24050 ZwSetContextThread
SSDT 853693E8 ZwSetInformationProcess
SSDT 85AE1050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA0C2C40]
SSDT 85AE0050 ZwSuspendProcess
SSDT 85F23050 ZwSuspendThread
SSDT 85367160 ZwTerminateProcess
SSDT 85F92050 ZwTerminateThread
SSDT 85F8A3B0 ZwUnmapViewOfSection
SSDT 85369698 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F74 80504810 4 Bytes CALL 8ED57EA8
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\program files\real\realplayer\update\realsched.exe[552] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

[WhiteHat]

# Step 1 #

How your computer is. Please, check if Norton is still showing the infection message

Trojan.Zero.Access!.Inf needs manual removal

# Step 2 #

Disable your antivirus software

• Acess the Eset Online Scanner website using Internet Explorer navigator.
  http://www.eset.com/...escan/index.php
• Do the scan according the image:
  
  
• At the end, check the box "Delete Quarantined files" and click in [FINISH]
• It will be generated a log in C:\Program Files\EsetOnlineScanner\Log.txt
  PS: If you didn't find the log.txt file in \EsetOnlineScanner\, look on \Program Files\Eset\EsetOnlineScanner\log.txt
• Post that log.

[Jetfueled]

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17108 (vista_gdr.111215-0007)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=69cd13e13a180a498c8293bf4c40c7e8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-03 10:32:52
# local_time=2012-03-03 05:32:52 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3589 16777173 80 86 9654916 94080525 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=63013
# found=2
# cleaned=2
# scan_time=11742
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\cnet_rrsetup_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\twain_32\My Documents\My Download Files\BSINSTALL.exe a variant of Win32/Adware.WhenUSave application (deleted - quarantined) 00000000000000000000000000000000 C

[WhiteHat]

Hi,

You forgot to reply my question:

How your computer is. Please, check if Norton is still showing the infection message

Trojan.Zero.Access!.Inf needs manual removal

[Jetfueled]

actually i was just testing the computer and i was going to add this.

computer is running slow - long time loading pages

yesterday my wife's hotmail account was hijacked, sending out spam in her name. she changed the password.

edit update -

computer is now running pretty fast

Edited by Jetfueled, 04 March 2012 - 06:14 PM.

[WhiteHat]

Hi,

Sorry for delay.

yesterday my wife's hotmail account was hijacked, sending out spam in her name. she changed the password.

Usually that is the necessary to not happen anymore.

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix

• Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
• In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
  
  
• Follow the prompts on the screen
• A message should appear confirming that ComboFix was uninstalled

Remove OTL

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

• Go to this site and click Do I have Java
• It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

• Go to Control Panel and select System
• Select System
• On the left select System Protection and accept the warning if you get one
• Select System Protection Tab
• Select Create at the bottom
• Type in a name i.e. Clean
• Select Create

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe.

[Jetfueled]

I've been having a lot of problems today. Computer is VERY slow. For a while I could not type anything in search boxes, although the cursar was working. Also when I tried to run programs and my monitor went into save mode, I could not get back to the programs when I hit enter on the keyboard. Monitor stayed black.

It is better now. Last night was good. Then bad a couple of hours ago. Now okay again.

I think something is still in my computer. Malwarebytes and Norton show no problems.

Edited by Jetfueled, 05 March 2012 - 08:56 PM.

[WhiteHat]

Hi,

Your computer looks like clean but I will check again. Remember, not all computer problems are caused by a malware.

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• In Extra Registry, select Use SafeList
• Under the Custom Scan box paste this in
  netsvcs
  msconfig
  %SYSTEMDRIVE%\*.*
  %systemdrive%\drivers\*.exe
  %systemroot%\system32\drivers\*.* /90
  %PROGRAMFILES%\*.*
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  C:\Windows\assembly\tmp\U /s
  HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs
  HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs
  CREATERESTOREPOINT
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic