Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Tisaerv Activity, Rootkit infection [Solved]

Started by gstrom99 , Feb 16 2012 09:57 PM

This topic is locked

#1
gstrom99

Posted 16 February 2012 - 09:57 PM

Member

Member
19 posts

I picked up my first real bad bug in this Dell Dimension pc. I'm running XP and picked it up at some website, I'm pretty sure. It got by Norton AV and Spywareblaster. Norton gave me "Tidserv Activity 2" and "zeroaccess" messages, but of course it couldn't eliminate it. I tried their FixTDSS, FixZeroAccess and NPE. FixZeroAccess found something and deleted it but the other didn't - FixTDSS hangs up and doen't do much else. Safe Mode is no better. I did run Kapersky's TDSSkiller and it cured something like "access.virus"(?) or "rootkit"(?). Malwarebytes found 3 things on an initial scan, but nothing since. The system is actually better, but there is definately something still amiss. It hangs on shutdown at "saving your settings", Contol Panel function is irratic, and is generally much, much slower. I need help clearing out whatever is still in here messing this up. I am typing this on the affected machine.

Here is the initial OTL log.
Thanks!

OTL Extras logfile created on: 2/16/2012 9:32:57 PM - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\Gary\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 605.05 Mb Available Physical Memory | 59.15% Memory free
2.14 Gb Paging File | 1.87 Gb Available in Paging File | 87.39% Paging File free
Paging file location(s): C:\pagefile.sys 1268 1636 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 61.54 Gb Free Space | 82.65% Space Free | Partition Type: NTFS

Computer Name: RACERX | User Name: Gary | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"8097:TCP" = 8097:TCP:*:Enabled:EarthLink UHP Modem Support

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{03CDDD00-BD57-4326-9480-4C74449AF597}" = PhotoStitch
"{07982F29-C7D6-423F-A100-C0FC67D0EC2F}" = EarthLink Wireless High Speed
"{093625E3-7B87-49D3-AA53-AD0FCFABAF49}" = Camera Window
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{40939C6D-8F27-40B8-9CBC-72701624185D}" = Redistributed Files
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5034E22F-C283-4A1E-9753-AFB1AC87B298}" = EarthLink Accelerator
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05
"{71A4C7E7-1792-4895-A403-36814B2B4151}" = EarthLink FastLane
"{735D1A97-3711-7F70-406E-D714EBD9E852}" = ioDesktop
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7797C70B-11EB-446A-9B1E-3D9039DB581F}" = TotalAccess Core Applications
"{77F9D52A-C8D7-4FE8-8510-19FC6CF75BC3}" = Access Drivers
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = RemoteCapture 2.7.0
"{C057F6D0-0E4C-4B18-B645-9D0804FCFAFD}" = EarthLink Common Authentication
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CD1CD48D-7B18-4254-B43D-AEAB704AB063}" = EarthLink MailBox
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = File Viewer Utility 1.2
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"CANONBJ_Deinstall_CNMCP58.DLL" = Canon i560
"CCleaner" = CCleaner
"CXT1059" = Broadxent V.92 PCI DI3631-1
"EarthLink TotalAccess 2004" = EarthLink Software
"FREE Hi-Q Recorder_is1" = FREE Hi-Q Recorder 1.92
"Get In The Game!" = Get In The Game!
"Hoyle Card Games 2008" = Hoyle Card Games 2008 (remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ieSpell" = ieSpell
"InstallShield_{03CDDD00-BD57-4326-9480-4C74449AF597}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{093625E3-7B87-49D3-AA53-AD0FCFABAF49}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = Canon Utilities RemoteCapture 2.7
"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = Canon Utilities File Viewer Utility 1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NAV" = Norton AntiVirus
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PhotoRecord" = Canon PhotoRecord
"PROSet" = Intel® PRO Network Connections Drivers
"SpywareBlaster_is1" = SpywareBlaster 4.6
"v4 RDP Only Web Push (nstl chk)" = v4 RDP Only Web Push (nstl chk)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/9/2012 8:43:16 AM | Computer Name = RACERX | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/7/2012 12:35:28 AM | Computer Name = RACERX | Source = Application Error | ID = 1000
Description = Faulting application spybotsd.exe, version 1.6.2.46, faulting module
spybotsd.exe, version 1.6.2.46, fault address 0x0002950a.

Error - 2/14/2012 12:28:28 AM | Computer Name = RACERX | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Professional -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Professional. The Windows
installer cannot continue.

Error - 2/14/2012 12:29:16 AM | Computer Name = RACERX | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Professional -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Professional. The Windows
installer cannot continue.

Error - 2/14/2012 12:30:11 AM | Computer Name = RACERX | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Professional -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Professional. The Windows
installer cannot continue.

Error - 2/14/2012 12:30:29 AM | Computer Name = RACERX | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Professional -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Professional. The Windows
installer cannot continue.

Error - 2/14/2012 12:31:36 AM | Computer Name = RACERX | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Professional -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Professional. The Windows
installer cannot continue.

Error - 2/16/2012 8:12:19 PM | Computer Name = RACERX | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Gary\Application Data\Sun\Java\jre1.6.0_31\jre1.6.0_31-c.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 2/16/2012 8:26:56 PM | Computer Name = RACERX | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Administrator\Application
Data\Sun\Java\jre1.6.0_31\jre1.6.0_31-c.msi is not permitted due to an error in
software restriction policy processing. The object cannot be trusted.

Error - 2/16/2012 11:04:41 PM | Computer Name = RACERX | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.60.0.61, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/16/2012 9:10:10 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7023
Description = The RMCAST service terminated with the following error: %%126

Error - 2/16/2012 10:40:10 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7023
Description = The Mcstrm service terminated with the following error: %%126

Error - 2/16/2012 10:40:10 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7023
Description = The Eventclientmultiplexer service terminated with the following error:
%%126

Error - 2/16/2012 10:40:10 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7023
Description = The RMCAST service terminated with the following error: %%126

Error - 2/16/2012 11:09:36 PM | Computer Name = RACERX | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/16/2012 11:10:41 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BHDrvx86 ccSet_NAV eeCtrl Fips intelppm SRTSPX SymIRON SYMTDI

Error - 2/16/2012 11:11:31 PM | Computer Name = RACERX | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/16/2012 11:24:29 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7023
Description = The Mcstrm service terminated with the following error: %%126

Error - 2/16/2012 11:24:29 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7023
Description = The Eventclientmultiplexer service terminated with the following error:
%%126

Error - 2/16/2012 11:24:29 PM | Computer Name = RACERX | Source = Service Control Manager | ID = 7023
Description = The RMCAST service terminated with the following error: %%126

< End of report >

#2
gstrom99

Posted 16 February 2012 - 10:35 PM

Member

Topic Starter
Member
19 posts

Here is the OTL Text log:

OTL logfile created on: 2/16/2012 9:32:57 PM - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\Gary\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 605.05 Mb Available Physical Memory | 59.15% Memory free
2.14 Gb Paging File | 1.87 Gb Available in Paging File | 87.39% Paging File free
Paging file location(s): C:\pagefile.sys 1268 1636 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 61.54 Gb Free Space | 82.65% Space Free | Partition Type: NTFS

Computer Name: RACERX | User Name: Gary | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\1OTL.exe
PRC - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NTIDrvr)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (FA312)
SRV - File not found [Auto | Stopped] -- -- (AVCamUSB20)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe -- (NAV)
SRV - [2008/01/29 15:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) [Auto | Running] -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe -- (EarthLinkMonitor)
SRV - [2003/03/03 12:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)

========== Driver Services (SafeList) ==========

DRV - [2012/02/03 20:42:16 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/03 20:42:16 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/01 18:14:49 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/12/15 17:33:22 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120216.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/11/30 20:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120215.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/11/23 20:23:47 | 000,905,336 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMEFA.SYS -- (SymEFA)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIM)
DRV - [2011/11/23 19:50:26 | 000,574,584 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SRTSP.SYS -- (SRTSP)
DRV - [2011/11/23 19:50:26 | 000,032,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/11/16 21:37:59 | 000,388,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/11/16 21:17:48 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\Ironx86.SYS -- (SymIRON)
DRV - [2011/11/04 17:59:35 | 000,132,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\ccSetx86.sys -- (ccSet_NAV)
DRV - [2011/09/29 00:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120216.018\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/29 00:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120216.018\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/25 20:18:35 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMDS.SYS -- (SymDS)
DRV - [2004/11/01 14:16:34 | 000,017,536 | R--- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BW2NDIS5.SYS -- (BW2NDIS5)
DRV - [2004/08/03 21:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 21:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 21:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 21:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 21:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 21:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 21:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 21:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 21:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 21:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2003/05/14 13:42:58 | 000,013,920 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmHidLo.sys -- (WmHidLo)
DRV - [2003/05/14 13:42:56 | 000,021,216 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmFilter.sys -- (WmFilter)
DRV - [2003/05/14 13:42:50 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmBEnum.sys -- (WmBEnum)
DRV - [2003/05/14 13:42:48 | 000,005,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmVirHid.sys -- (WmVirHid)
DRV - [2003/05/14 13:42:44 | 000,044,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmXlCore.sys -- (WmXlCore)
DRV - [2002/11/08 12:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/10/18 03:06:28 | 000,842,128 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\winachcf.sys -- (Winachcf)
DRV - [2001/08/17 12:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 11:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
IE - HKCU\..\URLSearchHook: ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\IPSFFPlgn\ [2012/02/01 17:49:31 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/02/10 18:15:22 | 000,446,846 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 coolwwwsearch.com
O1 - Hosts: 127.0.0.1 coolwebsearch.com
O1 - Hosts: 127.0.0.1 hi.studioaperto.net
O1 - Hosts: 127.0.0.1 www.webbrowser.tv
O1 - Hosts: 127.0.0.1 www.wazzupnet.com
O1 - Hosts: 127.0.0.1 gueb.com
O1 - Hosts: 127.0.0.1 kabex.com
O1 - Hosts: 127.0.0.1 www.hityou.com
O1 - Hosts: 127.0.0.1 miosearch.com
O1 - Hosts: 127.0.0.1 wazzupnet.com
O1 - Hosts: 127.0.0.1 213.131.225.2
O1 - Hosts: 127.0.0.1 www.blue-elefant.com
O1 - Hosts: 127.0.0.1 babeweb.de
O1 - Hosts: 127.0.0.1 start-seite.com
O1 - Hosts: 127.0.0.1 sexolymp.com
O1 - Hosts: 127.0.0.1 toriii.cc
O1 - Hosts: 127.0.0.1 www.xtipp.de
O1 - Hosts: 127.0.0.1 urawa.cool.ne.jp
O1 - Hosts: 127.0.0.1 777search.com
O1 - Hosts: 127.0.0.1 ace-webmaster.com
O1 - Hosts: 127.0.0.1 aifind.info
O1 - Hosts: 127.0.0.1 amateurliveshow.com
O1 - Hosts: 127.0.0.1 anarchylolita.com
O1 - Hosts: 127.0.0.1 anarchyporn.com
O1 - Hosts: 15404 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (IE_PopupBlocker Class) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll (Propel Software Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} http://employees.old...om/v4rdpchk.cab (v4 silent install)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg...l_v1-0-3-48.cab (EPUImageControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1120313456515 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook....ls/contactx.dll (ContactExtractor Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1126533491875 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: NameServer = 207.69.188.185,207.69.188.186
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/16 21:29:52 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\1OTL.exe
[2012/02/16 21:04:01 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/02/16 19:29:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/02/16 19:28:35 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/02/16 19:28:35 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/02/16 19:28:35 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/02/16 19:28:35 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/02/15 21:54:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Gary\Recent
[2012/02/15 17:41:41 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/15 17:38:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Desktop\123myapp
[2012/02/15 17:38:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\My Documents\New Folder
[2012/02/13 22:28:30 | 001,766,312 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\FixZeroAccess.exe
[2012/02/13 22:27:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/13 22:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/13 22:21:01 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\FixTDSS.exe
[2012/02/13 22:07:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\NPE
[2012/02/13 22:06:23 | 002,804,808 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/09 19:26:47 | 000,000,000 | ---D | C] -- C:\Program Files\ioDesktop
[2012/02/04 11:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\Deployment
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\1OTL.exe
[2012/02/16 21:12:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/02/16 21:12:18 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/16 21:09:39 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/02/16 21:04:01 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/02/16 20:27:26 | 000,000,210 | -HS- | M] () -- C:\BOOT.INI
[2012/02/16 20:11:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/02/16 19:28:12 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/02/16 19:28:12 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/02/16 19:28:12 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/02/16 19:28:12 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/02/16 19:28:12 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/02/15 22:27:54 | 000,110,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/15 22:25:37 | 000,443,334 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/02/15 22:25:37 | 000,072,496 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2012/02/15 22:22:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/15 22:22:49 | 000,799,722 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\Cat.DB
[2012/02/15 17:44:06 | 000,004,782 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\VT20111023.024
[2012/02/15 17:30:56 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/14 21:52:55 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\Microsoft Word (2).lnk
[2012/02/13 22:32:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/13 22:28:30 | 001,766,312 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\FixZeroAccess.exe
[2012/02/13 22:21:01 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\FixTDSS.exe
[2012/02/13 22:06:23 | 002,804,808 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/12 11:11:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/02/12 08:48:55 | 000,000,388 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\EarthLink Web Mail.url
[2012/02/11 18:02:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1007087799-3521379142-2447425561-1007.job
[2012/02/10 18:15:22 | 000,446,846 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\HOSTS
[2012/02/09 19:26:47 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ioDesktop.lnk
[2012/02/07 22:40:02 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\SpywareBlaster.lnk
[2012/02/02 20:27:57 | 000,446,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120210-181522.backup
[2012/02/02 20:08:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/02 17:20:52 | 000,001,896 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2012/02/01 18:14:49 | 000,141,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2012/02/01 18:14:49 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2012/02/01 18:14:49 | 000,007,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2012/02/01 18:14:49 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2012/01/29 09:09:31 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/01/28 07:19:53 | 000,446,600 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120202-202757.backup
[2012/01/26 22:33:46 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\isolate.ini
[2012/01/25 20:49:34 | 000,090,827 | ---- | M] () -- C:\Documents and Settings\Gary\My Documents\il1040return.pdf
[2012/01/19 22:33:34 | 000,445,787 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120128-071953.backup
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/16 21:12:18 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/15 22:21:37 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/13 22:31:59 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/13 22:00:29 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/04 11:06:56 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/02/04 11:06:56 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/01/25 20:49:28 | 000,090,827 | ---- | C] () -- C:\Documents and Settings\Gary\My Documents\il1040return.pdf
[2012/01/07 07:36:29 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2011/10/23 20:35:59 | 000,308,096 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/10/11 20:21:51 | 000,000,152 | ---- | C] () -- C:\WINDOWS\System32\RSLSP.ini
[2011/02/20 08:58:25 | 000,007,680 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\nt838cc.com
[2010/10/14 16:42:07 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/09/23 22:05:29 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\fusioncache.dat
[2007/10/15 21:20:13 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/10/26 19:06:41 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2005/05/23 19:38:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Webspace.INI
[2005/05/23 18:42:00 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2005/05/22 10:01:47 | 000,003,137 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/09 16:20:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/10 19:24:35 | 000,001,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\papycpu2.sys
[2004/11/10 19:24:35 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\papyjoy.sys
[2004/11/10 18:29:13 | 000,000,395 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/11/06 08:01:52 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2004/10/27 17:29:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/10/26 19:33:47 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2004/10/26 17:14:11 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JPR.{PB
[2004/10/26 17:14:11 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JCM.{PB
[2004/10/26 17:09:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/10/26 17:06:30 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS58.DLL
[2004/10/26 16:45:52 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/10/13 00:38:55 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/10/13 00:34:57 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/10/13 00:30:58 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/10/13 00:30:56 | 000,000,384 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/10/13 00:26:46 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/10/13 00:13:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/10/13 00:11:14 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/10/13 00:11:10 | 000,443,334 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/10/13 00:11:10 | 000,072,496 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/10/12 23:55:46 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/03/26 16:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/09/03 08:05:08 | 000,110,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 07:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 07:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 07:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 07:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 04:00:00 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\drivers\ipsec.sys_backup
[2002/08/29 04:00:00 | 000,062,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\cdrom.sys_backup
[2002/08/29 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 04:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\ONETW.DRV
[2002/08/29 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2002/03/13 16:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[1999/01/22 12:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#3
gstrom99

Posted 20 February 2012 - 07:23 AM

Member

Topic Starter
Member
19 posts

Still running irratic. When able to run, Malwarebytes has found and deleted:

PUM.Hijack.Taskmanager
Trojan.Dropper.PGen
Rootkit.OAccess.H (severl times)

gs

#4
gstrom99

Posted 21 February 2012 - 07:53 AM

Member

Topic Starter
Member
19 posts

Title s/b: Tidserv Activity 2, Rootkit infection.
I posted this 2/16/12, no help yet. Runs irratic, slow, etc. Found some things, but it still is messed up.

http://www.geekstogo..._1#entry2123502

Edited by gstrom99, 21 February 2012 - 07:55 AM.

#5
Crag_Hack

Posted 21 February 2012 - 03:54 PM

Trusted Helper

Malware Removal
1,839 posts

Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human not superman - I can make errors but will do my best to help you as best I can so we can solve your problems. Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way. One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures) - when you are using it the current malware infection could propagate further infections - forcing us to do a second or even third round of disinfection after the first. If you do have to use it please disconnect it from the Internet - that way the current malware cannot propagate further infections. I will get back to you soon with further instructions. Expect no more than 24 hours between your post and my response unless World War 3 breaks out and I will need at most 36 hours for initial analysis of your OTL log. Good luck!

#6
gstrom99

Posted 21 February 2012 - 04:12 PM

Member

Topic Starter
Member
19 posts

thanks. pc is offline. using laptop right next to it to write this. I'll probably download and transfer stuff between 'em via thumb drive.

gary

#7
Crag_Hack

Posted 22 February 2012 - 10:46 PM

Trusted Helper

Malware Removal
1,839 posts

Hello gstrom99. I finished analyzing your OTL log file. We will now clean a couple things with OTL, run a scan with OTL, upload a couple files to see if they are malware, and finally run a scan with aswMBR.

Step 1

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL

[2012/02/15 17:30:56 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2011/02/20 08:58:25 | 000,007,680 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\nt838cc.com

:Commands
[purity]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
Open OTL again

Under the Custom Scans/Fixes box at the bottom, paste in the following

C:\WINDOWS\System32\iacenc.dll /md5
C:\WINDOWS\System32\ZWebAuth.dll /md5
C:\WINDOWS\System32\vidx16.dll /md5
C:\WINDOWS\System32\MSRTEDIT.DLL /md5

Click the Quick Scan button. Post the log it produces in your next reply as well.

Step 2

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

Go to this site
Click the browse button on the top of the page
Navigate to this file C:\WINDOWS\UNWISE.EXE and click the open button
Click the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button
Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Repeat the above instructions this time for C:\WINDOWS\ONETW.DRV

Step 3

Download aswMBR.exe ( 1870KB ) to your desktop.
Double click the aswMBR.exe to run it
It will ask you if you want to download the latest Avast! virus definitions, answer no
Click the Scan button to start scan
On completion of the scan click Save log, save it to your desktop and post in your next reply

Things to see in your next post:
OTL fix log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
OTL quick scan log
virscan upload results
aswMBR log

#8
gstrom99

Posted 23 February 2012 - 09:25 AM

Member

Topic Starter
Member
19 posts

I had to reconnect the pc to the internet to do this. Turned Norton AV off temporarily.
Thanks.

