Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Google Redirector..for some reason I think I have the new and


  • Please log in to reply

#1
wholeteam

wholeteam

    Member

  • Member
  • PipPip
  • 25 posts
Greetings G2G fellows,

I have been doing software support / IT Support for 15 years and this one here has got me scratching my head, I went through all desperate measures and used spybot, malwarebytes, hijackthis, hitmanpro etc.. a slew of malware has been removed etc, but this one thing still goes undetected but yet redirects me on any google search result. I am now attempting to paste this log again, in the middle it has a slew of unrecognized foreign characters which made it nearly impossible to paste so this time I am going to skip over the HOSTS section which had Chinese characters in it just so i can paste it in. My existing HOSTS file seemed normal had the normal spybot sites that were setup to be redirected to the 127.0.0.1 and thats it so not sure what else this thing has in this log.

Here is my log results:

OTL logfile created on: 8/17/2011 10:28:38 AM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Users\whoelteam\Downloads
An unknown product Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 54.57% Memory free
5.92 Gb Paging File | 4.48 Gb Available in Paging File | 75.62% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.05 Gb Total Space | 30.43 Gb Free Space | 10.21% Space Free | Partition Type: NTFS
Drive H: | 465.76 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS
Drive I: | 931.50 Gb Total Space | 847.53 Gb Free Space | 90.98% Space Free | Partition Type: NTFS

Computer Name: WHOLETEAM-DELL2 | User Name: wholeteam | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/17 10:28:14 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\whoelteam\Downloads\OTL.exe
PRC - [2011/06/24 00:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/06/23 01:41:08 | 001,306,728 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/06/01 10:00:17 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2011/02/10 00:47:03 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:31 | 000,173,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rdpclip.exe
PRC - [2010/10/02 16:20:00 | 004,537,280 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
PRC - [2010/09/24 13:19:08 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/09/15 12:41:16 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/26 10:52:24 | 001,234,216 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
PRC - [2010/03/25 14:39:22 | 000,490,280 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe
PRC - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/12/22 08:57:22 | 001,172,992 | ---- | M] (Vitalwerks LLC) -- C:\Program Files\No-IP\DUC20.exe
PRC - [2009/07/13 21:14:21 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetsrv\inetinfo.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/27 10:18:32 | 000,217,088 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2009/01/31 16:15:38 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2009/01/31 14:43:30 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/11/24 05:56:46 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/11/12 21:49:58 | 001,085,513 | ---- | M] (Linksys) -- C:\Program Files\Linksys\WMB54G\WMB54G.exe
PRC - [2007/10/05 12:22:38 | 000,283,466 | ---- | M] (C-Media) -- C:\Program Files\Linksys\WMB54G\Driver\CmFlywav.exe
PRC - [2004/12/14 03:12:02 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\WinVNC.exe


========== Modules (No Company Name) ==========

MOD - [2010/11/21 10:54:34 | 000,094,208 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2010/09/15 12:41:16 | 001,016,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2009/11/10 16:39:24 | 000,929,792 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/06/05 14:20:15 | 000,140,800 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/07/03 19:33:36 | 000,106,496 | ---- | M] () -- C:\Windows\VMix.dll
MOD - [2006/09/25 13:40:36 | 000,274,490 | ---- | M] () -- C:\Program Files\Linksys\WMB54G\Driver\flac.dll
MOD - [2006/03/21 21:08:48 | 000,491,520 | ---- | M] () -- C:\Program Files\Linksys\WMB54G\cmaudiow.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (0195511313283042mcinstcleanup) McAfee Application Installer Cleanup (0195511313283042)
SRV - [2011/08/16 21:20:00 | 006,394,688 | ---- | M] (SurfRight B.V.) [Auto | Stopped] -- C:\Program Files\Hitman Pro 3.5\HitmanPro35(2).exe -- (HitmanPro35CrusaderBoot) Hitman Pro 3.5 Crusader (Boot)
SRV - [2011/08/07 13:22:01 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/06/23 15:22:58 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2011/02/10 00:47:03 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\Windows\System32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/26 02:06:49 | 000,309,760 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV - [2010/11/20 08:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/20 08:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/20 08:18:03 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2010/09/24 13:19:16 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/09/24 13:19:16 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/09/24 13:19:08 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/03/25 14:39:22 | 000,490,280 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2010/02/26 04:00:36 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/12/22 08:57:22 | 001,172,992 | ---- | M] (Vitalwerks LLC) [Auto | Running] -- C:\Program Files\No-IP\DUC20.exe -- (NoIPDUCService)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:14:48 | 000,009,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\inetsrv\WMSvc.exe -- (WMSVC)
SRV - [2009/07/13 21:14:21 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - [2002/09/03 15:46:36 | 001,282,112 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Kaiser\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,163,400 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,064,648 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/09/14 09:16:06 | 000,108,480 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/10/26 08:54:24 | 000,025,088 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/09/03 17:33:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/09/03 17:33:38 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
DRV - [2009/07/13 18:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®
DRV - [2009/03/25 01:25:24 | 000,197,680 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/05/28 18:01:00 | 000,235,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM13Vid.sys -- (OEM13Vid)
DRV - [2007/03/29 11:25:18 | 001,410,240 | ---- | M] (C-Media Electronics Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmudaxv.sys -- (cmvad)
DRV - [2007/03/05 11:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM13Vfx.sys -- (OEM13Vfx)
DRV - [2004/10/25 15:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\pcasp50.sys -- (PCASp50)
DRV - [2004/03/23 22:12:34 | 000,017,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\nsndis5.sys -- (NSNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USSMB/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 46 6E 34 01 D2 BD 89 4A 8A A2 DD 11 A0 6F B1 44 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========



FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\whoelteam\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\whoelteam\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\whoelteam\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\whoelteam\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\whoelteam\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/08/10 01:17:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/06/01 10:01:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/01 10:00:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/01 10:01:36 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{1978D798-BAC6-45F1-8C74-0A017DB9028D}: C:\Users\whoelteam\AppData\Local\{1978D798-BAC6-45F1-8C74-0A017DB9028D}\ [2011/08/14 23:42:25 | 000,000,000 | ---D | M]

[2009/12/06 23:50:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Extensions
[2011/08/16 23:29:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Firefox\Profiles\5iskg2hu.default\extensions
[2011/06/22 08:39:48 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Firefox\Profiles\5iskg2hu.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/08/16 10:18:23 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Firefox\Profiles\5iskg2hu.default\extensions\{7985fe35-b8d1-43d5-9bc8-cf34e726d63a}
[2011/02/26 23:22:17 | 000,001,919 | ---- | M] () -- C:\Users\whoelteam\AppData\Roaming\Mozilla\Firefox\Profiles\5iskg2hu.default\searchplugins\bing-zugo.xml
[2011/08/16 23:29:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/09 07:03:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/02/28 10:35:00 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2011/08/17 10:03:54 | 000,435,615 | R--- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110816171840.dll (McAfee, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NBAgent] C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Nero AG)
O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe (Constantin Kaplinsky)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Users\whoelteam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe (Vitalwerks LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (C:\ProgramData\ZuneMTPZ32.dll) - C:\ProgramData\ZuneMTPZ32.dll (People Can Fly)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (bootdelete) - C:\Windows\System32\bootdelete.exe (SurfRight B.V.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/17 09:29:27 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2011/08/17 09:20:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/08/17 09:20:47 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{337BBB7E-9AC7-4C87-A3E9-70E80506704D}
[2011/08/17 09:20:30 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{F3640F0D-6A17-4973-A109-411BC6518CA5}
[2011/08/17 09:09:47 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/08/17 09:08:21 | 000,000,000 | ---D | C] -- C:\registrybackup
[2011/08/17 08:19:10 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{33B1F291-16E7-4D6B-8D97-59018B6C5CF3}
[2011/08/17 08:18:58 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{41DD4C0A-D108-426A-B2DF-9ABA25D81877}
[2011/08/16 23:37:40 | 000,058,288 | ---- | C] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll
[2011/08/16 23:20:06 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/08/16 23:20:03 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/08/16 23:09:09 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{142E3B46-CD00-474B-B2D4-ACFEA80DB2E1}
[2011/08/16 23:02:52 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{38EC1D8B-711A-4C9E-AB42-AE07E8D4AF6E}
[2011/08/16 23:02:38 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{CBB2FB88-590C-45BF-AAEB-788EBA3926D5}
[2011/08/16 21:28:19 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{8C5CBBFD-DE1F-44A9-B661-D63B7229790D}
[2011/08/16 21:00:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2011/08/16 21:00:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hitman Pro 3.5
[2011/08/16 21:00:26 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/08/16 20:02:53 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{A4FC60C6-136A-479B-8B45-ED3095B9B956}
[2011/08/16 20:02:40 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{BFF4CFF3-EA5C-4153-96B6-176A65009F30}
[2011/08/16 15:16:21 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{883428A0-E7A1-4FB2-9168-0452B5C6C23A}
[2011/08/16 13:58:57 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Roaming\Malwarebytes
[2011/08/16 13:58:51 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/08/16 13:58:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/16 13:58:44 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/08/16 13:58:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/16 13:25:23 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\Nero
[2011/08/16 12:34:03 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{3D626994-A3BA-4F79-B793-AB4D8C9F8A4A}
[2011/08/16 12:28:32 | 000,155,136 | ---- | C] (People Can Fly) -- C:\ProgramData\ZuneMTPZ32.dll
[2011/08/16 10:08:34 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{9A34AE45-E9E6-48ED-B2DD-691CF865C36E}
[2011/08/16 10:08:17 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{B705349B-8C5E-4B55-9020-D7796E56B206}
[2011/08/16 01:29:12 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\PackageAware
[2011/08/16 00:32:28 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{090B33A6-5A80-418C-9991-ACEACFAF1FC9}
[2011/08/15 16:42:43 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{B24F19EC-A443-40D3-AE87-4966EE991236}
[2011/08/15 15:15:22 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{C5C07D01-4623-4145-BC31-29C4EEC3CA70}
[2011/08/15 15:15:08 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{8F2DFBF9-1979-4D44-BF5F-83C24A986CB8}
[2011/08/15 15:01:13 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{9CD6C905-F755-4F2C-AA23-098CACAA360B}
[2011/08/15 14:24:25 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{4E4280C3-CE53-47BC-A064-43A68C2635A7}
[2011/08/15 14:24:08 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{C4129BFC-C14F-48C6-8CF8-B25D8A3D9785}
[2011/08/15 13:34:24 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{75416CA0-DB20-4FE7-A24B-6D1163E5444C}
[2011/08/15 12:56:55 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/08/15 12:55:33 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/08/14 23:42:24 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1978D798-BAC6-45F1-8C74-0A017DB9028D}
[2011/08/14 20:09:46 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/08/14 19:40:15 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\Documents\DVDFab
[2011/08/14 19:40:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDFab 8 Qt
[2011/08/14 19:39:39 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab 8 Qt
[2011/08/14 19:28:10 | 000,000,000 | ---D | C] -- C:\DVDFabDecrypter_Temp
[2011/08/14 19:28:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDFab Decrypter
[2011/08/14 19:27:58 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab Decrypter
[2011/08/14 19:23:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Aimersoft
[2011/08/14 19:22:40 | 000,000,000 | ---D | C] -- C:\Program Files\Aimersoft
[2011/08/14 18:24:45 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\Documents\DVD Creator
[2011/08/14 13:34:11 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\Documents\NeroVision
[2011/08/11 09:54:28 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{700C9AC6-AAC6-4B31-8BEA-28680E298121}
[2011/08/11 09:54:11 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1C2C2639-422C-4F42-B0B6-939F7FE6FD64}
[2011/08/11 09:53:26 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Roaming\Nero
[2011/08/11 03:01:38 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2011/08/10 07:36:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2011/08/10 07:35:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2011/08/10 07:35:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero
[2011/08/10 07:35:50 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2011/08/10 07:32:51 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{331D4135-92B2-4399-A4A7-FF06C5D17D36}
[2011/08/08 18:37:08 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1F403329-B00F-49DF-86E8-E377146AC085}
[2011/08/08 18:36:47 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{844C133F-6BB6-4995-B556-B530BA740463}
[2011/08/08 08:29:00 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{19F73B67-6CDA-4B44-8987-D3F9EE626BC6}
[2011/08/08 08:28:42 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{42A1D9F8-3585-4158-BB75-A92603184366}
[2011/08/07 13:21:57 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{07F9EDF7-7590-49FC-A575-C51F7DA74993}
[2011/08/07 13:21:31 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{AF0697C5-2F9B-43E8-86FA-772BF2A65A0D}
[2011/08/01 23:20:35 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{226819F7-97CD-4705-A6BB-F4AEDB8C57D5}
[2011/08/01 08:17:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/08/01 08:15:52 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/08/01 08:15:51 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/08/01 08:10:39 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/02/11 18:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2011/08/17 10:29:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1983123432-918471795-1554061222-1000UA.job
[2011/08/17 10:19:32 | 000,001,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/17 10:19:32 | 000,001,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/17 10:03:54 | 000,435,615 | R--- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/08/17 09:59:36 | 000,023,624 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2011/08/17 09:29:27 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2011/08/17 09:29:27 | 000,000,178 | ---- | M] () -- C:\Windows\System32\.crusader
[2011/08/17 09:29:27 | 000,000,140 | ---- | M] () -- C:\Windows\System32\bootdelete.lst
[2011/08/17 09:20:50 | 000,001,790 | ---- | M] () -- C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
[2011/08/17 09:19:28 | 000,000,632 | RHS- | M] () -- C:\Users\whoelteam\ntuser.pol
[2011/08/17 09:17:54 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
[2011/08/17 09:17:52 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll
[2011/08/17 09:17:51 | 000,000,326 | -HS- | M] () -- C:\Windows\tasks\GKKE.job
[2011/08/17 09:17:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/17 09:17:32 | 2385,162,240 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/17 09:09:48 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110817-100354.backup
[2011/08/17 04:29:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1983123432-918471795-1554061222-1000Core.job
[2011/08/16 23:37:40 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2011/08/16 23:37:33 | 002,364,912 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/08/16 23:20:06 | 000,002,983 | ---- | M] () -- C:\Users\whoelteam\Desktop\HiJackThis.lnk
[2011/08/16 21:00:27 | 000,002,010 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2011/08/16 13:58:52 | 000,001,110 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/16 12:28:32 | 000,155,136 | ---- | M] (People Can Fly) -- C:\ProgramData\ZuneMTPZ32.dll
[2011/08/15 15:42:09 | 000,000,695 | ---- | M] () -- C:\Users\whoelteam\Desktop\reset.bat
[2011/08/15 12:07:25 | 000,000,000 | ---- | M] () -- C:\Windows\2864435686
[2011/08/15 10:53:01 | 270,663,073 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/08/14 19:40:00 | 000,001,017 | ---- | M] () -- C:\Users\whoelteam\Desktop\DVDFab 8 Qt.lnk
[2011/08/14 19:28:01 | 000,001,031 | ---- | M] () -- C:\Users\whoelteam\Desktop\DVDFab Decrypter.lnk
[2011/08/14 19:23:09 | 000,001,221 | ---- | M] () -- C:\Users\whoelteam\Desktop\Aimersoft DVD Creator.lnk
[2011/08/14 19:13:25 | 000,064,000 | RHS- | M] () -- C:\Windows\System32\eqossnaps.dll
[2011/08/11 10:03:31 | 000,001,312 | ---- | M] () -- C:\Users\whoelteam\Desktop\DJ.Khaled-We.The.Best.Forever-(Deluxe.Edition)-2011-[NoFS] - Shortcut.lnk
[2011/08/11 10:03:22 | 000,001,227 | ---- | M] () -- C:\Users\whoelteam\Desktop\Wu-Tang Clan - Legendary Weapons (Deluxe Edition) - Shortcut.lnk
[2011/08/10 07:44:10 | 000,002,923 | ---- | M] () -- C:\Users\Public\Desktop\Nero StartSmart 10.lnk
[2011/08/10 07:42:39 | 000,002,901 | ---- | M] () -- C:\Users\Public\Desktop\Nero Vision 10.lnk
[2011/08/10 07:40:49 | 000,002,895 | ---- | M] () -- C:\Users\Public\Desktop\Nero MediaHub 10.lnk
[2011/08/10 07:37:58 | 000,003,013 | ---- | M] () -- C:\Users\Public\Desktop\Nero BackItUp 10.lnk
[2011/08/10 07:37:19 | 000,002,915 | ---- | M] () -- C:\Users\Public\Desktop\Nero Burning ROM 10.lnk
[2011/08/01 08:17:21 | 000,001,796 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

========== Files Created - No Company Name ==========

[2011/08/17 09:29:27 | 000,000,140 | ---- | C] () -- C:\Windows\System32\bootdelete.lst
[2011/08/16 23:37:40 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2011/08/16 23:37:16 | 002,364,912 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/08/16 23:37:00 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.exe
[2011/08/16 23:20:06 | 000,002,983 | ---- | C] () -- C:\Users\whoelteam\Desktop\HiJackThis.lnk
[2011/08/16 23:20:02 | 000,000,178 | ---- | C] () -- C:\Windows\System32\.crusader
[2011/08/16 21:01:17 | 000,023,624 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2011/08/16 21:00:27 | 000,002,010 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2011/08/16 13:58:52 | 000,001,110 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/16 12:30:57 | 000,001,184 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/16 12:30:57 | 000,001,184 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/15 15:42:09 | 000,000,695 | ---- | C] () -- C:\Users\whoelteam\Desktop\reset.bat
[2011/08/15 00:01:09 | 000,000,000 | ---- | C] () -- C:\Windows\2864435686
[2011/08/14 19:40:00 | 000,001,017 | ---- | C] () -- C:\Users\whoelteam\Desktop\DVDFab 8 Qt.lnk
[2011/08/14 19:28:01 | 000,001,031 | ---- | C] () -- C:\Users\whoelteam\Desktop\DVDFab Decrypter.lnk
[2011/08/14 19:23:09 | 000,001,221 | ---- | C] () -- C:\Users\whoelteam\Desktop\Aimersoft DVD Creator.lnk
[2011/08/14 19:13:28 | 000,000,326 | -HS- | C] () -- C:\Windows\tasks\GKKE.job
[2011/08/14 19:13:24 | 000,064,000 | RHS- | C] () -- C:\Windows\System32\eqossnaps.dll
[2011/08/11 10:03:31 | 000,001,312 | ---- | C] () -- C:\Users\whoelteam\Desktop\DJ.Khaled-We.The.Best.Forever-(Deluxe.Edition)-2011-[NoFS] - Shortcut.lnk
[2011/08/11 10:03:22 | 000,001,227 | ---- | C] () -- C:\Users\whoelteam\Desktop\Wu-Tang Clan - Legendary Weapons (Deluxe Edition) - Shortcut.lnk
[2011/08/10 07:44:10 | 000,002,923 | ---- | C] () -- C:\Users\Public\Desktop\Nero StartSmart 10.lnk
[2011/08/10 07:42:39 | 000,002,901 | ---- | C] () -- C:\Users\Public\Desktop\Nero Vision 10.lnk
[2011/08/10 07:40:49 | 000,002,895 | ---- | C] () -- C:\Users\Public\Desktop\Nero MediaHub 10.lnk
[2011/08/10 07:37:58 | 000,003,013 | ---- | C] () -- C:\Users\Public\Desktop\Nero BackItUp 10.lnk
[2011/08/10 07:37:19 | 000,002,915 | ---- | C] () -- C:\Users\Public\Desktop\Nero Burning ROM 10.lnk
[2011/08/01 08:17:21 | 000,001,796 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/07/14 08:44:39 | 000,036,401 | ---- | C] () -- C:\Users\whoelteam\AppData\Roaming\Comma Separated Values (Windows).ADR
[2011/06/19 01:03:43 | 000,012,092 | -HS- | C] () -- C:\ProgramData\h5j433t77k
[2011/04/20 21:39:58 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/12/01 00:21:19 | 000,274,490 | ---- | C] () -- C:\Windows\System32\flac.dll
[2010/12/01 00:21:19 | 000,106,496 | ---- | C] () -- C:\Windows\VMix.dll
[2010/12/01 00:21:19 | 000,045,056 | ---- | C] () -- C:\Windows\System32\cmrmdrvw.dll
[2010/12/01 00:21:19 | 000,040,960 | ---- | C] () -- C:\Windows\System32\WMB54G.dll
[2010/12/01 00:21:16 | 000,491,520 | ---- | C] () -- C:\Windows\System32\cmaudiow.dll
[2010/11/04 11:07:45 | 000,000,235 | ---- | C] () -- C:\Users\whoelteam\AppData\Roaming\devices.xml
[2010/11/04 11:07:45 | 000,000,012 | ---- | C] () -- C:\Users\whoelteam\AppData\Roaming\settings.xml
[2010/10/31 16:02:14 | 000,019,558 | ---- | C] () -- C:\Windows\hpoins01.dat
[2010/10/31 16:02:14 | 000,016,606 | ---- | C] () -- C:\Windows\hpomdl01.dat
[2010/08/25 20:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 20:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 20:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 19:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/06/16 01:08:55 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2010/04/23 23:46:29 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll
[2010/01/20 16:13:03 | 000,000,000 | ---- | C] () -- C:\ProgramData\setup32.exe
[2009/12/11 12:27:03 | 000,005,632 | ---- | C] () -- C:\Users\whoelteam\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/06 23:34:37 | 000,025,640 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2009/12/03 09:27:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/13 18:09:19 | 000,139,824 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2010/06/16 01:09:15 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\Canneverbe Limited
[2011/05/07 17:41:14 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\DVDVideoSoft
[2010/06/02 18:34:35 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\Facebook
[2011/08/03 15:45:44 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\FileZilla
[2011/02/26 23:23:28 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\ooVoo Details
[2010/09/14 19:09:44 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\Research In Motion
[2011/05/07 16:11:46 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\Teleca
[2010/04/25 17:48:31 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\W Photo Studio Viewer
[2010/09/16 22:12:37 | 000,000,000 | ---D | M] -- C:\Users\whoelteam\AppData\Roaming\webex
[2011/08/17 09:17:51 | 000,000,326 | -HS- | M] () -- C:\Windows\Tasks\GKKE.job
[2009/07/14 00:53:46 | 000,029,900 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >





Any help would be appreciated on this one Thanks in advance!
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
It's not all that new. I've seen most of it before.

This FF Extension: (XUL Cache) is evil.
Also there is a scheduled task with a random name C:\Windows\tasks\GKKE.job
which probably runs this dll: C:\Windows\System32\eqossnaps.dll
The other two I'm not sure are part of it but they are random names which is always a bad sign. There may also be a TDSS infection or something else hidden so we will run a few more scans to see.



Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Uninstall
Yahoo! Toolbar
Hitman Pro (Don't want it interfering)

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

Pause McAfee.

Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:OTL
[2011/08/16 10:18:23 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Firefox\Profiles\5iskg2hu.default\extensions\{7985fe35-b8d1-43d5-9bc8-cf34e726d63a}
[2011/08/17 09:17:51 | 000,000,326 | -HS- | M] () -- C:\Windows\tasks\GKKE.job
[2011/08/15 12:07:25 | 000,000,000 | ---- | M] () -- C:\Windows\2864435686
[2011/08/14 19:13:25 | 000,064,000 | RHS- | M] () -- C:\Windows\System32\eqossnaps.dll
[2011/06/19 01:03:43 | 000,012,092 | -HS- | C] () -- C:\ProgramData\h5j433t77k
    
:Commands
[purity]
[Reboot]


then Rightclick on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

If one of the following will not run then just skip to the next one then go back and try the things that wouldn't run again after finishing the others.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

Rightclick on Malwarebytes' Anti-Malware and select Run As Administrator and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix


:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html (McAfee is particular good at removing key parts of Combofix - even tho it is not very good at finding a virus)


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply.

Open OTL again (Right click and Run As Administrator) and select the All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply. If you still have problems with the funny characters, delete them but then also attach the file.

Are you still getting redirected?

If so:
Download and Save the free Avast installer.
http://www.avast.com...ivirus-download
Download the McAfee Removal tool
http://download.mcaf...atches/MCPR.exe
(If you think you might want to reinstall McAfee later then follow the instructions here to save your license info:
http://service.mcafe...spx?id=TS100507 )
Uninstall McAfee, run the McAfee uninstall tool, reboot.
Install Avast.

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?




Ron
  • 0

#3
wholeteam

wholeteam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
ok sir u are a genius that worked like a charm, looked like we were blowing away a mosquito with a bomb!!!
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
I take it we killed it? I sort of figured that the OTL script would get most of it but I like to be sure.

Where's my logs?

Ron
  • 0

#5
wholeteam

wholeteam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
in this post I have attached the logs that it found, ultimately I saw combofix do alot of the work when it killed alot of the firefox profiles under all the profiles on the computer.

Attached Files


  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Yes, CF can look in all profiles but it was the same extension that I removed.

Combofix found c:\windows\System32\autochk.exe was infected and it doesn't say it cured it:

We may need to replace the file. Either run Combofix again and check to see if the file is still infected or submit it to http://virustotal.com and see if it is clean or just go ahead and replace it with one from your other systems. Windows might even do it for us:

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).

sfc /scannow

(SPACE after sfc. This will check your critical system files. )


Also still looking for the final OTL logs:
Open OTL again (Right click and Run As Administrator) and select the All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply. If you still have problems with the funny characters, delete them but then also attach the file.

Ron
  • 0

#7
wholeteam

wholeteam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
ok that autocheck.exe checked out ok from the viraltools site. I have now attached the other files from your last instructions the SFC command gave an error at the end that some files could not be fixed.


the SFC made a log also called cbs.txt which for some reason i cant attach and its too big to paste in here

it also says it cannot repair that same file


POQ 83 starts:

POQ 83 ends.
2011-08-17 23:04:07, Info CSI 000001b8 [SR] Verify complete
2011-08-17 23:04:07, Info CSI 000001b9 [SR] Repairing 1 components
2011-08-17 23:04:07, Info CSI 000001ba [SR] Beginning Verify and Repair transaction
2011-08-17 23:04:07, Info CSI 000001bb Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:kdIeGGpFKmcw1RlxNZz7/qyYYSdwOQXR4u2tsCWukkY=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-08-17 23:04:07, Info CSI 000001bc [SR] Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-08-17 23:04:07, Info CSI 000001bd Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:kdIeGGpFKmcw1RlxNZz7/qyYYSdwOQXR4u2tsCWukkY=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-08-17 23:04:07, Info CSI 000001be [SR] Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-08-17 23:04:07, Info CSI 000001bf [SR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2011-08-17 23:04:07, Info CSI 000001c0 Hashes for file member \??\C:\Windows\System32\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:kdIeGGpFKmcw1RlxNZz7/qyYYSdwOQXR4u2tsCWukkY=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-08-17 23:04:07, Info CSI 000001c1 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:kdIeGGpFKmcw1RlxNZz7/qyYYSdwOQXR4u2tsCWukkY=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-08-17 23:04:07, Info CSI 000001c2 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"autochk.exe"; source file in store is also corrupted
2011-08-17 23:04:07, Info CSI 000001c3 Repair results created:
POQ 84 starts:

POQ 84 ends.
2011-08-17 23:04:07, Info CSI 000001c4 [SR] Repair complete
2011-08-17 23:04:07, Info CSI 000001c5 [SR] Committing transaction
2011-08-17 23:04:07, Info CSI 000001c6 Creating NT transaction (seq 2), objectname [6]"(null)"
2011-08-17 23:04:07, Info CSI 000001c7 Created NT transaction (seq 2) result 0x00000000, handle @0x12a4
2011-08-17 23:04:07, Info CSI [email protected]/8/18:03:04:07.837 CSI perf trace:
CSIPERF:TXCOMMIT;5
2011-08-17 23:04:07, Info CSI 000001c9 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired

Attached Files


  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
I think we need to replace the autochk.exe file. Can you get one from another Win 7 computer? I could send you one from mine but it's only Vista so might not work.

