Tisaerv Activity, Rootkit infection [Solved]


  • This topic is locked

#16
Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Hello gstrom99. I'd like to upload a few files to see if they are malicious or not. That's it for now. Try testing your computer and see if there are still symptoms.

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

  • Go to this site
  • Click the browse button on the top of the page
  • Navigate to this file C:\WINDOWS\system32\USB_RNDIS_XP.dll and click the open button
  • Click the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button
  • Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Now repeat the above instructions for these files:
C:\WINDOWS\system32\UWProSys.dll
C:\WINDOWS\system32\mcrdsvc.dll


Things to see in your next post:
Virscan upload results
computer status

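A way to carry out the check requested above from the analyst side, as an added example that is not part of Crag_Hack's instructions and not the scanner's own tooling. Only the three file names are taken from the post; the search roots and the output shape are assumptions. It searches a directory tree for the names case-insensitively (NTFS matches names that way, so a log may show a different case from the directory listing) and hashes every match in chunks, so the SHA-256 can be looked up on a multi-engine scanner instead of re-uploading the file; a name that is absent from every tree comes back as an empty list rather than an error, since "the file is not there" is itself a result the helper needs to see.

```python
"""Locate the files a helper asked to have scanned, and hash them so the
result can be looked up on a multi-engine scanner instead of re-uploading."""
import hashlib
import os

# File names from the request in this thread; the search roots are assumed.
REQUESTED = ["USB_RNDIS_XP.dll", "UWProSys.dll", "mcrdsvc.dll"]


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def locate(names, roots):
    """Case-insensitive search of each root tree for the requested names.
    Returns {requested name: [full paths]}; absent names map to []."""
    wanted = {n.lower(): n for n in names}
    found = {n: [] for n in names}
    for root in roots:
        # os.walk skips directories it cannot read instead of raising.
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                key = fn.lower()
                if key in wanted:
                    found[wanted[key]].append(os.path.join(dirpath, fn))
    return found


def report(names, roots):
    """{name: [(path, size_in_bytes, sha256)]}; [] when the name is absent
    from every root, which is a meaningful answer rather than an error."""
    out = {}
    for name, paths in locate(names, roots).items():
        out[name] = [(p, os.path.getsize(p), sha256_of(p)) for p in paths]
    return out


if __name__ == "__main__":
    # On the affected machine this would be report(REQUESTED, [r"C:\WINDOWS"]);
    # here the Windows directory is taken from the environment when present.
    roots = [os.environ.get("SystemRoot", ".")]
    for name, hits in report(REQUESTED, roots).items():
        if not hits:
            print(f"{name}: not found under {roots}")
        for path, size, digest in hits:
            print(f"{name}: {path} {size} bytes sha256={digest}")
```

Searching the whole system root rather than only system32 matters here: a file that has been moved by a cleanup tool, or that lives in a subdirectory such as dllcache, would otherwise be reported as missing when it is still on disk.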

#17
gstrom99 (Topic Starter, Member, 19 posts)
The system must sit for 5 mins or more to "stabilize?" for the browser to work and other files to open. Once this happens, it seems to run OK.

I thought I had Norton virusscan completely off, but it wasn't and ran a scan and says it found and fixed a virus in Combofix.exe(!). Norton found Trojan.ADH.2 in Combofix.exe

ComboFix was downloaded from the link you provided. What is that about?

Regarding your last instructions: My system does not have any of the three .dll files you requested, in Windows\system32 or anywhere else.

Gary

#18
Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
The combofix.exe detection is what's called a false positive where code that looks malicious according to the virus scanner is picked up when in fact it's not malicious. Nothing to worry about. Is your system still hanging during shutdown? How about the control panel thing? I will get back to you with further instructions tomorrow.

#19
Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Oh and one more thing ... are you waiting for the system to stabilize for 5 minutes upon a fresh boot of the computer? If so how long did the computer take to boot before this whole episode?

#20
gstrom99 (Topic Starter, Member, 19 posts)
Since Norton went ahead and fixed the "false positive" without any input from me, will combofix still work, if I need to re-run it? Or, will I need to re-download it?

From what I can see, once the pc is "stabilized" - 5 minutes or so..., the browser opens up fine, control panel and other processes seem to function fine, and it shuts down fine also.

I'm one of those guys that "shuts down" every night.

Before the infection, I could open up the browser and the internet almost right away after startup, even before Norton and other processes were done loading.

Thanks.

Gary

#21
Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)
Hi gstrom99. We will now run a utility called GMER to search for nasty malware. We will also do an OTL scan. But first a couple of questions - how much longer do you have on your Norton subscription? Norton is a resource hog and can slow down your computer, so I would recommend switching to a free antivirus that uses less system resources. Also, don't worry about Combofix for now, but yes, if we need it you will have to redownload it. One more thing - are you familiar with hibernation? It saves the contents of memory to the hard drive and then shuts down the computer. The next time you boot the computer it retrieves the memory contents from the hard drive, which takes considerably less time than a cold boot. Let me know if you want me to explain how to use hibernation. Please do the following:

Step 1

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Step 2

  • Run OTL
  • Click the Quick Scan button. Post the log it produces in your next reply as well.

Things to see in your next post:
GMER log
OTL log

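What to look at in the log GMER produces, as an added example that is not part of Crag_Hack's instructions and not GMER's own tooling. GMER prints a hook line as `.text <process>[<pid>] <module>!<export> <address> <n> Bytes JMP <target>`, and appends a file path with its description and company only when it can map the JMP target to an image loaded in that process; a hook that lands in memory backed by no file on disk is printed with the bare target address. That distinction is the first triage cut: hooks attributed to a product's own DLL are that product's doing, while unattributed targets are code someone allocated and wrote into the process, which is exactly what both injected malware and a security suite's user-mode hooks look like, and why the caution above says not to act on entries without advice. The sample log below is a constructed excerpt in the format of the GMER 1.0.15 log posted later in this thread; the verdict names and the 64 KiB grouping of targets are this example's own choices.

```python
"""Triage a GMER log: tell hooks GMER attributed to a mapped file apart from
hooks whose JMP target lies in memory that belongs to no file on disk."""
import re
from collections import Counter

# Constructed excerpt in the format of the GMER 1.0.15 log posted in this
# thread (a handful of its lines, format unchanged).
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-01 20:37:02

---- System - GMER 1.0.15 ----

SSDT 86F908A0 ZwConnectPort
SSDT 873360B8 ZwLoadDriver

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0206003A
.text C:\Program Files\internet explorer\iexplore.exe[2732] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 020603D2
.text C:\Program Files\internet explorer\iexplore.exe[2732] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] ole32.dll!CoImpersonateClient + 51 77515200 7 Bytes JMP 0206053E

---- EOF - GMER 1.0.15 ----
"""

# ".text <process>[<pid>] <module>!<export>[ + <offset>] <addr> <n> Bytes JMP
#  <target>[ <file> (<description/company>)]" - the file suffix is optional.
USER_HOOK = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s+\+\s+(?P<offset>[0-9A-F]+))?\s+"
    r"(?P<address>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<target_module>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# "SSDT <addr> <Zw service>": a kernel service-table entry whose target GMER
# printed as an address only, without resolving it to a driver file.
SSDT_HOOK = re.compile(r"^SSDT\s+(?P<address>[0-9A-F]{8})\s+(?P<service>\S+)\s*$")


def parse_gmer(text):
    """Return one dict per recognised hook line, in log order."""
    hooks = []
    for line in text.splitlines():
        m = USER_HOOK.match(line)
        if m:
            d = m.groupdict()
            d.update(kind="user", pid=int(d["pid"]), size=int(d["size"]))
            hooks.append(d)
            continue
        m = SSDT_HOOK.match(line)
        if m:
            hooks.append({"kind": "ssdt", "address": m["address"],
                          "service": m["service"], "target_module": None,
                          "vendor": None})
    return hooks


def verdict(hook):
    """Verdict names are this example's own, not GMER's."""
    if hook["kind"] == "ssdt":
        return "ssdt"                 # kernel entry redirected, driver not shown
    if not hook["target_module"]:
        return "unattributed"         # target backed by no file: injected code
    if not hook["vendor"]:
        return "no-version-info"      # mapped file, but it carries no description
    return "attributed"               # target inside a named, described module


def triage(text):
    rows = parse_gmer(text)
    for r in rows:
        r["verdict"] = verdict(r)
    return rows


def summarize(rows):
    return Counter(r["verdict"] for r in rows)


def unattributed_targets(rows):
    """Group unattributed JMP targets by (pid, 64 KiB region) so hooks that
    land in one allocation show up as one injected blob, not N findings."""
    regions = {}
    for r in rows:
        if r["verdict"] == "unattributed":
            region = int(r["target"], 16) & ~0xFFFF
            key = (r["pid"], f"{region:08X}")
            regions.setdefault(key, []).append(f'{r["module"]}!{r["export"]}')
    return regions


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    print(dict(summarize(rows)))
    for (pid, region), exports in unattributed_targets(rows).items():
        print(f"pid {pid}: region {region} hooks {', '.join(exports)}")
```

Run against the full log in the thread, the same grouping puts every unattributed hook in iexplore.exe[2732] into one region, which is the question to answer next (what allocated that region: a product already on the machine, or something that should not be there), rather than treating each hooked export as a separate finding.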

#22
gstrom99 (Topic Starter, Member, 19 posts)
I've got a year and some left on my Norton subscription, so I'm committed to them for awhile. I've been OK with it until it let this problem in... It never slowed it down too much, but when it's up I will go with something else, like Kaspersky (sp?).

I am aware of the Hibernation function and do use it, at times.

No errors or issues running these. Here are the logs:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-01 20:37:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.8.16
Running: gmer.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\kxtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT 86F908A0 ZwConnectPort
SSDT 873360B8 ZwLoadDriver

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF7378340, 0xFD9DF, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012300, 0x2342C0, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0206003A
.text C:\Program Files\internet explorer\iexplore.exe[2732] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 020600F7
.text C:\Program Files\internet explorer\iexplore.exe[2732] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 020603D2
.text C:\Program Files\internet explorer\iexplore.exe[2732] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 020601B0
.text C:\Program Files\internet explorer\iexplore.exe[2732] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0206031C
.text C:\Program Files\internet explorer\iexplore.exe[2732] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 02060488
.text C:\Program Files\internet explorer\iexplore.exe[2732] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 02060266
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] ole32.dll!CreateBindCtx + B5F 774FF15F 7 Bytes JMP 020605F8
.text C:\Program Files\internet explorer\iexplore.exe[2732] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2732] ole32.dll!CoImpersonateClient + 51 77515200 7 Bytes JMP 0206053E
.text C:\Program Files\internet explorer\iexplore.exe[2732] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\internet explorer\iexplore.exe[2732] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\internet explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device EB499D20

AttachedDevice FLTMGR.SYS (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 3/1/2012 8:37:43 PM - Run 3
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\Gary\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 401.40 Mb Available Physical Memory | 39.24% Memory free
2.14 Gb Paging File | 1.76 Gb Available in Paging File | 81.99% Paging File free
Paging file location(s): C:\pagefile.sys 1268 1636 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 60.94 Gb Free Space | 81.85% Space Free | Partition Type: NTFS

Computer Name: RACERX | User Name: Gary | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\OTL.exe
PRC - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NTIDrvr)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (FA312)
SRV - File not found [Auto | Stopped] -- -- (AVCamUSB20)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe -- (NAV)
SRV - [2008/01/29 15:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) [Auto | Running] -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe -- (EarthLinkMonitor)
SRV - [2003/03/03 12:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2012/02/03 20:42:16 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/03 20:42:16 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/01 18:14:49 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/12/15 17:33:22 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120229.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/11/30 20:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120215.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/11/23 20:23:47 | 000,905,336 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMEFA.SYS -- (SymEFA)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIM)
DRV - [2011/11/23 19:50:26 | 000,574,584 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SRTSP.SYS -- (SRTSP)
DRV - [2011/11/23 19:50:26 | 000,032,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/11/16 21:37:59 | 000,388,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/11/16 21:17:48 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\Ironx86.SYS -- (SymIRON)
DRV - [2011/11/04 17:59:35 | 000,132,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\ccSetx86.sys -- (ccSet_NAV)
DRV - [2011/09/29 00:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120301.001\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/29 00:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120301.001\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/25 20:18:35 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMDS.SYS -- (SymDS)
DRV - [2004/11/01 14:16:34 | 000,017,536 | R--- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BW2NDIS5.SYS -- (BW2NDIS5)
DRV - [2004/08/03 21:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 21:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 21:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 21:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 21:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 21:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 21:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 21:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 21:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 21:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2003/05/14 13:42:58 | 000,013,920 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmHidLo.sys -- (WmHidLo)
DRV - [2003/05/14 13:42:56 | 000,021,216 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmFilter.sys -- (WmFilter)
DRV - [2003/05/14 13:42:50 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmBEnum.sys -- (WmBEnum)
DRV - [2003/05/14 13:42:48 | 000,005,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmVirHid.sys -- (WmVirHid)
DRV - [2003/05/14 13:42:44 | 000,044,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmXlCore.sys -- (WmXlCore)
DRV - [2002/11/08 12:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/10/18 03:06:28 | 000,842,128 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\winachcf.sys -- (Winachcf)
DRV - [2001/08/17 12:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 11:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\IPSFFPlgn\ [2012/02/01 17:49:31 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/02/29 19:28:24 | 000,440,678 | R--- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15173 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (IE_PopupBlocker Class) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll (Propel Software Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} http://employees.old...om/v4rdpchk.cab (v4 silent install)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg...l_v1-0-3-48.cab (EPUImageControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1120313456515 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook....ls/contactx.dll (ContactExtractor Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1126533491875 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: NameServer = 207.69.188.185,207.69.188.186
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/29 21:50:40 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Gary\Recent
[2012/02/29 19:26:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/02/28 22:25:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2012/02/26 20:11:39 | 002,062,896 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Gary\Desktop\tdsskiller.exe
[2012/02/26 20:11:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/02/26 19:47:02 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/02/23 17:58:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/23 17:56:19 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/23 17:56:19 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/23 17:56:19 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/23 17:56:19 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/23 17:56:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/23 17:55:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/23 17:55:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/02/23 09:21:25 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Gary\Desktop\aswMBR.exe
[2012/02/23 08:28:05 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/19 14:57:18 | 000,032,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\FixZeroAccess.sys
[2012/02/16 21:29:52 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\OTL.exe
[2012/02/16 19:29:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/02/15 17:41:41 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/15 17:38:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\My Documents\New Folder
[2012/02/13 22:27:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/13 22:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/13 22:07:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\NPE
[2012/02/13 22:06:23 | 002,804,808 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/09 19:26:47 | 000,000,000 | ---D | C] -- C:\Program Files\ioDesktop
[2012/02/04 11:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\Deployment
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/01 20:11:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/03/01 19:44:56 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\gmer.zip
[2012/03/01 17:26:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/03/01 17:26:03 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/29 21:59:03 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2012/02/29 19:28:24 | 000,440,678 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2012/02/29 18:30:07 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/02/28 22:25:46 | 000,799,962 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\Cat.DB
[2012/02/28 21:57:50 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\Norton Installation Files.lnk
[2012/02/27 17:28:12 | 000,004,782 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1305000.091\VT20111023.024
[2012/02/26 21:34:51 | 000,000,376 | -HS- | M] () -- C:\WINDOWS\0178013drv.spi
[2012/02/26 20:43:54 | 122,325,856 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\setup_11.0.0.1245.x01_2012_02_27_05_03.exe
[2012/02/26 19:54:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120229-192824.backup
[2012/02/26 19:47:30 | 002,062,896 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Gary\Desktop\tdsskiller.exe
[2012/02/23 09:23:15 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\MBR.dat
[2012/02/23 09:21:33 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Gary\Desktop\aswMBR.exe
[2012/02/19 14:57:18 | 000,032,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\FixZeroAccess.sys
[2012/02/19 14:34:15 | 000,002,451 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2012/02/19 11:11:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\OTL.exe
[2012/02/16 20:27:26 | 000,000,210 | ---- | M] () -- C:\Boot.bak
[2012/02/15 22:27:54 | 000,110,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/15 22:25:37 | 000,443,334 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/02/15 22:25:37 | 000,072,496 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2012/02/14 21:52:55 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\Microsoft Word (2).lnk
[2012/02/13 22:32:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/13 22:06:23 | 002,804,808 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/12 08:48:55 | 000,000,388 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\EarthLink Web Mail.url
[2012/02/09 19:26:47 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ioDesktop.lnk
[2012/02/07 22:40:02 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\SpywareBlaster.lnk
[2012/02/02 20:27:57 | 000,446,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120210-181522.backup
[2012/02/02 20:08:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/02 17:20:52 | 000,001,896 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2012/02/01 18:14:49 | 000,141,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2012/02/01 18:14:49 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2012/02/01 18:14:49 | 000,007,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2012/02/01 18:14:49 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/01 19:44:51 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Gary\Desktop\gmer.zip
[2012/02/26 21:34:45 | 000,000,376 | -HS- | C] () -- C:\WINDOWS\0178013drv.spi
[2012/02/26 20:51:02 | 122,325,856 | ---- | C] () -- C:\Documents and Settings\Gary\Desktop\setup_11.0.0.1245.x01_2012_02_27_05_03.exe
[2012/02/23 17:58:58 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2012/02/23 17:58:56 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/23 17:56:19 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/23 17:56:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/23 17:56:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/23 17:56:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/23 17:56:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/23 09:23:15 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Gary\Desktop\MBR.dat
[2012/02/20 07:59:15 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/13 22:31:59 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/04 11:06:56 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/02/04 11:06:56 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/01/07 07:36:29 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2011/10/23 20:35:59 | 000,308,096 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/10/11 20:21:51 | 000,000,152 | ---- | C] () -- C:\WINDOWS\System32\RSLSP.ini
[2010/10/14 16:42:07 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/09/23 22:05:29 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\fusioncache.dat
[2007/10/15 21:20:13 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/10/26 19:06:41 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2005/05/23 19:38:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Webspace.INI
[2005/05/23 18:42:00 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2005/05/22 10:01:47 | 000,003,137 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/09 16:20:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/10 19:24:35 | 000,001,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\papycpu2.sys
[2004/11/10 19:24:35 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\papyjoy.sys
[2004/11/10 18:29:13 | 000,000,395 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/11/06 08:01:52 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2004/10/27 17:29:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/10/26 19:33:47 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2004/10/26 17:14:11 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JPR.{PB
[2004/10/26 17:14:11 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JCM.{PB
[2004/10/26 17:09:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/10/26 17:06:30 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS58.DLL
[2004/10/26 16:45:52 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/10/13 00:38:55 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/10/13 00:34:57 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/10/13 00:30:58 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/10/13 00:30:56 | 000,000,384 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/10/13 00:26:46 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/10/13 00:13:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/10/13 00:11:14 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/10/13 00:11:10 | 000,443,334 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/10/13 00:11:10 | 000,072,496 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/10/12 23:55:46 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/03/26 16:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/09/03 08:05:08 | 000,110,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 07:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 07:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 07:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 07:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 04:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\ONETW.DRV
[2002/08/29 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2002/03/13 16:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[1999/01/22 12:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2011/02/20 08:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Encore
[2010/01/13 22:00:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Euchre
[2011/10/11 20:49:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/03/23 19:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2012/03/01 19:46:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/10/13 00:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2004/11/02 20:38:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Aim
[2009/12/11 13:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/02/12 18:36:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\com.radioio.ioDesktop.CB8A51FDBDF8B5F2BC25A3DD7F59CC4ED6D8CF65.1
[2008/12/28 12:01:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Earthlink
[2008/02/14 20:28:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\EarthLink Toolbar
[2011/03/01 21:43:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\ElevatedDiagnostics
[2011/02/20 07:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\GetRightToGo
[2012/02/14 22:15:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Hoyle Card Games
[2010/03/07 12:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Hoyle FaceCreator
[2011/02/07 20:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\ieSpell
[2004/10/28 18:29:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\JoiExpress
[2004/10/31 08:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Leadertech
[2011/10/11 20:47:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\NCH Swift Sound
[2010/09/23 07:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Tific
[2012/01/07 09:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Uniblue

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >



  • 0
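The OTL log above is what the helper reads to decide what gets fixed: orphaned service keys, the Winlogon Shell/UserInit values, the O29 SecurityProviders DLL with no company name, toolbars and DPF entries whose CLSID is gone, and the alternate data stream on the TEMP folder. As an added example that is not part of this thread, not OTL's own code and not the helper's tooling, the script below applies those same checks to OTL lines. The sample lines are copied from the log above; the UserInit hijack line is constructed for the example, and the expected Winlogon paths assume a default 32-bit C:\WINDOWS install like the one in the log.

```python
"""Triage the lines of an OTL (OldTimer) log that a malware-removal helper reads first.

Added example for this thread; not OTL's code and not the helper's tooling.
Usage: python otl_triage.py OTL.txt   (with no argument it runs on SAMPLE_LOG)
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- -- (NTIDrvr)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe -- (NAV)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No CLSID value found.
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} Reg Error: Value error. (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
"""

# Constructed line (NOT from the thread): the classic UserInit hijack, a second
# executable appended after the comma so it runs at every logon.
CONSTRUCTED_HIJACK = (
    r"O20 - HKLM Winlogon: UserInit - "
    r"(C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example.exe) - "
    r"C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)"
)

# Assumption: default 32-bit XP layout with %SystemRoot% = C:\WINDOWS.
EXPECTED_WINLOGON = {
    "Shell": r"c:\windows\explorer.exe",
    "UserInit": r"c:\windows\system32\userinit.exe",
}

_SRV_MISSING = re.compile(r"^SRV - File not found \[(.*?)\] -- -- \((.*?)\)$")
_WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (Shell|UserInit) - \((.*?)\) - (.*?) \((.*)\)$")
_SECPROV = re.compile(r"^O29 - HKLM SecurityProviders - \((.*?)\) - (.*?) \((.*)\)$")
_TRAILING_COMPANY = re.compile(r"\(([^()]*)\)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    detail: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL line, or None if the line needs no attention."""
    line = line.strip()
    m = _SRV_MISSING.match(line)
    if m:
        # Service/driver key whose image file is gone: a leftover, not active
        # malware, but exactly what an OTL fix would remove.
        return Finding("info", "orphaned-service", f"{m.group(2)} [{m.group(1)}]")
    m = _WINLOGON.match(line)
    if m:
        key, raw_value, resolved, _company = m.groups()
        # A second path after a comma, or a resolved file that is not the
        # system binary, means something else is started at every logon.
        if "," in raw_value or resolved.lower() != EXPECTED_WINLOGON[key]:
            return Finding("high", "winlogon-hijack", f"{key} = {raw_value}")
        return None
    m = _SECPROV.match(line)
    if m:
        _name, path, company = m.groups()
        # SecurityProviders is a persistence location loaded through the Windows
        # SSPI; a DLL with no version information (empty company) must be
        # verified (multi-engine scan) before it is trusted.
        sev = "high" if not company.strip() else "medium"
        return Finding(sev, "security-provider", f"{path} company={company!r}")
    if line.startswith("O3 ") and line.endswith("No CLSID value found."):
        return Finding("info", "orphaned-toolbar", line.split(" - ")[2])
    if line.startswith("O16 ") and "Reg Error" in line:
        return Finding("info", "orphaned-dpf", line.split()[3])
    if line.startswith("@Alternate Data Stream"):
        # ADS contents never show in a directory listing; inspect what is in it.
        return Finding("medium", "alternate-data-stream", line.split("-> ", 1)[1])
    m = _TRAILING_COMPANY.search(line)
    if line[:3] in ("O2 ", "O4 ") and m and not m.group(1).strip():
        return Finding("medium", "no-company-name", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    hits = [triage_line(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in hits if f is not None]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    order = {"high": 0, "medium": 1, "info": 2}
    found = triage(text)
    for f in sorted(found, key=lambda f: order[f.severity]):
        print(f"[{f.severity:<6}] {f.rule:<22} {f.detail}")
    print(summarize(found))
```

On the sample lines the only "high" hit is the ZWebAuth.dll SecurityProviders entry, which is the same reason the helper asks for unknown system32 DLLs to be uploaded for a multi-engine scan; the Winlogon rule only fires on the constructed hijack line, not on the clean Shell/UserInit values from the log.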

#23
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,839 posts
Hello gstrom99. I think it is time to run some maintenance tasks on your computer to see if it speeds it up. First we will empty your temporary files, then defrag your hard disk, then run chkdsk, and then use msconfig to tune your startup. Please do the following:

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply as well.

Step 2

  • Download MyDefrag from here.
  • Run the downloaded program and follow the instructions to install on your computer
  • Check the Create scheduled tasks for automatic optimization option in the install if you want MyDefrag to automatically defrag at 5 am
  • Run MyDefrag from its start menu entry
  • Select the System Disk Monthly option in the Select a script section
  • Check the disk(s) you want to defrag (C: is probably your main disk)
  • Click the Run button
  • Let the program run unhindered until it finishes

Step 3

  • Go to the start menu
  • Click run
  • Type cmd
  • Press enter
  • Type chkdsk /f /r and press enter
  • Type Y and press enter in the system restart prompt
  • Restart the computer and wait for chkdsk to complete

Step 4

Read this page for instructions on how to use msconfig. This utility will allow you to disable certain programs that start up with your computer. This can speed up your computer. Make sure to ask me if you are not sure whether you need a program to start up with your computer. If you want, you can write down the entries and post them and I will help you figure out which entries to remove.

Things to see in your next post:
OTL Fix log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
OTL.txt
msconfig programs if you want me to help you choose which ones to disable

  • 0
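The [resethosts] command in the post above replaces the hosts file wholesale. In this thread that is a safe call (the log shows a 440,678-byte hosts file, almost certainly a blocklist, shrinking to the 98-byte default with only the two localhost lines), but on another machine it is worth knowing what the file held before it is discarded: a blocklist maps ad and tracker hosts to 127.0.0.1 or 0.0.0.0, while a hijacked file maps update or security-vendor domains to loopback (to block them) or to a routable address (to redirect them). As an added example that is not part of the thread and not OTL's [resethosts], the script below audits a hosts file along those lines. The vendor suffix list and both sample files are constructed for the example.

```python
"""Audit a Windows hosts file before deciding whether to reset it.

Added example for this thread; not OTL's code and not the helper's tooling.
Usage: python hosts_audit.py C:\\WINDOWS\\system32\\drivers\\etc\\hosts
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

CATEGORIES = ("localhost", "blocklist", "redirect", "vendor-blocked", "vendor-redirected")

# Domains malware commonly blocks or redirects; an assumption for the example.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "norton.com",
    "kaspersky.com", "malwarebytes.org", "avast.com",
)

# Constructed sample: blocklist-style file (every entry sinks to loopback/0.0.0.0).
BLOCKLIST_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ad.example-tracker.net
0.0.0.0    banners.example-ads.com   # blocklist entry
"""

# Constructed sample: hijacked file (vendor domains redirected or blocked).
HIJACKED_SAMPLE = """\
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.update.microsoft.com
203.0.113.10    liveupdate.symantec.com
127.0.0.1       www.malwarebytes.org
"""


def _is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify_entry(ip_text: str, host: str) -> str:
    """Classify one hosts line (address, hostname) into a CATEGORIES bucket."""
    ip = ipaddress.ip_address(ip_text)
    host = host.lower()
    sink = ip.is_loopback or ip.is_unspecified  # 127.x / ::1 / 0.0.0.0
    if host == "localhost":
        return "localhost"
    if _is_watched(host):
        # Any mapping of a vendor domain is hostile: sinking it blocks updates,
        # a routable address sends the traffic to the attacker.
        return "vendor-blocked" if sink else "vendor-redirected"
    return "blocklist" if sink else "redirect"


def audit(hosts_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a hosts file (comments stripped) into per-category entry lists."""
    result: Dict[str, List[Tuple[str, str]]] = {c: [] for c in CATEGORIES}
    for raw in hosts_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # malformed line; not a valid hosts entry
        for host in tokens[1:]:
            result[classify_entry(tokens[0], host)].append((tokens[0], host.lower()))
    return result


def verdict(hosts_text: str) -> str:
    """'reset' if vendor domains are touched, 'review' for other routable
    mappings (could be a legitimate intranet entry), otherwise 'keep'."""
    r = audit(hosts_text)
    if r["vendor-blocked"] or r["vendor-redirected"]:
        return "reset"
    if r["redirect"]:
        return "review"
    return "keep"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("blocklist-style", BLOCKLIST_SAMPLE), ("hijacked", HIJACKED_SAMPLE)]
    for name, text in samples:
        counts = {c: len(v) for c, v in audit(text).items()}
        print(f"{name}: {counts} -> {verdict(text)}")
```

The split between "sink" addresses and routable ones is deliberate: a huge file that only sinks ad hosts is the user's blocklist and resetting it merely loses protection, whereas a single vendor domain in the file, whatever it points at, is reason enough to reset and then verify the machine can reach its update servers again.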

#24
gstrom99
    Member
  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here's the results from OTL. I did the "mydefrag" and chkdsk with /f /r. Not sure if that found anything. I really appreciate all the help and I think the zeroaccess issue is gone. It still needs to sit and stabilize after bootup for several minutes before most programs run, weird eh? The startup programs are only two, which I've always been keeping to the bare minimum, using spybot to look at them often. Not sure what else to try. Once it's "warmed up" it seems to run fine... See anything in these?



All processes killed
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56823 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56475 bytes

User: Gary
->Temp folder emptied: 124562 bytes
->Temporary Internet Files folder emptied: 711746 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 56996 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49554 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 1859 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.32.0 log created on 03032012_160745

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PDSLB9XI\ads[1].htm not found!
File\Folder C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\CDZKNB32\ads[1].htm not found!
File\Folder C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\CDZKNB32\fastbutton[1].htm not found!
File\Folder C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\CDZKNB32\page__st__15[1].htm not found!
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...

OTL logfile created on: 3/3/2012 6:10:02 PM - Run 4
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\Gary\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 624.55 Mb Available Physical Memory | 61.05% Memory free
2.14 Gb Paging File | 1.91 Gb Available in Paging File | 89.09% Paging File free
Paging file location(s): C:\pagefile.sys 1268 1636 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 61.68 Gb Free Space | 82.84% Space Free | Partition Type: NTFS

Computer Name: RACERX | User Name: Gary | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\OTL.exe
PRC - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NTIDrvr)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (FA312)
SRV - File not found [Auto | Stopped] -- -- (AVCamUSB20)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/11/29 20:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe -- (NAV)
SRV - [2008/01/29 15:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) [Auto | Running] -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe -- (EarthLinkMonitor)
SRV - [2003/03/03 12:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2012/02/03 20:42:16 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/03 20:42:16 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/01 18:14:49 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/12/15 17:33:22 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120303.003\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/11/30 20:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120215.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/11/23 20:23:47 | 000,905,336 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMEFA.SYS -- (SymEFA)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - [2011/11/23 20:23:20 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys -- (SymIM)
DRV - [2011/11/23 19:50:26 | 000,574,584 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SRTSP.SYS -- (SRTSP)
DRV - [2011/11/23 19:50:26 | 000,032,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/11/16 21:37:59 | 000,388,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1305000.091\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/11/16 21:17:48 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\Ironx86.SYS -- (SymIRON)
DRV - [2011/11/04 17:59:35 | 000,132,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\ccSetx86.sys -- (ccSet_NAV)
DRV - [2011/09/29 00:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120302.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/29 00:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120302.017\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/25 20:18:35 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMDS.SYS -- (SymDS)
DRV - [2004/11/01 14:16:34 | 000,017,536 | R--- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BW2NDIS5.SYS -- (BW2NDIS5)
DRV - [2004/08/03 21:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 21:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 21:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 21:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 21:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 21:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 21:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 21:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 21:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 21:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2003/05/14 13:42:58 | 000,013,920 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmHidLo.sys -- (WmHidLo)
DRV - [2003/05/14 13:42:56 | 000,021,216 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmFilter.sys -- (WmFilter)
DRV - [2003/05/14 13:42:50 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmBEnum.sys -- (WmBEnum)
DRV - [2003/05/14 13:42:48 | 000,005,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmVirHid.sys -- (WmVirHid)
DRV - [2003/05/14 13:42:44 | 000,044,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WmXlCore.sys -- (WmXlCore)
DRV - [2002/11/08 12:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/10/18 03:06:28 | 000,842,128 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\winachcf.sys -- (Winachcf)
DRV - [2001/08/17 12:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 11:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\IPSFFPlgn\ [2012/02/01 17:49:31 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/03/03 17:11:09 | 000,000,098 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (IE_PopupBlocker Class) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll (Propel Software Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\19.5.0.145\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} http://employees.old...om/v4rdpchk.cab (v4 silent install)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg...l_v1-0-3-48.cab (EPUImageControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1120313456515 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook....ls/contactx.dll (ContactExtractor Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1126533491875 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E4BDEE83-9F7E-40C0-A52D-81CE364EE7F8}: NameServer = 207.69.188.185,207.69.188.186
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/03 15:35:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Desktop\Autoruns
[2012/03/03 09:40:18 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Gary\Recent
[2012/03/01 21:44:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/02/29 19:26:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/02/28 22:25:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2012/02/26 20:11:39 | 002,062,896 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Gary\Desktop\tdsskiller.exe
[2012/02/26 20:11:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/02/26 19:47:02 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/02/23 17:58:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/23 17:56:19 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/23 17:56:19 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/23 17:56:19 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/23 17:56:19 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/23 17:56:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/23 17:55:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/23 17:55:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/02/23 09:21:25 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Gary\Desktop\aswMBR.exe
[2012/02/23 08:28:05 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/19 14:57:18 | 000,032,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\FixZeroAccess.sys
[2012/02/16 21:29:52 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\OTL.exe
[2012/02/16 19:29:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/02/15 17:41:41 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/15 17:38:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\My Documents\New Folder
[2012/02/13 22:27:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/13 22:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/13 22:07:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\NPE
[2012/02/13 22:06:23 | 002,804,808 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/09 19:26:47 | 000,000,000 | ---D | C] -- C:\Program Files\ioDesktop
[2012/02/04 11:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Local Settings\Application Data\Deployment

========== Files - Modified Within 30 Days ==========

[2012/03/03 18:11:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/03/03 17:21:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/03/03 17:21:24 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/03 17:11:09 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\Hosts
[2012/03/03 16:13:30 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2012/03/03 11:11:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/03/01 19:44:56 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\gmer.zip
[2012/02/29 18:30:07 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/02/28 21:57:50 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\Norton Installation Files.lnk
[2012/02/26 21:34:51 | 000,000,376 | -HS- | M] () -- C:\WINDOWS\0178013drv.spi
[2012/02/26 20:43:54 | 122,325,856 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\setup_11.0.0.1245.x01_2012_02_27_05_03.exe
[2012/02/26 19:54:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120229-192824.backup
[2012/02/26 19:47:30 | 002,062,896 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Gary\Desktop\tdsskiller.exe
[2012/02/23 09:23:15 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\MBR.dat
[2012/02/23 09:21:33 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Gary\Desktop\aswMBR.exe
[2012/02/19 14:57:18 | 000,032,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\FixZeroAccess.sys
[2012/02/19 14:34:15 | 000,002,451 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2012/02/16 21:29:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gary\Desktop\OTL.exe
[2012/02/16 20:27:26 | 000,000,210 | ---- | M] () -- C:\Boot.bak
[2012/02/15 22:27:54 | 000,110,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/15 22:25:37 | 000,443,334 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/02/15 22:25:37 | 000,072,496 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2012/02/14 21:52:55 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\Microsoft Word (2).lnk
[2012/02/13 22:32:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/13 22:06:23 | 002,804,808 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Gary\Desktop\NPE.exe
[2012/02/12 08:48:55 | 000,000,388 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\EarthLink Web Mail.url
[2012/02/09 19:26:47 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ioDesktop.lnk
[2012/02/07 22:40:02 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Gary\Desktop\SpywareBlaster.lnk
[2012/02/02 20:27:57 | 000,446,686 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20120210-181522.backup
[2012/02/02 20:08:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/03/01 19:44:51 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Gary\Desktop\gmer.zip
[2012/02/26 21:34:45 | 000,000,376 | -HS- | C] () -- C:\WINDOWS\0178013drv.spi
[2012/02/26 20:51:02 | 122,325,856 | ---- | C] () -- C:\Documents and Settings\Gary\Desktop\setup_11.0.0.1245.x01_2012_02_27_05_03.exe
[2012/02/23 17:58:58 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2012/02/23 17:58:56 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/23 17:56:19 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/23 17:56:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/23 17:56:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/23 17:56:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/23 17:56:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/23 09:23:15 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Gary\Desktop\MBR.dat
[2012/02/20 07:59:15 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/13 22:31:59 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/04 11:06:56 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007UA.job
[2012/02/04 11:06:56 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1007087799-3521379142-2447425561-1007Core.job
[2012/01/07 07:36:29 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2011/10/23 20:35:59 | 000,308,096 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/10/11 20:21:51 | 000,000,152 | ---- | C] () -- C:\WINDOWS\System32\RSLSP.ini
[2010/10/14 16:42:07 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/09/23 22:05:29 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\fusioncache.dat
[2007/10/15 21:20:13 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/10/26 19:06:41 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2005/05/23 19:38:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Webspace.INI
[2005/05/23 18:42:00 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2005/05/22 10:01:47 | 000,003,137 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/09 16:20:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Gary\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/10 19:24:35 | 000,001,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\papycpu2.sys
[2004/11/10 19:24:35 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\papyjoy.sys
[2004/11/10 18:29:13 | 000,000,395 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/11/06 08:01:52 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2004/10/27 17:29:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/10/26 19:33:47 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2004/10/26 17:14:11 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JPR.{PB
[2004/10/26 17:14:11 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Gary\Application Data\PFP120JCM.{PB
[2004/10/26 17:09:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/10/26 17:06:30 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS58.DLL
[2004/10/26 16:45:52 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/10/13 00:38:55 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/10/13 00:34:57 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/10/13 00:30:58 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/10/13 00:30:56 | 000,000,384 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/10/13 00:26:46 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/10/13 00:13:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/10/13 00:11:14 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/10/13 00:11:10 | 000,443,334 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/10/13 00:11:10 | 000,072,496 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/10/12 23:55:46 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/03/26 16:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/09/03 08:05:08 | 000,110,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 07:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 07:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 07:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 07:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 04:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\ONETW.DRV
[2002/08/29 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2002/03/13 16:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[1999/01/22 12:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2011/02/20 08:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Encore
[2010/01/13 22:00:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Euchre
[2011/10/11 20:49:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/03/23 19:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2012/03/01 21:03:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/10/13 00:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2004/11/02 20:38:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Aim
[2009/12/11 13:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/02/12 18:36:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\com.radioio.ioDesktop.CB8A51FDBDF8B5F2BC25A3DD7F59CC4ED6D8CF65.1
[2008/12/28 12:01:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Earthlink
[2008/02/14 20:28:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\EarthLink Toolbar
[2011/03/01 21:43:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\ElevatedDiagnostics
[2011/02/20 07:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\GetRightToGo
[2012/02/14 22:15:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Hoyle Card Games
[2010/03/07 12:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Hoyle FaceCreator
[2011/02/07 20:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\ieSpell
[2004/10/28 18:29:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\JoiExpress
[2004/10/31 08:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Leadertech
[2011/10/11 20:47:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\NCH Swift Sound
[2010/09/23 07:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Tific
[2012/01/07 09:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\Uniblue

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >



  • 0
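The file listings in the OTL report above use one fixed line layout per entry, which makes them straightforward to triage programmatically. The Python below is an added example, not code from this thread or from OTL itself: it parses that entry format and flags recently created or modified executables under the Windows directory that carry no company name, which is the class of entry a helper looks at first before asking for an upload scan. The sample lines are copied from the report above; the report time, the 30-day window (the same window OTL uses for its "Created Within 30 Days" section) and the `known_tools` allow list for helpers dropped by removal tools are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One OTL file entry looks like:
#   [2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
# Directory entries omit the "(Company)" field entirely, so that group is optional.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Za-z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# Sample lines copied from the OTL report above (constructed input for the example).
SAMPLE_LINES = [
    r"[2012/03/03 15:35:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gary\Desktop\Autoruns",
    r"[2012/02/26 20:11:39 | 002,062,896 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Gary\Desktop\tdsskiller.exe",
    r"[2012/02/23 17:56:19 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe",
    r"[2012/02/15 20:20:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll",
    r"[2012/02/23 17:56:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe",
    r"[2012/03/03 17:21:24 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2005/10/26 19:06:41 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll",
]

# Assumed report time: the newest timestamp that appears in the report above.
REPORT_TIME = datetime(2012, 3, 3, 18, 11, 0)

# Assumed scope: executables living under the Windows directory (System32 and
# drivers are below it, so one prefix covers them).
SYSTEM_PREFIXES = ("c:\\windows\\",)
PE_EXTENSIONS = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str      # 'C' = created, 'M' = modified
    company: str   # '' when OTL printed "()" or no company field at all
    path: str
    is_dir: bool


def parse_entry(line):
    """Parse one OTL file-list line; return None for lines in any other format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"] or "",
        path=m["path"],
        is_dir=m["attrs"].endswith("D"),
    )


def triage(lines, report_time, days=30, known_tools=frozenset()):
    """Return entries worth a manual look: executable files under the Windows
    directory, created or modified within `days` of the report, with no company
    name, and not on the operator's allow list of known tool helpers (file names,
    lower-cased)."""
    cutoff = report_time - timedelta(days=days)
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry.is_dir:
            continue
        lowered = entry.path.lower()
        if not lowered.startswith(SYSTEM_PREFIXES) or not lowered.endswith(PE_EXTENSIONS):
            continue
        if entry.company or entry.timestamp < cutoff:
            continue
        if lowered.rsplit("\\", 1)[-1] in known_tools:
            continue
        flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES, REPORT_TIME):
        print(f"{entry.timestamp:%Y-%m-%d} {entry.kind} {entry.size:>10} {entry.path}")
```

A flagged entry is a review candidate, not a verdict: a removal tool's own helpers land in the same directories with no company name, which is what the `known_tools` allow list is for, and a signed file with a blank OTL company field still needs its signature checked before anything is deleted.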

#25
gstrom99

    Member

  • Topic Starter
  • Member
  • 19 posts
Hi. I fixed it (pretty sure, anyway)! I found a utility called Autoruns at http://technet.micro...ernals/bb963902

It looks at all scripts that run at startup. It found a bunch of "no file found" entries and two Google Update/Installers which I think were causing the slow "bootup to usable state". I unchecked the "no file found" entries and also the Google addons (hate those that install w/o your input...). This thing seems to be cured (yippie!).

80 seconds from pushing the power button to being at my internet home page. Faster than it ever was!


Is there an easy way to clean up the logs and utilities we put in?

Thanks again for all your help!

Gary

Edited by gstrom99, 04 March 2012 - 11:37 AM.

  • 0



#26
Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
First I have a question - were the no file found entries toolbars for IE? Were they something else - did you take note? Also I wouldn't recommend disabling programs' autoupdate features as the updates can contain bug fixes for security holes without which you could become infected with malware. Anyways here's the final cleanup procedure:

Now that we're done scanning for and disinfecting malware it's time to clean up. Please use your computer a couple hours at least and make sure there are no remaining symptoms. If there are no symptoms proceed with the following instructions. One final step to take in disinfecting your computer is to purge all system restore points. This ensures that you will not get reinfected by files hiding in the system restore points. We will also uninstall ComboFix at the same time. To do this follow these instructions:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall

You can now remove all the other tools that were used to disinfect your computer by running OTL and clicking the CleanUp button.

Now that your computer is disinfected it is important to keep it that way. What follows are guidelines to keeping your computer malware-free.

You absolutely must have an antivirus program installed. This is important because the antivirus program runs in the background of the computer and prevents viruses from both infecting the computer and doing malicious things to the computer. This can prevent many infections in the first place. Just as a city without police would be chaotic so would a computer without an anti-virus program. I recommend the free programs Avira AntiVir Personal and avast! Free Anti-Virus or the paid programs Bit Defender Anti-Virus and Kaspersky Anti-Virus. Also make absolutely sure to only have one anti-virus installed as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.


It is also advised to have an anti-spyware program as well. I recommend the paid version of Malwarebytes' Anti-Malware. This program complementing your anti-virus can protect your computer from most infections out there. Make absolutely sure to only have one anti-spyware installed as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.

A program to complement your anti-virus and anti-spyware with passive protection is SpywareBlaster. SpywareBlaster is not a malware scanner or removal tool and uses no system resources except a little disk space. It does a great job of preventing malware from being installed in the first place! It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them from malicious websites. You can download it here. To use it to protect your computer install it then do the following regularly at your convenience (once a week is adequate):
  • Run SpywareBlaster
  • Click Updates on the left of the screen
  • Click the 'Check for Updates' button and let the program update
  • Click 'Protection Status' on the left of the screen
  • Click 'Enable All Protection' on the bottom of the screen and SpywareBlaster will implement its protection
  • Exit the program

Another important thing to have installed is a firewall to secure communications to and from your computer. The firewall prevents inbound communications from the Internet to your computer that could be malicious in nature. Some firewalls also regulate outbound communications from your computer to the Internet that could be malicious as well. Inbound communications can take advantage of security holes in software running on your computer to gain control of your computer and infect you with malware. Outbound communications can be from malware on your computer to malicious websites on the Internet, containing information about your computer usage and even your passwords. For these reasons it is essential to the security of your computer to install a firewall. Make sure to only install one firewall as any more than that would prove to be redundant - one firewall is just as effective as multiple ones. Also more than one firewall could cause software conflicts. This applies to the Windows firewall as well - if you use a third-party firewall make sure to disable the Windows firewall. I recommend ZoneAlarm Free Firewall or Comodo Firewall as free solutions or Outpost Firewall Pro as a paid solution.

Besides these measures, an equally important step to take to protect your computer from malware is to update all programs regularly and do Windows Updates as well. Windows, Java, Adobe Flash, PDF readers, and other programs have security holes in them that leave your computer vulnerable to malicious code from hackers that could infect your computer with malware when taken advantage of. For this reason it is important to always update programs when prompted. Windows Updates is enabled by default in Windows and Java, Flash, and others have auto-update programs enabled by default as well. You will not have to worry about setting up the auto-update feature for these programs unless you altered the settings to begin with. Make sure as well to never update a program via e-mail - companies will never send e-mails to update their products. In order to help you update programs you might want to download and run FileHippo.com Update Checker from here. This program will tell you which programs need to be updated. Instructions for automating Windows Updates follow:

1. Right click My Computer and select properties
2. Select the automatic updates tab
3. Select the automatic option and configure appropriately

One last thing to consider is to exercise caution when browsing the web and viewing e-mails. Try to stay away from non-reputable websites including websites for software piracy and pornography. By staying away from these websites you decrease your chances of malware infection significantly. To help you exercise caution in your browsing habits you can download and install Web of Trust into your web browser here. This program will install in your browser and color code the website you are viewing to inform you if it is safe or not; green means safe, yellow means proceed with caution, and red means danger. Viewing e-mails should also be done with caution. If you don't recognize an email as one from a known or requested source then you will be safer to avoid opening it. File attachments should be opened only with extreme caution as they can contain files that exploit security holes on your computer and infect you with malware. Never open an attachment unless you are expecting it or you verify that the sender intended to send it to you. Also make sure to scan the attachment before opening it.

You might want to use an alternate browser than Internet Explorer. Firefox and Google Chrome are excellent candidates. They are more secure than Internet Explorer and are just as functional. You can download Google Chrome here and Firefox here.

Something just as important as preventing infection by malware is to backup your data. You can read about different methods here.

Some articles you might be interested in reading to reiterate points I have addressed in this post as well as make new points follow:

By following these steps you should ensure that you most likely will never get infected with malware again. Good luck and safe browsing!

-Josh
  • 0

#27
Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
One more thing - If you want I could take a look at your NPE log to make sure nothing critical was removed. Also you might want to run "sfc /scannow" from the command prompt to make sure all your system files are intact. Let me know if you are interested in this. Take Care.
Josh
  • 0

#28
gstrom99

    Member

  • Topic Starter
  • Member
  • 19 posts
Thanks again Josh. Looks like I got everything out that I needed. I ran the sfc scan and I guess it found nothing, since it ran and closed w/o trouble. The pc's been running all afternoon and I've tested the shutdown and reboot process several times and I can be up and at my browser's home page w/in 80-90 seconds of restart. Awesome!

I've got 555 days left on Norton, so I'll be keeping that 'til it's up.
I also run and update (weekly):
Malwarebytes
Spybot
SpywareBlaster

Questionable e-mail rarely ever gets in and I know not to open junk.

You can close this thread and mark it SUCCESSFUL!

Thanks a bunch!

Gary
  • 0

#29
Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
My pleasure :) Take care Gary.
-Josh
  • 0

#30
Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Forgot to ask again... do you know what section of the Autoruns utility were the no file found entries in? I could use this information to better understand what exactly went on. Thanks.
  • 0





