Trojan.Agent, Hijack.Shell, & Hijack.SearchPage


Post by Agustina on Sun 10 Oct 2010, 2:30 pm

Hello! After McAfee performed some updates this morning, my dad's computer stopped connecting to the internet properly under his user account. Firefox said the proxy settings weren't allowing a connection, yet certain webpages, such as Bank of America and Gmail, did open up. The internet worked fine under the Guest user account. Also, McAfee refused to turn on Real Scanning and kept saying the computer was at risk. We uninstalled and reinstalled McAfee and this seemed to solve that problem (McAfee seems to be running properly now). We uninstalled and reinstalled Firefox as well.

After researching and fiddling all day with the proxy settings, we managed to get the internet working again under his user account. However, I also ran Malwarebytes on his computer and it found 2 Trojan.Agent things, 1 hijack.shell, and 1 hijack.SearchPage thing, which were then quarantined and removed. This is my reason for posting. I want to make sure that whatever was harming the computer is really gone. I updated his computer's Java, Adobe Reader, and performed all the necessary Windows updates. I have posted the OTL log below.

Thank you for your time and any help you can provide!

P.S.: I changed the computer's name in the OTL log so I'd be allowed to post this here. I hope that doesn't change anything.

---------------------------------------------

OTL logfile created on: 10/9/2010 10:42:39 PM - Run 2
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Wilfredo\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.00 Mb Total Physical Memory | 165.00 Mb Available Physical Memory | 34.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.00 Gb Total Space | 11.01 Gb Free Space | 15.51% Space Free | Partition Type: NTFS
Drive D: | 3.52 Gb Total Space | 1.06 Gb Free Space | 30.16% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GATEWAY
Current User Name: Wilfredo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/10/09 21:53:32 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.com
PRC - [2010/09/10 21:59:12 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/08/24 14:57:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2010/08/24 14:57:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2008/09/14 21:40:04 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/09 10:19:14 | 000,204,800 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
PRC - [2004/05/26 20:57:24 | 000,139,264 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\shwicon2k.exe
PRC - [2004/03/26 15:20:28 | 000,098,304 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


========== Modules (SafeList) ==========

MOD - [2010/10/09 21:53:32 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.com
MOD - [2010/07/14 13:30:14 | 000,018,688 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2004/03/26 15:20:22 | 000,066,048 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/01 15:52:56 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
SRV - [2010/08/24 14:57:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/08/24 14:57:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/04/15 09:45:10 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/09/14 21:40:04 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)


========== Driver Services (SafeList) ==========

DRV - [2010/08/24 14:57:38 | 000,386,712 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/08/24 14:57:38 | 000,312,904 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/08/24 14:57:38 | 000,152,992 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/08/24 14:57:38 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/08/24 14:57:38 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/08/24 14:57:38 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/08/24 14:57:38 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/08/24 14:57:38 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/08/24 14:57:38 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/08/24 14:57:38 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/04/13 20:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/09/20 17:10:43 | 000,018,816 | ---- | M] (RIF) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dvd43llh.sys -- (dvd43llh)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/07 19:16:45 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2008/04/07 19:16:45 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/02/11 22:46:00 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/08/04 01:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/24 13:16:44 | 000,029,856 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EMCfilt.sys -- (EMCFILT)
DRV - [2004/03/26 15:15:40 | 000,180,000 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2003/09/26 08:26:54 | 000,272,128 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camchal.sys -- (CAMCHALA)
DRV - [2003/09/26 08:25:06 | 000,291,712 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camcaud.sys -- (CAMCAUD)
DRV - [2003/06/30 11:11:52 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/05/01 06:42:08 | 000,030,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\strmdisp.sys -- (StreamDispatcher)
DRV - [2003/05/01 06:40:56 | 000,165,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2003/05/01 06:38:56 | 000,622,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/05/01 06:37:46 | 001,107,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/18 01:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 01:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 01:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 01:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 01:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 00:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 00:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 00:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 00:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 00:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 00:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 00:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 00:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 00:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 00:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 16:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Local Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Local Page Restore = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {ca0849e8-2c76-42ae-9abe-34e14d337acf}:1.93
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.3.1
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: {d84a846d-f7cb-4187-a408-b171020e8940}:1.2.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:3.76
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.6.1
FF - prefs.js..extensions.enabledItems: radiobar@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2
FF - prefs.js..extensions.enabledItems: 5
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {340c2bbc-ce74-4362-90b5-7c26312808ef}:1.5
FF - prefs.js..extensions.enabledItems: {0b457cAA-602d-484a-8fe7-c1d894a011ba}:0.85
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.3.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76
FF - prefs.js..extensions.enabledItems: {285da7e0-729d-11db-9fe1-0800200c9a66}:2.20091201
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\firefox\
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/10/09 21:41:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/09 20:20:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/09 20:58:32 | 000,000,000 | ---D | M]

[2010/03/25 14:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Extensions
[2010/03/25 14:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/10/09 21:49:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions
[2010/09/26 14:57:29 | 000,000,000 | ---D | M] (FireShot) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2009/12/31 13:21:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/09/26 14:57:35 | 000,000,000 | ---D | M] (RSS Ticker) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}
[2010/04/29 18:23:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/12 10:07:53 | 000,000,000 | ---D | M] (Tinseltown) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}
[2010/10/06 19:08:58 | 000,000,000 | ---D | M] (Firefox Sync) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
[2010/07/05 17:27:40 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/09/26 14:57:42 | 000,000,000 | ---D | M] (Personas Rotator) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{6e73f6b7-b9ab-44b8-b744-6393e3c2e351}
[2010/10/09 20:43:34 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/02/25 20:39:52 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/01/19 22:10:23 | 000,000,000 | ---D | M] (MushroomKingdom) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{BF32D2C8-9C75-404b-ACF4-880DB4679236}
[2010/08/15 16:34:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{ca0849e8-2c76-42ae-9abe-34e14d337acf}
[2008/10/12 14:18:28 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2010/08/18 19:19:03 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/03 20:50:16 | 000,000,000 | ---D | M] (Navigational Sounds) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{d84a846d-f7cb-4187-a408-b171020e8940}
[2010/10/02 09:21:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\es-es@dictionaries.addons.mozilla.org
[2010/03/06 17:16:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\firefox@tvunetworks.com
[2010/09/26 14:57:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\foxyproxy@eric.h.jung
[2010/09/22 19:18:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\info@priceblink.com
[2009/03/08 01:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\moveplayer@movenetworks.com
[2010/02/25 20:39:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\noia2_option@kk.noia
[2010/09/12 15:58:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\personas@christopher.beard
[2010/03/07 18:25:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\radiobar@toolbar
[2009/12/12 10:08:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}\chrome\mozapps\extensions
[2009/12/12 10:08:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}\chrome\mozapps\extensions\CVS
[2008/08/17 18:27:18 | 000,001,622 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\searchplugins\ask.xml
[2009/05/27 19:21:17 | 000,009,941 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\searchplugins\mywebsearch.xml
[2010/10/09 21:49:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/09 20:58:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/08/24 14:57:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/10/09 20:57:52 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/10/09 17:09:28 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2004/08/04 15:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20101009193807.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (The Weather Channel Toolbar) - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll ()
O3 - HKLM\..\Toolbar: (FireShot) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin-0.85.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PVR Agent] C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/23 14:13:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 11:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{14ce674e-bf0f-11dd-ba60-0003252284d6}\Shell - "" = AutoRun
O33 - MountPoints2\{14ce674e-bf0f-11dd-ba60-0003252284d6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{14ce674e-bf0f-11dd-ba60-0003252284d6}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: mcmscsvc - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SafeBootNet: McMPFSvc - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SafeBootNet: mcmscsvc - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: mfefire - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SafeBootNet: mfefirek - C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
SafeBootNet: mfefirek.sys - C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
SafeBootNet: mfehidk - C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
SafeBootNet: mfehidk.sys - C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
SafeBootNet: mfevtp - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SafeBootNet: MpfService - Service

Agustina


Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Sun 10 Oct 2010, 2:31 pm


ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/09 21:10:33 | 000,576,512 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.com
[2010/10/09 20:58:32 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/10/09 20:58:32 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/09 20:58:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/09 20:58:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/10/09 20:58:32 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/10/09 20:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Local Settings\Application Data\Help
[2010/10/09 20:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\Help
[2010/10/09 19:44:46 | 000,000,000 | ---D | C] -- C:\Program Files\McAfeeMOBK
[2010/10/09 19:43:43 | 000,054,776 | ---- | C] (Mozy, Inc.) -- C:\WINDOWS\System32\drivers\MOBK.sys
[2010/10/09 19:42:55 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Online Backup
[2010/10/09 19:38:04 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/10/09 19:37:25 | 000,084,072 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/10/09 19:37:24 | 000,088,544 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/10/09 19:37:24 | 000,084,264 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/10/09 19:37:23 | 000,312,904 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/10/09 19:37:23 | 000,052,104 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/10/09 19:37:22 | 000,152,992 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/10/09 19:37:21 | 000,055,840 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/10/09 19:36:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
[2010/10/09 19:36:38 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/10/09 19:05:32 | 000,141,792 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2010/10/09 14:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\MSNInstaller
[2010/10/09 13:53:29 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2010/10/03 14:08:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Desktop\ToDoOutlookSync
[2010/10/03 12:47:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Desktop\Macy's American Express
[2010/10/02 15:52:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/10/02 15:34:12 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/10/02 15:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\My Documents\4Easysoft Studio
[2010/10/02 15:23:02 | 000,000,000 | ---D | C] -- C:\Program Files\4Easysoft Studio
[2010/10/02 15:16:53 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/09/26 15:09:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\FireShot
[2010/09/19 18:57:50 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010/09/19 18:57:50 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2010/09/12 20:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\FixCleaner
[2010/09/12 19:59:18 | 000,000,000 | ---D | C] -- C:\Program Files\FixCleaner
[2010/09/12 19:57:51 | 000,000,000 | ---D | C] -- C:\Program Files\Downloaded Installers
[2010/09/12 19:42:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Wilfredo\IECompatCache
[2010/09/12 19:25:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Local Settings\Application Data\Blockbuster
[2010/09/12 18:01:12 | 001,821,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vcredist_x86.exe
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/09 22:28:01 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/10/09 21:53:32 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.com
[2010/10/09 21:41:57 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/09 21:41:56 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2326568991-238852156-3936288368-1007.job
[2010/10/09 21:41:53 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/10/09 21:41:46 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/10/09 21:41:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/10/09 21:41:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/09 21:41:27 | 502,714,368 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/09 21:39:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Wilfredo\ntuser.ini
[2010/10/09 21:38:59 | 004,354,048 | ---- | M] () -- C:\Documents and Settings\Wilfredo\ntuser.dat
[2010/10/09 21:36:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/09 21:27:50 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/09 20:57:51 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/10/09 20:57:51 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/09 20:57:51 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/09 20:57:51 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/10/09 20:57:51 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/10/09 20:28:43 | 000,000,803 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/10/09 20:20:17 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/09 20:20:17 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/09 20:08:03 | 000,057,091 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\bookmarks-2010-10-09.json
[2010/10/09 17:14:48 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/09 17:00:07 | 000,000,404 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\Shortcut to SearsPayment2010.lnk
[2010/10/09 13:21:24 | 000,012,771 | ---- | M] () -- C:\WINDOWS\System32\4Easysoft iPhone 4G Manager.seed
[2010/10/09 10:34:36 | 000,501,514 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/10/09 10:34:36 | 000,441,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/09 10:34:36 | 000,071,258 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/06 21:44:14 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/04 18:05:55 | 000,000,102 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\AOL Radio.URL
[2010/10/03 14:04:41 | 010,156,885 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\ToDoOutlookSync.zip
[2010/10/03 03:30:00 | 000,000,400 | ---- | M] () -- C:\WINDOWS\tasks\RegFixPro Scheduled Scan.job
[2010/09/18 17:33:48 | 000,001,709 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\NetflixOrderFinal.htm
[2010/09/12 18:00:26 | 000,230,176 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\BLOCKBUSTERMovielinkInstall.exe
[2010/09/11 22:24:27 | 000,002,213 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\iPhone Configuration Utility.lnk
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/09 20:20:17 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/09 20:20:17 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/09 20:08:02 | 000,057,091 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\bookmarks-2010-10-09.json
[2010/10/09 19:45:36 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/10/09 17:14:48 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/09 17:00:07 | 000,000,404 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\Shortcut to SearsPayment2010.lnk
[2010/10/06 19:26:29 | 004,354,048 | ---- | C] () -- C:\Documents and Settings\Wilfredo\ntuser.dat
[2010/10/04 18:05:55 | 000,000,102 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\AOL Radio.URL
[2010/10/03 14:02:44 | 010,156,885 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\ToDoOutlookSync.zip
[2010/10/02 15:45:20 | 000,012,771 | ---- | C] () -- C:\WINDOWS\System32\4Easysoft iPhone 4G Manager.seed
[2010/09/18 17:33:43 | 000,001,709 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\NetflixOrderFinal.htm
[2010/09/12 18:00:24 | 000,230,176 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\BLOCKBUSTERMovielinkInstall.exe
[2010/09/06 11:52:39 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarIe7.dll
[2010/09/06 11:52:39 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarBho.dll
[2010/08/29 19:22:15 | 000,162,504 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/07/05 14:33:48 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/02/09 22:13:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/12/13 20:36:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Application Data\wklnhst.dat
[2008/10/15 18:49:03 | 000,000,105 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2008/10/15 18:49:02 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2008/10/15 18:48:50 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2008/10/15 18:47:46 | 000,000,074 | ---- | C] () -- C:\WINDOWS\PMINI.ini
[2008/09/28 15:07:54 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/20 21:02:39 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Local Settings\Application Data\fusioncache.dat
[2008/09/14 21:40:16 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2008/09/14 18:28:18 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/03/27 03:10:58 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/03/23 12:53:24 | 000,001,204 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/03/23 12:53:24 | 000,000,455 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2002/05/15 11:13:20 | 000,081,920 | R--- | C] () -- C:\WINDOWS\System32\SipCal.dll
[1999/09/17 19:12:54 | 000,044,344 | ---- | C] () -- C:\WINDOWS\System32\Seqcal.sys

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 20:11:52 | 000,357,888 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2008/04/13 20:11:52 | 000,205,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/03/23 06:02:03 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/03/23 06:02:03 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/03/23 06:02:03 | 000,851,968 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 15:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 15:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2004/08/04 15:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 15:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 15:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/08/04 15:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 15:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 15:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 15:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 15:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 15:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 15:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 15:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 15:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 15:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[1999/09/17 19:12:54 | 000,044,344 | ---- | M] () -- C:\WINDOWS\system32\Seqcal.sys
[2008/04/13 14:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/06/23 09:44:04 | 001,851,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[9 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 20:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 20:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 20:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 20:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 20:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 20:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 20:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 20:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 20:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 20:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 20:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 20:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 20:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 20:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 20:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2005/03/23 14:13:17 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/01/13 21:01:00 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2005/03/23 14:13:17 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 08:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 08:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2007/11/07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2010/10/09 21:41:27 | 502,714,368 | -HS- | M] () -- C:\hiberfil.sys
[2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[2007/11/07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2005/03/23 14:13:17 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/09/14 21:32:34 | 000,000,858 | -H-- | M] () -- C:\IPH.PH
[2010/10/09 21:01:01 | 000,008,195 | ---- | M] () -- C:\JavaRa.log
[2010/05/10 21:13:20 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2009/08/09 11:29:59 | 000,002,303 | ---- | M] () -- C:\mpw_paymentaugust_confirm_thankyou093.asp
[2009/08/09 11:25:12 | 000,002,303 | ---- | M] () -- C:\mpw_payment_confirm_thankyou093.asp.htm
[2005/03/23 14:13:17 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/09/14 21:41:34 | 000,000,160 | ---- | M] () -- C:\napster.log
[2004/08/04 15:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/09/17 18:33:33 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/09 21:41:25 | 1048,576,000 | -HS- | M] () -- C:\pagefile.sys
[2008/09/14 21:44:15 | 000,000,090 | ---- | M] () -- C:\setup.log
[2008/09/14 21:40:29 | 000,000,191 | ---- | M] () -- C:\touchpad.log
[2008/09/14 21:29:21 | 000,000,002 | RHS- | M] () -- C:\USER
[2007/11/07 08:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 08:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

< %PROGRAMFILES%\*. >
[2010/10/02 15:23:02 | 000,000,000 | ---D | M] -- C:\Program Files\4Easysoft Studio
[2009/04/26 16:46:38 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/06/21 20:05:01 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/03/07 17:55:48 | 000,000,000 | ---D | M] -- C:\Program Files\Audible
[2010/07/05 17:27:47 | 000,000,000 | ---D | M] -- C:\Program Files\AWS
[2009/03/08 00:49:51 | 000,000,000 | ---D | M] -- C:\Program Files\BigFix
[2010/10/02 15:16:56 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2010/07/01 17:56:59 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2010/06/05 19:52:14 | 000,000,000 | ---D | M] -- C:\Program Files\ColorByNumbers
[2010/10/09 19:36:47 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/09/14 21:27:41 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2010/08/29 19:34:10 | 000,000,000 | ---D | M] -- C:\Program Files\Creative
[2010/08/29 19:18:38 | 000,000,000 | -H-D | M] -- C:\Program Files\Creative Installation Information
[2008/09/14 21:40:39 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2009/05/16 14:25:56 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2008/09/14 21:41:57 | 000,000,000 | ---D | M] -- C:\Program Files\Digital Media Reader
[2010/09/12 19:57:51 | 000,000,000 | ---D | M] -- C:\Program Files\Downloaded Installers
[2008/09/20 17:10:29 | 000,000,000 | ---D | M] -- C:\Program Files\dvd43
[2010/09/12 20:33:35 | 000,000,000 | ---D | M] -- C:\Program Files\FixCleaner
[2009/05/17 01:48:36 | 000,000,000 | ---D | M] -- C:\Program Files\Garmin
[2009/05/16 14:26:01 | 000,000,000 | ---D | M] -- C:\Program Files\Garmin GPS Plugin
[2008/09/14 21:44:37 | 000,000,000 | ---D | M] -- C:\Program Files\Gateway
[2010/10/05 18:51:01 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2010/05/30 17:02:13 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2008/09/14 21:29:48 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/10/09 17:54:46 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2009/09/14 21:11:56 | 000,000,000 | ---D | M] -- C:\Program Files\iPhone Configuration Utility
[2010/10/02 15:52:24 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/02/02 22:01:01 | 000,000,000 | ---D | M] -- C:\Program Files\IrfanView
[2010/10/02 15:55:11 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/03/07 19:48:55 | 000,000,000 | ---D | M] -- C:\Program Files\IZArc
[2010/10/09 21:00:58 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2008/09/14 21:32:23 | 000,000,000 | ---D | M] -- C:\Program Files\Learn2.com
[2010/05/10 21:13:18 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/09 19:44:56 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee
[2010/10/09 19:43:37 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee Online Backup
[2010/10/09 19:36:38 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee.com
[2010/10/09 19:44:51 | 000,000,000 | ---D | M] -- C:\Program Files\McAfeeMOBK
[2008/09/17 18:48:14 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2010/09/19 17:42:55 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2010/02/09 22:12:00 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2005/03/23 14:13:35 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2008/09/14 21:42:38 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Money 2005
[2010/02/09 22:11:42 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2008/09/14 21:31:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Picture It! 10
[2010/09/06 11:47:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2008/09/14 21:30:22 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2010/08/13 01:51:40 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/10/09 20:20:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/08/15 00:46:50 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2010/10/09 14:41:33 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/09/14 21:42:41 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Encarta Plus
[2005/03/23 14:08:59 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/11/24 19:16:46 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2008/09/14 21:41:34 | 000,000,000 | ---D | M] -- C:\Program Files\Napster
[2008/09/17 18:36:42 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/10/15 18:47:59 | 000,000,000 | ---D | M] -- C:\Program Files\NewSoft
[2008/10/12 14:18:32 | 000,000,000 | ---D | M] -- C:\Program Files\NOS
[2005/03/23 14:10:59 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/10/05 18:40:52 | 000,000,000 | ---D | M] -- C:\Program Files\Opera
[2010/05/11 19:59:14 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/10/02 15:37:32 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/08/15 00:46:33 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/08/19 02:38:53 | 000,000,000 | ---D | M] -- C:\Program Files\Safari
[2009/05/02 13:42:25 | 000,000,000 | ---D | M] -- C:\Program Files\SmartDraw 2009
[2008/09/14 21:40:15 | 000,000,000 | ---D | M] -- C:\Program Files\Synaptics
[2010/09/06 11:39:48 | 000,000,000 | ---D | M] -- C:\Program Files\The Weather Channel FW
[2010/09/06 11:53:01 | 000,000,000 | ---D | M] -- C:\Program Files\The Weather Channel Toolbar
[2010/03/06 17:22:20 | 000,000,000 | ---D | M] -- C:\Program Files\TVUPlayer
[2010/10/09 13:53:29 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2008/09/14 21:32:22 | 000,000,000 | ---D | M] -- C:\Program Files\Viewpoint
[2009/06/14 14:43:51 | 000,000,000 | ---D | M] -- C:\Program Files\VisualTool
[2010/03/21 18:59:44 | 000,000,000 | ---D | M] -- C:\Program Files\vso
[2010/01/03 17:23:51 | 000,000,000 | ---D | M] -- C:\Program Files\Wide Angle Software
[2008/10/12 13:37:22 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/03/11 20:52:59 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/09/17 18:36:36 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/10/04 09:21:05 | 000,000,000 | ---D | M] -- C:\Program Files\Winter Fun Pack 2004 for Windows XP
[2009/03/08 00:49:47 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
[2010/10/05 18:42:30 | 000,000,000 | ---D | M] -- C:\Program Files\wLite
[2005/03/23 14:13:35 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/10/09 17:54:46 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!

< %appdata%\*.* >
[2005/03/23 06:03:30 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\desktop.ini
[2009/12/13 20:36:17 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\wklnhst.dat


< MD5 for: AGP440.SYS >
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 10:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 09:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:disk.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 15:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 15:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 15:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 15:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:usbstor.sys
[2008/09/17 18:28:15 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 15:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/13 15:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-10-09 21:59:05
< End of report >

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista
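The "< MD5 for: ... >" blocks in the log above are the part of an OTL report worth checking by hand: OTL hashes boot-critical drivers (atapi.sys, disk.sys, usbstor.sys and friends) because rootkits of that era patched them in place, so the live copy in system32\drivers stops matching the identical-size copies in ServicePackFiles\i386 and system32\dllcache while keeping its "Microsoft Corporation" company string. The script below is an added example, not part of the thread or of OTL: it parses these blocks and flags a live copy whose hash differs from every reference copy. The directory roles (which paths count as "live", "reference" or "backup") and the DEADBEEF hash in the tampered sample are assumptions made for the example; the clean sample is the atapi.sys block as posted above.

```python
import re

# One OTL "MD5 for:" file entry, e.g. (taken from the log above):
# [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
# ".cab file" entries carry no MD5 and are deliberately not matched.
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>\S.*?)\s*$"
)
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>\s]+)\s*>$")


def classify_path(path):
    """Label a copy of a system file by where it lives (assumed directory roles).

    live      - the copy Windows loads: system32 or its drivers subfolder
    reference - installer/cache copies that should be byte-identical to the live one
    backup    - pre-service-pack copies that are expected to differ
    """
    p = path.lower()
    if "\\servicepackfiles\\i386\\" in p or "\\system32\\dllcache\\" in p:
        return "reference"
    if "$ntservicepackuninstall$" in p or "\\reinstallbackups\\" in p:
        return "backup"
    if "\\system32\\" in p:
        return "live"
    return "other"


def parse_md5_sections(log_text):
    """Return {filename: [entry, ...]} for every '< MD5 for: NAME >' block."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        head = HEADER_RE.match(line)
        if head:
            current = head.group("name").lower()
            sections.setdefault(current, [])
            continue
        if line.startswith("<"):      # some other OTL section: stop collecting
            current = None
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entry["md5"] = entry["md5"].upper()
            entry["kind"] = classify_path(entry["path"])
            sections[current].append(entry)
    return sections


def check_sections(sections):
    """Return (file, path, reason) findings; empty means every live copy matched a reference."""
    findings = []
    for name, entries in sections.items():
        refs = [e for e in entries if e["kind"] == "reference"]
        for e in (e for e in entries if e["kind"] == "live"):
            if not e["company"]:
                findings.append((name, e["path"], "no company name on a system file"))
            if not refs:
                findings.append((name, e["path"], "no reference copy to compare against"))
            elif any(r["md5"] == e["md5"] for r in refs):
                continue                                  # matches a known-good copy
            elif any(r["size"] == e["size"] for r in refs):
                # Same size, different hash: the footprint of a driver patched in place.
                findings.append((name, e["path"], "MD5 differs from same-size reference copy"))
            else:
                findings.append((name, e["path"], "MD5 differs from every reference copy"))
    return findings


# Sample input: the atapi.sys block as posted in the thread's log (clean).
CLEAN_SAMPLE = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 15:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
"""

# Constructed variant: same block, but the live driver carries a made-up hash
# (DEADBEEF...) while keeping its size and company string, as a patched driver would.
TAMPERED_SAMPLE = CLEAN_SAMPLE.replace(
    "MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\\WINDOWS\\system32\\drivers\\atapi.sys",
    "MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\\WINDOWS\\system32\\drivers\\atapi.sys",
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(label, check_sections(parse_md5_sections(sample)) or "no findings")
```

Run against the whole OTL.txt, every block in the log above comes back clean: the $NtServicePackUninstall$ and ReinstallBackups copies have a different MD5, but that is the pre-SP3 version being kept for rollback, which is why the script treats those directories as expected-to-differ backups rather than as a mismatch.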

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Mon 11 Oct 2010, 8:15 am

Hello.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Mon 11 Oct 2010, 10:06 am

Here is the OTL log. The program didn't seem to generate an Extras.txt log at all... I put the OTL.exe file on my desktop and it did create an OTL.txt file but no Extras.

-----------------------------------

OTL logfile created on: 10/10/2010 5:51:16 PM - Run 3
OTL by OldTimer - Version 3.2.15.0 Folder = C:\Documents and Settings\Wilfredo\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.00 Mb Total Physical Memory | 236.00 Mb Available Physical Memory | 49.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.00 Gb Total Space | 11.31 Gb Free Space | 15.92% Space Free | Partition Type: NTFS
Drive D: | 3.52 Gb Total Space | 1.06 Gb Free Space | 30.16% Space Free | Partition Type: FAT32

Computer Name: GATEWAY | User Name: Wilfredo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/10 17:48:51 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.exe
PRC - [2010/09/10 21:59:12 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/08/24 14:57:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2010/08/24 14:57:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2008/09/14 21:40:04 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/09 10:19:14 | 000,204,800 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
PRC - [2004/05/26 20:57:24 | 000,139,264 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\shwicon2k.exe
PRC - [2004/03/26 15:20:28 | 000,098,304 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


========== Modules (SafeList) ==========

MOD - [2010/10/10 17:48:51 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.exe
MOD - [2010/07/14 13:30:14 | 000,018,688 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2004/03/26 15:20:22 | 000,066,048 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/01 15:52:56 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
SRV - [2010/08/24 14:57:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/08/24 14:57:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/04/15 09:45:10 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2008/09/14 21:40:04 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)


========== Driver Services (SafeList) ==========

DRV - [2010/08/24 14:57:38 | 000,386,712 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/08/24 14:57:38 | 000,312,904 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/08/24 14:57:38 | 000,152,992 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/08/24 14:57:38 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/08/24 14:57:38 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/08/24 14:57:38 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/08/24 14:57:38 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/08/24 14:57:38 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/08/24 14:57:38 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/08/24 14:57:38 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/04/13 20:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/09/20 17:10:43 | 000,018,816 | ---- | M] (RIF) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dvd43llh.sys -- (dvd43llh)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/07 19:16:45 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2008/04/07 19:16:45 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/02/11 22:46:00 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/08/04 01:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/24 13:16:44 | 000,029,856 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EMCfilt.sys -- (EMCFILT)
DRV - [2004/03/26 15:15:40 | 000,180,000 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2003/09/26 08:26:54 | 000,272,128 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camchal.sys -- (CAMCHALA)
DRV - [2003/09/26 08:25:06 | 000,291,712 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camcaud.sys -- (CAMCAUD)
DRV - [2003/06/30 11:11:52 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/05/01 06:42:08 | 000,030,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\strmdisp.sys -- (StreamDispatcher)
DRV - [2003/05/01 06:40:56 | 000,165,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2003/05/01 06:38:56 | 000,622,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/05/01 06:37:46 | 001,107,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/18 01:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 01:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 01:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 01:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 01:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 00:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 00:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 00:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 00:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 00:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 00:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 00:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 00:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 00:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 00:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 16:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Local Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Local Page Restore = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {ca0849e8-2c76-42ae-9abe-34e14d337acf}:1.93
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.3.1
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: {d84a846d-f7cb-4187-a408-b171020e8940}:1.2.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:3.76
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.6.1
FF - prefs.js..extensions.enabledItems: radiobar@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2
FF - prefs.js..extensions.enabledItems: 5
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {340c2bbc-ce74-4362-90b5-7c26312808ef}:1.5
FF - prefs.js..extensions.enabledItems: {0b457cAA-602d-484a-8fe7-c1d894a011ba}:0.85
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.3.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76
FF - prefs.js..extensions.enabledItems: {285da7e0-729d-11db-9fe1-0800200c9a66}:2.20091201
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\firefox\
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/10/10 04:54:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/10 17:37:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/09 20:58:32 | 000,000,000 | ---D | M]

[2010/03/25 14:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Extensions
[2010/03/25 14:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/10/10 11:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions
[2010/09/26 14:57:29 | 000,000,000 | ---D | M] (FireShot) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2009/12/31 13:21:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/09/26 14:57:35 | 000,000,000 | ---D | M] (RSS Ticker) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}
[2010/04/29 18:23:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/12 10:07:53 | 000,000,000 | ---D | M] (Tinseltown) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}
[2010/10/06 19:08:58 | 000,000,000 | ---D | M] (Firefox Sync) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
[2010/07/05 17:27:40 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/09/26 14:57:42 | 000,000,000 | ---D | M] (Personas Rotator) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{6e73f6b7-b9ab-44b8-b744-6393e3c2e351}
[2010/10/09 20:43:34 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/02/25 20:39:52 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/01/19 22:10:23 | 000,000,000 | ---D | M] (MushroomKingdom) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{BF32D2C8-9C75-404b-ACF4-880DB4679236}
[2010/08/15 16:34:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{ca0849e8-2c76-42ae-9abe-34e14d337acf}
[2008/10/12 14:18:28 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2010/08/18 19:19:03 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/03 20:50:16 | 000,000,000 | ---D | M] (Navigational Sounds) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{d84a846d-f7cb-4187-a408-b171020e8940}
[2010/10/02 09:21:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\es-es@dictionaries.addons.mozilla.org
[2010/03/06 17:16:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\firefox@tvunetworks.com
[2010/09/26 14:57:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\foxyproxy@eric.h.jung
[2010/09/22 19:18:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\info@priceblink.com
[2009/03/08 01:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\moveplayer@movenetworks.com
[2010/02/25 20:39:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\noia2_option@kk.noia
[2010/09/12 15:58:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\personas@christopher.beard
[2010/03/07 18:25:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\radiobar@toolbar
[2009/12/12 10:08:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}\chrome\mozapps\extensions
[2009/12/12 10:08:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}\chrome\mozapps\extensions\CVS
[2008/08/17 18:27:18 | 000,001,622 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\searchplugins\ask.xml
[2009/05/27 19:21:17 | 000,009,941 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\searchplugins\mywebsearch.xml
[2010/10/10 11:19:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/09 20:58:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/08/24 14:57:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/10/09 20:57:52 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/10/10 10:11:22 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2004/08/04 15:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20101009193807.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (The Weather Channel Toolbar) - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll ()
O3 - HKLM\..\Toolbar: (FireShot) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin-0.85.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PVR Agent] C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/23 14:13:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 11:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{14ce674e-bf0f-11dd-ba60-0003252284d6}\Shell - "" = AutoRun
O33 - MountPoints2\{14ce674e-bf0f-11dd-ba60-0003252284d6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{14ce674e-bf0f-11dd-ba60-0003252284d6}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{dc68c34b-82c8-11dd-b9fe-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{dc68c34b-82c8-11dd-b9fe-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/10 17:48:36 | 000,576,512 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.exe
[2010/10/09 20:58:32 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/10/09 20:58:32 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/09 20:58:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/09 20:58:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/10/09 20:58:32 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/10/09 20:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Local Settings\Application Data\Help
[2010/10/09 20:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\Help
[2010/10/09 19:44:46 | 000,000,000 | ---D | C] -- C:\Program Files\McAfeeMOBK
[2010/10/09 19:43:43 | 000,054,776 | ---- | C] (Mozy, Inc.) -- C:\WINDOWS\System32\drivers\MOBK.sys
[2010/10/09 19:42:55 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Online Backup
[2010/10/09 19:38:04 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/10/09 19:37:25 | 000,084,072 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/10/09 19:37:24 | 000,088,544 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/10/09 19:37:24 | 000,084,264 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/10/09 19:37:23 | 000,312,904 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/10/09 19:37:23 | 000,052,104 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/10/09 19:37:22 | 000,152,992 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/10/09 19:37:21 | 000,055,840 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/10/09 19:36:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
[2010/10/09 19:36:38 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/10/09 19:05:32 | 000,141,792 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2010/10/09 14:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\MSNInstaller
[2010/10/09 13:53:29 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2010/10/03 14:08:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Desktop\ToDoOutlookSync
[2010/10/03 12:47:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Desktop\Macy's American Express
[2010/10/02 15:52:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/10/02 15:34:12 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/10/02 15:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\My Documents\4Easysoft Studio
[2010/10/02 15:23:02 | 000,000,000 | ---D | C] -- C:\Program Files\4Easysoft Studio
[2010/10/02 15:16:53 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/09/26 15:09:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\FireShot
[2010/09/19 18:57:50 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010/09/19 18:57:50 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2010/09/12 20:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Application Data\FixCleaner
[2010/09/12 19:59:18 | 000,000,000 | ---D | C] -- C:\Program Files\FixCleaner
[2010/09/12 19:57:51 | 000,000,000 | ---D | C] -- C:\Program Files\Downloaded Installers
[2010/09/12 19:42:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Wilfredo\IECompatCache
[2010/09/12 19:25:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wilfredo\Local Settings\Application Data\Blockbuster
[2010/09/12 18:01:12 | 001,821,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vcredist_x86.exe
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/10 17:48:51 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wilfredo\Desktop\OTL.exe
[2010/10/10 17:28:06 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/10/10 15:27:45 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/10/10 14:28:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/10 03:30:00 | 000,000,400 | ---- | M] () -- C:\WINDOWS\tasks\RegFixPro Scheduled Scan.job
[2010/10/09 21:41:56 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2326568991-238852156-3936288368-1007.job
[2010/10/09 21:41:53 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/10/09 21:41:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/10/09 21:41:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/09 21:41:27 | 502,714,368 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/09 21:39:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Wilfredo\ntuser.ini
[2010/10/09 21:38:59 | 004,354,048 | ---- | M] () -- C:\Documents and Settings\Wilfredo\ntuser.dat
[2010/10/09 21:36:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/09 21:27:50 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/09 20:57:51 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/10/09 20:57:51 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/09 20:57:51 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/09 20:57:51 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/10/09 20:57:51 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/10/09 20:28:43 | 000,000,803 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/10/09 20:20:17 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/09 20:20:17 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/09 20:08:03 | 000,057,091 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\bookmarks-2010-10-09.json
[2010/10/09 17:14:48 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/09 17:00:07 | 000,000,404 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\Shortcut to SearsPayment2010.lnk
[2010/10/09 13:21:24 | 000,012,771 | ---- | M] () -- C:\WINDOWS\System32\4Easysoft iPhone 4G Manager.seed
[2010/10/09 10:34:36 | 000,501,514 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/10/09 10:34:36 | 000,441,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/09 10:34:36 | 000,071,258 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/06 21:44:14 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/04 18:05:55 | 000,000,102 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\AOL Radio.URL
[2010/10/03 14:04:41 | 010,156,885 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\ToDoOutlookSync.zip
[2010/09/18 17:33:48 | 000,001,709 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\NetflixOrderFinal.htm
[2010/09/12 18:00:26 | 000,230,176 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\BLOCKBUSTERMovielinkInstall.exe
[2010/09/11 22:24:27 | 000,002,213 | ---- | M] () -- C:\Documents and Settings\Wilfredo\Desktop\iPhone Configuration Utility.lnk
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/09 20:20:17 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/09 20:20:17 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/09 20:08:02 | 000,057,091 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\bookmarks-2010-10-09.json
[2010/10/09 19:45:36 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/10/09 17:14:48 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/09 17:00:07 | 000,000,404 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\Shortcut to SearsPayment2010.lnk
[2010/10/06 19:26:29 | 004,354,048 | ---- | C] () -- C:\Documents and Settings\Wilfredo\ntuser.dat
[2010/10/04 18:05:55 | 000,000,102 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\AOL Radio.URL
[2010/10/03 14:02:44 | 010,156,885 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\ToDoOutlookSync.zip
[2010/10/02 15:45:20 | 000,012,771 | ---- | C] () -- C:\WINDOWS\System32\4Easysoft iPhone 4G Manager.seed
[2010/09/18 17:33:43 | 000,001,709 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\NetflixOrderFinal.htm
[2010/09/12 18:00:24 | 000,230,176 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Desktop\BLOCKBUSTERMovielinkInstall.exe
[2010/09/06 11:52:39 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarIe7.dll
[2010/09/06 11:52:39 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarBho.dll
[2010/08/29 19:22:15 | 000,162,504 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/07/05 14:33:48 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/02/09 22:13:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/12/13 20:36:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Application Data\wklnhst.dat
[2008/10/15 18:49:03 | 000,000,105 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2008/10/15 18:49:02 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2008/10/15 18:48:50 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2008/10/15 18:47:46 | 000,000,074 | ---- | C] () -- C:\WINDOWS\PMINI.ini
[2008/09/28 15:07:54 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/20 21:02:39 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Wilfredo\Local Settings\Application Data\fusioncache.dat
[2008/09/14 21:40:16 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2008/09/14 18:28:18 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/03/27 03:10:58 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/03/23 12:53:24 | 000,001,204 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/03/23 12:53:24 | 000,000,455 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2002/05/15 11:13:20 | 000,081,920 | R--- | C] () -- C:\WINDOWS\System32\SipCal.dll
[1999/09/17 19:12:54 | 000,044,344 | ---- | C] () -- C:\WINDOWS\System32\Seqcal.sys

< End of report >

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista
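A way to mechanise the checks a reviewer makes on a log like the one above, as an added example that is not part of the original post and not OTL's own code: it parses a handful of the O4/O16/O20/O33/O35/O37 lines copied from the posted OTL.txt and reports the entries a reviewer would query (a per-user Winlogon Shell value, autorun targets that no longer exist, a dangling ActiveX entry, a non-default exe/com open handler). The rule names, the assumption that %SystemRoot% is C:\WINDOWS, and the heuristic that a stock XP install defines Winlogon\Shell only under HKLM are mine, not the page's.

```python
"""Triage rules for OTL (OldTimer's List It) log lines.

Added example for this thread; it is not part of the original post and not
OTL's own code. It encodes a few of the checks a log reviewer does by hand:

  * O20        Winlogon Shell not the stock explorer.exe, or a per-user (HKCU)
               Shell value at all (assumption: a stock XP install defines Shell
               only under HKLM, so an HKCU copy deserves a second look)
  * O4 / O33   autorun entries whose target file no longer exists
  * O35 / O37  exe/com "open" handlers that differ from the default "%1" %*
  * O16        ActiveX (DPF) entries whose registry key is gone (Reg Error)

SAMPLE_LOG is copied from the OTL.txt posted above.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# Assumption: %SystemRoot% is C:\WINDOWS, as the posted log shows.
DEFAULT_SHELL = r"c:\windows\explorer.exe"
DEFAULT_OPEN_CMD = '"%1" %*'

SAMPLE_LOG = r"""
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PVR Agent] C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe File not found
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O33 - MountPoints2\{14ce674e-bf0f-11dd-ba60-0003252284d6}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# O20 - <hive> Winlogon: Shell - (<value>) - <path> (<company>)
_SHELL_RE = re.compile(
    r"^O20 - (HKLM|HKCU) Winlogon: Shell - \([^)]*\) - (.+?)(?: \([^)]*\))?$"
)
# O35/O37 - <key> [open] -- <command>
_OPEN_RE = re.compile(r"^O3[57] - .* -- (.+)$")


def _check_shell(line: str) -> List[Finding]:
    """Flag a replaced Shell, and the mere presence of a per-user Shell value."""
    m = _SHELL_RE.match(line)
    if not m:
        return [("unparsed O20 line", line)]
    hive, path = m.group(1), m.group(2)
    out: List[Finding] = []
    if path.lower() != DEFAULT_SHELL:
        out.append(("Winlogon Shell replaced", line))
    if hive == "HKCU":
        out.append(("per-user Winlogon Shell value present", line))
    return out


def _check_open_command(line: str) -> List[Finding]:
    """Flag an exe/com open handler that is anything other than "%1" %*."""
    m = _OPEN_RE.match(line)
    if m and m.group(1) != DEFAULT_OPEN_CMD:
        return [("exe/com open handler changed", line)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Return (rule, line) pairs for every log line that trips a rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]  # OTL section tag: O4, O16, O20, ...
        if tag == "O20" and "Winlogon: Shell" in line:
            findings.extend(_check_shell(line))
        elif tag in ("O4", "O33") and line.endswith("File not found"):
            findings.append(("orphaned autorun target", line))
        elif tag in ("O35", "O37"):
            findings.extend(_check_open_command(line))
        elif tag == "O16" and "Reg Error" in line:
            findings.append(("dangling ActiveX (DPF) entry", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run it against a saved OTL.txt with `triage(open(path).read())`. The findings are leads rather than verdicts: in this log both Shell values already point at C:\WINDOWS\explorer.exe, so the only O20 lead is that a per-user Shell value exists at all, which is what you would expect after a hijacked value has been reset rather than deleted; the two orphaned autoruns and the dangling DPF entry point at files and keys that no longer exist, so nothing runs from them, but they are the kind of leftovers a fix script would clear.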

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Mon 11 Oct 2010, 10:40 am

Okay, I found an Extras.txt file but I don't know if it'll be of any help because it's an old one. You see, yesterday I scanned the computer with OTL per the instructions in the "Read this first" post using the binary (I think?) file that downloaded when I clicked the button. At that time, it DID create an Extras.txt file, but then I realized the computer had Limewire installed on it. Since I figured I'd be advised to uninstall this program anyway, I went ahead and uninstalled it, deleted the old logs (OTL.txt and Extras.txt) OTL created, and ran a new OTL scan. This 2nd scan's log is the one I posted in my first post, but this 2nd scan did NOT create an Extras.txt file, for some reason.

Then you said to run an OTL scan and gave me this new link to the OTL.exe file, so I did as you asked and ran a 3rd scan on the computer using this newly downloaded .exe file. This 3rd scan did not create an Extras.txt file either. I found the Extras.txt file for the very FIRST scan (when Limewire was still installed) still in the Recycle Bin and am posting it in case it is still helpful or would have yielded the same results. Nothing else was changed on the computer at all between the 1st scan and the 2nd/3rd scans except for me uninstalling Limewire. Again, this Extras log is from the 1st OTL scan, not from the most recent one I posted (the 3rd scan).

Thank you again for your help and I apologize if this old log causes any confusion or is completely useless.

---------------------------------------------------

OTL Extras logfile created on: 10/9/2010 9:54:43 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Wilfredo\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.00 Mb Total Physical Memory | 251.00 Mb Available Physical Memory | 52.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.00 Gb Total Space | 10.97 Gb Free Space | 15.46% Space Free | Partition Type: NTFS
Drive D: | 3.52 Gb Total Space | 1.06 Gb Free Space | 30.16% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GATEWAY
Current User Name: Wilfredo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
http [open] -- C:\PROGRA~1\WYZO\WYZO.EXE -requestPending -osint -url "%1" File not found
https [open] -- C:\PROGRA~1\WYZO\WYZO.EXE -requestPending -osint -url "%1" File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL -- File not found
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Disabled:Ares p2p for windows -- File not found
"C:\tempLimewire\LimeWire.exe" = C:\tempLimewire\LimeWire.exe:*:Disabled:LimeWire -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\wLite\wLite.exe" = C:\Program Files\wLite\wLite.exe:*:Disabled:webcamXP -- File not found
"C:\Program Files\wLite\wService.exe" = C:\Program Files\wLite\wService.exe:*:Disabled:webcamXP Service -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Disabled:Opera Internet Browser -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- File not found
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{038A524F-58DB-438A-8391-8F7F0CA14B9E}" = Microsoft® Winter Fun Pack 2004 for Windows® XP
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{09A8D062-576E-4826-88BA-A89E7A7FD9AA}" = CBN Selector 3
"{11801011-D30E-4120-9A89-9A873B1D72DF}" = Canon MF5700 Series
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 21
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{2EEC2A94-7204-45C6-93BB-67EAEB19E4D6}" = Safari
"{301120E0-45A9-498C-8627-19E7E20EFA3A}" = BurnPlugin for Audible
"{301CC8D1-FE75-41ED-9B11-41F006110950}" = Garmin City Navigator North America NT 2010.10 Update
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3BF5F2B1-A6AD-4BB2-94D1-F5D5C9D6C855}" = Canon MF Update Tool
"{3F262ADC-5AD2-48E5-A586-44315E04A9E2}" = Microsoft Picture It! Library 10
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{42756145-9997-4D28-809B-8756BFD00106}" = Microsoft Picture It! Premium 10
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}" = Presto! PageManager 6.03
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F815C5F-D2A4-4173-B7C0-55A9D6F87E38}" = MobileMe Control Panel
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84CC9583-C2D6-42E6-A373-6FDDDA6A8BA6}" = Garmin Communicator Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{8F018A9E-56DE-4A79-A5EF-25F413F1D538}" = WeatherBug
"{90260409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Web Components
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 4.1
"{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}" = Creative ZEN V Series (R2)
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A607AC66-0C76-4519-9751-E12A93BF8EB2}" = Digital Media Reader
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92B6797-9C07-4E25-AD96-29087D3A2AC2}" = TouchCopy 09
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AudibleManager" = AudibleManager
"BigFix" = BigFix
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_202F161F" = SoftK56 Data Fax
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Conexant PCI Audio" = Conexant AC-Link Audio
"CopyToDVD_is1" = CopyToDVD
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"DVD43_is1" = DVD43 v4.3.1
"Google Updater" = Google Updater
"InstallShield_{A607AC66-0C76-4519-9751-E12A93BF8EB2}" = Digital Media Reader
"IrfanView" = IrfanView (remove only)
"LimeWire" = LimeWire 5.5.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2005b" = Microsoft Money 2005
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MP3 Player Recovery Tool_is1" = MP3 Player Recovery Tool
"MSC" = McAfee Total Protection
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Picasa 3" = Picasa 3
"PictureItPrem_v10" = Microsoft Picture It! Premium 10
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SysInfo" = Creative System Information
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"The Weather Channel Toolbar" = The Weather Channel Toolbar
"TVUPlayer" = TVUPlayer 2.5.2.2
"ViewpointMediaPlayer" = Viewpoint Media Player
"VisualTool" = VisualTool
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/9/2010 8:01:53 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 8:01:54 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/9/2010 9:44:41 PM | Computer Name = GATEWAY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This operation returned because the timeout period expired.

[ System Events ]
Error - 10/9/2010 8:01:13 PM | Computer Name = GATEWAY | Source = DCOM | ID = 10010
Description = The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register
with DCOM within the required timeout.

Error - 10/9/2010 8:17:54 PM | Computer Name = GATEWAY | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 10/9/2010 8:17:54 PM | Computer Name = GATEWAY | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 10/9/2010 8:17:54 PM | Computer Name = GATEWAY | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 10/9/2010 8:17:54 PM | Computer Name = GATEWAY | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 10/9/2010 8:17:56 PM | Computer Name = GATEWAY | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 10/9/2010 8:17:57 PM | Computer Name = GATEWAY | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 10/9/2010 8:18:00 PM | Computer Name = GATEWAY | Source = ipnathlp | ID = 31012
Description = The DNS proxy agent encountered an error while obtaining the local
list of name-resolution servers. Some DNS or WINS servers may be inaccessible to
clients on the local network. The data is the error code.

Error - 10/9/2010 9:42:35 PM | Computer Name = GATEWAY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
McPvDrv

Error - 10/9/2010 9:44:49 PM | Computer Name = GATEWAY | Source = DCOM | ID = 10010
Description = The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register
with DCOM within the required timeout.


< End of report >

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Tue 12 Oct 2010, 8:35 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Tue 12 Oct 2010, 10:06 am

Done!

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.

OTL by OldTimer - Version 3.2.15.0 log created on 10112010_190018

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Tue 12 Oct 2010, 10:08 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Tue 12 Oct 2010, 11:15 am

Okay, I ran the scan and the computer is restarting now. I should mention that while the scan was running McAfee popped up this warning:

Potentially Unwanted Program Blocked

Name: RemAdm-VNCView
Quarantined from: C:\Documents and Settings\Wilfredo\LocalSettings\Temp\XX4Bmb9Z.exe.part

It asked to allow or remove it and we went ahead and clicked "Remove" just in case. I've pasted the Malwarebytes log below.

-----------------------------------------


Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]



Database version: 4796

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/11/2010 8:05:52 PM
mbam-log-2010-10-11 (20-05-52).txt

Scan type: Quick scan
Objects scanned: 172247
Time elapsed: 20 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1)
Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1)
Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\LocalPage (Hijack.SearchPage) -> Bad: (http://www.iesearch.com/)
Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Wed 13 Oct 2010, 10:28 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Wed 13 Oct 2010, 12:41 pm

Phew! Here's the ComboFix log. By the way, whenever I come to the GeekPolice webpage on the computer I get a message saying that Firefox stopped me from being redirected somewhere else, even after I ran ComboFix. Is that normal or is it part of the problem, I wonder? It doesn't show that warning on my other computer, which has all the same Firefox settings, I believe.

-----------------------

ComboFix 10-10-12.01 - Wilfredo 10/12/2010 20:54:42.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.206 [GMT -4:00]
Running from: c:\documents and settings\Wilfredo\Desktop\Combo-Fix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Wilfredo\Application Data\Microsoft\stor.cfg
c:\documents and settings\Wilfredo\GoToAssistDownloadHelper.exe
c:\documents and settings\Wilfredo\Local Settings\Temporary Internet Files\TestBrowser.html
c:\documents and settings\Wilfredo\System
c:\documents and settings\Wilfredo\System\win_qs8.jqx
C:\Install.exe
c:\program files\Downloaded Installers
c:\program files\VisualTool
c:\program files\VisualTool\pcre3.dll
c:\program files\VisualTool\uninstall.exe
c:\program files\VisualTool\VisualTool.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-13 00:15 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 00:15 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 00:15 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 00:14 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-11 23:00 . 2010-10-11 23:00 -------- d-----w- C:\_OTL
2010-10-10 00:58 . 2010-10-10 00:57 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-10 00:58 . 2010-10-10 00:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-10 00:58 . 2010-10-10 00:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-10 00:29 . 2010-10-10 00:29 -------- d-----w- c:\documents and settings\Wilfredo\Local Settings\Application Data\Help
2010-10-09 23:44 . 2010-10-09 23:44 -------- d-----w- c:\program files\McAfeeMOBK
2010-10-09 23:43 . 2010-04-14 00:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-10-09 23:42 . 2010-10-09 23:43 -------- d-----w- c:\program files\McAfee Online Backup
2010-10-09 23:38 . 2010-08-24 18:57 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2010-10-09 23:38 . 2010-08-24 18:57 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-09 23:37 . 2010-08-24 18:57 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-09 23:37 . 2010-08-24 18:57 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-09 23:37 . 2010-08-24 18:57 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-09 23:37 . 2010-08-24 18:57 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-09 23:37 . 2010-08-24 18:57 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-09 23:37 . 2010-08-24 18:57 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-09 23:37 . 2010-08-24 18:57 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-09 23:36 . 2010-10-09 23:39 -------- d-----w- c:\program files\Common Files\Mcafee
2010-10-09 23:36 . 2010-10-09 23:36 -------- d-----w- c:\program files\McAfee.com
2010-10-09 23:05 . 2010-08-24 18:57 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-09 21:13 . 2010-10-09 21:13 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2010-10-09 18:42 . 2010-10-09 18:43 -------- d-----w- c:\documents and settings\Wilfredo\Application Data\MSNInstaller
2010-10-09 18:24 . 2010-10-09 18:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-09 18:02 . 2010-10-09 21:25 -------- d-----w- c:\documents and settings\TEMP
2010-10-02 19:52 . 2010-10-02 19:52 -------- d-----w- c:\program files\iPod
2010-10-02 19:23 . 2010-10-02 19:23 -------- d-----w- c:\program files\4Easysoft Studio
2010-10-02 19:16 . 2010-10-02 19:16 -------- d-----w- c:\program files\Bonjour
2010-09-26 19:09 . 2010-09-26 21:50 -------- d-----w- c:\documents and settings\Wilfredo\Application Data\FireShot
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-09-19 22:57 . 2010-09-09 14:16 81920 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-09-19 22:57 . 2010-09-09 14:16 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-18 16:23 . 2010-09-18 16:23 974848 -c----w- c:\windows\system32\dllcache\mfc42u.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 18:57 . 2010-10-09 23:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-25 39408]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 499712]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-11 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Online Backup Status.lnk - c:\program files\McAfee Online Backup\MOBKstat.exe [2010-4-13 3045176]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/9/2010 7:37 PM 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [10/9/2010 7:43 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 7:36 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 7:36 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 7:36 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [10/9/2010 7:38 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/9/2010 7:05 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/9/2010 7:37 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/9/2010 7:37 PM 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/9/2010 7:37 PM 88544]
S0 McPvDrv;McPvDrv Driver; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/5/2010 2:23 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/9/2010 7:37 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/9/2010 7:37 PM 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/23/2005 12:52 PM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-10-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-28 21:50]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-05 18:22]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-05 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = *.local;
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PVR Agent - c:\program files\V-Stream\PVR Plus\TVR\Scheduled.exe
AddRemove-VisualTool - c:\program files\VisualTool\uninstall.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1844)
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-12 21:35:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-13 01:35

Pre-Run: 17,570,967,552 bytes free
Post-Run: 21,157,556,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BFD2A1C20D12695930D78CFFB50CA510

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Thu 14 Oct 2010, 8:04 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    DDS::
    uStart Page = about:blank
    uInternet Settings,ProxyServer = http=127.0.0.1:50370

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
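The CFScript above resets two values: the per-user start page and a ProxyServer entry that sends browser traffic to 127.0.0.1:50370, i.e. back into the infected machine. A loopback proxy only works while some local process is listening on that port; that process can read, rewrite or redirect every request, and once it is removed the browser reports proxy errors, which is the symptom that opened this thread. The following is an added example, not code from the thread, from ComboFix or from any of the tools it names: a Python check that reads DDS/ComboFix-style "Supplementary Scan" lines and flags any ProxyServer endpoint whose host is the local machine. The sample lines are constructed from the values posted in this thread, the corporate proxy entry is invented for contrast, and the reading of the leading u/m letter as the user/machine hive is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the DDS/ComboFix "Supplementary Scan" layout used in this
# thread. Assumption: the leading "u"/"m" marks the user (HKCU) or machine (HKLM) hive.
SAMPLE_LINES = [
    "uStart Page = about:blank",
    "uInternet Settings,ProxyServer = http=127.0.0.1:50370",
    "uInternet Settings,ProxyOverride = *.local;",
    "mInternet Settings,ProxyServer = proxy.corp.example:8080",  # invented benign entry
    "FF - prefs.js: network.proxy.type - 4",
]

_PROXY_RE = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")


@dataclass
class ProxyEndpoint:
    hive: str            # "u" = per-user (HKCU), "m" = machine-wide (HKLM)
    scheme: str          # "http", "https", "ftp", "socks", or "all" when no scheme is given
    host: str
    port: Optional[int]
    line: str            # the log line the endpoint came from, for the report

    @property
    def is_loopback(self) -> bool:
        host = self.host.strip("[]").lower()  # "[::1]" is written with brackets
        if host == "localhost":
            return True
        try:
            return ipaddress.ip_address(host).is_loopback
        except ValueError:
            return False  # a hostname; not something we can call loopback from the log alone


def parse_proxy_server(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split a ProxyServer value into (scheme, host, port) tuples.

    Windows stores either "host:port" (one proxy for every protocol) or a
    ';'-separated list of "scheme=host:port" pairs, as in the posted log.
    """
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, endpoint = part.partition("=")
        if not sep:
            scheme, endpoint = "all", part
        host, sep, port = endpoint.rpartition(":")
        if not sep:
            host, port = endpoint, ""
        out.append((scheme.lower(), host, int(port) if port.isdigit() else None))
    return out


def find_loopback_proxies(lines) -> List[ProxyEndpoint]:
    """Return every proxy endpoint in the log lines that points at the local machine."""
    hits = []
    for line in lines:
        m = _PROXY_RE.match(line.strip())
        if not m:
            continue
        for scheme, host, port in parse_proxy_server(m.group("value")):
            ep = ProxyEndpoint(m.group("hive"), scheme, host, port, line.strip())
            if ep.is_loopback:
                hits.append(ep)
    return hits


if __name__ == "__main__":
    for ep in find_loopback_proxies(SAMPLE_LINES):
        print(f"[{ep.hive}] {ep.scheme} proxy -> {ep.host}:{ep.port}  ({ep.line})")
```

Run against the sample it reports only the user-hive HTTP proxy on 127.0.0.1:50370; the ProxyOverride line and the Firefox `network.proxy.type` line are left alone, since a proxy type of 4 (auto-detect) does not by itself name an endpoint.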

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Thu 14 Oct 2010, 9:57 am

I did as you said and ComboFix popped up a window saying there's a new ComboFix version available and asking if I want to update. Should I say yes or should I redownload and rename it again from the link you gave me...?

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Thu 14 Oct 2010, 10:22 am

Allow it to download the new update then.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Thu 14 Oct 2010, 10:47 am

ComboFix 10-10-12.03 - Wilfredo 10/13/2010 19:17:21.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.240 [GMT -4:00]
Running from: c:\documents and settings\Wilfredo\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Wilfredo\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-13 00:15 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 00:15 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 00:15 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 00:14 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-11 23:00 . 2010-10-11 23:00 -------- d-----w- C:\_OTL
2010-10-10 00:58 . 2010-10-10 00:57 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-10 00:58 . 2010-10-10 00:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-10 00:58 . 2010-10-10 00:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-10 00:29 . 2010-10-10 00:29 -------- d-----w- c:\documents and settings\Wilfredo\Local Settings\Application Data\Help
2010-10-09 23:44 . 2010-10-09 23:44 -------- d-----w- c:\program files\McAfeeMOBK
2010-10-09 23:43 . 2010-04-14 00:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-10-09 23:42 . 2010-10-09 23:43 -------- d-----w- c:\program files\McAfee Online Backup
2010-10-09 23:38 . 2010-08-24 18:57 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2010-10-09 23:38 . 2010-08-24 18:57 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-09 23:37 . 2010-08-24 18:57 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-09 23:37 . 2010-08-24 18:57 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-09 23:37 . 2010-08-24 18:57 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-09 23:37 . 2010-08-24 18:57 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-09 23:37 . 2010-08-24 18:57 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-09 23:37 . 2010-08-24 18:57 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-09 23:37 . 2010-08-24 18:57 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-09 23:36 . 2010-10-09 23:39 -------- d-----w- c:\program files\Common Files\Mcafee
2010-10-09 23:36 . 2010-10-09 23:36 -------- d-----w- c:\program files\McAfee.com
2010-10-09 23:05 . 2010-08-24 18:57 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-09 21:13 . 2010-10-09 21:13 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2010-10-09 18:42 . 2010-10-09 18:43 -------- d-----w- c:\documents and settings\Wilfredo\Application Data\MSNInstaller
2010-10-09 18:24 . 2010-10-09 18:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-09 18:02 . 2010-10-09 21:25 -------- d-----w- c:\documents and settings\TEMP
2010-10-02 19:52 . 2010-10-02 19:52 -------- d-----w- c:\program files\iPod
2010-10-02 19:23 . 2010-10-02 19:23 -------- d-----w- c:\program files\4Easysoft Studio
2010-10-02 19:16 . 2010-10-02 19:16 -------- d-----w- c:\program files\Bonjour
2010-09-26 19:09 . 2010-09-26 21:50 -------- d-----w- c:\documents and settings\Wilfredo\Application Data\FireShot
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-09-19 22:57 . 2010-09-09 14:16 81920 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-09-19 22:57 . 2010-09-09 14:16 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-18 16:23 . 2010-09-18 16:23 974848 -c----w- c:\windows\system32\dllcache\mfc42u.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 18:57 . 2010-10-09 23:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-25 39408]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 499712]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-11 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Online Backup Status.lnk - c:\program files\McAfee Online Backup\MOBKstat.exe [2010-4-13 3045176]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/9/2010 7:37 PM 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [10/9/2010 7:43 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 7:36 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 7:36 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 7:36 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [10/9/2010 7:38 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/9/2010 7:05 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/9/2010 7:37 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/9/2010 7:37 PM 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/9/2010 7:37 PM 88544]
S0 McPvDrv;McPvDrv Driver; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/5/2010 2:23 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/9/2010 7:37 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/9/2010 7:37 PM 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/23/2005 12:52 PM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-10-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-28 21:50]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-05 18:22]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-05 18:22]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local;
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-10-13 19:41:06
ComboFix-quarantined-files.txt 2010-10-13 23:40
ComboFix2.txt 2010-10-13 01:35

Pre-Run: 21,154,734,080 bytes free
Post-Run: 21,136,134,144 bytes free

- - End Of File - - F11C82F1D2617322F5E1807A7183D1B3

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Fri 15 Oct 2010, 10:22 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Fri 15 Oct 2010, 10:51 am

I tried uninstalling ComboFix the way you said but a message popped up saying the application was not found or something. Then McAfee (which I had turned back on after running ComboFix) popped up saying a trojan was removed and it turned out to be the Combo-Fix.exe file on the desktop. Does that mean it was uninstalled by McAfee or do I still need to find a way to uninstall it...?

I'm running the ESET scan now. Thanks again for all the help!

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Fri 15 Oct 2010, 2:46 pm

I tried to run the ESET Online Scanner 4 times but it keeps getting stuck on files in the My Documents folder, for some reason. The timer keeps moving but it just stays stuck on a single file. Is that normal? The first 2 times it got stuck on really small PDF files, the 3rd time on a file called dotnetfx.exe, and the last time on one called desktop.ini. I even tried moving those files out of the My Documents folder into a new folder on the desktop but it would just get stuck on another file inside that folder.

The first scan did yield 2 threats before I stopped it after it seemed to go on forever, so I'm posting the log for that 1st incomplete scan (only got to 23%) below. Is there something else I can do or some other scanner I should use?

------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d1d538a8bd96bb489eec25a55f515d01
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-15 12:47:54
# local_time=2010-10-14 08:47:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 75 346786 14840190 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=30196
# found=2
# cleaned=2
# scan_time=2776
C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\personas@christopher.beard\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d1d538a8bd96bb489eec25a55f515d01
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-15 01:19:43
# local_time=2010-10-14 09:19:43 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777189 100 75 349719 14843123 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=30198
# found=0
# cleaned=0
# scan_time=1749

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Fri 15 Oct 2010, 5:05 pm

After moving all the files in the My Documents folder into a new folder and making that folder be scanned last, the scan managed to get to 46% but got stuck again when it got to that PDF file (it weirds me out because it's such a small file! Only 154 kb, it says!). This time it found 4 more items.

-------------------

esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d1d538a8bd96bb489eec25a55f515d01
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-15 05:48:44
# local_time=2010-10-15 01:48:44 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 75 361376 14854780 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=90470
# found=4
# cleaned=4
# scan_time=6236
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP418\A0066753.exe a variant of Win32/Kryptik.GYB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP419\A0066817.exe Win32/TrojanDownloader.Agent.QGR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP422\A0067458.exe a variant of Win32/Kryptik.HAK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP425\A0068477.exe a variant of Win32/Kryptik.HBB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista
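The two ESET Online Scanner logs posted above share one layout: a block of `# key=value` header lines per run, followed by one line per detection (`path`, threat name, action in parentheses, a 32-digit hex field and a flag), with several runs appended to the same file when the scan is restarted. When such a log is pasted into a forum, long detection lines get wrapped, as the Kryptik entries were, and the header's `found=` count no longer matches the lines that can be read. The following is an added example, not code from the thread or from ESET: a Python parser for that layout that splits the file into runs, keeps unparseable lines as notes, marks detections that live in System Restore copies (the `System Volume Information\_restore` paths above, which is why the ComboFix uninstall step resets restore points), and reports when a run was stopped early or its `found` count disagrees with the detection lines. The sample log is constructed from the lines posted in this thread with the user name and restore-point GUID replaced by placeholders, and it deliberately includes one wrapped detection to show the mismatch check.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the ESET Online Scanner log layout pasted in this thread: two
# runs in one file, the second containing a detection line wrapped onto two lines.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=stopped
# scanned=30196
# found=2
# cleaned=2
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abc.default\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abc.default\extensions\personas@christopher.beard\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=stopped
# scanned=90470
# found=2
# cleaned=2
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP418\A0066753.exe a variant of Win32/Kryptik.GYB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP419\A0066817.exe
Win32/TrojanDownloader.Agent.QGR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# One detection line: <path> <threat> (<action>) <32 hex digits> <flag>. The path may
# contain spaces, so it may only end where a threat name ("Win32/...", optionally
# prefixed with "a variant of") begins.
_DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:a variant of )?\S+/\S+.*?) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hexfield>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    hexfield: str  # kept verbatim; all zeros in the logs posted in this thread
    flag: str

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies of old binaries; an uncleaned copy comes back
        # with a restore, which is why the thread's cleanup resets restore points.
        return "\\system volume information\\_restore" in self.path.lower()


@dataclass
class ScanRun:
    header: Dict[str, str] = field(default_factory=dict)  # first value wins for repeated keys
    detections: List[Detection] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)        # anything else, e.g. wrapped fragments

    def count(self, key: str) -> Optional[int]:
        v = self.header.get(key)
        return int(v) if v is not None and v.isdigit() else None


@dataclass
class ScanLog:
    preamble: List[str] = field(default_factory=list)  # lines before the first run
    runs: List[ScanRun] = field(default_factory=list)


def parse_eset_log(text: str) -> ScanLog:
    """Split a pasted log into runs; every "# version=" line starts a new run."""
    log = ScanLog()
    current: Optional[ScanRun] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            if key == "version" or current is None:
                current = ScanRun()
                log.runs.append(current)
            current.header.setdefault(key, value)
            continue
        if current is None:
            log.preamble.append(line)
            continue
        m = _DETECTION_RE.match(line)
        if m:
            current.detections.append(Detection(**m.groupdict()))
        else:
            current.notes.append(line)
    return log


def check_run(run: ScanRun) -> List[str]:
    """Problems a reader should know about before trusting the run's numbers."""
    problems = []
    found = run.count("found")
    if found is not None and found != len(run.detections):
        problems.append(f"header says found={found} but {len(run.detections)} detection "
                        f"line(s) parsed; check notes for wrapped or truncated lines")
    if run.header.get("end") == "stopped":
        problems.append("scan was stopped early; only files scanned so far are covered")
    return problems
```

On the sample, the first run parses cleanly and is only flagged as stopped early; the second run is flagged twice, because its header says `found=2` while only the intact Kryptik line can be parsed, and the two halves of the wrapped line land in `notes` where a reader can rejoin them by hand.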

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Sat 16 Oct 2010, 9:54 am

Okay good, how is the machine running now?


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Sat 16 Oct 2010, 10:59 am

The computer seemed to be running about the same as always (it's always been kind of slow). Does that mean it's okay now, even if it only went to 46%...? I noticed it scanned the C drive alphabetically, so what I did was put all the files in the My Documents folder that weren't a text file in a new folder and named it something starting with Z so it would be scanned last (so it scanned Program Files, Windows, and all those other folders, as far as I know). Is there any way to be sure it got all of them or that they won't return?

Also, the thing where Firefox says it prevented the page from automatically redirecting somewhere else and gives an option to Allow the redirect still pops up when I try to visit GeekPolice and yet that doesn't happen with our other computers that use Firefox. Is that related to that at all...?

Thanks again!

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Sun 17 Oct 2010, 10:59 am

Hello.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Sun 17 Oct 2010, 11:11 am

GooredFix by jpshortstuff (03.07.10.1)
Log created at 20:08 on 16/10/2010 (Wilfredo)
Firefox version 3.6.10 (en-US)

========== GooredScan ==========

Removing Orphan:
"m3ffxtbr@mywebsearch.com"="C:\Program Files\MyWebSearch\bar\firefox" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:20 10/10/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [00:58 10/10/2010]

C:\Documents and Settings\Wilfredo\Application Data\Mozilla\Firefox\Profiles\hss5gmpj.default\extensions\
[You must be registered and logged in to see this link.] [13:21 02/10/2010]
[You must be registered and logged in to see this link.] [20:49 06/03/2010]
[You must be registered and logged in to see this link.] [18:57 26/09/2010]
[You must be registered and logged in to see this link.] [23:18 22/09/2010]
[You must be registered and logged in to see this link.] [05:16 08/03/2009]
[You must be registered and logged in to see this link.] [00:39 26/02/2010]
[You must be registered and logged in to see this link.] [19:58 12/09/2010]
radiobar@toolbar [22:25 07/03/2010]
{0b457cAA-602d-484a-8fe7-c1d894a011ba} [18:57 26/09/2010]
{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [17:21 31/12/2009]
{1f91cde0-c040-11da-a94d-0800200c9a66} [18:57 26/09/2010]
{20a82645-c095-46ed-80e3-08825760534b} [22:23 29/04/2010]
{285da7e0-729d-11db-9fe1-0800200c9a66} [14:07 12/12/2009]
{340c2bbc-ce74-4362-90b5-7c26312808ef} [23:08 06/10/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [21:27 05/07/2010]
{6e73f6b7-b9ab-44b8-b744-6393e3c2e351} [18:57 26/09/2010]
{73a6fe31-595d-460b-a920-fcc0f8843232} [00:43 10/10/2010]
{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} [00:39 26/02/2010]
{BF32D2C8-9C75-404b-ACF4-880DB4679236} [02:10 20/01/2010]
{ca0849e8-2c76-42ae-9abe-34e14d337acf} [20:34 15/08/2010]
{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} [18:18 12/10/2008]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [23:19 18/08/2010]
{d84a846d-f7cb-4187-a408-b171020e8940} [00:50 04/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [04:48 15/08/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [23:44 09/10/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:57 10/10/2010]

-=E.O.F=-

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Agustina on Tue 19 Oct 2010, 3:07 pm

Bump?

Agustina

Newbie Surfer

Posts : 36
Joined : 2009-09-20
Operating System : Vista

Re: Trojan.Agent, Hijack.Shell, & Hijack.SearchPage

Post by Belahzur on Wed 20 Oct 2010, 10:26 am

Hello.

Download MBRCheck to your desktop.

  • Double-click MBRCheck.exe to run (Vista and Windows 7 users, right-click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop.
  • Open this report and post its content in your next reply.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