We can look on the sick PC with OTL to see if there is another one that might work:


Copy the next three lines:


/md5start
autochk.exe
/md5stop

Right click on OTL and Run As Administrator. Paste in the above into the Custom Scan/Fixes box and press Run Scan. Copy and paste the log in your next reply.

Ron
  • 0

#9
wholeteam

wholeteam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
ok here's the redone scan log file from OTL

OTL logfile created on: 8/18/2011 8:03:28 AM - Run 3
OTL by OldTimer - Version 3.2.26.5 Folder = C:\accessories\spyware and av
An unknown product Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.21 Gb Available Physical Memory | 40.80% Memory free
5.92 Gb Paging File | 3.62 Gb Available in Paging File | 61.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.05 Gb Total Space | 26.83 Gb Free Space | 9.00% Space Free | Partition Type: NTFS
Drive H: | 465.76 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS

Computer Name: WHOLETEAM-DELL2 | User Name: wholeteam | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/17 10:28:14 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\accessories\spyware and av\OTL.exe
PRC - [2011/07/21 16:20:08 | 000,161,336 | ---- | M] (Google) -- C:\Users\whoelteam\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
PRC - [2011/06/24 00:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/06/23 01:41:08 | 001,306,728 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/06/01 10:00:17 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2011/02/10 00:47:03 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:00 | 000,302,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe
PRC - [2010/10/02 16:20:00 | 004,537,280 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
PRC - [2010/09/24 13:19:08 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/09/15 12:41:16 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/26 10:52:24 | 001,234,216 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
PRC - [2010/03/25 14:39:22 | 000,490,280 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe
PRC - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/12/22 08:57:22 | 001,172,992 | ---- | M] (Vitalwerks LLC) -- C:\Program Files\No-IP\DUC20.exe
PRC - [2009/07/13 21:14:21 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetsrv\inetinfo.exe
PRC - [2009/07/13 21:14:19 | 001,971,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\DVD Maker\DVDMaker.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/27 10:18:32 | 000,217,088 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2009/01/31 16:15:38 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2009/01/31 14:43:30 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2009/01/26 16:31:12 | 005,365,592 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/11/24 05:56:46 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/11/12 21:49:58 | 001,085,513 | ---- | M] (Linksys) -- C:\Program Files\Linksys\WMB54G\WMB54G.exe
PRC - [2007/10/05 12:22:38 | 000,283,466 | ---- | M] (C-Media) -- C:\Program Files\Linksys\WMB54G\Driver\CmFlywav.exe
PRC - [2006/12/05 13:00:28 | 000,061,516 | ---- | M] (C-Media Electronics Inc.) -- C:\Program Files\Linksys\WMB54G\Driver\cmas2ds.exe
PRC - [2006/04/21 17:18:26 | 014,651,392 | ---- | M] (Macromedia, Inc.) -- C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
PRC - [2005/08/24 23:21:58 | 016,175,104 | ---- | M] (Macromedia Inc.) -- C:\Program Files\Macromedia\Fireworks 8\Fireworks.exe
PRC - [2004/12/14 03:12:02 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) -- C:\Program Files\TightVNC\WinVNC.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/17 20:40:44 | 006,277,280 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2010/09/15 12:41:16 | 001,016,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2009/11/10 16:39:24 | 000,929,792 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/06/05 14:20:15 | 000,140,800 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2009/02/14 06:04:38 | 000,756,040 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL
MOD - [2008/10/26 06:42:14 | 000,065,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
MOD - [2008/06/19 18:35:36 | 000,333,288 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy\sqlite3.dll
MOD - [2008/03/05 10:34:32 | 000,795,520 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy\Plugins\Fennel.dll
MOD - [2008/03/04 15:52:00 | 000,790,392 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy\Plugins\Chai.dll
MOD - [2008/02/26 12:04:40 | 000,717,176 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy\Plugins\Mate.dll
MOD - [2007/12/24 02:05:00 | 000,121,344 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy\Plugins\TCPIPAddress.dll
MOD - [2007/07/03 19:33:36 | 000,106,496 | ---- | M] () -- C:\Windows\VMix.dll
MOD - [2006/10/27 16:35:18 | 000,436,512 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
MOD - [2006/09/25 13:40:36 | 000,274,490 | ---- | M] () -- C:\Program Files\Linksys\WMB54G\Driver\flac.dll
MOD - [2006/03/21 21:08:48 | 000,491,520 | ---- | M] () -- C:\Program Files\Linksys\WMB54G\cmaudiow.dll
MOD - [2005/12/20 00:41:38 | 000,131,072 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\libcurl.dll
MOD - [2005/08/30 16:32:04 | 000,106,496 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\Configuration\JSExtensions\DWfile.dll
MOD - [2005/08/30 16:32:02 | 000,192,512 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\NetIOFTP.dll
MOD - [2005/08/30 16:28:48 | 000,528,384 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\Workspace.dll
MOD - [2005/08/30 16:28:20 | 000,114,688 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\Configuration\JSExtensions\MM.dll
MOD - [2005/08/30 16:28:12 | 000,106,496 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\Configuration\JSExtensions\SWFFile.dll
MOD - [2005/08/30 16:27:14 | 000,073,728 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\NetIO.dll
MOD - [2005/08/30 16:26:42 | 000,126,976 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\CoreTypes.dll
MOD - [2005/08/30 16:23:26 | 000,843,776 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\libeay32.dll
MOD - [2005/08/30 16:23:26 | 000,159,744 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\ssleay32.dll
MOD - [2005/08/30 16:19:42 | 001,052,672 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\Configuration\flash player\FlashPlayerW.dll
MOD - [2005/08/30 16:13:28 | 000,015,360 | ---- | M] () -- C:\Program Files\Macromedia\Dreamweaver 8\Configuration\JSExtensions\DWEMLaunch.dll
MOD - [2005/08/24 22:54:04 | 000,106,496 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\giflib.dll
MOD - [2005/08/24 22:53:24 | 000,335,872 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\jslib.dll
MOD - [2005/08/24 22:53:06 | 000,106,496 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\python.dll
MOD - [2005/08/24 22:53:00 | 000,118,784 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\libpng.dll
MOD - [2005/08/24 22:52:56 | 000,069,632 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\zlib.dll
MOD - [2005/08/24 22:50:50 | 000,040,960 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\SN.dll
MOD - [2005/08/24 22:50:28 | 001,638,400 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\Plug-Ins\authplay.dll
MOD - [2001/11/09 01:44:06 | 004,558,910 | ---- | M] () -- C:\Program Files\Macromedia\Fireworks 8\Plug-Ins\gsdll32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (0195511313283042mcinstcleanup) McAfee Application Installer Cleanup (0195511313283042)
SRV - [2011/08/07 13:22:01 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/06/23 15:22:58 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2011/02/10 00:47:03 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\Windows\System32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/26 02:06:49 | 000,309,760 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV - [2010/11/20 08:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/20 08:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/20 08:18:03 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2010/09/24 13:19:16 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/09/24 13:19:16 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/09/24 13:19:08 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/03/25 14:39:22 | 000,490,280 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2010/02/26 04:00:36 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/12/22 08:57:22 | 001,172,992 | ---- | M] (Vitalwerks LLC) [Auto | Running] -- C:\Program Files\No-IP\DUC20.exe -- (NoIPDUCService)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:14:48 | 000,009,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\inetsrv\WMSvc.exe -- (WMSVC)
SRV - [2009/07/13 21:14:21 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2003/08/01 19:28:24 | 000,474,624 | ---- | M] (Constantin Kaplinsky) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - [2002/09/03 15:46:36 | 001,282,112 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Kaiser\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,163,400 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,064,648 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/09/14 09:16:06 | 000,108,480 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/10/26 08:54:24 | 000,025,088 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/09/03 17:33:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/09/03 17:33:38 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
DRV - [2009/07/13 18:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®
DRV - [2009/03/25 01:25:24 | 000,197,680 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/05/28 18:01:00 | 000,235,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM13Vid.sys -- (OEM13Vid)
DRV - [2007/03/29 11:25:18 | 001,410,240 | ---- | M] (C-Media Electronics Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmudaxv.sys -- (cmvad)
DRV - [2007/03/05 11:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM13Vfx.sys -- (OEM13Vfx)
DRV - [2004/10/25 15:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\pcasp50.sys -- (PCASp50)
DRV - [2004/03/23 22:12:34 | 000,017,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\nsndis5.sys -- (NSNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USSMB/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 46 6E 34 01 D2 BD 89 4A 8A A2 DD 11 A0 6F B1 44 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========



FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\whoelteam\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\whoelteam\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\whoelteam\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\whoelteam\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\whoelteam\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/08/10 01:17:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/06/01 10:01:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/01 10:00:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/01 10:01:36 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{1978D798-BAC6-45F1-8C74-0A017DB9028D}: C:\Users\whoelteam\AppData\Local\{1978D798-BAC6-45F1-8C74-0A017DB9028D}\ [2011/08/14 23:42:25 | 000,000,000 | ---D | M]

[2009/12/06 23:50:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Extensions
[2011/08/17 20:20:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Firefox\Profiles\5iskg2hu.default\extensions
[2011/06/22 08:39:48 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\whoelteam\AppData\Roaming\mozilla\Firefox\Profiles\5iskg2hu.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/02/26 23:22:17 | 000,001,919 | ---- | M] () -- C:\Users\whoelteam\AppData\Roaming\Mozilla\Firefox\Profiles\5iskg2hu.default\searchplugins\bing-zugo.xml
[2011/08/16 23:29:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/09 07:03:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/02/28 10:35:00 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2011/08/17 19:58:01 | 000,435,637 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15020 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110816171840.dll (McAfee, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NBAgent] C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Nero AG)
O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\TightVNC\WinVNC.exe (Constantin Kaplinsky)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Users\whoelteam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe (Vitalwerks LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/17 19:55:34 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{E5FE896F-8125-4093-AF44-25F32D5138B4}
[2011/08/17 19:55:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/08/17 19:55:03 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{095EDC25-E39E-4A88-845E-EBA7E0197D10}
[2011/08/17 19:37:10 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/08/17 19:14:14 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\temp
[2011/08/17 14:13:15 | 000,518,144 | R--- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/08/17 14:13:15 | 000,406,528 | R--- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/08/17 14:13:15 | 000,060,416 | R--- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/08/17 13:54:36 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{176CDC81-CB37-447F-B0DA-3009B1DD95EF}
[2011/08/17 13:54:22 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1F0E639A-96F6-44B5-8459-28CB6B9FD38E}
[2011/08/17 13:51:15 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/08/17 13:47:46 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{AA4A63AE-5541-4F83-800F-9E3454D5A0D8}
[2011/08/17 13:47:29 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1A39977E-C50B-4CCC-8A8D-A54F1C13B749}
[2011/08/17 13:43:39 | 000,058,288 | ---- | C] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll
[2011/08/17 09:20:47 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{337BBB7E-9AC7-4C87-A3E9-70E80506704D}
[2011/08/17 09:20:30 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{F3640F0D-6A17-4973-A109-411BC6518CA5}
[2011/08/17 09:09:47 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/08/17 09:08:21 | 000,000,000 | ---D | C] -- C:\registrybackup
[2011/08/17 08:19:10 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{33B1F291-16E7-4D6B-8D97-59018B6C5CF3}
[2011/08/17 08:18:58 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{41DD4C0A-D108-426A-B2DF-9ABA25D81877}
[2011/08/16 23:20:06 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/08/16 23:20:03 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/08/16 23:09:09 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{142E3B46-CD00-474B-B2D4-ACFEA80DB2E1}
[2011/08/16 23:02:52 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{38EC1D8B-711A-4C9E-AB42-AE07E8D4AF6E}
[2011/08/16 23:02:38 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{CBB2FB88-590C-45BF-AAEB-788EBA3926D5}
[2011/08/16 21:28:19 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{8C5CBBFD-DE1F-44A9-B661-D63B7229790D}
[2011/08/16 21:00:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2011/08/16 21:00:26 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/08/16 20:02:53 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{A4FC60C6-136A-479B-8B45-ED3095B9B956}
[2011/08/16 20:02:40 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{BFF4CFF3-EA5C-4153-96B6-176A65009F30}
[2011/08/16 15:16:21 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{883428A0-E7A1-4FB2-9168-0452B5C6C23A}
[2011/08/16 13:58:57 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Roaming\Malwarebytes
[2011/08/16 13:58:51 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/08/16 13:58:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/16 13:58:44 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/08/16 13:58:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/16 13:25:23 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\Nero
[2011/08/16 12:34:03 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{3D626994-A3BA-4F79-B793-AB4D8C9F8A4A}
[2011/08/16 10:08:34 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{9A34AE45-E9E6-48ED-B2DD-691CF865C36E}
[2011/08/16 10:08:17 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{B705349B-8C5E-4B55-9020-D7796E56B206}
[2011/08/16 01:29:12 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\PackageAware
[2011/08/16 00:32:28 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{090B33A6-5A80-418C-9991-ACEACFAF1FC9}
[2011/08/15 16:42:43 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{B24F19EC-A443-40D3-AE87-4966EE991236}
[2011/08/15 15:15:22 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{C5C07D01-4623-4145-BC31-29C4EEC3CA70}
[2011/08/15 15:15:08 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{8F2DFBF9-1979-4D44-BF5F-83C24A986CB8}
[2011/08/15 15:01:13 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{9CD6C905-F755-4F2C-AA23-098CACAA360B}
[2011/08/15 14:37:36 | 000,197,680 | ---- | C] (Alps Electric Co., Ltd.) -- C:\Windows\System32\drivers\Apfiltr.sys
[2011/08/15 14:24:25 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{4E4280C3-CE53-47BC-A064-43A68C2635A7}
[2011/08/15 14:24:08 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{C4129BFC-C14F-48C6-8CF8-B25D8A3D9785}
[2011/08/15 13:34:24 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{75416CA0-DB20-4FE7-A24B-6D1163E5444C}
[2011/08/14 23:42:24 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1978D798-BAC6-45F1-8C74-0A017DB9028D}
[2011/08/14 20:09:46 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/08/14 19:40:15 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\Documents\DVDFab
[2011/08/14 19:40:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDFab 8 Qt
[2011/08/14 19:39:39 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab 8 Qt
[2011/08/14 19:28:10 | 000,000,000 | ---D | C] -- C:\DVDFabDecrypter_Temp
[2011/08/14 19:28:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDFab Decrypter
[2011/08/14 19:27:58 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab Decrypter
[2011/08/14 19:23:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Aimersoft
[2011/08/14 19:22:40 | 000,000,000 | ---D | C] -- C:\Program Files\Aimersoft
[2011/08/14 18:24:45 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\Documents\DVD Creator
[2011/08/14 13:34:11 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\Documents\NeroVision
[2011/08/11 09:54:28 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{700C9AC6-AAC6-4B31-8BEA-28680E298121}
[2011/08/11 09:54:11 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1C2C2639-422C-4F42-B0B6-939F7FE6FD64}
[2011/08/11 09:53:26 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Roaming\Nero
[2011/08/11 03:01:38 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2011/08/10 07:36:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Nero
[2011/08/10 07:35:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2011/08/10 07:35:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero
[2011/08/10 07:35:50 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2011/08/10 07:32:51 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{331D4135-92B2-4399-A4A7-FF06C5D17D36}
[2011/08/10 03:07:27 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/08/10 03:07:26 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/08/10 03:07:26 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/08/10 03:07:26 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/08/10 03:07:24 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/08/09 23:12:15 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll
[2011/08/09 23:11:50 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2011/08/09 23:11:25 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_40.dll
[2011/08/09 23:11:01 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll
[2011/08/09 23:10:36 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_34.dll
[2011/08/09 23:10:11 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2011/08/09 22:10:40 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/08/09 22:10:39 | 003,967,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/08/09 22:10:22 | 000,271,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
[2011/08/09 22:10:22 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2011/08/09 22:10:22 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
[2011/08/09 22:10:22 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
[2011/08/09 22:10:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
[2011/08/09 22:10:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
[2011/08/09 22:10:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
[2011/08/09 22:10:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
[2011/08/09 22:10:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
[2011/08/09 22:10:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
[2011/08/09 22:10:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
[2011/08/09 22:10:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
[2011/08/09 22:10:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
[2011/08/09 22:10:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
[2011/08/09 22:10:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
[2011/08/09 22:10:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
[2011/08/09 22:10:20 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
[2011/08/09 22:10:20 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
[2011/08/09 22:10:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
[2011/08/09 22:10:19 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
[2011/08/09 22:10:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
[2011/08/09 22:10:14 | 000,319,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\odbcjt32.dll
[2011/08/09 22:10:14 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\odbctrac.dll
[2011/08/09 22:10:14 | 000,122,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\odbccp32.dll
[2011/08/09 22:10:14 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\odbccu32.dll
[2011/08/09 22:10:14 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\odbccr32.dll
[2011/08/08 18:37:08 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{1F403329-B00F-49DF-86E8-E377146AC085}
[2011/08/08 18:36:47 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{844C133F-6BB6-4995-B556-B530BA740463}
[2011/08/08 08:29:00 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{19F73B67-6CDA-4B44-8987-D3F9EE626BC6}
[2011/08/08 08:28:42 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{42A1D9F8-3585-4158-BB75-A92603184366}
[2011/08/07 13:21:57 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{07F9EDF7-7590-49FC-A575-C51F7DA74993}
[2011/08/07 13:21:31 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{AF0697C5-2F9B-43E8-86FA-772BF2A65A0D}
[2011/08/01 23:20:35 | 000,000,000 | ---D | C] -- C:\Users\whoelteam\AppData\Local\{226819F7-97CD-4705-A6BB-F4AEDB8C57D5}
[2011/08/01 08:17:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/08/01 08:15:52 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/08/01 08:15:51 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/08/01 08:10:39 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/02/11 18:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2011/08/18 07:54:24 | 000,001,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/18 07:54:24 | 000,001,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/18 07:29:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1983123432-918471795-1554061222-1000UA.job
[2011/08/18 04:36:39 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1983123432-918471795-1554061222-1000Core.job
[2011/08/17 21:56:48 | 002,249,650 | ---- | M] () -- C:\Users\whoelteam\Documents\Mad Resume Pt 2.jpg
[2011/08/17 21:55:33 | 003,478,840 | ---- | M] () -- C:\Users\whoelteam\Documents\Mad Resume.jpg
[2011/08/17 21:30:21 | 000,000,632 | RHS- | M] () -- C:\Users\whoelteam\ntuser.pol
[2011/08/17 20:40:44 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/08/17 19:58:01 | 000,435,637 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/08/17 19:56:13 | 000,023,624 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2011/08/17 19:55:19 | 000,001,790 | ---- | M] () -- C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
[2011/08/17 19:53:52 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll
[2011/08/17 19:53:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/17 19:53:38 | 2385,162,240 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/17 19:32:22 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110817-195801.backup
[2011/08/17 09:29:27 | 000,000,178 | ---- | M] () -- C:\Windows\System32\.crusader
[2011/08/17 09:09:48 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110817-100354.backup
[2011/08/16 23:37:40 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2011/08/16 23:37:33 | 002,364,912 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/08/16 23:20:06 | 000,002,983 | ---- | M] () -- C:\Users\whoelteam\Desktop\HiJackThis.lnk
[2011/08/16 13:58:52 | 000,001,110 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/15 15:42:09 | 000,000,695 | ---- | M] () -- C:\Users\whoelteam\Desktop\reset.bat
[2011/08/15 10:53:01 | 270,663,073 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/08/14 19:40:00 | 000,001,017 | ---- | M] () -- C:\Users\whoelteam\Desktop\DVDFab 8 Qt.lnk
[2011/08/14 19:28:01 | 000,001,031 | ---- | M] () -- C:\Users\whoelteam\Desktop\DVDFab Decrypter.lnk
[2011/08/14 19:23:09 | 000,001,221 | ---- | M] () -- C:\Users\whoelteam\Desktop\Aimersoft DVD Creator.lnk
[2011/08/11 10:03:31 | 000,001,312 | ---- | M] () -- C:\Users\whoelteam\Desktop\DJ.Khaled-We.The.Best.Forever-(Deluxe.Edition)-2011-[NoFS] - Shortcut.lnk
[2011/08/11 10:03:22 | 000,001,227 | ---- | M] () -- C:\Users\whoelteam\Desktop\Wu-Tang Clan - Legendary Weapons (Deluxe Edition) - Shortcut.lnk
[2011/08/10 07:44:10 | 000,002,923 | ---- | M] () -- C:\Users\Public\Desktop\Nero StartSmart 10.lnk
[2011/08/10 07:42:39 | 000,002,901 | ---- | M] () -- C:\Users\Public\Desktop\Nero Vision 10.lnk
[2011/08/10 07:40:49 | 000,002,895 | ---- | M] () -- C:\Users\Public\Desktop\Nero MediaHub 10.lnk
[2011/08/10 07:37:58 | 000,003,013 | ---- | M] () -- C:\Users\Public\Desktop\Nero BackItUp 10.lnk
[2011/08/10 07:37:19 | 000,002,915 | ---- | M] () -- C:\Users\Public\Desktop\Nero Burning ROM 10.lnk
[2011/08/01 08:17:21 | 000,001,796 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/07/21 22:54:43 | 001,797,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/07/21 22:47:24 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/07/21 22:46:48 | 000,065,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/07/21 22:44:36 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/07/21 22:43:07 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

========== Files Created - No Company Name ==========

[2011/08/17 21:56:44 | 002,249,650 | ---- | C] () -- C:\Users\whoelteam\Documents\Mad Resume Pt 2.jpg
[2011/08/17 21:55:28 | 003,478,840 | ---- | C] () -- C:\Users\whoelteam\Documents\Mad Resume.jpg
[2011/08/17 14:13:15 | 000,256,000 | R--- | C] () -- C:\Windows\PEV.exe
[2011/08/17 14:13:15 | 000,208,896 | R--- | C] () -- C:\Windows\MBR.exe
[2011/08/17 14:13:15 | 000,098,816 | R--- | C] () -- C:\Windows\sed.exe
[2011/08/17 14:13:15 | 000,080,412 | R--- | C] () -- C:\Windows\grep.exe
[2011/08/17 14:13:15 | 000,068,096 | R--- | C] () -- C:\Windows\zip.exe
[2011/08/16 23:37:40 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2011/08/16 23:37:16 | 002,364,912 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/08/16 23:20:06 | 000,002,983 | ---- | C] () -- C:\Users\whoelteam\Desktop\HiJackThis.lnk
[2011/08/16 23:20:02 | 000,000,178 | ---- | C] () -- C:\Windows\System32\.crusader
[2011/08/16 21:01:17 | 000,023,624 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2011/08/16 13:58:52 | 000,001,110 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/16 12:30:57 | 000,001,184 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/16 12:30:57 | 000,001,184 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/15 15:42:09 | 000,000,695 | ---- | C] () -- C:\Users\whoelteam\Desktop\reset.bat
[2011/08/14 19:40:00 | 000,001,017 | ---- | C] () -- C:\Users\whoelteam\Desktop\DVDFab 8 Qt.lnk
[2011/08/14 19:28:01 | 000,001,031 | ---- | C] () -- C:\Users\whoelteam\Desktop\DVDFab Decrypter.lnk
[2011/08/14 19:23:09 | 000,001,221 | ---- | C] () -- C:\Users\whoelteam\Desktop\Aimersoft DVD Creator.lnk
[2011/08/11 10:03:31 | 000,001,312 | ---- | C] () -- C:\Users\whoelteam\Desktop\DJ.Khaled-We.The.Best.Forever-(Deluxe.Edition)-2011-[NoFS] - Shortcut.lnk
[2011/08/11 10:03:22 | 000,001,227 | ---- | C] () -- C:\Users\whoelteam\Desktop\Wu-Tang Clan - Legendary Weapons (Deluxe Edition) - Shortcut.lnk
[2011/08/10 07:44:10 | 000,002,923 | ---- | C] () -- C:\Users\Public\Desktop\Nero StartSmart 10.lnk
[2011/08/10 07:42:39 | 000,002,901 | ---- | C] () -- C:\Users\Public\Desktop\Nero Vision 10.lnk
[2011/08/10 07:40:49 | 000,002,895 | ---- | C] () -- C:\Users\Public\Desktop\Nero MediaHub 10.lnk
[2011/08/10 07:37:58 | 000,003,013 | ---- | C] () -- C:\Users\Public\Desktop\Nero BackItUp 10.lnk
[2011/08/10 07:37:19 | 000,002,915 | ---- | C] () -- C:\Users\Public\Desktop\Nero Burning ROM 10.lnk
[2011/08/01 08:17:21 | 000,001,796 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/07/14 08:44:39 | 000,036,401 | ---- | C] () -- C:\Users\whoelteam\AppData\Roaming\Comma Separated Values (Windows).ADR
[2011/04/20 21:39:58 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/12/01 00:21:19 | 000,274,490 | ---- | C] () -- C:\Windows\System32\flac.dll
[2010/12/01 00:21:19 | 000,106,496 | ---- | C] () -- C:\Windows\VMix.dll
[2010/12/01 00:21:19 | 000,045,056 | ---- | C] () -- C:\Windows\System32\cmrmdrvw.dll
[2010/12/01 00:21:19 | 000,040,960 | ---- | C] () -- C:\Windows\System32\WMB54G.dll
[2010/12/01 00:21:16 | 000,491,520 | ---- | C] () -- C:\Windows\System32\cmaudiow.dll
[2010/11/04 11:07:45 | 000,000,235 | ---- | C] () -- C:\Users\whoelteam\AppData\Roaming\devices.xml
[2010/11/04 11:07:45 | 000,000,012 | ---- | C] () -- C:\Users\whoelteam\AppData\Roaming\settings.xml
[2010/10/31 16:02:14 | 000,019,558 | ---- | C] () -- C:\Windows\hpoins01.dat
[2010/10/31 16:02:14 | 000,016,606 | ---- | C] () -- C:\Windows\hpomdl01.dat
[2010/08/25 20:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 20:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 20:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 19:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/06/16 01:08:55 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2010/04/23 23:46:29 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll
[2010/01/20 16:13:03 | 000,000,000 | ---- | C] () -- C:\ProgramData\setup32.exe
[2009/12/11 12:27:03 | 000,005,632 | ---- | C] () -- C:\Users\whoelteam\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/06 23:34:37 | 000,025,640 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2009/12/03 09:27:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/13 18:09:19 | 000,139,824 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Custom Scans ==========



< MD5 for: AUTOCHK.EXE >
[2009/07/13 21:14:12 | 000,668,160 | ---- | M] (Microsoft Corporation) MD5=16EE641CACB3BC9B1B4F8BAA0B51C098 -- C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe
[2008/04/14 08:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\I386\AUTOCHK.EXE
[2008/04/13 13:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\Windows.old\Program Files\Dell\DBRM\osmedia\I386\AUTOCHK.EXE
[2008/04/14 05:42:14 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\Windows.old\Windows\system32\autochk.exe
[2008/04/14 05:42:14 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\Windows.old\Windows\system32\dllcache\autochk.exe
[2010/11/20 08:16:54 | 000,668,160 | ---- | M] (Microsoft Corporation) MD5=C36A292AFAD475C9280E0FBED989CD73 -- C:\Windows\System32\autochk.exe
[2010/11/20 08:16:54 | 000,668,160 | ---- | M] (Microsoft Corporation) MD5=C36A292AFAD475C9280E0FBED989CD73 -- C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe

< End of report >

Attached Files

  • Attached File  OTL2.Txt   117.33KB   24 downloads

  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Sorry for the delay. We were off island today and just got back.

I'd try this one:

C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe

(Right click on it and select Properties and see what version number it has. It should be 6. something.)

All of the others are XP files.

See if you can copy it to C:\Windows\System32\autochk.exe and overwrite the old one. If it's in use we can use OTL:

:files
C:\WINDOWS\System32\drivers\autochk.exe|C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe /replace

Copy the above then right click on OTL and Run As Administrator then paste it into the Custom Scans/Fixes box and hit Run Fix. Then run Combofix and see if it still complains about the file being infected.

Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP