trojan.generic and trojan.obfuscated.gx problem


Post by luv2tvl on Sun 12 Sep 2010, 1:22 am

Hello,
Please be patient with me as I am only slightly computer literate.

Yesterday my MCAFEE stated it quarantined 2 trojan horses. Ever since then my Internet Explorer keeps locking up, I got a few pop up messages: rundll32.exe is infected / ytbb.exe is infected / and mccpsexe is infected (I'm not 100% sure on the last one).

What do I do? This is a computer that I am using for work and I don't want to lose anything. How do I save everything without saving the infected stuff, and how do I get rid of them?

luv2tvl

Newbie Surfer

Posts : 10
Joined : 2010-09-12
Operating System : microsoft windows xp home version 2002


Re: trojan.generic and trojan.obfuscated.gx problem

Post by Sneakyone on Sun 12 Sep 2010, 10:38 am

Hi.

Please boot into Safe Mode with Networking by rebooting the computer, then rapidly tapping the F8 button until it asks you what mode you would like to boot into.

Once you are at this screen please choose Safe Mode with Networking and run this:

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Note: in the event that OTL fails to run, please use alternate download links to try again:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit


Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Tue 14 Sep 2010, 8:56 am

ok, I can't boot into any mode, safe or otherwise. It stops at mcpvdrv.sys, then reboots back to the beginning. I ran Spyware Doctor, in safe mode, to get rid of the trojans, and since then it won't boot in any mode. I know mcpvdrv is a McAfee component; beyond that, not sure what to do. I have important stuff on the drive I want to save if I can, but I can't get it off the disk manually (my XP copy will let me do a repair, but I can't put anything on disk, because I have no floppy on this computer).


Thanks in advance.




luv2tvl

Newbie Surfer

Posts : 10
Joined : 2010-09-12
Operating System : microsoft windows xp home version 2002


Re: trojan.generic and trojan.obfuscated.gx problem

Post by Sneakyone on Tue 14 Sep 2010, 1:24 pm

Hi.

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Step 1: you need to get the appropriate burning software for this task.

Download ISOBurner
  • This will allow you to burn OTLPE ISO to a cd and make it bootable. Just install the program, from there on in it is fairly automatic.
  • See the instructions page for more info.
Step 2: download the OTLPE REATOGO Windows Recovery Environment.
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded, double click it and this will then open ISOBurner to burn the file to CD.
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\_OTL\MovedFiles
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.




Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

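What a helper reads for first in the OTL.txt that this OTLPE run produces (the log is posted further down in the thread), as an added example that is not OTL's own code and not part of the fix procedure in this thread: a small Python script that parses the Internet Settings proxy lines, the O4 Run entries, the O17 nameserver lines and the "File not found" service lines, and flags the patterns worth a second look (a loopback proxy switched on, a static NameServer overriding the DHCP-supplied one, autostarts living in a service account's profile, auto-start services whose binary is gone). The sample lines are constructed after the log in this thread, and the regexes assume OTL's line shapes as shown there.

```python
"""Triage heuristics for OTL / OTLPE log lines (added example, not OTL's own code)."""
import re
from collections import defaultdict

# Line shapes OTL uses for the entries this script cares about (assumed from
# the log format shown in this thread; every other OTL line type is ignored).
IE_RE = re.compile(r'^IE - (HKLM|HKU\\[^\\]+)\\.*Internet Settings: "(\w+)" =\s*(.*)$')
O4_RE = re.compile(r'^O4 - (HKLM|HKU\\[^\\]+?)\.\.\\Run: \[([^\]]*)\] (.*)$')
O17_RE = re.compile(r'^O17 - .*Tcpip\\Parameters: (DhcpNameServer|NameServer) = (.*)$')
SRV_RE = re.compile(r'^SRV - File not found \[(\w+)\] -- (.*?) -- \((.*)\)$')

# Service accounts never log on interactively, so a Run-key autostart living in
# their profile directory has no ordinary reason to be there.
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\")

# Constructed sample, modelled on lines from the OTL log posted in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto] -- C:\WINDOWS\System32\6to4v32.dll -- (6to4)
SRV - File not found [On_Demand] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O4 - HKLM..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\Tina_DaBella_ON_C..\Run: [qkwayawg] C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\dnnncxapi\xiosrwbtssd.exe File not found
O4 - HKU\Tina_DaBella_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.92.226.11 24.92.226.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.127,93.188.161.217
"""


def triage(log_text):
    """Return (category, detail) findings worth a human's attention.

    Categories:
      loopback_proxy_enabled      a hive has ProxyEnable=1 and a 127.0.0.1/localhost
                                  ProxyServer, so browser traffic goes through a local
                                  process before it leaves the machine
      static_dns_overrides_dhcp   NameServer is set and differs from DhcpNameServer
      run_from_service_profile    Run-key autostart under NetworkService/LocalService
      run_from_user_profile       Run-key autostart under Documents and Settings
      auto_service_missing_binary [Auto] service whose image file no longer exists
    """
    findings = []
    proxy = defaultdict(dict)   # hive -> {"ProxyEnable": "1", "ProxyServer": "..."}
    dns = {}                    # "DhcpNameServer" / "NameServer" -> set of resolvers

    for line in log_text.splitlines():
        line = line.rstrip()
        m = IE_RE.match(line)
        if m:
            hive, name, value = m.groups()
            proxy[hive][name] = value
            continue
        m = O4_RE.match(line)
        if m:
            hive, entry, target = m.groups()
            low = target.lower()
            where = f"{hive} [{entry}] {target}"
            if any(p in low for p in SERVICE_PROFILES):
                findings.append(("run_from_service_profile", where))
            elif "\\documents and settings\\" in low:
                findings.append(("run_from_user_profile", where))
            continue
        m = O17_RE.match(line)
        if m:
            name, value = m.groups()
            dns[name] = set(re.split(r"[ ,]+", value.strip()))
            continue
        m = SRV_RE.match(line)
        if m and m.group(1) == "Auto":
            findings.append(("auto_service_missing_binary", f"{m.group(3)}: {m.group(2)}"))

    # Proxy settings are spread over several lines per hive, so judge them together.
    for hive, vals in proxy.items():
        server = vals.get("ProxyServer", "")
        if vals.get("ProxyEnable") == "1" and re.search(r"127\.0\.0\.1|localhost", server):
            findings.append(("loopback_proxy_enabled", f"{hive}: {server}"))

    static, dhcp = dns.get("NameServer"), dns.get("DhcpNameServer", set())
    if static and static != dhcp:
        findings.append(("static_dns_overrides_dhcp",
                         f"NameServer={sorted(static)} DhcpNameServer={sorted(dhcp)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```

Legitimate entries such as the NVIDIA and Google autostarts pass through untouched; the script narrows the log to a handful of lines but does not replace a hand review of the rest.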

Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Wed 15 Sep 2010, 1:12 am

Whenever I try the link to OTLPE I receive a 404 error message. Do you have an alternative link?

luv2tvl

Newbie Surfer

Posts : 10
Joined : 2010-09-12
Operating System : microsoft windows xp home version 2002


Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Wed 15 Sep 2010, 7:26 am

We got it, will post here when we get it.

I say we, because I am her husband, and know a bit more about computers than she does.

luv2tvl

Newbie Surfer

Posts : 10
Joined : 2010-09-12
Operating System : microsoft windows xp home version 2002


Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Wed 15 Sep 2010, 7:42 am

OTL logfile created on: 9/14/2010 5:29:05 PM - Run
OTLPE by OldTimer - Version 3.1.41.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 282.29 Gb Free Space | 94.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 434.85 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [Auto] -- C:\WINDOWS\System32\6to4v32.dll -- (6to4)
SRV - [2010/05/20 17:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/04/15 09:45:10 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/04/14 12:29:58 | 000,170,144 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
SRV - [2010/03/18 10:57:48 | 000,020,480 | ---- | M] (AG Interactive) [Auto] -- C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe -- (AGCoreService)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/09/23 14:33:42 | 001,141,200 | ---- | M] (PC Tools) [Auto] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/09/23 13:17:22 | 000,358,600 | ---- | M] (PC Tools) [Auto] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/06/03 02:41:40 | 000,068,528 | ---- | M] (McAfee) [On_Demand] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/02/19 00:30:20 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- C:\DOCUME~1\TINADA~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/09/10 10:49:55 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/04/03 22:55:32 | 010,232,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/11/17 12:15:28 | 000,063,080 | ---- | M] (McAfee) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\McPvDrv.sys -- (McPvDrv)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/23 17:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/18 18:07:07 | 000,722,432 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ZD1211BU.sys -- (ZD1211BU(Atheros)) Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros)
DRV - [2009/02/11 12:40:40 | 005,028,352 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/12/18 23:43:54 | 000,079,248 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2008/12/18 23:43:12 | 000,063,248 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2008/12/18 23:43:06 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2008/11/12 17:58:38 | 000,145,952 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nvgts.sys -- (nvgts)
DRV - [2008/08/01 11:36:26 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/08/01 11:36:20 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/13 20:10:28 | 000,057,600 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2005/12/15 23:41:56 | 000,408,064 | R--- | M] (SMC Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SMCWGU.sys -- (SMCWGU(SMC)) SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC)
DRV - [2005/09/29 09:34:58 | 000,056,960 | ---- | M] (OrangeWare Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ousb2hub.sys -- (ousb2hub)
DRV - [2005/09/29 09:34:50 | 000,045,824 | ---- | M] (OrangeWare Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ousbehci.sys -- (ousbehci)
DRV - [2005/07/27 18:25:28 | 000,077,056 | ---- | M] (Unibrain S.A.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ubohci.sys -- (ubohci)
DRV - [2005/07/27 18:25:28 | 000,036,352 | ---- | M] (Unibrain S.A.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\UBUMAPI.sys -- (ubumapi)
DRV - [2005/07/27 18:25:28 | 000,014,080 | ---- | M] (Unibrain S.A.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\UBSBM.sys -- (ubsbm)
DRV - [2004/12/15 15:18:32 | 000,220,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/12/15 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKU\Tina_DaBella_ON_C\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "egreetings.com Toolbar"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://search.imgag.com/?appid=egtb&c=&sbs=7&sc=2&f=homepage&vernum=3.2&uid=&did={c9a42d54-d5ed-4ecd-ae65-a6c98731ffcd}&q="
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:3.0
FF - prefs.js..keyword.URL: "http://search.imgag.com/?appid=egtb&c=&sbs=1&sc=&f=web&vernum=3.2&uid=&did={c9a42d54-d5ed-4ecd-ae65-a6c98731ffcd}&component=UnifiedToolbarFF&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{1650a312-02bc-40ee-977e-83f158701739}: C:\Program Files\SiteAdvisor\FF1 [2009/02/03 10:32:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\unifiedtoolbar@aginteractive.com: C:\Program Files\UnifiedToolbar\3.2\Firefox [2010/02/08 12:36:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/08/19 09:23:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/30 09:22:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/11 09:42:09 | 000,000,000 | ---D | M]

[2010/05/24 13:13:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/05/24 13:15:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d333evhj.default\extensions
[2010/05/24 13:15:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d333evhj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/24 13:13:37 | 000,002,050 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d333evhj.default\searchplugins\egreetingscom-toolbar.xml
[2009/11/23 13:21:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/08/02 09:50:29 | 000,101,768 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2010/08/02 09:50:19 | 000,064,392 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2009/11/19 18:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 18:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2010/06/10 15:38:36 | 000,002,021 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100519091931.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\Tina_DaBella_ON_C\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [MBkLogonHook] File not found
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [McPvTray] C:\Program Files\McAfee\Anti-Theft\McPvTray.exe (McAfee)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [mfhikxkt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe (Security Suites Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [YMailAdvisor] C:\Program Files\Yahoo!\Common\YMailAdvisor.exe (Yahoo! Inc.)
O4 - HKU\.DEFAULT..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
O4 - HKU\.DEFAULT..\Run: [Ktohanamisu] C:\WINDOWS\mapin320.DLL (trbarry@trbarry.com)
O4 - HKU\.DEFAULT..\Run: [mfhikxkt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe (Security Suites Corporation)
O4 - HKU\Tina_DaBella_ON_C..\Run: [MoneyAgent] C:\Program Files\Microsoft Money\System\Money Express.exe (Microsoft Corporation)
O4 - HKU\Tina_DaBella_ON_C..\Run: [qkwayawg] C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\dnnncxapi\xiosrwbtssd.exe File not found
O4 - HKU\Tina_DaBella_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Tina DaBella\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe File not found
O4 - Startup: C:\Documents and Settings\Tina DaBella\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Tina_DaBella_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} [You must be registered and logged in to see this link.] (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [You must be registered and logged in to see this link.] (Office Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [You must be registered and logged in to see this link.] (GpcContainer Class)
O16 - DPF: CabBuilder [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.92.226.11 24.92.226.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.127,93.188.161.217
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/03 09:43:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/12 08:07:33 | 000,000,000 | ---D | C] -- C:\test
[2010/09/11 09:47:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Yahoo
[2010/09/11 09:47:06 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
[2010/09/11 09:47:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2010/09/11 09:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama
[2010/09/11 09:44:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk
[2010/09/11 09:43:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/09/11 09:43:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/09/10 11:20:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/09/10 11:20:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/09/10 10:49:55 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2010/09/10 10:49:55 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2010/09/10 10:49:55 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2010/09/10 10:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\bcevrfiot
[2010/09/10 10:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\kcxwrmhvq
[2010/09/10 10:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Application Data\D79E7BE99A6B1AC96034878052C3100F
[2006/02/19 04:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\Tina DaBella\My Documents\*.tmp files -> C:\Documents and Settings\Tina DaBella\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/14 17:30:55 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/14 16:18:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/13 12:32:30 | 000,000,353 | RHS- | M] () -- C:\boot.ini
[2010/09/12 11:01:16 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/09/12 11:01:00 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Tina DaBella\NTUSER.DAT
[2010/09/12 11:01:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Tina DaBella\ntuser.ini
[2010/09/12 11:00:57 | 005,053,544 | -H-- | M] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\IconCache.db
[2010/09/12 08:45:33 | 000,271,638 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/09/12 08:45:28 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/09/12 08:45:01 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C9E9931F-F833-425B-B8F8-CCD122295382}.job
[2010/09/12 08:44:13 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/12 08:44:11 | 000,013,734 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/12 08:44:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/11 12:12:17 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/09/11 12:01:00 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1078081533-682003330-1004UA.job
[2010/09/11 09:43:50 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/10 18:00:08 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/10 17:58:37 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TRANSfER CLIENT LTR - Lori Webers bkg Mertson.doc
[2010/09/10 17:50:52 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TRANSfER CLIENT LTR - Lori Webers bkg Shepard.doc
[2010/09/10 17:00:03 | 000,000,404 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2010/09/10 10:49:55 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2010/09/10 10:49:55 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2010/09/10 10:49:55 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2010/09/10 10:49:54 | 000,956,416 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\198821728.exe
[2010/09/10 10:49:42 | 000,942,080 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\0866785025.exe
[2010/09/09 19:01:00 | 000,000,954 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1078081533-682003330-1004Core.job
[2010/09/09 16:02:05 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\Desktop\Google Chrome.lnk
[2010/09/09 15:21:25 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\BIO for website.doc
[2010/09/09 11:54:52 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\CLIENT - DiGiacomo PCL Corporate.doc
[2010/09/09 10:50:21 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - Letterhead.doc
[2010/09/08 16:37:42 | 000,184,173 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\Supplier Logins for CATE PATELUNAS.wks
[2010/09/08 14:50:35 | 000,184,319 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\Supplier Logins for MELINDA EATON.wks
[2010/09/08 14:45:01 | 000,182,362 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\Supplier Logins BLANK for IC.wks
[2010/09/08 14:44:30 | 000,183,656 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\Supplier Logins for LORI WEBER LEWIS.wks
[2010/09/08 14:38:54 | 000,185,256 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\Supplier Logins 1.wks
[2010/09/04 15:55:46 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - CONTRACT for Group Leader.doc
[2010/09/04 12:33:18 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - FEE Structure.doc
[2010/09/04 12:15:53 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\ADVISEMENTS - PROPER DOCUMENTAION.doc
[2010/09/04 12:03:07 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\ADVISEMENTS - AFFIDAVIT OF PARENTAL CONSENT.doc
[2010/09/04 11:48:31 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\CUSTOMER CONTRACT.doc
[2010/09/04 11:41:07 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\CUSTOMER CONTRACT FOR AIR - CAR.doc
[2010/09/03 15:26:53 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP FLYER - TC groupsdoc.doc
[2010/09/03 11:13:18 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - 2010 Candidates Profile.doc
[2010/09/03 10:20:14 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\GAIL arrest 2.doc
[2010/09/02 18:01:11 | 000,047,104 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\CLIENT - Rowell Air contract.doc
[2010/09/02 17:28:14 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\CUSTOMER CONTRACT FOR AIR ONLY.doc
[2010/09/02 17:24:30 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\ADVISEMENTS - Air Reconfirmation.doc
[2010/09/02 17:22:50 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\ADVISEMENTS - 311 CC Reconfirm for email.doc
[2010/09/02 13:38:52 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - Office numbers.doc
[2010/09/02 12:42:23 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\CRUISE TIPS.doc
[2010/09/02 09:47:43 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\~$LITICAL - AFRTC reading of constitution2.doc
[2010/09/01 17:10:32 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - CONTRACT for Customer Referral.doc
[2010/09/01 15:28:13 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\Cruise sale verbage for postcards.doc
[2010/09/01 12:12:01 | 000,102,912 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - AFRTC reading of constitution2.doc
[2010/08/28 13:52:18 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\AIRLINE - CO carryon bags.doc
[2010/08/27 11:07:31 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - New agency setup LTR.doc
[2010/08/25 12:00:44 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\CLIENT LTR - Richardson transfer of bkg.doc
[2010/08/25 09:31:21 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - AFRTC Board Member Phone #s.doc
[2010/08/25 09:15:52 | 000,102,400 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - AFRTC reading of constitution.doc
[2010/08/23 12:42:43 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\DRIVER LIST Aug 2010.doc
[2010/08/20 12:02:59 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - 2011 NCL BDA GRP SPECS 5Jun.doc
[2010/08/20 11:59:19 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - 2011 NCL NAS GRP SPECS 23Apr.doc
[2010/08/19 17:43:04 | 000,037,376 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - Bus Rally flyer for meeting.doc
[2010/08/19 15:33:27 | 000,071,680 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - 2011 NCL NAS Group CONTRACT 23Apr.doc
[2010/08/19 13:24:21 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - PIC NCL BDA 2011.doc
[2010/08/18 17:58:31 | 000,064,000 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - 2011 NCL BDA Group CONTRACT 5JUN.doc
[2010/08/16 17:08:50 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - Office Procedures.doc
[2010/08/16 16:20:19 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - LEAD SHEET.doc
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\Tina DaBella\My Documents\*.tmp files -> C:\Documents and Settings\Tina DaBella\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/13 12:32:30 | 000,000,353 | RHS- | C] () -- C:\boot.ini
[2010/09/10 17:58:37 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\TRANSfER CLIENT LTR - Lori Webers bkg Mertson.doc
[2010/09/10 17:50:51 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\TRANSfER CLIENT LTR - Lori Webers bkg Shepard.doc
[2010/09/10 10:49:54 | 000,956,416 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\198821728.exe
[2010/09/10 10:49:42 | 000,942,080 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\0866785025.exe
[2010/09/09 11:49:46 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\CLIENT - DiGiacomo PCL Corporate.doc
[2010/09/04 15:55:46 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - CONTRACT for Group Leader.doc
[2010/09/03 18:37:55 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\ADVISEMENTS - PROPER DOCUMENTAION.doc
[2010/09/03 11:13:18 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - 2010 Candidates Profile.doc
[2010/09/02 18:32:25 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\GAIL arrest 2.doc
[2010/09/02 18:00:25 | 000,047,104 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\CLIENT - Rowell Air contract.doc
[2010/09/02 17:24:30 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\ADVISEMENTS - Air Reconfirmation.doc
[2010/09/02 17:22:49 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\ADVISEMENTS - 311 CC Reconfirm for email.doc
[2010/09/02 09:47:43 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\~$LITICAL - AFRTC reading of constitution2.doc
[2010/09/01 15:28:13 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\Cruise sale verbage for postcards.doc
[2010/09/01 12:12:01 | 000,102,912 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - AFRTC reading of constitution2.doc
[2010/08/28 13:52:17 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\AIRLINE - CO carryon bags.doc
[2010/08/25 12:00:44 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\CLIENT LTR - Richardson transfer of bkg.doc
[2010/08/25 09:31:21 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - AFRTC Board Member Phone #s.doc
[2010/08/25 09:15:51 | 000,102,400 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - AFRTC reading of constitution.doc
[2010/08/20 11:59:19 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - 2011 NCL NAS GRP SPECS 23Apr.doc
[2010/08/19 17:43:03 | 000,037,376 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\POLITICS - Bus Rally flyer for meeting.doc
[2010/08/19 15:33:26 | 000,071,680 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - 2011 NCL NAS Group CONTRACT 23Apr.doc
[2010/08/19 14:39:07 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP FLYER - TC groupsdoc.doc
[2010/08/19 13:24:21 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\GROUP CRUISE - PIC NCL BDA 2011.doc
[2010/08/16 16:30:14 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - Office Procedures.doc
[2010/08/16 16:19:22 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - LEAD SHEET.doc
[2010/08/16 14:29:24 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\My Documents\TC - CONTRACT for Customer Referral.doc
[2010/05/24 13:11:23 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010/05/24 13:10:11 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/24 13:10:10 | 000,069,632 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2010/05/24 13:10:09 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/05/21 09:35:25 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2009/10/12 10:28:23 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\.javafx_ping_sent
[2009/06/12 13:56:56 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2009/05/27 09:40:36 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Application Data\setup_ldm.iss
[2009/04/27 14:47:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2009/04/01 09:26:25 | 000,072,080 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\g2mdlhlpx.exe
[2009/03/27 09:42:41 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\A_PSchedule.txt
[2009/03/26 17:44:24 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\MSVolume.dll
[2009/03/16 10:33:59 | 000,755,272 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\ProductContext7300.log
[2009/03/16 10:21:40 | 000,000,157 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2009/03/11 10:51:59 | 000,000,475 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2009/02/11 14:44:40 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Supplier logins.wdb
[2009/02/09 14:35:17 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/09 12:39:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\AutoRun.INI
[2009/02/07 17:54:55 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\fusioncache.dat
[2009/02/07 16:47:27 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2009/02/03 09:46:52 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\Tina DaBella\ntuser.dat.LOG
[2009/02/03 09:46:52 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Tina DaBella\ntuser.ini
[2009/02/03 09:46:51 | 004,718,592 | -H-- | C] () -- C:\Documents and Settings\Tina DaBella\NTUSER.DAT
[2009/02/03 09:46:13 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2009/02/03 09:46:13 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2009/02/03 09:46:13 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2009/02/03 09:45:26 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2009/02/03 09:45:26 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2009/02/03 09:45:26 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2009/02/02 22:29:32 | 000,057,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\redbook.sys
[2008/08/01 15:48:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/04/14 08:00:00 | 000,076,288 | ---- | C] () -- C:\WINDOWS\hpreclsp.dll
[2008/02/04 19:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/07/12 15:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2004/03/23 17:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/05/24 13:13:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\agi
[2010/05/24 13:18:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2009/12/02 13:07:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2010/02/08 12:42:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\AGI
[2009/03/04 19:29:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/09/10 10:48:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\D79E7BE99A6B1AC96034878052C3100F
[2010/09/12 08:46:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\Dropbox
[2009/02/17 12:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\GetRightToGo
[2009/02/17 11:59:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\OfficeUpdate12
[2009/02/17 11:26:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\OpenOffice.org
[2009/06/23 13:59:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\Rucicy
[2009/07/29 17:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\SiteRanker
[2009/09/17 18:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\Uniblue
[2010/08/02 09:50:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\WebEx
[2010/01/07 11:56:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\Windows Desktop Search
[2010/02/05 11:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\Windows Search
[2009/03/28 07:30:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tina DaBella\Application Data\Yrtouk
[2010/09/10 17:00:03 | 000,000,404 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job
[2010/05/06 03:00:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job
[2010/09/12 08:45:01 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{C9E9931F-F833-425B-B8F8-CCD122295382}.job

========== Purity Check ==========


< End of report >

luv2tvl


Re: trojan.generic and trojan.obfuscated.gx problem

Post by Sneakyone on Thu 16 Sep 2010, 3:35 pm

Hi.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    SRV - File not found [Auto] -- C:\WINDOWS\System32\6to4v32.dll -- (6to4)
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
    IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
    IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
    O4 - HKLM..\Run: [MBkLogonHook] File not found
    O4 - HKLM..\Run: [mfhikxkt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe (Security Suites Corporation)
    O4 - HKU\.DEFAULT..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
    O4 - HKU\.DEFAULT..\Run: [Ktohanamisu] C:\WINDOWS\mapin320.DLL (trbarry@trbarry.com)
    O4 - HKU\.DEFAULT..\Run: [mfhikxkt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe (Security Suites Corporation)
    O4 - HKU\Tina_DaBella_ON_C..\Run: [qkwayawg] C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\dnnncxapi\xiosrwbtssd.exe File not found
    [2010/09/11 09:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama
    [2010/09/11 09:44:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk
    [2010/09/10 10:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\bcevrfiot
    [2010/09/10 10:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\kcxwrmhvq
    [2010/09/10 10:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Application Data\D79E7BE99A6B1AC96034878052C3100F
    [2010/09/10 10:49:54 | 000,956,416 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\198821728.exe
    [2010/09/10 10:49:42 | 000,942,080 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\0866785025.exe

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=============

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
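Reading an OTL log by eye, as the replies in this thread do, comes down to a few recurring checks: Run values that point into a user profile (or, worse, into the NetworkService profile), Run values whose target is gone, an IE proxy pointed at 127.0.0.1, a static NameServer that differs from the DHCP-supplied one, and freshly created folders with random-looking names. The script below is an added example, not code from this thread or from OTL, that automates that first pass over the scan output posted above and the entries listed in the fix script in this post. The heuristics, the thresholds and the looks_random test are my own assumptions; the sample lines are copied from the log and fix script on this page, plus one constructed benign Run entry (Adobe Reader) as a control that must not be flagged.

```python
import re
from dataclasses import dataclass

# Added example, not part of this thread or of OTL: a first-pass triage of OTL log
# lines. Heuristics and thresholds are my own assumptions; a hit is a question, not a verdict.
SERVICE_PROFILES = ("\\NetworkService\\", "\\LocalService\\")
PROFILE_DATA_DIRS = ("\\Local Settings\\Application Data\\", "\\Application Data\\")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKU\\[^\\]+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|bat|cmd|com))(?=\s|$)", re.I)
IE_RE = re.compile(r'^IE - (?P<hive>HKLM|HKU\\[^\\]+)\\Software\\.*?Internet Settings: "(?P<key>\w+)" =\s*(?P<val>.*)$')
O17_RE = re.compile(r"^O17 - .*?Tcpip\\Parameters: (?P<key>DhcpNameServer|NameServer) = (?P<val>.*)$")
DIR_RE = re.compile(r"^\[[^\]]*\| [RHS-]{3}D \| [CM]\] -- (?P<path>.+)$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

@dataclass
class Finding:
    kind: str     # "autostart", "proxy", "dns" or "folder"
    subject: str  # the value, hive or path the finding is about
    reason: str

def looks_random(name):
    """Assumed test for machine-generated names: 32 hex digits, or a word of 6+ letters
    with under 25% vowels or a 5+ consonant run. Misses some (e.g. 'bcevrfiot'): a hint only."""
    if HEX32_RE.match(name):
        return True
    for token in re.findall(r"[a-z]+", name.lower()):
        if len(token) < 6:
            continue
        vowels = sum(c in "aeiou" for c in token)
        longest = max((len(r) for r in re.findall(r"[^aeiou]+", token)), default=0)
        if vowels / len(token) < 0.25 or longest >= 5:
            return True
    return False

def check_autostart(hive, name, rest):
    """Score one O4 Run entry; returns a Finding or None."""
    m = PATH_RE.search(rest)
    path = m["path"] if m else ""
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if "File not found" in rest:
        reasons.append("target file missing (orphaned autostart)")
    if hive == "HKU\\.DEFAULT":
        reasons.append("registered in the .DEFAULT hive, which installers rarely touch")
    if base.lower().endswith(".dll"):
        reasons.append("target is a DLL, not an executable command line")
    if any(p in path for p in SERVICE_PROFILES):
        reasons.append("runs from a service-account profile")
    elif any(d in path for d in PROFILE_DATA_DIRS):
        reasons.append("runs from a user-writable profile folder")
    if looks_random(name) or looks_random(base.rsplit(".", 1)[0]):
        reasons.append("random-looking value or file name")
    return Finding("autostart", f"{hive} [{name}] {path or '(no path)'}", "; ".join(reasons)) if reasons else None

def triage(lines):
    """Run every heuristic over OTL log lines and return the Findings."""
    findings, proxy, dns = [], {}, {}
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            if f := check_autostart(m["hive"], m["name"], m["rest"]):
                findings.append(f)
        elif m := IE_RE.match(line):
            proxy.setdefault(m["hive"], {})[m["key"]] = m["val"]
        elif m := O17_RE.match(line):
            dns[m["key"]] = set(re.split(r"[\s,]+", m["val"].strip()))
        elif m := DIR_RE.match(line):
            path = m["path"]
            if any(p in path for p in SERVICE_PROFILES) and any(d in path for d in PROFILE_DATA_DIRS):
                findings.append(Finding("folder", path, "profile data folder created for a service account"))
            elif looks_random(path.rsplit("\\", 1)[-1]):
                findings.append(Finding("folder", path, "random-looking folder name"))
    for hive, s in proxy.items():  # loopback proxy: a local process sees all of IE's traffic
        host = s.get("ProxyServer", "").rsplit("=", 1)[-1].split(":")[0]
        if s.get("ProxyEnable") == "1" and host in ("127.0.0.1", "localhost"):
            findings.append(Finding("proxy", hive, f"IE proxied through loopback {s['ProxyServer']}"))
    static, dhcp = dns.get("NameServer"), dns.get("DhcpNameServer")
    if static and dhcp and not static <= dhcp:  # hand-set DNS is not always malicious: ask
        findings.append(Finding("dns", ", ".join(sorted(static)), "static DNS servers differ from the DHCP-supplied ones"))
    return findings

# Sample input: lines copied from the OTL log and fix script in this thread, plus one
# constructed benign control (the Adobe Reader Run entry) that must not be flagged.
SAMPLE = r"""
O4 - HKLM..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
O4 - HKLM..\Run: [MBkLogonHook] File not found
O4 - HKU\.DEFAULT..\Run: [Ktohanamisu] C:\WINDOWS\mapin320.DLL (trbarry@trbarry.com)
O4 - HKU\Tina_DaBella_ON_C..\Run: [qkwayawg] C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\dnnncxapi\xiosrwbtssd.exe File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.92.226.11 24.92.226.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.127,93.188.161.217
[2010/09/11 09:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama
[2010/09/10 10:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\kcxwrmhvq
[2010/09/10 10:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Application Data\D79E7BE99A6B1AC96034878052C3100F
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.kind:9} {f.subject}\n          {f.reason}")
```

Run as-is, the hits line up with what the fix script in this post lists: the O4 entries, the random-named folders and the loopback proxy, while the Adobe Reader control stays quiet. The DNS mismatch fires too, even though the fix script leaves O17 alone; that is a question to put to the machine's owner (did anyone set those servers by hand?), not something a script should decide. Note also that bcevrfiot slips past the name heuristic; for that folder the better tie-in is the log's timestamps, since it was created within the same minute as the two numeric-named .exe files under Local Settings\Application Data.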

Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Thu 16 Sep 2010, 10:28 pm

It seems to be hanging on

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =


that command?? Should there be a value there??

luv2tvl


Re: trojan.generic and trojan.obfuscated.gx problem

Post by Sneakyone on Fri 17 Sep 2010, 7:28 am

Hi.

Try this one:

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    SRV - File not found [Auto] -- C:\WINDOWS\System32\6to4v32.dll -- (6to4)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
    O4 - HKLM..\Run: [MBkLogonHook] File not found
    O4 - HKLM..\Run: [mfhikxkt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe (Security Suites Corporation)
    O4 - HKU\.DEFAULT..\Run: [andfjnbd] C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe (Security Suites Corporation)
    O4 - HKU\.DEFAULT..\Run: [Ktohanamisu] C:\WINDOWS\mapin320.DLL (trbarry@trbarry.com)
    O4 - HKU\.DEFAULT..\Run: [mfhikxkt] C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe (Security Suites Corporation)
    O4 - HKU\Tina_DaBella_ON_C..\Run: [qkwayawg] C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\dnnncxapi\xiosrwbtssd.exe File not found
    [2010/09/11 09:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama
    [2010/09/11 09:44:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk
    [2010/09/10 10:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\bcevrfiot
    [2010/09/10 10:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\kcxwrmhvq
    [2010/09/10 10:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tina DaBella\Application Data\D79E7BE99A6B1AC96034878052C3100F
    [2010/09/10 10:49:54 | 000,956,416 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\198821728.exe
    [2010/09/10 10:49:42 | 000,942,080 | ---- | C] () -- C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\0866785025.exe

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Sneakyone


Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Fri 17 Sep 2010, 9:29 am

========== OTL ==========
Service\Driver key 6to4 not found.
File C:\WINDOWS\System32\6to4v32.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\andfjnbd not found.
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MBkLogonHook not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\mfhikxkt not found.
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\andfjnbd not found.
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\mfwoolnuqiw.exe not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Ktohanamisu not found.
File C:\WINDOWS\mapin320.DLL not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\mfhikxkt not found.
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\mentnuuuqiw.exe not found.
Registry value HKEY_USERS\Tina_DaBella_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\qkwayawg not found.
Folder C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\ not found.
Folder C:\Documents and Settings\NetworkService\Local Settings\Application Data\yvamoxnlk\ not found.
Folder C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\bcevrfiot\ not found.
Folder C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\kcxwrmhvq\ not found.
Folder C:\Documents and Settings\Tina DaBella\Application Data\D79E7BE99A6B1AC96034878052C3100F\ not found.
File C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\198821728.exe not found.
File C:\Documents and Settings\Tina DaBella\Local Settings\Application Data\0866785025.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Tina DaBella
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

Total Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTLPE by OldTimer - Version 3.1.41.0 log created on 09172010_012703

luv2tvl
Newbie Surfer
Posts : 10
Joined : 2010-09-12
Operating System : microsoft windows xp home version 2002
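An added example, not code from the thread or from OTL's author: a small Python parser for the fix-log format posted above. It classifies each result line so a helper can confirm that every targeted item was either already gone ("not found") or removed, and flags anything else for manual review. The sample log is constructed from lines of that post; the "deleted successfully" wording and the walrus-style parsing are assumptions beyond what is visible above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the OTL fix log posted above (paths copied from it).
SAMPLE_LOG = r"""========== OTL ==========
Service\Driver key 6to4 not found.
File C:\WINDOWS\System32\6to4v32.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\andfjnbd not found.
Folder C:\Documents and Settings\NetworkService\Local Settings\Application Data\rjllpyama\ not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")
# "<item type> <target> not found.": the item was already gone when the fix ran.
NOT_FOUND_RE = re.compile(
    r"^(Service\\Driver key|Registry key|Registry value|File|Folder) (.+) not found\.$")
# "<target> moved successfully." as seen above; the "deleted" wording is an assumption.
DONE_RE = re.compile(
    r"^(?:(Registry key|Registry value|File|Folder) )?(.+?) (moved|deleted) successfully\.$")

def parse_fix_log(text):
    """One dict per non-blank line: section, kind, target, status. Lines matching
    neither pattern get status "unrecognized" so they are never counted as success."""
    entries, section = [], None
    for line in (s.strip() for s in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := NOT_FOUND_RE.match(line):
            entries.append({"section": section, "kind": m.group(1),
                            "target": m.group(2), "status": "not_found"})
        elif m := DONE_RE.match(line):
            entries.append({"section": section, "kind": m.group(1) or "Path",
                            "target": m.group(2), "status": m.group(3)})
        else:
            entries.append({"section": section, "kind": None,
                            "target": line, "status": "unrecognized"})
    return entries

def status_counts(entries, section="OTL"):
    """Tally outcomes for one section (default: the fix-list section)."""
    return Counter(e["status"] for e in entries if e["section"] == section)

def needs_review(entries):
    """Targets in the fix-list section that are neither confirmed gone nor confirmed removed."""
    return [e["target"] for e in entries if e["section"] == "OTL" and e["status"] == "unrecognized"]
```

For the log above every fix-list item reports "not found" (the earlier MBAM and OTL passes had already removed them), so `needs_review` returns an empty list; a line such as a failed move would show up there instead.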

Re: trojan.generic and trojan.obfuscated.gx problem

Post by Sneakyone on Fri 17 Sep 2010, 9:41 am

Hi.

Can you boot into Windows normally now?

Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Fri 17 Sep 2010, 9:42 am

No.

But there is a file that was put on the desktop:

h2rf1.tmp

luv2tvl
Newbie Surfer
Posts : 10
Joined : 2010-09-12
Operating System : microsoft windows xp home version 2002

Re: trojan.generic and trojan.obfuscated.gx problem

Post by luv2tvl on Sun 19 Sep 2010, 2:21 am

Malwarebytes' Anti-Malware 1.46

Database version: 4645

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

9/18/2010 11:21:23 AM
mbam-log-2010-09-18 (11-21-23).txt

Scan type: Quick scan
Objects scanned: 162794
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\hpreclsp.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

luv2tvl
Newbie Surfer
Posts : 10
Joined : 2010-09-12
Operating System : microsoft windows xp home version 2002

Re: trojan.generic and trojan.obfuscated.gx problem

Post by Sneakyone on Sun 19 Sep 2010, 5:26 am

Hi.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
