
"System Check" and "Zeroaccess!kmem" Virus



#1 malmbor (Member, 72 posts)
I had been dealing with Macboatmaster for some svchost issues. (see thread) http://www.geekstogo...-lot-of-memory/

On Saturday evening, while attempting to deal with my slow computer issues, I started to receive "system check" and "file indexation process" pop-ups. My computer screen went black and I lost many of my icons on the desktop page. Many programs were missing from the program folder. Also, the computer ran very slow and had trouble shutting down and restarting.

I contacted Norton and they remotely accessed my computer to address the issue. The scan showed "Zeroaccess!kmem." The Norton log shows it as "c:\windows\system32\ntos Manual removal required." They got rid of the pop-ups and seemed to get the computer functioning again, but they said they were not done and asked me to back up my data and that my computer might crash. I backed up my data and waited for a reply from Macboatmaster. He told me to post here. I do not want to go back to Norton - I really didn't understand what they were doing. They loaded a couple programs to my computer - Zero Access Fix Tool and TDSS Fix Tool.

At this point the computer still runs very slowly and I still get some "intrusion attempts" warnings from Norton 360. Malware was showing the following issue: "C:\WINDOWS\SYSTEM32\swmidi.dll (RootKit.0Access.H) -> Delete on reboot."



Here is the OTL log:


OTL logfile created on: 2/20/2012 6:27:08 PM - Run 2
OTL by OldTimer - Version 3.2.33.1 Folder = C:\Documents and Settings\Robert C. Ferguson\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 38.38% Memory free
2.23 Gb Paging File | 1.08 Gb Available in Paging File | 48.32% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 43.01 Gb Free Space | 57.75% Space Free | Partition Type: NTFS
Drive F: | 29.80 Gb Total Space | 18.74 Gb Free Space | 62.89% Space Free | Partition Type: FAT32

Computer Name: COMPUTER1 | User Name: Robert C. Ferguson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/20 18:26:37 | 000,583,168 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\OTL.exe
PRC - [2012/01/31 17:10:10 | 000,026,264 | ---- | M] (PC Pitstop LLC) -- C:\Program Files\PCPitstop\Info Center\InfoCenter.exe
PRC - [2011/08/03 23:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360 Premier Edition\Engine\4.4.0.12\ccsvchst.exe
PRC - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2008/04/13 19:12:36 | 000,014,336 | ---- | M] () -- \\.\globalroot\SystemRoot\system32\svchost.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/08/13 11:27:40 | 000,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2003/06/11 08:34:58 | 000,155,770 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PRC - [2002/04/30 03:00:00 | 000,167,424 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files\Creative\ShareDLL\Mediadet.exe
PRC - [2002/04/03 02:01:00 | 000,135,264 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
PRC - [2001/12/26 03:00:00 | 000,191,488 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files\Creative\ShareDLL\CTNotify.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/03 10:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\SYSTEM32\quartz.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/04/13 19:12:36 | 000,050,688 | ---- | M] () -- \\.\globalroot\SystemRoot\system32\smss.exe
MOD - [2008/04/13 19:12:36 | 000,014,336 | ---- | M] () -- \\.\globalroot\SystemRoot\system32\svchost.exe
MOD - [2008/04/13 19:12:04 | 000,064,000 | ---- | M] () -- \\.\globalroot\SystemRoot\system32\SAMLIB.dll
MOD - [2008/04/13 19:12:03 | 000,562,176 | ---- | M] () -- C:\WINDOWS\SYSTEM32\qedit.dll
MOD - [2008/04/13 19:12:02 | 000,118,784 | ---- | M] () -- \\.\globalroot\SystemRoot\system32\NTMARTA.DLL
MOD - [2008/04/13 19:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\SYSTEM32\msdmo.dll
MOD - [2008/04/13 19:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\SYSTEM32\devenum.dll
MOD - [2008/04/13 12:39:24 | 002,897,920 | ---- | M] () -- \\.\globalroot\SystemRoot\system32\xpsp2res.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (sermouse)
SRV - File not found [Auto | Stopped] -- -- (hpqddsvc)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (ggsemc)
SRV - File not found [Auto | Stopped] -- -- (CWShredder Service)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/08/03 23:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton 360 Premier Edition\Engine\4.4.0.12\ccSvcHst.exe -- (N360)
SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2008/04/13 19:12:36 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\mbackmonitor.dll -- (z800obex)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2004/10/15 10:12:38 | 000,131,072 | ---- | M] (SonicWALL, Inc.) [On_Demand | Stopped] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)
SRV - [2003/06/11 08:34:58 | 000,155,770 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)


========== Driver Services (SafeList) ==========

DRV - [2012/02/03 22:34:35 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/03 22:34:35 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/12/15 18:33:22 | 000,356,280 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20120217.003\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/11/30 21:25:03 | 000,820,344 | -H-- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20120215.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/08/21 21:53:36 | 000,362,360 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0404000.00C\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/08/21 21:53:35 | 000,173,176 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\SYMEFA.SYS -- (SymEFA)
DRV - [2011/08/03 23:19:30 | 000,485,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\ccHPx86.sys -- (ccHP)
DRV - [2011/08/03 20:39:50 | 001,576,312 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120220.001\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/03 20:39:50 | 000,086,136 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120220.001\NAVENG.SYS -- (NAVENG)
DRV - [2010/06/10 18:00:06 | 000,022,528 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\intelsmb.sys -- (smbusp) Intel®
DRV - [2010/04/29 00:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 21:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0404000.00C\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 21:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/03/09 15:09:09 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/14 22:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0404000.00C\SYMDS.SYS -- (SymDS)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2007/02/25 12:10:48 | 000,005,376 | ---- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/09/05 11:03:16 | 000,003,968 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys -- (AvgAsCln)
DRV - [2005/06/25 22:45:32 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2004/10/15 10:46:12 | 000,091,136 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RCFOX.sys -- (RCFOX)
DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/05/14 17:15:22 | 000,147,236 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dne2000.sys -- (DNE)
DRV - [2003/08/29 03:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys -- (BCMModem)
DRV - [2003/08/20 14:01:22 | 000,023,180 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\rcvpn.sys -- (rcvpn)
DRV - [2003/08/14 11:58:12 | 001,296,384 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2003/05/23 13:58:30 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [1999/12/17 02:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\PFMODNT.SYS -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?...=OIE8HP&PC=B8MC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = cdn;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...TDF&PC=SUN1&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100127023632
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:3.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:2010.9.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..keyword.URL: "http://www.bing.com/...TDF&PC=SUN1&q="
FF - prefs.js..network.proxy.ftp: "actsvr.comcastonline.com"
FF - prefs.js..network.proxy.ftp_port: 8100
FF - prefs.js..network.proxy.gopher: "actsvr.comcastonline.com"
FF - prefs.js..network.proxy.gopher_port: 8100
FF - prefs.js..network.proxy.http: "actsvr.comcastonline.com"
FF - prefs.js..network.proxy.http_port: 8100
FF - prefs.js..network.proxy.no_proxies_on: "cdn"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "actsvr.comcastonline.com"
FF - prefs.js..network.proxy.socks_port: 8100
FF - prefs.js..network.proxy.ssl: "actsvr.comcastonline.com"
FF - prefs.js..network.proxy.ssl_port: 8100

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@funwebproducts.com/Plugin: C:\Program Files\FunWebProducts\Installr\4.bin\NPFunWeb.dll File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Robert C. Ferguson\Application Data\Move Networks\plugins\npqmp071503000010.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Robert C. Ferguson\Application Data\Move Networks\plugins\npqmp071503000010.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2011/08/10 15:22:24 | 000,000,000 | -H-D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn_2010_9_0_6 [2012/02/20 15:26:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/17 04:50:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/30 19:27:11 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Documents and Settings\Robert C. Ferguson\Application Data\Move Networks [2009/07/29 18:18:05 | 000,000,000 | ---D | M]

[2010/03/08 19:15:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Mozilla\Extensions
[2012/02/02 23:15:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Mozilla\Firefox\Profiles\wqypj6ug.default\extensions
[2007/07/22 13:17:06 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Mozilla\Firefox\Profiles\wqypj6ug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/01/25 17:56:50 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Mozilla\Firefox\Profiles\wqypj6ug.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/20 10:41:21 | 000,001,832 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Mozilla\Firefox\Profiles\wqypj6ug.default\searchplugins\bing.xml
[2012/01/05 23:40:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2006/07/26 22:56:24 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/02/17 04:50:35 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/05/05 19:11:59 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/20 23:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/06/20 10:40:05 | 000,003,803 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\MyHeritage.xml
[2011/12/20 23:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2010/03/21 15:58:18 | 000,000,098 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\4.4.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [cwuKGCkVOILNu.exe] C:\Documents and Settings\All Users\Application Data\cwuKGCkVOILNu.exe File not found
O4 - HKLM..\Run: [diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CTNotify.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [Info Center] C:\Program Files\PCPitstop\Info Center\InfoCenter.exe (PC Pitstop LLC)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKCU..\Run: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000 File not found
O4 - HKCU..\Run: [SpeedUpMyPC] "C:\Program Files\Uniblue\SpeedUpMyPC\launcher.exe" delay 20000 File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ File not found
O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ File not found
O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcp...ols/pcmatic.cab (PCPitstop Utility)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...84/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D4779D47-6AF9-4F52-A463-793D6EDFFE56}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - (WRLogonNTF.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 09:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/08/04 18:13:52 | 000,000,110 | -H-- | M] () - F:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (SsiEfr.e)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/20 18:26:21 | 000,583,168 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\OTL.exe
[2012/02/19 06:53:03 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\FixTDSS.exe
[2012/02/19 05:19:05 | 000,091,136 | ---- | C] (SonicWALL, Inc.) -- C:\RCFOX.SYS
[2012/02/19 04:37:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\FixZeroAccess
[2012/02/19 04:36:44 | 001,766,312 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\FixZeroAccess.exe
[2012/02/19 04:29:45 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Robert C. Ferguson\Desktop\smtmp
[2012/02/19 04:28:50 | 000,000,000 | ---D | C] -- C:\smtmp
[2012/02/18 22:07:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert C. Ferguson\Recent
[2012/02/18 21:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\LogMeIn Rescue Applet
[2012/02/18 00:06:33 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/02/18 00:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert C. Ferguson\Start Menu\Programs\HiJackThis
[2012/02/17 15:36:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Powertoys for Windows XP
[2012/02/17 00:13:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2006/08/20 22:08:30 | 004,313,776 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\IconCache.db
[2006/07/22 19:27:19 | 000,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/10/18 21:19:22 | 000,218,112 | ---- | C] (Soeperman Enterprises Ltd.) -- C:\Program Files\HJT.exe
[2005/10/16 18:12:01 | 000,020,504 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2004/02/18 19:32:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Application Data\dm.ini
[2004/02/14 11:16:54 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/02/10 21:45:28 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\fusioncache.dat
[2004/02/06 22:31:30 | 000,024,392 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/20 18:42:00 | 000,000,448 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{AFCCDFC2-FB0D-4266-BCBF-75A25037715A}.job
[2012/02/20 18:30:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/20 18:26:37 | 000,583,168 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\OTL.exe
[2012/02/20 18:14:45 | 000,043,008 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/20 18:11:19 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/02/20 18:11:11 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/20 18:06:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/20 15:25:48 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/20 15:25:46 | 000,002,048 | ---- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/02/20 15:25:42 | 2145,456,128 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/20 03:21:11 | 000,143,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/19 09:44:55 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\ZoomBrowser EX.lnk
[2012/02/19 06:53:05 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\FixTDSS.exe
[2012/02/19 05:17:39 | 007,584,182 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Application Data\SMRBackup162.dat
[2012/02/19 04:36:52 | 001,766,312 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\FixZeroAccess.exe
[2012/02/18 20:03:26 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/02/18 00:06:33 | 000,002,010 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\HiJackThis.lnk
[2012/02/17 14:21:06 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\Microsoft Office Word 2003.lnk
[2012/02/16 03:53:39 | 000,445,830 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/02/16 03:53:39 | 000,073,036 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2012/02/16 00:58:40 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/14 03:29:19 | 000,002,460 | ---- | M] () -- C:\WINDOWS\System32\ASOROSet.bin
[2012/02/03 15:37:21 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\Malwarebytes Anti-Malware.lnk
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/19 09:01:46 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\Mozilla Firefox.lnk
[2012/02/19 06:27:48 | 000,002,473 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\ZoomBrowser EX.lnk
[2012/02/19 06:24:09 | 000,001,554 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\iTunes.lnk
[2012/02/19 06:24:00 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/19 06:22:11 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/02/19 06:22:09 | 000,001,077 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Live ID.lnk
[2012/02/19 06:22:07 | 000,001,889 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\SonicWALL Global VPN Client.lnk
[2012/02/19 06:22:03 | 000,001,687 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Solution Center.lnk
[2012/02/19 06:21:58 | 000,001,750 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2012/02/19 06:21:56 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/02/19 06:21:54 | 000,001,077 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Default Manager.lnk
[2012/02/19 06:21:48 | 000,001,744 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Dell Networking Guide.lnk
[2012/02/19 06:21:43 | 000,001,486 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom Advanced Control Suite.lnk
[2012/02/19 06:21:40 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/02/19 06:21:38 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/02/19 06:21:34 | 000,001,988 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Photoshop Album 2.0 Starter Edition.lnk
[2012/02/19 06:21:30 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat_com.lnk
[2012/02/19 05:02:29 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/19 05:02:29 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/19 04:59:26 | 007,584,182 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Application Data\SMRBackup162.dat
[2012/02/18 22:27:26 | 2145,456,128 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/18 20:03:25 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/02/18 19:39:20 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/18 00:06:33 | 000,002,010 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Desktop\HiJackThis.lnk
[2012/02/17 05:17:28 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/29 15:34:02 | 000,002,460 | ---- | C] () -- C:\WINDOWS\System32\ASOROSet.bin
[2011/05/12 14:18:33 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Robert C. Ferguson\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/04/12 17:57:08 | 000,026,048 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat

========== LOP Check ==========

[2008/08/03 17:14:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Amazon
[2011/12/10 01:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/12/29 15:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2007/06/28 20:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2012/02/20 12:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2011/12/09 21:36:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/10/22 20:10:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/08/03 21:47:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/04/12 00:46:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/02/19 04:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\FixZeroAccess
[2010/06/06 15:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\gtk-2.0
[2007/04/21 20:34:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\ICAClient
[2004/02/07 10:59:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Leadertech
[2005/01/20 23:54:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\STOPzilla!
[2010/03/08 21:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Tific
[2010/08/28 22:46:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert C. Ferguson\Application Data\Uniblue
[2012/02/20 18:42:00 | 000,000,448 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{AFCCDFC2-FB0D-4266-BCBF-75A25037715A}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Robert C. Ferguson\Desktop\1432KA01.EXE:SummaryInformation

< End of report >
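Added example (not part of the original post, and not OTL's own code): a short Python triage pass over the kind of lines the Files Created / Files Modified sections above contain. OTL prints one entry per line as [timestamp | size | attributes | C or M] (company) -- path; the script parses that format, then flags two patterns a reviewer would look at first on a machine where the pop-ups started on the evening of Saturday 18 Feb 2012: files under System32 created or modified from the day before onward that carry no company name, and hidden+system files outside the handful Windows keeps at the root of the drive. The sample lines are copied from the log above; the allowlist and the 17 Feb cut-off are assumptions made for the example. Flagged entries are candidates to look up, not verdicts: caches such as d3d9caps.dat legitimately have no company name, so this only narrows the list.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One OTL "Files Created/Modified" entry, as printed in the log above:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C or M] (Company) -- path
_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str      # OTL flag string, e.g. "-HS-" (H hidden, S system, D directory)
    kind: str       # "C" = created in the window, "M" = modified in the window
    company: str    # empty when the file carries no company name
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for summary lines such as the '*.tmp files -> ...' ones."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    return Entry(
        when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),       # "2145,456,128" -> 2145456128
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"],
    )


SYSTEM_DIR = "c:\\windows\\system32\\"
# Hidden+system files that belong at the root of an XP system drive (assumed allowlist).
EXPECTED_HIDDEN_SYSTEM = {"c:\\hiberfil.sys", "c:\\pagefile.sys", "c:\\boot.ini",
                          "c:\\ntldr", "c:\\ntdetect.com"}


def triage(lines: List[str], since: datetime) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs worth a second look. Not a verdict: caches and
    tool residue also match, so each hit still has to be looked up."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None or "D" in e.attrs:          # skip non-entries and directories
            continue
        lp = e.path.lower()
        if lp.startswith(SYSTEM_DIR) and e.when >= since and not e.company:
            findings.append(("System32 file created/modified in the incident window, no company name", e.path))
        if "H" in e.attrs and "S" in e.attrs and lp not in EXPECTED_HIDDEN_SYSTEM:
            findings.append(("hidden+system file outside the expected set", e.path))
    return findings


# Lines copied from the log above, plus one summary line the parser must skip.
SAMPLE_LINES = [
    r"[2012/02/20 18:30:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat",
    r"[2012/02/20 18:26:37 | 000,583,168 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert C. Ferguson\Desktop\OTL.exe",
    r"[2012/02/20 15:25:42 | 2145,456,128 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2012/02/19 05:02:29 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll",
    r"[2012/02/19 05:02:29 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll",
    r"[2012/02/18 19:39:20 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd",
    r"[2010/04/12 17:57:08 | 000,026,048 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat",
    r"[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]",
]
# The pop-ups started on the evening of Saturday 18 Feb 2012; the window starts a day earlier (assumption).
INCIDENT_WINDOW_START = datetime(2012, 2, 17)


def triage_sample() -> List[Tuple[str, str]]:
    return triage(SAMPLE_LINES, INCIDENT_WINDOW_START)


if __name__ == "__main__":
    for reason, path in triage_sample():
        print(f"{reason}: {path}")
```

Feed it the whole Files Created / Files Modified block of a real OTL log and it turns a few hundred lines into a handful to check; the entry in both System32 and System32\dllcache created in the same second is the sort of pair that the hash check further down the thread then settles.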
#2 RKinner (Malware Expert, MVP)

You would think a big anti-virus company like Norton would have a fix for ZA. It's not like it just started yesterday. It's been around for months.

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan (allow the Avast Engine)
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click Save log, save it to your desktop and post it in your next reply.



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Copy the text in the code box:


nnetsvcs
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
mswsock.dll
smss.exe
SAMLIB.dll
qedit.dll
NTMARTA.DLL
msdmo.dll
devenum.dll
xpsp2res.dll
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Ron
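The /md5start ... /md5stop block in the OTL script above asks OTL to report MD5s of a fixed list of core system files so they can be checked against known-good hashes for the same Windows build. The Python below is an added example, not RKinner's or OTL's code, of that comparison done locally: take a baseline of a clean set of files, then verify a suspect set and report OK, MISMATCH or MISSING. The file names are borrowed from the list above but the contents are constructed stand-ins. The demo patches one byte of atapi.sys, which leaves the size unchanged, and puts the original timestamp back, to show why a "modified within 30 days" listing sorted by timestamp is not sufficient on its own: the hash still moves. MD5 is kept only for comparison with tool output; the verdict is based on SHA-256.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def file_record(path: Path) -> Dict:
    """Size, mtime and two digests for one file. MD5 is kept so the result can be
    compared with OTL-style output; SHA-256 is what the verdict is based on."""
    st = path.stat()
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def baseline(root: Path, names: Iterable[str]) -> Dict[str, Dict]:
    """Manifest of a known-clean set of files, keyed by file name."""
    return {n: file_record(root / n) for n in names if (root / n).is_file()}


def verify(root: Path, manifest: Dict[str, Dict]) -> Dict[str, Dict]:
    """Compare the files under root with the manifest. A MISMATCH also records whether
    size or mtime moved, so a patch that kept both still shows up as what it is."""
    results = {}
    for name, ref in manifest.items():
        p = root / name
        if not p.is_file():
            results[name] = {"status": "MISSING"}
            continue
        cur = file_record(p)
        if cur["sha256"] == ref["sha256"]:
            results[name] = {"status": "OK"}
        else:
            results[name] = {"status": "MISMATCH",
                             "size_changed": cur["size"] != ref["size"],
                             "mtime_changed": cur["mtime_ns"] != ref["mtime_ns"]}
    return results


def demo() -> Dict[str, Dict]:
    """Constructed scenario: a clean tree, a copy of it, one file patched in place
    (same size, original timestamps put back) and one file removed."""
    names = ["atapi.sys", "explorer.exe", "winlogon.exe"]   # names from the list above; contents are stand-ins
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        clean.mkdir()
        for i, n in enumerate(names):
            (clean / n).write_bytes(bytes([0x40 + i]) * 4096)
        shutil.copytree(clean, suspect)                     # copy2 keeps the timestamps
        target = suspect / "atapi.sys"
        st = target.stat()
        data = bytearray(target.read_bytes())
        data[0x10] ^= 0xFF                                  # one-byte patch, size unchanged
        target.write_bytes(bytes(data))
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the original timestamps back
        (suspect / "winlogon.exe").unlink()
        return verify(suspect, baseline(clean, names))


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

In practice the baseline comes from a clean install of the same build and service pack (or from the hashes the helper looks up), and the suspect set is read from the infected disk while booted from clean media, so a kernel-mode rootkit on the infected system cannot lie about file contents.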

#3 malmbor (Topic Starter)

I ran ComboFix. It detected a virus and rebooted. Upon restarting my computer went to a blue screen with the following technical info: xxx STOP: 0x0000007B (0xf78AA528, 0xc0000034, 0x00000000, 0x00000000).

It mentioned something about running CHKDSK/F.

I cannot start the computer in any mode (Safe Mode, Last Known Good Configuration, etc). It always goes to the same blue screen.

What should I do?

Thanks.

#4 RKinner (Malware Expert, MVP)

I assume it doesn't get far enough to offer you the Recovery Console which Combofix should have installed at the beginning of its run?

Do you have an XP CD? If you have the XP CD then boot off it and input R to get to the Recovery Console.

or a second computer or a friend with a PC that could download and burn a CD?

Download Hiren's Boot Cd and boot off it.
http://www.hirensbootcd.org/download/
This is a big Zip file, so save it. Then right click on it and Extract all. Put a blank CD in the drive and then double click on BurnToCD.cmd. When it finishes, boot off it and run the MiniXP program. This will give you a fake XP desktop. From there we can run several programs to fix the MBR if the drive is still good.

#5 malmbor (Topic Starter)

I thought it had installed recovery console because I got to the screen that said it was scanning and could take 10 minutes, etc. When I try to start my computer I can get options for "Microsoft Windows Recovery Console," "do not select this [debugger enabled]." What would I see if I had ComboFix Recovery Console?

#6 RKinner (Malware Expert, MVP)

Select
"Microsoft Windows Recovery Console"

That's the recovery console. It should take you to a black screen with a prompt.

Type (with an Enter after each line):

map

What does it show?

#7 malmbor (Topic Starter)

I'm away from computer right now in order to access the internet. What should I see/do? I'm going to have to get some basic instructions and then go back home and see what I can do. (It might be a bit of going back and forth).

From what I remember, I got some kind of prompt and some instruction that said press "enter" if I wanted to end the mode.

I have also burned the Hiren's Boot Cd if I need it.

Edited by malmbor, 21 February 2012 - 12:51 PM.


#8 RKinner (Malware Expert, MVP)

It depends on who makes your PC but there should be at least one line that says something like:

C: NTFS 120254MB \Device\Harddisk0\Partition1

Then run:

bootcfg  /list

It should show you the same 3 options you had when you selected the recovery console. Does one of them point to C: drive that you found in map? Or does it point to a different partition?

bootcfg  /scan

Will show you if there are other possible bootable drives. If you see one then you can do:

bootcfg /rebuild

This will step you through rebuilding boot.ini so that it includes all possible bootable drives. (You only want the ones on Harddisk0)
If you rebuild boot.ini then reboot and try each of the Windows options and see if one works for you.

If you don't see any other drives when you run the map command then:

and only then you can do

fixmbr

If an invalid or nonstandard partition table signature is detected, you will be prompted whether you want to continue. Writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible, so tell it to cancel.

fixboot

then reboot and see if it will boot.

We may need to download:

http://sourceforge.n...ed-live-stable/

This is a Zip file so save it, right click on it and Extract All. Then burn the .iso file to a cd using free iso burner:
http://www.freeisoburner.com/

Then boot off it. This lets you make the partition that is the C: drive active then you can boot back into the recovery console and run

fixmbr

fixboot.

#9 malmbor (Topic Starter)

Once I selected "Microsoft Windows Recovery Console" it took me to a black screen that showed:

1: C:\WINDOWS
Which Windows installation would you like to log onto?

I then entered 1 at the prompt and saw the line that was similar to "C: NTFS 120254MB \Device\Harddisk0\Partition1"

I then ran bootcfg /list

That took me to another prompt and I ran bootcfg /scan and then bootcfg /rebuild.

It indicated it would take a while then took me to a prompt that said "Add installation to boot list?" Yes, No, All.

I selected Yes and it prompted "Enter Load Identifier."

I stopped there.

I never did anything with "map." Not sure where I should have done that.

Not sure what to do or if I need to start over. If I need to start over, how do I get back from the "Enter Load Identifier" prompt?

#10 RKinner (Malware Expert, MVP)

Not my area of expertise but try Ctrl + C or the Esc button. If neither works then just reboot.
#11 malmbor (Topic Starter)

I guess my question is does it sound like everything was proceeding as it should have in the steps I was taking? Should I have ended up at an "add installation to boot list" prompt? If so, should I have typed "yes." And what should I enter when it asks for "load identifier."

If I was off track, where does it seem I went off course?

Thanks.

#12 RKinner (Malware Expert, MVP)

No need to add anything so you should have said no. Please run the Map command and tell me what it says. What make and model PC is this?

I asked about this bug on our internal forum and one of the guys has seen it before. Says that the service

SRV - [2008/04/13 19:12:36 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\mbackmonitor.dll -- (z800obex) is at fault.

We can use the recovery console to kill the dll which should stop the service from running. Don't know if it will help with the boot but worth a shot:

cd  \windows\system32

(Prompt should change to show you are in C:\Windows\System32)

ren  mbackmonitor.dll  mbackmonitor.bad

exit

#13 malmbor (Topic Starter)

Here is some info on my computer:

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name COMPUTER1
System Manufacturer Dell Computer Corporation
System Model Dimension 2400
System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2392 Mhz
BIOS Version/Date Dell Computer Corporation A05, 12/2/2003
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name COMPUTER1\RC
Time Zone Eastern Standard Time
Total Physical Memory 2,048.00 MB
Available Physical Memory 897.84 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.95 GB
Page File Space 2.23 GB
Page File C:\pagefile.sys


The prompt screens I was getting looked like the ones from this thread. http://www.geekstogo...25080xf78a2204/

[screenshot of the Recovery Console prompts, taken from the linked thread]

In that thread it said to do the following at this prompt: "For the Enter Load Identifier portion of this command, you should enter the name of the operating system you have installed. If, for example, you are using Windows XP Home, you could type Microsoft Windows XP Home Edition for the identifier (it's not crucial, however what the name is, as long, as it's meaningful)."

Then it said to run CHKDSK /R and then FIXBOOT.


I should or should not be taking those steps? Sorry for all the questions, I'm not really well versed in doing this type of thing.

#14 RKinner (Malware Expert, MVP)

I think since you have deleted boot.ini you will need to Add the recovery console or you will lose it as an option:

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

I suppose Microsoft Windows Recovery Console is the identifier. Not sure how to input it, though.

Since you only have the one partition you can run fixmbr and fixboot but make sure you delete the dll file I told you to do in the last post.

#15 malmbor (Topic Starter)

I didn't delete boot.ini. I just posted that screen shot from the other thread I linked to show you the "installation boot list" and "load identifier" prompts I was getting. Up to those prompts I had only run bootcfg /list, bootcfg /scan, bootcfg /rebuild. After running bootcfg /rebuild, I was taken to the "installation boot list prompt." That was where I was stuck because your original instructions didn't mention those prompts. That other thread also mentions having to enter /fastdetect and noexecute=optin at the "load option" prompt. Do I need to do those things?


I can still run "Microsoft Windows Recovery Console"

I was able to run map and it showed:

? FAT16 32MB \Device\Harddisk0\Partition1
C: NTFS 76254MB \Device\Harddisk0\Partition2
A: \Device\Floppy0
D: \Device\CdRom0
E: \Device\CdRom1


It looks like there are 2 partitions - not sure what that means. I basically need to start over, but need to know what to do at the prompts I mentioned above. Also, at what point in the process do I run "ren mbackmonitor.dll mbackmonitor.bad?" Before the other steps? How do I get back to C:\WINDOWS from C:\Windows\System32 if I need to?
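Added example, not from the thread: the Recovery Console's map output in #15 and the fixmbr warning quoted in #8 both come from the same 512-byte master boot record, so here is a small Python reader for it. It checks the 0x55AA signature at the end of the sector (what fixmbr reports as an "invalid or nonstandard partition table signature"), decodes the four 16-byte partition entries, prints each partition's type and size in MB in the same style as map, and reports which entry carries the active (0x80) flag, which is the flag the partition-editor step in #8 sets before fixmbr and fixboot are run. The sector is constructed to match the layout malmbor reported (a 32 MB FAT16 partition followed by a 76254 MB NTFS partition); marking the NTFS partition active, the type table and the second copy with its signature zeroed are assumptions made for the example. Caveat: a valid signature and a sane table say nothing about the 446 bytes of boot code in front of them, so this is a partition-table check, not a bootkit scan.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
# Partition type IDs relevant to the map output above (assumed subset, not exhaustive).
PART_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0xDE: "Dell Utility"}


@dataclass
class Partition:
    index: int        # 1-based, matches "\Device\Harddisk0\PartitionN" in map
    active: bool      # boot indicator 0x80 in the status byte
    type_id: int
    start_lba: int
    sectors: int

    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, f"type 0x{self.type_id:02X}")


def has_valid_signature(mbr: bytes) -> bool:
    """The 0x55AA signature fixmbr checks before it overwrites the boot code."""
    return len(mbr) == SECTOR and mbr[510:512] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four 16-byte entries at offset 446; unused slots are skipped."""
    if not has_valid_signature(mbr):
        raise ValueError("invalid or non-standard partition table signature")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack_from(
            "<B3sB3sII", mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i + 1, status == 0x80, ptype, start, count))
    return parts


def active_partitions(parts: List[Partition]) -> List[Partition]:
    return [p for p in parts if p.active]


def describe(parts: List[Partition]) -> List[str]:
    """One line per partition, in the style of the Recovery Console's map output."""
    return [f"Partition{p.index} {p.type_name()} {p.size_mb()}MB" + (" (active)" if p.active else "")
            for p in parts]


def _entry(active: bool, ptype: int, start_lba: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, start_lba, sectors)


def build_mbr(entries: List[bytes], signature: bytes = b"\x55\xaa") -> bytes:
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return b"\x00" * 446 + table + signature


# Constructed sector matching the layout map reported: 32 MB FAT16, then 76254 MB NTFS.
FAT16_SECTORS = 32 * 2048            # 2048 sectors per MiB at 512 bytes/sector
NTFS_SECTORS = 76254 * 2048
_TABLE = [_entry(False, 0x06, 63, FAT16_SECTORS),
          _entry(True, 0x07, 63 + FAT16_SECTORS, NTFS_SECTORS)]
SAMPLE_MBR = build_mbr(_TABLE)
# Same table with the signature zeroed: the case where fixmbr asks whether to continue.
BAD_SIGNATURE_MBR = build_mbr(_TABLE, signature=b"\x00\x00")


def check(mbr: bytes) -> dict:
    """Triage summary: signature validity, partitions as map would list them, active entries."""
    if not has_valid_signature(mbr):
        return {"signature_ok": False, "partitions": [], "active": []}
    parts = parse_partitions(mbr)
    return {"signature_ok": True, "partitions": describe(parts),
            "active": [p.index for p in active_partitions(parts)]}


if __name__ == "__main__":
    print(check(SAMPLE_MBR))
    print(check(BAD_SIGNATURE_MBR))
```

On a live Windows system the same 512 bytes are the first sector of \\.\PhysicalDrive0, readable with administrative rights; on a box suspected of carrying a kernel-mode rootkit, read them from a clean boot medium such as the Hiren's disc mentioned in #4 rather than from the infected system. Two active flags, or none, is the condition the partition-editor step in #8 fixes; a bad signature is the case where fixmbr should be cancelled.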