Forum Home |  MWR University |  New to the Board? |  IRC Chatroom |  Who Runs This Site? |  ASAP Members |  Microsoft MVP Members |  Downloads |  Good & Bad P2P Programs |  Our Rules

MalWare Removal Forum

Malware Removal University - Teaching people how to support those with infected computers - Teaching them to never give up untill your computer is clean and secure.

Tutorials (etc.) : Boot to Safe Mode - Safely - What to do if your Computer's running slowly
It is currently Sun 19 May, 2013 4:06 am

View unanswered posts | View active topics


Board index » Malware Removal » Malware Removal

All times are UTC [ DST ]

Forum rules


Please read > >THIS ANNOUNCEMENT< < before posting your NEW topic about your problem.

Please do NOT reply to your topic until a staff member has responded as they are looking for topics that have ZERO replies.

Paste your logs into your post. DO NOT USE ATTACHMENTS! Logs posted as attachments will be ignored and the topic will be closed.

If no expert has replied after 3 days, and you still require assistance, please post in our 72 hour bump room > > CLICK HERE < < Please do NOT reply to your own topic in an attempt to "bump" it. Bumped topics will be closed, requiring you to start again from the beginning.

If you are being helped and you haven't replied to your helper within 3 days of their last post, your topic will be closed as inactive. If that happens, you will need to start a new topic when you have the time available to promptly complete all instructions.

If your topic has been closed due to inactivity, do NOT request that your topic be reopened - we do NOT reopen topics unless they have been closed in error - you will need to start a NEW topic with NEW DDS logs. Do NOT attempt to start a new topic with a post that is essentially a reply to your closed topic.



Post new topic This topic is locked, you cannot edit posts or make further replies.  Page 1 of 2
  [ 19 posts ]  Go to page 1, 2  Next
  Previous topic | First unread post | Next topic 
Author Message
rbd
 Post subject: Email hijacked
New postPosted: Fri 03 Feb, 2012 12:06 pm 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hello

A few months ago I had an issue with some virus found by my AV: it was associated with an application (already pre-installed on my laptop) wanting to automatically install a new version. I bought my laptop few years ago and never had any such issue.
Long story short, I removed that application and problem gone. Must have been a false positive, I thought.
Three days ago I found out that my email account had been hacked, with spam received by all my contacts. Quite a shock, as I keep my password safe.
I suspect the two things are related and wonder whether a keylogger or other malware is the cause. My AV finds nothing to report, but I appreciate some malware can go un-detected.
At times the start-up seems rather slow too, sometimes keeping the CPU busy for around a minute longer than usual.

Can you please help?
Attached below are my DDS & Attach reports, plus the MGA report to save us both some time in posting replies.

Thanks.

============================

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Administrator at 21:39:33 on 2012-02-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.154 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Alwil Software\Avast5\defs\12020202\Sf.bin
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.kookoa.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Preload] c:\windows\RUNXMLPL.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [eLockMonitor] c:\acer\empowering technology\elock\monitor\LaunchMonitor.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan ... stubie.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 http://www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\60vq4buk.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-11-17 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-1 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-2 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-2 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-20 44768]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.SYS [2007-5-14 508288]
.
=============== Created Last 30 ================
.
2012-01-31 19:20:42 -------- d-----w- c:\program files\Veetle
2012-01-29 18:44:25 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2012-01-29 12:56:31 215920 ----a-w- c:\windows\system32\muweb.dll
2012-01-29 12:56:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-01-29 12:56:30 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-01-29 11:45:08 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Microsoft Help
2012-01-26 22:50:02 -------- d-----w- c:\program files\Windows Media Connect 2
2012-01-26 22:47:19 -------- d-----w- c:\windows\system32\LogFiles
2012-01-21 19:02:45 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-01-21 12:27:49 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
.
==================== Find3M ====================
.
2011-12-02 19:00:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-10 05:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 03:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 21:43:15.49 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 26/09/2007 14:14:56
System Uptime: 02/02/2012 20:26:55 (1 hours ago)
.
Motherboard: Acer | | Dallen
Processor: Intel(R) Celeron(R) M CPU 520 @ 1.60GHz | U2E1 | 1599/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 35 GiB total, 18.572 GiB free.
D: is FIXED (FAT32) - 35 GiB total, 35.061 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP614: 26/01/2012 19:34:00 - System Checkpoint
RP615: 26/01/2012 22:45:36 - Software Distribution Service 3.0
RP616: 26/01/2012 23:49:54 - Software Distribution Service 3.0
RP617: 28/01/2012 15:37:22 - System Checkpoint
RP618: 29/01/2012 11:44:04 - Installed Microsoft Office Enterprise 2007
RP619: 29/01/2012 11:55:22 - Printer Driver Send To Microsoft OneNote Driver Installed
RP620: 29/01/2012 11:59:09 - Removed Spelling Dictionaries Support For Adobe Reader 8
RP621: 29/01/2012 18:21:18 - Software Distribution Service 3.0
RP622: 29/01/2012 18:24:52 - Software Distribution Service 3.0
RP623: 30/01/2012 20:40:02 - Removed Microsoft Office Enterprise 2007
RP624: 01/02/2012 22:20:55 - System Checkpoint
.
==== Installed Programs ======================
.
Acer eLock Management
Acer Empowering Technology
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer ScreenSaver
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
Adobe Shockwave Player 11.6
avast! Free Antivirus
Broadcom Gigabit Integrated Controller
BroadJump Client Foundation
CutePDF Writer 2.7
Filzip 3.06
getPlus(R)_ocx
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 30
Launch Manager
LightScribe 1.4.142.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 10.0 (x86 en-GB)
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NTI Shadow
Panda ActiveScan 2.0
PowerDVD
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Skype™ 4.2
Spybot - Search & Destroy
SpywareBlaster 4.5
swMSM
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Trust WB-1400T Webcam
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veetle TV
vShare Plugin
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
27/01/2012 08:30:56, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl
26/01/2012 22:50:41, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Media Player 11.
26/01/2012 16:51:55, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 0016D35CCC31 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================



Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-VW3P7-YHQQ6-C7RYM
Windows Product Key Hash: ZcgwvstIxQC+DhtQDO8/GmF+gus=
Windows Product ID: 76487-OEM-2211906-00100
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {B7AE6AF0-EB7E-46B2-84B6-C7F9954740A6}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{B7AE6AF0-EB7E-46B2-84B6-C7F9954740A6}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-C7RYM</PKey><PID>76487-OEM-2211906-00100</PID><PIDType>2</PIDType><SID>S-1-5-21-1808491901-1178147021-2521828933</SID><SYSTEM><Manufacturer>Acer </Manufacturer><Model>Extensa 5210 </Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>V1.03 </Version><SMBIOSVersion major="2" minor="4"/><Date>20070427000000.000000+000</Date><SLPBIOS>AcerSystem ,AcerSystem </SLPBIOS></BIOS><HWID>0F4F3E07018400DA</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Acer Inc.</name><model>AcerSystem</model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 16FC0:Acer Incorporated|8D74:HITACHI, Ltd|8D74:HITACHI, Ltd|8D74:HITACHI, Ltd
Marker string from OEMBIOS.DAT: AcerSystem ,AcerSystem

OEM Activation 2.0 Data-->
N/A

Top
 Profile E-mail  
 
pgmigg
 Post subject: Re: Email hijacked
New postPosted: Fri 03 Feb, 2012 4:25 pm 
Offline
MRU Honors Graduate
MRU Honors Graduate
User avatar

Joined: Tue 08 Jul, 2008 6:25 pm
Posts: 1677
Location: GMT-05:00
Hello rbd,

Welcome to the forum! :)

My name is pgmigg and I'll be helping you with any malware problems.

Currently I am working under the guidance of the MRU teachers and everything I post to you, must first be approved by them.
This additional review process can add some extra time to my responses, but I will post back with instructions for you as soon as possible.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights, permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!" :cheers:
    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your log and will return, as soon as possible, with additional instructions. In the meantime...
Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
lf you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.
_________________

Top
 Profile E-mail  
 
rbd
 Post subject: Re: Email hijacked
New postPosted: Fri 03 Feb, 2012 5:32 pm 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hi pgmigg,

Thanks for responding so quickly.

No problem for the additional time in receiving your replies.
I look forward to receiving your first instructions.

Thanks,

rbd

Top
 Profile E-mail  
 
pgmigg
 Post subject: Re: Email hijacked
New postPosted: Sat 04 Feb, 2012 8:05 pm 
Offline
MRU Honors Graduate
MRU Honors Graduate
User avatar

Joined: Tue 08 Jul, 2008 6:25 pm
Posts: 1677
Location: GMT-05:00
Hello rbd,

Thank you for your patience... :)

For safety reason (to have a good registry to restore if needed), I will ask you to create a System Restore Point (SRP) before most of my instructions sets...

Step 0.
Create a Restore Point

Because we are going to be making changes to your computer, it is advisable to create a new System Restore Point.
If you are not sure whether the System Restore feature is turned on and active, let's check, before we go any further.

Turn ON System Restore

If you know System Restore is ON and active, proceed to "Create a New System Restore Point." Otherwise...
  1. Click Start, then right-click My Computer, then click Properties from the menu.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Uncheck the Turn off System Restore check box, if checked.
  4. Click OK. After a few moments, the System Properties dialog box closes.
Note: If the System Restore function was NOT active by turning it ON, a restore point was automatically created.
You do not have perform the "Create a New System Restore Point" step.

Create a New System Restore Point.

  1. Click Start, select All Programs -> Accessories -> System Tools, then press System Restore.
  2. At the Welcome screen select Create a restore point and then press Next.
  3. In the description box, type a name to describe this restore point.
      System Restore automatically adds (to your description) the current date and time.
  4. Click Create to finish creating this restore point.
  5. Click Close to exit System Restore.
Unless you use some other method to create system restore points, it is advisable to leave this feature ON and active.

If you have successfully created a System Restore Point, we can proceed.
STOP! If you have NOT successfully created a System Restore Point... STOP! do not go any further!
Please post back so we can determine why it was unsuccessful.

Step 1.
Spybot S&D Teatimer

From your log i can see this that you are running a Spybot S&D Teatimer. This might interfere with fixes we are about to do so we need to disable it.

Disable Spybot's TeaTimer. This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new versions starting from 1.5, please click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Step 2.
Add/Remove Programs
I need you to uninstall some programs from your computer.
  1. Click Start -> Run.
  2. Copy and paste the value below, into the open text entry box:
    appwiz.cpl
  3. Click the OK. It takes a few seconds for the program list to be populated.
  4. Locate the following program(s):
    Java Auto Updater
    Java(TM) 6 Update 30
    vShare Plugin
  5. Press the "Remove" or "Change/Remove" button to uninstall the program.
    Carefully read any prompts...
    Some uninstallers prompt in a way to trick you into keeping the program, sometimes, preventing them from being uninstalled again!
    Don't worry if you can not find all programs from the list - some may not have an uninstall feature or may have been removed in previous steps.
  6. Repeat steps 4 - 5 for each program in the list.
  7. When finished, close/exit Add/Remove Programs.

Step 3.
OTL - Download
Please download OTL.exe by Old Timer and save it to your Desktop.

OTL Scan
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Double-click on OTL.exe to run it.
  2. Under Output, ensure that Standard Output is selected.
  3. Click the Scan All Users checkbox.
    Leave the remaining selections to the default settings.
  4. Click on Run Scan at the top left hand corner.
  5. When done, two Notepad files will open.
    • OTL.txt <-- Will be opened, maximized
    • Extras.txt <-- Will be minimized on task bar.
  6. Please post the contents of both OTL.txt and Extras.txt files in your next reply.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of OTL.txt log file
  3. Contents of Extras.txt log file
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg
_________________

Top
 Profile E-mail  
 
rbd
 Post subject: Re: Email hijacked
New postPosted: Sun 05 Feb, 2012 8:20 pm 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hello pgmigg,

Thanks for your instructions, which were easy to follow. :)

Before I go on, may I ask: should you find any malware on my laptop, I would really appreciate if you could please tell me (if it is possible to find it out, of course):
- when it got installed
- when it became active for the first time
It's quite important for me, to have an idea of when the hijacking of my email might have started and how.


In response to your requests:

A.Executing your instructions

Step 0: I created a RP without any problems.

Step 1: I disabled Spybot's TeaTimer. Note: I had no questions from my firewall, nor did any promtps come up when I un-ticked the TeaTimer box.

Step 2:
- Java Auto Updater was not present.
- Java 6 Update 30 removed. Note: during the process, after removal of Update 30 the removal window started removing Update 24 as well (I got this from the window's changed title). Strange, as this wasn't listed in the programs.
- vShare Plugin removed. Note: at the end IExplorer opened on a page saying "Sorry to see you going" (or something like this).
(NOTE: I forgot to reboot after Step 1. I realized it after Step 2 and did it then. A silly mistake, sorry! I hope it's not a problem. I'll be super-careful from now on) :oops:

Step 3: OTL Scan
Done with no problems.
(Note: when I run it, an Avast message asked me if I wanted to open it in a sandbox, but I chose to open it normally. Same happened 3-4 times when I used DDS. I'm reporting it just to let you know, in case it might affect future instructions)

B,C - OTL logs: pasted below.


D - Change in performance:
I've tried to be as active as I could, opening programs, opening web pages, restarting the system.
Overall, I couldn't appreciate any difference. No episodes of slow startup so far, although these had been happening occasionally.


Just a few questions after what I did.
1) I always use my laptop from a user account. I only use the Administrator account to install/update/remove programs. On the user account the TeaTimer is still on: is it ok or should I disable it from all user accounts too?
With Spybot TeaTimer disabled, is it still ok to use the Internet as I do normally or should I limit my usage in any way?
2) vShare: should I not have this in future? It allows me to watch some online TV streamings which would be impossible to watch otherwise.

=========================

OTL log
OTL logfile created on: 05/02/2012 17:47:29 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

502.11 Mb Total Physical Memory | 186.92 Mb Available Physical Memory | 37.23% Memory free
1.20 Gb Paging File | 0.91 Gb Available in Paging File | 75.81% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.56 Gb Total Space | 18.63 Gb Free Space | 53.89% Space Free | Partition Type: NTFS
Drive D: | 35.07 Gb Total Space | 35.06 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: ACER-47CBE8A5ED | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/05 17:40:07 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/11/28 18:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/11/28 18:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/16 03:07:22 | 000,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Administrator\Local Settings\Temp\RtkBtMnt.exe
PRC - [2007/06/14 20:40:04 | 000,850,704 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2007/05/24 11:18:06 | 000,475,136 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
PRC - [2007/03/21 20:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 20:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/03/02 10:25:08 | 000,208,896 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
PRC - [2007/03/01 17:21:52 | 000,024,576 | ---- | M] ( ) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
PRC - [2006/11/03 10:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\PixArt\PAC207\Monitor.exe
PRC - [2006/06/01 13:40:54 | 000,413,696 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/05 12:41:54 | 001,689,088 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\12020502\algo.dll
MOD - [2012/01/12 22:39:49 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_14988f0c\mscorlib.dll
MOD - [2012/01/12 22:39:44 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_c7e30332\system.drawing.dll
MOD - [2012/01/12 22:39:37 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_789cbe4a\system.xml.dll
MOD - [2012/01/12 22:39:31 | 003,035,136 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_02bdc9aa\system.windows.forms.dll
MOD - [2012/01/12 22:39:19 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_ab168611\system.dll
MOD - [2012/01/12 22:39:04 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2012/01/12 22:39:02 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
MOD - [2012/01/12 22:38:58 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2007/07/12 22:33:58 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
MOD - [2007/06/16 03:05:20 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2007/06/16 03:05:20 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2007/06/16 03:05:20 | 000,126,976 | ---- | M] () -- c:\windows\assembly\gac\system.serviceprocess\1.0.5000.0__b03f5f7f11d50a3a\system.serviceprocess.dll
MOD - [2007/06/16 03:05:18 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2007/06/14 20:40:06 | 000,057,344 | ---- | M] () -- C:\Program Files\Launch Manager\PowerUtl.dll
MOD - [2007/05/24 11:18:06 | 000,475,136 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
MOD - [2007/04/06 00:56:30 | 000,356,352 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\it41.dll
MOD - [2006/01/12 08:33:34 | 000,212,992 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\imagefile.dll
MOD - [2005/10/20 16:20:24 | 000,208,896 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\DialogDLL.dll
MOD - [2005/10/11 12:18:54 | 000,028,672 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\SysHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - [2011/11/28 18:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/03/21 20:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2007/03/01 17:21:52 | 000,024,576 | ---- | M] ( ) [Auto | Running] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)


========== Driver Services (SafeList) ==========

DRV - [2011/11/28 17:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 17:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 17:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 17:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 17:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/28 17:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/11/28 17:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2007/05/31 03:04:56 | 004,424,192 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/05/14 09:26:10 | 000,508,288 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PFC027.SYS -- (PAC207)
DRV - [2007/03/29 10:27:42 | 000,014,544 | ---- | M] (EnTech Taiwan) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\TVicPort.sys -- (tvicport)
DRV - [2007/03/29 10:27:40 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\int15.sys -- (int15)
DRV - [2007/03/29 10:27:40 | 000,006,080 | ---- | M] (Zeal SoftStudio) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zntport.sys -- (zntport)
DRV - [2007/02/16 22:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/01/24 21:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/12/22 18:56:44 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/22 18:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/22 18:55:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/10/12 22:28:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/01/13 13:46:16 | 000,069,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kookoa.org/
IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll File not found
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.19: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/02 21:18:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/30 20:48:01 | 000,000,000 | ---D | M]

[2011/04/13 16:48:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/12/24 14:22:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/02 21:18:39 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/08/31 10:38:58 | 000,082,944 | ---- | M] (vShare.tv ) -- C:\Program Files\mozilla firefox\plugins\npvsharetvplg.dll
[2010/01/01 08:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 08:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 08:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 08:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 08:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/02/01 22:36:02 | 000,442,583 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 http://www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 http://www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 http://www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 http://www.032439.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 http://www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 http://www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 http://www.10sek.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 http://www.123topsearch.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 http://www.132.com
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 http://www.136136.net
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 127.0.0.1 http://www.163ns.com
O1 - Hosts: 15212 more lines...
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O3 - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe (Acer Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe ()
O4 - HKLM..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe File not found
O4 - HKLM..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe ()
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Preload] C:\WINDOWS\RunXMLPL.exe (Wistron Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe (Acer Inc.)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/ ... ontrol.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://active.macromedia.com/director/cabs/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/ ... ontrol.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} http://download.microsoft.com/download/ ... ontrol.cab (Microsoft Genuine Advantage Self Support Tool)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan ... stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\ACERTX.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\ACERTX.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/05 17:39:53 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/02/05 16:36:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\CyberLink PowerDVD
[2012/02/02 21:57:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\PC security articles
[2012/02/02 17:26:46 | 002,654,048 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Administrator\Desktop\ccsetup315_slim.exe
[2012/01/31 19:20:42 | 000,000,000 | ---D | C] -- C:\Program Files\Veetle
[2012/01/29 18:44:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2012/01/29 12:56:30 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2012/01/29 12:56:30 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2012/01/29 11:45:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help
[2012/01/26 22:50:28 | 000,016,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2012/01/26 22:50:02 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2012/01/26 22:47:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2012/01/26 22:47:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2012/01/21 19:02:45 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2012/01/21 12:27:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
[2012/01/21 12:26:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2012/01/21 12:24:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2007/09/26 13:20:42 | 000,016,384 | ---- | C] ( ) -- C:\WINDOWS\System32\ClearEvent.exe
[2007/09/26 13:17:17 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.Shell32.dll
[2007/09/26 13:17:17 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\SysMonitor.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/05 17:40:07 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/02/05 17:24:06 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/05 17:23:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/05 17:23:29 | 526,569,472 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/05 16:18:54 | 000,000,041 | ---- | M] () -- C:\WINDOWS\Filzip.ini
[2012/02/04 21:26:38 | 000,157,738 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Instructions 1.pdf
[2012/02/04 16:14:42 | 000,230,432 | ---- | M] () -- C:\PA207.DAT
[2012/02/02 17:26:48 | 002,654,048 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Administrator\Desktop\ccsetup315_slim.exe
[2012/02/02 17:22:24 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2012/02/01 22:36:02 | 000,442,583 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/01/30 20:54:50 | 000,329,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/27 08:30:37 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/01/27 08:30:37 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/01/26 23:51:34 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/26 23:00:24 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/01/26 22:47:24 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/01/25 19:00:16 | 000,442,497 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120201-223602.backup
[2012/01/18 23:46:10 | 000,441,684 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120125-190016.backup
[2012/01/12 22:36:49 | 000,443,144 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/12 22:36:49 | 000,072,370 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/12 22:32:40 | 002,002,529 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2012/01/12 20:52:30 | 000,441,534 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120118-234609.backup
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/04 21:26:33 | 000,157,738 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Instructions 1.pdf
[2012/02/02 17:22:23 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2012/01/26 22:47:24 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2012/01/21 12:25:52 | 000,002,315 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/11/17 21:30:58 | 000,112,572 | ---- | C] () -- C:\WINDOWS\System32\Autorun.ini
[2011/04/13 16:47:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/19 18:45:05 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/09 15:45:00 | 000,000,466 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/13 13:35:15 | 000,000,736 | ---- | C] () -- C:\WINDOWS\DigimaxMaster.INI
[2010/03/28 17:20:39 | 000,589,824 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/03/28 17:20:39 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/03/28 17:20:39 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\vidccleaner.exe
[2010/02/24 21:17:38 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\Filzip.ini
[2009/09/12 15:31:46 | 000,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2009/05/02 13:29:35 | 000,000,056 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsidmv.dat
[2008/09/13 18:22:47 | 000,000,041 | ---- | C] () -- C:\WINDOWS\Filzip.ini
[2008/05/24 17:49:36 | 000,000,314 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2008/02/16 12:28:36 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/02/06 23:24:30 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/02/06 23:24:30 | 000,003,460 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/11/24 13:10:00 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2007/11/04 15:48:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/03 13:46:05 | 000,663,552 | ---- | C] () -- C:\WINDOWS\System32\libeay32_1-1-0_DDR.dll
[2007/11/03 13:46:05 | 000,532,594 | ---- | C] () -- C:\WINDOWS\System32\xerces-c_1_40_0_DDR.dll
[2007/11/03 13:46:05 | 000,524,377 | ---- | C] () -- C:\WINDOWS\System32\stlport_4_0_0_DDR.dll
[2007/11/03 13:46:05 | 000,307,329 | ---- | C] () -- C:\WINDOWS\System32\BJBase_2-2-2_DDR.dll
[2007/11/03 13:46:05 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32_1-1-0_DDR.dll
[2007/11/02 22:26:39 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2007/09/26 13:21:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\int15.sys
[2007/09/26 13:21:15 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\int15_64.sys
[2007/09/26 13:19:35 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\NATTraversal.dll
[2007/09/26 13:17:17 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\ScrollBarLib.dll
[2007/06/27 20:46:24 | 000,000,039 | ---- | C] () -- C:\WINDOWS\PreLaunch.ini
[2007/06/16 03:36:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/06/16 03:35:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/06/16 03:28:48 | 000,443,144 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2007/06/16 03:28:48 | 000,072,370 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2007/06/16 03:23:16 | 000,329,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/06/16 03:02:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2007/06/16 03:02:00 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2007/06/16 03:02:00 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2007/06/16 03:02:00 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2006/11/02 08:27:46 | 000,000,518 | ---- | C] () -- C:\WINDOWS\System32\SP207.ini
[2006/08/29 01:30:04 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2006/08/01 22:02:32 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2006/03/10 21:18:16 | 000,036,404 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/17 20:22:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/17 20:19:56 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/05 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/05 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/05 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/05 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/05 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/05 03:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/05 03:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/05 03:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/05 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/05/14 20:04:36 | 000,049,152 | ---- | C] () -- C:\WINDOWS\XMLaunch.exe
[2003/11/24 22:55:48 | 000,743,424 | ---- | C] () -- C:\WINDOWS\libxml2.dll
[2003/11/24 22:55:32 | 000,872,448 | ---- | C] () -- C:\WINDOWS\iconv.dll
[2002/09/13 20:41:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/13 20:41:26 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/12/26 22:12:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 05:46:38 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 22:33:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 04:04:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

===========================
Extras log

OTL Extras logfile created on: 05/02/2012 17:47:29 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

502.11 Mb Total Physical Memory | 186.92 Mb Available Physical Memory | 37.23% Memory free
1.20 Gb Paging File | 0.91 Gb Available in Paging File | 75.81% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.56 Gb Total Space | 18.63 Gb Free Space | 53.89% Space Free | Partition Type: NTFS
Drive D: | 35.07 Gb Total Space | 35.06 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: ACER-47CBE8A5ED | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Veetle\Player\VeetleNet.exe" = C:\Program Files\Veetle\Player\VeetleNet.exe:*:Enabled:VeetleNet -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Veetle\Player\VeetleNet.exe" = C:\Program Files\Veetle\Player\VeetleNet.exe:*:Disabled:VeetleNet -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F2C8256-2773-46C7-9ABA-3E39C24ABB51}" = Acer eSettings Management
"{30837A37-8F9F-4817-8B52-C501B67DC3BE}" = Trust WB-1400T Webcam
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{67ADE9AF-5CD9-4089-8825-55DE4B366799}" = NTI Backup NOW! 4.7
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6F7EA6CA-79F4-44A0-A370-8E82BB16534A}" = NTI Shadow
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BF839132-BD43-4056-ACBF-4377F4A88E2A}" = Acer ePresentation Management
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{DB780B85-B4B5-4864-A49C-9B706B169C93}" = TIPCI
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"avast" = avast! Free Antivirus
"BroadJump Client Foundation" = BroadJump Client Foundation
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
"CutePDF Writer Installation" = CutePDF Writer 2.7
"Filzip 3.0.6.93_is1" = Filzip 3.06
"getPlus(R)_ocx" = getPlus(R)_ocx
"GridVista" = Acer GridVista
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{30837A37-8F9F-4817-8B52-C501B67DC3BE}" = Trust WB-1400T Webcam
"InstallShield_{DB780B85-B4B5-4864-A49C-9B706B169C93}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"LManager" = Launch Manager
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 10.0 (x86 en-GB)" = Mozilla Firefox 10.0 (x86 en-GB)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SpywareBlaster_is1" = SpywareBlaster 4.5
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Veetle TV" = Veetle TV
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 16/05/2010 05:51:25 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 16/05/2010 05:51:26 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 16/05/2010 05:51:26 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 17/05/2010 12:56:22 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 17/05/2010 17:27:43 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 22/05/2010 03:29:04 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 25/05/2010 17:01:57 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 25/05/2010 17:05:41 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 16/06/2010 13:59:06 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

Error - 19/06/2010 04:18:40 | Computer Name = ACER-47CBE8A5ED | Source = avast! | ID = 33554522
Description =

[ Application Events ]
Error - 27/01/2012 14:10:36 | Computer Name = ACER-47CBE8A5ED | Source = Application Error | ID = 1000
Description = Faulting application acer.empowering.framework.launcher.exe, version
2.3.4000.0, faulting module kernel32.dll, version 5.1.2600.5781, fault address
0x00012afb.

Error - 27/01/2012 18:43:01 | Computer Name = ACER-47CBE8A5ED | Source = CardSpace 3.0.0.0 | ID = 327937
Description = An error occurrred while accessing the card collection. An invalid
file path was specified. Additional Information: at System.Environment.GetStackTrace(Exception
e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException
ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception
e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception
e) at Microsoft.InfoCards.FileDataSource.ValidateDirectoryAccess() at Microsoft.InfoCards.FileDataSource.CreateDirAndFiles()

at Microsoft.InfoCards.FileDataSource.OnLoad() at Microsoft.InfoCards.StoreConnection.Load()

at Microsoft.InfoCards.StoreConnection.GetConnection(WindowsIdentity identity,
Boolean allowCreate) at Microsoft.InfoCards.StoreConnection.CreateConnection()

at Microsoft.InfoCards.ClientUIRequest.OnInitializeAsUser() at Microsoft.InfoCards.Request.Initialize()

at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle
monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)

at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle,
IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error - 27/01/2012 18:43:01 | Computer Name = ACER-47CBE8A5ED | Source = CardSpace 3.0.0.0 | ID = 327937
Description = An error occurrred while accessing the card collection. Failed to
open store. Additional Information: at System.Environment.GetStackTrace(Exception
e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException
ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception
e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception
e) at Microsoft.InfoCards.StoreConnection.GetConnection(WindowsIdentity identity,
Boolean allowCreate) at Microsoft.InfoCards.StoreConnection.GetConnection()
at Microsoft.InfoCards.GetUserPreferenceRequest.OnProcess() at Microsoft.InfoCards.Request.ProcessRequest()

at Microsoft.InfoCards.Request.DoProcessRequest(String& extendedMessage) at
Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle,
IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error - 30/01/2012 18:04:25 | Computer Name = ACER-47CBE8A5ED | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00010cbd.

[ System Events ]
Error - 04/02/2012 08:52:41 | Computer Name = ACER-47CBE8A5ED | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.2 for the Network Card with network
address 0016D35CCC31 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 04/02/2012 12:09:58 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl

Error - 04/02/2012 16:53:08 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl

Error - 05/02/2012 08:34:43 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl

Error - 05/02/2012 08:44:37 | Computer Name = ACER-47CBE8A5ED | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.2 for the Network Card with network
address 0016D35CCC31 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 05/02/2012 09:41:32 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl

Error - 05/02/2012 09:51:48 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl

Error - 05/02/2012 09:59:51 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl

Error - 05/02/2012 12:31:16 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl

Error - 05/02/2012 13:23:59 | Computer Name = ACER-47CBE8A5ED | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl


< End of report >

Top
 Profile E-mail  
 
pgmigg
 Post subject: Re: Email hijacked
New postPosted: Mon 06 Feb, 2012 4:25 pm 
Offline
MRU Honors Graduate
MRU Honors Graduate
User avatar

Joined: Tue 08 Jul, 2008 6:25 pm
Posts: 1677
Location: GMT-05:00
Hello rbd,

Thank you for your patience... :)
Quote:
1) I always use my laptop from a user account. I only use the Administrator account to install/update/remove programs. On the user account the TeaTimer is still on: is it ok or should I disable it from all user accounts too?
With Spybot TeaTimer disabled, is it still ok to use the Internet as I do normally or should I limit my usage in any way?
The Spybot TeaTimer disabling is temporary action - for the time during we try to clean you PC. Because you need to use Administrator account all the time of cleaning, it is enough to disable TeaTimer for this account only.
Quote:
2) vShare: should I not have this in future? It allows me to watch some online TV streamings which would be impossible to watch otherwise.
Unfortunately the vShare is not safety product - it can caused redirection of home and search pages...
I hope you can find another software for your TV streaming.

Step 0.
Firstly I would like you to do the following:
  • Change your email Password.
  • Change your Secret Question & Answer.
  • Change your alternative email.

Step 1.
Create a New System Restore Point.

  1. Click Start, select All Programs -> Accessories -> System Tools, then press System Restore.
  2. At the Welcome screen select Create a restore point and then press Next.
  3. In the description box, type a name to describe this restore point.
      System Restore automatically adds (to your description) the current date and time.
  4. Click Create to finish creating this restore point.
  5. Click Close to exit System Restore.
Unless you use some other method to create system restore points, it is advisable to leave this feature ON and active.

If you have successfully created a System Restore Point, we can proceed.
STOP! If you have NOT successfully created a System Restore Point... STOP! do not go any further!
Please post back so we can determine why it was unsuccessful.

Step 2.
OTL - Run Fix Script
You should still have OTL on your desktop.
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Double-click on OTL.exe to run it.
  2. Copy and Paste the following code into the Image text box. Do not include the word Code
    Code:
    :OTL
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O3 - HKU\S-1-5-21-1808491901-1178147021-2521828933-500\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.

    :Files
    C:\Program Files\mozilla firefox\plugins\npvsharetvplg.dll
    C:\WINDOWS\System32\*.tmp
    C:\WINDOWS\*.tmp
    @C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

    :Commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]

  3. Click under the Custom Scan/Fixes box and paste the copied text.
  4. Click the Run Fix button. If prompted... click OK.
  5. OTL may ask to reboot the machine. Please do so if asked.
  6. When the scan completes, Notepad will open with the scan results located in C:\_OTL\Moved Files\MMDDYYY_HHMMSS.log.
  7. Please post the contents of report in your next reply.

Step 3.
ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

  1. Firstly please Disable any Antivirus you have active, as shown in This topic.
  2. Note: Don't forget to re-enable it after the scan.
  3. Next please click on the following link to open a new window to ESET online scannner
  4. Then click on: Image
    Quote:
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  5. Select the option YES, I accept the Terms of Use then click on: Image
  6. When prompted allow the Add-On/Active X to install.
  7. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  8. Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  9. Now click on: Image
  10. The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  11. When completed the Online Scan will begin automatically.
  12. Do not touch either the mouse or keyboard during the scan otherwise it may stall.
  13. When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  14. Now click on: Image
  15. Use notepad to open the log file located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  16. Copy and paste that log as a reply to this topic.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of C:\_OTL\Moved Files\MMDDYYY_HHMMSS.log file after OTL fix
  3. Contents of scan results from C:\Program Files\ESET\EsetOnlineScanner\log.txt file.
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Top
 Profile E-mail  
 
rbd
 Post subject: Re: Email hijacked
New postPosted: Mon 06 Feb, 2012 5:28 pm 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hello pgmigg,

vShare: I will not install it any more, then. Safety comes first.

I read your latest instructions. Before I execute them, I need to ask you something about the ESET Scan

Quote:
12. Do not touch either the mouse or keyboard during the scan otherwise it may stall.

My laptop has a screensaver which starts off after 10' of inactivity. It was already set up when I bought it. It's part of the pre-installed Acer applications. I never felt the need to change it.
Do I need to turn it off? I think it might start off during the scan and then I won't be able to know when the scan is complete or has stalled...

Thanks,
rbd

Top
 Profile E-mail  
 
rbd
 Post subject: Re: Email hijacked
New postPosted: Mon 06 Feb, 2012 6:13 pm 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hello pgmigg,

Two further questions regarding your instruction about disabling my AV.

Q.1)
Quote:
Firstly please Disable any Antivirus you have active, as shown in This topic.

My AV is Avast. The instructions in the topic you quoted are different from the version I have.
The instructions in that topic are basically aimed a 2 things:
a) Disable avast! self-defense module
b) Stop On-Access protection

I have found a) by opening the program user interface -that's ok.
For b), I can't fina any "Stop On-Access protection". If I right-click on the system tray's avast icon I found an option "avast shields control" which has then the following options:
- all shields are on [this is greyed out]
- disable for 10'
- disable for 1hr
- disable until computer restarted
- disable permanently
Would these be what I am supposed to look for? If so, presumably I should "disable permanently"?

Q.2) With the AV disabled, is it still safe to go over the web and open the ESET page?

Sorry if my questions sounds trivial, but given that I'll be disabling the antivirus I'd rather make no mistakes. ;)


Thanks,
rbd

Top
 Profile E-mail  
 
pgmigg
 Post subject: Re: Email hijacked
New postPosted: Mon 06 Feb, 2012 6:17 pm 
Offline
MRU Honors Graduate
MRU Honors Graduate
User avatar

Joined: Tue 08 Jul, 2008 6:25 pm
Posts: 1677
Location: GMT-05:00
Hello rbd,
Quote:
My laptop has a screensaver which starts off after 10' of inactivity. It was already set up when I bought it.
It's part of the pre-installed Acer applications. I never felt the need to change it.
Do I need to turn it off? I think it might start off during the scan and then I won't be able to know when the scan is complete or has stalled...
Good question! :)
If it is easy for you, please turn it off. After the treatment will be finished you can turn it on back.

Thanks,
pgmigg

Top
 Profile E-mail  
 
rbd
 Post subject: Re: Email hijacked
New postPosted: Mon 06 Feb, 2012 6:30 pm 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hello pgmigg,

Thank for your reply.
Please see also my other questions 2 posts above, in regard to disabling my AV.

(Just writing this reminder now in case you haven't received a notification for my other post.)

Thanks,
rbd

Top
 Profile E-mail  
 
pgmigg
 Post subject: Re: Email hijacked
New postPosted: Mon 06 Feb, 2012 7:47 pm 
Offline
MRU Honors Graduate
MRU Honors Graduate
User avatar

Joined: Tue 08 Jul, 2008 6:25 pm
Posts: 1677
Location: GMT-05:00
Hello rbd,
Quote:
Please see also my other questions 2 posts above, in regard to disabling my AV.
Sorry for some inconvenience - it was some kind of time joke... ;)
Quote:
Q.1) Would these be what I am supposed to look for? If so, presumably I should "disable permanently"?
Please select disable until computer restarted and restart computer after ESET run.
Quote:
Q.2) With the AV disabled, is it still safe to go over the web and open the ESET page?
Yes, it is save. Be assured, any links I give are safe.

Thanks,
pgmigg

Top
 Profile E-mail  
 
rbd
 Post subject: Re: Email hijacked
New postPosted: Tue 07 Feb, 2012 8:02 pm 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hello pgmigg,

I followed your instructions.

Step 0: email account
I did change the security info for my email after I found out about the hacking, from another computer. Since then, I haven't logged in to my email from my laptop until you're done with the cleaning.

Step 1: new restore point.
Done, no problems.

Step 2: OTL
Completed, but in a strange way. When I pressed "Run Fix", it seemed to do its job in less than a minute: at the bottom it was saying "Processing complete" and the green progress bar was complete (as if the task was complete). However, the program remained like that for ages, and the processor seemed like doing absolutely nothing. After almost 2 hrs, I decided to press CTRL+ALT+DEL: the Task Manager had only some 20-25 processes, none of them using the CPU at all. I closed the Task Manager and a message appeared telling me to reboot (maybe the message was hidden by the OTL program window?).
Perhaps this will be normal to you, but I thought I'd let you know anyway.

I carried on with the next step the day after (today).

Step 3: ESET
Disabled the screensaver first, then Avast.
ESET Scan done, no problems.
Then re-enabled Avast and restarted.


Both reports pasted below.


As I disabled Avast, I remembered of something happened a few times in the past: when I was turning the system on and logging from one user-account, the avast icon was showing that the real-time protection was turned off. I was then turning it on. I couldn't figure out why it happened, although it looked supsicious to me.

Observations:
Not much difference from before in my computer's behaviour. Perhaps it runs a little smoother. But the occasional slow startups have not occurred so far.

Thanks,

rbd

==============
OTL report

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
Registry value HKEY_USERS\S-1-5-21-1808491901-1178147021-2521828933-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{043C5167-00BB-4324-AF7E-62013FAEDACF} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
========== FILES ==========
C:\Program Files\mozilla firefox\plugins\npvsharetvplg.dll moved successfully.
C:\WINDOWS\System32\CONFIG.TMP moved successfully.
C:\WINDOWS\System32\d3d9caps.tmp moved successfully.
C:\WINDOWS\003155_.tmp moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 3172061 bytes
->Temporary Internet Files folder emptied: 21683319 bytes
->Java cache emptied: 33041 bytes
->FireFox cache emptied: 50181774 bytes
->Flash cache emptied: 593 bytes

User: All Users

User: Dana
->Temp folder emptied: 803140 bytes
->Temporary Internet Files folder emptied: 327974 bytes
->Java cache emptied: 50419 bytes
->FireFox cache emptied: 54635860 bytes
->Flash cache emptied: 508 bytes

User: Default User
->Temp folder emptied: 208896 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56475 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 37450 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Pier.ACER-47CBE8A5ED.000
->Temp folder emptied: 856520 bytes
->Temporary Internet Files folder emptied: 561813 bytes
->Java cache emptied: 1275859 bytes
->FireFox cache emptied: 129677316 bytes
->Flash cache emptied: 6328 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 180729 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 90475588 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 338.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 02062012_200948

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_9a8.dat not found!

Registry entries deleted on Reboot...

=====================
ESET Scan report

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ebbb463c3124c94c9b69533f3b1269bb
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-07 04:03:36
# local_time=2012-02-07 04:03:36 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 51571745 51571745 0 0
# compatibility_mode=8192 67108863 100 0 218 218 0 0
# scanned=59484
# found=0
# cleaned=0
# scan_time=2454

Top
 Profile E-mail  
 
pgmigg
 Post subject: Re: Email hijacked
New postPosted: Wed 08 Feb, 2012 4:37 pm 
Offline
MRU Honors Graduate
MRU Honors Graduate
User avatar

Joined: Tue 08 Jul, 2008 6:25 pm
Posts: 1677
Location: GMT-05:00
Hello rbd,

Good job! :)

Your latest set of logs appear to be clean! :cheers:
This is my general post for when your logs show no more signs of malware.
Before I give you instructions how to keep your computer clean and secure, you need to make a few additional steps.

Step 1.
Latest Java Installation Needed!

Attention: Print these instructions or copy them. You will be closing your browser!!

DOWNLOAD LATEST VERSION
  1. Get the latest version (7u2) of Java Runtime Environment (JRE)... © Sun Microsystems, Inc.
  2. Click the "Download JRE" button to the right.
  3. Check "Accept License Agreement "
  4. Locate the entry for Windows x86 Offline and click on the associated file name, save the file to your desktop.

INSTALL Java
  1. Close all open applications (standard), especially your browser.
  2. From desktop please double-click on jre-7u2-windows-x86.exe to install the newest version.
  3. Follow the on-screen directions. When installation is completed successfully, reboot your computer normally.
  4. Once the computer has been restarted, you can delete the "downloaded" installation file from your desktop.

OPTIONAL:
To prevent some unnecessary JAVA components from running when you boot your computer each time...
  1. Go to Control Panel and click on the JAVA icon.
  2. Press the Update tab and UNCHECK "Check for Updates Automatically". (You can check for updates manually.)
      Reply "Never Check" to the warning prompt.
  3. Now press the Advanced tab. Press the [+] to expand the "Miscellaneous" options.
  4. UNCHECK "Java Quick Starter".
  5. Press Apply and OK, then close the Java Control Panel and exit Control Panel.

Step 2.
OTL - Run Fix Script
You should still have OTL on your desktop.
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Double-click on OTL.exe to run it.
  2. Copy and Paste the following code into the Image
    text box. Do not include the word Code
    Code:
    :Commands
    [EMPTYTEMP]
    [CLEARALLRESTOREPOINTS]

  3. Click under the Custom Scan/Fixes box and paste the copied text.
  4. Click the Run Fix button. If prompted... click OK.
  5. OTL may ask to reboot the machine. Please do so if asked.

Step 3.
OTL-Cleanup
  1. Double-click on OTL.exe to run it.
  2. Press the CleanUp button.
  3. When done, you will be prompted to reboot your system to finish file removal, please select OK to reboot your computer.


Then please don't forget to enable all your defense software!

Finally, please click HERE
to find a short guide to staying safer online.

Please don't hesitate to ask any additional questions.

Stay Safe! ;)
pgmigg

Top
 Profile E-mail  
 
rbd
 Post subject: Re: Email hijacked
New postPosted: Thu 09 Feb, 2012 12:47 am 
Offline
Regular Member

Joined: Fri 04 Nov, 2011 3:05 am
Posts: 29
Hello pgmigg,

That's great news! Fantastic!!! :cheers:
Thank you very much for your help. I had no doubts you'd succeed.

I followed once more your instructions - no problems.
(Interesting, I had never been offered Java Version 7 by the updater! :? )
Then I re-enabled Spybot's TeaTimer.

I do have a few questions to ask you, some related to the link in your previous post (which I have read it but need time to "absorb"it).


1) No restore points are now present. Should I not create one now, just in case?
In future, should I delete RP's to make space on disk? How often? How best to do it?

2) What kind of malware was on my computer? Do you know when it became active?
Was it the means for "stealing" my email's password? if not, how was it stolen?

3)Java: in future, when I update it manually, should I directly install the latest version (i.e. would this automatically remove the previous one)? or should I download the new version as offline installer, then remove the previous one, then install the new one? I read the instructions with the different scenarios, but it seems a little confusing)

4) ESET Online scanner: if I ever need it in future, is it safe to run it with the "Remove found threats" option on?

5) How best to clean all the temporary files & folders? I always do it manually :roll: , based on what I read are these files & folders. I think I read recently (but never used) of "Disk Cleanup" in Windows and "CCleaner": are any of these good?

6) Spybot: is it good to keep it? I read that the TeaTimer is particularly useful. You guys advise Malwarebytes. Should I still stick with Spybot since I know it already?

7) Among the firewalls advised in your link, is any of them an easy-to-understand-and-use one? I know the XP one only protects me on the incoming traffic, but I am also aware of how powerful a firewall could be and in the past I didn't want to install something that I wouldn't understand how to set up properly. Basically is there one which has proper instructions on how to set it up?


I have more questions, but will probably ask them in other forums of this website, as they are not strictly related to my malware issue, nor I want to take any more of your time: someone else will need it as I type, for sure.


Thanks again for your precious help!

Regards,

rbd

Top
 Profile E-mail  
 
pgmigg
 Post subject: Re: Email hijacked
New postPosted: Thu 09 Feb, 2012 8:07 pm 
Offline
MRU Honors Graduate
MRU Honors Graduate
User avatar

Joined: Tue 08 Jul, 2008 6:25 pm
Posts: 1677
Location: GMT-05:00
Hello rbd,

Thank you for your great questions! :)
Quote:
1) No restore points are now present. Should I not create one now, just in case?
In future, should I delete RP's to make space on disk? How often? How best to do it?
It looks like you forget to run the Step 2 from the previous set of instructions. Otherwise, there should be one clean restore point, because the command "CLEARALLRESTOREPOINTS" must create it.
If you still have the OTL on your Desktop, you need to run steps 2 and 3 now, otherwise please do the following:

Create a New System Restore Point.
  1. Click Start, select All Programs -> Accessories -> System Tools, then press System Restore.
  2. At the Welcome screen select Create a restore point and then press Next.
  3. In the description box, type a name to describe this restore point - right now I can recommend the name 'All Clean'.
      System Restore automatically adds (to your description) the current date and time.
  4. Click Create to finish creating this restore point.
  5. Click Close to exit System Restore.
Unless you use some other method to create system restore points, it is advisable to leave this feature ON and active.

From time to time you can clean the old RPs by the following:

Deleting all but the most recent System Restore Points
  1. Click Start -> Run and type cleanmgr in the opened box. Then press OK.
  2. Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other
    boxes if you wish but they are not required.
  3. Select the More Options tab under System Restore and press Clean up.... Then and say Yes to the prompt.
  4. Press OK and Yes to confirm.
Quote:
2) What kind of malware was on my computer? Do you know when it became active?
Was it the means for "stealing" my email's password? if not, how was it stolen?
It is very hard to answer and not so important to know exactly was it was and where you got it.
In your particular case, I guess something may came from vShare toolbar...
Quote:
3)Java: in future, when I update it manually, should I directly install the latest version (i.e. would this automatically remove the previous one)?
or should I download the new version as offline installer, then remove the previous one, then install the new one? I read the instructions with the different
scenarios, but it seems a little confusing)
The best practice is to download the latest version, uninstall the previous one, and install the new one.
I think it is not so hard to check Java updates once a month.
Quote:
4) ESET Online scanner: if I ever need it in future, is it safe to run it with the "Remove found threats" option on?
No, it is not the good practice. Online scanners give a lot of false positive detections, so it's not a good idea to run the scan with the "Remove found threats" option on. Something legit stuff could easily be removed and you need to show scan results to any professional helper who could interpreted it properly and gave you advise what to do.
Quote:
5) How best to clean all the temporary files & folders? I always do it manually :roll: , based on what I read are these files & folders.
I think I read recently (but never used) of "Disk Cleanup" in Windows and "CCleaner": are any of these good?
Please see my answer to question 1.
The CCLeaner is a good option too, but not forget to check their updates which are very often.
Quote:
6) Spybot: is it good to keep it? I read that the TeaTimer is particularly useful. You guys advise Malwarebytes. Should I still stick with Spybot
since I know it already?
How many people - so many opinions! ;)
I prefer to use Malwarebytes...
Quote:
7) Among the firewalls advised in your link, is any of them an easy-to-understand-and-use one? I know the XP one only protects me on the incoming
traffic, but I am also aware of how powerful a firewall could be and in the past I didn't want to install something that I wouldn't understand how to set up
properly. Basically is there one which has proper instructions on how to set it up?
Regarding your doubts about firewall, I can say that we don't recommend to use the built-in Windows XP firewall, because it did not block outgoing connections. This means that any malware on your computer is free to
"phone home" for more instructions. Simply put, the Windows XP internal firewall was a very basic. So it explained why for Windows XP should be installed one third party firewall.
The Online Armor Firewall is good and easy to set and use for example...

Stay Safe! ;)
pgmigg

Top
 Profile E-mail  
 
Display posts from previous:  Sort by  
Post new topic This topic is locked, you cannot edit posts or make further replies.  Page 1 of 2
  [ 19 posts ]  Go to page 1, 2  Next

Board index » Malware Removal » Malware Removal

All times are UTC [ DST ]

Who is online

Users browsing this forum: No registered users and 8 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.

Member site: Alliance of Security Analysis Professionals | UNITE Against Malware

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group