Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Rootkit ZeroAccess inserted into tcp/ip stack. PEV.exe problem, needs


  • This topic is locked This topic is locked

#16
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm that showed a few junk folders/files so we might as well clear those whilst we are here. Let me know how the computer is behaving please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Posted Image
:Commands
[CREATERESTOREPOINT]

:OTL
[2010/04/17 22:04:02 | 000,010,074 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\58G3tyIDc
[2010/04/17 22:04:02 | 000,010,074 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\58G3tyIDc
[2010/04/16 18:28:28 | 000,009,596 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\3367619789
[2010/04/16 18:20:32 | 000,011,334 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\jrNYi6G
[2010/04/16 18:20:32 | 000,011,334 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\jrNYi6G
[2010/04/14 13:23:03 | 000,009,654 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\3469191438
[2010/04/14 13:22:29 | 000,009,942 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\2509137411
[2010/04/14 13:21:45 | 000,009,466 | --S- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 13:16:40 | 000,010,704 | --S- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 13:16:40 | 000,009,466 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2009/08/20 13:17:14 | 000,017,897 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\cyvykofu.ban
[2009/08/20 13:17:14 | 000,017,687 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\gihusegiki.scr
[2009/08/20 13:17:14 | 000,017,036 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\hazenez.sys
[2009/08/20 13:17:14 | 000,017,010 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\qefyvylam.ban
[2009/08/20 13:17:14 | 000,015,961 | ---- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\wymyfe.bin
[2009/08/20 13:17:14 | 000,012,349 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\azefygo.sys
[2011/01/01 22:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cFdMl01832
[2012/10/09 21:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/04/09 13:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFi01845lLaAa01845
[2011/01/14 20:24:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\hIdEa01827
[2013/05/19 19:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2011/01/10 17:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iCmEm07003
[2011/03/24 03:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nOaEiMjOdGp01820
[2011/04/06 21:21:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pJo01819pNfLn01819


:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

Advertisements


#17
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy,

Lost edited post due to connection problem. GTG said it was saved but didn't say where.

Ran OTL Run Fix. Almost missed top line of script, ":Commands" by "not signing in", learned lesson, always sign in. Clicked "Okay" when asked to reboot.

Ran Quick Scan, log below my yakety yak.

Thanks. Search companion working perfectly and very fast. How did you fix the endless loop? I guess I don't really have to know. But when I go into ZAES Application Control Settings and View Programs, I see so many files, about 1,080 that I get dizzy.

ZAES gave Super Trust level, III to winsock_xp_fix, OTL, Gmer, ComboFix and other GTG scan programs.

There were programs in ACS that had ?. For ?'s my Trust Level choices are Super, Trusted, Restricted, Ask, Kill or no Enforcement. It's too much. I choose default settings for most of ZAES and only change those that gave more security without decreasing speed of my 2004 computer.

I think "user profile hive cleanup service" that Dell installed jun16 or that you used can also be removed. Need to check programs.........

1. Computer running slow, not really slow. But slower than in April.

Some sites not popping up, taking a few seconds to load. Sometimes image by image or no images and without some links working. Same problem I had with GTG. Now when using GTG I set Internet Options' Privacy to: Accept All Cookies and Low: Allow popups from secured sites. Now, no more image or link problems with GTG.

But image missing problems with some web sites. Clicked and unclicked and....but compatiblity button appears to make no difference. But it does activate on its own.

Prior to two months ago in April when running Auslogics Defrag at High Priority in Normal mode, Defrag would read continuously without stopping and slow down only after all files are read and defragging begins. In Safe Mode Auslogics reads about 3,300 files, stops for a second then reads another 3300 and repeats about 23x and then defrags with the 23 pauses.
But since April, the computer slows down in Normal mode just as in Safe Mode.

Also more pauses in movies and tv-shows that I stream only from sites approved by Google Safebrowsing, Website Antivirus and Norton Safeweb.

If I notice computer slowing down during the day, I'll run 1. Internet Properties Delete-Detete 2. Default CCleaner-Windows-Analyze-Run Clearner 3. Default Auslogics Disk Defrag-Defrag. I often run Internet Options at "High" for cookies and "High" which blocks most popups, not at "Block all pop-ups".

Today I enabled Virtual Browsing: "Builds a protective shield around your web browser. It creates a temporary clone of your browser so that anything you do on the web runs in a protected shell, sealed off from your PC." I hope.

And, "Keylogger & Screengrabber Jamming: Keeps your keystrokes and click trails private. Discovers and blocks silent spyware from stealing your identity. Doesn't appear like these two additions slow my computer down.

2. On Jun 14 I downloaded .net Framework 4 which is required to download Dell's diagnostic programs for my Dell computer. Ran one 30 min diagnostic program which indicated 3 programs had 2007 updates. Will thoroughly check on Dell community for comments before replacing older programs. Plan to do this after GTG's cleaning is done. Don't repair something that's working!! Any comments appreciated.

Considering continued disabling of PC Doctor, installed jun 16 by Dell. Will check how much it slows computer.

3. Running ComboFix again under your supervision will show me that Rootkit ZeroAccess has been totally eliminated and not hiding someplace. It's still on my desktop with Gmer, OTL and winsock.
Going to watch Warehouse 13, Defiance to test speed, connections, pauses, etc.

Good Night, thanks, john

OTL QUICK SCAN LOG JUN 24

OTL logfile created on: 06/24/13 1:05:17 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\johnt\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

2.00 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 78.59% Memory free
4.85 Gb Paging File | 4.52 Gb Available in Paging File | 93.25% Paging File free
Paging file location(s): C:\pagefile.sys 3069 3069 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 16.24 Gb Free Space | 43.62% Space Free | Partition Type: NTFS

Computer Name: JOHN | User Name: johnt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/15 18:24:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
PRC - [2013/06/12 21:45:17 | 000,182,184 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2013/01/26 07:08:30 | 004,480,768 | ---- | M] (Akamai Technologies, Inc.) -- C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai\netsession_win.exe
PRC - [2012/08/30 04:03:36 | 000,497,320 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2012/08/30 04:03:12 | 000,738,984 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2012/08/29 16:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2012/08/29 15:45:24 | 000,073,392 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/04/19 16:39:30 | 000,935,744 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
PRC - [2010/03/11 12:07:54 | 000,124,432 | ---- | M] ( Pro-Softnet) -- C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe
PRC - [2010/03/11 12:01:32 | 000,149,008 | ---- | M] (Pro Softnet Corporation) -- C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2001/08/17 16:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe


========== Modules (No Company Name) ==========

MOD - [2012/08/29 15:45:16 | 000,074,928 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\fde\fde_api.dll
MOD - [2011/04/19 16:40:06 | 000,088,896 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\crsrpt.dll
MOD - [2011/04/19 16:39:34 | 000,013,120 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\MlfHook.dll
MOD - [2011/04/19 16:39:32 | 000,290,112 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mtdsdk.dll
MOD - [2011/04/19 16:39:24 | 000,222,016 | ---- | M] () -- C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\resources\mbzaenu.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/06/12 21:45:17 | 000,182,184 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/02/16 17:28:26 | 000,277,744 | ---- | M] (SpeedBit Ltd.) [Disabled | Stopped] -- C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe -- (VideoAcceleratorService)
SRV - [2012/09/13 06:50:41 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2012/08/30 04:03:36 | 000,497,320 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2012/08/29 16:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/05/25 15:14:34 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper)
SRV - [2010/03/11 12:07:54 | 000,124,432 | ---- | M] ( Pro-Softnet) [Auto | Running] -- C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe -- (ZABackupWebM)
SRV - [2010/03/11 12:01:32 | 000,149,008 | ---- | M] (Pro Softnet Corporation) [Auto | Running] -- C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe -- (ZoneAlarmBackup Service)
SRV - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\johnt\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/08/30 04:03:48 | 000,027,056 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2012/08/30 04:03:08 | 000,036,784 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys -- (icsak)
DRV - [2012/08/29 15:45:24 | 000,526,640 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2012/01/09 18:59:34 | 000,485,808 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2012/01/09 18:59:30 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (KL1)
DRV - [2012/01/09 18:59:30 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2011/07/22 09:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 14:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/07/22 12:13:20 | 000,028,592 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2008/06/19 17:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/04/13 11:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 11:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/05/07 16:54:38 | 000,008,960 | ---- | M] (Prolific Technology Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\usbbc2.sys -- (PLUsbbc2)
DRV - [2001/08/17 05:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman)
DRV - [2001/08/17 05:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1)
DRV - [2001/08/17 05:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k)
DRV - [2001/08/17 05:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 1C C2 05 D2 5A CE 01 [binary data]
IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {6C73F24A-310C-41FE-8601-CEDBBF4C03B5}
IE - HKCU\..\SearchScopes,DefaultScope = {1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}
IE - HKCU\..\SearchScopes\{1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}: "URL" = http://www.google.co...hi=&safe=images
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10516.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.100: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.102: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.103: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.97: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/10/09 21:04:48 | 000,000,000 | ---D | M]

[2012/08/14 15:35:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2013/06/24 12:53:19 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Zonealarm Helper Object) - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll (Montera Technologeis LTD)
O2 - BHO: (Google Analytics Opt-out Browser Add-on) - {75EF13CE-B59E-41ba-8A5A-A944031BD8B4} - C:\Program Files\Google\Google Analytics Opt-Out\gaoptout.dll (Google, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll (Montera Technologeis LTD)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\toolbars present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun- = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: dell.com ([]* in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.app...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1369263711078 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{81C850C1-0954-4D79-8392-C01EBD557CC6}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (mirpywre.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/10 11:40:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/09/04 14:54:31 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/24 02:34:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\johnt\Recent
[2013/06/23 22:39:26 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/06/21 14:24:43 | 000,000,000 | ---D | C] -- C:\my documents
[2013/06/21 14:10:18 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\johnt\Desktop\winsockxpfix.exe
[2013/06/21 13:12:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Geeks to Go Repair
[2013/06/21 13:09:17 | 000,000,000 | ---D | C] -- C:\ERDNT
[2013/06/18 18:41:14 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/06/18 15:00:27 | 005,081,021 | R--- | C] (Swearware) -- C:\Documents and Settings\johnt\Desktop\ComboFix.exe
[2013/06/17 13:40:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% a Go to Geek repair jun17
[2013/06/17 12:11:38 | 000,000,000 | ---D | C] -- C:\Gmer
[2013/06/16 20:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iolo
[2013/06/16 19:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Dell
[2013/06/16 19:21:12 | 000,000,000 | ---D | C] -- C:\Program Files\Dell Support Center
[2013/06/16 19:18:55 | 000,000,000 | ---D | C] -- C:\Program Files\My Dell
[2013/06/16 19:08:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\Application Data\PCDr
[2013/06/16 19:06:50 | 000,000,000 | ---D | C] -- C:\temp
[2013/06/16 19:05:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\Start Menu\Programs\Dell
[2013/06/15 18:24:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
[2013/06/15 16:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2013/06/15 14:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\ComboFix log jun15
[2013/06/15 11:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Problems Registry Change History
[2013/06/15 11:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Problems Repair Fixes Links
[2013/06/15 11:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Deleting Temp _Temporary Internet Files
[2013/06/14 23:32:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Local Services Configurations Checking
[2013/06/14 16:10:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Active x Controls and Plug-Ins Settings
[2013/06/14 14:10:43 | 000,000,000 | ---D | C] -- C:\Program Files\autoruns filealyz
[2013/06/14 13:04:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer New possible downloads programs etc
[2013/06/14 13:00:53 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2013/06/14 12:19:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Dell diagnoses downloads etc
[2013/06/14 12:01:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\Local Settings\Application Data\Akamai
[2013/06/10 12:22:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Combinations
[2013/06/09 17:09:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/06/09 17:09:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/06/09 17:09:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/06/09 17:09:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/06/09 17:08:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/09 14:20:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer AUTORUNS changes jun 2013
[2013/06/09 12:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Free Jun 2013
[2013/06/09 12:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Create System Restore Point
[2013/06/09 10:33:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% uninstall programs from msconfig computer
[2013/06/09 03:41:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Computer Repairs Tweaks June 2013
[2013/06/08 20:09:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% My Awake Experiences
[2013/06/08 14:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\TagsRevisited
[2013/06/08 14:29:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Safer Networking
[2013/06/08 14:29:44 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2013/06/08 14:09:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\New Folder
[2013/06/08 14:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Repair Programs for Event Viewer Application Files
[2013/06/08 02:38:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Combofix Total Removal
[2013/06/07 12:45:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Complete Specs
[2013/06/06 22:42:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer chkdsk & sfc commands & use
[2013/06/06 22:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\StarApp
[2013/06/06 22:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2013/06/06 20:28:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2013/06/06 17:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer superantispyware online scan
[2013/06/06 02:02:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Google Prevent tracking by google
[2013/06/06 01:37:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Changes Registry __Dates
[2013/06/03 02:07:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer %Problems to correct
[2013/06/03 01:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer useful RUN links
[2013/06/03 00:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Internet Explorer IE8
[2013/06/03 00:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Online Forums
[2013/06/02 15:53:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs Problems
[2013/06/02 15:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer test programs
[2013/06/02 15:46:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Ads and Files to block
[2013/06/02 13:02:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\$ Wise Information
[2013/06/02 12:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Polar Manuals
[2013/06/02 12:34:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer desktop icons
[2013/06/02 12:32:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Dell
[2013/06/02 12:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Copying music talks to disc
[2013/06/02 12:28:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole misc government improvements
[2013/06/02 12:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Buddhism
[2013/06/02 12:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Money Making Schemes
[2013/06/02 12:10:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\johnt\My Documents\& MajorGeeK repair May june 2013
[2013/06/02 11:41:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Family Tree
[2013/06/02 11:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Synonyms Antonyms
[2013/06/02 11:39:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% Safety Check_Online_links sites
[2013/06/02 11:32:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Warnings desktop icons
[2013/06/02 10:34:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Mental Health
[2013/06/02 10:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Class Reunion
[2013/06/02 09:50:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Searching
[2013/06/02 09:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Shopping
[2013/06/02 09:45:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Files Unknown To Check
[2013/06/02 09:33:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Passwords Names
[2013/06/02 09:24:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Auto
[2013/06/02 09:24:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Cats
[2013/06/02 09:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Changes
[2013/06/02 08:31:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Terms such as %windir%
[2013/06/01 20:09:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Dates of Installments Updates Modification
[2013/06/01 19:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer files folders in question
[2013/06/01 17:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Programs
[2013/06/01 17:24:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer ZoneAlarm Extreme Security
[2013/06/01 17:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Health Improving
[2013/06/01 17:13:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Contra Costa College
[2013/06/01 17:07:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Meier Billy
[2013/06/01 17:04:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Nursing Home References
[2013/06/01 17:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Nardil
[2013/06/01 16:55:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Movies To watch Actors Etc
[2013/06/01 16:53:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Mental Telepathy
[2013/06/01 16:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Repair Current
[2013/06/01 16:45:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Songs
[2013/06/01 16:43:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Health of John
[2013/06/01 16:34:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer Files Deletion_Exempt
[2013/06/01 16:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\eyes
[2013/06/01 16:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\66 villa dr
[2013/06/01 16:31:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Dizziness
[2013/06/01 16:13:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Politics
[2013/06/01 15:42:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Friends
[2013/06/01 15:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Spiritual___AfterDeath AstralTravel
[2013/06/01 15:17:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Computer
[2013/06/01 15:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\% aa videos saved vlc etc
[2013/06/01 15:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Juan Cole Posts
[2013/06/01 15:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnt\My Documents\Healthcare Plan by John B
[2013/05/28 23:17:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2013/05/26 16:43:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/08/11 15:41:36 | 000,553,832 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\autorunsc.exe

========== Files - Modified Within 30 Days ==========

[2013/06/24 12:57:35 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2013/06/24 12:56:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/24 12:56:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/24 12:53:19 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/06/24 00:40:29 | 000,000,315 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Advanced Web Search.url
[2013/06/24 00:37:59 | 000,000,247 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Google AdvBrit.url
[2013/06/23 22:52:45 | 000,008,608 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\wklnhst.dat
[2013/06/23 22:29:47 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go scan and reply jun 23 2013.wps
[2013/06/23 21:33:35 | 000,000,282 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\15 Project Free TV.url
[2013/06/23 14:46:45 | 000,000,236 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\12 Rolling Stone.url
[2013/06/22 22:33:49 | 000,002,022 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\16Watch Btvguide.url
[2013/06/21 14:10:21 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\johnt\Desktop\winsockxpfix.exe
[2013/06/21 13:06:46 | 000,038,028 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\winsock_xp_fix.html
[2013/06/20 12:29:38 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\SystemToolsDailyTest.job
[2013/06/20 12:29:31 | 000,000,520 | ---- | M] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
[2013/06/19 12:54:25 | 000,377,856 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\voxmlicm.exe
[2013/06/18 16:27:55 | 000,000,678 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Dictionary and Thesaurus - Merriam-Webster Online.url
[2013/06/18 15:13:55 | 002,145,792 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go jun 18.wps
[2013/06/18 15:00:39 | 005,081,021 | R--- | M] (Swearware) -- C:\Documents and Settings\johnt\Desktop\ComboFix.exe
[2013/06/17 18:11:44 | 000,001,833 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\10 imdb movies.url
[2013/06/17 15:47:21 | 000,000,461 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\Geek to Go Jun 17.url
[2013/06/17 12:15:51 | 000,000,439 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\9 Cnet.url
[2013/06/16 20:07:03 | 000,074,703 | ---- | M] () -- C:\WINDOWS\System32\mfc45.dat
[2013/06/16 19:44:04 | 001,059,558 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Computer Technical Info.nfo
[2013/06/16 16:18:07 | 000,503,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/06/16 16:18:07 | 000,088,884 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/06/15 18:24:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnt\Desktop\OTL.exe
[2013/06/15 01:14:05 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\11 Knowing.url
[2013/06/12 20:11:12 | 000,005,762 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\% % movie jun 12 RBkkAq.html
[2013/06/09 22:45:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2013/06/09 22:33:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/09 10:31:51 | 000,000,346 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\Unable to uninstall PC Tools Utilities Product.url
[2013/06/08 15:26:38 | 000,000,082 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\CCleaner reg backup cc_20130608_152607.reg
[2013/06/08 03:46:47 | 000,000,393 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Google AdvUSA.url
[2013/06/06 21:42:14 | 000,010,617 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\a07kyxersblo.htm
[2013/06/05 23:11:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\johnt\defogger_reenable
[2013/06/05 22:40:27 | 000,002,556 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\MajorGeeks cleanup jun 5 steps.rtf
[2013/06/04 02:58:59 | 000,000,357 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\My Documents.lnk
[2013/06/03 15:59:40 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\% a may 20 bootkit zeroaccess repair ltr jun 3 wpad.rtf
[2013/06/03 00:34:37 | 000,165,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/06/02 18:02:24 | 000,000,373 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\8 Mercola Archive.url
[2013/06/02 14:47:41 | 000,740,309 | ---- | M] () -- C:\Documents and Settings\johnt\My Documents\Gold Star button removal.mht
[2013/05/31 11:15:37 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics Disk Defrag.lnk
[2013/05/31 11:09:49 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner.lnk
[2013/05/27 20:04:27 | 000,001,094 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Options.lnk
[2013/05/27 20:00:56 | 000,000,541 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\All Docs.lnk
[2013/05/27 19:57:12 | 000,001,699 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/05/27 19:55:39 | 000,000,557 | ---- | M] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Paint Docs.lnk
[2013/05/27 19:48:52 | 000,001,533 | ---- | M] () -- C:\Documents and Settings\johnt\Desktop\4 Comcast.url
[2013/05/26 14:51:49 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI

========== Files Created - No Company Name ==========

[2013/06/23 22:29:47 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go scan and reply jun 23 2013.wps
[2013/06/21 13:06:46 | 000,038,028 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\winsock_xp_fix.html
[2013/06/19 12:54:23 | 000,377,856 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\voxmlicm.exe
[2013/06/18 15:07:56 | 002,145,792 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Geeks to Go jun 18.wps
[2013/06/17 15:47:21 | 000,000,461 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\Geek to Go Jun 17.url
[2013/06/16 22:05:14 | 000,158,970 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1614895754-1004336348-725345543-1004-0.dat
[2013/06/16 22:05:11 | 000,158,970 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/06/16 20:07:03 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dat
[2013/06/16 19:55:33 | 000,000,520 | ---- | C] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
[2013/06/16 19:55:32 | 000,000,458 | ---- | C] () -- C:\WINDOWS\tasks\SystemToolsDailyTest.job
[2013/06/16 19:41:16 | 001,059,558 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Computer Technical Info.nfo
[2013/06/13 03:55:21 | 000,098,008 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/06/12 20:11:46 | 000,005,762 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\% % movie jun 12 RBkkAq.html
[2013/06/09 17:09:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/06/09 17:09:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/06/09 17:09:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/06/09 17:09:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/06/09 17:09:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/06/09 10:31:51 | 000,000,346 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\Unable to uninstall PC Tools Utilities Product.url
[2013/06/08 15:26:38 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\CCleaner reg backup cc_20130608_152607.reg
[2013/06/06 21:42:25 | 000,010,617 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\a07kyxersblo.htm
[2013/06/05 23:11:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\johnt\defogger_reenable
[2013/06/05 22:40:27 | 000,002,556 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\MajorGeeks cleanup jun 5 steps.rtf
[2013/06/04 02:58:59 | 000,000,357 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\My Documents.lnk
[2013/06/03 15:59:40 | 000,000,410 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\% a may 20 bootkit zeroaccess repair ltr jun 3 wpad.rtf
[2013/06/02 18:02:23 | 000,000,373 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\8 Mercola Archive.url
[2013/06/02 14:47:38 | 000,740,309 | ---- | C] () -- C:\Documents and Settings\johnt\My Documents\Gold Star button removal.mht
[2013/05/31 11:15:37 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics Disk Defrag.lnk
[2013/05/30 11:29:45 | 000,000,315 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Advanced Web Search.url
[2013/05/27 19:11:49 | 000,002,022 | ---- | C] () -- C:\Documents and Settings\johnt\Desktop\16Watch Btvguide.url
[2013/05/25 10:48:12 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2013/05/19 13:59:16 | 000,004,334 | ---- | C] () -- C:\Documents and Settings\johnt\ie-guid.reg
[2013/02/16 17:28:59 | 000,109,256 | ---- | C] () -- C:\WINDOWS\System32\EasyHook64.dll
[2013/02/16 17:28:59 | 000,090,824 | ---- | C] () -- C:\WINDOWS\System32\EasyHook32.dll
[2012/08/13 14:19:45 | 000,000,144 | ---- | C] () -- C:\WINDOWS\System32\lkfl.dat
[2012/08/13 14:19:45 | 000,000,128 | ---- | C] () -- C:\WINDOWS\System32\pdfl.dat
[2012/08/13 14:19:45 | 000,000,080 | ---- | C] () -- C:\WINDOWS\System32\ibfl.dat
[2012/05/29 23:45:15 | 000,645,632 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2012/05/29 23:45:15 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2012/05/26 09:47:05 | 000,008,608 | ---- | C] () -- C:\Documents and Settings\johnt\Application Data\wklnhst.dat
[2012/05/12 17:27:23 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 10:49:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/07 04:16:34 | 000,026,128 | ---- | C] () -- C:\WINDOWS\System32\ZABackupXceedCryReg.exe
[2011/09/07 04:16:33 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2011/09/07 04:16:32 | 000,441,705 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
[2011/01/03 12:22:15 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xYQ6vl.dat
[2010/12/08 16:31:57 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\johnt\Cache.db
[2010/07/08 03:43:41 | 000,000,144 | ---- | C] () -- C:\Program Files\Filter On.reg
[2010/07/08 03:39:36 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\johnt\Filter On.reg
[2009/07/12 15:05:01 | 000,056,832 | ---- | C] () -- C:\Documents and Settings\johnt\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/16 17:46:54 | 000,049,244 | ---- | C] () -- C:\Program Files\autoruns.chm

========== ZeroAccess Check ==========

[2009/07/27 05:31:09 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/10/28 19:51:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2011/01/01 22:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cFdMl01832
[2012/10/09 21:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/04/09 13:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFi01845lLaAa01845
[2011/01/14 20:24:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\hIdEa01827
[2011/01/10 17:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iCmEm07003
[2013/06/10 22:56:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2013/06/16 20:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2009/09/06 11:41:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky SDK
[2013/03/02 14:30:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Licenses
[2011/03/24 03:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nOaEiMjOdGp01820
[2012/07/14 14:33:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Utility Kit
[2013/06/16 19:16:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2011/04/06 21:21:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pJo01819pNfLn01819
[2013/02/16 17:29:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Speedbit
[2013/06/06 22:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\StarApp
[2013/06/23 10:20:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/11/13 03:26:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\#ISW.FS#
[2012/03/31 14:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\0 final solutions to America's & world's crises
[2012/07/14 16:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Auslogics
[2012/10/09 21:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Check Point Software Technologies LTD
[2012/08/13 14:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\CheckPoint
[2011/02/16 22:19:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/07/12 15:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\CyberScrub
[2012/05/22 14:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\ElevatedDiagnostics
[2011/12/21 03:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\ieSpell
[2011/01/06 17:29:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\MailFrontier
[2012/07/14 14:33:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\PC Utility Kit
[2013/06/16 19:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\PCDr
[2011/11/19 22:40:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Product_RM
[2012/05/26 09:47:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnt\Application Data\Template

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4AF47A7
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >
  • 0

#18
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You do need to temper the security applications against the ease of use of the system as trying to lock to much down will cause problems especially with cookies and web page speed/ease of use

Defragmentation in reality should never be more than a monthly exercise as the hard drive has a finite number of read/write operations. Generally in the scheme of things they will last out the other computer components, but high read/write operations will cut that down.

If it's not broke don't fix it holds well for drivers but not for other programmes they should be kept updated

All in all the system looks clean now :)

If you only use IE then you can set that to empty the temp files and cookies when the browser closes
  • 0

#19
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy

1. Computer still slow.

2. Two Blue Screen crashes on jun24, 25, 2013.

3. PEV.exe error appears to associate with ComboFix use, will check dates and times this evening.

4. I will be satisfied that Rootkit ZeroAccesss is not in my tcpip stack when it is ran again under your
assistance and it does not indicate that Rootkit ZeroAccesss inserted in tcp/ip stack for months.

5. I added Microsoft .NET Framework 4 to computer since it was required to download Dell's analyzing
programs which identified "serious errors" and other changes as listed below. Listed serious errors since
9/3/12 and earlier below, can't remember, but there were months if not a year without serious errors.

I will do a thorough checking of dates and times of files in Search Companion to determine possible files

causing the serious errors and the Blue Screen crashes (black to me since I set background to None).
2x means error twice for the day.

Serious Errors I'll add changes if they appear associated with errors.

1. faulting application & module pev.exe version 0.0.0.0. 2012: 9/19, 10/31(2x), 11/8 // 2013 5/19 5/24(2x)
2. faulting application iexplore.exe version 8.0.6001.18702 faulting module mshtml.dll
2012 9/5, 10/24 // 2013 6/17/13
3. faulting application nvcplui.exe faulting module nvcpl.dll 2013 5/28 6/17, 19
4. faulting application iexplore.exe version 8.0.6001.18702 faulting module unknown 6/12/13
5. faulting application iexplore.exe version 8.0.6001.18702 faulting module trustchecker.dll 9/12/12
6. faulting application iexplore.exe version 8.0.6001.18702 faulting module kernel.dll 9/3/12
7. faulting application iexplore.exe version 8.0.6001.18702 faulting module jscript.dll 5/17/13
8. faulting application iexplore.exe version 0.0.0.0 faulting module 0.0.0.0 2013 6/18,24,25
9. Blue Screen Crashes 2013 jun 24,25.


Perhaps the loading of Microsoft .NET Framework 4 and/or Dells programs were too much for my computer and caused the crashes

6. My DVD ROM disk tray stopped opening and I always cured this with Command Prompt: chkdsk /r.
I conclude that a system file gets corrupted and prevents drive D from opening. Which files I know not.
But will review chkdsk reports.

No more time today.
Thanks, john
  • 0

#20
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK run Combofix, but allow it to update post the log on completion
  • 0

#21
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy

Computer still infected with Rootkit ZeroAccess inserted in tcp/ip stack.

Computer faster after ComboFix but still slow.
More web sites are showing lack of images.
I'm communicating in Safe Mode with Networking to minimize infection spread by ZeroAccess. Lots of Black Screen after combo completed, actual scanning of stages 1 to 50 took about 23 min. Combo recommends second scan if unable to connect to web. But since I experienced longer Black Screen, I'm getting paranoid of shutdown.

Is running ComboFix in Safe Mode with Networking better than Normal mode?

Possible infection of all Restore Points. Should I restore to an earlier Point? Earliest is Jun 14 before the two Black Screen Crashes I recovered from in Safe Mode and other serious errors on jun 17 to 25, see list on my jun 26 response? Or are all my Points infected?

Nothing has eliminated ZeroAccess, it's well hidden.

If I run a Restore Point with errors in it "after doing sfc and chkdsk" does the restore change any correction made by the sfc and chkdsk?

Should I run another two ComboFix scans in Safe Mode with Networking or it a waste of time? enough of my inexperience yacking.

Today's ComboFix

ComboFix 13-06-08.02 - johnt 06/09/13 18:33:35.1.1 - x86
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Privacy Suite RiskMonitor - (no file)
HKLM-Run-ISW - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-09 18:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-09 18:58:19
ComboFix-quarantined-files.txt 2013-06-10 01:58
.
Pre-Run: 23,599,026,176 bytes free
Post-Run: 23,670,849,536 bytes free
.
- - End Of File - - 183B9FCEB175422EA4CFD4307BCB4C3F
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/09/13 19:21:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1298 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-09 19:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-09 19:48:06
ComboFix-quarantined-files.txt 2013-06-10 02:48
ComboFix2.txt 2013-06-10 01:58
.
Pre-Run: 23,646,531,584 bytes free
Post-Run: 23,687,942,144 bytes free
.
- - End Of File - - 73D4F5BD54E0A576DC398857118D843F
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 1:56.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1328 [GMT -7:00]
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-10 02:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-10 02:21:25
ComboFix-quarantined-files.txt 2013-06-10 09:21
ComboFix2.txt 2013-06-10 02:48
ComboFix3.txt 2013-06-10 01:58
.
Pre-Run: 23,660,453,888 bytes free
Post-Run: 23,661,826,048 bytes free
.
- - End Of File - - 0FD37415ADD2D211D072348053B019CD
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 11:41:53.4.1 - x86
Running from: c:\documents and settings\johnt\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-10 12:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-10 12:07:05
ComboFix-quarantined-files.txt 2013-06-10 19:06
ComboFix2.txt 2013-06-10 09:21
ComboFix3.txt 2013-06-10 02:48
ComboFix4.txt 2013-06-10 01:58
.
Pre-Run: 23,641,251,840 bytes free
Post-Run: 23,642,259,456 bytes free
.
- - End Of File - - B97C7BE428FFF87B2BE067122F439B8E
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 12:49:05.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1294 [GMT -7:00]
Running from: c:\documents and settings\johnt\desktop\combofix.exe
Command switches used :: /killall
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:21 . 2006-11-29 20:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2013-05-29 06:21 . 2006-09-28 23:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2013-05-29 06:21 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2013-05-21 11:34 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-08-30 738984]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-10 13:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(556)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'lsass.exe'(612)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'explorer.exe'(2620)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\progra~1\CheckPoint\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(512)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\CheckPoint\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2013-06-10 13:28:25 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-10 20:28
ComboFix2.txt 2013-06-10 19:07
ComboFix3.txt 2013-06-10 09:21
ComboFix4.txt 2013-06-10 02:48
ComboFix5.txt 2013-06-10 19:33
.
Pre-Run: 23,661,428,736 bytes free
Post-Run: 23,660,019,712 bytes free
.
- - End Of File - - BA0086FBE87170E498D79F9F3D05E899
8F558EB6672622401DA993E1E865C861
ComboFix 13-06-08.02 - johnt 06/10/13 14:10:45.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1296 [GMT -7:00]
Running from: c:\documents and settings\johnt\desktop\combofix.exe
Command switches used :: /killall
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2013-05-10 to 2013-06-10 )))))))))))))))))))))))))))))))
.
.
2013-06-08 21:29 . 2013-06-08 21:29 -------- d-----w- c:\program files\Safer Networking
2013-06-08 21:23 . 2013-06-08 21:23 4333832 ----a-w- c:\program files\filealyz-2.0.5.57.exe
2013-06-07 05:09 . 2013-06-07 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\StarApp
2013-06-07 05:08 . 2013-06-10 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-31 19:00 . 2013-06-03 12:16 -------- d-----w- C:\State Farm 2013 Auto Accident
2013-05-29 06:22 . 2007-04-05 01:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-05-29 06:22 . 2007-03-15 23:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2013-05-29 06:22 . 2007-03-12 23:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2013-05-29 06:22 . 2007-01-24 22:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2013-05-29 06:22 . 2006-12-08 19:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2013-05-29 06:17 . 2013-05-29 07:40 -------- d-----w- c:\windows\Logs
2013-05-26 23:43 . 2013-05-26 23:43 -------- d-----w- c:\windows\ERUNT
2013-05-21 11:34 . 2013-05-21 11:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-21 11:34 . 2013-05-21 11:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-19 20:59 . 2013-05-19 23:02 4334 ----a-w- c:\documents and settings\johnt\ie-guid.reg
2013-05-16 21:56 . 2013-05-16 21:56 -------- d-----w- c:\program files\MSXML 4.0
2013-05-14 03:02 . 2013-05-20 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-05-14 00:10 . 2013-05-14 00:10 1898001 ----a-w- C:\may 13.exe
2013-05-13 23:29 . 2013-05-13 23:29 -------- d-----w- c:\documents and settings\Administrator.JOHN-F8EF23E355.000\Application Data\CyberScrub
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-27 12:10 . 2012-11-13 09:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-27 12:10 . 2012-11-13 09:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 11:33 . 2012-06-17 22:20 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-21 11:33 . 2010-04-18 19:07 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-16 22:17 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 10:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-07-08 10:43 . 2010-07-08 10:43 144 ----a-w- c:\program files\Filter On.reg
2009-08-30 23:59 . 2009-08-11 22:41 661864 ----a-w- c:\program files\autoruns.exe
2009-08-30 23:59 . 2009-08-11 22:41 553832 ----a-w- c:\program files\autorunsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-08-29 73392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISW"="" [BU]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirpywre.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/03/09 8:29 AM 28544]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [08/14/12 3:36 PM 11352]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [08/30/12 4:03 AM 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [08/30/12 4:03 AM 497320]
R2 ZABackupWebM;ZoneAlarmBackup WebManager;c:\program files\ZoneAlarmBackup\ZABackupWebM.exe [09/07/11 4:16 AM 124432]
R2 ZoneAlarmBackup Service;ZoneAlarmBackup Service;c:\program files\ZoneAlarmBackup\ZABackup Service.exe [09/07/11 4:16 AM 149008]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [08/30/12 4:03 AM 36784]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [08/11/11 4:38 PM 116608]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [08/04/04 3:00 AM 14336]
S4 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [11/06/09 7:27 PM 8960]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [07/22/11 9:27 AM 12880]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/17/10 11:15 AM 12872]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [07/12/11 2:55 PM 67664]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
2012-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-13 00:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-10 14:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(516)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'lsass.exe'(572)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(492)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\CheckPoint\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2013-06-10 14:44:42 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-10 21:44
ComboFix2.txt 2013-06-10 20:28
ComboFix3.txt 2013-06-10 19:07
ComboFix4.txt 2013-06-10 09:21
ComboFix5.txt 2013-06-10 20:54
.
Pre-Run: 23,645,429,760 bytes free
Post-Run: 23,640,039,424 bytes free
.
- - End Of File - - 0AF72E476C3F334FCBE689584DD1425C
8F558EB6672622401DA993E1E865C861

Edited by johneangel, 27 June 2013 - 10:42 AM.

  • 0

#22
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I think combofix is hitting on a false positive here as the TCPIP has been reset to default, and there are no other indications of ZA at all

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop ( it will be randomly named )

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.
Posted Image
Posted Image

Do not close AVPTool or it will self uninstall, if it does uninstall - - then just rerun the setup file on your desktop

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

Posted Image
  • 0

#23
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy

Ran Kaspersky Scan: It reported: "Scan of 62,027 objects completed, no threats detected"
Forgot to save and attached report. Maybe the above sentence was the report since no malware.
Scan took over about 4 hours! ZoneAlarm uses Kaspersky.

Also, I use zaes advanced secure browser settings:
Check file downloads for spyware.
Enable: site status check; anti-phishing (heuristics) & anti-phishing (signature).
Block programs that secretly record your keystrokes - Only in allegedly secure sessions (https).
I'll change to Always(may conflict with some web sites & programs) when watching tv, movies.
Zonealarm used to scan files for malware when opened & closed. Don't know if it still does.

Ran Kaspersky's Gather System Information, but couldn't find "last report saved".
I'm assuming "last report saved" is available once I select Step 2 of Manual Disenfection.
But I don't want to chance losing files or messing up.
Please advise assumption is correct ASAP since I'll keep Kaspersky on desktop.
"Press the Gather System Information button
Once done Open the last report saved folder then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip"

Searched, found at: C:\Documents and Settings\your name\Local Settings\temp\8138526\LOG\
A zip archive. Can't copy a zip archive.

On yesterday's post, the ComboFix log is incomplete. It contains logs from some recent scans, but not
of the scan ran yesterday. Somehow I lost it. I'll run another CF scan after we complete the current
cleaning. I numbered the logs in Qoobox, perhaps this modificationis caused problems, usually warned when "not to change" a folder's name.

john

Edited by johneangel, 28 June 2013 - 03:58 PM.

  • 0

#24
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy

I clicked 2nd step, Report Sending which opened Log file: avptool_sysinfo made at 12:40 at: C:\DOCUME~1\myname\LOCALS~1\Temp\8138526\LOG

Can't find any "last report saved folder".

Don't know what to open the log file with: 7-Zip File Manager, Compressed(zipped)folders or Notepad.

Opened with Notepad and saved both files. But they wouldn't Attach.

Attached avz_sysinfo.xml but it looks useless.
Wouldn't download avz_sysinfo.html

Don't know how to attach these files and don't understand instructions.
I have 7-Zip but don't know how to use it.

I'll keep Kaspersky open until I heard from you

Help would be appreciated.

john

Attached File  avz_sysinfo.xml   45.52KB   31 downloads

Edited by johneangel, 28 June 2013 - 07:54 PM.

  • 0

#25
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Where did you run AVP from ?

The file I am after is the HTML one, you should be able to attach the entire zip. Based on the AV report there is no infection
  • 0

Advertisements


#26
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy

Did exactly as you directed which I could have misunderstood.
I right clicked the red "Here" which popped up the "Save As" window.
Lf clicked Desktop, didn't change the name of the file which was "AVPTool", not randomly named.
And clicked "Save".

I was tired and not thinking too much. I probably should have changed the name to Hot Water, but didn't.
Some of your directions are not easy to follow. I know that virus programs can scan the desktop and other places to stop valid cleaning programs from running, that's why you use a random name for saving on desktop.
Your directions is faulty, incorrect. Correct so that another customer does get messed up.

Concerning the easily attached file: I searched and found the file location. Browsed to it, clicked it once and nothing happened. Next, clicked it twice and two files would open, but nothing would attach. I next double clicked slowly and the single zip file attached. Didn't realize you have to click slowly. Yes it is easy once you have done it. But it crapola if you don't do it right.

Where in the h..l is the "last report saved" folder? Follow your own directions and then write and tell me how to do it correctly.

Tired and ain't going to proof read.

john

Attached File  avptool_sysinfo.zip   21.83KB   27 downloads
  • 0

#27
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi I have just downloaded and run AVP tool on my system and it downloaded as setup_11.0.0.1245.x01_2013_06_29_14_12 The analysis file was also in the correct location as a Zip file

I can find no indication at all of Zero Access on your computer
  • 0

#28
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy

Computer approaching peak performance. Thanks.

I now know why my computer shows things differently. I'm an old man that prefers the Windows Classic style that includes on the left, "Folders" with folder names, and on the right, "Name" with name, size, type, etc of folders and files. The classic style also affects how things are displayed. It's my fault not yours.

I'd still be driving my 1975 Dodge Dart, if a man had not driven thru a stop sign, ran into my driver's side door, moved the car 15 feet, totalling my car.

My computer is now free of malware. You repaired most of the malware damage, but to return computer to it's peak performance the following is required:

1. Run sfc /scannow and chkdsk /r using Dell's Reinstallation CD.
Done and will repeat as required.
2. Remove GTG cleaning programs and other malware removing programs from desktop and computer.
3. Determine cause of serious errors.
4. Run and remove ComboFix per GTG: RUN ComboFix /Uninstall
5. Remove unused and useless programs.
6. Defrag computer.
7. Reinstall IE8 and other programs that may have been corrupted.
8. Reinstall, update ZoneAlarm

Q1. Is dragging and dropping the cleaning programs' *.exe files into the Hunter Mode box of RevoUninstaller safe and thorough enough?

Q2. For logs and non-.exe files I'll drag and drop into CyberScrub using 3 or 7 passes to erase, okay?

Q3. Do I understand your statement correctly?
"Defragmentation in reality should never be more than a monthly exercise as the hard drive has a finite number of read/write operations."
Erasing files even with 35 passes doesn't make erased space reuseable.

Thanks for your patience,
john
  • 0

#29
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Q1. Is dragging and dropping the cleaning programs' *.exe files into the Hunter Mode box of RevoUninstaller safe and thorough enough?

For standard programmes, yes :)

Q3. Do I understand your statement correctly?
"Defragmentation in reality should never be more than a monthly exercise as the hard drive has a finite number of read/write operations."
Erasing files even with 35 passes doesn't make erased space reuseable.

Not quite the space is re-usable however, continual defrags reduce the MTF (mean time between failure)



Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the "x" and "/")
    then click OK

    Posted Image
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Posted Image Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave:
  • 0

#30
johneangel

johneangel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Essexboy

Thanks for accepting my apology.

In order to see, display repairs as you do I'm will make the following temporary security changes to Internet Properties and ZoneAlarm prior to booting up and signing into GTG. If still not seeing what you see and advise, I'll changing Windows Classic style to Modified or another style downloaded from Mircrosoft.

I will hold off performing your directions until I have answers to the below questions.

Q1 Am I vulnerable to hackers and malware if I only bootup, go to GTG and sign in? I ask since some changes to ZoneAlarm require booting up to activate changes made. I would be without some items of security proteciton.

Q2 Are different statuses of web connection indicated by different patterns of blinking of the two tiny computer screens in the icon in the Notification area? That I'm could be receiving communications, some accepted, some blocked, some hacking? Assume both tiny screens lit mean solid incoming and/or outgoing traffic? Is blinking of upper tiny screen indicating incoming? lower outgoing? Couldn't find web info.

TEMPORARY SECURITY CHANGES TO BE MADE BEFORE BOOTING UP AND SIGNING INTO GTG - Internet Properties

1. Internet Options- Privacy- Settings: "Accept All Cookies"
(My setting: Default, Medium High, High or Block All Cookies)

2. Internet Options- Privacy- Pop-up Blocker- Settings: "Low: Allow pop-ups from secure sites"
(My setting: Medium or High)

3. Internet Options- Security- Trusted Sites- Security level for this zone- Allowed level for this zone: All- Low (----Appropriate for sites you absolutely trust)
(My setting: ------Trusted Sites- Security Allowed level for this zone: All - Medium)
(My setting: ------Internet - Security Allowed level for this zone: All - Medium)

Confusion: But Trusted Sites settings are for https connection which appears absent with GTG. I get a pop-up saying "You are leaving a secured site" which confuses me in that I see a http address, not a https address shaded pink or green like when connected with Dell.

Low setting for Internet and for Trusted sites are different.
Internet low: "Unsigned ActiveX controls will not be downloaded. Have to go into Custom level... to allow unsigned ActiveX in Internet. Necessary?

Q3 Is connection with GTG a highly secured https connection? No color nor https. Can I absolutely trust GTG?
Or there is no https connection with GTG so I need to temporarily change things in the Internet Zone using Custom level... access? Don't know what to change or are no changes necessary? Allow unsigned ActiveX, etc?

-------------------------
TEMPORARY SECURITY CHANGES TO BE MADE BEFORE BOOTING UP AND SIGNING INTO GTG - ZoneAlarm

Q4 Saw in ComboFix log:

"FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active"

Does Resident AV mean that resident Anti-Virus program is active? ZoneAlarm uses Kaspersky.

Q5 Do I exit ZoneAlarm, no rebooting required? or Just disable the below which requires rebooting?
Both leave ZA files in Task Managers' Processes.

WEB PROTECTION
Enable site status check Enabled
anti-phishing (heuristics) Enabled
Enable anti-phishing (signature) Enabled

ADVANCED DOWNLOAD PROTECTION
Check file downloads for spyware Enabled

ANTI-KEYLOGGER
Scan for spyware that watches you surf. Enabled

Block programs that secretly record your keystrokes
Only in allegedly secure sessions (https) Enabled
Always Not Enabled

VIRTUALIZATION
Enable vitualization Not Enabled
Virtualization uses encryption and emulation to prevent malicious programs from reaching your computer.
---------------------

I know, too much. But need to understand and see and what you see.

john
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP