Google Redirect Rootkit via False Flash Player Update


  • This topic is locked
20 replies to this topic

#1 CommanderButter

  • Members
  • 13 posts

Posted 06 July 2012 - 01:42 PM

Hi, on my Vista laptop, I have recently received a rootkit through a fake flash player update. Not only do I get redirects whenever the internet decides to work, but also the flash updater window has appeared on occasion and begun to install more things without permission. Of course, I have cancelled those false windows and attempted to uninstall flash altogether. Now I am just getting redirects/slow internet and need some help removing it because I am personally a malware noob. The main redirect is something along the lines of delivery.jemacpv

Also note I must complete everything from a flash drive at the moment because none of the updates or downloads are working on the infected computer.

Here is a DDS log from safe mode with networking. The attached GMER log had to be done in safe mode with networking, and it successfully completed on a second attempt. The first attempt in safe mode it blue screened and shut down.

The GMER log was too big to attach. Want me to host it some other way? This post is from a non-infected computer. Thanks in advance!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.0.0
Run by Administrator at 10:45:07 on 2012-07-06
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1014.537 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120120060057.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Home Theater SchSvr] "c:\program files\common files\intervideo\schsvr\SchSvr.exe"
mRun: [WINCINEMAMGR] "c:\program files\intervideo\common\bin\WinCinemaMgr.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\administrator\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{75D01C27-54BE-4974-9808-82F972008DFF} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{A6F27415-AF57-4A73-8A57-651C616295B1} : DhcpNameServer = 192.168.0.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\mnlhe2w0.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\administrator\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\administrator\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\administrator\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-12-13 464176]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-12-13 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-12-13 165680]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-12-13 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-12-13 150856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-13 338176]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-1-14 13224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-1 21504]
S2 gupdate1c90ef58af10f00;Google Update Service (gupdate1c90ef58af10f00);c:\program files\google\update\GoogleUpdate.exe [2008-9-4 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-27 95200]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 214904]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 214904]
S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-12-13 166288]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-5-3 158856]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-1-14 4408616]
S2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-1-14 112936]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-13 57600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-9-4 133104]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-13 180816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-13 59456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-13 87656]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-5 113120]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-8-4 33808]
S3 TDEIO;TDEIO;c:\windows\system32\sysprep\TdeIo.sys [2007-8-9 16512]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-1-14 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
2012-07-05 19:24:32 -------- d-----w- c:\program files\ESET
2012-06-30 03:26:17 -------- d-----w- c:\program files\Steam
2012-06-25 06:15:41 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-25 06:15:41 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-23 09:15:19 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 09:13:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-23 09:13:45 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-17 18:26:31 205984 ----a-w- c:\programdata\microsoft\vbexpress\10.0\1033\ResourceCache.dll
2012-06-17 03:46:05 -------- d-----w- c:\users\administrator\appdata\local\SmallBasic
2012-06-17 03:41:42 923416 ----a-r- c:\users\administrator\appdata\roaming\microsoft\installer\{7aaa27e4-cdb3-49c0-aa2d-41827c001ba3}\StartMenuIcon.exe
2012-06-17 03:41:24 -------- d-----w- c:\program files\Microsoft
2012-06-17 03:13:32 -------- d-----w- c:\users\administrator\appdata\roaming\.minecraft
2012-06-16 14:22:24 -------- d-----w- c:\program files\Dropbox
2012-06-13 17:03:54 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 17:03:54 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 17:03:54 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 17:03:25 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 17:03:21 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-06-07 03:31:59 -------- d-----w- c:\users\administrator\appdata\local\Deployment
2012-06-07 03:03:10 -------- d-----w- c:\windows\system32\xlive
2012-06-07 03:03:00 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2012-06-07 03:02:06 -------- d-----w- c:\program files\Microsoft XNA
2012-06-07 02:50:39 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-06-07 02:50:09 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-06-07 02:45:55 -------- d-----w- c:\windows\system32\RsFx
2012-06-07 02:42:15 -------- d-----w- c:\windows\system32\1033
2012-06-07 02:32:34 -------- d-----w- c:\program files\Microsoft SQL Server
2012-06-07 02:32:05 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-06-07 02:32:04 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-06-07 02:30:58 190656 ----a-w- c:\programdata\microsoft\vcsexpress\10.0\1033\ResourceCache.dll
2012-06-07 02:25:01 -------- d-----w- c:\program files\Microsoft Help Viewer
2012-06-07 02:25:00 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
.
==================== Find3M ====================
.
2012-07-04 15:50:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-04 15:50:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-11 04:31:54 2303488 ----a-w- c:\windows\system32\python27.dll
.
============= FINISH: 10:48:18.31 ===============

Edited by CommanderButter, 06 July 2012 - 02:03 PM.



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 July 2012 - 03:56 PM

hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Boot Menu:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Choose your language settings, and then click Next.
  • Click Repair your computer.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
    Scan your computer's memory for errors.
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CommanderButter
  • Topic Starter
  • Members
  • 13 posts

Posted 06 July 2012 - 04:20 PM

You may notice a few other programs I used from a previous thread in the Am I Infected section that didn't work due to the download. Thanks for your help thus far!

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 06-07-2012 03
Ran by SYSTEM at 06-07-2012 16:13:43
Running from F:\
Windows Vista ™ Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [894248 2007-06-22] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [174872 2007-03-21] (Intel Corporation)
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [106496 2005-09-27] (InterVideo Inc.)
HKLM\...\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [266240 2005-09-27] (InterVideo Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-02-11] (Intel Corporation)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1318816 2011-11-22] (McAfee, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKU\Administrator\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\Administrator\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\Administrator\...\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-03-06] (Google Inc.)
HKU\Administrator\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [1242448 2012-06-29] (Valve Corporation)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] ()
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] ()
HKU\Matt (Absoltastic)\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\Matt (Absoltastic)\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 ASLDRService; C:\Program Files\ATK Hotkey\ASLDRSrv.exe [94208 2007-02-05] ()
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
2 FlipShare Service; "C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe" [439616 2008-11-13] ()
2 gupdate1c90ef58af10f00; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2008-09-04] (Google Inc.)
2 McAfee SiteAdvisor Service; "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe" [95200 2012-01-13] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [361976 2011-10-18] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2011-12-06] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [160608 2011-12-06] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [150856 2011-12-06] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
3 odserv; "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [440696 2011-07-20] (Microsoft Corporation)
3 ose; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [145184 2006-10-26] (Microsoft Corporation)
2 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()
2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-05-03] (Skype Technologies)
2 TabletServicePen; C:\Windows\system32\Pen_Tablet.exe [4408616 2009-07-15] (Wacom Technology, Corp.)
2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [112936 2009-07-15] (Wacom Technology, Corp.)
2 FileZilla Server; "C:\Program Files\FileZilla Server\FileZilla Server.exe" [x]
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
4 NetMsmqActivator; "c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
4 NetPipeActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpPortSharing; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]
4 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
2 Swupdtmr; c:\TOSHIBA\IVP\swupdate\swupdtmr.exe [x]

========================== Drivers (Whitelisted) =============

3 avcgbdr; C:\Windows\System32\drivers\avcgbdr.sys [125568 2005-09-25] (Adaptec, Inc.)
3 avcgbfl; C:\Windows\System32\Drivers\avcgbfl.sys [19712 2005-07-28] (Adaptec, Inc)
3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2011-10-15] (McAfee, Inc.)
3 CoachUsb; C:\Windows\System32\DRIVERS\CoachUsb.sys [46368 2003-04-18] (Accapella Ltd.)
3 CoachVc; C:\Windows\System32\DRIVERS\CoachVc.sys [46048 2003-01-24] (Accapella Ltd.)
3 DSDrv4; \??\C:\PROGRA~1\DScaler\DSDrv4.sys [8801 2005-12-18] ()
3 Iviaspi; C:\Windows\System32\drivers\iviaspi.sys [10752 2003-12-25] (InterVideo, Inc.)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121256 2011-10-15] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180816 2011-10-15] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2011-10-15] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [338176 2011-10-15] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464176 2011-10-15] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64880 2011-10-15] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2011-10-15] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [165680 2011-10-15] (McAfee, Inc.)
3 MSHUSBVideo; C:\Windows\System32\Drivers\nx6000.sys [33808 2008-08-04] (Microsoft Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2006-12-14] (ATK0100)
4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-30] (Microsoft Corporation)
3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtnicxp.sys [51200 2008-03-31] (Realtek Semiconductor Corporation )
3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347648 2009-06-10] (Realtek Semiconductor Corporation )
3 sscdbus; C:\Windows\System32\DRIVERS\sscdbus.sys [58352 2005-08-17] (MCCI)
3 sscdmdfl; C:\Windows\System32\DRIVERS\sscdmdfl.sys [8272 2005-08-17] (MCCI)
3 sscdmdm; C:\Windows\System32\DRIVERS\sscdmdm.sys [93872 2005-08-17] (MCCI)
3 TDEIO; \??\C:\WINDOWS\SYSTEM32\SYSPREP\tdeio.sys [16512 2006-09-19] ()
3 WacomVTHid; C:\Windows\System32\DRIVERS\WacomVTHid.sys [13224 2009-05-20] (Wacom Technology)
3 xnacc; C:\Windows\System32\DRIVERS\xnacc.sys [521216 2008-01-18] (Microsoft Corporation)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 ManyCam; C:\Windows\System32\DRIVERS\ManyCam.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-06 10:31 - 2012-07-06 10:31 - 01006144 ____A C:\Users\Administrator\Desktop\ark.txt
2012-07-06 08:08 - 2012-07-06 08:08 - 00000000 ____D C:\Users\Administrator\Desktop\gmer
2012-07-06 08:06 - 2012-07-06 07:33 - 00294216 ____A C:\Users\Administrator\Desktop\gmer.zip
2012-07-06 07:49 - 2012-07-06 07:49 - 00014719 ____A C:\Users\Administrator\Desktop\dds.txt
2012-07-06 07:49 - 2012-07-06 07:49 - 00011176 ____A C:\Users\Administrator\Desktop\attach.txt
2012-07-06 07:44 - 2012-07-06 07:44 - 00000488 ____A C:\Users\Administrator\Desktop\defogger_disable.log
2012-07-06 07:44 - 2012-07-06 07:44 - 00000000 ____A C:\Users\Administrator\defogger_reenable
2012-07-06 07:43 - 2012-07-06 07:34 - 00302592 ____A C:\Users\Administrator\Desktop\zwsp53we.exe
2012-07-06 07:43 - 2012-07-06 07:33 - 00607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
2012-07-06 07:43 - 2012-07-06 07:18 - 00050477 ____A C:\Users\Administrator\Desktop\Defogger.exe
2012-07-05 11:24 - 2012-07-05 11:24 - 00000000 ____D C:\Program Files\ESET
2012-07-05 11:19 - 2012-07-05 11:19 - 00001622 ____A C:\Users\Administrator\Desktop\aswMBR.txt
2012-07-05 11:19 - 2012-07-05 11:19 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
2012-07-05 11:13 - 2012-07-05 10:32 - 02135640 ____A (Kaspersky Lab ZAO) C:\Users\Administrator\Desktop\tdsskiller.exe
2012-07-03 21:47 - 2012-07-03 22:21 - 00008192 ____A C:\Users\Administrator\Desktop\Earthbound Zero (Demiforce Hack) (U) Auto.sav
2012-07-03 19:37 - 2012-07-03 19:37 - 00000000 ____D C:\Users\Administrator\Downloads\sleepingmonster
2012-07-03 19:36 - 2012-07-03 19:37 - 02367237 ____A C:\Users\Administrator\Downloads\sleepingmonster.zip
2012-07-03 18:38 - 2012-07-03 18:40 - 00154472 ____A C:\Users\Administrator\Desktop\12 year olds.mp3.sfk
2012-07-03 18:37 - 2012-07-03 18:40 - 00176496 ____A C:\Users\Administrator\Documents\mike Take 2.sfk
2012-07-03 18:37 - 2012-07-03 18:37 - 22582820 ____A C:\Users\Administrator\Documents\mike Take 2.wav
2012-07-03 18:35 - 2012-07-03 18:40 - 00054184 ____A C:\Users\Administrator\Documents\nasty matt Take 2.sfk
2012-07-03 18:35 - 2012-07-03 18:35 - 06927280 ____A C:\Users\Administrator\Documents\nasty matt Take 2.wav
2012-07-03 18:33 - 2012-07-03 18:40 - 00188016 ____A C:\Users\Administrator\Documents\nasty dfgiot Take 2.sfk
2012-07-03 18:33 - 2012-07-03 18:33 - 24057676 ____A C:\Users\Administrator\Documents\nasty dfgiot Take 2.wav
2012-07-03 18:28 - 2012-07-03 18:40 - 00190864 ____A C:\Users\Administrator\Documents\nasty dfgiot.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:40 - 00178128 ____A C:\Users\Administrator\Documents\mike.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:40 - 00047376 ____A C:\Users\Administrator\Documents\nasty matt.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:40 - 00016320 ____A C:\Users\Administrator\Documents\nasty scoutz.wma.sfk
2012-07-03 18:27 - 2012-07-03 18:28 - 00023888 ____A C:\Users\Administrator\Documents\matador.wma.sfk
2012-07-03 18:26 - 2012-07-03 18:28 - 00157776 ____A C:\Users\Administrator\Documents\12 yo.wma.sfk
2012-07-03 18:26 - 2012-07-03 18:28 - 00070416 ____A C:\Users\Administrator\Documents\12 ypo2.wma.sfk
2012-07-03 18:26 - 2012-07-03 18:28 - 00041472 ____A C:\Users\Administrator\Documents\12 byo 3.wma.sfk
2012-07-03 18:26 - 2012-07-03 18:28 - 00033536 ____A C:\Users\Administrator\Documents\12 yo 5.wma.sfk
2012-07-03 18:26 - 2012-07-03 18:28 - 00008016 ____A C:\Users\Administrator\Documents\12 yo 4.wma.sfk
2012-07-03 18:24 - 2012-07-03 18:24 - 00224989 ____A C:\Users\Administrator\Documents\matador.wma
2012-07-03 18:23 - 2012-07-03 18:23 - 00431529 ____A C:\Users\Administrator\Documents\nasty matt.wma
2012-07-03 18:22 - 2012-07-03 18:22 - 01576479 ____A C:\Users\Administrator\Documents\mike.wma
2012-07-03 18:20 - 2012-07-03 18:20 - 01688729 ____A C:\Users\Administrator\Documents\nasty dfgiot.wma
2012-07-03 18:16 - 2012-07-03 18:16 - 00157639 ____A C:\Users\Administrator\Documents\nasty scoutz.wma
2012-07-03 18:15 - 2012-07-03 18:15 - 00310299 ____A C:\Users\Administrator\Documents\12 yo 5.wma
2012-07-03 18:15 - 2012-07-03 18:15 - 00090289 ____A C:\Users\Administrator\Documents\12 yo 4.wma
2012-07-03 18:14 - 2012-07-03 18:14 - 00638069 ____A C:\Users\Administrator\Documents\12 ypo2.wma
2012-07-03 18:14 - 2012-07-03 18:14 - 00382139 ____A C:\Users\Administrator\Documents\12 byo 3.wma
2012-07-03 18:12 - 2012-07-03 18:12 - 01401369 ____A C:\Users\Administrator\Documents\12 yo.wma
2012-07-03 15:20 - 2012-07-03 15:20 - 00022856 ____A C:\Users\Administrator\Documents\lmfinsl.vf
2012-07-03 11:45 - 2012-07-03 13:27 - 342019115 ____A C:\Users\Administrator\Desktop\weegee finale.wmv
2012-07-03 10:42 - 2012-07-06 08:08 - 00001706 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2012-07-03 10:41 - 2012-07-04 08:48 - 00000000 ____D C:\Users\Administrator\Desktop\june 2012
2012-07-02 21:20 - 2012-07-02 22:37 - 00361928 ____A C:\Users\Administrator\Desktop\00159.MTS.sfk1
2012-07-02 21:20 - 2012-07-02 22:37 - 00361928 ____A C:\Users\Administrator\Desktop\00159.MTS.sfk0
2012-07-02 20:16 - 2012-07-02 22:37 - 00018056 ____A C:\Users\Administrator\Documents\thiscalling.vf
2012-07-02 20:16 - 2012-07-02 20:16 - 00017688 ____A C:\Users\Administrator\Documents\thiscalling.vf.bak
2012-07-02 18:29 - 2012-07-02 20:16 - 00433248 ____A C:\Users\Administrator\Desktop\00160.MTS.sfk1
2012-07-02 18:29 - 2012-07-02 20:16 - 00433248 ____A C:\Users\Administrator\Desktop\00160.MTS.sfk0
2012-07-02 11:34 - 2012-07-02 12:33 - 00155008 ____A C:\Users\Administrator\Downloads\20 A Messenger From Behind ~Battle With the Colossus~.mp3.sfk
2012-07-02 11:25 - 2012-07-02 12:33 - 00096904 ____A C:\Users\Administrator\Downloads\145- Earthbound - Giygas_ Intimidation.mp3.sfk
2012-07-01 10:20 - 2012-07-01 11:26 - 169000001 ____A C:\Users\Administrator\Desktop\final bootage.wmv
2012-06-29 23:23 - 2012-06-29 23:23 - 03524967 ____A C:\Users\Administrator\Documents\summer jams final.pdn
2012-06-29 19:26 - 2012-07-04 10:25 - 00000000 ____D C:\Program Files\Steam
2012-06-29 19:26 - 2012-06-29 19:26 - 00000757 ____A C:\Users\Public\Desktop\Steam.lnk
2012-06-29 19:19 - 2012-06-29 19:19 - 01606656 ____A C:\Users\Administrator\Downloads\SteamInstall.msi
2012-06-28 14:33 - 2012-06-28 14:34 - 31148472 ____A C:\Users\Administrator\Downloads\itsawindylife-1.0-win32.zip
2012-06-25 18:35 - 2012-06-25 18:35 - 00000000 ____D C:\Users\Administrator\Downloads\rawksd
2012-06-25 18:34 - 2012-06-25 18:34 - 06812575 ____A C:\Users\Administrator\Downloads\rawksd.zip
2012-06-25 18:28 - 2012-06-28 11:12 - 00000000 ____D C:\Users\Administrator\Downloads\rawk3b4
2012-06-25 18:26 - 2012-06-25 18:27 - 06774405 ____A C:\Users\Administrator\Downloads\rawk3b4.zip
2012-06-23 01:15 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-23 01:15 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-23 01:15 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-23 01:15 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-23 01:13 - 2012-06-02 12:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-23 01:13 - 2012-06-02 12:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-20 22:17 - 2012-06-20 22:17 - 00123086 ____A C:\Users\Administrator\Downloads\custsql-ipw11.eigbox.net.sql.zip
2012-06-20 22:05 - 2012-06-20 22:05 - 00067161 ____A C:\Users\Administrator\Downloads\joomla-to-wordpress-migrator.1.7.1.zip
2012-06-20 19:04 - 2012-06-20 19:04 - 00000000 ____D C:\Users\Administrator\Desktop\BACKUP SITE
2012-06-19 20:01 - 2012-07-03 11:28 - 00000000 ____D C:\Users\Administrator\Desktop\Weegee Area 4 Voice
2012-06-19 19:29 - 2012-06-19 19:29 - 00049152 ____A ( ) C:\Users\Administrator\Downloads\Luigi's Mansion Calc.exe
2012-06-16 19:46 - 2012-06-16 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\SmallBasic
2012-06-16 19:13 - 2012-06-29 20:00 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\.minecraft
2012-06-16 06:22 - 2012-06-16 06:22 - 00000000 ____D C:\Program Files\Dropbox
2012-06-16 01:07 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-16 01:07 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-16 01:07 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-16 01:07 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-16 01:07 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-16 01:07 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-16 01:07 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-16 01:07 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-16 01:07 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-16 01:07 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-16 01:07 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-16 01:07 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-16 01:07 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-16 01:07 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 10:07 - 2012-06-13 10:18 - 00000000 ____D C:\Users\Administrator\Downloads\bgb
2012-06-13 10:07 - 2012-06-13 10:08 - 00000000 ____D C:\Users\Administrator\Downloads\lsdj3_1_9_demo
2012-06-13 10:06 - 2012-06-13 10:06 - 00230868 ____A C:\Users\Administrator\Downloads\lsdj3_1_9_demo.zip
2012-06-13 10:05 - 2012-06-13 10:06 - 00377322 ____A C:\Users\Administrator\Downloads\bgb.zip
2012-06-13 09:03 - 2012-05-15 11:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 09:03 - 2012-05-01 06:03 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 09:03 - 2012-04-23 08:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 09:03 - 2012-04-23 08:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 09:03 - 2012-04-23 08:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-09 12:34 - 2012-06-28 12:18 - 00000000 ____D C:\Users\Administrator\Downloads\notronpaul
2012-06-09 11:38 - 2012-06-09 11:38 - 00000000 ____D C:\Users\Default\Documents\Visual Studio 2010
2012-06-09 11:38 - 2012-06-09 11:38 - 00000000 ____D C:\Users\Default User\Documents\Visual Studio 2010
2012-06-06 19:31 - 2012-06-06 19:32 - 00000000 ____D C:\Users\Administrator\AppData\Local\Deployment
2012-06-06 19:03 - 2012-06-06 19:03 - 00000000 ____D C:\Windows\System32\xlive
2012-06-06 19:03 - 2012-06-06 19:03 - 00000000 ____D C:\Program Files\Microsoft Games for Windows - LIVE
2012-06-06 19:02 - 2012-06-06 19:02 - 00000000 ____D C:\Program Files\Microsoft XNA
2012-06-06 18:50 - 2009-07-22 19:08 - 00079896 ____A (Microsoft Corporation) C:\Windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-06-06 18:50 - 2009-07-22 19:08 - 00050200 ____A (Microsoft Corporation) C:\Windows\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-06-06 18:45 - 2012-06-06 18:45 - 00000000 ____D C:\Windows\System32\RsFx
2012-06-06 18:42 - 2012-06-06 18:42 - 00000000 ____D C:\Windows\System32\1033
2012-06-06 18:42 - 2012-06-06 18:42 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 9.0
2012-06-06 18:32 - 2012-06-06 18:46 - 00000000 ____D C:\Program Files\Microsoft SQL Server
2012-06-06 18:32 - 2012-06-06 18:32 - 00000000 ____D C:\Program Files\Microsoft Synchronization Services
2012-06-06 18:32 - 2012-06-06 18:32 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2012-06-06 18:30 - 2012-06-16 19:25 - 00000000 ____D C:\Users\Administrator\Documents\Visual Studio 2010
2012-06-06 18:25 - 2012-06-17 10:19 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 10.0
2012-06-06 18:25 - 2012-06-06 18:25 - 00000000 ____D C:\Program Files\Microsoft SDKs
2012-06-06 18:25 - 2012-06-06 18:25 - 00000000 ____D C:\Program Files\Microsoft Help Viewer


============ 3 Months Modified Files ========================

2012-07-06 10:31 - 2012-07-06 10:31 - 01006144 ____A C:\Users\Administrator\Desktop\ark.txt
2012-07-06 08:08 - 2012-07-03 10:42 - 00001706 ____A C:\Users\Public\Desktop\McAfee Total Protection.lnk
2012-07-06 07:58 - 2009-06-30 19:56 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-06 07:58 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-06 07:58 - 2006-11-02 04:45 - 00003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-06 07:58 - 2006-11-02 04:45 - 00003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-06 07:49 - 2012-07-06 07:49 - 00014719 ____A C:\Users\Administrator\Desktop\dds.txt
2012-07-06 07:49 - 2012-07-06 07:49 - 00011176 ____A C:\Users\Administrator\Desktop\attach.txt
2012-07-06 07:44 - 2012-07-06 07:44 - 00000488 ____A C:\Users\Administrator\Desktop\defogger_disable.log
2012-07-06 07:44 - 2012-07-06 07:44 - 00000000 ____A C:\Users\Administrator\defogger_reenable
2012-07-06 07:44 - 2006-11-02 02:33 - 00849478 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-06 07:34 - 2012-07-06 07:43 - 00302592 ____A C:\Users\Administrator\Desktop\zwsp53we.exe
2012-07-06 07:33 - 2012-07-06 08:06 - 00294216 ____A C:\Users\Administrator\Desktop\gmer.zip
2012-07-06 07:33 - 2012-07-06 07:43 - 00607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
2012-07-06 07:18 - 2012-07-06 07:43 - 00050477 ____A C:\Users\Administrator\Desktop\Defogger.exe
2012-07-05 12:27 - 2006-11-02 04:58 - 00032570 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-05 11:19 - 2012-07-05 11:19 - 00001622 ____A C:\Users\Administrator\Desktop\aswMBR.txt
2012-07-05 11:19 - 2012-07-05 11:19 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
2012-07-05 10:32 - 2012-07-05 11:13 - 02135640 ____A (Kaspersky Lab ZAO) C:\Users\Administrator\Desktop\tdsskiller.exe
2012-07-04 18:07 - 2007-08-09 14:38 - 00236500 ____A C:\Windows\PFRO.log
2012-07-04 16:20 - 2010-02-01 14:53 - 00001356 ____A C:\Users\Administrator\AppData\Local\d3d9caps.dat
2012-07-04 10:33 - 2007-10-05 01:31 - 02017230 ____A C:\Windows\WindowsUpdate.log
2012-07-04 09:51 - 2012-03-06 17:40 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500UA.job
2012-07-04 09:47 - 2009-06-30 19:56 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-04 07:50 - 2012-04-14 04:56 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-04 07:50 - 2011-05-28 14:07 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-03 22:21 - 2012-07-03 21:47 - 00008192 ____A C:\Users\Administrator\Desktop\Earthbound Zero (Demiforce Hack) (U) Auto.sav
2012-07-03 19:37 - 2012-07-03 19:36 - 02367237 ____A C:\Users\Administrator\Downloads\sleepingmonster.zip
2012-07-03 18:40 - 2012-07-03 18:38 - 00154472 ____A C:\Users\Administrator\Desktop\12 year olds.mp3.sfk
2012-07-03 18:40 - 2012-07-03 18:37 - 00176496 ____A C:\Users\Administrator\Documents\mike Take 2.sfk
2012-07-03 18:40 - 2012-07-03 18:35 - 00054184 ____A C:\Users\Administrator\Documents\nasty matt Take 2.sfk
2012-07-03 18:40 - 2012-07-03 18:33 - 00188016 ____A C:\Users\Administrator\Documents\nasty dfgiot Take 2.sfk
2012-07-03 18:40 - 2012-07-03 18:28 - 00190864 ____A C:\Users\Administrator\Documents\nasty dfgiot.wma.sfk
2012-07-03 18:40 - 2012-07-03 18:28 - 00178128 ____A C:\Users\Administrator\Documents\mike.wma.sfk
2012-07-03 18:40 - 2012-07-03 18:28 - 00047376 ____A C:\Users\Administrator\Documents\nasty matt.wma.sfk
2012-07-03 18:40 - 2012-07-03 18:28 - 00016320 ____A C:\Users\Administrator\Documents\nasty scoutz.wma.sfk
2012-07-03 18:37 - 2012-07-03 18:37 - 22582820 ____A C:\Users\Administrator\Documents\mike Take 2.wav
2012-07-03 18:35 - 2012-07-03 18:35 - 06927280 ____A C:\Users\Administrator\Documents\nasty matt Take 2.wav
2012-07-03 18:33 - 2012-07-03 18:33 - 24057676 ____A C:\Users\Administrator\Documents\nasty dfgiot Take 2.wav
2012-07-03 18:28 - 2012-07-03 18:27 - 00023888 ____A C:\Users\Administrator\Documents\matador.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:26 - 00157776 ____A C:\Users\Administrator\Documents\12 yo.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:26 - 00070416 ____A C:\Users\Administrator\Documents\12 ypo2.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:26 - 00041472 ____A C:\Users\Administrator\Documents\12 byo 3.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:26 - 00033536 ____A C:\Users\Administrator\Documents\12 yo 5.wma.sfk
2012-07-03 18:28 - 2012-07-03 18:26 - 00008016 ____A C:\Users\Administrator\Documents\12 yo 4.wma.sfk
2012-07-03 18:24 - 2012-07-03 18:24 - 00224989 ____A C:\Users\Administrator\Documents\matador.wma
2012-07-03 18:23 - 2012-07-03 18:23 - 00431529 ____A C:\Users\Administrator\Documents\nasty matt.wma
2012-07-03 18:22 - 2012-07-03 18:22 - 01576479 ____A C:\Users\Administrator\Documents\mike.wma
2012-07-03 18:20 - 2012-07-03 18:20 - 01688729 ____A C:\Users\Administrator\Documents\nasty dfgiot.wma
2012-07-03 18:16 - 2012-07-03 18:16 - 00157639 ____A C:\Users\Administrator\Documents\nasty scoutz.wma
2012-07-03 18:15 - 2012-07-03 18:15 - 00310299 ____A C:\Users\Administrator\Documents\12 yo 5.wma
2012-07-03 18:15 - 2012-07-03 18:15 - 00090289 ____A C:\Users\Administrator\Documents\12 yo 4.wma
2012-07-03 18:14 - 2012-07-03 18:14 - 00638069 ____A C:\Users\Administrator\Documents\12 ypo2.wma
2012-07-03 18:14 - 2012-07-03 18:14 - 00382139 ____A C:\Users\Administrator\Documents\12 byo 3.wma
2012-07-03 18:12 - 2012-07-03 18:12 - 01401369 ____A C:\Users\Administrator\Documents\12 yo.wma
2012-07-03 15:20 - 2012-07-03 15:20 - 00022856 ____A C:\Users\Administrator\Documents\lmfinsl.vf
2012-07-03 13:27 - 2012-07-03 11:45 - 342019115 ____A C:\Users\Administrator\Desktop\weegee finale.wmv
2012-07-03 11:51 - 2012-03-06 17:40 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500Core.job
2012-07-02 22:37 - 2012-07-02 21:20 - 00361928 ____A C:\Users\Administrator\Desktop\00159.MTS.sfk1
2012-07-02 22:37 - 2012-07-02 21:20 - 00361928 ____A C:\Users\Administrator\Desktop\00159.MTS.sfk0
2012-07-02 22:37 - 2012-07-02 20:16 - 00018056 ____A C:\Users\Administrator\Documents\thiscalling.vf
2012-07-02 20:16 - 2012-07-02 20:16 - 00017688 ____A C:\Users\Administrator\Documents\thiscalling.vf.bak
2012-07-02 20:16 - 2012-07-02 18:29 - 00433248 ____A C:\Users\Administrator\Desktop\00160.MTS.sfk1
2012-07-02 20:16 - 2012-07-02 18:29 - 00433248 ____A C:\Users\Administrator\Desktop\00160.MTS.sfk0
2012-07-02 12:33 - 2012-07-02 11:34 - 00155008 ____A C:\Users\Administrator\Downloads\20 A Messenger From Behind ~Battle With the Colossus~.mp3.sfk
2012-07-02 12:33 - 2012-07-02 11:25 - 00096904 ____A C:\Users\Administrator\Downloads\145- Earthbound - Giygas_ Intimidation.mp3.sfk
2012-07-02 10:55 - 2009-11-28 20:13 - 00072192 ____A C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-01 12:58 - 2012-03-06 17:52 - 00002093 ____A C:\Users\Administrator\Desktop\Google Chrome.lnk
2012-07-01 11:26 - 2012-07-01 10:20 - 169000001 ____A C:\Users\Administrator\Desktop\final bootage.wmv
2012-06-29 23:23 - 2012-06-29 23:23 - 03524967 ____A C:\Users\Administrator\Documents\summer jams final.pdn
2012-06-29 19:26 - 2012-06-29 19:26 - 00000757 ____A C:\Users\Public\Desktop\Steam.lnk
2012-06-29 19:19 - 2012-06-29 19:19 - 01606656 ____A C:\Users\Administrator\Downloads\SteamInstall.msi
2012-06-28 14:34 - 2012-06-28 14:33 - 31148472 ____A C:\Users\Administrator\Downloads\itsawindylife-1.0-win32.zip
2012-06-27 14:51 - 2012-05-14 11:51 - 00025288 ____A C:\Users\Administrator\Documents\aitc 2012.vf
2012-06-25 18:34 - 2012-06-25 18:34 - 06812575 ____A C:\Users\Administrator\Downloads\rawksd.zip
2012-06-25 18:27 - 2012-06-25 18:26 - 06774405 ____A C:\Users\Administrator\Downloads\rawk3b4.zip
2012-06-24 17:16 - 2012-05-30 12:46 - 00002337 ____A C:\Users\Public\Desktop\Skype.lnk
2012-06-20 22:17 - 2012-06-20 22:17 - 00123086 ____A C:\Users\Administrator\Downloads\custsql-ipw11.eigbox.net.sql.zip
2012-06-20 22:05 - 2012-06-20 22:05 - 00067161 ____A C:\Users\Administrator\Downloads\joomla-to-wordpress-migrator.1.7.1.zip
2012-06-19 19:29 - 2012-06-19 19:29 - 00049152 ____A ( ) C:\Users\Administrator\Downloads\Luigi's Mansion Calc.exe
2012-06-16 06:22 - 2011-01-19 16:48 - 00000954 ____A C:\Users\Administrator\Desktop\Dropbox.lnk
2012-06-16 02:05 - 2006-11-02 04:44 - 00446416 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-16 01:16 - 2006-11-02 02:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 10:06 - 2012-06-13 10:06 - 00230868 ____A C:\Users\Administrator\Downloads\lsdj3_1_9_demo.zip
2012-06-13 10:06 - 2012-06-13 10:05 - 00377322 ____A C:\Users\Administrator\Downloads\bgb.zip
2012-06-08 19:46 - 2011-05-31 19:42 - 00001801 ____A C:\INSTALL.LOG
2012-06-07 21:51 - 2009-10-24 17:50 - 00140864 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-06 17:45 - 2009-11-02 16:31 - 00000486 ____A C:\Windows\demdata.txt
2012-06-05 14:23 - 2012-06-05 14:23 - 00002437 ____A C:\Users\Administrator\Desktop\18. Sweden.mid
2012-06-03 10:14 - 2012-06-03 10:14 - 00002269 ____A C:\Users\Administrator\.recently-used.xbel
2012-06-02 14:19 - 2012-06-23 01:15 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 01:15 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 01:15 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:12 - 2012-06-23 01:15 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 12:19 - 2012-06-23 01:13 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:12 - 2012-06-23 01:13 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 08:57 - 2012-05-30 19:29 - 00000111 ____A C:\Users\Administrator\Desktop\Ebproj.bat
2012-05-21 17:40 - 2012-05-21 17:38 - 00000086 ____A C:\Users\Administrator\Desktop\jhack.bat
2012-05-20 19:00 - 2012-05-20 19:00 - 00000777 ____A C:\Users\Matt (Absoltastic)\Desktop\Map Editor.lnk
2012-05-20 19:00 - 2012-05-20 19:00 - 00000725 ____A C:\Users\Administrator\Desktop\Map Editor.lnk
2012-05-20 18:23 - 2012-05-14 11:51 - 00026800 ____A C:\Users\Administrator\Documents\aitc 2012.vf.bak
2012-05-19 12:02 - 2012-05-19 11:58 - 00068450 ____A C:\Windows\ebsavestate.pl
2012-05-19 12:02 - 2012-05-19 11:58 - 00006514 ____A C:\Windows\ebsavestate.ini
2012-05-18 08:04 - 2012-01-28 21:45 - 00000076 ____A C:\Windows\hw.ini
2012-05-18 07:42 - 2012-05-18 07:42 - 00000860 ____A C:\Users\Matt (Absoltastic)\Desktop\Patch Manager.lnk
2012-05-18 07:42 - 2012-05-18 07:42 - 00000808 ____A C:\Users\Administrator\Desktop\Patch Manager.lnk
2012-05-17 15:11 - 2012-06-16 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-16 01:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-16 01:07 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-16 01:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-16 01:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-16 01:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-16 01:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-16 01:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-16 01:07 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-16 01:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-16 01:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-16 01:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-16 01:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-16 01:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 11:51 - 2012-06-13 09:03 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-14 14:34 - 2012-05-14 14:05 - 00072328 ____A C:\Users\Administrator\Documents\thundurus.vf
2012-05-13 18:40 - 2012-05-13 18:40 - 00001635 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-05-13 17:17 - 2012-05-13 17:17 - 00017544 ____A C:\Users\Administrator\Documents\longlevelup.vf
2012-05-12 07:51 - 2012-05-12 07:51 - 00012683 ____A C:\Users\Administrator\Documents\aitc truffle.odt
2012-05-11 20:36 - 2012-05-11 20:04 - 00663880 ____A C:\Users\Administrator\Documents\tfg gcea.vf
2012-05-07 03:26 - 2012-05-07 03:26 - 00002082 ____A C:\Users\Administrator\Desktop\PaintTool SAI.lnk
2012-05-03 19:30 - 2007-12-25 06:56 - 00133264 ____A C:\Users\Matt (Absoltastic)\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-02 19:08 - 2012-05-02 19:08 - 00016327 ____A C:\Users\Administrator\Documents\jarno smeets.odt
2012-05-01 06:03 - 2012-06-13 09:03 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-29 10:59 - 2010-12-27 11:21 - 00212524 ___AH C:\Windows\System32\mlfcache.dat
2012-04-23 08:00 - 2012-06-13 09:03 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 08:00 - 2012-06-13 09:03 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 08:00 - 2012-06-13 09:03 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-19 18:07 - 2012-04-19 18:07 - 00053152 ____A C:\Users\Administrator\Documents\ester.vf
2012-04-19 14:46 - 2012-04-19 14:46 - 00000168 ____A C:\Users\Administrator\Documents\sudbloop.txt
2012-04-16 17:56 - 2012-04-16 17:56 - 00000873 ____A C:\Users\Public\Desktop\GIMP 2.lnk
2012-04-15 11:31 - 2012-04-15 11:31 - 00009318 ____A C:\Users\Administrator\Documents\time stream of conscience.odt
2012-04-14 19:46 - 2006-11-02 04:49 - 00061550 ____A C:\Windows\setupact.log
2012-04-12 16:55 - 2012-04-11 16:51 - 00107296 ____A C:\Users\Administrator\Documents\catapult.vf
2012-04-11 19:40 - 2012-04-09 19:54 - 00066288 ____A C:\Users\Administrator\Documents\roboprezz.vf
2012-04-10 20:31 - 2012-04-10 20:31 - 02303488 ____A (Python Software Foundation) C:\Windows\System32\python27.dll


ZeroAccess:
C:\Windows\Installer
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\@
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\L
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\n
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\L\00000004.@
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\L\201d3dde
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\00000004.@
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\00000008.@
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\000000cb.@
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000000.@
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000032.@

ZeroAccess:
C:\Users\Administrator\AppData\Local
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\@
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\L
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\n
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\L\00000004.@
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\00000004.@
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\00000008.@
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\000000cb.@
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000000.@
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000032.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 33%
Total physical RAM: 1014.63 MB
Available physical RAM: 673.47 MB
Total Pagefile: 876.18 MB
Available Pagefile: 750.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (SQ004525V02) (Fixed) (Total:73.06 GB) (Free:6.55 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS
4 Drive f: (BULLDOG) (Removable) (Total:3.72 GB) (Free:3.24 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 1099 KB
Disk 1 Online 3822 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 73 GB 1501 MB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C SQ004525V02 NTFS Partition 73 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F BULLDOG FAT32 Removable 3818 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-06 08:16

======================= End Of Log ==========================

Edited by CommanderButter, 06 July 2012 - 04:21 PM.
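The two ZeroAccess blocks in the FRST log above share one layout: a GUID-named folder (here `{98f1a014-7f02-6400-f9a4-fa147a793bee}`) under `C:\Windows\Installer` and under the user's `AppData\Local`, holding files `@` and `n` plus `L` and `U` subfolders whose contents are named like `00000004.@`. The script below is an added example, not part of the original post and not FRST's own code: it scans the immediate children of given parent directories for that layout. The sample tree it builds in a temp directory is constructed for the demo (one folder copied from the log's layout and one benign GUID folder that must not be flagged); the parents to pass on a real machine are the two paths the log names.

```python
r"""
Added example, not from the original thread or from FRST/Farbar: a small
scanner for the ZeroAccess folder layout reported in the FRST log above.

Pattern taken from the log: a subfolder named like a GUID, holding files
'@' and 'n' and subfolders 'L' and 'U' whose contents are named
<8 hex digits>.@ (e.g. 00000004.@, 80000032.@).
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# On the thread's machine the parents to scan were
#   C:\Windows\Installer  and  C:\Users\Administrator\AppData\Local
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
PAYLOAD_NAME = re.compile(r"^[0-9a-f]{8}\.@$", re.I)
MARKERS = ("@", "n", "L", "U")


@dataclass
class Hit:
    path: str
    markers: list = field(default_factory=list)   # which of @, n, L, U exist
    payloads: list = field(default_factory=list)  # *.@ files under L and U


def inspect_candidate(path):
    """Return a Hit if `path` matches the ZeroAccess store layout, else None."""
    if not os.path.isdir(path) or not GUID_DIR.match(os.path.basename(path)):
        return None
    entries = set(os.listdir(path))
    markers = [m for m in MARKERS if m in entries]
    payloads = []
    for sub in ("L", "U"):
        subdir = os.path.join(path, sub)
        if os.path.isdir(subdir):
            payloads += [os.path.join(subdir, f)
                         for f in sorted(os.listdir(subdir))
                         if PAYLOAD_NAME.match(f)]
    # GUID-named folders under C:\Windows\Installer are normal (MSI caches),
    # so require the '@' marker and at least one payload-named file.
    if "@" in markers and payloads:
        return Hit(path, markers, payloads)
    return None


def find_zeroaccess_dirs(parents):
    """Check the immediate children of each parent; missing parents are skipped."""
    hits = []
    for parent in parents:
        if not os.path.isdir(parent):
            continue
        for name in sorted(os.listdir(parent)):
            hit = inspect_candidate(os.path.join(parent, name))
            if hit:
                hits.append(hit)
    return hits


def build_sample_tree(base):
    """Constructed sample tree: one folder mirroring the log's layout and one
    benign GUID folder that must not be flagged. Returns the parent to scan."""
    parent = os.path.join(base, "Installer")
    bad = os.path.join(parent, "{98f1a014-7f02-6400-f9a4-fa147a793bee}")
    os.makedirs(os.path.join(bad, "L"))
    os.makedirs(os.path.join(bad, "U"))
    for rel in (("@",), ("n",), ("L", "00000004.@"), ("L", "201d3dde"),
                ("U", "00000004.@"), ("U", "80000032.@")):
        open(os.path.join(bad, *rel), "wb").close()
    benign = os.path.join(parent, "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    open(os.path.join(benign, "setup.msi"), "wb").close()
    return parent


def demo():
    """Build the sample tree in a temp dir and scan it; returns the hits."""
    base = tempfile.mkdtemp(prefix="za_demo_")
    parent = build_sample_tree(base)
    return find_zeroaccess_dirs([parent, os.path.join(base, "does_not_exist")])


if __name__ == "__main__":
    for h in demo():
        print(h.path, "markers:", h.markers)
        for p in h.payloads:
            print("   ", p)
```

The check deliberately requires both the `@` marker and a payload-named file under `L` or `U`: a GUID-named folder on its own is exactly what the Windows Installer cache looks like, so matching the name alone would flood a real scan with false positives.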


#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 July 2012 - 04:35 PM

Hi

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee}
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
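The first line of the fixlist above, `SubSystems: [Windows] ==> ZeroAccess`, targets a registry value rather than a file: the `Windows` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems`, which lists the server DLLs that csrss.exe loads (the Fixlog in the next post reports it restored). The script below is an added example, not part of this reply and not FRST's code, showing how to audit that value. Assumptions, labelled as such: the value consists of `ServerDll=<module>[:<entry>],<index>` tokens; on a clean Vista/7 system the modules are only basesrv, winsrv and (on 7) sxssrv; and ZeroAccess is known to point one of those entries at its own module. Both sample values are constructed for the demo, not read from this machine.

```python
r"""
Added example, not part of the original thread or of FRST: audit the
"Windows" value under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
for ServerDll= entries that do not belong to the OS.

Assumptions (not taken from the thread): the value is a list of
"ServerDll=<module>[:<entry>],<index>" tokens, and on a clean Vista/7
system the modules are only basesrv, winsrv and (on 7) sxssrv.
"""
import sys
from dataclasses import dataclass

ALLOWED_MODULES = {"basesrv", "winsrv", "sxssrv"}
SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Constructed clean Vista-style value (not copied from the thread's machine).
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,12288,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 "
    "ProfileControl=Off MaxRequestThreads=16"
)
# Constructed infected value: the console ServerDll now names a module that
# is not one of the OS's own (modelled on the ZeroAccess technique).
INFECTED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2")


@dataclass
class ServerDll:
    module: str   # bare module name, lower-cased, without .dll or path
    entry: str    # exported init routine, if given
    index: str    # subsystem index after the comma
    raw: str      # the original token


def parse_server_dlls(value):
    """Split the REG_EXPAND_SZ value into its ServerDll= entries."""
    out = []
    for token in value.split():
        if not token.lower().startswith("serverdll="):
            continue
        spec = token[len("ServerDll="):]
        index = ""
        if "," in spec:
            spec, _, index = spec.rpartition(",")
        module, _, entry = spec.partition(":")
        # Tolerate "winsrv.dll" or a full path; compare on the bare name.
        module = module.replace("\\", "/").split("/")[-1].lower()
        if module.endswith(".dll"):
            module = module[:-4]
        out.append(ServerDll(module, entry, index, token))
    return out


def audit_subsystems_value(value, allowed=ALLOWED_MODULES):
    """Return entries to look at: unknown ServerDll modules, and a pseudo-entry
    '<host>' if the value no longer starts with csrss.exe at all."""
    findings = [d for d in parse_server_dlls(value) if d.module not in allowed]
    tokens = value.split()
    first = tokens[0].lower() if tokens else ""
    if not first.endswith("csrss.exe"):
        findings.append(ServerDll("<host>", "", "", first))
    return findings


def read_live_value():
    """Read the real value on a Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    for label, value in (("clean sample", CLEAN_VALUE),
                         ("infected sample", INFECTED_VALUE)):
        bad = audit_subsystems_value(value)
        print(f"{label}: {'OK' if not bad else 'SUSPICIOUS'}")
        for d in bad:
            print("   ", d.raw)
    live = read_live_value()
    if live is not None:
        print("this host:", [d.raw for d in audit_subsystems_value(live)] or "OK")
```

Run it on the infected machine (it only reads the registry; the fix itself is FRST's job as described above) and any `ServerDll=` entry whose module is not basesrv/winsrv/sxssrv is the one to investigate, together with the DLL of that name in System32.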


#5 CommanderButter
  • Topic Starter

  • Members
  • 13 posts

Posted 06 July 2012 - 10:14 PM

Alright! It seems after ComboFix my browser has returned to its former glory with no redirects thus far, but McAfee is still having issues updating, though real-time scanning actually turns on now. In ComboFix, I got numerous "Access Denied" errors about admin privileges, to be more precise as soon as the admin window opened, at stage 38, and after deleting files before the log making, but otherwise it seemed to have run its course through the system without issue. After Farbar, my desktop icons became huge for some reason, but ComboFix managed to fix that. Is there anything I can do to ensure this doesn't happen again? Also, is there anything evident that can help McAfee Total Protection update again? Here are the requested logs.

FARBAR:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 06-07-2012 03
Ran by SYSTEM at 2012-07-06 17:04:59 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
C:\Windows\Installer\{98f1a014-7f02-6400-f9a4-fa147a793bee} moved successfully.
C:\Users\Administrator\AppData\Local\{98f1a014-7f02-6400-f9a4-fa147a793bee} moved successfully.

==== End of Fixlog ====

COMBOFIX:

ComboFix 12-07-06.02 - Administrator 07/06/2012 20:34:36.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1014.265 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\58357AB769.sys
c:\windows\assembly\GAC\Desktop.ini
c:\windows\security\Database\tmp.edb
c:\windows\system32\office.exe
c:\windows\system32\tempdir
c:\windows\system32\tempdir\tinypdf.chm
c:\windows\system32\tempdir\tinypdf.dll
c:\windows\system32\tempdir\tinypdf1.dll
c:\windows\system32\tempdir\tinypdf2.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 01:59 . 2012-07-07 01:59 -------- d-----w- c:\users\Matt (Absoltastic)\AppData\Local\temp
2012-07-07 01:59 . 2012-07-07 02:04 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-07 00:13 . 2012-07-07 00:13 -------- d-----w- C:\FRST
2012-07-05 19:24 . 2012-07-05 19:24 -------- d-----w- c:\program files\ESET
2012-06-30 03:26 . 2012-07-07 01:18 -------- d-----w- c:\program files\Steam
2012-06-25 06:15 . 2012-06-25 06:15 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-25 06:15 . 2012-06-25 06:15 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-23 09:15 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-23 09:15 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-23 09:15 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-23 09:15 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 09:13 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-23 09:13 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-17 03:46 . 2012-06-17 03:46 -------- d-----w- c:\users\Administrator\AppData\Local\SmallBasic
2012-06-17 03:41 . 2012-06-17 03:41 923416 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{7AAA27E4-CDB3-49C0-AA2D-41827C001BA3}\StartMenuIcon.exe
2012-06-17 03:41 . 2012-06-17 03:41 -------- d-----w- c:\program files\Microsoft
2012-06-17 03:13 . 2012-06-30 04:00 -------- d-----w- c:\users\Administrator\AppData\Roaming\.minecraft
2012-06-16 14:22 . 2012-06-16 14:22 -------- d-----w- c:\program files\Dropbox
2012-06-13 17:03 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 17:03 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 17:03 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 17:03 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 17:03 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-06-07 03:31 . 2012-06-07 03:32 -------- d-----w- c:\users\Administrator\AppData\Local\Deployment
2012-06-07 03:03 . 2012-06-07 03:03 -------- d-----w- c:\windows\system32\xlive
2012-06-07 03:03 . 2012-06-07 03:03 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2012-06-07 03:02 . 2012-06-07 03:02 -------- d-----w- c:\program files\Microsoft XNA
2012-06-07 02:50 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-06-07 02:50 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-06-07 02:45 . 2012-06-07 02:45 -------- d-----w- c:\windows\system32\RsFx
2012-06-07 02:42 . 2012-06-07 02:42 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2012-06-07 02:42 . 2012-06-07 02:42 -------- d-----w- c:\windows\system32\1033
2012-06-07 02:32 . 2012-06-07 02:46 -------- d-----w- c:\program files\Microsoft SQL Server
2012-06-07 02:32 . 2012-06-07 02:32 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-06-07 02:32 . 2012-06-07 02:32 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-06-07 02:25 . 2012-06-07 02:25 -------- d-----w- c:\program files\Microsoft Help Viewer
2012-06-07 02:25 . 2012-06-17 18:19 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2012-06-07 02:25 . 2012-06-07 02:25 -------- d-----w- c:\program files\Microsoft SDKs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-04 15:50 . 2012-04-14 12:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-04 15:50 . 2011-05-28 22:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-30 09:14 . 2012-06-07 02:30 190656 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2012-06-30 09:09 . 2012-06-17 18:26 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2012-04-11 04:31 . 2012-04-11 04:31 2303488 ----a-w- c:\windows\system32\python27.dll
2012-06-25 06:15 . 2012-02-20 01:32 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-12-14 02:49 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Steam"="c:\program files\Steam\Steam.exe" [2012-06-30 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-23 894248]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NDSTray.exe"="NDSTray.exe" [BU]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-09-27 106496]
"WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2005-09-27 266240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2008-08-04 21:22 160800 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-05 01:19]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-05 01:19]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 01:40]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - (no file)
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
MSConfigStartUp-nmctxth - c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
MSConfigStartUp-Performance Center - c:\program files\Ascentive\Performance Center\APCMain.exe
AddRemove-Neopets - c:\program files\Neopets\uninst.exe
AddRemove-_{E1A63F75-1F72-4450-980D-434496FFC646} - c:\program files\Corel\Corel Painter Essentials 4\MSILauncher {E1A63F75-1F72-4450-980D-434496FFC646}
AddRemove-{2C08D7E7-9EE1-4A08-AFE0-745F02DCD6A4}_is1 - c:\users\Administrator\Pokemon Online\unins000.exe
AddRemove-UnityWebPlayer - c:\users\Administrator\AppData\Local\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}"=hex:51,66,7a,6c,4c,1d,3b,1b,58,a1,a8,
16,e7,ed,27,06,92,52,0e,34,ba,8e,ac,79
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,3b,1b,21,81,16,
e7,69,9b,45,03,a3,33,c9,b7,2d,92,19,1e
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,c1,f9,
a5,56,95,bb,5c,a0,e5,5f,fe,cd,4e,f9,12
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,3b,1b,8f,81,97,
1e,e4,9f,32,00,a4,75,27,15,79,2f,ac,ae
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,3b,1b,b0,ca,a1,
65,72,25,12,03,aa,85,3c,57,f4,58,1e,2c
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,cb,23,
88,31,1b,d4,07,92,c4,0e,3a,72,4c,2f,db
"{B164E929-A1B6-4A06-B104-2CD0E90A88FF}"=hex:51,66,7a,6c,4c,1d,3b,1b,39,f6,77,
a9,85,f6,6d,07,ad,0c,73,8e,ed,4e,c4,e2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,3b,1b,54,1f,db,
c3,76,f3,30,0e,a0,7c,c3,7b,c5,81,c4,b4
"{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}"=hex:51,66,7a,6c,4c,1d,3b,1b,50,e1,ed,
f8,ca,ac,c5,0f,a6,50,26,12,a3,a7,b7,4e
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:4a,29,67,ca,bb,f1,cc,01
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,4a,4c,4a,88,de,f2,46,9d,71,27,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,4a,4c,4a,88,de,f2,46,9d,71,27,\
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.agif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\photoviewer.dll"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\WMPlayer.exe"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="MPEGFile"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ram\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\IExplore.exe"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3384)
c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WTouch\WTouchService.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\windows\system32\mfevtps.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\Pen_Tablet.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\WTouch\WTouchUser.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\ATK Hotkey\Hcontrol.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\Pen_Tablet.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\RacAgent.exe
.
**************************************************************************
.
Completion time: 2012-07-06 21:23:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 02:21
.
Pre-Run: 5,715,947,520 bytes free
Post-Run: 6,141,906,944 bytes free
.
- - End Of File - - 254E723DC5D97866EC3652FDBDE06D1F
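The ComboFix log above ends with a LOCKED REGISTRY KEYS section: each key is followed by @Denied:/@Allowed: lines naming the principals its ACL refuses or grants, and the reply that follows turns the keys denied to Administrator into a RegLock:: CFScript by hand. As an added example, not code from this thread or from the ComboFix project, here is a small Python parser that makes that selection from the log text. The embedded SAMPLE_LOG is a constructed, trimmed copy of the section's shape with a made-up user SID, and the function names are my own.

```python
import re

# Constructed sample (not from the thread): a trimmed copy of the shape of
# ComboFix's "LOCKED REGISTRY KEYS" section, with a made-up user SID.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-0-0-0-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}"=hex:51,66,7a,6c
.
[HKEY_USERS\S-1-5-21-0-0-0-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

SECTION_START = "LOCKED REGISTRY KEYS"
# A key header looks like "[HKEY_...\...]"; a denial line like "@Denied: (2) (Administrator)".
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DENIED_RE = re.compile(r"^@Denied:\s*\((\w+)\)\s*\((.+)\)$")


def locked_keys(log_text):
    """Return [(key_path, [denied principals]), ...] for every key listed in
    the LOCKED REGISTRY KEYS section of a ComboFix log (hypothetical helper)."""
    in_section = False
    keys = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_START in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-----"):
            # Next dashed section header: the locked-keys section is over.
            break
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), [])
            keys.append(current)
            continue
        m = DENIED_RE.match(line)
        if m and current is not None:
            current[1].append(m.group(2))
        # Value lines ("Progid"=...) and "." separators are ignored.
    return keys


def reglock_script(log_text, principal="Administrator"):
    """Build the RegLock:: block of a ComboFix CFScript for the keys that
    deny access to `principal` (hypothetical helper, mirrors the hand-made list)."""
    lines = ["RegLock::"]
    for key, denied in locked_keys(log_text):
        if principal in denied:
            lines.append("[" + key + "]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(reglock_script(SAMPLE_LOG))
```

The third key in the sample, the HKLM AllUserSettings key, denies Users and Everyone but grants S-1-5-20, so it is left out of the Administrator script, which is the same choice the hand-written RegLock:: list in the next reply makes.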

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 July 2012 - 10:35 PM

Hi,

You may have to uninstall and then reinstall McAfee: use their removal tool to remove it completely, then start with a fresh installation and see if that resolves the issue.

Download and run the McAfee Removal Tool
Instructions can be found here
http://service.mcafee.com/FAQDocument.aspx?id=TS100507


We have a couple more scans to do to make certain you are clean, then I'll have some recommendations for you.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

RegLock::
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Internet Explorer\Approved Extensions]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.agif\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ram\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swf\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtm\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
[HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 CommanderButter (Topic Starter)

Posted 07 July 2012 - 05:09 PM

I am just about to reinstall McAfee, and here are the logs. ComboFix did the same admin thing as last time. The passview program was added by me once when I forgot some passwords.

COMBOFIX
----------------------------
ComboFix 12-07-07.04 - Administrator 07/07/2012 12:07:53.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1014.236 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 17:27 . 2012-07-07 17:31 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-07 17:27 . 2012-07-07 17:27 -------- d-----w- c:\users\Matt (Absoltastic)\AppData\Local\temp
2012-07-07 17:27 . 2012-07-07 17:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-07 00:13 . 2012-07-07 00:13 -------- d-----w- C:\FRST
2012-07-05 19:24 . 2012-07-05 19:24 -------- d-----w- c:\program files\ESET
2012-06-30 03:26 . 2012-07-07 17:00 -------- d-----w- c:\program files\Steam
2012-06-25 06:15 . 2012-06-25 06:15 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-25 06:15 . 2012-06-25 06:15 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-17 18:26 . 2012-06-30 09:09 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2012-06-17 03:46 . 2012-06-17 03:46 -------- d-----w- c:\users\Administrator\AppData\Local\SmallBasic
2012-06-17 03:41 . 2012-06-17 03:41 923416 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{7AAA27E4-CDB3-49C0-AA2D-41827C001BA3}\StartMenuIcon.exe
2012-06-17 03:41 . 2012-06-17 03:41 -------- d-----w- c:\program files\Microsoft
2012-06-17 03:13 . 2012-06-30 04:00 -------- d-----w- c:\users\Administrator\AppData\Roaming\.minecraft
2012-06-16 14:22 . 2012-06-16 14:22 -------- d-----w- c:\program files\Dropbox
2012-06-13 17:03 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 17:03 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 17:03 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 17:03 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-04 15:50 . 2012-04-14 12:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-04 15:50 . 2011-05-28 22:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-30 09:14 . 2012-06-07 02:30 190656 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2012-06-18 08:14 . 2012-07-07 16:30 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E89C9CAC-C62D-4629-ACA6-28BC4F85F62B}\mpengine.dll
2012-06-02 22:19 . 2012-06-23 09:15 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 09:15 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 09:14 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 09:14 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 09:15 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 09:15 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 09:14 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-23 09:13 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-23 09:13 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 17:25 . 2009-10-02 21:04 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-17 22:35 . 2012-06-16 09:07 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 19:51 . 2012-06-13 17:03 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 04:31 . 2012-04-11 04:31 2303488 ----a-w- c:\windows\system32\python27.dll
2012-06-25 06:15 . 2012-02-20 01:32 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Steam"="c:\program files\Steam\Steam.exe" [2012-06-30 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-23 894248]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"NDSTray.exe"="NDSTray.exe" [BU]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-09-27 106496]
"WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2005-09-27 266240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2008-08-04 21:22 160800 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
R2 0094441341677188mcinstcleanup;McAfee Application Installer Cleanup (0094441341677188);c:\users\ADMINI~1\AppData\Local\Temp\009444~1.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-05 01:19]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-05 01:19]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 01:40]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1240)
c:\users\Administrator\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WTouch\WTouchService.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\Pen_Tablet.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\ATK Hotkey\Hcontrol.exe
c:\windows\system32\Pen_Tablet.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WerCon.exe
.
**************************************************************************
.
Completion time: 2012-07-07 12:43:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 17:41
ComboFix2.txt 2012-07-07 02:23
.
Pre-Run: 5,946,339,328 bytes free
Post-Run: 5,841,104,896 bytes free
.
- - End Of File - - B41B1E3558A55D05DCD332A1C2C954AE

MBAM
------------------------
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.07.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: MATTSPC [administrator]

7/7/2012 12:47:39 PM
mbam-log-2012-07-07 (12-47-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228331
Time elapsed: 17 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET
------------------

C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\n Win32/Sirefef.EV trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\{98f1a014-7f02-6400-f9a4-fa147a793bee}\n Win32/Sirefef.EV trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\Users\Administrator\Desktop\a trillion random hings\operapassview.zip Win32/PSWTool.OperaPassView application
C:\Users\Administrator\Desktop\a trillion random hings\operapassview\OperaPassView.exe Win32/PSWTool.OperaPassView application

Edited by CommanderButter, 07 July 2012 - 05:10 PM.
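As an added example (not part of the post above and not an ESET tool), here is a small Python triage script for an ESETSCAN export of the kind posted above. It splits each line into path, detection name and object type, groups hits by family, tells contained hits (FRST's quarantine, ComboFix's Qoobox backup) apart from live ones, and recognises the GUID folder with an "n" file and a "U\<8 hex digits>.@" payload folder, which is the layout Sirefef (ZeroAccess) uses and is what the six quarantined hits in the log are. The CONTAINED_DIRS list and the layout regexes are assumptions of the example; the sample lines are the eight from the post.

```python
"""Triage an ESET Online Scanner text export (added example, not ESET code)."""
import re
from collections import Counter
from typing import List, NamedTuple

# One export line is "<path> <detection name> <object type>".  Detection names
# carry a platform prefix ending in a slash (Win32/, JS/, ...) and Windows
# paths never contain a forward slash, so the first "<space><prefix>/" after
# the path marks where the name starts.  "a variant of" is an ESET heuristic
# qualifier and belongs to the name.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:(?:probably )?a variant of )?[A-Za-z0-9_]+/[A-Za-z0-9_.\-]+)"
    r"(?:\s+(?P<kind>.+))?$"
)

# Assumed list of folders where a hit is already contained rather than live.
CONTAINED_DIRS = ("\\quarantine\\", "\\qoobox\\")

# Sirefef (ZeroAccess) store: a GUID-named folder holding a file "n" and a
# "U" subfolder of "<8 hex digits>.@" payloads, as seen in the log above.
ZA_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)
ZA_FILE_RE = re.compile(r"(?:\\n|\\U\\[0-9a-f]{8}\.@)$", re.I)


class Hit(NamedTuple):
    path: str
    name: str        # e.g. "a variant of Win32/Sirefef.FA"
    kind: str        # e.g. "trojan", "application"
    family: str      # e.g. "Sirefef"
    contained: bool  # already inside a quarantine/backup folder


def family_of(name: str) -> str:
    """'a variant of Win32/Sirefef.FA' -> 'Sirefef'."""
    return name.split("/", 1)[1].split(".", 1)[0]


def parse_line(line: str) -> Hit:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised ESET export line: {line!r}")
    path, name = m.group("path"), m.group("name")
    return Hit(path=path, name=name, kind=m.group("kind") or "",
               family=family_of(name),
               contained=any(d in path.lower() for d in CONTAINED_DIRS))


def parse_report(text: str) -> List[Hit]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def zeroaccess_layout(path: str) -> bool:
    """True when the path has the GUID folder + n / U\\xxxxxxxx.@ shape."""
    return bool(ZA_DIR_RE.search(path) and ZA_FILE_RE.search(path))


def summarize(hits: List[Hit]):
    """Return (hits per family, hits that are still live outside quarantine)."""
    by_family = Counter(h.family for h in hits)
    live = [h for h in hits if not h.contained]
    return by_family, live


# Sample input: the eight lines of the ESET export in the post above.
SAMPLE = r"""
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\n Win32/Sirefef.EV trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\{98f1a014-7f02-6400-f9a4-fa147a793bee}\n Win32/Sirefef.EV trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{98f1a014-7f02-6400-f9a4-fa147a793bee}\{98f1a014-7f02-6400-f9a4-fa147a793bee}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\Users\Administrator\Desktop\a trillion random hings\operapassview.zip Win32/PSWTool.OperaPassView application
C:\Users\Administrator\Desktop\a trillion random hings\operapassview\OperaPassView.exe Win32/PSWTool.OperaPassView application
"""

if __name__ == "__main__":
    hits = parse_report(SAMPLE)
    by_family, live = summarize(hits)
    for fam, n in by_family.most_common():
        print(f"{fam}: {n} hit(s)")
    for h in live:
        print(f"LIVE  {h.kind:12s} {h.name}  {h.path}")
    for h in hits:
        if zeroaccess_layout(h.path):
            print(f"Sirefef store layout: {h.path}")
```

On this log the script reports six Sirefef hits, all already inside C:\FRST\Quarantine, and two PSWTool hits on the user's own OperaPassView download, which ESET reports as an "application" rather than a trojan, consistent with the poster's note that they added it themselves. The same regex handles paths with spaces because Windows paths cannot contain the forward slash that every ESET detection name contains.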


#8 CatByte (Malware Response Team)

Posted 07 July 2012 - 05:19 PM

OK, everything else is already in quarantine, so we don't have to be concerned.

Let's have a look and see if there are any concerns with those permissions, please run the following:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\WINDOWS).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Please advise if there are any other issues



#9 CommanderButter (Topic Starter)

Posted 07 July 2012 - 10:25 PM

It seems McAfee keeps saying it is not able to install any of its components, but I feel like that may be due to the recent antivirus installations. Here is the Junction log. The internet is now working great, though, and it did manage to download the latest version before saying it could not complete installation.


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0b33a0edf38dc425e7920fafa1219de3_a44d332a-a682-4e28-9da5-754e7bac965b: Access is denied.


...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.



Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{feee8c13-c881-11e1-90f4-001d60f22ad4}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{feee8c1f-c881-11e1-90f4-001d60f22ad4}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.


\\?\c:\\Users\All Users: SYMBOLIC LINK
Print Name : C:\ProgramData
Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Users\Administrator\Application Data: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming
Substitute Name: C:\Users\Administrator\AppData\Roaming

\\?\c:\\Users\Administrator\Cookies: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Administrator\Local Settings: JUNCTION
Print Name : C:\Users\Administrator\AppData\Local
Substitute Name: C:\Users\Administrator\AppData\Local

\\?\c:\\Users\Administrator\My Documents: JUNCTION
Print Name : C:\Users\Administrator\Documents
Substitute Name: C:\Users\Administrator\Documents

\\?\c:\\Users\Administrator\NetHood: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Administrator\PrintHood: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Administrator\Recent: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Administrator\SendTo: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Administrator\Start Menu: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Administrator\Templates: JUNCTION
Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Administrator\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Administrator\AppData\Local
Substitute Name: C:\Users\Administrator\AppData\Local

\\?\c:\\Users\Administrator\AppData\Local\History: JUNCTION
Print Name : C:\Users\Administrator\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Administrator\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Administrator\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files



...

\\?\c:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates



.
Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\0b33a0edf38dc425e7920fafa1219de3_a44d332a-a682-4e28-9da5-754e7bac965b: Access is denied.


...

\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Matt (Absoltastic)\Application Data: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming

\\?\c:\\Users\Matt (Absoltastic)\Cookies: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Matt (Absoltastic)\Local Settings: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Local
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Local

\\?\c:\\Users\Matt (Absoltastic)\My Documents: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\Documents
Substitute Name: C:\Users\Matt (Absoltastic)\Documents

\\?\c:\\Users\Matt (Absoltastic)\NetHood: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Matt (Absoltastic)\PrintHood: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Matt (Absoltastic)\Recent: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Matt (Absoltastic)\SendTo: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Matt (Absoltastic)\Start Menu: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Matt (Absoltastic)\Templates: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Matt (Absoltastic)\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Local
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Local

\\?\c:\\Users\Matt (Absoltastic)\AppData\Local\History: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Matt (Absoltastic)\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Matt (Absoltastic)\AppData\Local\Microsoft\Windows\Temporary Internet Files

.
Failed to open \\?\c:\\Users\Matt (Absoltastic)\AppData\Local\Microsoft\CardSpace\CardSpace.db: Access is denied.



Failed to open \\?\c:\\Users\Matt (Absoltastic)\AppData\Local\Microsoft\CardSpace\CardSpace.db.shadow: Access is denied.




...

\\?\c:\\Users\Matt (Absoltastic)\Documents\My Music: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\Music
Substitute Name: C:\Users\Matt (Absoltastic)\Music

\\?\c:\\Users\Matt (Absoltastic)\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\Pictures
Substitute Name: C:\Users\Matt (Absoltastic)\Pictures

\\?\c:\\Users\Matt (Absoltastic)\Documents\My Videos: JUNCTION
Print Name : C:\Users\Matt (Absoltastic)\Videos
Substitute Name: C:\Users\Matt (Absoltastic)\Videos

...

\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

...
Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.




...

EDIT: As of right now, I am updating Adobe Reader. I figured out a problem, too. Reader can't complete because it is trying to install to the E drive. Any way I can change that?

FURTHER EDIT: I found in the registry that My Pictures was in E for some reason. Changed it back to %USERPROFILE%\Pictures and trying again in a second.

Edited by CommanderButter, 07 July 2012 - 10:51 PM.


#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:07 AM

Posted 08 July 2012 - 08:41 AM

Please run the following:
  • Please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:

c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0b33a0edf38dc425e7920fafa1219de3_a44d332a-a682-4e28-9da5-754e7bac965b
c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{feee8c13-c881-11e1-90f4-001d60f22ad4}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{feee8c1f-c881-11e1-90f4-001d60f22ad4}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\0b33a0edf38dc425e7920fafa1219de3_a44d332a-a682-4e28-9da5-754e7bac965b
c:\\Users\Matt (Absoltastic)\AppData\Local\Microsoft\CardSpace\CardSpace.db
c:\\Users\Matt (Absoltastic)\AppData\Local\Microsoft\CardSpace\CardSpace.db.shadow
c:\\Windows\System32\LogFiles\WMI\RtBackup

  • Now click Unlock.
  • When it is done, click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run from.


NEXT

Download OTL to your Desktop
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
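The OTL log requested above lists every service and driver on one line in a fixed shape: a bracketed timestamp/size block, the file's embedded company name in parentheses, the start type and state, the registered image path, and the service name; entries whose file no longer exists are printed as "File not found" instead of the size block. As an added example (not OldTimer's code and not anything posted in this thread), here is a small Python triage helper that parses lines in that format and flags the two things a malware-response helper scans for first: orphaned registrations whose file is gone, and loaded files that carry no company name at all. The sample lines are constructed from the format of the log posted later in this thread; the parser, the `Entry` type and the flagging rules are my own assumptions, not part of OTL.

```python
"""Triage helper for OTL-style scan logs.

Added example: not part of OTL (OldTimer) and not code from this thread.
It parses the "SRV - ..." and "DRV - ..." lines of the Win32 Services and
Driver Services sections and flags entries a responder checks first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the OTL line format (abbreviated from the log posted in this thread).
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2012/05/25 17:13:56 | 000,151,912 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2012/05/25 17:07:30 | 000,161,664 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2012/02/22 13:29:46 | 000,464,304 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2005/12/18 20:42:12 | 000,008,801 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\DScaler\DSDrv4.sys -- (DSDrv4)
"""

# One regex covers both shapes of a service/driver line:
#   KIND - File not found [start | state] -- path -- (name)
#   KIND - [date time | size | attrs | M] (company) [start | state] -- path -- (name)
LINE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)"
    r"|\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attr>[^|]+) \| M\] \((?P<company>[^)]*)\))"
    r" \[(?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)"
)


@dataclass
class Entry:
    kind: str                      # "SRV" (Win32 service) or "DRV" (kernel driver)
    name: str                      # registry name of the service/driver
    path: str                      # image path as registered
    state: str                     # e.g. "Auto | Running" or "Kernel | On_Demand | Stopped"
    file_missing: bool             # True when OTL printed "File not found"
    company: Optional[str] = None  # embedded company name; "" when the file has none
    size: Optional[int] = None     # file size in bytes, None when the file is missing


def parse_otl(text: str) -> List[Entry]:
    """Parse every SRV/DRV line; headers and other record types (PRC, MOD, ...) are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        missing = m.group("missing") is not None
        entries.append(Entry(
            kind=m.group("kind"),
            name=m.group("name"),
            path=m.group("path"),
            state=m.group("state"),
            file_missing=missing,
            company=None if missing else m.group("company"),
            size=None if missing else int(m.group("size").replace(",", "")),
        ))
    return entries


def triage(entries: List[Entry]) -> List[str]:
    """Return one finding per entry that deserves a second look.

    An orphaned registration is usually a leftover from an uninstalled tool,
    but it can also be a removed payload whose autostart survived. A file
    with no company name is simply unidentified: check its hash against the
    vendor before trusting it or deleting it.
    """
    findings: List[str] = []
    for e in entries:
        if e.file_missing:
            findings.append(f"{e.kind} {e.name}: registered as {e.path} but the file is missing (orphaned entry)")
        elif e.company == "":
            findings.append(f"{e.kind} {e.name}: {e.path} carries no company name; verify publisher/hash ({e.state})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_otl(SAMPLE_LOG)):
        print(finding)
```

Run it on a real OTL.Txt by replacing `SAMPLE_LOG` with the file's contents; the point of keeping the two rules separate is that an orphaned entry is cleanup, whereas an unnamed file that is still running is the one to identify before anything is removed.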


#11 CommanderButter
  • Topic Starter
  • Members
  • 13 posts
  • Local time:12:07 AM

Posted 09 July 2012 - 07:56 AM

Thanks so much for the help so far! I am currently out of town for a couple days, so please don't shut down the topic.

#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:07 AM

Posted 09 July 2012 - 10:27 AM

No problem, I'll leave the thread open.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CommanderButter
  • Topic Starter
  • Members
  • 13 posts
  • Local time:12:07 AM

Posted 11 July 2012 - 12:51 AM

I have returned! Thank you so much. I had some problems running OTL: it hit some sort of error when it reached a certain application usage log, but that was far into the scan, after the custom sectors and restore, I believe. Here are the logs.

GrantPerms by Farbar
Ran by Administrator (administrator) at 2012-07-08 11:11:06

===============================================
\\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0b33a0edf38dc425e7920fafa1219de3_a44d332a-a682-4e28-9da5-754e7bac965b

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{feee8c13-c881-11e1-90f4-001d60f22ad4}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{feee8c1f-c881-11e1-90f4-001d60f22ad4}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
\\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\0b33a0edf38dc425e7920fafa1219de3_a44d332a-a682-4e28-9da5-754e7bac965b

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Users\Matt (Absoltastic)\AppData\Local\Microsoft\CardSpace\CardSpace.db

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Users\Matt (Absoltastic)\AppData\Local\Microsoft\CardSpace\CardSpace.db.shadow

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Windows\System32\LogFiles\WMI\RtBackup

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


-----------------------

OTL logfile created on: 7/10/2012 11:39:48 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Administrator\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.48 Mb Total Physical Memory | 97.78 Mb Available Physical Memory | 9.64% Memory free
2.24 Gb Paging File | 0.85 Gb Available in Paging File | 38.10% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 73.06 Gb Total Space | 5.64 Gb Free Space | 7.71% Space Free | Partition Type: NTFS

Computer Name: MATTSPC | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/08 11:09:42 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
PRC - [2012/06/29 22:28:06 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2012/05/25 17:13:56 | 000,151,912 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2012/05/25 17:07:30 | 000,161,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2012/05/25 17:07:04 | 000,166,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2012/04/04 00:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2009/07/15 11:13:06 | 003,662,632 | ---- | M] (Wacom Technology, Corp.) -- C:\Program Files\WTouch\WTouchUser.exe
PRC - [2009/07/15 11:13:04 | 000,393,512 | ---- | M] (Wacom Technology, Corp.) -- C:\Windows\System32\WTablet\Pen_TabletUser.exe
PRC - [2009/07/15 11:13:04 | 000,112,936 | ---- | M] (Wacom Technology, Corp.) -- C:\Program Files\WTouch\WTouchService.exe
PRC - [2009/07/15 11:13:02 | 004,408,616 | ---- | M] (Wacom Technology, Corp.) -- C:\Windows\System32\Pen_Tablet.exe
PRC - [2009/04/11 01:28:11 | 001,143,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wercon.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/11/13 13:17:38 | 000,439,616 | ---- | M] () -- C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
PRC - [2008/08/04 16:22:18 | 000,164,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2007/07/26 18:20:02 | 000,077,824 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2007/07/20 22:45:16 | 001,372,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2007/07/06 13:06:52 | 004,669,440 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/06/19 17:28:32 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
PRC - [2007/04/24 18:00:10 | 000,225,280 | ---- | M] (ATK0100) -- C:\Program Files\ATK Hotkey\HControl.exe
PRC - [2007/03/22 19:09:28 | 002,420,736 | ---- | M] () -- C:\Program Files\ATK Hotkey\ATKOSD.exe
PRC - [2007/03/21 15:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 15:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/02/05 20:13:14 | 000,094,208 | ---- | M] () -- C:\Program Files\ATK Hotkey\ASLDRSrv.exe
PRC - [2007/01/25 19:50:26 | 000,063,096 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2007/01/25 19:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/11/14 22:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 18:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/25 20:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2005/09/27 06:00:38 | 000,106,496 | ---- | M] (InterVideo Inc.) -- C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
PRC - [2005/09/27 04:47:50 | 000,266,240 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/29 22:29:48 | 020,313,384 | ---- | M] () -- C:\Program Files\Steam\bin\libcef.dll
MOD - [2012/06/29 22:29:47 | 001,099,576 | ---- | M] () -- C:\Program Files\Steam\bin\avcodec-53.dll
MOD - [2012/06/29 22:29:47 | 000,895,312 | ---- | M] () -- C:\Program Files\Steam\bin\chromehtml.dll
MOD - [2012/06/29 22:29:47 | 000,190,776 | ---- | M] () -- C:\Program Files\Steam\bin\avformat-53.dll
MOD - [2012/06/29 22:29:47 | 000,123,192 | ---- | M] () -- C:\Program Files\Steam\bin\avutil-51.dll
MOD - [2012/01/08 08:41:12 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - File not found [Auto | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\009444~1.EXE -- (0094441341677188mcinstcleanup) McAfee Application Installer Cleanup (0094441341677188)
SRV - [2012/06/25 01:15:42 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/05/25 17:13:56 | 000,151,912 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2012/05/25 17:07:30 | 000,161,664 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2012/05/25 17:07:04 | 000,166,320 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2012/05/03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/04/04 00:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/03/16 10:42:06 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/07/15 11:13:04 | 000,112,936 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\Program Files\WTouch\WTouchService.exe -- (WTouchService)
SRV - [2009/07/15 11:13:02 | 004,408,616 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\Windows\System32\Pen_Tablet.exe -- (TabletServicePen)
SRV - [2008/11/13 13:17:38 | 000,439,616 | ---- | M] () [Auto | Running] -- C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2008/08/04 16:22:18 | 000,164,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/07/26 18:20:02 | 000,077,824 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2007/03/21 15:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/02/05 20:13:14 | 000,094,208 | ---- | M] () [Auto | Running] -- C:\Program Files\ATK Hotkey\ASLDRSrv.exe -- (ASLDRService)
SRV - [2007/01/25 19:50:26 | 000,063,096 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/01/25 19:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/11/14 22:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 18:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/25 20:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ManyCam.sys -- (ManyCam)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/02/22 13:29:46 | 000,464,304 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2012/02/22 13:29:46 | 000,340,920 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2012/02/22 13:29:46 | 000,180,848 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2012/02/22 13:29:46 | 000,169,608 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2012/02/22 13:29:46 | 000,121,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2012/02/22 13:29:46 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2012/02/22 13:29:46 | 000,064,912 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2012/02/22 13:29:46 | 000,059,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2012/02/22 13:29:46 | 000,057,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2009/06/10 06:52:58 | 000,347,648 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2009/05/20 17:14:32 | 000,013,224 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WacomVTHid.sys -- (WacomVTHid)
DRV - [2009/05/20 14:54:06 | 000,013,736 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wacomvhid.sys -- (wacomvhid)
DRV - [2009/04/10 23:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/03/30 03:09:28 | 000,239,336 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\RsFx0103.sys -- (RsFx0103)
DRV - [2009/01/30 16:29:50 | 000,015,656 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wacmoumonitor.sys -- (wacmoumonitor)
DRV - [2008/08/04 16:22:18 | 000,033,808 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nx6000.sys -- (MSHUSBVideo)
DRV - [2008/03/31 05:41:06 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007/07/30 13:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/26 18:18:04 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2007/02/24 16:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/02/16 14:12:36 | 000,011,312 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wacommousefilter.sys -- (wacommousefilter)
DRV - [2007/02/15 19:11:28 | 000,011,440 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WacomVKHid.sys -- (WacomVKHid)
DRV - [2007/01/23 18:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/12/14 17:11:58 | 000,007,680 | ---- | M] (ATK0100) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ATKACPI.sys -- (MTsensor)
DRV - [2006/11/28 17:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/09 16:32:28 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/09 16:31:46 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2006/10/18 13:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/09/27 22:06:56 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/09/19 12:46:00 | 000,016,512 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\TdeIo.sys -- (TDEIO)
DRV - [2005/12/18 20:42:12 | 000,008,801 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\DScaler\DSDrv4.sys -- (DSDrv4)
DRV - [2005/09/26 00:08:10 | 000,125,568 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avcgbdr.sys -- (avcgbdr)
DRV - [2005/08/17 08:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2005/08/17 07:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 07:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/07/28 03:28:10 | 000,019,712 | ---- | M] (Adaptec, Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avcgbfl.sys -- (avcgbfl)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {AA92D095-C753-4DB4-AD56-D7D271A28035}
IE - HKLM\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50-ie-aim-chromesbox-en-us
IE - HKLM\..\SearchScopes\{AA92D095-C753-4DB4-AD56-D7D271A28035}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage};
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2304157


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50-ie-aim-chromesbox-en-us
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\SearchScopes\{AA92D095-C753-4DB4-AD56-D7D271A28035}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage};&rlz=1I7TSHB_en
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2304157
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={searchTerms}
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: properties@darktrojan.net:6
FF - prefs.js..extensions.enabledItems: smarterwiki@wikiatic.com:4.3.7
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: netvideohunter@netvideohunter.com:1.7
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}:7.0
FF - prefs.js..extensions.enabledItems: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.4.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\Administrator\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Administrator\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Administrator\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Administrator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/05 22:16:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012/07/07 23:51:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/07 11:17:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/07 22:57:01 | 000,000,000 | ---D | M]

[2009/11/28 20:55:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2012/07/03 21:42:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\extensions
[2010/10/16 08:46:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/05/22 14:16:49 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/12/08 07:03:41 | 000,000,000 | ---D | M] ("NetVideoHunter") -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\extensions\netvideohunter@netvideohunter.com
[2012/01/05 07:26:33 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\extensions\screencaptureelite@plugin
[2010/01/09 10:37:19 | 000,001,227 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\searchplugins\facebook.xml
[2009/12/22 19:58:09 | 000,001,831 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\searchplugins\jellyneo-item-database-search.xml
[2010/07/14 20:56:07 | 000,002,321 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\searchplugins\smogon.xml
[2009/12/24 15:17:50 | 000,001,713 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mnlhe2w0.default\searchplugins\youtube-video-search.xml
[2011/12/08 07:02:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/07 23:51:37 | 000,000,000 | ---D | M] (McAfee ScriptScan for Firefox) -- C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE
[2012/07/03 21:42:03 | 000,340,684 | ---- | M] () (No name found) -- C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MNLHE2W0.DEFAULT\EXTENSIONS\{A7C6CF7F-112C-4500-A7EA-39801A327E5F}.XPI
[2012/06/25 01:16:04 | 000,097,400 | ---- | M] () (No name found) -- C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MNLHE2W0.DEFAULT\EXTENSIONS\PROPERTIES@DARKTROJAN.NET.XPI
[2012/06/25 01:15:44 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/06/01 00:58:00 | 000,611,224 | ---- | M] (Oracle Corporation) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/06/25 01:15:37 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/10 15:18:39 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
[2012/06/25 01:15:37 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Administrator\AppData\Local\Google\Chrome\Application\20.0.1132.47\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Administrator\AppData\Local\Google\Chrome\Application\20.0.1132.47\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Administrator\AppData\Local\Google\Chrome\Application\20.0.1132.47\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 7.0.0.144 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 7 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll
CHR - plugin: downloadUpdater (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
CHR - plugin: downloadUpdater2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\Administrator\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\Administrator\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\Administrator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Facebook Plugin (Enabled) = C:\Users\Administrator\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~1\mcafee\msc\npmcsn~1.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: SiteAdvisor = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\

O1 HOSTS File: ([2012/07/07 12:30:18 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20120707235012.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - Reg Error: Value error. File not found
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - Reg Error: Value error. File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O3 - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Home Theater SchSvr] C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe (InterVideo Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [WINCINEMAMGR] C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-21-111444003-3479115210-1291438600-500..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-111444003-3479115210-1291438600-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-111444003-3479115210-1291438600-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-111444003-3479115210-1291438600-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{75D01C27-54BE-4974-9808-82F972008DFF}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6F27415-AF57-4A73-8A57-651C616295B1}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest - No CLSID value found
O18 - Protocol\Handler\sacore - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\application/x-mfe-ipt - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/07/08 11:10:12 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\GrantPerms
[2012/07/08 11:09:37 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2012/07/07 23:50:11 | 000,009,608 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeclnk.sys
[2012/07/07 23:50:01 | 000,340,920 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfefirek.sys
[2012/07/07 23:50:01 | 000,180,848 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2012/07/07 23:50:01 | 000,169,608 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfewfpk.sys
[2012/07/07 23:50:01 | 000,087,656 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdet.sys
[2012/07/07 23:50:01 | 000,064,912 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfenlfk.sys
[2012/07/07 23:50:01 | 000,059,456 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2012/07/07 23:50:00 | 000,057,600 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\cfwids.sys
[2012/07/07 23:49:53 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2012/07/07 23:49:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
[2012/07/07 23:49:36 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2012/07/07 23:35:27 | 000,151,912 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
[2012/07/07 23:35:15 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/07/07 22:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2012/07/07 22:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2012/07/07 18:21:49 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Junction
[2012/07/07 17:21:09 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/07 17:14:11 | 004,285,248 | ---- | C] (McAfee, Inc.) -- C:\Users\Administrator\Desktop\McAfeeSetup.exe
[2012/07/07 13:10:45 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2012/07/07 12:46:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes
[2012/07/07 12:46:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/07 12:43:20 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\temp
[2012/07/07 12:30:37 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/07 12:02:07 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/07/07 10:59:32 | 003,178,400 | ---- | C] (McAfee, Inc.) -- C:\Users\Administrator\Desktop\MCPR.exe
[2012/07/07 10:56:15 | 010,063,024 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Administrator\Desktop\mbam-setup (1).exe
[2012/07/06 20:27:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/07/06 20:27:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/07/06 20:27:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/07/06 20:27:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/06 20:24:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/07/06 20:11:53 | 004,574,136 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2012/07/06 19:13:30 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/06 11:08:49 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\gmer
[2012/07/06 10:43:51 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2012/07/05 14:24:32 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/07/05 14:13:30 | 002,135,640 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2012/07/03 13:41:12 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\june 2012
[2012/06/29 22:26:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012/06/29 22:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2012/06/20 22:04:09 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\BACKUP SITE
[2012/06/19 23:01:26 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Weegee Area 4 Voice
[2012/06/16 22:46:05 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\SmallBasic
[2012/06/16 22:41:36 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Small Basic
[2012/06/16 22:41:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2012/06/16 22:13:32 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\.minecraft
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/10 23:51:18 | 000,000,940 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500UA.job
[2012/07/10 23:47:40 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/10 23:26:51 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/10 23:25:25 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/10 23:25:24 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/10 23:25:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/10 23:25:09 | 1064,558,592 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/08 11:10:14 | 000,456,948 | ---- | M] () -- C:\Users\Administrator\Desktop\GrantPerms.exe
[2012/07/08 11:09:42 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2012/07/08 11:09:28 | 000,450,985 | ---- | M] () -- C:\Users\Administrator\Desktop\GrantPerms.zip
[2012/07/07 23:18:10 | 003,178,400 | ---- | M] (McAfee, Inc.) -- C:\Users\Administrator\Desktop\MCPR.exe
[2012/07/07 22:57:02 | 000,001,863 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012/07/07 19:03:59 | 000,706,830 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/07/07 19:03:59 | 000,144,140 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/07/07 18:21:49 | 000,150,392 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\junction.exe
[2012/07/07 18:20:50 | 000,079,623 | ---- | M] () -- C:\Users\Administrator\Desktop\Junction.zip
[2012/07/07 17:14:12 | 004,285,248 | ---- | M] (McAfee, Inc.) -- C:\Users\Administrator\Desktop\McAfeeSetup.exe
[2012/07/07 14:56:11 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-111444003-3479115210-1291438600-500Core.job
[2012/07/07 13:11:00 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2012/07/07 12:30:18 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/07/07 11:59:36 | 004,574,136 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
[2012/07/07 00:30:22 | 010,063,024 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Administrator\Desktop\mbam-setup (1).exe
[2012/07/06 10:44:05 | 000,000,000 | ---- | M] () -- C:\Users\Administrator\defogger_reenable
[2012/07/06 10:34:00 | 000,302,592 | ---- | M] () -- C:\Users\Administrator\Desktop\zwsp53we.exe
[2012/07/06 10:33:44 | 000,294,216 | ---- | M] () -- C:\Users\Administrator\Desktop\gmer.zip
[2012/07/06 10:33:00 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2012/07/06 10:18:10 | 000,050,477 | ---- | M] () -- C:\Users\Administrator\Desktop\Defogger.exe
[2012/07/05 14:19:25 | 000,000,512 | ---- | M] () -- C:\Users\Administrator\Desktop\MBR.dat
[2012/07/05 13:32:29 | 002,135,640 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2012/07/04 19:20:52 | 000,001,356 | ---- | M] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat
[2012/07/04 01:21:40 | 000,008,192 | ---- | M] () -- C:\Users\Administrator\Desktop\Earthbound Zero (Demiforce Hack) (U) Auto.sav
[2012/07/03 21:40:58 | 000,190,864 | ---- | M] () -- C:\Users\Administrator\Documents\nasty dfgiot.wma.sfk
[2012/07/03 21:40:58 | 000,188,016 | ---- | M] () -- C:\Users\Administrator\Documents\nasty dfgiot Take 2.sfk
[2012/07/03 21:40:58 | 000,178,128 | ---- | M] () -- C:\Users\Administrator\Documents\mike.wma.sfk
[2012/07/03 21:40:58 | 000,176,496 | ---- | M] () -- C:\Users\Administrator\Documents\mike Take 2.sfk
[2012/07/03 21:40:58 | 000,154,472 | ---- | M] () -- C:\Users\Administrator\Desktop\12 year olds.mp3.sfk
[2012/07/03 21:40:58 | 000,054,184 | ---- | M] () -- C:\Users\Administrator\Documents\nasty matt Take 2.sfk
[2012/07/03 21:40:58 | 000,047,376 | ---- | M] () -- C:\Users\Administrator\Documents\nasty matt.wma.sfk
[2012/07/03 21:40:58 | 000,016,320 | ---- | M] () -- C:\Users\Administrator\Documents\nasty scoutz.wma.sfk
[2012/07/03 21:40:53 | 004,126,552 | ---- | M] () -- C:\Users\Administrator\Desktop\nasty scouts song final mixxy.mp3
[2012/07/03 21:37:42 | 022,582,820 | ---- | M] () -- C:\Users\Administrator\Documents\mike Take 2.wav
[2012/07/03 21:35:20 | 006,927,280 | ---- | M] () -- C:\Users\Administrator\Documents\nasty matt Take 2.wav
[2012/07/03 21:33:59 | 024,057,676 | ---- | M] () -- C:\Users\Administrator\Documents\nasty dfgiot Take 2.wav
[2012/07/03 21:28:20 | 000,157,776 | ---- | M] () -- C:\Users\Administrator\Documents\12 yo.wma.sfk
[2012/07/03 21:28:20 | 000,070,416 | ---- | M] () -- C:\Users\Administrator\Documents\12 ypo2.wma.sfk
[2012/07/03 21:28:20 | 000,041,472 | ---- | M] () -- C:\Users\Administrator\Documents\12 byo 3.wma.sfk
[2012/07/03 21:28:20 | 000,033,536 | ---- | M] () -- C:\Users\Administrator\Documents\12 yo 5.wma.sfk
[2012/07/03 21:28:20 | 000,023,888 | ---- | M] () -- C:\Users\Administrator\Documents\matador.wma.sfk
[2012/07/03 21:28:20 | 000,008,016 | ---- | M] () -- C:\Users\Administrator\Documents\12 yo 4.wma.sfk
[2012/07/03 21:28:15 | 003,342,607 | ---- | M] () -- C:\Users\Administrator\Desktop\12 year olds.mp3
[2012/07/03 21:24:38 | 000,224,989 | ---- | M] () -- C:\Users\Administrator\Documents\matador.wma
[2012/07/03 21:23:12 | 000,431,529 | ---- | M] () -- C:\Users\Administrator\Documents\nasty matt.wma
[2012/07/03 21:22:33 | 001,576,479 | ---- | M] () -- C:\Users\Administrator\Documents\mike.wma
[2012/07/03 21:20:08 | 001,688,729 | ---- | M] () -- C:\Users\Administrator\Documents\nasty dfgiot.wma
[2012/07/03 21:16:54 | 000,157,639 | ---- | M] () -- C:\Users\Administrator\Documents\nasty scoutz.wma
[2012/07/03 21:15:46 | 000,310,299 | ---- | M] () -- C:\Users\Administrator\Documents\12 yo 5.wma
[2012/07/03 21:15:07 | 000,090,289 | ---- | M] () -- C:\Users\Administrator\Documents\12 yo 4.wma
[2012/07/03 21:14:48 | 000,382,139 | ---- | M] () -- C:\Users\Administrator\Documents\12 byo 3.wma
[2012/07/03 21:14:13 | 000,638,069 | ---- | M] () -- C:\Users\Administrator\Documents\12 ypo2.wma
[2012/07/03 21:12:59 | 001,401,369 | ---- | M] () -- C:\Users\Administrator\Documents\12 yo.wma
[2012/07/03 18:20:43 | 000,022,856 | ---- | M] () -- C:\Users\Administrator\Documents\lmfinsl.vf
[2012/07/03 16:27:56 | 342,019,115 | ---- | M] () -- C:\Users\Administrator\Desktop\weegee finale.wmv
[2012/07/03 01:37:18 | 000,361,928 | ---- | M] () -- C:\Users\Administrator\Desktop\00159.MTS.sfk1
[2012/07/03 01:37:18 | 000,361,928 | ---- | M] () -- C:\Users\Administrator\Desktop\00159.MTS.sfk0
[2012/07/03 01:37:14 | 000,018,056 | ---- | M] () -- C:\Users\Administrator\Documents\thiscalling.vf
[2012/07/03 00:11:17 | 000,001,543 | ---- | M] () -- C:\Users\Administrator\Documents\american.png
[2012/07/02 23:16:21 | 000,433,248 | ---- | M] () -- C:\Users\Administrator\Desktop\00160.MTS.sfk1
[2012/07/02 23:16:21 | 000,433,248 | ---- | M] () -- C:\Users\Administrator\Desktop\00160.MTS.sfk0
[2012/07/02 23:16:11 | 000,017,688 | ---- | M] () -- C:\Users\Administrator\Documents\thiscalling.vf.bak
[2012/07/02 13:55:28 | 000,072,192 | ---- | M] () -- C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/07/01 15:58:06 | 000,002,093 | ---- | M] () -- C:\Users\Administrator\Desktop\Google Chrome.lnk
[2012/07/01 15:58:06 | 000,002,055 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/07/01 14:36:29 | 000,058,187 | ---- | M] () -- C:\Users\Administrator\Documents\dark collins.png
[2012/07/01 14:26:40 | 169,000,001 | ---- | M] () -- C:\Users\Administrator\Desktop\final bootage.wmv
[2012/06/30 02:24:02 | 001,286,147 | ---- | M] () -- C:\Users\Administrator\Documents\summer jams final.png
[2012/06/30 02:23:52 | 003,524,967 | ---- | M] () -- C:\Users\Administrator\Documents\summer jams final.pdn
[2012/06/30 02:12:57 | 000,044,045 | ---- | M] () -- C:\Users\Administrator\Documents\sal.jpg
[2012/06/30 02:12:00 | 000,087,129 | ---- | M] () -- C:\Users\Administrator\Documents\summer jams big.jpg
[2012/06/30 02:09:26 | 000,054,390 | ---- | M] () -- C:\Users\Administrator\Documents\summer jams.jpg
[2012/06/30 01:38:19 | 000,075,337 | ---- | M] () -- C:\Users\Administrator\Documents\beach thing.jpg
[2012/06/29 22:26:48 | 000,000,757 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2012/06/27 17:51:29 | 000,025,288 | ---- | M] () -- C:\Users\Administrator\Documents\aitc 2012.vf
[2012/06/25 00:45:28 | 000,048,095 | ---- | M] () -- C:\Users\Administrator\Documents\ACT OMG.jpg
[2012/06/24 20:16:40 | 000,002,337 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/06/18 01:43:23 | 000,010,441 | ---- | M] () -- C:\Users\Administrator\Documents\yolocover.jpg
[2012/06/18 01:39:29 | 000,004,485 | ---- | M] () -- C:\Users\Administrator\Documents\yolo.jpg
[2012/06/16 05:05:59 | 000,446,416 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/06/12 00:42:37 | 000,013,417 | ---- | M] () -- C:\Users\Administrator\Documents\dagron.jpg
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/08 11:09:04 | 000,450,985 | ---- | C] () -- C:\Users\Administrator\Desktop\GrantPerms.zip
[2012/07/07 22:57:02 | 000,001,863 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012/07/07 22:57:01 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012/07/07 18:20:43 | 000,079,623 | ---- | C] () -- C:\Users\Administrator\Desktop\Junction.zip
[2012/07/06 20:27:53 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/06 20:27:53 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/06 20:27:53 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/07/06 20:27:53 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/07/06 20:27:53 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/07/06 20:14:44 | 1064,558,592 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/06 11:06:06 | 000,294,216 | ---- | C] () -- C:\Users\Administrator\Desktop\gmer.zip
[2012/07/06 10:44:05 | 000,000,000 | ---- | C] () -- C:\Users\Administrator\defogger_reenable
[2012/07/06 10:43:51 | 000,302,592 | ---- | C] () -- C:\Users\Administrator\Desktop\zwsp53we.exe
[2012/07/06 10:43:51 | 000,050,477 | ---- | C] () -- C:\Users\Administrator\Desktop\Defogger.exe
[2012/07/05 14:19:25 | 000,000,512 | ---- | C] () -- C:\Users\Administrator\Desktop\MBR.dat
[2012/07/04 00:47:51 | 000,008,192 | ---- | C] () -- C:\Users\Administrator\Desktop\Earthbound Zero (Demiforce Hack) (U) Auto.sav
[2012/07/03 21:40:42 | 004,126,552 | ---- | C] () -- C:\Users\Administrator\Desktop\nasty scouts song final mixxy.mp3
[2012/07/03 21:38:56 | 000,154,472 | ---- | C] () -- C:\Users\Administrator\Desktop\12 year olds.mp3.sfk
[2012/07/03 21:37:42 | 000,176,496 | ---- | C] () -- C:\Users\Administrator\Documents\mike Take 2.sfk
[2012/07/03 21:37:39 | 022,582,820 | ---- | C] () -- C:\Users\Administrator\Documents\mike Take 2.wav
[2012/07/03 21:35:20 | 000,054,184 | ---- | C] () -- C:\Users\Administrator\Documents\nasty matt Take 2.sfk
[2012/07/03 21:35:19 | 006,927,280 | ---- | C] () -- C:\Users\Administrator\Documents\nasty matt Take 2.wav
[2012/07/03 21:33:59 | 000,188,016 | ---- | C] () -- C:\Users\Administrator\Documents\nasty dfgiot Take 2.sfk
[2012/07/03 21:33:54 | 024,057,676 | ---- | C] () -- C:\Users\Administrator\Documents\nasty dfgiot Take 2.wav
[2012/07/03 21:28:40 | 000,190,864 | ---- | C] () -- C:\Users\Administrator\Documents\nasty dfgiot.wma.sfk
[2012/07/03 21:28:36 | 000,016,320 | ---- | C] () -- C:\Users\Administrator\Documents\nasty scoutz.wma.sfk
[2012/07/03 21:28:30 | 000,178,128 | ---- | C] () -- C:\Users\Administrator\Documents\mike.wma.sfk
[2012/07/03 21:28:22 | 000,047,376 | ---- | C] () -- C:\Users\Administrator\Documents\nasty matt.wma.sfk
[2012/07/03 21:28:09 | 003,342,607 | ---- | C] () -- C:\Users\Administrator\Desktop\12 year olds.mp3
[2012/07/03 21:27:13 | 000,023,888 | ---- | C] () -- C:\Users\Administrator\Documents\matador.wma.sfk
[2012/07/03 21:26:37 | 000,033,536 | ---- | C] () -- C:\Users\Administrator\Documents\12 yo 5.wma.sfk
[2012/07/03 21:26:33 | 000,008,016 | ---- | C] () -- C:\Users\Administrator\Documents\12 yo 4.wma.sfk
[2012/07/03 21:26:18 | 000,041,472 | ---- | C] () -- C:\Users\Administrator\Documents\12 byo 3.wma.sfk
[2012/07/03 21:26:11 | 000,070,416 | ---- | C] () -- C:\Users\Administrator\Documents\12 ypo2.wma.sfk
[2012/07/03 21:26:02 | 000,157,776 | ---- | C] () -- C:\Users\Administrator\Documents\12 yo.wma.sfk
[2012/07/03 21:24:38 | 000,224,989 | ---- | C] () -- C:\Users\Administrator\Documents\matador.wma
[2012/07/03 21:23:11 | 000,431,529 | ---- | C] () -- C:\Users\Administrator\Documents\nasty matt.wma
[2012/07/03 21:22:33 | 001,576,479 | ---- | C] () -- C:\Users\Administrator\Documents\mike.wma
[2012/07/03 21:20:08 | 001,688,729 | ---- | C] () -- C:\Users\Administrator\Documents\nasty dfgiot.wma
[2012/07/03 21:16:53 | 000,157,639 | ---- | C] () -- C:\Users\Administrator\Documents\nasty scoutz.wma
[2012/07/03 21:15:46 | 000,310,299 | ---- | C] () -- C:\Users\Administrator\Documents\12 yo 5.wma
[2012/07/03 21:15:07 | 000,090,289 | ---- | C] () -- C:\Users\Administrator\Documents\12 yo 4.wma
[2012/07/03 21:14:48 | 000,382,139 | ---- | C] () -- C:\Users\Administrator\Documents\12 byo 3.wma
[2012/07/03 21:14:13 | 000,638,069 | ---- | C] () -- C:\Users\Administrator\Documents\12 ypo2.wma
[2012/07/03 21:12:59 | 001,401,369 | ---- | C] () -- C:\Users\Administrator\Documents\12 yo.wma
[2012/07/03 18:20:43 | 000,022,856 | ---- | C] () -- C:\Users\Administrator\Documents\lmfinsl.vf
[2012/07/03 14:45:19 | 342,019,115 | ---- | C] () -- C:\Users\Administrator\Desktop\weegee finale.wmv
[2012/07/03 00:20:58 | 000,361,928 | ---- | C] () -- C:\Users\Administrator\Desktop\00159.MTS.sfk1
[2012/07/03 00:20:34 | 000,361,928 | ---- | C] () -- C:\Users\Administrator\Desktop\00159.MTS.sfk0
[2012/07/03 00:11:17 | 000,001,543 | ---- | C] () -- C:\Users\Administrator\Documents\american.png
[2012/07/02 23:16:11 | 000,018,056 | ---- | C] () -- C:\Users\Administrator\Documents\thiscalling.vf
[2012/07/02 23:16:11 | 000,017,688 | ---- | C] () -- C:\Users\Administrator\Documents\thiscalling.vf.bak
[2012/07/02 21:29:32 | 000,433,248 | ---- | C] () -- C:\Users\Administrator\Desktop\00160.MTS.sfk1
[2012/07/02 21:29:15 | 000,433,248 | ---- | C] () -- C:\Users\Administrator\Desktop\00160.MTS.sfk0
[2012/07/01 14:36:29 | 000,058,187 | ---- | C] () -- C:\Users\Administrator\Documents\dark collins.png
[2012/07/01 13:20:49 | 169,000,001 | ---- | C] () -- C:\Users\Administrator\Desktop\final bootage.wmv
[2012/06/30 02:24:01 | 001,286,147 | ---- | C] () -- C:\Users\Administrator\Documents\summer jams final.png
[2012/06/30 02:23:51 | 003,524,967 | ---- | C] () -- C:\Users\Administrator\Documents\summer jams final.pdn
[2012/06/30 02:12:57 | 000,044,045 | ---- | C] () -- C:\Users\Administrator\Documents\sal.jpg
[2012/06/30 02:12:00 | 000,087,129 | ---- | C] () -- C:\Users\Administrator\Documents\summer jams big.jpg
[2012/06/30 02:09:26 | 000,054,390 | ---- | C] () -- C:\Users\Administrator\Documents\summer jams.jpg
[2012/06/30 01:38:14 | 000,075,337 | ---- | C] () -- C:\Users\Administrator\Documents\beach thing.jpg
[2012/06/29 22:26:48 | 000,000,757 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2012/06/25 00:45:28 | 000,048,095 | ---- | C] () -- C:\Users\Administrator\Documents\ACT OMG.jpg
[2012/06/18 01:42:50 | 000,010,441 | ---- | C] () -- C:\Users\Administrator\Documents\yolocover.jpg
[2012/06/18 01:39:28 | 000,004,485 | ---- | C] () -- C:\Users\Administrator\Documents\yolo.jpg
[2012/06/12 00:42:37 | 000,013,417 | ---- | C] () -- C:\Users\Administrator\Documents\dagron.jpg
[2012/06/03 13:14:30 | 000,002,269 | ---- | C] () -- C:\Users\Administrator\.recently-used.xbel
[2012/05/19 14:58:15 | 000,006,514 | ---- | C] () -- C:\Windows\ebsavestate.ini
[2012/05/18 11:07:15 | 000,009,025 | ---- | C] () -- C:\Users\Administrator\IPS.EXE
[2012/01/29 00:45:22 | 000,000,076 | ---- | C] () -- C:\Windows\hw.ini
[2011/11/10 07:36:38 | 000,000,378 | ---- | C] () -- C:\Users\Administrator\Music - Shortcut.lnk
[2011/11/10 07:36:10 | 000,000,390 | ---- | C] () -- C:\Users\Administrator\Documents - Shortcut.lnk
[2011/09/14 22:04:17 | 000,221,730 | ---- | C] () -- C:\Users\Administrator\kevin parker.odp
[2011/05/03 21:44:40 | 001,503,232 | ---- | C] () -- C:\Windows\System32\ptj.exe
[2011/05/03 21:44:40 | 001,103,360 | ---- | C] () -- C:\Windows\System32\cidfont.dll
[2011/05/03 21:44:39 | 004,369,408 | ---- | C] () -- C:\Windows\System32\pdftk.exe
[2011/03/15 22:40:18 | 000,002,792 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\wklnhst.dat
[2010/12/27 14:21:51 | 000,212,524 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2010/12/24 20:55:54 | 000,000,000 | ---- | C] () -- C:\Windows\ToDisc.INI
[2010/07/15 23:26:18 | 000,000,084 | ---- | C] () -- C:\Windows\netdet.ini
[2010/07/15 23:22:31 | 000,118,272 | ---- | C] () -- C:\Windows\System32\vzcontextmenu.dll
[2010/07/15 23:22:28 | 000,073,728 | ---- | C] () -- C:\Windows\System32\DetectDxQT.dll
[2010/06/09 19:58:29 | 000,000,091 | ---- | C] () -- C:\Users\Administrator\AppData\Local\Temppenciltemp.png
[2010/02/01 17:53:58 | 000,001,356 | ---- | C] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat
[2009/11/28 23:13:05 | 000,072,192 | ---- | C] () -- C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/08 17:08:57 | 008,673,792 | ---- | C] () -- C:\ProgramData\atscie.msi
[2008/05/17 15:50:34 | 000,000,952 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys

========== LOP Check ==========

[2012/06/29 23:00:48 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\.minecraft
[2009/12/29 23:22:48 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\acccore
[2011/07/10 21:00:22 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Autodesk
[2012/02/22 18:40:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Blender Foundation
[2012/07/07 17:40:02 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Dropbox
[2010/06/13 13:53:51 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Facebook
[2012/06/21 00:35:33 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\FileZilla
[2011/04/06 06:26:33 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\fltk.org
[2012/06/03 13:13:14 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\gtk-2.0
[2012/05/20 21:43:52 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Helios
[2010/08/11 16:52:13 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\ImgBurn
[2012/02/22 18:36:14 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\inkscape
[2009/11/30 22:25:35 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Intervideo
[2009/12/20 21:47:45 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\IObit
[2011/03/26 14:33:43 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\IrfanView
[2010/03/13 19:35:53 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\ManyCam
[2009/11/28 23:25:54 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\NCH Swift Sound
[2009/12/30 16:09:39 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Neopets Toolbar
[2009/11/29 20:01:04 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\OpenOffice.org
[2011/05/20 12:59:14 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Opera
[2011/06/16 23:44:14 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\PACE Anti-Piracy
[2009/11/28 22:07:35 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Publish Providers
[2009/11/28 22:45:47 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Sony
[2012/05/09 21:58:19 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\SYSTEMAX Software Development
[2011/03/15 22:40:36 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Template
[2010/03/13 15:00:20 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TOSHIBA
[2011/06/17 00:02:56 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Unity
[2010/01/15 07:21:17 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\WTouch
[2008/03/23 11:41:45 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\acccore
[2008/01/21 15:17:49 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\Acoustica
[2008/01/20 15:03:50 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\fretsonfire
[2009/09/05 21:45:19 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\ImgBurn
[2008/03/06 16:54:43 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\Intervideo
[2009/06/30 17:32:02 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\IObit
[2009/03/20 19:08:59 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\ManyCam
[2009/11/14 23:49:08 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\NCH Swift Sound
[2008/11/16 22:54:55 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\OpenOffice.org
[2008/01/04 20:20:40 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\PeerNetworking
[2007/12/25 11:39:13 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\PlayFirst
[2008/08/18 12:35:51 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\Publish Providers
[2009/11/18 23:21:49 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\REAPER
[2009/06/30 22:47:30 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\Sony
[2010/03/16 10:53:57 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\Template
[2008/07/16 19:22:24 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\TOSHIBA
[2009/01/04 17:03:33 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\uTorrent
[2008/06/21 21:25:22 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\Video DVD Maker FREE
[2007/12/25 11:38:23 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\WildTangent
[2007/12/25 12:34:50 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\WinBatch
[2010/01/23 18:01:27 | 000,000,000 | ---D | M] -- C:\Users\Matt (Absoltastic)\AppData\Roaming\WTouch
[2012/07/08 00:09:24 | 000,032,570 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< >

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2007/12/25 13:50:58 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2007/12/25 13:50:57 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\erdnt\cache\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006/11/02 04:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2008/01/19 02:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SERVICES.EXE >
[2008/01/19 02:33:28 | 000,279,040 | ---- | M] (Microsoft Corporation) MD5=2B336AB6286D6C81FA02CBAB914E3C6C -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2006/11/02 04:45:40 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=329CF3C97CE4C19375C8ABCABAE258B0 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2009/04/11 01:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\erdnt\cache\services.exe
[2009/04/11 01:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\System32\services.exe
[2009/04/11 01:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

< MD5 for: SVCHOST.EXE >
[2006/11/02 04:45:47 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=10DA15933D582D2FEDCF705EFE394B09 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe
[2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\erdnt\cache\svchost.exe
[2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/19 02:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\erdnt\cache\userinit.exe
[2008/01/19 02:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/19 02:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2006/11/02 04:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\erdnt\cache\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2006/11/02 04:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2008/01/19 02:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< %systemroot%\*. /rp /s >

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: TOSHIBA MK8037GSX
Partitions: 2
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 1.00GB
Starting Offset: 1048576
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 73.00GB
Starting Offset: 1573912576
Hidden sectors: 0


========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Users\Administrator\Documents\17.mp4:TOC.WMV
@Alternate Data Stream - 487 bytes -> C:\ProgramData\TEMP:05EE1EEF
@Alternate Data Stream - 1175 bytes -> C:\Users\Administrator\AppData\Local\v6RLADYwm7y:UNoheTiXj2OAL4ZiM12IlNL
@Alternate Data Stream - 1169 bytes -> C:\ProgramData\Microsoft:m3aDYy9adwE5NrhotNL1S56mJrL8
@Alternate Data Stream - 1137 bytes -> C:\ProgramData\Microsoft:1Hd1yaiNikJ1fTfISpdaQPXq
@Alternate Data Stream - 1113 bytes -> C:\ProgramData\Microsoft:BXh81wPeDoTPIdTIV010GeE1

< End of report >

#14 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 July 2012 - 10:33 AM

Please run the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
    O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
    O3 - HKU\S-1-5-21-111444003-3479115210-1291438600-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    @Alternate Data Stream - 64 bytes -> C:\Users\Administrator\Documents\17.mp4:TOC.WMV
    @Alternate Data Stream - 487 bytes -> C:\ProgramData\TEMP:05EE1EEF
    @Alternate Data Stream - 1175 bytes -> C:\Users\Administrator\AppData\Local\v6RLADYwm7y:UNoheTiXj2OAL4ZiM12IlNL
    @Alternate Data Stream - 1169 bytes -> C:\ProgramData\Microsoft:m3aDYy9adwE5NrhotNL1S56mJrL8
    @Alternate Data Stream - 1137 bytes -> C:\ProgramData\Microsoft:1Hd1yaiNikJ1fTfISpdaQPXq
    @Alternate Data Stream - 1113 bytes -> C:\ProgramData\Microsoft:BXh81wPeDoTPIdTIV010GeE1
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log

NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CommanderButter

  • Topic Starter

  • Members
  • 13 posts

Posted 11 July 2012 - 01:10 PM

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ not found.
Registry value HKEY_USERS\S-1-5-21-111444003-3479115210-1291438600-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
ADS C:\Users\Administrator\Documents\17.mp4:TOC.WMV deleted successfully.
ADS C:\ProgramData\TEMP:05EE1EEF deleted successfully.
ADS C:\Users\Administrator\AppData\Local\v6RLADYwm7y:UNoheTiXj2OAL4ZiM12IlNL deleted successfully.
ADS C:\ProgramData\Microsoft:m3aDYy9adwE5NrhotNL1S56mJrL8 deleted successfully.
ADS C:\ProgramData\Microsoft:1Hd1yaiNikJ1fTfISpdaQPXq deleted successfully.
ADS C:\ProgramData\Microsoft:BXh81wPeDoTPIdTIV010GeE1 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Administrator\Desktop\cmd.bat deleted successfully.
C:\Users\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 114224076 bytes
->Temporary Internet Files folder emptied: 1700958 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 77811914 bytes
->Google Chrome cache emptied: 594288 bytes
->Opera cache emptied: 5858990 bytes
->Flash cache emptied: 378851 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Matt (Absoltastic)
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2042687 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 45572809 bytes
->Google Chrome cache emptied: 9141634 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 14384 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 413171 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 532228 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 246.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07112012_105034

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...




It is running just fine now, but McAfee is still not installing completely, getting the same incomplete install error. Thanks so much for everything so far!



