iexploror.exe malware infection


#1
kjojo
My computer at work is having some sort of malware issue. It is getting a popup almost continuously that LOOKS like part of Windows XP, that says "Are you sure you want to navigate away from the page? Wait! Wait! Press OK to continue, or Cancel to stay on the current page." In the task manager, there are 2 instances of iexploror.exe running.

I would appreciate any help or information you could provide me :)

I read the "Welcome" post on this forum and downloaded OTL and Quick Scanned with it. Here is the OTL file (and at the bottom is the extras.txt file):

OTL logfile created on: 09/10/2013 6:48:08 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = J:\Kristen's Shared Stuff\computer cleanup
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

1015.48 Mb Total Physical Memory | 497.10 Mb Available Physical Memory | 48.95% Memory free
1.26 Gb Paging File | 0.88 Gb Available in Paging File | 69.37% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 59.43 Gb Free Space | 79.74% Space Free | Partition Type: NTFS
Drive J: | 265.39 Gb Total Space | 207.33 Gb Free Space | 78.12% Space Free | Partition Type: NTFS
Drive Z: | 265.39 Gb Total Space | 207.33 Gb Free Space | 78.12% Space Free | Partition Type: NTFS

Computer Name: KRISTEN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/09/10 18:29:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- J:\Kristen's Shared Stuff\computer cleanup\OTL.exe
PRC - [2013/09/10 14:40:06 | 000,261,632 | ---- | M] () -- C:\Microsoft__SDK\lib\include\iexploror.exe
PRC - [2013/09/10 14:39:33 | 000,057,344 | ---- | M] () -- C:\Microsoft_SDK\lib\include\iexploror.exe
PRC - [2012/05/21 11:34:26 | 001,937,408 | ---- | M] (USB Server) -- C:\Program Files\USB Server 2\USB Server.exe
PRC - [2012/03/20 15:00:40 | 000,471,040 | ---- | M] () -- C:\Program Files\Generic\Network Printer Wizard\NPWService.exe
PRC - [2011/10/11 21:34:47 | 000,117,648 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
PRC - [2009/11/15 01:56:20 | 000,324,976 | ---- | M] (Flexera Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 15:58:34 | 001,757,696 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\system32\hasplms.exe
PRC - [2006/07/29 22:16:26 | 000,040,960 | ---- | M] (Dolphin Imaging Systems, LLC) -- C:\Dolphin\smss1.exe
PRC - [2003/12/17 10:50:00 | 000,037,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PRC - [2003/12/12 19:22:36 | 000,094,208 | ---- | M] (ICSI Technology Ltd.) -- C:\WINDOWS\Dit.exe
PRC - [2002/09/12 13:13:18 | 001,101,824 | ---- | M] (Copyright © ahead software gmbh and its licensors) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2001/01/05 15:40:58 | 001,701,888 | ---- | M] (Inprise Corporation) -- C:\Program Files\InterBase\Bin\ibserver.exe
PRC - [2001/01/05 12:41:24 | 000,022,016 | ---- | M] (Inprise Corporation) -- C:\Program Files\InterBase\Bin\ibguard.exe


========== Modules (No Company Name) ==========

MOD - [2013/09/10 14:40:06 | 000,261,632 | ---- | M] () -- C:\Microsoft__SDK\lib\include\iexploror.exe
MOD - [2013/09/10 14:39:33 | 000,057,344 | ---- | M] () -- C:\Microsoft_SDK\lib\include\iexploror.exe
MOD - [2012/05/21 11:34:12 | 000,487,424 | ---- | M] () -- C:\Program Files\USB Server 2\PSMDLL.dll
MOD - [2012/05/21 11:34:06 | 000,245,760 | ---- | M] () -- C:\Program Files\USB Server 2\DCPDLL.dll
MOD - [2012/05/21 11:34:06 | 000,106,496 | ---- | M] () -- C:\Program Files\USB Server 2\UNTPDLL.dll
MOD - [2012/05/21 11:34:04 | 000,090,112 | ---- | M] () -- C:\Program Files\USB Server 2\ESTLogDLL.dll
MOD - [2012/03/20 15:00:40 | 000,471,040 | ---- | M] () -- C:\Program Files\Generic\Network Printer Wizard\NPWService.exe
MOD - [2012/03/20 15:00:36 | 000,253,952 | ---- | M] () -- C:\Program Files\Generic\Network Printer Wizard\NPWpsm.dll
MOD - [2012/03/20 15:00:32 | 000,299,008 | ---- | M] () -- C:\Program Files\Generic\Network Printer Wizard\NPWdcp.dll
MOD - [2012/03/20 15:00:30 | 000,110,592 | ---- | M] () -- C:\Program Files\Generic\Network Printer Wizard\NPWuntp.dll
MOD - [2012/03/20 15:00:28 | 000,090,112 | ---- | M] () -- C:\Program Files\Generic\Network Printer Wizard\NPWlog.dll
MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/03/25 00:50:40 | 000,355,112 | ---- | M] () -- C:\WINDOWS\system32\msjetoledb40.dll
MOD - [2002/09/13 11:08:28 | 000,458,752 | ---- | M] () -- C:\Program Files\Ahead\InCD\Res.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\GoogleUpdate.exe < [WARNING: C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \???\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\GoogleUpdate.exe <] -- (etadpug)
SRV - [2012/03/20 15:00:40 | 000,471,040 | ---- | M] () [Auto | Running] -- C:\Program Files\Generic\Network Printer Wizard\NPWService.exe -- (NPWService)
SRV - [2011/10/11 21:34:47 | 000,117,648 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe -- (N360)
SRV - [2007/08/09 15:58:34 | 001,757,696 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Auto | Running] -- C:\WINDOWS\system32\hasplms.exe -- (hasplms)
SRV - [2001/01/05 15:40:58 | 001,701,888 | ---- | M] (Inprise Corporation) [On_Demand | Running] -- C:\Program Files\InterBase\Bin\ibserver.exe -- (InterBaseServer)
SRV - [2001/01/05 12:41:24 | 000,022,016 | ---- | M] (Inprise Corporation) [Auto | Running] -- C:\Program Files\InterBase\Bin\ibguard.exe -- (InterBaseGuardian)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SNTNLUSB.SYS -- (SNTNLUSB)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/09/07 02:26:22 | 000,380,832 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20130910.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/02/28 07:05:56 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120305.032\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/02/28 07:05:54 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120305.032\NAVENG.SYS -- (NAVENG)
DRV - [2012/02/05 05:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/05 05:00:00 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/10/27 14:27:56 | 000,220,160 | ---- | M] (Elite Silicon Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NUServerXP32.sys -- (NUServerXP32)
DRV - [2011/10/14 10:24:16 | 000,029,184 | ---- | M] (Elite Silicon Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NUS_BusXP32.sys -- (NUS_BusXP32)
DRV - [2011/10/11 21:34:47 | 000,467,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\cchpx86.sys -- (ccHP)
DRV - [2011/10/11 21:34:47 | 000,217,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\symtdi.sys -- (SYMTDI)
DRV - [2011/10/11 21:34:47 | 000,089,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\symfw.sys -- (SYMFW)
DRV - [2011/10/11 21:34:47 | 000,036,472 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\symndis.sys -- (SYMNDIS)
DRV - [2011/10/11 21:34:47 | 000,033,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\symids.sys -- (SYMIDS)
DRV - [2010/03/18 14:40:47 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/18 14:40:34 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\SymEFA.sys -- (SymEFA)
DRV - [2010/03/18 14:40:34 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\srtsp.sys -- (SRTSP)
DRV - [2010/03/18 14:40:34 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\srtspx.sys -- (SRTSPX)
DRV - [2010/03/18 14:40:34 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2010/03/18 14:40:34 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2010/03/18 14:40:32 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308030.006\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/07/28 17:25:22 | 000,027,136 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GenBus.sys -- (EST_BusEnum)
DRV - [2007/08/06 16:25:44 | 000,585,728 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2007/05/28 11:02:02 | 000,352,256 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\aksfridge.sys -- (aksfridge)
DRV - [2005/06/06 17:04:01 | 000,013,440 | ---- | M] (ICSI Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBCRFT.SYS -- (CardReaderFilter)
DRV - [2004/10/01 10:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139)
DRV - [2003/12/17 13:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2003/12/17 13:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)
DRV - [2002/09/13 08:35:44 | 000,448,640 | ---- | M] (ahead software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\bsudf.sys -- (BsUDF)
DRV - [2002/06/05 19:07:00 | 000,009,344 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\bsstor.sys -- (BsStor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKLM\..\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}: "URL" = http://search.tb.ask...r={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {4600E86F-6ABF-4285-BB1E-A8C38D3FF220}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{4600E86F-6ABF-4285-BB1E-A8C38D3FF220}: "URL" = http://www.google.co...&rlz=1I7GGLL_en
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKCU\..\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}: "URL" = http://search.tb.ask...r={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.1.1:80


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2011/11/01 07:21:25 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.3.6\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Dit] C:\WINDOWS\Dit.exe (ICSI Technology Ltd.)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Copyright © ahead software gmbh and its licensors)
O4 - HKLM..\Run: [ISUSPM] C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\isuspm.exe (Flexera Software, Inc.)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SMSS1] C:\Dolphin\SMSS1.LNK ()
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKCU..\Run: [\\PC742115302836\EPSON Stylus Photo R1900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICUA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [AdobeUpdater] C:\Documents and Settings\Administrator\Application Data\Adobe\AdobeUpdaterInstallMgr.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [ctfm0n] C:\Microsoft_SDK\lib\include\cc1xb.js ()
O4 - HKCU..\Run: [Ctfmon] C:\Microsoft__SDK\lib\include\cc1xm.js ()
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found
O4 - HKCU..\Run: [USB Server] C:\Program Files\USB Server 2\USB Server.exe (USB Server)
O4 - HKCU..\Run: [USBServer] C:\Program Files\USB Server 2\USB Server.exe (USB Server)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\smss1.lnk = C:\startupdolph\smss1.exe (Dolphin Imaging Systems, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll (Elite Silicon Technology Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Generic\Network Printer Wizard\NPWprint.dll File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKCU\..Trusted Domains: mytelevox.com ([www-atl] https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1193164949828 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 4.2.2.1 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ED69CD04-FBF0-41D8-9B6C-1160C0356587}: DhcpNameServer = 4.2.2.1 208.67.222.222
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IUNPOService: DllName - (IUNPYw32.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2000/01/23 03:22:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\Shell - "" = AutoRun
O33 - MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{dbe12a2c-f493-11da-aab1-001109131c2e}\Shell\AutoRun\command - "" = E:\setupSNK.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[9999/04/26 20:21:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[9999/04/26 17:55:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2013/09/10 14:18:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2013/09/10 14:18:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2013/09/10 14:12:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ncpa
[2013/09/10 14:12:27 | 000,000,000 | ---D | C] -- C:\Microsoft__SDK
[2013/09/10 14:12:19 | 000,000,000 | ---D | C] -- C:\Microsoft_SDK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/09/10 18:56:11 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/09/10 18:39:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/09/10 15:43:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/09/10 15:39:19 | 000,432,838 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/09/10 15:39:19 | 000,067,794 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/09/10 15:36:54 | 000,000,367 | ---- | M] () -- C:\WINDOWS\Opmspath.ini
[2013/09/10 15:35:42 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/09/10 15:35:30 | 000,052,304 | ---- | M] () -- C:\WINDOWS\dolphin.ini
[2013/09/10 15:35:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/09/10 15:34:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/09/10 14:18:48 | 000,105,324 | ---- | M] () -- C:\WINDOWS\System32\itusbcore.dat
[2013/09/10 14:18:48 | 000,000,198 | ---- | M] () -- C:\WINDOWS\System32\itlsvc.dat
[2013/09/10 14:13:24 | 000,235,144 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\adodbupd.dat
[2013/09/09 09:38:47 | 000,000,036 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2013/08/16 14:45:46 | 001,892,785 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\phone contract.PDF
[2013/08/14 17:56:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/08/12 14:03:12 | 000,025,555 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\logo.JPG
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/09/10 14:19:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/09/10 14:17:38 | 000,105,324 | ---- | C] () -- C:\WINDOWS\System32\itusbcore.dat
[2013/09/10 14:17:38 | 000,000,198 | ---- | C] () -- C:\WINDOWS\System32\itlsvc.dat
[2013/09/10 14:13:24 | 000,235,144 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\adodbupd.dat
[2013/08/16 13:31:48 | 001,892,785 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\phone contract.PDF
[2013/08/12 14:03:12 | 000,025,555 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\logo.JPG
[2012/02/15 08:07:19 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/05/23 07:36:23 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/05/23 07:31:20 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/05/10 13:44:55 | 000,000,781 | ---- | C] () -- C:\Documents and Settings\Administrator\SDM-2.4-851-c850-advsecurityk9-mz.124-4.T8.bin
[2008/06/11 17:27:32 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2010/12/08 12:34:38 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
[2013/09/10 15:35:25 | 000,005,632 | -HS- | M] () -- C:\WINDOWS\assembly\GAC\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\System32\shdocvw.dll -- [2008/04/13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2006/08/28 13:50:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterTrust
[2010/03/31 15:55:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2007/09/04 14:56:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Template
[2013/05/20 11:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\USB Server
[2005/12/13 14:04:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2005/12/13 14:05:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund LLC
[2005/12/13 13:52:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2013/01/08 15:57:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/07/22 16:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2010/12/08 12:43:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Imtec
[2013/09/10 14:12:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ncpa
[2005/04/21 11:40:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT

========== Purity Check ==========



< End of report >


And here is the Extras.txt file (I put blank lines in between so they were easier to tell apart.)

OTL Extras logfile created on: 09/10/2013 6:48:08 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = J:\Kristen's Shared Stuff\computer cleanup
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

1015.48 Mb Total Physical Memory | 497.10 Mb Available Physical Memory | 48.95% Memory free
1.26 Gb Paging File | 0.88 Gb Available in Paging File | 69.37% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 59.43 Gb Free Space | 79.74% Space Free | Partition Type: NTFS
Drive J: | 265.39 Gb Total Space | 207.33 Gb Free Space | 78.12% Space Free | Partition Type: NTFS
Drive Z: | 265.39 Gb Total Space | 207.33 Gb Free Space | 78.12% Space Free | Partition Type: NTFS

Computer Name: KRISTEN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_PRO-100_series" = Canon PRO-100 series Printer Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 24
"{2704E68E-BDD9-4D4E-8FA1-7810546FF9BC}" = IMTEC Licensing
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{383986D5-3689-4C07-8F9E-4B517123EE14}" = USB Server
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75AF7C73-E860-498B-A576-4028E1896323}" = Dolphin Imaging
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7F5FDEA1-D0AC-4D80-9D95-59775FCCFA40}" = HP Photosmart Plus B210 series Help
"{83F08BEC-A663-43D7-983C-172DBD29B56D}" = Dolphin Imaging
"{88B6A180-773C-439C-BCA1-F4BC5AB451B0}" = Dolphin Integration
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.3
"{B4E96960-5F6B-48B9-A5BD-6A5A9BB4F027}" = Avery Wizard 3.1
"{BE962181-E347-464E-AE70-276DD63A8293}" = HP Photosmart Plus B210 series Basic Device Software
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E832A8-D827-403F-A525-25DB7D0EC260}" = ILUMAPrerequisites
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E45D1CA0-C70E-4FF4-B46B-1F6ED85501F9}" = ClinCheck
"{EA1CB7AC-E221-4822-A789-0ADB051DC498}" = Multi-Card Reader & Flash Disk
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{FD2D70B9-BF5D-45B8-80B1-CF83AC73ACFE}" = Network Printer Wizard
"1.0_is1" = CareCredit CCware Version 2.8
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CareCredit CCware_is1" = CCWare version 2.2
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"DYMO Label Software" = DYMO Label Software
"EPSON Printer and Utilities" = EPSON Printer Software
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InCD!UninstallKey" = InCD (Ahead Software)
"InstallShield_{383986D5-3689-4C07-8F9E-4B517123EE14}" = USB Server
"InstallShield_{75AF7C73-E860-498B-A576-4028E1896323}" = Dolphin Imaging
"InstallShield_{83F08BEC-A663-43D7-983C-172DBD29B56D}" = Dolphin Imaging 10
"InstallShield_{88B6A180-773C-439C-BCA1-F4BC5AB451B0}" = Dolphin Integration
"InstallShield_{E45D1CA0-C70E-4FF4-B46B-1F6ED85501F9}" = ClinCheck
"InstallShield_{FD2D70B9-BF5D-45B8-80B1-CF83AC73ACFE}" = Network Printer Wizard
"InterBase 6.0" = InterBase 6.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"N360" = Norton Security Suite
"NETGEAR Print Server Utility" = NETGEAR Print Server Utility
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OPMS for Windows Setup" = OPMS for Windows Setup
"Shockwave" = Shockwave
"USB FlashLink 2.00" = SimpleTech USB FlashLink
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows XP Service Pack" = Windows XP Service Pack 3
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 08/24/2033 6:10:08 AM | Computer Name = STATION3 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 08/24/2033 6:10:08 AM | Computer Name = STATION3 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 08/24/2033 6:10:08 AM | Computer Name = STATION3 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 03/19/2012 9:09:04 AM | Computer Name = STATION3 | Source = Application Hang | ID = 1002
Description = Hanging application Opms32.exe, version 8.7.0.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 03/19/2012 9:10:27 AM | Computer Name = STATION3 | Source = Application Hang | ID = 1002
Description = Hanging application Opms32.exe, version 8.7.0.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 03/19/2012 9:10:37 AM | Computer Name = STATION3 | Source = Application Hang | ID = 1002
Description = Hanging application Opms32.exe, version 8.7.0.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 03/19/2012 9:10:40 AM | Computer Name = STATION3 | Source = Application Hang | ID = 1002
Description = Hanging application Opms32.exe, version 8.7.0.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 03/19/2012 9:10:43 AM | Computer Name = STATION3 | Source = Application Hang | ID = 1002
Description = Hanging application Opms32.exe, version 8.7.0.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 03/30/2012 7:50:23 AM | Computer Name = STATION3 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19190, fault address 0x00067978.

Error - 03/30/2012 7:50:27 AM | Computer Name = STATION3 | Source = Application Error | ID = 1001
Description = Fault bucket -1459084313.

[ System Events ]
Error - 04/04/2005 2:32:31 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 04/04/2005 2:32:34 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 04/04/2005 2:32:34 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 04/04/2005 2:47:34 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 04/04/2005 2:47:34 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 04/04/2005 3:14:57 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 04/04/2005 3:14:57 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 04/04/2005 3:15:00 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 04/04/2005 3:15:00 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 04/04/2005 3:15:00 PM | Computer Name = STATION3 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.


< End of report >
#2
RKinner (Malware Expert, MVP, 20,028 posts)
IF a step won't work, skip to the next. Multiple replies are fine. Easier for you to keep track of the logs if you post them right away.

1.
Copy the text in the code box by highlighting and Ctrl + c

:OTL
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKCU..\Run: [ctfm0n] C:\Microsoft_SDK\lib\include\cc1xb.js ()
O4 - HKCU..\Run: [Ctfmon] C:\Microsoft__SDK\lib\include\cc1xm.js ()
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found
O20 - Winlogon\Notify\IUNPOService: DllName - (IUNPYw32.dll) - File not found
O33 - MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\Shell - "" = AutoRun
O33 - MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{dbe12a2c-f493-11da-aab1-001109131c2e}\Shell\AutoRun\command - "" = E:\setupSNK.exe
[2013/09/10 18:39:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/09/10 15:35:42 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/09/10 14:18:48 | 000,105,324 | ---- | M] () -- C:\WINDOWS\System32\itusbcore.dat
[2013/09/10 14:18:48 | 000,000,198 | ---- | M] () -- C:\WINDOWS\System32\itlsvc.dat
[2013/09/10 14:13:24 | 000,235,144 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\adodbupd.dat
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found

:files
C:\Program Files\Google\Desktop\Install
C:\Microsoft_SDK
sc delete etadpug /c
reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters %userprofile%\Desktop\winsock2.reg /c

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then double-click on OTL to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.

2.
Download aswMBR.exe to your desktop.
Double click aswMBR.exe
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply


3.
ComboFix

It must be saved to your desktop, do not run it from your browser.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

4.
Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
Before you hit Scan, hit Change Parameters and check the two items under Additional Options. OK, then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


5.
Malwarebytes' Anti-Malware
If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy.
http://www.malwareby...lwarebytes_free

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe to start the program.
* follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

6.
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software (XP) or Programs and Features (Vista/Win 7) and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:

Java™ 6 Update 24
Java™ 6 Update 7

Java has been very vulnerable to infection so unless you absolutely need it you should not reinstall it.

If you feel you must have Java:
Get the latest Java at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.
Once installed, go into Control Panel, Java, Security and set the slider to the Highest then OK.

(If you also want the 64 bit version then use the 64 bit version of IE to get it.)

Also uninstall
Google Toolbar for Internet Explorer
Google Update Helper

7.
Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application. (This will overwrite the first log so make sure you copy and paste it to a Reply before the second run.)

8.
Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Ron
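An added triage script (not OTL's own code and not something from this thread) that reads the kinds of lines RKinner acts on above: it parses O4 autorun entries and the Security Center / firewall registry dump from the Extras log, and flags the patterns worth a second look (autoruns that launch .js files, look-alike names such as ctfm0n, missing publisher info, silenced Security Center alerts, Windows Firewall off, file-sharing ports open to any remote address). The KNOWN_NAMES table, the WEAK_SETTINGS rule list and the sample log are assumptions constructed for this example.

```python
# Triage helper for OTL log lines: O4 autorun entries plus the Security Center and
# firewall registry dumps. Added example; not OTL's code and not from the thread.
import re
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
PUB_RE = re.compile(r"^(?P<cmd>.*?)\s*\((?P<pub>[^()]*)\)$")  # trailing "(Publisher)"
SCRIPT_RE = re.compile(r"\.(js|vbs|vbe|wsf|bat|cmd)\b", re.I)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_.*)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]*)" = (?P<value>.*)$')
KNOWN_NAMES = {"ctfmon": r"\system32\ctfmon.exe"}  # imitated name -> genuine location (assumed table)
HOMOGLYPHS = str.maketrans("0135", "oles")           # ctfm0n -> ctfmon
WEAK_SETTINGS = [  # (key suffix, value name, weak value, why it matters) -- assumed rule list
    (r"\Microsoft\Security Center", "AntiVirusDisableNotify", "1", "antivirus alerts silenced"),
    (r"\Microsoft\Security Center", "FirewallDisableNotify", "1", "firewall alerts silenced"),
    (r"\Microsoft\Security Center", "AntiVirusOverride", "1",
     "Security Center told a third-party product monitors antivirus; confirm one is running"),
    (r"\FirewallPolicy\StandardProfile", "EnableFirewall", "0", "Windows Firewall off (standard profile)"),
]

def parse_o4(line):
    """Split an O4 line into hive, key, name, command, publisher and a 'missing' flag."""
    m = O4_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest")
    pub = PUB_RE.match(rest)
    entry["missing"] = rest.endswith("File not found")
    entry["cmd"] = pub.group("cmd") if pub else rest
    entry["publisher"] = pub.group("pub") if pub else None  # "" = OTL found no version info
    return entry

def assess_o4(entry):
    """Flag dangling, script-based, unsigned and look-alike autorun entries."""
    where = f"{entry['hive']}\\{entry['key']}\\{entry['name']}"
    if entry["missing"]:
        return [f"{where}: target no longer exists (dangling autorun, clean up)"]
    findings, cmd = [], entry["cmd"]
    ext = SCRIPT_RE.search(cmd)
    if ext:
        findings.append(f"{where}: autorun launches a script ({ext.group(0)}), unusual for legitimate software")
    if entry["publisher"] == "":
        findings.append(f"{where}: file carries no publisher/version information")
    base = re.sub(r"\.exe$", "", entry["name"].lower())
    plain = base.translate(HOMOGLYPHS)
    if plain in KNOWN_NAMES:
        if base != plain:
            findings.append(f"{where}: name imitates '{plain}' with look-alike characters")
        if KNOWN_NAMES[plain] not in cmd.lower():
            findings.append(f"{where}: '{plain}' should launch from {KNOWN_NAMES[plain]}, not {cmd}")
    return findings

def parse_registry(text):
    """Turn the [key] / "name" = value lines of an OTL dump into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line.strip())
        if k:
            current = keys.setdefault(k.group("key"), {})
            continue
        v = VAL_RE.match(line.strip())
        if v and current is not None:
            current[v.group("name")] = v.group("value")
    return keys

def assess_registry(keys):
    """Apply WEAK_SETTINGS and flag firewall exceptions open to every remote address."""
    findings = []
    for key, values in keys.items():
        for suffix, name, bad, why in WEAK_SETTINGS:
            if key.endswith(suffix) and values.get(name) == bad:
                findings.append(f"{key}\\{name} = {bad}: {why}")
        if key.endswith(r"GloballyOpenPorts\List"):
            for value in values.values():  # port:proto:scope:state:description
                port, proto, scope, state = value.split(":")[:4]
                if scope == "*" and state == "Enabled":
                    findings.append(f"{key}: {port}/{proto} open to any address, not just LocalSubNet")
    return findings

def triage(text):
    """Run both checks over a pasted log; lines matching neither pattern are ignored."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line.strip())
        if entry:
            findings.extend(assess_o4(entry))
    return findings + assess_registry(parse_registry(text))

# Constructed sample: O4 and registry lines as quoted in this thread, plus one benign
# ctfmon entry (made up here) to show what a clean autorun looks like.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKCU..\Run: [ctfm0n] C:\Microsoft_SDK\lib\include\cc1xb.js ()
O4 - HKCU..\Run: [Ctfmon] C:\Microsoft__SDK\lib\include\cc1xm.js ()
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"AntiVirusOverride" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""
```

Call triage(SAMPLE_LOG) to list the findings; a whole pasted OTL.txt or Extras.txt can be fed in the same way.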

#3
kjojo (Topic Starter, New Member, 8 posts)
Thank you for your prompt reply, RKinner!

I did the first step, putting the text into the OTL program and hitting "Run Fix"... It seemed to work well, said processing complete, then it asked for permission to reboot, I told it yes, then OTL, my taskbar, and Task Manager all froze. I still can click on and highlight the icons on the desktop that aren't covered by a window, but I can't do anything that seems important, like move the OTL window, or restart the computer... I think I am going to have to do a forced shutdown with the power button on the tower :(

#4
kjojo (Topic Starter, New Member, 8 posts)
I did shut down and restart the computer. It took FOREVER to come back up and I had almost given up, but it opened and gave me this log!


========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ctfm0n deleted successfully.
C:\Microsoft_SDK\lib\include\cc1xb.js moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Ctfmon deleted successfully.
C:\Microsoft__SDK\lib\include\cc1xm.js moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IUNPOService\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c498f8f1-922f-11dc-abef-001109131c2e}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c498f8f1-922f-11dc-abef-001109131c2e}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c498f8f1-922f-11dc-abef-001109131c2e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c498f8f1-922f-11dc-abef-001109131c2e}\ not found.
File F:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbe12a2c-f493-11da-aab1-001109131c2e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dbe12a2c-f493-11da-aab1-001109131c2e}\ not found.
File E:\setupSNK.exe not found.
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job moved successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job moved successfully.
C:\WINDOWS\system32\itusbcore.dat moved successfully.
C:\WINDOWS\system32\itlsvc.dat moved successfully.
C:\Documents and Settings\Administrator\Application Data\adodbupd.dat moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update not found.
========== FILES ==========
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install scheduled to be moved on reboot.
Folder move failed. C:\Microsoft_SDK\lib\include scheduled to be moved on reboot.
Folder move failed. C:\Microsoft_SDK\lib scheduled to be moved on reboot.
Folder move failed. C:\Microsoft_SDK scheduled to be moved on reboot.
< sc delete etadpug /c >
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
J:\Kristen's Shared Stuff\computer cleanup\cmd.bat deleted successfully.
J:\Kristen's Shared Stuff\computer cleanup\cmd.txt deleted successfully.
< reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters %userprofile%\Desktop\winsock2.reg /c >
J:\Kristen's Shared Stuff\computer cleanup\cmd.bat deleted successfully.
J:\Kristen's Shared Stuff\computer cleanup\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 3853559 bytes

User: All Users

User: Default User
->Flash cache emptied: 41044 bytes

User: LocalService
->Flash cache emptied: 67527 bytes

User: NetworkService

Total Flash Files Cleaned = 4.00 mb


[EMPTYJAVA]

User: Administrator
->Java cache emptied: 16773464 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 16.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 09112013_115332

Files\Folders moved on Reboot...
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \ﯹ๛ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f} scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Google\Desktop\Install scheduled to be moved on reboot.
C:\Microsoft_SDK\lib\include folder moved successfully.
C:\Microsoft_SDK\lib folder moved successfully.
C:\Microsoft_SDK folder moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#5
kjojo

kjojo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-11 12:50:16
-----------------------------
12:50:16.968 OS Version: Windows 5.1.2600 Service Pack 3
12:50:16.968 Number of processors: 1 586 0x209
12:50:17.000 ComputerName: KRISTEN UserName:
12:50:19.968 Initialize success
12:51:08.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3
12:51:08.515 Disk 0 Vendor: WDC_WD800JB-00JJA0 05.01C05 Size: 76319MB BusType: 3
12:51:08.671 Disk 0 MBR read successfully
12:51:08.671 Disk 0 MBR scan
12:51:08.671 Disk 0 Windows XP default MBR code
12:51:08.671 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
12:51:08.687 Disk 0 scanning sectors +156295440
12:51:08.765 Disk 0 scanning C:\WINDOWS\system32\drivers
12:51:21.671 Service scanning
12:51:34.265 Service ?etadpug C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \???\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\GoogleUpdate.exe **HIDDEN**
12:51:34.765 Modules scanning
12:51:46.000 Scan finished successfully
12:59:43.671 Disk 0 MBR has been saved successfully to "J:\Kristen's Shared Stuff\computer cleanup\MBR.dat"
12:59:43.671 The log file has been saved successfully to "J:\Kristen's Shared Stuff\computer cleanup\aswMBR log 9-11-13 12-59pm.txt"





At the end, "Fix" was not enabled, so I did not click it.
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
This is the latest Zero Access:

12:51:34.265 Service ?etadpug C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \???\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\GoogleUpdate.exe **HIDDEN**

When you run Combofix the first time you will probably not get a log. Run it a second time and it should finish removing Zero Access and give you a log.
  • 0

#7
kjojo

kjojo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I don't understand what you mean by "latest zero access".

I ran Combofix and got a log, but somehow my internet connection is no longer working on that computer, so I can't post the log. All the other computers on the network are still connected to the Internet. I am still connected to the network and can access shared drives.

I have done steps 1, 2, and 3 now; what would you like me to do next?
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Zero Access is the name of a family of really nasty malware infections.

Try the following to get back online:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In Firefox, (Tools or the Firefox button), Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.

Restart browser and test. If still no good:

Start, All Programs, Accessories, Command Prompt. Type (with an Enter after each line) in the code box:

ipconfig /flushdns

proxycfg  -d

netsh  winsock  reset catalog

netsh  int ip reset reset.log


(I use two spaces in the code box so you will be sure to see where 1 space goes.)

Reboot and test. If it still doesn't work:


1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 8.8.8.8 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.

5. Click "OK"

Reboot and test. If it still doesn't work:

(Start) Right click on My Computer, select Manage then Device Manager. Find the Network Adapters and click on the + in front to open up the sub entries. Right click on each sub-entry under Network Adapters and Uninstall. (Doesn't hurt to write down the names in case you need to download the drivers from the PC Maker's website. Normally you don't but with malware you never know.) Reboot and test. If it still doesn't work:

Start, All Programs, Accessories, Command Prompt. Type with an Enter after each line in the code box:

net start dhcp
ipconfig  /all
ipconfig  /release
ipconfig  /renew
ipconfig  /all


Report any errors you get and the IP addresses of the last ipconfig /all.
  • 0
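As an added example (not a tool from this thread or from RKinner), a small Python triage over the aswMBR and ComboFix lines quoted above: it flags the hidden service, the whitespace-only and unprintable directory names in its path, the proxy left in the user's Internet Settings (the setting the browser proxy steps above clear), and the Security Center and firewall entries that were switched off. The sample lines are copied from the logs posted in this thread; the reversed-name field simply reads the service name backwards so a reviewer can see what it spells.

```python
"""Triage helper for aswMBR / ComboFix log lines (added example, not a thread tool)."""
import re

# Constructed sample: lines copied from the aswMBR and ComboFix logs in this thread.
SAMPLE_LOG = r"""
12:51:34.265 Service ?etadpug C:\Program Files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\ \ \???\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\GoogleUpdate.exe **HIDDEN**
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = 10.1.1.1:80
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 4.2.2.1 208.67.222.222
uStart Page = hxxp://www.google.com/
"""

# aswMBR marks services it found only by scanning, not via the service API, as **HIDDEN**.
HIDDEN_SVC = re.compile(r"Service (\S+) (.+?) \*\*HIDDEN\*\*")
# ComboFix prints the per-user IE proxy under the "Supplementary Scan" heading.
PROXY_SET = re.compile(r"^uInternet Settings,ProxyServer = (\S+)")
# Security Center told to stop reporting a missing/disabled antivirus.
AV_OVERRIDE = re.compile(r'"AntiVirusOverride"=dword:0*1$')
# Windows Firewall standard profile switched off.
FIREWALL_OFF = re.compile(r'"EnableFirewall"=\s*0\b')


def odd_path_components(path):
    """Directory names that are only spaces, or only '?' (how the tools render
    characters they cannot print). Legitimate installers do not create these."""
    parts = path.split("\\")
    return [p for p in parts if p and (p.strip() == "" or set(p) <= {"?"})]


def triage(log_text):
    """Return a list of findings (dicts with a 'kind' key) for the given log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HIDDEN_SVC.search(line)
        if m:
            name, path = m.group(1), m.group(2)
            findings.append({"kind": "hidden_service", "name": name,
                             "name_reversed": name[::-1], "path": path})
            odd = odd_path_components(path)
            if odd:
                findings.append({"kind": "suspicious_path", "path": path,
                                 "components": odd})
            continue
        m = PROXY_SET.search(line)
        if m:
            findings.append({"kind": "proxy_set", "proxy": m.group(1)})
        elif AV_OVERRIDE.search(line):
            findings.append({"kind": "av_override"})
        elif FIREWALL_OFF.search(line):
            findings.append({"kind": "firewall_off"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```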

#9
kjojo

kjojo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Internet Explorer is working again! :) Thank you!
  • 0

#10
kjojo

kjojo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the first Combofix log (I ran it a second time, will post that log in another post)

ComboFix 13-09-10.03 - Administrator 09/11/2013 13:16:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.534 [GMT -4:00]
Running from: j:\kristen's shared stuff\computer cleanup\ComboFix.exe
AV: Norton Security Suite *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Google\Desktop\Install
c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\C3C1~1\01C8~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\@
c:\documents and settings\Administrator\Application Data\Adobe\AdobeUpdaterInstallMgr.exe
c:\documents and settings\Administrator\My Documents\~WRL0003.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\[email protected]!-3049710d-d10d-42c0-9490-bd81c1feee14.tmp
c:\program files\Google\Desktop\Install
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\@
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\GoogleUpdate.exe
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\L\[email protected]
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\L\76603ac3
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\U\[email protected]
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\U\[email protected]
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\U\[email protected]
c:\program files\Google\Desktop\Install\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\0103~1\0103~1\CFFE~1\{9740a6a4-c0a3-d4b0-d07c-4fd33b91363f}\U\[email protected]
.
.
((((((((((((((((((((((((( Files Created from 2013-08-11 to 2013-09-11 )))))))))))))))))))))))))))))))
.
.
9999-04-27 00:21 . 9999-04-27 00:21 -------- d-----w- c:\windows\Downloaded Installations
9999-04-26 21:55 . 2012-02-13 15:06 -------- d-----w- c:\program files\Common Files\Adobe
2013-09-11 02:30 . 2013-09-11 02:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2013-09-10 19:20 . 2012-05-09 00:23 495464 ----a-r- c:\windows\system32\HPWia1_PS7520.dll
2013-09-10 19:20 . 2012-05-09 00:23 1961320 ----a-r- c:\windows\system32\HPScanTRDrv_PS7520.dll
2013-09-10 18:12 . 2013-09-10 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ncpa
2013-09-10 18:12 . 2013-09-10 18:12 -------- d-----w- C:\Microsoft__SDK
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-31 19:11 . 2001-08-23 12:00 810496 ----a-w- c:\windows\system32\wmvdmod.dll
2013-07-26 02:47 . 2004-01-08 19:23 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2001-08-23 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 02:59 . 2001-08-23 12:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2001-08-17 13:48 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-19 68856]
"\\PC742115302836\EPSON Stylus Photo R1900 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICUA.EXE" [2007-04-10 182272]
"USBServer"="c:\program files\USB Server 2\USB Server.exe" [2012-05-21 1937408]
"USB Server"="c:\program files\USB Server 2\USB Server.exe" [2012-05-21 1937408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2002-09-12 1101824]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SMSS1"="c:\dolphin\SMSS1.LNK" [2005-03-11 1408]
"Dit"="Dit.exe" [2003-12-12 94208]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\\isuspm.exe" [2009-11-15 324976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
smss1.lnk - c:\startupdolph\smss1.exe [2002-1-1 40960]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [01/01/2002 5:11 AM 9344]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308030.006\SymEFA.sys [10/31/2011 3:01 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308030.006\BHDrvx86.sys [10/31/2011 3:01 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308030.006\cchpx86.sys [10/31/2011 3:01 PM 467592]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20130910.001\IDSXpx86.sys [09/10/2013 5:14 PM 380832]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [01/01/2002 5:11 AM 448640]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe [10/31/2011 3:00 PM 117648]
R2 NPWService;NPWService;c:\program files\Generic\Network Printer Wizard\NPWService.exe [03/20/2012 3:00 PM 471040]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [09/10/2013 11:08 AM 108120]
R3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\drivers\GenBus.sys [07/28/2009 5:25 PM 27136]
R3 NUS_BusXP32;Network USB Server Bus XP;c:\windows\system32\drivers\NUS_BusXP32.sys [10/14/2011 10:24 AM 29184]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [06/06/2005 5:04 PM 13440]
S3 NUServerXP32;Network USB Server Device XP;c:\windows\system32\drivers\NUServerXP32.sys [10/27/2011 2:27 PM 220160]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 10.1.1.1:80
uInternet Settings,ProxyOverride = <local>
Trusted Zone: mytelevox.com\www-atl
TCP: DhcpNameServer = 4.2.2.1 208.67.222.222
.
- - - - ORPHANS REMOVED - - - -
.
Notify-IUNPOService - IUNPYw32.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-11 13:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-725345543-2000478354-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,3c,ac,93,33,f1,10,4d,a5,0b,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,3c,ac,93,33,f1,10,4d,a5,0b,fe,\
.
Completion time: 2013-09-11 13:28:01
ComboFix-quarantined-files.txt 2013-09-11 17:27
.
Pre-Run: 65,672,097,792 bytes free
Post-Run: 66,090,315,776 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 09EB19E3D13F85ED4DF6EBDB4B528B8A
8F558EB6672622401DA993E1E865C861
  • 0

#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Looks like Combofix took out the Zero Access. I'd run the other scans just to make sure it didn't bring a friend.
  • 0

#12
kjojo

kjojo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you so much! I really appreciate you spending your time to help me :) You still want me to run TDSSKiller, Malwarebytes', clear java cache, uninstall java, google toolbar, and google update helper... right? Should I post the logs for you to look at?
  • 0

#13
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Yes. Sometimes Zero Access brings his friends and sometimes it damages the Operating System so we need to check that everything is OK.
  • 0