OK, here are the results:

========== OTL ==========
C:\WINDOWS\SYSTEM32\dds_trash_log.cmd moved successfully.
C:\Documents and Settings\All Users\Application Data\nt838cc.com moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.32.0 log created on 02232012_082805

OTL logfile created on: 2/23/2012 8:44:39 AM - Run 2
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\Gary\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 735.03 Mb Available Physical Memory | 71.85% Memory free
2.14 Gb Paging File | 1.98 Gb Available in Paging File | 92.25% Paging File free
Paging file location(s): C:\pagefile.sys 1268 1636 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 61.50 Gb Free Space | 82.60% Space Free | Partition Type: NTFS
Drive E: | 1.87 Gb Total Space | 1.87 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

Computer Name: RACERX | User Name: Gary | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\1OTL.exe
PRC - [2012/01/24 04:41:23 | 000,684,488 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\cltlmh.exe
PRC - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Start_Pending] -- -- (NTIDrvr)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stop_Pending] -- -- (FA312)
SRV - File not found [Auto | Stop_Pending] -- -- (AVCamUSB20)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe -- (NAV)
SRV - [2008/01/29 15:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) [Auto | Running] -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe -- (EarthLinkMonitor)
SRV - [2003/03/03 12:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)

========== Driver Services (SafeList) ==========

DRV - [2012/02/03 20:42:16 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/03 20:42:16 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/01 18:14:49 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/12/15 17:33:22 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120216.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/11/30 20:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120215.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/11/23 20:23:47 | 000,905,336 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMEFA.SYS -- (SymEFA)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIM)
DRV - [2011/11/23 19:50:26 | 000,574,584 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SRTSP.SYS -- (SRTSP)
DRV - [2011/11/23 19:50:26 | 000,032,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/11/16 21:37:59 | 000,388,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/11/16 21:17:48 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\Ironx86.SYS -- (SymIRON)
DRV - [2011/11/04 17:59:35 | 000,132,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\ccSetx86.sys -- (ccSet_NAV)
DRV - [2011/09/29 00:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120217.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/29 00:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120217.004\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/25 20:18:35 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMDS.SYS -- (SymDS)
DRV - [2004/11/01 14:16:34 | 000,017,536 | R--- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BW2NDIS5.SYS -- (BW2NDIS5)
DRV - [2004/08/03 21:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 21:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 21:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 21:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 21:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 21:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 21:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 21:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 21:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 21:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2003/05/14 13:42:58 | 000,013,920 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmHidLo.sys -- (WmHidLo)
DRV - [2003/05/14 13:42:56 | 000,021,216 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmFilter.sys -- (WmFilter)
DRV - [2003/05/14 13:42:50 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmBEnum.sys -- (WmBEnum)
DRV - [2003/05/14 13:42:48 | 000,005,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmVirHid.sys -- (WmVirHid)
DRV - [2003/05/14 13:42:44 | 000,044,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmXlCore.sys -- (WmXlCore)
DRV - [2002/11/08 12:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/10/18 03:06:28 | 000,842,128 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\winachcf.sys -- (Winachcf)
DRV - [2001/08/17 12:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 11:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
IE - HKCU\..\URLSearchHook: ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\IPSFFPlgn\ [2012/02/01 17:49:31 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/02/23 08:28:05 | 000,000,098 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (IE_PopupBlocker Class) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll (Propel Software Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} http://employees.old...om/v4rdpchk.cab (v4 silent install)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg...l_v1-0-3-48.cab (EPUImageControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1120313456515 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook....ls/contactx.dll (ContactExtractor Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1126533491875 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: NameServer = 207.69.188.185,207.69.188.186
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/23 08:28:05 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/19 14:57:18 | 000,032,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\FixZeroAccess.sys
[2012/02/19 14:54:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Gary\Recent
[2012/02/16 21:29:52 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\1OTL.exe
[2012/02/16 19:29:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/02/15 17:41:41 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/15 17:38:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Desktop\123myapp
[2012/02/15 17:38:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\My Documents\New Folder
[2012/02/13 22:27:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/13 22:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/13 22:07:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\NPE
[2012/02/13 22:06:23 | 002,804,808 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/09 19:26:47 | 000,000,000 | ---D | C] -- C:\Program Files\ioDesktop
[2012/02/04 11:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\Deployment
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/23 08:37:54 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/23 08:37:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/02/23 08:28:05 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\Hosts
[2012/02/23 08:11:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/02/23 08:02:57 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/02/19 14:57:18 | 000,032,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\FixZeroAccess.sys
[2012/02/19 14:51:37 | 000,004,782 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\VT20111023.024
[2012/02/19 14:34:15 | 000,002,451 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2012/02/19 11:11:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\1OTL.exe
[2012/02/16 20:27:26 | 000,000,210 | -HS- | M] () -- C:\BOOT.INI
[2012/02/15 22:27:54 | 000,110,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/15 22:25:37 | 000,443,334 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/02/15 22:25:37 | 000,072,496 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2012/02/15 22:22:49 | 000,799,722 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\Cat.DB
[2012/02/14 21:52:55 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\Microsoft Word (2).lnk
[2012/02/13 22:32:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/13 22:06:23 | 002,804,808 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/12 08:48:55 | 000,000,388 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\EarthLink Web Mail.url
[2012/02/11 18:02:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1007087799-3521379142-2447425561-1007.job
[2012/02/09 19:26:47 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ioDesktop.lnk
[2012/02/07 22:40:02 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\SpywareBlaster.lnk
[2012/02/02 20:27:57 | 000,446,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120210-181522.backup
[2012/02/02 20:08:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/02 17:20:52 | 000,001,896 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2012/02/01 18:14:49 | 000,141,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2012/02/01 18:14:49 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2012/02/01 18:14:49 | 000,007,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2012/02/01 18:14:49 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2012/01/29 09:09:31 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/01/28 07:19:53 | 000,446,600 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120202-202757.backup
[2012/01/26 22:33:46 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\isolate.ini
[2012/01/25 20:49:34 | 000,090,827 | ---- | M] () -- C:\Documents and Settings\Gary\My Documents\il1040return.pdf
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/20 07:59:15 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/13 22:31:59 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/04 11:06:56 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/02/04 11:06:56 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/01/25 20:49:28 | 000,090,827 | ---- | C] () -- C:\Documents and Settings\Gary\My Documents\il1040return.pdf
[2012/01/07 07:36:29 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2011/10/23 20:35:59 | 000,308,096 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/10/11 20:21:51 | 000,000,152 | ---- | C] () -- C:\WINDOWS\System32\RSLSP.ini
[2010/10/14 16:42:07 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/09/23 22:05:29 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\fusioncache.dat
[2007/10/15 21:20:13 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/10/26 19:06:41 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2005/05/23 19:38:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Webspace.INI
[2005/05/23 18:42:00 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2005/05/22 10:01:47 | 000,003,137 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/09 16:20:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/10 19:24:35 | 000,001,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\papycpu2.sys
[2004/11/10 19:24:35 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\papyjoy.sys
[2004/11/10 18:29:13 | 000,000,395 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/11/06 08:01:52 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2004/10/27 17:29:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/10/26 19:33:47 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2004/10/26 17:14:11 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JPR.{PB
[2004/10/26 17:14:11 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JCM.{PB
[2004/10/26 17:09:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/10/26 17:06:30 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS58.DLL
[2004/10/26 16:45:52 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/10/13 00:38:55 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/10/13 00:34:57 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/10/13 00:30:58 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/10/13 00:30:56 | 000,000,384 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/10/13 00:26:46 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/10/13 00:13:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/10/13 00:11:14 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/10/13 00:11:10 | 000,443,334 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/10/13 00:11:10 | 000,072,496 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/10/12 23:55:46 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/03/26 16:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/09/03 08:05:08 | 000,110,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 07:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 07:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 07:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 07:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 04:00:00 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\drivers\ipsec.sys_backup
[2002/08/29 04:00:00 | 000,062,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\cdrom.sys_backup
[2002/08/29 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 04:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\ONETW.DRV
[2002/08/29 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2002/03/13 16:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[1999/01/22 12:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2011/02/20 08:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Encore
[2010/01/13 22:00:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Euchre
[2011/10/11 20:49:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/03/23 19:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2012/02/16 19:56:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/10/13 00:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2004/11/02 20:38:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Aim
[2009/12/11 13:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/02/12 18:36:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\com.radioio.ioDesktop.CB8A51FDBDF8B5F2BC25A3DD7F59CC4ED6D8CF65.1
[2008/12/28 12:01:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Earthlink
[2008/02/14 20:28:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\EarthLink Toolbar
[2011/03/01 21:43:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\ElevatedDiagnostics
[2011/02/20 07:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\GetRightToGo
[2012/02/14 22:15:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Hoyle Card Games
[2010/03/07 12:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Hoyle FaceCreator
[2011/02/07 20:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\ieSpell
[2004/10/28 18:29:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\JoiExpress
[2004/10/31 08:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Leadertech
[2011/10/11 20:47:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\NCH Swift Sound
[2010/09/23 07:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Tific
[2012/01/07 09:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Uniblue

========== Purity Check ==========

========== Custom Scans ==========

< C:\WINDOWS\System32\iacenc.dll /md5 >
[2012/01/11 13:06:47 | 000,003,072 | ---- | M] () MD5=C30B851A482C4549125F4209788791E6 -- C:\WINDOWS\System32\iacenc.dll

< C:\WINDOWS\System32\ZWebAuth.dll /md5 >
[2001/09/18 18:37:34 | 000,016,973 | ---- | M] () MD5=A1CC9E1DB0840F4DB88AF99CB584971D -- C:\WINDOWS\System32\ZWebAuth.dll

< C:\WINDOWS\System32\vidx16.dll /md5 >
[1998/08/17 03:21:56 | 000,010,240 | ---- | M] () MD5=550BA20DF6C08E628CA9ABD0F6E917B8 -- C:\WINDOWS\System32\vidx16.dll

< C:\WINDOWS\System32\MSRTEDIT.DLL /md5 >
[1999/01/22 12:46:58 | 000,065,536 | ---- | M] () MD5=968A5129FBE4EA13B31BDA7F47392729 -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

VirSCAN.org Scanned Report :
Scanned time : 2012/02/23 08:54:13 (CST)
Scanner results: Scanners did not find malware!
File Name : UNWISE.EXE
File Size : 149504 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 443e13846997c537e8f5ed61130ab705
SHA1 : 6b10d458a5f1e3dbf8dfa96b118cf232d3a66f5f
Online report : http://r.virscan.org...0e119013b27076a

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120223143709 2012-02-23 0.34 -
AhnLab V3 2012.02.24.00 2012.02.24 2012-02-24 3.46 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.25 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.29 -
Arcavir 2011 201202170436 2012-02-17 4.07 -
Authentium 5.1.1 201202230136 2012-02-23 1.57 -
AVAST! 4.7.4 120223-0 2012-02-23 0.24 -
AVG 12.0.1782 2113/4827 2012-02-23 0.28 -
BitDefender 7.90123.7381873 7.41087 2012-02-21 4.13 -
ClamAV 0.97.3 14507 2012-02-23 0.30 -
Comodo 5.1 11588 2012-02-23 2.92 -
CP Secure 1.3.0.5 2012.02.23 2012-02-23 0.23 -
Dr.Web 7.0.0.11250 2012.02.23 2012-02-23 12.31 -
F-Prot 4.6.2.117 20120222 2012-02-22 1.45 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.68 -
Fortinet 4.3.388 15.239 2012-02-23 0.38 -
GData 22.3956 20120223 2012-02-23 6.84 -
ViRobot 20120223 2012.02.23 2012-02-23 0.96 -
Ikarus T3.1.32.20.0 2012.02.23.80555 2012-02-23 5.62 -
JiangMin 13.0.900 2012.02.22 2012-02-22 3.19 -
Kaspersky 5.5.10 2012.02.20 2012-02-20 0.42 -
KingSoft 2009.2.5.15 2012.2.23.9 2012-02-23 1.05 -
McAfee 5400.1158 6628 2012-02-22 11.82 -
Microsoft 1.8101 2012.02.23 2012-02-23 3.75 -
NOD32 3.0.21 6841 2012-01-30 0.16 -
Panda 9.05.01 2012.02.22 2012-02-22 6.13 -
Trend Micro 9.500-1005 8.796.05 2012-02-23 0.22 -
Quick Heal 11.00 2012.02.23 2012-02-23 1.43 -
Rising 20.0 23.98.03.03 2012-02-23 4.52 -
Sophos 3.28.1 4.74 2012-02-23 5.07 -
Sunbelt 3.9.2527.2 11581 2012-02-23 0.98 -
Symantec 1.3.0.24 20120222.001 2012-02-22 0.41 -
nProtect 20120222.01 11293847 2012-02-22 8.16 -
The Hacker 6.7.0.1 v00406 2012-02-22 0.56 -
VBA32 3.12.16.4 20120223.0717 2012-02-23 5.33 -
VirusBuster 5.4.1.7 14.1.232.0/79478492012-02-23 0.27 -

VirSCAN.org Scanned Report :
Scanned time : 2012/02/23 09:11:55 (CST)
Scanner results: Scanners did not find malware!
File Name : ONETW.DRV
File Size : 1024 byte
File Type : Sendmail frozen configuration - version çË¾
MD5 : 6929f7a34199ddc083abfad91659ba09
SHA1 : 6ada9cf340285593121bec336c884255dc9b3a22
Online report : http://r.virscan.org...7593a4db2227df1

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120223143709 2012-02-23 0.36 -
AhnLab V3 2012.02.24.00 2012.02.24 2012-02-24 3.35 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.28 -
Antiy 2.0.18 2.0.18. 0002-18-00 1.19 -
Arcavir 2011 201202170436 2012-02-17 5.31 -
Authentium 5.1.1 201202230136 2012-02-23 2.28 -
AVAST! 4.7.4 120223-0 2012-02-23 0.23 -
AVG 12.0.1782 2113/4827 2012-02-23 0.40 -
BitDefender 7.90123.7381873 7.41087 2012-02-21 6.78 -
ClamAV 0.97.3 14507 2012-02-23 0.22 -
Comodo 5.1 11588 2012-02-23 3.24 -
CP Secure 1.3.0.5 2012.02.23 2012-02-23 0.20 -
Dr.Web 7.0.0.11250 2012.02.23 2012-02-23 16.37 -
F-Prot 4.6.2.117 20120223 2012-02-23 1.62 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.30 -
Fortinet 4.3.388 15.239 2012-02-23 0.19 -
GData 22.3956 20120223 2012-02-23 5.29 -
ViRobot 20120223 2012.02.23 2012-02-23 0.42 -
Ikarus T3.1.32.20.0 2012.02.23.80555 2012-02-23 5.12 -
JiangMin 13.0.900 2012.02.23 2012-02-23 6.32 -
Kaspersky 5.5.10 2012.02.20 2012-02-20 0.37 -
KingSoft 2009.2.5.15 2012.2.23.9 2012-02-23 1.08 -
McAfee 5400.1158 6628 2012-02-22 14.04 -
Microsoft 1.8101 2012.02.23 2012-02-23 4.28 -
NOD32 3.0.21 6841 2012-01-30 0.26 -
Panda 9.05.01 2012.02.22 2012-02-22 2.53 -
Trend Micro 9.500-1005 8.796.05 2012-02-23 0.32 -
Quick Heal 11.00 2012.02.23 2012-02-23 0.97 -
Rising 20.0 23.98.03.03 2012-02-23 0.49 -
Sophos 3.28.1 4.74 2012-02-23 7.53 -
Sunbelt 3.9.2527.2 11581 2012-02-23 0.95 -
Symantec 1.3.0.24 20120222.001 2012-02-22 0.68 -
nProtect 20120222.01 11293847 2012-02-22 1.73 -
The Hacker 6.7.0.1 v00406 2012-02-22 2.70 -
VBA32 3.12.16.4 20120223.1035 2012-02-23 3.39 -
VirusBuster 5.4.1.7 14.1.232.0/79478492012-02-23 0.17 -

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 09:21:34
-----------------------------
09:21:34.250 OS Version: Windows 5.1.2600 Service Pack 3
09:21:34.250 Number of processors: 1 586 0x304
09:21:34.250 ComputerName: RACERX UserName: Gary
09:21:35.109 Initialize success
09:21:48.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:21:48.718 Disk 0 Vendor: ST380011A 8.16 Size: 76293MB BusType: 3
09:21:48.734 Disk 0 MBR read successfully
09:21:48.734 Disk 0 MBR scan
09:21:48.734 Disk 0 Windows XP default MBR code
09:21:48.734 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
09:21:48.750 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76245 MB offset 80325
09:21:48.750 Disk 0 scanning sectors +156232125
09:21:48.828 Disk 0 scanning C:\WINDOWS\system32\drivers
09:21:58.453 Service scanning
09:22:24.859 Modules scanning
09:22:42.203 Disk 0 trace - called modules:
09:22:42.218 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
09:22:42.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87368ab8]
09:22:42.218 3 CLASSPNP.SYS[f7861fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87362d98]
09:22:42.218 Scan finished successfully
09:23:15.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gary\Desktop\MBR.dat"
09:23:15.343 The log file has been saved successfully to "C:\Documents and Settings\Gary\Desktop\aswMBR.txt"

#9
Crag_Hack

Posted 23 February 2012 - 04:48 PM

Trusted Helper

Malware Removal
1,839 posts

Hello gstrom99. Your OTL fix worked, your OTL scan turned up clean, your virscan upload results turned up clean, and your aswMBR scan did as well. We will now upload one file to see if it is malware or not and also run a very powerful utility called Combofix. Please do the following:

Step 1

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

Go to this site
Click the browse button on the top of the page
Navigate to this file C:\WINDOWS\System32\iacenc.dll and click the open button
Click the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button
Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Step 2

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Things to see in your next post:
Virscan upload result
Combofix log
Updated computer status - describe symptoms if any

#10
gstrom99

Posted 23 February 2012 - 06:52 PM

Member

Topic Starter
Member
19 posts

I lost the first two virusscans of the iacenc.dll file; one to IE closing on its own... Here is one ran after ComboFix:

VirSCAN.org Scanned Report :
Scanned time : 2012/02/23 18:45:59 (CST)
Scanner results: Scanners did not find malware!
File Name : iacenc.dll
File Size : 3072 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : c30b851a482c4549125f4209788791e6
SHA1 : b170f99cd33266d67b18f6bea3b7ba153aa75b72
Online report : http://r.virscan.org...1ebf93ec6b17a74

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120224011554 2012-02-24 0.32 -
AhnLab V3 2012.02.24.00 2012.02.24 2012-02-24 2.74 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.17 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.28 -
Arcavir 2011 201202170436 2012-02-17 3.73 -
Authentium 5.1.1 201202231216 2012-02-23 1.49 -
AVAST! 4.7.4 120223-1 2012-02-23 0.17 -
AVG 12.0.1782 2114/4827 2012-02-23 0.25 -
BitDefender 7.90123.7381873 7.41087 2012-02-21 3.75 -
ClamAV 0.97.3 14507 2012-02-23 0.16 -
Comodo 5.1 11593 2012-02-23 2.63 -
CP Secure 1.3.0.5 2012.02.24 2012-02-24 0.20 -
Dr.Web 7.0.0.11250 2012.02.24 2012-02-24 12.24 -
F-Prot 4.6.2.117 20120223 2012-02-23 0.84 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.22 -
Fortinet 4.3.388 15.240 2012-02-23 0.26 -
GData 22.3959 20120224 2012-02-24 6.04 -
ViRobot 20120223 2012.02.23 2012-02-23 0.43 -
Ikarus T3.1.32.20.0 2012.02.23.80561 2012-02-23 7.59 -
JiangMin 13.0.900 2012.02.23 2012-02-23 2.20 -
Kaspersky 5.5.10 2012.02.20 2012-02-20 0.29 -
KingSoft 2009.2.5.15 2012.2.23.9 2012-02-23 1.06 -
McAfee 5400.1158 6629 2012-02-23 12.34 -
Microsoft 1.8101 2012.02.24 2012-02-24 3.73 -
NOD32 3.0.21 6841 2012-01-30 0.16 -
Panda 9.05.01 2012.02.23 2012-02-23 3.10 -
Trend Micro 9.500-1005 8.796.07 2012-02-23 0.20 -
Quick Heal 11.00 2012.02.23 2012-02-23 1.19 -
Rising 20.0 23.98.03.03 2012-02-23 3.89 -
Sophos 3.28.1 4.74 2012-02-24 5.50 -
Sunbelt 3.9.2527.2 11583 2012-02-23 0.87 -
Symantec 1.3.0.24 20120223.001 2012-02-23 0.51 -
nProtect 20120223.01 11266673 2012-02-23 1.42 -
The Hacker 6.7.0.1 v00408 2012-02-23 0.63 -
VBA32 3.12.16.4 20120223.1035 2012-02-23 3.67 -
VirusBuster 5.4.1.7 14.1.232.0/79478492012-02-23 0.17 -

Here is the ComboFix log. It id'd a rootkit zeroaccess in tcp/ip stack. IE was very slow to load to get me to post this... Should I re-run it?

ComboFix 12-02-23.02 - Gary 02/23/2012 18:18:10.1.1 - x86
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\microsoft\media index\wmplibrary_v_0_12.lrd
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Gary\Application Data\Microsoft\1eaadjc.dll
c:\documents and settings\Gary\Application Data\Microsoft\bass.dll
c:\documents and settings\Gary\Application Data\Microsoft\kfgresk.dll
c:\documents and settings\Gary\WINDOWS
c:\windows\$NtUninstallKB22887$
c:\windows\$NtUninstallKB22887$\2823251935
c:\windows\$NtUninstallKB22887$\3589901470\@
c:\windows\$NtUninstallKB22887$\3589901470\cfg.ini
c:\windows\$NtUninstallKB22887$\3589901470\Desktop.ini
c:\windows\$NtUninstallKB22887$\3589901470\L\asobptkf
c:\windows\$NtUninstallKB22887$\3589901470\U\00000001.@
c:\windows\$NtUninstallKB22887$\3589901470\U\00000002.@
c:\windows\$NtUninstallKB22887$\3589901470\U\00000004.@
c:\windows\$NtUninstallKB22887$\3589901470\U\80000000.@
c:\windows\$NtUninstallKB22887$\3589901470\U\80000004.@
c:\windows\$NtUninstallKB22887$\3589901470\U\80000032.@
c:\windows\$NtUninstallKB22887$\3589901470\version
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\tmp.reg
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-23 14:28 . 2012-02-23 14:28 -------- d-----w- C:\_OTL
2012-02-19 20:57 . 2012-02-19 20:57 32808 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-02-17 01:28 . 2012-02-17 01:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-17 00:55 . 2012-02-17 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\com.radioio.ioDesktop.CB8A51FDBDF8B5F2BC25A3DD7F59CC4ED6D8CF65.1
2012-02-17 00:55 . 2012-02-17 00:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-02-16 02:20 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-16 02:20 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 23:41 . 2012-02-15 23:41 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-14 04:07 . 2012-02-16 02:06 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\NPE
2012-02-10 01:26 . 2012-02-10 01:26 -------- d-----w- c:\program files\ioDesktop
2012-02-04 17:06 . 2012-02-04 17:06 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Deployment
2012-02-02 00:14 . 2012-02-02 23:19 -------- d-----w- c:\windows\system32\drivers\NAV\1305000.091
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-17 01:28 . 2008-10-29 01:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-15 23:44 . 2002-08-29 10:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-02 00:14 . 2010-08-12 02:07 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-02-02 00:14 . 2010-08-12 02:07 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-12 16:53 . 2002-08-29 10:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-24 23:48 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-24 23:48 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-17 19:46 . 2004-02-06 23:05 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2002-08-29 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2002-08-29 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-10-27 03:04 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 21:24 . 2012-01-09 14:14 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\System32\drivers\SMR250.SYS [x]
R3 12386535;12386535; [x]
R3 16470951;16470951; [x]
R3 39392380;39392380; [x]
R3 57557279;57557279; [x]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
R3 TIDHOOK;TIDHOOK;c:\docume~1\Gary\LOCALS~1\Temp\fxjl958o.tmp\tidhook.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\SYMDS.SYS [2011-07-26 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\SYMEFA.SYS [2011-11-24 905336]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [2011-12-01 820344]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccSetx86.sys [2011-11-04 132744]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\Ironx86.SYS [2011-11-17 149624]
S2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe [2011-11-30 138248]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 106104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120223.002\IDSxpx86.sys [2011-12-15 356280]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NTIDrvr
FA312
AVCamUSB20
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-04 17:06]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-04 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = My Browser
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: NameServer = 207.69.188.185,207.69.188.186
DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} - hxxp://employees.oldrepublic.com/v4rdpchk.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
SafeBoot-16954307.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-23 18:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(624)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2012-02-23 18:30:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 00:29
.
Pre-Run: 65,905,451,008 bytes free
Post-Run: 65,947,193,344 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 1E6BD686AC17C802293A0B482ACC16CD

#11
gstrom99

Posted 23 February 2012 - 07:16 PM

Member

Topic Starter
Member
19 posts

Now there's two threads here... dunno how.

I'm typing this from my laptop.

PC Status:

I turned Norton back on.

I get Windows Explorer hanging/error messages.
IE still takes a long, long time to load, if at all
Can't look at files, ie: "my computer" has the flashing looking...
system hangs on "Saving your settings"

Not really any better, yet.

Ideas?

Thanks.

Gary

#12
gstrom99

Posted 23 February 2012 - 09:53 PM

Member

Topic Starter
Member
19 posts

The pc is still acting up. It needs to sit idle for 10 mins or so before IE or most other programs will load. Once past this idle time, IE loads fine and others work OK too.

Thanks.

Gary

#13
Crag_Hack

Posted 25 February 2012 - 03:58 PM

Trusted Helper

Malware Removal
1,839 posts

Hello gstrom99. I finished analyzing your ComboFix log. We will now run a fix with ComboFix. Then we will run a scan with TDSSKiller. We will also look at your NPE log to see if it damaged any system files. Then finally we will do a scan with AVP. Please elaborate with regard to this:

Can't look at files, ie: "my computer" has the flashing looking...

Then please do the following:

Step 1

Make sure to take note if ComboFix gives you any messages - especially if they are related to ZeroAccess.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\docume~1\Gary\LOCALS~1\Temp\fxjl958o.tmp\tidhook.sys

Driver::
12386535
16470951
39392380
57557279
TIDHOOK
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Step 3

Please follow the instructions here to view your NPE log. Then save the file to your computer and attach it to your next post - make sure to attach not copy.

Step 4

Download AVPTool from Here to your desktop (use version 11)
Run the program you have just downloaded to your desktop
Accept the license agreement

First we will run a virus scan
Click the cog in the upper right
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threads report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
On completion click the link to locate the zip file to upload and attach to your next post

Things to see in your next post:
C:\ComboFix.txt
TDSSKiller log (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt"
NPE log
AVP scan results
attached AVP analysis results

#14
gstrom99

Posted 25 February 2012 - 10:30 PM

Member

Topic Starter
Member
19 posts

Quote

"Can't look at files, ie: "my computer" has the flashing looking..."

What I meant was: Unless the pc has been running for at least 5 minutes, when I try to open "My Computer" there is a flashlight pointing back and forth "looking" for the contents of the folder. Once the pc's been on for awhile, it opens the file fine. Sorry for the confusion. It's late and I've got family stuff tomorow so I'll run the tests asap after that and post the results then. Thanks.
gs

#15
gstrom99

Posted 26 February 2012 - 10:24 PM

Member

Topic Starter
Member
19 posts

Thanks. TDSSKiller did not offer the "cure" option. AVP reported a bunch of files as password protected, but I don't even know how to do that...

The NPE Log is ~1.7mb and is too big to attach... (?)

Here are the logs/reports.

ComboFix 12-02-23.02 - Gary 02/26/2012 19:48:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.626 [GMT -6:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\cfscript.txt
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
FILE ::
"c:\docume~1\Gary\LOCALS~1\Temp\fxjl958o.tmp\tidhook.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Gary\Application Data\Microsoft\~DFK303752.tmp
c:\documents and settings\Gary\Application Data\Microsoft\mjcriu.dll
c:\documents and settings\Gary\Application Data\Microsoft\peaadje.dll
c:\documents and settings\Gary\Application Data\Microsoft\qwadjb.dll
c:\documents and settings\Gary\Application Data\Microsoft\rsaadjd.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_12386535
-------\Legacy_16470951
-------\Legacy_39392380
-------\Legacy_57557279
-------\Legacy_TIDHOOK
-------\Service_12386535
-------\Service_16470951
-------\Service_39392380
-------\Service_57557279
-------\Service_TIDHOOK
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-23 14:28 . 2012-02-23 14:28 -------- d-----w- C:\_OTL
2012-02-19 20:57 . 2012-02-19 20:57 32808 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-02-17 01:28 . 2012-02-17 01:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-17 00:55 . 2012-02-17 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\com.radioio.ioDesktop.CB8A51FDBDF8B5F2BC25A3DD7F59CC4ED6D8CF65.1
2012-02-17 00:55 . 2012-02-17 00:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-02-16 02:20 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-16 02:20 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 23:41 . 2012-02-15 23:41 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-14 04:07 . 2012-02-16 02:06 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\NPE
2012-02-10 01:26 . 2012-02-10 01:26 -------- d-----w- c:\program files\ioDesktop
2012-02-04 17:06 . 2012-02-04 17:06 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Deployment
2012-02-02 00:14 . 2012-02-02 23:19 -------- d-----w- c:\windows\system32\drivers\NAV\1305000.091
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-17 01:28 . 2008-10-29 01:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-15 23:44 . 2002-08-29 10:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-02 00:14 . 2010-08-12 02:07 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-02-02 00:14 . 2010-08-12 02:07 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-12 16:53 . 2002-08-29 10:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-24 23:48 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-24 23:48 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-17 19:46 . 2004-02-06 23:05 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2002-08-29 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2002-08-29 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-10-27 03:04 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 21:24 . 2012-01-09 14:14 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-24_00.26.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-27 01:54 . 2012-02-27 01:54 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\System32\drivers\SMR250.SYS [x]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\SYMDS.SYS [2011-07-26 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\SYMEFA.SYS [2011-11-24 905336]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [2011-12-01 820344]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccSetx86.sys [2011-11-04 132744]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\Ironx86.SYS [2011-11-17 149624]
S2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe [2011-11-30 138248]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 106104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120223.002\IDSxpx86.sys [2011-12-15 356280]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NTIDrvr
FA312
AVCamUSB20
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-04 17:06]
.
2012-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-04 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = My Browser
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: microsoft.com\www.update
TCP: Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: NameServer = 207.69.188.185,207.69.188.186
DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} - hxxp://employees.oldrepublic.com/v4rdpchk.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-26 19:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2012-02-26 19:58:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-27 01:58
ComboFix2.txt 2012-02-24 00:30
.
Pre-Run: 65,826,488,320 bytes free
Post-Run: 65,865,605,120 bytes free
.
- - End Of File - - 9CC22516DECB373CAF76ED2406D33E9C

20:22:02.0921 2904 TDSS rootkit removing tool 2.7.14.0 Feb 22 2012 16:54:49
20:22:02.0937 2904 ============================================================
20:22:02.0937 2904 Current date / time: 2012/02/26 20:22:02.0937
20:22:02.0937 2904 SystemInfo:
20:22:02.0937 2904
20:22:02.0937 2904 OS Version: 5.1.2600 ServicePack: 3.0
20:22:02.0937 2904 Product type: Workstation
20:22:02.0937 2904 ComputerName: RACERX
20:22:02.0937 2904 UserName: Gary
20:22:02.0937 2904 Windows directory: C:\WINDOWS
20:22:02.0937 2904 System windows directory: C:\WINDOWS
20:22:02.0937 2904 Processor architecture: Intel x86
20:22:02.0937 2904 Number of processors: 1
20:22:02.0937 2904 Page size: 0x1000
20:22:02.0937 2904 Boot type: Normal boot
20:22:02.0937 2904 ============================================================
20:22:04.0109 2904 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:22:04.0109 2904 Drive \Device\Harddisk1\DR7 - Size: 0x78000000 (1.88 Gb), SectorSize: 0x200, Cylinders: 0xF4, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:22:04.0125 2904 \Device\Harddisk0\DR0:
20:22:04.0125 2904 MBR used
20:22:04.0125 2904 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x94EAFF8
20:22:04.0125 2904 \Device\Harddisk1\DR7:
20:22:04.0125 2904 MBR used
20:22:04.0125 2904 \Device\Harddisk1\DR7\Partition0: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x3BFFC1
20:22:04.0187 2904 Initialize success
20:22:04.0187 2904 ============================================================
20:22:15.0343 2928 ============================================================
20:22:15.0343 2928 Scan started
20:22:15.0343 2928 Mode: Manual; SigCheck; TDLFS;
20:22:15.0343 2928 ============================================================
20:22:15.0640 2928 Abiosdsk - ok
20:22:15.0718 2928 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
20:22:16.0000 2928 abp480n5 - ok
20:22:16.0156 2928 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:22:16.0328 2928 ACPI - ok
20:22:16.0468 2928 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:22:16.0609 2928 ACPIEC - ok
20:22:16.0750 2928 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
20:22:16.0890 2928 adpu160m - ok
20:22:17.0062 2928 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
20:22:17.0109 2928 aeaudio - ok
20:22:17.0265 2928 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:22:17.0421 2928 aec - ok
20:22:17.0578 2928 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:22:17.0625 2928 AFD - ok
20:22:17.0734 2928 AFGMp50 - ok
20:22:17.0765 2928 AFGSp50 - ok
20:22:17.0859 2928 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
20:22:18.0015 2928 agp440 - ok
20:22:18.0171 2928 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
20:22:18.0312 2928 agpCPQ - ok
20:22:18.0468 2928 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
20:22:18.0531 2928 Aha154x - ok
20:22:18.0687 2928 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
20:22:18.0843 2928 aic78u2 - ok
20:22:19.0015 2928 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
20:22:19.0156 2928 aic78xx - ok
20:22:19.0312 2928 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
20:22:19.0453 2928 AliIde - ok
20:22:19.0593 2928 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
20:22:19.0750 2928 alim1541 - ok
20:22:19.0937 2928 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
20:22:20.0078 2928 amdagp - ok
20:22:20.0234 2928 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
20:22:20.0312 2928 amsint - ok
20:22:20.0453 2928 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
20:22:20.0609 2928 asc - ok
20:22:20.0750 2928 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
20:22:20.0812 2928 asc3350p - ok
20:22:21.0000 2928 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
20:22:21.0140 2928 asc3550 - ok
20:22:21.0296 2928 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:22:21.0453 2928 AsyncMac - ok
20:22:21.0609 2928 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:22:21.0750 2928 atapi - ok
20:22:21.0875 2928 Atdisk - ok
20:22:21.0937 2928 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:22:22.0093 2928 Atmarpc - ok
20:22:22.0265 2928 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:22:22.0421 2928 audstub - ok
20:22:22.0578 2928 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:22:22.0750 2928 Beep - ok
20:22:23.0109 2928 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120215.001\BHDrvx86.sys
20:22:23.0156 2928 BHDrvx86 - ok
20:22:23.0312 2928 BW2NDIS5 (71cb7616cb36d43ea787c41ab55fe458) C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
20:22:23.0328 2928 BW2NDIS5 ( UnsignedFile.Multi.Generic ) - warning
20:22:23.0328 2928 BW2NDIS5 - detected UnsignedFile.Multi.Generic (1)
20:22:23.0359 2928 catchme - ok
20:22:23.0500 2928 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
20:22:23.0656 2928 cbidf - ok
20:22:23.0796 2928 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:22:23.0937 2928 cbidf2k - ok
20:22:24.0156 2928 ccSet_NAV (599e7f6259a127c174c49938d2aa6a60) C:\WINDOWS\system32\drivers\NAV\1305000.091\ccSetx86.sys
20:22:24.0171 2928 ccSet_NAV - ok
20:22:24.0343 2928 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
20:22:24.0406 2928 cd20xrnt - ok
20:22:24.0562 2928 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:22:24.0718 2928 Cdaudio - ok
20:22:24.0890 2928 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:22:25.0046 2928 Cdfs - ok
20:22:25.0218 2928 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:22:25.0375 2928 Cdrom - ok
20:22:25.0484 2928 Changer - ok
20:22:25.0562 2928 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
20:22:25.0718 2928 CmdIde - ok
20:22:25.0890 2928 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
20:22:26.0046 2928 Cpqarray - ok
20:22:26.0265 2928 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
20:22:26.0421 2928 dac2w2k - ok
20:22:26.0578 2928 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
20:22:26.0734 2928 dac960nt - ok
20:22:26.0906 2928 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:22:27.0062 2928 Disk - ok
20:22:27.0250 2928 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:22:27.0406 2928 dmboot - ok
20:22:27.0546 2928 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:22:27.0703 2928 dmio - ok
20:22:27.0843 2928 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:22:28.0000 2928 dmload - ok
20:22:28.0171 2928 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:22:28.0328 2928 DMusic - ok
20:22:28.0468 2928 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
20:22:28.0625 2928 dpti2o - ok
20:22:28.0796 2928 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:22:28.0937 2928 drmkaud - ok
20:22:29.0125 2928 drvmcdb (049177996e5e33b5faf40cad2b82098c) C:\WINDOWS\system32\drivers\drvmcdb.sys
20:22:29.0156 2928 drvmcdb ( UnsignedFile.Multi.Generic ) - warning
20:22:29.0156 2928 drvmcdb - detected UnsignedFile.Multi.Generic (1)
20:22:29.0312 2928 drvnddm (2f4134d073f972575c174e3d621f0107) C:\WINDOWS\system32\drivers\drvnddm.sys
20:22:29.0343 2928 drvnddm ( UnsignedFile.Multi.Generic ) - warning
20:22:29.0343 2928 drvnddm - detected UnsignedFile.Multi.Generic (1)
20:22:29.0500 2928 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
20:22:29.0531 2928 E100B - ok
20:22:29.0734 2928 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
20:22:29.0750 2928 eeCtrl - ok
20:22:29.0921 2928 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
20:22:30.0078 2928 EL90XBC - ok
20:22:30.0250 2928 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
20:22:30.0265 2928 EraserUtilRebootDrv - ok
20:22:30.0453 2928 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:22:30.0609 2928 Fastfat - ok
20:22:30.0750 2928 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:22:30.0921 2928 Fdc - ok
20:22:31.0093 2928 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:22:31.0609 2928 Fips - ok
20:22:31.0765 2928 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:22:31.0921 2928 Flpydisk - ok
20:22:32.0093 2928 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:22:32.0265 2928 FltMgr - ok
20:22:32.0406 2928 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:22:32.0562 2928 Fs_Rec - ok
20:22:32.0734 2928 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:22:32.0921 2928 Ftdisk - ok
20:22:33.0078 2928 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:22:33.0234 2928 Gpc - ok
20:22:33.0390 2928 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
20:22:33.0609 2928 HCF_MSFT - ok
20:22:33.0750 2928 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:22:33.0890 2928 HidUsb - ok
20:22:34.0062 2928 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
20:22:34.0203 2928 hpn - ok
20:22:34.0375 2928 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:22:34.0406 2928 HTTP - ok
20:22:34.0562 2928 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:22:34.0718 2928 i2omgmt - ok
20:22:34.0906 2928 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
20:22:35.0046 2928 i2omp - ok
20:22:35.0203 2928 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:22:35.0359 2928 i8042prt - ok
20:22:35.0500 2928 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
20:22:35.0625 2928 i81x - ok
20:22:35.0765 2928 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
20:22:35.0890 2928 iAimFP0 - ok
20:22:36.0046 2928 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
20:22:36.0171 2928 iAimFP1 - ok
20:22:36.0328 2928 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
20:22:36.0484 2928 iAimFP2 - ok
20:22:36.0640 2928 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
20:22:36.0750 2928 iAimFP3 - ok
20:22:36.0937 2928 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
20:22:37.0062 2928 iAimFP4 - ok
20:22:37.0203 2928 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
20:22:37.0328 2928 iAimTV0 - ok
20:22:37.0484 2928 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
20:22:37.0609 2928 iAimTV1 - ok
20:22:37.0718 2928 iAimTV2 - ok
20:22:37.0796 2928 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
20:22:37.0921 2928 iAimTV3 - ok
20:22:38.0062 2928 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
20:22:38.0187 2928 iAimTV4 - ok
20:22:38.0562 2928 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120223.002\IDSxpx86.sys
20:22:38.0593 2928 IDSxpx86 - ok
20:22:38.0765 2928 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:22:38.0906 2928 Imapi - ok
20:22:39.0093 2928 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
20:22:39.0234 2928 ini910u - ok
20:22:39.0390 2928 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
20:22:39.0531 2928 IntelIde - ok
20:22:39.0703 2928 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:22:39.0843 2928 intelppm - ok
20:22:40.0000 2928 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:22:40.0140 2928 ip6fw - ok
20:22:40.0296 2928 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:22:40.0437 2928 IpFilterDriver - ok
20:22:40.0593 2928 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:22:40.0734 2928 IpInIp - ok
20:22:40.0906 2928 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:22:41.0078 2928 IpNat - ok
20:22:41.0234 2928 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:22:41.0390 2928 IPSec - ok
20:22:41.0750 2928 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:22:41.0890 2928 IRENUM - ok
20:22:42.0062 2928 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:22:42.0218 2928 isapnp - ok
20:22:42.0375 2928 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:22:42.0531 2928 Kbdclass - ok
20:22:42.0687 2928 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:22:42.0843 2928 kbdhid - ok
20:22:43.0015 2928 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:22:43.0171 2928 kmixer - ok
20:22:43.0328 2928 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:22:43.0359 2928 KSecDD - ok
20:22:43.0484 2928 lbrtfdc - ok
20:22:43.0578 2928 mdmxsdk (29174d3d90ee4244fda6355a859691be) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:22:43.0578 2928 mdmxsdk - ok
20:22:43.0765 2928 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:22:43.0921 2928 mnmdd - ok
20:22:44.0109 2928 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:22:44.0265 2928 Modem - ok
20:22:44.0421 2928 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
20:22:44.0578 2928 MODEMCSA - ok
20:22:44.0734 2928 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:22:44.0890 2928 Mouclass - ok
20:22:45.0046 2928 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:22:45.0187 2928 mouhid - ok
20:22:45.0343 2928 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:22:45.0500 2928 MountMgr - ok
20:22:45.0640 2928 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
20:22:45.0781 2928 mraid35x - ok
20:22:45.0953 2928 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:22:46.0109 2928 MRxDAV - ok
20:22:46.0265 2928 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:22:46.0328 2928 MRxSmb - ok
20:22:46.0484 2928 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:22:46.0640 2928 Msfs - ok
20:22:46.0781 2928 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:22:46.0921 2928 MSKSSRV - ok
20:22:47.0062 2928 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:22:47.0203 2928 MSPCLOCK - ok
20:22:47.0343 2928 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:22:47.0484 2928 MSPQM - ok
20:22:47.0640 2928 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:22:47.0781 2928 mssmbios - ok
20:22:47.0937 2928 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:22:47.0968 2928 Mup - ok
20:22:48.0265 2928 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120223.017\NAVENG.SYS
20:22:48.0281 2928 NAVENG - ok
20:22:48.0578 2928 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120223.017\NAVEX15.SYS
20:22:48.0671 2928 NAVEX15 - ok
20:22:48.0843 2928 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:22:49.0015 2928 NDIS - ok
20:22:49.0156 2928 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:22:49.0203 2928 NdisTapi - ok
20:22:49.0343 2928 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:22:49.0500 2928 Ndisuio - ok
20:22:49.0640 2928 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:22:49.0796 2928 NdisWan - ok
20:22:49.0968 2928 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:22:50.0015 2928 NDProxy - ok
20:22:50.0171 2928 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:22:50.0312 2928 NetBIOS - ok
20:22:50.0484 2928 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:22:50.0640 2928 NetBT - ok
20:22:50.0812 2928 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:22:50.0953 2928 Npfs - ok
20:22:51.0140 2928 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:22:51.0328 2928 Ntfs - ok
20:22:51.0515 2928 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:22:51.0671 2928 Null - ok
20:22:51.0875 2928 nv (66c90afbf0d10a93789f6544be459e72) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:22:51.0953 2928 nv - ok
20:22:52.0109 2928 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:22:52.0250 2928 NwlnkFlt - ok
20:22:52.0406 2928 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:22:52.0562 2928 NwlnkFwd - ok
20:22:52.0718 2928 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
20:22:52.0750 2928 omci ( UnsignedFile.Multi.Generic ) - warning
20:22:52.0750 2928 omci - detected UnsignedFile.Multi.Generic (1)
20:22:52.0937 2928 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
20:22:53.0078 2928 P3 - ok
20:22:53.0234 2928 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:22:53.0390 2928 Parport - ok
20:22:53.0546 2928 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:22:53.0703 2928 PartMgr - ok
20:22:53.0859 2928 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:22:54.0015 2928 ParVdm - ok
20:22:54.0187 2928 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:22:54.0343 2928 PCI - ok
20:22:54.0453 2928 PCIDump - ok
20:22:54.0531 2928 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:22:54.0703 2928 PCIIde - ok
20:22:54.0843 2928 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:22:55.0000 2928 Pcmcia - ok
20:22:55.0125 2928 PDCOMP - ok
20:22:55.0218 2928 PDFRAME - ok
20:22:55.0250 2928 PDRELI - ok
20:22:55.0281 2928 PDRFRAME - ok
20:22:55.0328 2928 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
20:22:55.0484 2928 perc2 - ok
20:22:55.0625 2928 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
20:22:55.0781 2928 perc2hib - ok
20:22:55.0953 2928 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:22:56.0109 2928 PptpMiniport - ok
20:22:56.0281 2928 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
20:22:56.0406 2928 Processor - ok
20:22:56.0593 2928 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:22:56.0734 2928 PSched - ok
20:22:56.0906 2928 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:22:57.0062 2928 Ptilink - ok
20:22:57.0218 2928 PxHelp20 (b5dfb86a6caeae9b2bf3dedb43be6393) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:22:57.0250 2928 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
20:22:57.0250 2928 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
20:22:57.0406 2928 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
20:22:57.0562 2928 ql1080 - ok
20:22:57.0703 2928 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
20:22:57.0859 2928 Ql10wnt - ok
20:22:58.0000 2928 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
20:22:58.0156 2928 ql12160 - ok
20:22:58.0312 2928 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
20:22:58.0453 2928 ql1240 - ok
20:22:58.0609 2928 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
20:22:58.0765 2928 ql1280 - ok
20:22:58.0937 2928 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:22:59.0093 2928 RasAcd - ok
20:22:59.0265 2928 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:22:59.0421 2928 Rasl2tp - ok
20:22:59.0578 2928 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:22:59.0718 2928 RasPppoe - ok
20:22:59.0890 2928 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:23:00.0046 2928 Raspti - ok
20:23:00.0234 2928 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:23:00.0375 2928 Rdbss - ok
20:23:00.0546 2928 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:23:00.0703 2928 RDPCDD - ok
20:23:00.0859 2928 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:23:01.0015 2928 rdpdr - ok
20:23:01.0171 2928 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:23:01.0203 2928 RDPWD - ok
20:23:01.0359 2928 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:23:01.0500 2928 redbook - ok
20:23:01.0687 2928 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:23:01.0828 2928 Secdrv - ok
20:23:02.0000 2928 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:23:02.0156 2928 serenum - ok
20:23:02.0312 2928 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:23:02.0468 2928 Serial - ok
20:23:02.0625 2928 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:23:02.0781 2928 Sfloppy - ok
20:23:02.0906 2928 Simbad - ok
20:23:03.0031 2928 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
20:23:03.0156 2928 sisagp - ok
20:23:03.0265 2928 SMR250 - ok
20:23:03.0375 2928 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
20:23:03.0421 2928 smwdm - ok
20:23:03.0562 2928 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
20:23:03.0640 2928 Sparrow - ok
20:23:03.0781 2928 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:23:03.0937 2928 splitter - ok
20:23:04.0078 2928 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:23:04.0218 2928 sr - ok
20:23:04.0453 2928 SRTSP (c16d048faf2978d2121f9f40594a6bdc) C:\WINDOWS\System32\Drivers\NAV\1305000.091\SRTSP.SYS
20:23:04.0484 2928 SRTSP - ok
20:23:04.0703 2928 SRTSPX (f0d02c2e25970c9c72a5cd278c17cdb6) C:\WINDOWS\system32\drivers\NAV\1305000.091\SRTSPX.SYS
20:23:04.0718 2928 SRTSPX - ok
20:23:04.0890 2928 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:23:04.0906 2928 Srv - ok
20:23:05.0078 2928 sscdbhk5 (7c0c9bdca2d351ff3b4f9b69f99aa995) C:\WINDOWS\system32\drivers\sscdbhk5.sys
20:23:05.0109 2928 sscdbhk5 ( UnsignedFile.Multi.Generic ) - warning
20:23:05.0109 2928 sscdbhk5 - detected UnsignedFile.Multi.Generic (1)
20:23:05.0281 2928 ssrtln (31726706d54894d5059f7471111a87bb) C:\WINDOWS\system32\drivers\ssrtln.sys
20:23:05.0281 2928 ssrtln ( UnsignedFile.Multi.Generic ) - warning
20:23:05.0281 2928 ssrtln - detected UnsignedFile.Multi.Generic (1)
20:23:05.0437 2928 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:23:05.0593 2928 swenum - ok
20:23:05.0718 2928 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:23:05.0875 2928 swmidi - ok
20:23:06.0031 2928 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
20:23:06.0171 2928 symc810 - ok
20:23:06.0312 2928 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
20:23:06.0468 2928 symc8xx - ok
20:23:06.0671 2928 SymDS (690fa0e61b90084c4d9a721bd4f3d779) C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMDS.SYS
20:23:06.0703 2928 SymDS - ok
20:23:06.0953 2928 SymEFA (4e55148a2e044d02245cbcdbb266b98c) C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMEFA.SYS
20:23:07.0031 2928 SymEFA - ok
20:23:07.0203 2928 SymEvent (74e2521e96176a4449570e50be91954d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
20:23:07.0203 2928 SymEvent - ok
20:23:07.0390 2928 SymIM (a7100ea17ed9eaf365362a05bf430e77) C:\WINDOWS\system32\DRIVERS\SymIM.sys
20:23:07.0406 2928 SymIM - ok
20:23:07.0406 2928 SymIMMP (a7100ea17ed9eaf365362a05bf430e77) C:\WINDOWS\system32\DRIVERS\SymIM.sys
20:23:07.0421 2928 SymIMMP - ok
20:23:07.0656 2928 SymIRON (2c356cca706505cf63cbe39d532b9236) C:\WINDOWS\system32\drivers\NAV\1305000.091\Ironx86.SYS
20:23:07.0671 2928 SymIRON - ok
20:23:07.0921 2928 SYMTDI (508bd882040f9cb12319e3a4fc78edb9) C:\WINDOWS\System32\Drivers\NAV\1305000.091\SYMTDI.SYS
20:23:07.0937 2928 SYMTDI - ok
20:23:08.0093 2928 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
20:23:08.0234 2928 sym_hi - ok
20:23:08.0375 2928 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
20:23:08.0515 2928 sym_u3 - ok
20:23:08.0687 2928 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:23:08.0843 2928 sysaudio - ok
20:23:09.0031 2928 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:23:09.0062 2928 Tcpip - ok
20:23:09.0234 2928 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:23:09.0359 2928 TDPIPE - ok
20:23:09.0515 2928 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:23:09.0656 2928 TDTCP - ok
20:23:09.0796 2928 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:23:09.0953 2928 TermDD - ok
20:23:10.0078 2928 tfsnboio (b0d311f33c5b4a5858e4e6c965a79267) C:\WINDOWS\system32\dla\tfsnboio.sys
20:23:10.0109 2928 tfsnboio ( UnsignedFile.Multi.Generic ) - warning
20:23:10.0109 2928 tfsnboio - detected UnsignedFile.Multi.Generic (1)
20:23:10.0234 2928 tfsncofs (250f74fce5d1eccb29ad9abeb55f35d8) C:\WINDOWS\system32\dla\tfsncofs.sys
20:23:10.0265 2928 tfsncofs ( UnsignedFile.Multi.Generic ) - warning
20:23:10.0265 2928 tfsncofs - detected UnsignedFile.Multi.Generic (1)
20:23:10.0406 2928 tfsndrct (e23291934c59e1741ba83582e7a209c0) C:\WINDOWS\system32\dla\tfsndrct.sys
20:23:10.0437 2928 tfsndrct ( UnsignedFile.Multi.Generic ) - warning
20:23:10.0437 2928 tfsndrct - detected UnsignedFile.Multi.Generic (1)
20:23:10.0593 2928 tfsndres (0d863d020633025f1e4ad3e0e325d503) C:\WINDOWS\system32\dla\tfsndres.sys
20:23:10.0609 2928 tfsndres ( UnsignedFile.Multi.Generic ) - warning
20:23:10.0609 2928 tfsndres - detected UnsignedFile.Multi.Generic (1)
20:23:10.0765 2928 tfsnifs (e3e10696663e35062851a376299198bd) C:\WINDOWS\system32\dla\tfsnifs.sys
20:23:10.0796 2928 tfsnifs ( UnsignedFile.Multi.Generic ) - warning
20:23:10.0812 2928 tfsnifs - detected UnsignedFile.Multi.Generic (1)
20:23:10.0953 2928 tfsnopio (00cc366bdcbd8a9a1c95c1c59900dd9b) C:\WINDOWS\system32\dla\tfsnopio.sys
20:23:10.0984 2928 tfsnopio ( UnsignedFile.Multi.Generic ) - warning
20:23:10.0984 2928 tfsnopio - detected UnsignedFile.Multi.Generic (1)
20:23:11.0125 2928 tfsnpool (84a91d08f49831e8c24e4d25ddefae87) C:\WINDOWS\system32\dla\tfsnpool.sys
20:23:11.0156 2928 tfsnpool ( UnsignedFile.Multi.Generic ) - warning
20:23:11.0156 2928 tfsnpool - detected UnsignedFile.Multi.Generic (1)
20:23:11.0296 2928 tfsnudf (55b761c6e2d4fcedac3b46b6c0724830) C:\WINDOWS\system32\dla\tfsnudf.sys
20:23:11.0312 2928 tfsnudf ( UnsignedFile.Multi.Generic ) - warning
20:23:11.0312 2928 tfsnudf - detected UnsignedFile.Multi.Generic (1)
20:23:11.0421 2928 tfsnudfa (64c6e8c217e30ee595120c66f6e783ba) C:\WINDOWS\system32\dla\tfsnudfa.sys
20:23:11.0453 2928 tfsnudfa ( UnsignedFile.Multi.Generic ) - warning
20:23:11.0453 2928 tfsnudfa - detected UnsignedFile.Multi.Generic (1)
20:23:11.0609 2928 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
20:23:11.0750 2928 TosIde - ok
20:23:11.0906 2928 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:23:12.0046 2928 Udfs - ok
20:23:12.0218 2928 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
20:23:12.0281 2928 ultra - ok
20:23:12.0453 2928 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:23:12.0609 2928 Update - ok
20:23:12.0765 2928 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:23:12.0921 2928 usbehci - ok
20:23:13.0093 2928 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:23:13.0250 2928 usbhub - ok
20:23:13.0406 2928 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:23:13.0546 2928 usbscan - ok
20:23:13.0671 2928 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:23:13.0812 2928 USBSTOR - ok
20:23:13.0968 2928 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:23:14.0125 2928 usbuhci - ok
20:23:14.0281 2928 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:23:14.0421 2928 VgaSave - ok
20:23:14.0593 2928 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
20:23:14.0718 2928 viaagp - ok
20:23:14.0921 2928 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
20:23:15.0046 2928 ViaIde - ok
20:23:15.0203 2928 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:23:15.0359 2928 VolSnap - ok
20:23:15.0531 2928 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:23:15.0671 2928 Wanarp - ok
20:23:15.0781 2928 wanatw - ok
20:23:15.0921 2928 WDICA - ok
20:23:16.0046 2928 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:23:16.0203 2928 wdmaud - ok
20:23:16.0421 2928 Winachcf (0ab973f5c373d58839632da1bee4c20b) C:\WINDOWS\system32\DRIVERS\winachcf.sys
20:23:16.0484 2928 Winachcf - ok
20:23:16.0656 2928 WmBEnum (671db6a9b772b807721147c28faf760f) C:\WINDOWS\system32\drivers\WmBEnum.sys
20:23:16.0687 2928 WmBEnum - ok
20:23:16.0843 2928 WmFilter (cffe18db8140b00335221907a694dd01) C:\WINDOWS\system32\drivers\WmFilter.sys
20:23:16.0890 2928 WmFilter - ok
20:23:17.0046 2928 WmHidLo (b1e80727e9b79b5c3c7ef5fba517f107) C:\WINDOWS\system32\drivers\WmHidLo.sys
20:23:17.0062 2928 WmHidLo - ok
20:23:17.0218 2928 WmVirHid (2e17ea3b132963e3c07d50d68d2df54e) C:\WINDOWS\system32\drivers\WmVirHid.sys
20:23:17.0250 2928 WmVirHid - ok
20:23:17.0406 2928 WmXlCore (0ece3bb49eb9ee42c411a0f1ec39dda9) C:\WINDOWS\system32\drivers\WmXlCore.sys
20:23:17.0421 2928 WmXlCore - ok
20:23:17.0593 2928 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:23:17.0750 2928 WS2IFSL - ok
20:23:17.0937 2928 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:23:17.0953 2928 WudfPf - ok
20:23:17.0984 2928 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:23:18.0234 2928 \Device\Harddisk0\DR0 - ok
20:23:18.0234 2928 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR7
20:23:22.0046 2928 \Device\Harddisk1\DR7 - ok
20:23:22.0078 2928 Boot (0x1200) (f7642172070d61af367481a7e25514f6) \Device\Harddisk0\DR0\Partition0
20:23:22.0078 2928 \Device\Harddisk0\DR0\Partition0 - ok
20:23:22.0078 2928 Boot (0x1200) (7d150c9438ebad2edee76a270e138327) \Device\Harddisk1\DR7\Partition0
20:23:22.0078 2928 \Device\Harddisk1\DR7\Partition0 - ok
20:23:22.0078 2928 ============================================================
20:23:22.0093 2928 Scan finished
20:23:22.0093 2928 ============================================================
20:23:22.0203 2936 Detected object count: 16
20:23:22.0203 2936 Actual detected object count: 16
20:24:41.0562 2936 BW2NDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0562 2936 BW2NDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0578 2936 drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0578 2936 drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0578 2936 drvnddm ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0578 2936 drvnddm ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0578 2936 omci ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0578 2936 omci ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0578 2936 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0578 2936 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0578 2936 sscdbhk5 ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0578 2936 sscdbhk5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0578 2936 ssrtln ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0578 2936 ssrtln ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0593 2936 tfsnboio ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0593 2936 tfsnboio ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0593 2936 tfsncofs ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0593 2936 tfsncofs ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0593 2936 tfsndrct ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0593 2936 tfsndrct ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0593 2936 tfsndres ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0593 2936 tfsndres ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0593 2936 tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0593 2936 tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0593 2936 tfsnopio ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0593 2936 tfsnopio ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0609 2936 tfsnpool ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0609 2936 tfsnpool ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0609 2936 tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0609 2936 tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:24:41.0609 2936 tfsnudfa ( UnsignedFile.Multi.Generic ) - skipped by user
20:24:41.0609 2936 tfsnudfa ( UnsignedFile.Multi.Generic ) - User select action: Skip

AVP scan:
Status: Deleted (events: 3)
2/26/2012 21:34:45 Deleted virus Virus.Win32.ZAccess.c C:\TDSSKiller_Quarantine\15.02.2012_17.40.10\rtkt0000\svc0000\tsk0000.dta High
2/26/2012 21:34:48 Deleted virus Virus.Win32.ZAccess.k C:\WINDOWS\SYSTEM32\DRIVERS\cdrom.sys_backup High
2/26/2012 21:34:53 Deleted virus Virus.Win32.ZAccess.c C:\WINDOWS\SYSTEM32\DRIVERS\ipsec.sys_backup High

Thanks.

gary