PUM.Hijack.StartMenu


  • This topic is locked

#1
Levan

    Member
  • 35 posts

Hi,

I was surfing the internet, clicked on a link from Google, and it didn't go to the address listed in the search. I started Task Manager and closed Firefox as multiple popups appeared, along with a dialog box saying I was infected with spyware.

Ran a quick scan with Panda online, it found nothing. Updated MBAM, ran a quick scan, and it found this:

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I've tweaked my start menu in the past, but don't ever remember changing anything as far as displaying the option to log off.

MBAM asked for a reboot to clean it. I'll post the log below.

Had an old version of OTL on my desktop. Downloaded the latest version, choosing the option to replace the old version with the new. I'll post the log below.

No other symptoms so far, but unless I tasked out of FF just in time, I should have gotten hit with something, and ESET Smart Security didn't say it blocked anything.

Please let me know what I need to do next. Thanks.

_ _ _ _ _

MBAM LOG

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5491

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/9/2011 8:59:48 PM
mbam-log-2011-01-09 (20-59-48).txt

Scan type: Quick scan
Objects scanned: 139971
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_ _ _ _ _

OTL LOG


OTL logfile created on: 1/9/2011 10:27:58 PM - Run 2
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\default\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 249.00 Mb Available Physical Memory | 49.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 4.47 Gb Free Space | 12.01% Space Free | Partition Type: FAT32
Drive F: | 232.88 Gb Total Space | 53.98 Gb Free Space | 23.18% Space Free | Partition Type: NTFS
Drive V: | 111.75 Gb Total Space | 32.55 Gb Free Space | 29.13% Space Free | Partition Type: FAT32

Computer Name: C1384084-A | User Name: default | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/09 22:09:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\default\Desktop\OTL.exe
PRC - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/11/16 09:03:32 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/02/06 14:09:16 | 001,263,872 | ---- | M] (Matrox Graphics Inc.) -- C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
PRC - [2009/02/06 14:08:32 | 004,223,232 | ---- | M] (Matrox Graphics Inc.) -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
PRC - [2009/02/06 14:08:28 | 000,344,832 | ---- | M] (Matrox Graphics Inc) -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
PRC - [2009/02/06 14:08:26 | 000,210,688 | ---- | M] () -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.DesktopManagement.Host.exe
PRC - [2008/04/13 19:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/13 15:02:32 | 000,156,976 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2007/07/13 15:01:40 | 000,169,264 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
PRC - [2007/04/04 08:48:42 | 000,087,560 | ---- | M] (Matrox Graphics Inc.) -- C:\WINDOWS\SYSTEM32\mgabg.exe
PRC - [2003/07/25 11:15:50 | 000,536,576 | ---- | M] (-) -- C:\Program Files\Eraser\eraser.exe
PRC - [2002/08/14 19:48:28 | 000,167,936 | ---- | M] () -- C:\WINDOWS\SYSTEM32\pctspk.exe
PRC - [2002/07/17 02:03:00 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2002/06/12 09:46:04 | 000,025,088 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\SYSTEM32\devldr32.exe
PRC - [2002/01/29 13:33:14 | 000,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [1998/08/26 15:16:14 | 000,063,488 | ---- | M] () -- C:\SUPERFAX\PROGRAM\PICPMON.EXE


========== Modules (SafeList) ==========

MOD - [2011/01/09 22:09:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\default\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/02/06 14:01:18 | 001,486,336 | ---- | M] (Matrox Graphics Inc.) -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk.Hooks.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/11/16 09:12:54 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/02/06 14:09:16 | 001,263,872 | ---- | M] (Matrox Graphics Inc.) [Auto | Running] -- C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe -- (Matrox Centering Service)
SRV - [2009/02/06 14:08:28 | 000,344,832 | ---- | M] (Matrox Graphics Inc) [Auto | Running] -- C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe -- (Matrox.Pdesk.ServicesHost)
SRV - [2007/07/13 15:02:32 | 000,156,976 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2007/04/04 08:48:42 | 000,087,560 | ---- | M] (Matrox Graphics Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\mgabg.exe -- (MGABGEXE)
SRV - [2005/04/19 18:05:26 | 001,210,112 | ---- | M] (Zone Labs, LLC) [On_Demand | Stopped] -- C:\WINDOWS\System32\ZONELABS\vsmon.exe -- (vsmon)
SRV - [2002/08/14 19:48:28 | 000,167,936 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\pctspk.exe -- (Pctspk)
SRV - [2002/07/17 02:03:00 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2)
SRV - [2002/01/29 13:33:14 | 000,077,824 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [1998/08/26 15:16:14 | 000,063,488 | ---- | M] () [Auto | Running] -- C:\SUPERFAX\PROGRAM\PICPMON.EXE -- (Pacific Image Comm. Fax Server)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\Pcouffin.sys -- (Pcouffin)
DRV - [2010/05/28 07:04:52 | 000,014,896 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\psi_mf.sys -- (PSI)
DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/11/16 09:06:48 | 000,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfwtdi.sys -- (epfwtdi)
DRV - [2009/11/16 09:06:44 | 000,135,048 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfw.sys -- (epfw)
DRV - [2009/11/16 09:03:36 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ehdrv.sys -- (ehdrv)
DRV - [2009/11/16 08:56:12 | 000,116,520 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\eamon.sys -- (eamon)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/19 08:10:40 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfwndis.sys -- (Epfwndis)
DRV - [2009/02/06 13:19:52 | 000,350,592 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\g400dhm.sys -- (G400DH)
DRV - [2008/04/13 13:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 13:53:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nmnt.sys -- (nm)
DRV - [2008/04/13 13:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2007/05/03 13:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mxopswd.sys -- (MXOPSWD)
DRV - [2006/08/24 13:44:14 | 000,477,696 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ZD1211BU.sys -- (ZD1211BU(ZyDAS)) ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/04/19 18:05:14 | 000,279,880 | ---- | M] (Zone Labs, LLC) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\vsdatant.sys -- (vsdatant)
DRV - [2004/08/04 01:29:26 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/05/16 20:46:16 | 000,347,648 | R--- | M] ( ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\WlanUIG.sys -- (WlanUIG)
DRV - [2004/04/13 19:20:08 | 000,015,781 | R--- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2003/08/01 14:57:54 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys -- (pfc)
DRV - [2003/06/24 11:55:40 | 000,005,337 | ---- | M] (ALi Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\AliRtHub.sys -- (aliroothub)
DRV - [2003/06/24 11:47:06 | 000,104,088 | ---- | M] (ALi Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\AliEhci.sys -- (ALIEHCD)
DRV - [2003/03/31 12:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/03/31 12:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2003/02/03 11:09:16 | 000,013,312 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys -- (PCDCODEC)
DRV - [2003/02/03 11:09:02 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys -- (MVDCODEC)
DRV - [2003/02/03 11:08:48 | 000,102,400 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys -- (atinrvxx)
DRV - [2003/02/03 11:07:56 | 000,061,440 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys -- (ATIXSAudio)
DRV - [2003/02/03 11:07:14 | 000,050,176 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys -- (ativraxx)
DRV - [2003/02/03 11:05:08 | 000,037,888 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys -- (ATITUNEP)
DRV - [2002/08/28 22:59:12 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\an983.sys -- (AN983)
DRV - [2002/08/15 11:16:52 | 000,139,073 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ptserial.sys -- (Ptserial)
DRV - [2002/08/15 11:16:20 | 000,065,343 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vvoice.sys -- (Vvoice)
DRV - [2002/08/15 11:15:42 | 000,696,462 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vmodem.sys -- (Vmodem)
DRV - [2002/08/15 11:14:46 | 000,551,819 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vpctcom.sys -- (Vpctcom)
DRV - [2002/06/12 09:46:06 | 000,284,288 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2002/06/12 09:46:06 | 000,036,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2002/06/12 09:46:04 | 000,007,424 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2002/01/07 16:28:48 | 000,010,761 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\x10uif.sys -- (X10UIF)
DRV - [2001/10/24 18:16:10 | 000,036,224 | R--- | M] (LinkSys Group Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lne100v5.sys -- (LNE100) Linksys LNE100TX(v5)
DRV - [2001/09/28 13:13:30 | 000,324,747 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\g550dhm.sys -- (G550DH)
DRV - [2001/08/17 13:28:14 | 000,112,574 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ptserlp.sys -- (Ptserlp)
DRV - [2001/08/17 12:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctljystk.sys -- (ctljystk)
DRV - [2001/03/08 13:22:16 | 000,005,500 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mgabg.sys -- (mgabg)
DRV - [2000/04/17 18:32:38 | 000,005,533 | R--- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\UtilNt.sys -- (UtilNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/04 20:28:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/04 20:28:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/11/27 19:28:08 | 000,000,000 | ---D | M]

[2010/07/04 20:30:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\default\Application Data\Mozilla\Extensions
[2010/08/12 02:04:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\clqzvq0o.Default User 3\extensions
[2010/09/14 20:18:38 | 000,000,000 | ---D | M] ("BetterPrivacy") -- C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\clqzvq0o.Default User 3\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/07/04 20:28:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/08 20:51:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/11/03 21:54:52 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[1999/12/31 16:00:00 | 000,167,704 | ---- | M] (Tracker Software Products Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll

O1 HOSTS File: ([2010/06/25 07:00:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM\dla\tfswshx.dll (Sonic Solutions)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe (Matrox Graphics Inc.)
O4 - HKLM..\Run: [Matrox PowerDesk SE] C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe (Matrox Graphics Inc.)
O4 - HKLM..\Run: [MpsOnn] C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\MPSONN.EXE (CANON INC.)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - HKCU..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe (-)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\SYSTEM32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akama...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1259480903199 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...7931.8402083333 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.syste...el_4.1.66.0.cab (SysInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30155.www3.h.../qdiagh.cab?326 (QDiagHUpdateObj Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\SYSTEM\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Win32 Classes Reg Error: Key error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Waves.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Waves.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/11/06 22:39:28 | 000,000,500 | -HS- | M] () - C:\AUTOEXEC.BAK -- [ FAT32 ]
O32 - AutoRun File - [2003/11/06 22:39:28 | 000,000,483 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2000/06/19 14:16:22 | 000,000,079 | -HS- | M] () - C:\AUTOEXEC.DOS -- [ FAT32 ]
O32 - AutoRun File - [2001/01/27 14:19:38 | 000,000,231 | -H-- | M] () - C:\AUTOEXEC.001 -- [ FAT32 ]
O33 - MountPoints2\{50d667f0-bce6-11de-8b47-0060b35a71a8}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/09 19:52:40 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2011/01/08 21:27:23 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2005/05/30 22:21:12 | 000,347,648 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\WlanUIG.sys
[2002/06/05 05:44:11 | 000,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\A3D.DLL
[1998/12/09 02:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/09 02:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/09 02:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/09 02:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/09 02:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/09 02:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/09 22:09:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\default\Desktop\OTL.exe
[2011/01/09 21:03:00 | 000,013,728 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/09 21:03:00 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/01/09 21:02:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/09 21:02:32 | 536,203,264 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/09 20:57:30 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/01/09 05:49:24 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/08 21:36:32 | 000,474,714 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/08 21:36:32 | 000,076,842 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/08 20:13:50 | 000,477,944 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/01/08 20:02:44 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/31 20:48:20 | 000,204,800 | ---- | M] () -- C:\Documents and Settings\default\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/27 20:06:56 | 000,000,282 | ---- | M] () -- C:\WINDOWS\HPQCOPY.INI
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/12 03:02:06 | 000,249,652 | ---- | M] () -- C:\Documents and Settings\default\Desktop\UCSD pdf.pdf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/12 03:02:43 | 000,249,652 | ---- | C] () -- C:\Documents and Settings\default\Desktop\UCSD pdf.pdf
[2010/07/20 18:31:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\510A111a.INI
[2010/07/03 23:49:40 | 000,000,395 | ---- | C] () -- C:\Program Files\Aborted-install-spruceup.log
[2010/01/07 00:48:01 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\default\Application Data\PUTTY.RND
[2009/12/21 21:39:26 | 000,000,088 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2009/04/30 17:38:52 | 000,000,208 | ---- | C] () -- C:\WINDOWS\MPASS.INI
[2004/10/10 20:48:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/10/10 20:42:39 | 000,005,120 | R--- | C] () -- C:\WINDOWS\System32\HWDll.dll
[2004/05/04 19:15:50 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2004/05/04 19:15:36 | 000,026,282 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2004/05/04 19:15:29 | 000,269,312 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL
[2004/05/04 19:15:29 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32P.DLL
[2004/05/04 19:15:29 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL
[2004/05/04 19:15:17 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\WELSOF32.DLL
[2004/04/05 08:11:37 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2004/02/23 00:45:25 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\IMregexp.dll
[2004/02/23 00:44:28 | 000,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6g.dll
[2003/11/15 22:14:17 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2003/11/08 21:29:37 | 000,165,888 | ---- | C] () -- C:\WINDOWS\System32\hpgt53.dll
[2003/11/08 21:18:37 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EEBAPI.dll
[2003/11/08 21:18:37 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\EEBDSCVR.dll
[2003/11/08 21:18:37 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\EBAPI.dll
[2003/11/07 00:11:21 | 000,000,351 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/07 00:00:10 | 000,003,878 | ---- | C] () -- C:\WINDOWS\VTruck1.ini
[2003/11/07 00:00:10 | 000,003,369 | ---- | C] () -- C:\WINDOWS\VTruck2.ini
[2003/11/07 00:00:10 | 000,001,794 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/11/07 00:00:10 | 000,001,010 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2003/11/07 00:00:10 | 000,000,391 | ---- | C] () -- C:\WINDOWS\VSTUDIO.INI
[2003/11/07 00:00:10 | 000,000,350 | ---- | C] () -- C:\WINDOWS\CDMaster.ini
[2003/11/07 00:00:10 | 000,000,310 | ---- | C] () -- C:\WINDOWS\net2fone.ini
[2003/11/07 00:00:10 | 000,000,282 | ---- | C] () -- C:\WINDOWS\HPQCOPY.INI
[2003/11/07 00:00:10 | 000,000,273 | ---- | C] () -- C:\WINDOWS\vidwiz.ini
[2003/11/07 00:00:10 | 000,000,199 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2003/11/07 00:00:10 | 000,000,191 | ---- | C] () -- C:\WINDOWS\ctsyn.ini
[2003/11/07 00:00:10 | 000,000,127 | ---- | C] () -- C:\WINDOWS\LSXMPEG2.INI
[2003/11/07 00:00:10 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/11/07 00:00:10 | 000,000,104 | ---- | C] () -- C:\WINDOWS\jiaompg.ini
[2003/11/07 00:00:10 | 000,000,067 | ---- | C] () -- C:\WINDOWS\athenatm.ini
[2003/11/07 00:00:10 | 000,000,059 | ---- | C] () -- C:\WINDOWS\PestPatrol.ini
[2003/11/07 00:00:10 | 000,000,047 | ---- | C] () -- C:\WINDOWS\EPSP960.ini
[2003/11/07 00:00:10 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2003/11/07 00:00:10 | 000,000,026 | ---- | C] () -- C:\WINDOWS\dswplug.ini
[2003/11/07 00:00:10 | 000,000,024 | ---- | C] () -- C:\WINDOWS\SwDrvs.ini
[2003/11/07 00:00:10 | 000,000,012 | ---- | C] () -- C:\WINDOWS\LSXDEMO.INI
[2003/11/07 00:00:10 | 000,000,011 | ---- | C] () -- C:\WINDOWS\Msdevctl.ini
[2003/11/07 00:00:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\progman.ini
[2003/11/07 00:00:09 | 000,012,484 | ---- | C] () -- C:\WINDOWS\IOS.INI
[2003/11/07 00:00:09 | 000,007,885 | ---- | C] () -- C:\WINDOWS\NETDET.INI
[2003/11/07 00:00:09 | 000,005,068 | ---- | C] () -- C:\WINDOWS\DELETEFI.INI
[2003/11/07 00:00:09 | 000,003,598 | ---- | C] () -- C:\WINDOWS\HTMLHELP.INI
[2003/11/07 00:00:09 | 000,002,180 | ---- | C] () -- C:\WINDOWS\FONTSMRT.INI
[2003/11/07 00:00:09 | 000,001,100 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/07 00:00:09 | 000,000,934 | ---- | C] () -- C:\WINDOWS\MRUN32.INI
[2003/11/07 00:00:09 | 000,000,787 | ---- | C] () -- C:\WINDOWS\SCANREG.INI
[2003/11/07 00:00:09 | 000,000,562 | ---- | C] () -- C:\WINDOWS\TAPE.INI
[2003/11/07 00:00:09 | 000,000,340 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2003/11/07 00:00:09 | 000,000,226 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/11/07 00:00:09 | 000,000,225 | ---- | C] () -- C:\WINDOWS\TELEPHON.INI
[2003/11/07 00:00:09 | 000,000,167 | ---- | C] () -- C:\WINDOWS\CTREC.INI
[2003/11/07 00:00:09 | 000,000,126 | ---- | C] () -- C:\WINDOWS\CTSYNWDM.INI
[2003/11/07 00:00:09 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2003/11/07 00:00:09 | 000,000,060 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI
[2003/11/07 00:00:09 | 000,000,054 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2003/11/07 00:00:09 | 000,000,049 | ---- | C] () -- C:\WINDOWS\SMInfom.ini
[2003/11/07 00:00:09 | 000,000,044 | ---- | C] () -- C:\WINDOWS\BD40.INI
[2003/11/07 00:00:09 | 000,000,026 | ---- | C] () -- C:\WINDOWS\MSOFFICE.INI
[2003/11/07 00:00:09 | 000,000,015 | ---- | C] () -- C:\WINDOWS\wgedit.ini
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\UMP.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PCFRIEND.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPID.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DDM.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CTDiskID.INI
[2003/11/07 00:00:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2003/11/06 23:42:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/11/06 23:25:26 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/11/03 03:32:21 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2003/03/23 20:35:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/11/18 23:26:07 | 000,000,546 | ---- | C] () -- C:\Documents and Settings\default\Application Data\QuickBooks Templates.lnk
[2002/05/24 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2002/05/24 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2002/04/11 11:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
[2002/02/27 17:50:00 | 000,197,120 | ---- | C] () -- C:\WINDOWS\System32\patchw32.dll
[2002/02/13 19:13:28 | 000,002,431 | ---- | C] () -- C:\Documents and Settings\default\Application Data\dw.log
[2001/09/06 15:10:43 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2001/08/14 11:47:08 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll
[2001/07/23 18:59:45 | 000,204,800 | ---- | C] () -- C:\Documents and Settings\default\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2001/07/23 18:58:06 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\icmfilter.dll
[2001/03/30 22:14:57 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\ntvideo.dll
[2001/03/30 22:14:57 | 000,211,456 | ---- | C] () -- C:\WINDOWS\System32\ntsound.dll
[2001/03/30 22:14:57 | 000,155,136 | ---- | C] () -- C:\WINDOWS\System32\jiaocd.dll
[2001/03/30 22:14:57 | 000,122,368 | ---- | C] () -- C:\WINDOWS\System32\jiaompeg.dll
[2001/03/30 22:14:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\System32\cddriver.dll
[2001/02/25 22:07:35 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\cdtool.dll
[2001/02/13 23:06:42 | 000,007,808 | ---- | C] () -- C:\WINDOWS\System32\dc240u.sys
[2001/02/13 23:06:40 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\SoyWeb.dll
[2001/02/13 23:06:40 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\ImgLibLead.dll
[2001/01/30 11:20:54 | 000,001,439 | ---- | C] () -- C:\Program Files\GUIDE PLUS+™ System (2).lnk
[2001/01/28 20:59:37 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\lffpx90n.dll
[2001/01/28 20:52:28 | 000,006,724 | ---- | C] () -- C:\WINDOWS\ATM.INI
[2001/01/28 20:51:39 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\Dc50ip32.dll
[2001/01/28 20:51:39 | 000,065,864 | ---- | C] () -- C:\WINDOWS\System32\Digita.sys
[2001/01/28 17:58:54 | 000,000,516 | ---- | C] () -- C:\Program Files\Acrobat Reader 4.0.lnk
[2001/01/21 00:30:13 | 000,001,439 | ---- | C] () -- C:\Program Files\GUIDE PLUS+™ System.lnk
[2001/01/08 15:46:19 | 000,000,594 | ---- | C] () -- C:\Program Files\Launch DellNet by MSN.lnk
[2001/01/08 15:43:28 | 000,000,444 | ---- | C] () -- C:\Program Files\Send and Receive a Fax.lnk
[2001/01/08 15:43:28 | 000,000,388 | ---- | C] () -- C:\Program Files\PhoneTools.lnk
[2001/01/08 15:43:24 | 000,057,344 | ---- | C] () -- C:\WINDOWS\uninstBVRP.dll
[2001/01/08 15:42:21 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\AltApi.dll
[2001/01/08 15:42:20 | 000,167,456 | ---- | C] () -- C:\WINDOWS\System32\bocof.dll
[1999/01/22 18:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/08/16 06:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1998/01/12 08:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1995/07/31 21:15:18 | 000,000,057 | ---- | C] () -- C:\WINDOWS\FAX.INI
[1980/01/01 00:00:00 | 000,023,357 | -H-- | C] () -- C:\Program Files\FOLDER.HTT
[1980/01/01 00:00:00 | 000,001,646 | ---- | C] () -- C:\WINDOWS\MSDOS.SYS
[1980/01/01 00:00:00 | 000,000,820 | ---- | C] () -- C:\Program Files\Dell Accessories.lnk

========== LOP Check ==========

[2003/11/06 23:56:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2003/11/06 23:56:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS
[2004/10/18 06:44:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/07/16 21:52:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/07/12 23:36:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Matrox Graphics Inc
[2009/07/12 23:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Matrox
[2009/10/19 14:40:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2009/11/27 19:28:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/07/03 00:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/03 22:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tracker Software
[2010/07/25 17:17:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2003/11/06 23:59:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Digidesign
[2003/11/06 23:59:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Xequte
[2003/11/06 23:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\VERITAS
[2003/12/01 17:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\InterVideo
[2004/09/22 22:31:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\ApplicationHistory
[2004/10/18 06:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Aim
[2006/07/16 21:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Yahoo
[2007/03/23 20:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\ImgBurn
[2007/03/24 17:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\RipIt4Me
[2007/04/02 19:54:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Matrox
[2007/12/16 23:16:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Leadertech
[2009/11/27 19:30:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\ESET
[2009/11/30 22:32:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\AMPSoft
[2010/05/19 00:44:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\OpenOffice.org
[2010/07/03 22:13:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\default\Application Data\Tracker Software
[2011/01/09 21:03:00 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



< End of report >
  • 0



#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hello Levan and welcome to G2G! :D

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within three days or your topic will be closed.

Step 1

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Complete scan sometimes takes up to 3 hours to finish so please be patient.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

Step 2

How is your system now? Any problems?

Step 3

Please don't forget to include these items in your reply:

  • Dr.Web log
It would be helpful if you could post each log in separate post
  • 0

#3
Levan

Levan

    Member

  • Member
  • PipPip
  • 35 posts
Hi maliprog,

This computer is old and slow (Pentium 3, 930 MHz, 512 RAM), and has a ton of files. I can usually get a full scan done with various AV in a few hours, but Dr. Web must be very thorough as it's taking considerably longer. The express scan alone took almost three hours to finish (nothing found so far).

I started the full scan two hours ago, and it's at maybe 5% complete, so it's going to take a day or two to finish at this rate and my cpu is at 95-100%.

Is it all right to keep my system pegged for that long?

Please let me know if I should keep the scan running, or if you'd like to try something else.

Thanks.
  • 0

#4
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi Levan,

OK, you can stop the scan now if nothing found so far. How is your system now? Any problems?
  • 0

#5
Levan

Levan

    Member

  • Member
  • PipPip
  • 35 posts
Hi maliprog,

Nothing found so far, so I'll stop the scan. No symptoms to report.
  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
OK. Nice to hear that. Please do one more scan with Malwarebytes and post log here for me.
  • 0

#7
Levan

Levan

    Member

  • Member
  • PipPip
  • 35 posts
Full scan or quick scan?
  • 0

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Quick scan will be fine.
  • 0

#9
Levan

Levan

    Member

  • Member
  • PipPip
  • 35 posts
Here ya go:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5491

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/14/2011 1:48:41 AM
mbam-log-2011-01-14 (01-48-41).txt

Scan type: Quick scan
Objects scanned: 140411
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi Levan,

Your system is clean now. We need to clean up your PC from the programs we used.

Step 1

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of software installed on your system.
  • 0


#11
Levan

Levan

    Member

  • Member
  • PipPip
  • 35 posts
Hi maliprog,

Actually, I may not be out of the woods yet. Dr. Web did wind up finding something, so I resumed the scan. It found a trojan in program files, and one in system volume info. It asked if I wanted to move the files to its quarantine folder, and I chose "yes".

And then this is really weird:

After Dr. Web finished the express scan, it created a log file. At some point during the full scan, it identified ITS OWN LOG FILE as a "Batch Virus". Huh?? How does an antivirus create its own virus?

The file in question is "CureIt.log", which is in the DoctorWeb folder along with its quarantine folder. The logfile itself isn't quarantined. I had a look at it after the express scan, and it's a list of like 50,000 files that it scanned.

Once the full scan completed, I saved the DrWeb.csv report and it's posted below.

What should I do now? I have the option of "Cure" "Rename" "Move" and "Delete". I haven't rebooted yet.


_ _ _ _ _



DrWeb csv:

RxUser.exe;C:\Program Files\Dell\Resolution Assistant\Common\bin;Trojan.Spambot.origin;Incurable.Moved.;
CureIt.log;C:\Documents and Settings\default\DoctorWeb;Probably BATCH.Virus;;
A0072144.exe;C:\System Volume Information\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\RP533;Trojan.Spambot.origin;Incurable.Moved.;
  • 0
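The DrWeb.csv lines above are a plain semicolon-separated record per finding. The following parser is an added example and not code from the thread or from Dr.Web: the field layout (file; directory; detection; action; trailing empty field) is inferred from the three posted lines, and "Probably" is Dr.Web's prefix for a heuristic, unconfirmed verdict. It separates the confirmed detections that Dr.Web actually moved to quarantine from the heuristic-only flag on CureIt.log, whose empty action field shows no action was taken on it, and marks copies sitting in System Restore snapshots under System Volume Information.

```python
"""Triage Dr.Web CureIt CSV report lines.

Added example, not part of the forum thread or Dr.Web. The format is
inferred from the three lines posted in the thread:
    file;directory;detection;action;
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the three DrWeb.csv lines posted in the thread.
SAMPLE_REPORT = """\
RxUser.exe;C:\\Program Files\\Dell\\Resolution Assistant\\Common\\bin;Trojan.Spambot.origin;Incurable.Moved.;
CureIt.log;C:\\Documents and Settings\\default\\DoctorWeb;Probably BATCH.Virus;;
A0072144.exe;C:\\System Volume Information\\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\\RP533;Trojan.Spambot.origin;Incurable.Moved.;
"""


@dataclass
class Finding:
    name: str
    directory: str
    detection: str
    action: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def heuristic(self) -> bool:
        # "Probably ..." marks a heuristic verdict rather than a signature match.
        return self.detection.startswith("Probably ")

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies of old files under _restore{GUID}\RPnnn;
        # a hit there is a snapshot of an earlier file, not a live one.
        return "\\system volume information\\_restore{" in self.directory.lower()

    @property
    def quarantined(self) -> bool:
        # The action field records what Dr.Web did; "Moved" means quarantined.
        return "Moved" in self.action


def parse_report(text: str) -> List[Finding]:
    """Split each non-empty report line into its first four fields."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {raw!r}")
        name, directory, detection, action = fields[:4]
        findings.append(Finding(name, directory, detection, action))
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by how much confidence and follow-up each one deserves."""
    summary: Dict[str, List[str]] = {
        "confirmed_quarantined": [],   # signature hit, already moved by Dr.Web
        "confirmed_unhandled": [],     # signature hit with no action recorded
        "heuristic_only": [],          # "Probably" verdict, needs a second opinion
        "restore_point_copies": [],    # lives in a System Restore snapshot
    }
    for f in findings:
        if f.in_restore_point:
            summary["restore_point_copies"].append(f.path)
        if f.heuristic:
            summary["heuristic_only"].append(f.path)
        elif f.quarantined:
            summary["confirmed_quarantined"].append(f.path)
        else:
            summary["confirmed_unhandled"].append(f.path)
    return summary


if __name__ == "__main__":
    for group, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{group}: {paths}")
```

Run against the posted lines, the two Trojan.Spambot.origin hits land in confirmed_quarantined (the second also in restore_point_copies), while CureIt.log is the only heuristic_only entry. That matches what the thread observes: the log was never quarantined, and a "Probably" verdict on a plain-text scan log that lists tens of thousands of file names is a heuristic flag to double-check rather than a confirmed infection.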

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi Levan,

You should have told me that you let Dr.Web finish the scan. These files are already moved by Dr.Web, but if it asks you what to do then select Cure, then Move file.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

Please test your system and let me know if there is problem.
  • 0

#13
Levan

Levan

    Member

  • Member
  • PipPip
  • 35 posts
Hi maliprog,

No symptoms to report. Can I erase the contents of Dr Web's quarantine folder? Also, the last run of OTL deleted my firefox profile (this also happens when running TFC). I made a backup of it on my desktop before we started so I could keep my bookmarks. Is it okay to restore the firefox profile once we're done cleaning?



OTL log:


All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: All Users
->Temp folder emptied: 95 bytes


User: default
->Temporary Internet Files folder emptied: 14372609 bytes
->Java cache emptied: 795797 bytes
->FireFox cache emptied: 57907441 bytes
->Flash cache emptied: 456 bytes

User: NetworkService
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 93390 bytes
Session Manager Temp folder emptied: 0 bytes
Session Manager Tmp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 70.00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: default
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: LocalService

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.20.1 log created on 01152011_024736

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\System32\SET81FC.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Edited by Levan, 15 January 2011 - 06:06 PM.

  • 0

#14
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi Levan,

Can you write down the location of your Firefox profile and post it here for me? Does this happen every time you run TFC?

Your system is clean now. I'm glad we fixed up your computer. We need to clean up your PC from the programs we used. You can also remove the Dr.Web quarantine folder.

Step 1

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of software installed on your system.
  • 0

#15
Levan

Levan

    Member

  • Member
  • PipPip
  • 35 posts
Hi maliprog,

Thanks so much for your help!

As for my firefox issue:

It's the first time I've noticed it from OTL. I suspect it has something to do with flushing temp files. It happens every time I run TFC. When I try to open firefox, I get the following error message:

"Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system."

However, task manager does not show firefox as already running, and rebooting does not correct the problem. Internet Explorer still works, so it isn't an internet connection problem.

My firefox profile folder is located here:

C: Documents and settings > Default > Application Data (hidden folder) > Mozilla > Firefox > Profiles

After running TFC, the profiles folder is empty (it should contain a randomly named user profile folder). I can create a new one by going to Start > Run, and typing in "firefox.exe -ProfileManager", but then I'm starting from scratch and all of my bookmarks are gone. If I backup my old profile before cleaning, I can copy that folder back into the firefox profiles folder, and firefox will now open with all my old bookmarks intact.

I just restored my profile, and opened firefox. Everything was fine. I ran TFC again, and reproduced the same problem: Firefox will not open, gives me the error message above, and the firefox profiles folder is empty again.

This only happens on my desktop, which runs XP Pro. I'm able to run TFC with no firefox issues on my vista laptop.
  • 0
