Rootkit ZeroAccess inserted into tcp/ip stack. PEV.exe problem, needs

(This topic is locked)

#1 johneangel (Member, 19 posts)
Hi. Please bear with me, I'm a little slow and a wee senile.

I watch TV shows & movies online, no TV. Thus some malware & junk gets through protection, even with "Block All Cookies", "High: Block all pop-ups" and individual sites blocked in ZoneAlarm, Internet Options & SpywareBlaster.

Computer is working fast since I just ran ComboFix today and uninstalled it using RUN: "%userprofile%\desktop\combofix.exe" /killall. But in a few days the computer will slow down to a crawl.

For about 3 months, ComboFix has stated when I ran it: "Rootkit ZeroAccess inserted into tcp/ip stack". It rebooted the computer. During its scan of the 50 stages, a message pops up: "PEV.exe has encountered---".

I possibly infected my computer and the Registry Mechanic program with the Rootkit ZeroAccess when I used the Mechanic while I was online, infected, and had a movie running. Solution: have your assistance in removing all malware and Mechanic.

PROBLEMS
1. Computer works well and fast after malware cleaning, defragging the computer and some very careful registry cleaning, and then scanning with sfc /scannow and chkdsk /r. But often in a couple of weeks the computer slows way down, taking 10 seconds or longer to load some web sites. Lately it slows down in 4 or fewer days.

2. ComboFix has been taking about 16 minutes to scan the 50 stages since I was infected with ZeroAccess. For over 7 years it consistently took only about 5 to 8 minutes. I would save it to the desktop, run the scan and then remove/uninstall it with RUN: "%userprofile%\desktop\combofix.exe" /killall

3. Internet Explorer is corrupted, since I keep getting official Microsoft notices to install IE8, which I installed in 2009. MS Updates are up to date, but I still get these notices.

4. Search Companion repeats some searches without stopping, an endless loop. Tried RUN: %systemroot%\inf and installing Srchasst.inf. Did not repair it.

5. I will only install (reinstall) IE8 after the ZeroAccess is removed, which means ComboFix will not show it present and the computer continually works fast for 10 days. ZeroAccess is hidden deep, or why else would the computer work fastest after ComboFix? I'm not a computer geek and thus I could be wrong.

COMPUTER PROTECTION & CLEANING
ZoneAlarm Extreme Security, CCleaner, Auslogics Disks Defrag, MalwareBytes Anti-Malware free, SpywareBlaster, SuperAntiSpyware free.

Daily cleaning: quick scans with ZAES, MBAM, SASS, Internet Options, CCleaner, PCTools Reg Mechanic (now corrupted) and Auslogics Defrag.

Weekly, monthly or as needed: full scans with the above programs, scans with sfc /scannow and chkdsk /r, and with ComboFix, which is saved on the desktop. After its scan, it is removed/uninstalled with RUN: "%userprofile%\desktop\combofix.exe" /killall. Normally, ComboFix scans the "50 stages" in about 6 to 9 minutes. Found that my 9-year-old used Dell works fastest after ComboFix.

I made a mistake. I clicked the OTM icon under Step 2 and Item 2 and nothing happened. Then I clicked the "desktop OTL icon" and clicked "Run Scan", which performed a full scan. My screen colors were very light since I was watching a dark movie, and thus I couldn't read the very light pink "Quick Scan" button. Saw my mistake and then clicked the "Quick Scan" button. I then messed up trying to determine which scan was quick and lost a scan, blah, blah. Ran "quick scan" again. Lost the full scan, but attached Extras.txt.

Attached files: OTLq.Txt (93.34 KB), Extras.Txt (31.24 KB)

Thanks.

OTL logfile created on: 06/15/13 6:49:41 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\johnt\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

2.00 Gb Total Physical Memory | 1.11 Gb Available Physical Memory | 55.28% Memory free
3.35 Gb Paging File | 2.53 Gb Available in Paging File | 75.54% Paging File free
Paging file location(s): C:\pagefile.sys 1534 1534 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 18.32 Gb Free Space | 49.20% Space Free | Partition Type: NTFS

Computer Name: JOHN | User Name: johnt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/15 18:24:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
PRC - [2013/05/21 04:33:54 | 000,181,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2013/01/26 07:08:30 | 004,480,768 | ---- | M] (Akamai Technologies, Inc.) -- C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai\netsession_win.exe
PRC - [2012/08/30 04:03:36 | 000,497,320 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2012/08/30 04:03:12 | 000,738,984 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2012/08/29 16:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2012/08/29 15:45:24 | 000,073,392 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/04/19 16:39:30 | 000,935,744 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
PRC - [2010/03/11 12:07:54 | 000,124,432 | ---- | M] ( Pro-Softnet) -- C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe
PRC - [2010/03/11 12:01:32 | 000,149,008 | ---- | M] (Pro Softnet Corporation) -- C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2001/08/17 16:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe


========== Modules (No Company Name) ==========

MOD - [2012/08/29 15:45:16 | 000,074,928 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\fde\fde_api.dll
MOD - [2011/04/19 16:40:06 | 000,088,896 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\crsrpt.dll
MOD - [2011/04/19 16:39:34 | 000,013,120 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\MlfHook.dll
MOD - [2011/04/19 16:39:32 | 000,290,112 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mtdsdk.dll
MOD - [2011/04/19 16:39:24 | 000,222,016 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\resources\mbzaenu.dll
MOD - [2006/10/22 12:22:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2006/10/22 12:22:00 | 000,212,992 | ---- | M] () -- C:\WINDOWS\system32\nvapi.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/05/21 04:33:54 | 000,181,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/02/16 17:28:26 | 000,277,744 | ---- | M] (SpeedBit Ltd.) [Disabled | Stopped] -- C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe -- (VideoAcceleratorService)
SRV - [2012/09/13 06:50:41 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2012/08/30 04:03:36 | 000,497,320 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2012/08/29 16:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/05/25 15:14:34 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper)
SRV - [2010/03/11 12:07:54 | 000,124,432 | ---- | M] ( Pro-Softnet) [Auto | Running] -- C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe -- (ZABackupWebM)
SRV - [2010/03/11 12:01:32 | 000,149,008 | ---- | M] (Pro Softnet Corporation) [Auto | Running] -- C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe -- (ZoneAlarmBackup Service)
SRV - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2012/08/30 04:03:48 | 000,027,056 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2012/08/30 04:03:08 | 000,036,784 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys -- (icsak)
DRV - [2012/08/29 15:45:24 | 000,526,640 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2012/01/09 18:59:34 | 000,485,808 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2012/01/09 18:59:30 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (KL1)
DRV - [2012/01/09 18:59:30 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2011/07/22 09:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 14:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/07/22 12:13:20 | 000,028,592 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2008/06/19 17:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/04/13 11:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 11:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/05/07 16:54:38 | 000,008,960 | ---- | M] (Prolific Technology Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\usbbc2.sys -- (PLUsbbc2)
DRV - [2001/08/17 05:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman)
DRV - [2001/08/17 05:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1)
DRV - [2001/08/17 05:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k)
DRV - [2001/08/17 05:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 1C C2 05 D2 5A CE 01 [binary data]
IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {6C73F24A-310C-41FE-8601-CEDBBF4C03B5}
IE - HKCU\..\SearchScopes,DefaultScope = {1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}
IE - HKCU\..\SearchScopes\{1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}: "URL" = http://www.google.co...hi=&safe=images
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10516.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.100: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.102: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.103: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.97: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/10/09 21:04:48 | 000,000,000 | ---D | M]

[2012/08/14 15:35:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2013/06/15 15:41:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Zonealarm Helper Object) - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll (Montera Technologeis LTD)
O2 - BHO: (Google Analytics Opt-out Browser Add-on) - {75EF13CE-B59E-41ba-8A5A-A944031BD8B4} - C:\Program Files\Google\Google Analytics Opt-Out\gaoptout.dll (Google, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll (Montera Technologeis LTD)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O4 - HKCU..\RunOnce: [Privacy Suite] C:\Program Files\CyberScrub Privacy Suite\CSPSeraser.exe (CyberScrub LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\toolbars present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.app...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1369263711078 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{81C850C1-0954-4D79-8392-C01EBD557CC6}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (mirpywre.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/10 11:40:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/09/04 14:54:31 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/15 18:24:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
[2013/06/15 17:52:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\johnt\Recent
[2013/06/15 16:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2013/06/15 16:04:10 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/06/15 14:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\ComboFix log jun15
[2013/06/15 11:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Problems Registry Change History
[2013/06/15 11:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Problems Repair Fixes Links
[2013/06/15 11:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Deleting Temp _Temporary Internet Files
[2013/06/14 23:32:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Local Services Configurations Checking
[2013/06/14 16:10:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Active x Controls and Plug-Ins Settings
[2013/06/14 14:10:43 | 000,000,000 | ---D | C] -- C:\Program Files\autoruns filealyz
[2013/06/14 13:04:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer New possible downloads programs etc
[2013/06/14 13:00:53 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2013/06/14 12:19:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Dell diagnoses downloads etc
[2013/06/14 12:01:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai
[2013/06/10 12:22:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Combinations
[2013/06/09 17:09:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/06/09 17:09:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/06/09 17:09:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/06/09 17:09:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/06/09 17:08:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/09 14:20:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer AUTORUNS changes jun 2013
[2013/06/09 12:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Free Jun 2013
[2013/06/09 12:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Create System Restore Point
[2013/06/09 10:33:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% uninstall programs from msconfig computer
[2013/06/09 03:41:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Computer Repairs Tweaks June 2013
[2013/06/08 20:09:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% My Awake Experiences
[2013/06/08 14:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\TagsRevisited
[2013/06/08 14:29:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Safer Networking
[2013/06/08 14:29:44 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2013/06/08 14:09:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\New Folder
[2013/06/08 14:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Repair Programs for Event Viewer Application Files
[2013/06/08 02:38:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Combofix Total Removal
[2013/06/07 12:45:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Complete Specs
[2013/06/06 22:42:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer chkdsk & sfc commands & use
[2013/06/06 22:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\StarApp
[2013/06/06 22:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2013/06/06 20:28:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2013/06/06 17:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer superantispyware online scan
[2013/06/06 02:02:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Google Prevent tracking by google
[2013/06/06 01:37:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Changes Registry __Dates
[2013/06/03 02:07:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer %Problems to correct
[2013/06/03 01:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer useful RUN links
[2013/06/03 00:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Internet Explorer IE8
[2013/06/03 00:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Online Forums
[2013/06/02 15:53:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Problems
[2013/06/02 15:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer test programs
[2013/06/02 15:46:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Ads and Files to block
[2013/06/02 13:02:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\$ Wise Information
[2013/06/02 12:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Polar Manuals
[2013/06/02 12:34:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer desktop icons
[2013/06/02 12:32:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Dell
[2013/06/02 12:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Copying music talks to disc
[2013/06/02 12:28:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole misc government improvements
[2013/06/02 12:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Buddhism
[2013/06/02 12:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Money Making Schemes
[2013/06/02 12:10:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\johnt\My Documents\& MajorGeeK repair May june 2013
[2013/06/02 11:41:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Family Tree
[2013/06/02 11:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Synonyms Antonyms
[2013/06/02 11:39:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Safety Check_Online_links sites
[2013/06/02 11:32:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Warnings desktop icons
[2013/06/02 10:34:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Mental Health
[2013/06/02 10:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Class Reunion
[2013/06/02 09:50:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Searching
[2013/06/02 09:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Shopping
[2013/06/02 09:45:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Files Unknown To Check
[2013/06/02 09:33:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Passwords Names
[2013/06/02 09:24:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Auto
[2013/06/02 09:24:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Cats
[2013/06/02 09:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Changes
[2013/06/02 08:31:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Terms such as %windir%
[2013/06/01 20:09:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Dates of Installments Updates Modification
[2013/06/01 19:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer files folders in question
[2013/06/01 17:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs
[2013/06/01 17:24:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer ZoneAlarm Extreme Security
[2013/06/01 17:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Health Improving
[2013/06/01 17:13:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Contra Costa College
[2013/06/01 17:07:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Meier Billy
[2013/06/01 17:04:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Nursing Home References
[2013/06/01 17:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Nardil
[2013/06/01 16:55:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Movies To watch Actors Etc
[2013/06/01 16:53:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Mental Telepathy
[2013/06/01 16:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Repair Current
[2013/06/01 16:45:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Songs
[2013/06/01 16:43:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Health of John
[2013/06/01 16:34:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Files Deletion_Exempt
[2013/06/01 16:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\eyes
[2013/06/01 16:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\66 villa dr
[2013/06/01 16:31:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Dizziness
[2013/06/01 16:13:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Politics
[2013/06/01 15:42:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Friends
[2013/06/01 15:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Spiritual___AfterDeath AstralTravel
[2013/06/01 15:17:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer
[2013/06/01 15:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% aa videos saved vlc etc
[2013/06/01 15:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Posts
[2013/06/01 15:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Healthcare Plan by John B
[2013/05/28 23:17:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2013/05/26 16:43:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/05/20 14:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\My Pictures for Paint
[2009/08/11 15:41:36 | 000,553,832 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\autorunsc.exe

========== Files - Modified Within 30 Days ==========

[2013/06/15 18:24:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
[2013/06/15 17:54:06 | 000,000,315 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Advanced Web Search.url
[2013/06/15 17:45:04 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2013/06/15 17:43:33 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/15 17:42:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/15 15:41:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/06/15 11:51:50 | 000,000,247 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Google AdvBrit.url
[2013/06/15 10:04:39 | 000,000,282 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\15 Project Free TV.url
[2013/06/15 01:14:05 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\11 Knowing.url
[2013/06/14 18:12:18 | 000,001,779 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\10 imdb movies.url
[2013/06/14 17:18:27 | 000,000,236 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\12 Rolling Stone.url
[2013/06/14 16:15:14 | 000,000,439 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\9 Cnet.url
[2013/06/14 13:19:31 | 000,503,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/06/14 13:19:31 | 000,088,884 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/06/12 20:11:12 | 000,005,762 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\% % movie jun 12 RBkkAq.html
[2013/06/10 23:34:31 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\Watch Odyssey 5 Online - LetMeWatchThis.url
[2013/06/10 20:16:06 | 000,002,023 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\16Watch Btvguide.url
[2013/06/09 22:45:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2013/06/09 22:33:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/09 10:31:51 | 000,000,346 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\Unable to uninstall PC Tools Utilities Product.url
[2013/06/08 16:56:42 | 000,007,896 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\wklnhst.dat
[2013/06/08 15:26:38 | 000,000,082 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\CCleaner reg backup cc_20130608_152607.reg
[2013/06/08 03:46:47 | 000,000,393 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Google AdvUSA.url
[2013/06/06 21:42:14 | 000,010,617 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\a07kyxersblo.htm
[2013/06/05 23:11:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\johnt\defogger_reenable
[2013/06/05 22:40:27 | 000,002,556 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\MajorGeeks cleanup jun 5 steps.rtf
[2013/06/04 02:58:59 | 000,000,357 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\My Documents.lnk
[2013/06/03 15:59:40 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\% a may 20 bootkit zeroaccess repair ltr jun 3 wpad.rtf
[2013/06/03 00:34:37 | 000,165,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/06/02 18:02:24 | 000,000,373 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\8 Mercola Archive.url
[2013/06/02 14:47:41 | 000,740,309 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Gold Star button removal.mht
[2013/05/31 11:15:37 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics Disk Defrag.lnk
[2013/05/31 11:09:49 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner.lnk
[2013/05/27 20:04:27 | 000,001,094 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Options.lnk
[2013/05/27 20:00:56 | 000,000,541 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\All Docs.lnk
[2013/05/27 19:57:12 | 000,001,699 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/05/27 19:55:39 | 000,000,557 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Paint Docs.lnk
[2013/05/27 19:48:52 | 000,001,533 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\4 Comcast.url
[2013/05/26 14:51:49 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2013/05/20 19:20:49 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\19 Revo Uninstaller.lnk
[2013/05/19 16:02:09 | 000,004,334 | ---- | M] () -- C:\Documents and Settings\johnt\ie-guid.reg
[2013/05/18 16:27:31 | 000,000,678 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Dictionary and Thesaurus - Merriam-Webster Online.url

========== Files Created - No Company Name ==========

[2013/06/13 03:55:21 | 000,098,008 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/06/12 20:11:46 | 000,005,762 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\% % movie jun 12 RBkkAq.html
[2013/06/09 17:09:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/06/09 17:09:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/06/09 17:09:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/06/09 17:09:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/06/09 17:09:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/06/09 10:31:51 | 000,000,346 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\Unable to uninstall PC Tools Utilities Product.url
[2013/06/08 15:26:38 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\CCleaner reg backup cc_20130608_152607.reg
[2013/06/06 22:04:01 | 000,000,319 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\Watch Odyssey 5 Online - LetMeWatchThis.url
[2013/06/06 21:42:25 | 000,010,617 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\a07kyxersblo.htm
[2013/06/05 23:11:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\johnt\defogger_reenable
[2013/06/05 22:40:27 | 000,002,556 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\MajorGeeks cleanup jun 5 steps.rtf
[2013/06/04 02:58:59 | 000,000,357 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\My Documents.lnk
[2013/06/03 15:59:40 | 000,000,410 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\% a may 20 bootkit zeroaccess repair ltr jun 3 wpad.rtf
[2013/06/02 18:02:23 | 000,000,373 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\8 Mercola Archive.url
[2013/06/02 14:47:38 | 000,740,309 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Gold Star button removal.mht
[2013/05/31 11:15:37 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics Disk Defrag.lnk
[2013/05/30 11:29:45 | 000,000,315 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Advanced Web Search.url
[2013/05/27 19:11:49 | 000,002,023 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\16Watch Btvguide.url
[2013/05/25 10:48:12 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2013/05/20 19:20:49 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\19 Revo Uninstaller.lnk
[2013/05/19 15:45:37 | 000,001,699 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/05/19 13:59:16 | 000,004,334 | ---- | C] () -- C:\Documents and Settings\johnt\ie-guid.reg
[2013/02/16 17:28:59 | 000,109,256 | ---- | C] () -- C:\WINDOWS\System32\EasyHook64.dll
[2013/02/16 17:28:59 | 000,090,824 | ---- | C] () -- C:\WINDOWS\System32\EasyHook32.dll
[2012/08/13 14:19:45 | 000,000,144 | ---- | C] () -- C:\WINDOWS\System32\lkfl.dat
[2012/08/13 14:19:45 | 000,000,128 | ---- | C] () -- C:\WINDOWS\System32\pdfl.dat
[2012/08/13 14:19:45 | 000,000,080 | ---- | C] () -- C:\WINDOWS\System32\ibfl.dat
[2012/05/29 23:45:15 | 000,645,632 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2012/05/29 23:45:15 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2012/05/26 09:47:05 | 000,007,896 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\wklnhst.dat
[2012/05/12 17:27:23 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 10:49:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/07 04:16:34 | 000,026,128 | ---- | C] () -- C:\WINDOWS\System32\ZABackupXceedCryReg.exe
[2011/09/07 04:16:33 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2011/09/07 04:16:32 | 000,441,705 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
[2011/01/03 12:22:15 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xYQ6vl.dat
[2010/12/08 16:31:57 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\johnt\Cache.db
[2010/07/08 03:43:41 | 000,000,144 | ---- | C] () -- C:\Program Files\Filter On.reg
[2010/07/08 03:39:36 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\johnt\Filter On.reg
[2010/04/17 22:04:02 | 000,010,074 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\58G3tyIDc
[2010/04/17 22:04:02 | 000,010,074 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\58G3tyIDc
[2010/04/16 18:28:28 | 000,009,596 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\3367619789
[2010/04/16 18:20:32 | 000,011,334 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\jrNYi6G
[2010/04/16 18:20:32 | 000,011,334 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\jrNYi6G
[2010/04/14 13:23:03 | 000,009,654 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\3469191438
[2010/04/14 13:22:29 | 000,009,942 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\2509137411
[2010/04/14 13:21:45 | 000,009,466 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 13:16:40 | 000,010,704 | --S- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 13:16:40 | 000,009,466 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2009/08/20 13:17:14 | 000,017,897 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\cyvykofu.ban
[2009/08/20 13:17:14 | 000,017,687 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\gihusegiki.scr
[2009/08/20 13:17:14 | 000,017,036 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\hazenez.sys
[2009/08/20 13:17:14 | 000,017,010 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\qefyvylam.ban
[2009/08/20 13:17:14 | 000,015,961 | ---- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\wymyfe.bin
[2009/08/20 13:17:14 | 000,012,349 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\azefygo.sys
[2009/07/12 15:05:01 | 000,056,832 | ---- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/16 17:46:54 | 000,049,244 | ---- | C] () -- C:\Program Files\autoruns.chm

========== ZeroAccess Check ==========

[2009/07/27 05:31:09 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/10/28 19:51:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2011/01/01 22:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cFdMl01832
[2012/10/09 21:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/04/09 13:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFi01845lLaAa01845
[2011/01/14 20:24:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\hIdEa01827
[2013/05/19 19:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2011/01/10 17:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iCmEm07003
[2013/06/10 22:56:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2009/09/06 11:41:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky SDK
[2013/03/02 14:30:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Licenses
[2011/03/24 03:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nOaEiMjOdGp01820
[2012/07/14 14:33:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Utility Kit
[2012/10/11 07:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2011/04/06 21:21:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pJo01819pNfLn01819
[2013/02/16 17:29:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Speedbit
[2013/06/06 22:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\StarApp
[2013/06/15 17:36:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/11/13 03:26:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\#ISW.FS#
[2012/03/31 14:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\0 final solutions to America's & world's crises
[2012/07/14 16:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Auslogics
[2012/10/09 21:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Check Point Software Technologies LTD
[2012/08/13 14:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\CheckPoint
[2011/02/16 22:19:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/07/12 15:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\CyberScrub
[2012/05/22 14:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\ElevatedDiagnostics
[2011/12/21 03:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\ieSpell
[2011/01/06 17:29:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\MailFrontier
[2012/07/14 14:33:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\PC Utility Kit
[2011/11/19 22:40:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Product_RM
[2012/05/26 09:47:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Template

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4AF47A7

< End of report >
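The OTL sections above end with the checks an analyst reads first: the CLSID InProcServer32 keys under the "ZeroAccess Check" heading and the alternate data stream on the All Users\Application Data\TEMP folder. The script below is an added example, not part of OTL, ComboFix or this thread: it parses that portion of the log as text (offline, no registry access), together with the SecurityProviders line that appears in the ComboFix log later in the thread, and lists items for manual review. The function names, the category labels and the Windows XP SP3 default SecurityProviders list are assumptions made here; the embedded sample input is a constructed excerpt of the log text posted in this thread. It reports, it does not decide: an HKCU\Software\Classes override for a system CLSID, an in-process server DLL outside %SystemRoot%, a security provider outside the default set, or a stream on a shared temp folder each deserve a look, and a legitimate installer or add-on can explain any one of them.

```python
"""Triage helper for OTL / ComboFix log text.

Added example; it is not part of OTL, ComboFix or this thread. It reads the
log as plain text (no registry or file-system access) and lists items an
analyst should review by hand. It reports; it does not decide.
"""
import re

# Assumption: default SecurityProviders value on Windows XP SP3 with no
# third-party security package installed. Adjust for other Windows versions.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# The two CLSIDs enumerated under OTL's "ZeroAccess Check" heading above.
WATCHED_CLSIDS = {
    "{42aedc87-2188-41fd-b9a3-0c966feabec1}",
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
}

# [HKEY_xxx\Software\Classes\clsid\{...}\InProcServer32]
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\Classes\\clsid\\(\{[0-9a-f-]+\})\\InProcServer32\]$", re.I)
# Default value under that key:  "" = <dll path> -- [date | size | attrs | M] (company)
VALUE_RE = re.compile(r'^""\s*=\s*(.+?)(?:\s+--\s.*)?$')
SECPROV_RE = re.compile(r"^SecurityProviders\s+(.+)$", re.I)
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([0-9A-Fa-f]+)$")


def triage(lines):
    """Return (category, detail) tuples, in log order, for items worth a manual look."""
    findings = []
    current = None  # (hive, clsid) of the InProcServer32 key whose values follow
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            hive, clsid = m.group(1).upper(), m.group(2).lower()
            current = (hive, clsid)
            # HKCU\Software\Classes is merged into HKEY_CLASSES_ROOT ahead of
            # HKLM, so a per-user InProcServer32 for a system CLSID redirects
            # COM loads for that user while the HKLM entry still looks clean.
            if hive == "HKEY_CURRENT_USER" and clsid in WATCHED_CLSIDS:
                findings.append(("hkcu_clsid_override", clsid))
            continue
        if line.startswith("["):
            current = None  # some other key or file entry; stop attributing values
            continue
        m = VALUE_RE.match(line)
        if m and current:
            path = m.group(1)
            if not path.lower().startswith(("%systemroot%", "c:\\windows\\")):
                findings.append(("inproc_outside_systemroot", f"{current[1]} -> {path}"))
            continue
        m = SECPROV_RE.match(line)
        if m:
            # Every DLL named here is loaded into lsass.exe at boot.
            for name in (p.strip().lower() for p in m.group(1).split(",")):
                if name and name not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append(("nondefault_security_provider", name))
            continue
        m = ADS_RE.match(line)
        if m and m.group(2).lower().endswith("\\application data\\temp"):
            # Installers also leave streams on this folder, so this is a review
            # item, not a verdict; read the stream contents before deciding.
            findings.append(("ads_on_shared_temp",
                             f"{m.group(2)}:{m.group(3)} ({m.group(1)} bytes)"))
    return findings


def triage_text(text):
    return triage(text.splitlines())


# Constructed sample: the ZeroAccess Check and ADS sections of the OTL log
# above, plus the SecurityProviders line from the ComboFix log in this thread.
SAMPLE_LOG = r"""
========== ZeroAccess Check ==========

[2009/07/27 05:31:09 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4AF47A7
"""

if __name__ == "__main__":
    for category, detail in triage_text(SAMPLE_LOG):
        print(f"{category:30} {detail}")
```

Run it as a script to print the findings for the embedded excerpt, or pass the full saved OTL.txt or ComboFix.txt to `triage_text()`. Check any flagged DLL or stream by hand (signer, size, creation date, contents) before acting on it; a flagged entry is a question for the analyst, not an answer.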

#2 tom982 (Member, 1,183 posts)
Hello John, welcome to GeeksToGo! :)

My name is Tom and I am going to be helping you with your malware removal.

Before we continue, I would like you to read the following text:

  • Some of my instructions may be carried out in safe mode, where you will not have access to GeeksToGo, so I suggest you save or print my instructions for later reference
  • Please do not attach your logs to your post, instead I would like you to copy and paste the contents into your post
  • Please do NOT use any other tools, fixes or scripts unless instructed to do so by myself. Not only could this damage your system, but it will make it harder for me to fix your problem
  • If you do not understand any of my instructions, then feel free to ask me and I will explain in further detail
  • Please be patient. Malware removal is a long process and requires many steps; if you stick with me, I'll help you get through this
  • Stay with me until I deem your computer clean. A lack of symptoms does not always mean that the system is clean
  • Please make sure you have read and understood my instructions before continuing with them, spelling errors in the scripts etc. could cause adverse effects to your system
  • If you do not hear a reply from me in 36 hours, then simply post "bump" on the thread
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed

I have submitted a fix to my instructors and will get back to you as soon as possible :thumbsup:

Tom

#3 tom982 (Member, 1,183 posts)
Hi John,

ComboFix isn't designed to be run as a general tool; it is an extremely powerful anti-rootkit tool that shouldn't be used unless under the supervision of a trained analyst. As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.


For the safety of your computer, I would highly recommend against using it in the way that you currently are. You don't need to use it at all.

Uninstall ComboFix

  • Hold the Windows Key and press R to bring up the Run dialogue box
  • In this box, type Combofix /Uninstall and press OK
    Notice the space between the x and the /
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

GMER

Please download GMER from one of the following locations and save it to your desktop:


  • Main Mirror which will download a randomly named file
  • Zipped Mirror - Unzip the file to its own folder such as C:\gmer
  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection
  • It is very important you do not use your computer while GMER is running
  • Double-click on the randomly named GMER icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
  • Please check in the Quick scan box
  • Please uncheck the following:

    • IAT/EAT
    • Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window click OK
  • When the scan is finished, Save the results to your desktop as gmer.log
  • Click Copy then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled

Note:

  • If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning

Run ComboFix

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

Please download Combofix from one of the following locations:

Download Mirror #1
Download Mirror #2
Download Mirror #3

Note: You must save this directly to your Desktop.

  • Save any open documents, then close any open programs.
  • Disable all anti-virus and anti-malware software to prevent them inhibiting Combofix in any way. If you are unsure how to do this, see THIS
  • Double-click on combofix.exe then follow the on screen prompts
  • When Combofix finishes, it will open the log. Please Copy (Ctrl + C) and Paste (Ctrl + V) all of this text into your next post.

If, for whatever reason, the log does not open, it can be found in this location: C:\combofix.txt

Tom

#4 johneangel (Topic Starter, Member, 19 posts)
Tom,

Maybe I misunderstood initial and revised directions.

Since I couldn't run GMER, I didn't go on to the next step, ComboFix.
But on rereading the revised directions I didn't find anything saying that I shouldn't proceed to the next step, ComboFix, if I can't start and/or complete GMER.

Thus, I ran ComboFix and pasted the ComboFix log below.

ComboFix log states:
"FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active"

Does "* Resident AV is active" mean that my resident anti-virus program, ZAES, is active, or something else? Do I need to "end process" and/or "end process tree" for all ZoneAlarm *.exe files in the Task Manager's Processes list?

When I "exit" ZAES in the lower right corner box, all ZA security and online web connections are shut down/disconnected. But the computer is still connected to the web without security protection, per the popup warning.

I ran ComboFix /Uninstall from RUN, but it didn't find anything, since I always run "%userprofile%\desktop\combofix.exe" /killall after ComboFix saves the file to the computer.

COMBOFIX LOG
ComboFix 13-06-18.02 - johnt 06/18/13 15:36:30.10.1 - x86
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-18 to 2013-06-18 )))))))))))))))))))))))))))))))
.
.
2013-06-17 19:11 . 2013-06-17 19:11 -------- d-----w- C:\Gmer
2013-06-17 03:07 . 2013-06-17 03:07 74703 ----a-w- c:\windows\system32\mfc45.dat
2013-06-17 03:06 . 2013-06-17 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2013-06-17 02:21 . 2013-06-17 02:21 -------- d-----w- c:\program files\Dell Support Center
2013-06-17 02:18 . 2013-06-17 02:26 -------- d-----w- c:\program files\My Dell
2013-06-17 02:08 . 2013-06-17 02:24 -------- d-----w- c:\documents and settings\johnt\Application Data\PCDr
2013-06-17 02:06 . 2013-06-17 02:28 -------- d-----w- C:\temp
2013-06-15 23:18 . 2013-06-18 22:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2013-06-14 21:10 . 2013-06-14 21:12 -------- d-----w- c:\program files\autoruns filealyz
2013-06-14 20:00 . 2013-06-14 20:00 -------- d-----w- c:\program files\Microsoft.NET
2013-06-14 19:01 . 2013-06-14 19:02 -------- d-----w- c:\documents and settings\johnt\Local Settings\Application Data\Akamai
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-11 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 03:56 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 03:56 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-19 23:02 . 2013-05-19 20:59 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-07 22:30 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2005-03-30 01:23 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2005-03-30 01:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\johnt\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-01-26 4480768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2013-06-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\My Dell\uaclauncher.exe [2013-06-17 17:10]
.
2013-06-18 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\My Dell\uaclauncher.exe [2013-06-17 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
Trusted Zone: dell.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-18 15:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-18 16:04:06
ComboFix-quarantined-files.txt 2013-06-18 23:03
ComboFix2.txt 2013-06-15 22:58
ComboFix3.txt 2013-06-15 21:47
ComboFix4.txt 2013-06-10 21:44
ComboFix5.txt 2013-06-18 22:20
.
Pre-Run: 18,075,312,128 bytes free
Post-Run: 18,139,279,360 bytes free
.
- - End Of File - - C42A7C6D67135D5E9D6D1187A6F5566F
8F558EB6672622401DA993E1E865C861

Edited by johneangel, 18 June 2013 - 07:15 PM.

  • 0

#5
johneangel

    Member

  • Topic Starter
  • Member
  • 19 posts
Tom,

I'm trying my best to follow your instructions. But I get confused as you can see, old man with dysfunctional memory.

Ran ComboFix per your instructions and it stated "Rootkit ZeroAccess inserted into tcp/ip stack". Then it rebooted computer and ran. PEV error pop-ups during scan, maybe during Combo's preparation for scanning, don't remember.

Tried downloading gmer from both links, both blocked. Exited ZoneAlarm Extreme, Security ZAES but it closed this web connection. Rebooted, tried with ZA exited, shut down. Both blocked. Saved links' addresses and tried Safe Mode with Networking. Both blocked. All tries with Internet Properties- privacy at lowest settings, Accept All Cookies & Low: Allow pop-ups from secured sites. Blocked again.

Finally tried Safe Mode with Networking using http://www.gmer.net/download.php and it loaded gmer with a "randomly named file". I'm computer ignorant. Don't know if www.gmer.net is the same as gmer.net?? I'm not taking chances in loading a fake gmer.

Why was I able to connect to www.gmer.net and not gmer.net? Usually if the www is required my computer adds it.

Please advise if www.gmer.net is OKAY?

john
  • 0

#6
tom982

    Member 1K

  • Member
  • 1,183 posts
Hi John,

Sorry for the delay, I've had exams recently and I've got a ridiculous number of threads to catch up on!

www.gmer.net is the same as gmer.net, so that's fine. Repeat my GMER instructions from safe mode with networking and post the log please :)

I would like to remind you that watching movies and TV shows online is not only illegal, but dangerous. The websites that host those files quite often give you more than you wanted and there's a very good chance that that is how you got infected. Should you continue to do so you will be putting your computer and files at risk.

Tom
  • 0

#7
johneangel

    Member

  • Topic Starter
  • Member
  • 19 posts
Thanks Tom,

Timely reply. No apology needed for being busy. GTG: Response sometimes takes a few days.

1. I used www with the Gmer link in normal mode and connected to site. Didn't download since I had the desktop Gmer icon from yesterday using Safe Mode with Networking. Safe Mode with Networking loads all of ZoneAlarm since I can turn its protection on, update, and change settings. ZA turned off still interferes with the running of some malware cleaning programs. But in Safe Mode without Networking no ZA files are loaded.

With this info, do you still want me to run Gmer in Safe Mode with Networking?

If updating is required for some files in Gmer, before running Gmer in Safe Mode with Networking I can uncheck all interfering Processes listed in Task Manager from ZoneAlarm, SuperAntiSpyware and other programs that load on bootup using a microsoft program in Normal Mode that lists everything loaded. To return to normal boot I run the program again, manually check those unchecked and refresh.

Normal mode bootup loads processes: 18 zaes(3 are kaspersky), 9 SuperAntiSpyware, none from free Malwarebytes and SpywareBlaster has all protection disabled.

Don't want to do this unless you advise. If Gmer doesn't work in Safe Mode with Networking, then I'll use Safe Mode as originally instructed. Maybe first try is Safe Mode "without" Networking unless updates are required.

Microsoft program useful in finding programs you're not aware of, i.e., PC Doctor that Dell loaded Jun 16, 2013 to auto load on bootup. I know that unchecked programs will not load in normal mode but can't check in Safe Mode with Networking since keying for Task Manager freezes computer, have to hold in start button.

Possible mistake using Dell to check Dell Computer problems. Akamai NetSession Interface also downloaded by Dell to speed up bootup.

Will not make any other changes until GTG cleaning is done.

2. PC Doctor will be unchecked, prevented from loading prior to Gmer run.

3. Things that blocked, stopped me from downloading gmer.net and from connecting to or downloading from some sites in Normal mode and in Safe Mode with Networking with ZoneAlarm loaded but not activated probably include some ZoneAlarm advanced settings enabled as listed below.

My comments prefaced with " john: "
ZoneAlarm's additional comments in brackets: ( ) (heuristics)

WEB PROTECTION
Enable site status check Enabled
anti-phishing (heuristics) Enabled
Enable anti-phishing (signature) Enabled

ADVANCED DOWNLOAD PROTECTION
Check file downloads for spyware Enabled

john: This probably stops downloading some movie/tv shows and web sites with malware.

ANTI-KEYLOGGER
Block programs that secretly record your keystrokes
Only in allegedly secure sessions (https) Enabled
Always Not Enabled
john: I'll try Always when selecting TV shows & movies since your warning reminded me that "some TV shows and movies sites" are illegal and/or have malware, after I find what's currently blocking many sites now.

Scan for spyware that watches you surf. Enabled

VIRTUALIZATION
Enable virtualization Not Enabled
Virtualization uses encryption and emulation to prevent malicious programs from reaching your computer.

john: I have not enabled Virtual since it may slow my computer way down or stop some programs. Will try after cleaning completed. Sounds like serious protection.

4. Does changing a file's properties to Read-only and Hidden prevent or reduce the infection from malware?
Assume some hackers circumvent such settings.

5. Why isn't computer adding the www if it's needed as it's done in the past? Is malware preventing adding www?

More than enough, john

Edited by johneangel, 21 June 2013 - 02:37 AM.

  • 0

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi, Tom is taking a break so I will be continuing. GMER is a standalone programme so it will not need to download any files :)

Could you download and run winsockfix from here http://www.majorgeek...ock_xp_fix.html

Then let me know what problems are currently outstanding
  • 0

#9
johneangel

    Member

  • Topic Starter
  • Member
  • 19 posts
Tom,

Have two updates in Notification area, both stating they should be installed: Microsoft Security Update for Microsoft .NET Framework 1.1 SP1 and Oracle Java update to Version 7 Update 21.

Is it okay to install MS Update or should I wait until GTG malware cleaning is completed?

Do I need Oracle's Java or any other Java for anything, for all my programs and web sites to work properly?
I don't do programming, play games, only email no camera or live connections.

Per web searching: "Oracle Corporation now owns Java. Oracle is a RDBMS, while Java is a programming language. Therefore Java and Oracle cannot be directly compared", and blah, blah. Then I get Java Oracle download??

thanks, john
  • 0

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No, if you have no requirement for Java I would recommend a full uninstall of the programme

Allow the windows update. What are your current problems ?
  • 0


#11
johneangel

    Member

  • Topic Starter
  • Member
  • 19 posts
Hi Essexboy.

Do I run Gmer? If yes in Safe Mode without Networking?

"Could you download and run winsockfix from here http://www.majorgeek...ck_xp_fix.html"

Which program first? Or it doesn't matter.
Download to where?
Run in what mode?
ZoneAlarm and all other security programs protecting or shutoff?

ZoneAlarm Extreme Security screws up, interferes with some cleaning programs.

My initial reaction is to download to desktop and run in Safe Mode "without" Networking.
Okay?

I'm computer ignorant. Got [bleep] for running a program in safe mode. Thus, I ask questions.

thanks, john
  • 0

#12
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Not a problem run the winsock programme first, just download then run, nothing needs to be disabled. This will reset some data on your system that zero access plays with

Then run GMER from safe mode no requirement for networking to be selected
  • 0

#13
johneangel

    Member

  • Topic Starter
  • Member
  • 19 posts
Essexboy,

I messed up.
Winsock saved to desktop. Tried normal, but would not save backup. Tried Safe Mode without networking but the page loaded without images just like some web sites I go to. Found out that Internet Properties-Privacy has to be set to Low and not to default for me to get images on some links in Geeks to Go and on other web sites.

This is a major problem, don't like low security. Why doesn't default work for me? Malware infection??

When I finally got Winsock to run, I overlooked that I had to scroll down the directions in the small box.
Thus, I think I need to rerun it.

When I ran Gmer I messed up again.

Tell me what to do for rerunning them.

Should I rerun Gmer? Don't know if the info below is enough?

Misplaced, lost final Gmer page which said something like, "scan finished successfully" and there was only one line at the top I don't remember. I hit my Windows button to get the address, but page disappeared, usually this doesn't happen. Forgot about the "Save" button on page. Senile and dysfunctional memory.

Haven't erased any files. Before running Gmer I set Internet Properties "Days to keep pages in history" to 3 days and unchecked "Delete browsing history on exit"--if this matters to recovering final Gmer page.

Search files before leaving page for those created and/or modified today between 2:00pm and 4:10pm.
Lost pages about 4:04pm.

1 page 4:07pm C:\Docs & Sett\my name\edb.chk Being used. *Rebooted and file gone.
1 page 4:04 C:\Windows\system32\edb.chk Nope, FileAlyzer
1 page 4:04 C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Being used.*
1 page 4:04 C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Being used.*
1 page 3:57 C:\Windows\system32\catroot2\dberr Checked being used. Rebooted, found file info below:
I'm trying to open the latter two 4:04pm files which may have info on Gmer run.

Part of 4:04pm dberr file from today's Gmer run:
CatalogDB: 1:42:38 PM 06/19/13: WAITSVC: Calling StartService(): ProtectedStorage jun 19
CatalogDB: 2:04:00 PM 06/21/13: WAITSVC: Calling StartService(): ProtectedStorage Jun 21 Gmer starts here or
CatalogDB: 2:29:53 PM 6/21/2013: File #3 at line #330 encountered error 0x000006b5 here or below
CatalogDB: 2:29:53 PM 6/21/2013: File #2 at line #2208 encountered error 0x000006b5
CatalogDB: 2:29:53 PM 6/21/2013: File #2 at line #874 encountered error 0x000006b5
CatalogDB: 3:03:47 PM 6/21/2013: File #3 at line #330 encountered error 0x000006b5
CatalogDB: 3:03:48 PM 6/21/2013: File #2 at line #2208 encountered error 0x000006b5
CatalogDB: 3:03:48 PM 6/21/2013: File #2 at line #874 encountered error 0x000006b5
CatalogDB: 3:09:16 PM 06/21/13: WAITSVC: Calling StartService(): ProtectedStorage
CatalogDB: 3:09:16 PM 06/21/13: WAITSVC: Calling StartService(): ProtectedStorage
CatalogDB: 3:09:16 PM 06/21/13: WAITSVC: Calling StartService(): ProtectedStorage
CatalogDB: 3:09:16 PM 06/21/13: WAITSVC: Calling StartService(): ProtectedStorage 28 min to scan 2000 files?
CatalogDB: 3:36:26 PM 06/21/13: File #2 at line #1477 encountered error 0x00000057
CatalogDB: 3:39:15 PM 06/21/13: File #2 at line #1477 encountered error 0x00000057
CatalogDB: 3:39:25 PM 06/21/13: File #2 at line #1477 encountered error 0x00000057
CatalogDB: 3:39:33 PM 06/21/13: File #2 at line #1477 encountered error 0x00000057 53 min to scan?
CatalogDB: 3:39:36 PM 06/21/13: File #2 at line #1477 encountered error 0x00000057 Ended Gmer about 4:04pm
CatalogDB: 4:57:33 PM 06/21/13: WAITSVC: Calling StartService(): ProtectedStorage
CatalogDB: 4:57:33 PM 06/21/13: WAITSVC: Calling StartService(): ProtectedStorage

Feeling like throwing computer away. 3 hours gone and nothing.

john

Edited by johneangel, 22 June 2013 - 01:11 AM.

  • 0

#14
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK let's look at the tcpip stack

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[CREATERESTOREPOINT]

:Files
netsh winsock reset /c
netsh int ip reset c:\resetlog.txt /c

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0
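The OTL fix above rebuilds the Winsock catalog (`netsh winsock reset`) and puts back a default hosts file (`[resethosts]`). As an added example, not part of Essexboy's post or of OTL, the Python below reviews the two things that reset touches from a captured `netsh winsock show catalog` dump and a hosts file: it flags providers loaded from outside the Windows system directory, non-base (layered/chain) entries, and hosts lines that map anything other than localhost. The catalog text, the hosts content and the `C:\WINDOWS` system root are constructed assumptions; on a live box you would feed it the real dump and `%SystemRoot%`.

```python
"""Review a Winsock catalog dump and a hosts file for entries a Winsock/hosts
reset would remove. Added example; the sample text below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of `netsh winsock show catalog`. The second
# entry is invented: a layered provider loaded from a temp directory.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Documents and Settings\user\Local Settings\Temp\example.dll
Catalog Entry ID:                   1030
Protocol Chain Length:              2
"""

# Constructed hosts file: the two defaults plus two entries a reset would drop.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example.com   # blocks a site by pointing it at loopback
198.51.100.7    www.example.com      # silently sends a site somewhere else
"""

# "Field:   value" lines; the non-greedy key stops at the first colon, so a
# value such as C:\... keeps its own colon.
_FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the dump into provider entries and collect each entry's fields."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in block.splitlines():
            m = _FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            entries.append(fields)
    return entries


def is_system_path(path: str, system_root: str = r"C:\WINDOWS") -> bool:
    """True if the provider DLL lives under <system_root>\\system32.
    system_root is an assumption; read %SystemRoot% on the real machine."""
    expanded = path.replace("%SystemRoot%", system_root).lower()
    return expanded.startswith(system_root.lower() + "\\system32\\")


def review_catalog(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (catalog entry id, reason) pairs for entries worth a look."""
    findings = []
    for e in entries:
        entry_id = e.get("Catalog Entry ID", "?")
        if not is_system_path(e.get("Provider Path", "")):
            findings.append((entry_id, "provider DLL outside system32"))
        if e.get("Entry Type") != "Base Service Provider":
            findings.append((entry_id, "layered/chain entry: " + e.get("Description", "")))
    return findings


def review_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs other than the localhost defaults."""
    flagged = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() != "localhost":
                flagged.append((addr, name))
    return flagged


if __name__ == "__main__":
    for finding in review_catalog(parse_catalog(SAMPLE_CATALOG)):
        print("winsock:", finding)
    for finding in review_hosts(SAMPLE_HOSTS):
        print("hosts:", finding)
```

Running it before and after the reset, and comparing the two finding lists, shows exactly which catalog entries and hosts mappings the fix removed.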

#15
johneangel

    Member

  • Topic Starter
  • Member
  • 19 posts
Essexboy,

Computer in normal mode with all security programs running: Pasted script into CSF box, clicked "Run Fix" and didn't do anything. "Program rebooted computer". Ran "Quick Scan"

A week or so ago, I think I ran a program that checked and repaired my tcpip stack. I was thinking about it, but not sure if I ran it. Forgot to mention this to you, it should show up in programs run in last 30 days. I can't remember if I took vitamins this morning-no memory.

It's late, I'll report tomorrow afternoon on computer health.

thanks, john

Quick Scan
OTL logfile created on: 06/23/13 10:53:07 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\johnt\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

2.00 Gb Total Physical Memory | 1.17 Gb Available Physical Memory | 58.64% Memory free
4.85 Gb Paging File | 4.10 Gb Available in Paging File | 84.56% Paging File free
Paging file location(s): C:\pagefile.sys 3069 3069 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 15.88 Gb Free Space | 42.64% Space Free | Partition Type: NTFS

Computer Name: JOHN | User Name: johnt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/15 18:24:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
PRC - [2013/06/12 21:45:17 | 000,182,184 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2013/01/26 07:08:30 | 004,480,768 | ---- | M] (Akamai Technologies, Inc.) -- C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai\netsession_win.exe
PRC - [2012/08/30 04:03:36 | 000,497,320 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2012/08/30 04:03:12 | 000,738,984 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2012/08/29 16:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2012/08/29 15:45:24 | 000,073,392 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/04/19 16:39:30 | 000,935,744 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
PRC - [2010/03/11 12:07:54 | 000,124,432 | ---- | M] ( Pro-Softnet) -- C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe
PRC - [2010/03/11 12:01:32 | 000,149,008 | ---- | M] (Pro Softnet Corporation) -- C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/20 14:04:51 | 000,046,432 | ---- | M] (Microsoft® Corporation) -- C:\Program Files\Microsoft Works\WkCalRem.exe
PRC - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2001/08/17 16:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe


========== Modules (No Company Name) ==========

MOD - [2012/08/29 15:45:16 | 000,074,928 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\fde\fde_api.dll
MOD - [2011/04/19 16:40:06 | 000,088,896 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\crsrpt.dll
MOD - [2011/04/19 16:39:34 | 000,013,120 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\MlfHook.dll
MOD - [2011/04/19 16:39:32 | 000,290,112 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mtdsdk.dll
MOD - [2011/04/19 16:39:24 | 000,222,016 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\resources\mbzaenu.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/06/12 21:45:17 | 000,182,184 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/02/16 17:28:26 | 000,277,744 | ---- | M] (SpeedBit Ltd.) [Disabled | Stopped] -- C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe -- (VideoAcceleratorService)
SRV - [2012/09/13 06:50:41 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2012/08/30 04:03:36 | 000,497,320 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2012/08/29 16:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/05/25 15:14:34 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper)
SRV - [2010/03/11 12:07:54 | 000,124,432 | ---- | M] ( Pro-Softnet) [Auto | Running] -- C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe -- (ZABackupWebM)
SRV - [2010/03/11 12:01:32 | 000,149,008 | ---- | M] (Pro Softnet Corporation) [Auto | Running] -- C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe -- (ZoneAlarmBackup Service)
SRV - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\johnt\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/08/30 04:03:48 | 000,027,056 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2012/08/30 04:03:08 | 000,036,784 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys -- (icsak)
DRV - [2012/08/29 15:45:24 | 000,526,640 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2012/01/09 18:59:34 | 000,485,808 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2012/01/09 18:59:30 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (KL1)
DRV - [2012/01/09 18:59:30 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2011/07/22 09:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 14:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/07/22 12:13:20 | 000,028,592 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2008/06/19 17:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/04/13 11:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 11:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/05/07 16:54:38 | 000,008,960 | ---- | M] (Prolific Technology Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\usbbc2.sys -- (PLUsbbc2)
DRV - [2001/08/17 05:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman)
DRV - [2001/08/17 05:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1)
DRV - [2001/08/17 05:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k)
DRV - [2001/08/17 05:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 1C C2 05 D2 5A CE 01 [binary data]
IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {6C73F24A-310C-41FE-8601-CEDBBF4C03B5}
IE - HKCU\..\SearchScopes,DefaultScope = {1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}
IE - HKCU\..\SearchScopes\{1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}: "URL" = http://www.google.co...hi=&safe=images
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10516.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.100: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.102: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.103: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.97: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/10/09 21:04:48 | 000,000,000 | ---D | M]

[2012/08/14 15:35:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2013/06/23 22:40:33 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Zonealarm Helper Object) - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll (Montera Technologeis LTD)
O2 - BHO: (Google Analytics Opt-out Browser Add-on) - {75EF13CE-B59E-41ba-8A5A-A944031BD8B4} - C:\Program Files\Google\Google Analytics Opt-Out\gaoptout.dll (Google, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll (Montera Technologeis LTD)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\toolbars present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: dell.com ([]* in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.app...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1369263711078 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{81C850C1-0954-4D79-8392-C01EBD557CC6}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (mirpywre.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/10 11:40:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/09/04 14:54:31 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/23 22:39:26 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/06/23 22:08:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\johnt\Recent
[2013/06/21 14:24:43 | 000,000,000 | ---D | C] -- C:\my documents
[2013/06/21 14:10:18 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\johnt\Desktop\winsockxpfix.exe
[2013/06/21 13:12:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Geeks to Go Repair
[2013/06/21 13:09:17 | 000,000,000 | ---D | C] -- C:\ERDNT
[2013/06/18 18:41:14 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/06/18 15:00:27 | 005,081,021 | R--- | C] (Swearware) -- C:\Documents and Settings\johnt\Desktop\ComboFix.exe
[2013/06/17 13:40:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% a Go to Geek repair jun17
[2013/06/17 12:11:38 | 000,000,000 | ---D | C] -- C:\Gmer
[2013/06/16 20:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iolo
[2013/06/16 19:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Dell
[2013/06/16 19:21:12 | 000,000,000 | ---D | C] -- C:\Program Files\Dell Support Center
[2013/06/16 19:18:55 | 000,000,000 | ---D | C] -- C:\Program Files\My Dell
[2013/06/16 19:08:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\Application Data\PCDr
[2013/06/16 19:06:50 | 000,000,000 | ---D | C] -- C:\temp
[2013/06/16 19:05:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\Start Menu\Programs\Dell
[2013/06/15 18:24:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
[2013/06/15 16:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2013/06/15 14:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\ComboFix log jun15
[2013/06/15 11:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Problems Registry Change History
[2013/06/15 11:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Problems Repair Fixes Links
[2013/06/15 11:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Deleting Temp _Temporary Internet Files
[2013/06/14 23:32:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Local Services Configurations Checking
[2013/06/14 16:10:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Active x Controls and Plug-Ins Settings
[2013/06/14 14:10:43 | 000,000,000 | ---D | C] -- C:\Program Files\autoruns filealyz
[2013/06/14 13:04:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer New possible downloads programs etc
[2013/06/14 13:00:53 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2013/06/14 12:19:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Dell diagnoses downloads etc
[2013/06/14 12:01:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai
[2013/06/10 12:22:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Combinations
[2013/06/09 17:09:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/06/09 17:09:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/06/09 17:09:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/06/09 17:09:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/06/09 17:08:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/09 14:20:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer AUTORUNS changes jun 2013
[2013/06/09 12:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Free Jun 2013
[2013/06/09 12:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Create System Restore Point
[2013/06/09 10:33:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% uninstall programs from msconfig computer
[2013/06/09 03:41:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Computer Repairs Tweaks June 2013
[2013/06/08 20:09:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% My Awake Experiences
[2013/06/08 14:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\TagsRevisited
[2013/06/08 14:29:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Safer Networking
[2013/06/08 14:29:44 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2013/06/08 14:09:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\New Folder
[2013/06/08 14:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Repair Programs for Event Viewer Application Files
[2013/06/08 02:38:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Combofix Total Removal
[2013/06/07 12:45:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Complete Specs
[2013/06/06 22:42:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer chkdsk & sfc commands & use
[2013/06/06 22:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\StarApp
[2013/06/06 22:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2013/06/06 20:28:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2013/06/06 17:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer superantispyware online scan
[2013/06/06 02:02:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Google Prevent tracking by google
[2013/06/06 01:37:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Changes Registry __Dates
[2013/06/03 02:07:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer %Problems to correct
[2013/06/03 01:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer useful RUN links
[2013/06/03 00:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Internet Explorer IE8
[2013/06/03 00:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Online Forums
[2013/06/02 15:53:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Problems
[2013/06/02 15:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer test programs
[2013/06/02 15:46:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Ads and Files to block
[2013/06/02 13:02:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\$ Wise Information
[2013/06/02 12:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Polar Manuals
[2013/06/02 12:34:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer desktop icons
[2013/06/02 12:32:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Dell
[2013/06/02 12:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Copying music talks to disc
[2013/06/02 12:28:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole misc government improvements
[2013/06/02 12:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Buddhism
[2013/06/02 12:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Money Making Schemes
[2013/06/02 12:10:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\johnt\My Documents\& MajorGeeK repair May june 2013
[2013/06/02 11:41:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Family Tree
[2013/06/02 11:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Synonyms Antonyms
[2013/06/02 11:39:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Safety Check_Online_links sites
[2013/06/02 11:32:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Warnings desktop icons
[2013/06/02 10:34:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Mental Health
[2013/06/02 10:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Class Reunion
[2013/06/02 09:50:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Searching
[2013/06/02 09:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Shopping
[2013/06/02 09:45:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Files Unknown To Check
[2013/06/02 09:33:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Passwords Names
[2013/06/02 09:24:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Auto
[2013/06/02 09:24:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Cats
[2013/06/02 09:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Changes
[2013/06/02 08:31:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Terms such as %windir%
[2013/06/01 20:09:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Dates of Installments Updates Modification
[2013/06/01 19:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer files folders in question
[2013/06/01 17:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs
[2013/06/01 17:24:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer ZoneAlarm Extreme Security
[2013/06/01 17:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Health Improving
[2013/06/01 17:13:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Contra Costa College
[2013/06/01 17:07:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Meier Billy
[2013/06/01 17:04:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Nursing Home References
[2013/06/01 17:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Nardil
[2013/06/01 16:55:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Movies To watch Actors Etc
[2013/06/01 16:53:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Mental Telepathy
[2013/06/01 16:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Repair Current
[2013/06/01 16:45:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Songs
[2013/06/01 16:43:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Health of John
[2013/06/01 16:34:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Files Deletion_Exempt
[2013/06/01 16:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\eyes
[2013/06/01 16:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\66 villa dr
[2013/06/01 16:31:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Dizziness
[2013/06/01 16:13:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Politics
[2013/06/01 15:42:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Friends
[2013/06/01 15:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Spiritual___AfterDeath AstralTravel
[2013/06/01 15:17:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer
[2013/06/01 15:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% aa videos saved vlc etc
[2013/06/01 15:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Posts
[2013/06/01 15:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Healthcare Plan by John B
[2013/05/28 23:17:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2013/05/26 16:43:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/08/11 15:41:36 | 000,553,832 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\autorunsc.exe

========== Files - Modified Within 30 Days ==========

[2013/06/23 22:52:45 | 000,008,608 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\wklnhst.dat
[2013/06/23 22:46:56 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2013/06/23 22:45:08 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/23 22:43:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/23 22:40:33 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/06/23 22:29:47 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go scan and reply jun 23 2013.wps
[2013/06/23 21:33:35 | 000,000,282 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\15 Project Free TV.url
[2013/06/23 15:44:04 | 000,000,247 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Google AdvBrit.url
[2013/06/23 14:46:45 | 000,000,236 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\12 Rolling Stone.url
[2013/06/23 12:04:25 | 000,000,315 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Advanced Web Search.url
[2013/06/22 22:33:49 | 000,002,022 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\16Watch Btvguide.url
[2013/06/21 14:10:21 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\johnt\Desktop\winsockxpfix.exe
[2013/06/21 13:06:46 | 000,038,028 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\winsock_xp_fix.html
[2013/06/20 12:29:38 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\SystemToolsDailyTest.job
[2013/06/20 12:29:31 | 000,000,520 | ---- | M] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
[2013/06/19 12:54:25 | 000,377,856 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\voxmlicm.exe
[2013/06/18 16:27:55 | 000,000,678 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Dictionary and Thesaurus - Merriam-Webster Online.url
[2013/06/18 15:13:55 | 002,145,792 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go jun 18.wps
[2013/06/18 15:00:39 | 005,081,021 | R--- | M] (Swearware) -- C:\Documents and Settings\johnt\Desktop\ComboFix.exe
[2013/06/17 18:11:44 | 000,001,833 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\10 imdb movies.url
[2013/06/17 15:47:21 | 000,000,461 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\Geek to Go Jun 17.url
[2013/06/17 12:15:51 | 000,000,439 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\9 Cnet.url
[2013/06/16 20:07:03 | 000,074,703 | ---- | M] () -- C:\WINDOWS\System32\mfc45.dat
[2013/06/16 19:44:04 | 001,059,558 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Computer Technical Info.nfo
[2013/06/16 16:18:07 | 000,503,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/06/16 16:18:07 | 000,088,884 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/06/15 18:24:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
[2013/06/15 01:14:05 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\11 Knowing.url
[2013/06/12 20:11:12 | 000,005,762 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\% % movie jun 12 RBkkAq.html
[2013/06/09 22:45:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2013/06/09 22:33:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/09 10:31:51 | 000,000,346 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\Unable to uninstall PC Tools Utilities Product.url
[2013/06/08 15:26:38 | 000,000,082 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\CCleaner reg backup cc_20130608_152607.reg
[2013/06/08 03:46:47 | 000,000,393 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Google AdvUSA.url
[2013/06/06 21:42:14 | 000,010,617 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\a07kyxersblo.htm
[2013/06/05 23:11:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\johnt\defogger_reenable
[2013/06/05 22:40:27 | 000,002,556 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\MajorGeeks cleanup jun 5 steps.rtf
[2013/06/04 02:58:59 | 000,000,357 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\My Documents.lnk
[2013/06/03 15:59:40 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\% a may 20 bootkit zeroaccess repair ltr jun 3 wpad.rtf
[2013/06/03 00:34:37 | 000,165,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/06/02 18:02:24 | 000,000,373 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\8 Mercola Archive.url
[2013/06/02 14:47:41 | 000,740,309 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Gold Star button removal.mht
[2013/05/31 11:15:37 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics Disk Defrag.lnk
[2013/05/31 11:09:49 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner.lnk
[2013/05/27 20:04:27 | 000,001,094 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Options.lnk
[2013/05/27 20:00:56 | 000,000,541 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\All Docs.lnk
[2013/05/27 19:57:12 | 000,001,699 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/05/27 19:55:39 | 000,000,557 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Paint Docs.lnk
[2013/05/27 19:48:52 | 000,001,533 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\4 Comcast.url
[2013/05/26 14:51:49 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI

========== Files Created - No Company Name ==========

[2013/06/23 22:29:47 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go scan and reply jun 23 2013.wps
[2013/06/21 13:06:46 | 000,038,028 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\winsock_xp_fix.html
[2013/06/19 12:54:23 | 000,377,856 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\voxmlicm.exe
[2013/06/18 15:07:56 | 002,145,792 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go jun 18.wps
[2013/06/17 15:47:21 | 000,000,461 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\Geek to Go Jun 17.url
[2013/06/16 22:05:14 | 000,158,970 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1614895754-1004336348-725345543-1004-0.dat
[2013/06/16 22:05:11 | 000,158,970 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/06/16 20:07:03 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dat
[2013/06/16 19:55:33 | 000,000,520 | ---- | C] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
[2013/06/16 19:55:32 | 000,000,458 | ---- | C] () -- C:\WINDOWS\tasks\SystemToolsDailyTest.job
[2013/06/16 19:41:16 | 001,059,558 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Computer Technical Info.nfo
[2013/06/13 03:55:21 | 000,098,008 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/06/12 20:11:46 | 000,005,762 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\% % movie jun 12 RBkkAq.html
[2013/06/09 17:09:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/06/09 17:09:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/06/09 17:09:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/06/09 17:09:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/06/09 17:09:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/06/09 10:31:51 | 000,000,346 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\Unable to uninstall PC Tools Utilities Product.url
[2013/06/08 15:26:38 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\CCleaner reg backup cc_20130608_152607.reg
[2013/06/06 21:42:25 | 000,010,617 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\a07kyxersblo.htm
[2013/06/05 23:11:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\johnt\defogger_reenable
[2013/06/05 22:40:27 | 000,002,556 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\MajorGeeks cleanup jun 5 steps.rtf
[2013/06/04 02:58:59 | 000,000,357 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\My Documents.lnk
[2013/06/03 15:59:40 | 000,000,410 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\% a may 20 bootkit zeroaccess repair ltr jun 3 wpad.rtf
[2013/06/02 18:02:23 | 000,000,373 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\8 Mercola Archive.url
[2013/06/02 14:47:38 | 000,740,309 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Gold Star button removal.mht
[2013/05/31 11:15:37 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics Disk Defrag.lnk
[2013/05/30 11:29:45 | 000,000,315 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Advanced Web Search.url
[2013/05/27 19:11:49 | 000,002,022 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\16Watch Btvguide.url
[2013/05/25 10:48:12 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2013/05/19 13:59:16 | 000,004,334 | ---- | C] () -- C:\Documents and Settings\johnt\ie-guid.reg
[2013/02/16 17:28:59 | 000,109,256 | ---- | C] () -- C:\WINDOWS\System32\EasyHook64.dll
[2013/02/16 17:28:59 | 000,090,824 | ---- | C] () -- C:\WINDOWS\System32\EasyHook32.dll
[2012/08/13 14:19:45 | 000,000,144 | ---- | C] () -- C:\WINDOWS\System32\lkfl.dat
[2012/08/13 14:19:45 | 000,000,128 | ---- | C] () -- C:\WINDOWS\System32\pdfl.dat
[2012/08/13 14:19:45 | 000,000,080 | ---- | C] () -- C:\WINDOWS\System32\ibfl.dat
[2012/05/29 23:45:15 | 000,645,632 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2012/05/29 23:45:15 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2012/05/26 09:47:05 | 000,008,608 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\wklnhst.dat
[2012/05/12 17:27:23 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 10:49:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/07 04:16:34 | 000,026,128 | ---- | C] () -- C:\WINDOWS\System32\ZABackupXceedCryReg.exe
[2011/09/07 04:16:33 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2011/09/07 04:16:32 | 000,441,705 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
[2011/01/03 12:22:15 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xYQ6vl.dat
[2010/12/08 16:31:57 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\johnt\Cache.db
[2010/07/08 03:43:41 | 000,000,144 | ---- | C] () -- C:\Program Files\Filter On.reg
[2010/07/08 03:39:36 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\johnt\Filter On.reg
[2010/04/17 22:04:02 | 000,010,074 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\58G3tyIDc
[2010/04/17 22:04:02 | 000,010,074 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\58G3tyIDc
[2010/04/16 18:28:28 | 000,009,596 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\3367619789
[2010/04/16 18:20:32 | 000,011,334 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\jrNYi6G
[2010/04/16 18:20:32 | 000,011,334 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\jrNYi6G
[2010/04/14 13:23:03 | 000,009,654 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\3469191438
[2010/04/14 13:22:29 | 000,009,942 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\2509137411
[2010/04/14 13:21:45 | 000,009,466 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 13:16:40 | 000,010,704 | --S- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 13:16:40 | 000,009,466 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2009/08/20 13:17:14 | 000,017,897 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\cyvykofu.ban
[2009/08/20 13:17:14 | 000,017,687 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\gihusegiki.scr
[2009/08/20 13:17:14 | 000,017,036 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\hazenez.sys
[2009/08/20 13:17:14 | 000,017,010 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\qefyvylam.ban
[2009/08/20 13:17:14 | 000,015,961 | ---- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\wymyfe.bin
[2009/08/20 13:17:14 | 000,012,349 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\azefygo.sys
[2009/07/12 15:05:01 | 000,056,832 | ---- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/16 17:46:54 | 000,049,244 | ---- | C] () -- C:\Program Files\autoruns.chm

========== ZeroAccess Check ==========

[2009/07/27 05:31:09 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/10/28 19:51:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2011/01/01 22:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cFdMl01832
[2012/10/09 21:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/04/09 13:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFi01845lLaAa01845
[2011/01/14 20:24:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\hIdEa01827
[2013/05/19 19:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2011/01/10 17:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iCmEm07003
[2013/06/10 22:56:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2013/06/16 20:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2009/09/06 11:41:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky SDK
[2013/03/02 14:30:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Licenses
[2011/03/24 03:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nOaEiMjOdGp01820
[2012/07/14 14:33:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Utility Kit
[2013/06/16 19:16:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2011/04/06 21:21:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pJo01819pNfLn01819
[2013/02/16 17:29:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Speedbit
[2013/06/06 22:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\StarApp
[2013/06/23 10:20:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/11/13 03:26:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\#ISW.FS#
[2012/03/31 14:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\0 final solutions to America's & world's crises
[2012/07/14 16:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Auslogics
[2012/10/09 21:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Check Point Software Technologies LTD
[2012/08/13 14:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\CheckPoint
[2011/02/16 22:19:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/07/12 15:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\CyberScrub
[2012/05/22 14:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\ElevatedDiagnostics
[2011/12/21 03:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\ieSpell
[2011/01/06 17:29:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\MailFrontier
[2012/07/14 14:33:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\PC Utility Kit
[2013/06/16 19:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\PCDr
[2011/11/19 22:40:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Product_RM
[2012/05/26 09:47:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Template

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4AF47A7
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >