Hotmail login page suggests entering code


  • This topic is locked
18 replies to this topic

#1 cctster

cctster

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 12 October 2012 - 02:09 PM

Hi,

A friend is worried about her laptop, and access to hotmail and security in general.

She opened up her hotmail login page and was faced with a page telling her that her account had been compromised and she should enter a code to prevent her account being shut down. She entered the code and immediately received a phone call which was an automated voice telling her to enter her e-mail address and password. At this point she became suspicious and ended the call.

She called me over and I had a look at the system. Unusually for a standalone laptop, it was running Sophos Endpoint Security. It had 4 things in quarantine, 3 of which looked like infections. I cleansed the infections (see log later), and as the system had Malwarebytes installed as well I downloaded and ran rkill (see log later), updated Malwarebytes and did a full scan. Malwarebytes came up clean, but I noticed that the Windows firewall was disabled. I enabled the firewall and restarted the system. The firewall was still up. Things seemed to be working OK, but she was telling me that her Hotmail page looked different. To be fair, when I looked at it, it did look different to what I normally see, so I brought over a netbook, plugged it into her network and went to the same page. It appeared different on the netbook, so I can only assume that Hotmail has had a recent makeover.
Looking at the rkill log I noticed that the hosts file had some notable URLs in it, some looking particularly inappropriate. So I thought I would flash them to you guys to see if there is anything untoward going on here that Sophos and Malwarebytes aren't picking up on.

As well as dds.txt I'm copying the rkill log, the mbam log and the sophos log to give you as much background as I can.
I'd be grateful for any assistance here even if it's "we think everything is clear".


Regards,

Neil Harland

===================================================================================================================

dds.txt

.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 7.0.5730.13
Run by June at 15:12:56 on 2012-10-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.680 [GMT 1:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
SVCHOST.EXE
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Sophos\AutoUpdate\almon.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBCore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://hotmail.com/
uWindow Title = Microsoft Internet Explorer provided by Tiscali
uSearch Bar = hxxp://www.tiscali.co.uk/search/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NBCore] "c:\program files\common files\nero\nero backitup 4\NBCore.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [LaunchAp] "c:\program files\launch manager\LaunchAp.exe"
mRun: [PowerKey] "c:\program files\launch manager\PowerKey.exe"
mRun: [LManager] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [CtrlVol] "c:\program files\launch manager\CtrlVol.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSDCtrl.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [EPM-DM] c:\acer\empowering technology\epower\epm-dm.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [NBKeyScan] "c:\program files\nero\nero backitup 4\NBKeyScan.exe"
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [NoActiveDesktopChanges] 00000000
uPolicies-explorer: NoActiveDesktopChanges = 00000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{16DBD254-30D7-43F5-AF0C-19F049E9C7B1} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B4894B5A-9451-4888-88CB-3A9CB425C2D5} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\june\application data\mozilla\firefox\profiles\ltb5c804.default\
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-4-22 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-4-22 24064]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-10-8 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-6-4 97520]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2012-4-11 232472]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2012-2-21 1543704]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
R3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-4-30 2343]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-25 136176]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-25 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-12 115168]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-6-20 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-6-20 11104]
S4 mailKmd;mailKmd; [x]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-10-09 15:24:26 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 15:24:26 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-27 19:12:40 832512 ----a-w- c:\windows\system32\wininet.dll
2012-08-27 19:12:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-08-27 19:12:36 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-08-27 19:12:34 17408 ------w- c:\windows\system32\corpol.dll
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29:20 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:06 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 15:13:55.76 ===============



rkill log

Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/12/2012 12:05:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\system32\HPZipm12.exe (PID: 160) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com

20 out of 8309 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 10/12/2012 12:07:56 PM
Execution time: 0 hours(s), 2 minute(s), and 0 seconds(s)

========================================================================================================

mbam log

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.12.02

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.13
June :: ACER-684C9A655D [administrator]

12/10/2012 09:43:06
mbam-log-2012-10-12 (09-43-06).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282862
Time elapsed: 1 hour(s), 29 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
==============================================================================================================


Sophos Log

****************** Sophos Anti-Virus Log - 12/10/2012 11:26:21 **************

20121001 192700 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121001 192816 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992483 items.
20121001 192816 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121002 174524 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992483 items.
20121002 174525 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121002 175434 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121002 175645 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992558 items.
20121002 175645 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121002 215248 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121002 215313 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992590 items.
20121002 215313 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121003 094248 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992590 items.
20121003 094249 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121003 095054 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121003 095131 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992612 items.
20121003 095131 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121003 114900 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121003 114905 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992630 items.
20121003 114905 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121003 144857 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121003 144907 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992638 items.
20121003 144907 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121003 194910 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121003 194920 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992646 items.
20121003 194920 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121005 112636 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992646 items.
20121005 112637 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121005 113547 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121005 113734 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992753 items.
20121005 113734 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121005 193315 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121005 193358 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992787 items.
20121005 193358 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121007 103716 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992787 items.
20121007 103717 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121007 104713 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121007 104802 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992826 items.
20121007 104802 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121007 194438 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121007 194503 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992832 items.
20121007 194503 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121008 132521 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992832 items.
20121008 132522 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121008 133427 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121008 133455 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992870 items.
20121008 133455 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121008 163236 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121008 163240 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992880 items.
20121008 163240 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121009 101039 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992880 items.
20121009 101040 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121009 101848 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121009 102033 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992904 items.
20121009 102034 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121009 111718 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121009 111727 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992908 items.
20121009 111728 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121009 151644 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121009 151650 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992930 items.
20121009 151650 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121011 143142 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3992930 items.
20121011 143143 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121011 143932 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121011 144103 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993086 items.
20121011 144103 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121011 151921 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993086 items.
20121011 151921 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121012 081057 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993086 items.
20121012 081057 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121012 081803 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121012 081837 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993157 items.
20121012 081837 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20121012 083403 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993157 items.
20121012 083404 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121012 095247 File "C:\Documents and Settings\All Users\Application Data\26992420" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 095247 On-access scanner has denied access to location "C:\Documents and Settings\All Users\Application Data\26992420" for user ACER-684C9A655D\June
20121012 095247 File "C:\Documents and Settings\All Users\Application Data\~26992420" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 095247 On-access scanner has denied access to location "C:\Documents and Settings\All Users\Application Data\~26992420" for user ACER-684C9A655D\June
20121012 095248 File "C:\Documents and Settings\All Users\Application Data\~26992420r" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 095248 On-access scanner has denied access to location "C:\Documents and Settings\All Users\Application Data\~26992420r" for user ACER-684C9A655D\June
20121012 105353 File "C:\Documents and Settings\All Users\Application Data\26992420" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105353 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105353 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105353 Registry value "HKU\S-1-5-21-2133343143-1108329854-947215600-1005\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105358 File "C:\Documents and Settings\All Users\Application Data\~26992420" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105358 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105358 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105358 Registry value "HKU\S-1-5-21-2133343143-1108329854-947215600-1005\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105403 File "C:\Documents and Settings\All Users\Application Data\~26992420r" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105403 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105403 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105403 Registry value "HKU\S-1-5-21-2133343143-1108329854-947215600-1005\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" belongs to virus/spyware 'Mal/FakeAvCn-A'.
20121012 105406 File "C:\Documents and Settings\All Users\Application Data\26992420" has been cleaned up.
20121012 105409 File "C:\Documents and Settings\All Users\Application Data\~26992420" has been cleaned up.
20121012 105413 File "C:\Documents and Settings\All Users\Application Data\~26992420r" has been cleaned up.
20121012 105413 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride" has been cleaned up.
20121012 105413 Registry value "HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride" has been cleaned up.
20121012 105413 Registry value "HKU\S-1-5-21-2133343143-1108329854-947215600-1005\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" has been cleaned up.
20121012 105413 Virus/spyware 'Mal/FakeAvCn-A' has been removed.
20121012 105427 Scanning "c:\documents and settings\June\local settings\temporary internet files\Content.IE5\F4FHS93J\info[1].exe" returned SAV Interface error 0xa0040210: The file could not be accessed.
20121012 105427 Item 'HPmal/FakeAV-I' could not be redetected.
20121012 105434 Scanning "C:\Documents and Settings\All Users\Application Data\26992420" returned SAV Interface error 0xa0040210: The file could not be accessed.
20121012 105434 Item 'CXmal/FakeAV-F' could not be redetected.
20121012 105642 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993157 items.
20121012 105643 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121012 110229 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993157 items.
20121012 110229 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20121012 111039 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20121012 111122 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3993163 items.
20121012 111122 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
(110 items)


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:46 PM

Posted 14 October 2012 - 04:59 PM

Greetings cctster and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. May I call you Neil?


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:46 PM

Posted 14 October 2012 - 07:58 PM

Hi Neil,

Thank you for your patience.

Could you please tell me which browser(s) this happens with?

Are these entries familiar?

Microsoft Internet Explorer provided by Tiscali
www.tiscali.co.uk/search/

Those local host entries are legitimate.

Here is what I would like you to do for me please.


===================================================


GrantPerms by Farbar

--------------------

  • Download Grantperms (32 bit systems) or Grantperms64 (64 bit systems) and save it to your desktop
  • Unzip the file
  • Copy and paste the following in the edit box:

    c:\documents and settings\June\local settings\temporary internet files\Content.IE5\F4FHS93J\info[1].exe
    C:\Documents and Settings\All Users\Application Data\26992420

  • Click Unlock. When it is done click OK
  • Click List Permissions and copy/paste the results of the Perms.txt document.
  • A copy of Perms.txt will be saved in the same directory the tool is run.


===================================================


Virustotal Online Virus Scanner

--------------------

  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file, double click on it so the file name is populated, then click Scan it!

    c:\documents and settings\June\local settings\temporary internet files\Content.IE5\F4FHS93J\info[1].exe
  • Once completed, highlight the information in the address bar and copy then paste the link in your reply



===================================================


Folder Contents Batch (.bat) File

--------------------

  • Press the Windows key + R on your keyboard at the same time
  • Type Notepad and press enter
    Copy and paste the following into the Notepad document:

    @echo off
    rem The path contains spaces, so it must be quoted or dir will treat each word as a separate name.
    rem /a also lists hidden and system files, which malware drops often are.
    dir /a "C:\Documents and Settings\All Users\Application Data\26992420" > C:\dir.txt
    notepad C:\dir.txt
    
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input folder.bat.
  • Click Save.

    When done properly, the icon should look like a batch file (or something similar) on your desktop.
  • Close the Notepad.
  • Locate and double-click folder.bat on the desktop.
  • Notepad will open with some text in it. Copy and paste the contents in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Which browsers?
  • Is Tiscali familiar?
  • Perms.txt
  • VirusTotal link
  • Batch file contents

Edited by Oh My, 15 October 2012 - 09:32 AM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
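As an added example (not part of Gary's instructions or of any of the tools he names), the PowerShell script below performs the three checks from the post in one pass for the two paths he lists: whether each still exists, who owns it and what its ACL grants (the GrantPerms "List Permissions" step), a SHA256 hash that can be searched on VirusTotal without uploading the file, and a folder listing that includes hidden and system entries (the folder.bat step). It assumes PowerShell 3.0 or later and an elevated prompt; the two paths are the ones from the post, everything else is this example's own.

```powershell
# Added example: one-pass check of the two paths named in the post.
# -LiteralPath is used throughout because "info[1].exe" contains brackets,
# which -Path would interpret as a wildcard character class.
$targets = @(
    'c:\documents and settings\June\local settings\temporary internet files\Content.IE5\F4FHS93J\info[1].exe',
    'C:\Documents and Settings\All Users\Application Data\26992420'
)

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash, which only exists from PowerShell 4.0
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

foreach ($t in $targets) {
    Write-Output "=== $t ==="

    if (-not (Test-Path -LiteralPath $t)) {
        # Same outcome GrantPerms reports as "The system cannot find the path specified"
        Write-Output 'Not present.'
        continue
    }

    # -Force also returns hidden and system items, which a plain dir would skip
    $item = Get-Item -LiteralPath $t -Force
    Write-Output ("Attributes : {0}" -f $item.Attributes)
    Write-Output ("Modified   : {0}" -f $item.LastWriteTime)

    # Equivalent of GrantPerms' "List Permissions": owner plus every access control entry
    $acl = Get-Acl -LiteralPath $t
    Write-Output ("Owner      : {0}" -f $acl.Owner)
    foreach ($ace in $acl.Access) {
        Write-Output ("  {0,-6} {1,-40} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
    }

    if ($item.PSIsContainer) {
        # Equivalent of folder.bat, with the path handled correctly and hidden/system files included
        Get-ChildItem -LiteralPath $t -Force |
            Format-Table Mode, LastWriteTime, Length, Name -AutoSize
    } else {
        # Search this hash on VirusTotal instead of uploading the file itself
        Write-Output ("SHA256     : {0}" -f (Get-Sha256Hex $t))
    }
}
```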

#4 cctster

cctster
  • Topic Starter

  • Members
  • 26 posts
  • Local time:01:46 AM

Posted 16 October 2012 - 03:18 PM

Hello Oh My,

Sorry it's taken a while to reply, but it took a while for me to get my hands on the laptop to run your tests. Anyway I have it at home now so hopefully this can be a more snappy conversation :)

Right, to business:

First off "Microsoft Explorer provided by Tiscali" shows up in the title bar of Internet Explorer.
I have not seen www.tiscali.co.uk/search.

I think the original incident will have taken place in Internet Explorer as this was the default browser. I tried opening up the hotmail login page in Firefox and this just looked the same as it did in IE.

I ran grantperms (32 bit) and the following was found in perms.txt:

GrantPerms by Farbar
Ran by June (administrator) at 2012-10-16 20:35:10

===============================================
ERROR: Parsing the SD of <\\?\c:\documents and settings\June\local settings\temporary internet files\Content.IE5\F4FHS93J\info[1].exe> failed with: The system cannot find the path specified.


Operating system error message: The system cannot find the path specified.
ERROR: Parsing the SD of <\\?\C:\Documents and Settings\All Users\Application Data\26992420> failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.


I opened up virustotal but could not find c:\documents and settings\June\local settings\temporary internet files\Content.IE5\F4FHS93J\info[1].exe

The temporary Internet files folder was not present.

Ran Folder.bat. It opened a notepad file with nothing in it and a command line window was open with the following text:

"The system could not find the file specified"

So if the files were there at some point it looks like they are no longer there now.

Regards,

Neil Harland

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,385 posts
  • Gender:Male
  • Location:California
  • Local time:05:46 PM

Posted 16 October 2012 - 03:25 PM

Hi Neil,

Thank you for going through all of that. It does indeed look like those files are not present, which is good.

Please perform the following for me to continue to diagnose the state of the computer.


===================================================


OTL

--------------------

Please download OTL here.

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Copy and paste the two reports in your next reply.

  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • OTL.txt
  • Extra.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 cctster

cctster
  • Topic Starter

  • Members
  • 26 posts
  • Local time:01:46 AM

Posted 18 October 2012 - 05:19 AM

Hi,

I've run the scan. Please find below the logs:

OTL Log

OTL logfile created on: 18/10/2012 08:13:30 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\June\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.24 Gb Total Physical Memory | 0.49 Gb Available Physical Memory | 39.82% Memory free
2.97 Gb Paging File | 2.44 Gb Available in Paging File | 82.01% Paging File free
Paging file location(s): C:\pagefile.sys 1920 2560 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.16 Gb Total Space | 1.44 Gb Free Space | 4.23% Space Free | Partition Type: FAT32
Drive D: | 14.92 Gb Total Space | 14.41 Gb Free Space | 96.57% Space Free | Partition Type: FAT32

Computer Name: ACER-684C9A655D | User Name: June | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/18 08:06:26 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\June\Desktop\OTL.exe
PRC - [2012/04/11 15:43:10 | 000,232,472 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
PRC - [2012/02/21 11:48:22 | 001,543,704 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
PRC - [2012/01/18 06:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
PRC - [2011/11/11 14:08:06 | 000,205,336 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
PRC - [2010/10/08 15:15:14 | 000,163,056 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
PRC - [2010/09/21 16:16:18 | 000,439,536 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALMon.exe
PRC - [2010/06/04 11:23:16 | 000,097,520 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
PRC - [2008/12/05 14:07:06 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/12/05 14:07:04 | 001,590,568 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBCore.exe
PRC - [2008/12/05 14:06:42 | 000,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
PRC - [2008/04/14 01:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/01/02 10:31:28 | 000,397,312 | ---- | M] (acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\Monitor.exe
PRC - [2005/11/10 19:09:24 | 000,212,992 | ---- | M] (Acer Inc) -- C:\Acer\Empowering Technology\ePower\epm-dm.exe
PRC - [2005/11/08 10:45:52 | 000,069,632 | ---- | M] (Wistron) -- C:\Program Files\Launch Manager\HotkeyApp.exe
PRC - [2005/11/08 10:19:28 | 000,081,920 | ---- | M] () -- C:\Program Files\Launch Manager\WButton.exe
PRC - [2005/10/24 16:45:32 | 002,462,208 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admtray.exe
PRC - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe
PRC - [2005/07/26 11:36:00 | 000,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
PRC - [2005/07/25 13:36:40 | 000,032,768 | ---- | M] () -- C:\Program Files\Launch Manager\LaunchAp.exe
PRC - [2005/07/25 10:45:00 | 000,241,664 | ---- | M] () -- C:\Program Files\Launch Manager\OSDCtrl.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2002/08/30 15:02:48 | 000,094,208 | ---- | M] () -- C:\Program Files\Launch Manager\Powerkey.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/11 14:08:18 | 007,956,504 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTGui4.dll
MOD - [2011/11/11 14:08:18 | 000,342,552 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTXml4.dll
MOD - [2011/11/11 14:08:18 | 000,128,536 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QJpeg4.dll
MOD - [2011/11/11 14:08:18 | 000,029,208 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QGif4.dll
MOD - [2011/11/11 14:08:06 | 002,145,304 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTCore4.dll
MOD - [2010/02/02 17:46:52 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2005/11/08 10:19:28 | 000,081,920 | ---- | M] () -- C:\Program Files\Launch Manager\WButton.exe
MOD - [2005/09/05 16:31:56 | 000,229,472 | ---- | M] () -- C:\Acer\Empowering Technology\NetMonitor.dll
MOD - [2005/08/24 01:24:00 | 000,010,752 | ---- | M] () -- C:\WINDOWS\system32\MSNChatHook.dll
MOD - [2005/07/26 11:36:00 | 000,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
MOD - [2005/07/25 13:36:40 | 000,032,768 | ---- | M] () -- C:\Program Files\Launch Manager\LaunchAp.exe
MOD - [2005/07/25 10:45:00 | 000,241,664 | ---- | M] () -- C:\Program Files\Launch Manager\OSDCtrl.exe
MOD - [2003/12/29 20:45:08 | 000,040,960 | ---- | M] () -- C:\Acer\Empowering Technology\ServiceControl.dll
MOD - [2002/08/30 15:02:48 | 000,094,208 | ---- | M] () -- C:\Program Files\Launch Manager\Powerkey.exe


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/10/11 02:06:00 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/10/09 16:24:32 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/04/11 15:43:10 | 000,232,472 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service)
SRV - [2012/02/21 11:48:22 | 001,543,704 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe -- (swi_service)
SRV - [2012/01/18 06:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2010/10/08 15:15:14 | 000,163,056 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService)
SRV - [2010/06/04 11:23:16 | 000,097,520 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService)
SRV - [2008/12/05 14:07:06 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008/12/05 14:06:42 | 000,081,920 | ---- | M] (Prolific Technology Inc.) [Auto | Running] -- C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe -- (PLFlash DeviceIoControl Service)
SRV - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\admServ.exe -- (AWService)
SRV - [2005/03/30 16:46:56 | 000,411,920 | ---- | M] (Eastman Kodak Company) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\Wbutton.sys -- (Wbutton)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/01/18 06:44:52 | 004,332,960 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC)
DRV - [2012/01/18 06:44:28 | 000,312,096 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2010/10/08 15:15:00 | 000,153,344 | ---- | M] (Sophos Plc) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\savonaccesscontrol.sys -- (SAVOnAccessControl)
DRV - [2010/10/08 15:15:00 | 000,024,064 | ---- | M] (Sophos Plc) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\savonaccessfilter.sys -- (SAVOnAccessFilter)
DRV - [2010/08/16 15:31:08 | 000,016,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdrvio.sys -- (pwdrvio)
DRV - [2010/08/16 15:31:06 | 000,011,104 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdspio.sys -- (pwdspio)
DRV - [2008/05/23 08:38:26 | 000,014,976 | ---- | M] (Sophos Plc) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\SophosBootDriver.sys -- (SophosBootDriver)
DRV - [2005/11/08 15:12:18 | 000,997,376 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/11/08 15:11:38 | 000,242,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/11/08 15:11:30 | 000,723,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/10/15 18:20:44 | 000,012,106 | ---- | M] (OSA Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys -- (OsaFsLoc)
DRV - [2005/09/13 15:34:40 | 000,004,392 | ---- | M] (OSA Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NdisFilt.sys -- (NdisFilt)
DRV - [2005/06/30 16:58:24 | 000,007,296 | ---- | M] (OSA Technologies, An Avocent Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio)
DRV - [2005/06/16 14:41:02 | 000,037,150 | ---- | M] (Eastman Kodak Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DcCam.sys -- (DcCam)
DRV - [2005/05/02 12:13:42 | 000,009,600 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETMNT.sys -- (NETMNT)
DRV - [2005/04/19 10:40:52 | 002,317,504 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM)
DRV - [2005/04/07 18:08:46 | 000,078,208 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd)
DRV - [2005/03/31 08:00:08 | 000,152,081 | ---- | M] (Eastman Kodak Company) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ExportIt.sys -- (Exportit)
DRV - [2005/03/31 07:47:56 | 000,070,262 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcPtp.sys -- (DcPTP)
DRV - [2005/03/31 07:47:50 | 000,008,022 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcLps.sys -- (DcLps)
DRV - [2005/03/31 07:47:48 | 000,038,673 | ---- | M] (Eastman Kodak Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DCFS2k.sys -- (DCFS2K)
DRV - [2005/03/31 07:47:42 | 000,061,564 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcFpoint.sys -- (DcFpoint)
DRV - [2005/01/14 15:57:16 | 000,004,010 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm)
DRV - [2005/01/13 14:46:16 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2005/01/10 15:47:14 | 000,449,888 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2004/12/22 01:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/12/15 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/12/02 16:36:08 | 000,070,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/07/19 13:10:00 | 000,004,096 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd)
DRV - [2003/12/05 18:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/04/28 11:27:06 | 000,009,867 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\HOTKEY.sys -- (Hotkey)
DRV - [2000/12/19 18:29:52 | 000,002,343 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Launch Manager\POWERKEY.SYS -- (POWERKEY)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.co.uk/search/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.co.uk/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/12 09:19:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/10/12 09:19:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\June\Application Data\Mozilla\Extensions
[2012/10/12 09:19:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/11 02:06:20 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/10/11 02:05:38 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/11 02:05:38 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2008/04/22 15:10:12 | 000,236,669 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 8286 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Sophos Web Content Scanner) - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc)
O4 - HKLM..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe (Acer Value Labs, Taiwan)
O4 - HKLM..\Run: [ADMTray.exe] C:\Acer\Empowering Technology\admtray.exe (Avocent Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe (Wistron)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe ()
O4 - HKLM..\Run: [EPM-DM] c:\Acer\Empowering Technology\ePower\epm-dm.exe (Acer Inc)
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe (acer Inc.)
O4 - HKLM..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe ()
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe (Wistron)
O4 - HKLM..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe ()
O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero BackItUp 4\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [PowerKey] C:\Program Files\Launch Manager\PowerKey.exe ()
O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Plc)
O4 - HKLM..\Run: [Wbutton] C:\Program Files\Launch Manager\Wbutton.exe ()
O4 - HKCU..\Run: [NBCore] C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBCore.exe (Nero AG)
O4 - HKLM..\RunOnceEx: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: NoActiveDesktopChanges = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{16DBD254-30D7-43F5-AF0C-19F049E9C7B1}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4894B5A-9451-4888-88CB-3A9CB425C2D5}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\June\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\June\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/17 20:09:38 | 000,000,160 | ---- | M] () - D:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/18 08:13:05 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\June\Desktop\OTL.exe
[2012/10/12 15:12:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\June\My Documents\My Videos
[2012/10/12 15:12:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/10/12 15:10:22 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\June\Desktop\dds.com
[2012/10/12 09:23:17 | 001,678,240 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\June\Desktop\rkill.exe
[2012/10/12 09:23:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\June\My Documents\Downloads
[2012/10/12 09:19:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\June\Local Settings\Application Data\Mozilla
[2012/10/12 09:19:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\June\Application Data\Mozilla
[2012/10/12 09:19:27 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/10/12 09:19:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/10/12 09:19:17 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/10/18 08:24:04 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/10/18 08:12:24 | 000,000,342 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2012/10/18 08:10:28 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/10/18 08:08:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/18 08:08:14 | 1332,203,520 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/18 08:06:26 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\June\Desktop\OTL.exe
[2012/10/17 21:40:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/10/17 21:30:48 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/10/16 21:02:36 | 000,000,109 | ---- | M] () -- C:\Documents and Settings\June\Desktop\folder.bat
[2012/10/15 20:41:02 | 000,000,708 | ---- | M] () -- C:\WINDOWS\tasks\20110620_131100_Acer Laptop Auto Backup.job
[2012/10/15 19:00:02 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule.job
[2012/10/15 15:12:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/10/12 15:11:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\June\defogger_reenable
[2012/10/12 14:53:20 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\June\Desktop\bmxihnch.exe
[2012/10/12 14:51:58 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\June\Desktop\dds.com
[2012/10/12 14:50:24 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\June\Desktop\Defogger.exe
[2012/10/12 09:32:04 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/12 09:23:20 | 001,678,240 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\June\Desktop\rkill.exe
[2012/10/12 09:19:30 | 000,000,650 | ---- | M] () -- C:\Documents and Settings\June\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/10/12 09:19:30 | 000,000,632 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/10/11 15:54:04 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/10/09 16:24:26 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/09 16:24:26 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/10/03 20:24:58 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/10/16 21:02:34 | 000,000,109 | ---- | C] () -- C:\Documents and Settings\June\Desktop\folder.bat
[2012/10/16 20:33:19 | 000,456,948 | ---- | C] () -- C:\Documents and Settings\June\Desktop\GrantPerms.exe
[2012/10/12 15:11:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\June\defogger_reenable
[2012/10/12 15:10:22 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\June\Desktop\bmxihnch.exe
[2012/10/12 15:10:22 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\June\Desktop\Defogger.exe
[2012/10/12 09:32:02 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/12 09:19:29 | 000,000,650 | ---- | C] () -- C:\Documents and Settings\June\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/10/12 09:19:29 | 000,000,638 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/10/12 09:19:29 | 000,000,632 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/02/15 09:41:00 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/18 06:44:00 | 010,920,984 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2012/01/18 06:44:00 | 000,336,408 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2012/01/18 06:44:00 | 000,104,472 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2011/11/17 01:40:38 | 000,028,418 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2011/08/12 12:20:14 | 000,015,896 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2011/06/29 15:49:32 | 000,020,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/06/27 12:51:26 | 000,007,780 | -HS- | C] () -- C:\Documents and Settings\June\Local Settings\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
[2011/06/27 12:51:26 | 000,007,780 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
[2011/06/20 12:55:58 | 000,725,064 | ---- | C] () -- C:\WINDOWS\System32\pwNative.exe
[2011/06/20 12:55:57 | 000,016,472 | ---- | C] () -- C:\WINDOWS\System32\pwdrvio.sys
[2011/06/20 12:55:57 | 000,011,104 | ---- | C] () -- C:\WINDOWS\System32\pwdspio.sys
[2011/01/12 23:06:41 | 000,000,031 | ---- | C] () -- C:\WINDOWS\UKCpInfo.sys
[2006/04/30 03:31:43 | 005,242,880 | ---- | C] () -- C:\Documents and Settings\June\ntuser.bak
[2006/04/29 10:59:13 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\June\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2006/04/29 10:52:56 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:06 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >



Extra.txt

OTL Extras logfile created on: 18/10/2012 08:13:31 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\June\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.24 Gb Total Physical Memory | 0.49 Gb Available Physical Memory | 39.82% Memory free
2.97 Gb Paging File | 2.44 Gb Available in Paging File | 82.01% Paging File free
Paging file location(s): C:\pagefile.sys 1920 2560 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.16 Gb Total Space | 1.44 Gb Free Space | 4.23% Space Free | Partition Type: FAT32
Drive D: | 14.92 Gb Total Space | 14.41 Gb Free Space | 96.57% Space Free | Partition Type: FAT32

Computer Name: ACER-684C9A655D | User Name: June | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- Reg Error: Value error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"" =
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater -- ()
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- ()
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\WINDOWS\System32\FXSCLNT.exe" = C:\WINDOWS\System32\FXSCLNT.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{08610298-29AE-445B-B37D-EFBE05802967}" = LWS Pictures And Video
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{154508C0-07C5-4659-A7A0-E49968750D21}" = HLPPDOCK
"{15634701-BACE-4449-8B25-1567DA8C9FD3}" = CameraHelperMsi
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{15B70821-7893-4607-805A-BB80F3EA8279}" = Acer Empowering Technology framework
"{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{1651216E-E7AD-4250-92A1-FB8ED61391C9}" = LWS Help_main
"{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
"{174A3B31-4C43-43DD-866F-73C9DB887B48}" = LWS Twitter
"{193DB24F-9A66-4896-8404-22D53EA89075}" = 1400_Help
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}" = LWS YouTube Plugin
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{266959FA-0AEE-41D0-A88E-F1EAC10A7C14}" = 1400
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{38441BE7-79B0-42B8-8297-833704F949FE}" = HLPIndex
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2
"{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot
"{4F677FC7-7AA8-412B-A957-F13CBE1C7331}" = ESSSONIC
"{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}" = Paint.NET v3.31
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54C8FE84-89C4-40E8-976C-439EB0729BD6}" = CardRd81
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{65883ddf-2152-4cb7-8e13-b99194b13498}" = Nero BackItUp
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}" = Acer eLock Management
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}" = LWS Gallery
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71E66D3F-A009-44AB-8784-75E2819BA4BA}" = LWS Motion Detection
"{75c53f52-398b-4d66-b28a-f9ef170b3b34}" = Nero BackItUp
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}" = LWS Launcher
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{8937D274-C281-42E4-8CDB-A0B2DF979189}" = LWS Webcam Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}" = ESSCT
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}" = Sophos Anti-Virus
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{9DAEA76B-E50F-4272-A595-0124E826553D}" = LWS WLM Plugin
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}" = ESSvpaht
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADAC983-FDE9-42FA-8FD9-7BB324155593}" = HLPRFO
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ac9ca420-a607-4b95-b562-dc823bc6e409}" = Nero BackItUp 4 Essentials
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C510CA36-98D6-4F07-8AFF-81E7399A075B}" = 1400Trb
"{CA60320D-6A16-49C8-A34F-84EEF4799567}" = ESSTUTOR
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBB25040-2D43-4868-930C-F08B812F2BF8}" = Acer eDataSecurity Management
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0846526-66DD-4DC9-A02C-98F9A2806812}" = Launch Manager V1.0.9.3
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D40EB009-0499-459c-A8AF-C9C110766215}" = Logitech Webcam Software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{dba84796-8503-4ff0-af57-1747dd9a166d}" = Nero Online Upgrade
"{DEE08946-40F0-4890-853E-60A6C3306041}" = Acer ePerformance Management
"{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}" = Acer eSettings Management
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E431C518-2EE2-471E-9234-BE995C36D513}" = Acer eDataSecurity Management 1.00.21
"{e8a80433-302b-4ff1-815d-fcc8eac482ff}" = Nero Installer
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EED027B7-0DB6-404B-8F45-6DFEE34A0441}" = LWS Video Mask Maker
"{f4041dce-3fe1-4e18-8a9e-9de65231ee36}" = Nero ControlCenter
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}" = LWS Facebook
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_006A1025" = SoftV90 Data Fax Modem with SmartCP
"CNXT_MODEM_PCI_VEN_8086&DEV_266D_CplEFL5k" = Soft Data Fax Modem with SmartCP
"ePresentation" = Acer ePresentation Management
"GridVista" = Acer GridVista
"HP Document Viewer" = HP Document Viewer 5.3
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{15B70821-7893-4607-805A-BB80F3EA8279}" = Acer Empowering Technology framework
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"InstallShield_{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}" = Acer eLock Management
"InstallShield_{DEE08946-40F0-4890-853E-60A6C3306041}" = Acer ePerformance Management
"InstallShield_{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}" = Acer eSettings Management
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 16.0.1 (x86 en-US)" = Mozilla Firefox 16.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 17/10/2012 17:35:04 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Office 2003 (KB2598253): GDIPLUS' could not be installed. Error code
1603. Windows Installer can create logs to help troubleshoot issues with installing
software packages. Use the following link for instructions on turning on logging
support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 17/10/2012 17:36:01 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: D:\

Error - 17/10/2012 17:36:01 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Excel 2003 (KB2597086): EXCEL' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 17/10/2012 17:36:13 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: D:\

Error - 17/10/2012 17:36:13 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Word 2003 (KB2687483): WINWORD' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 17/10/2012 17:36:34 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: D:\

Error - 17/10/2012 17:36:34 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Office 2003 (KB2687323): MSCOMCTL' could not be installed. Error code
1603. Windows Installer can create logs to help troubleshoot issues with installing
software packages. Use the following link for instructions on turning on logging
support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 17/10/2012 17:36:47 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: D:\

Error - 17/10/2012 17:36:47 | Computer Name = ACER-684C9A655D | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Office 2003 (KB2584052): MSO' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 18/10/2012 03:12:30 | Computer Name = ACER-684C9A655D | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 5.10.0.116, faulting module
skype.exe, version 5.10.0.116, fault address 0x00f240bc.

[ System Events ]
Error - 17/10/2012 17:34:06 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB2598361).

Error - 17/10/2012 17:34:20 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB2493523).

Error - 17/10/2012 17:34:33 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office Publisher 2003 (KB2553084).

Error - 17/10/2012 17:34:52 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB2687324).

Error - 17/10/2012 17:35:05 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB2598253).

Error - 17/10/2012 17:36:02 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office Excel 2003 (KB2597086).

Error - 17/10/2012 17:36:13 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Word 2003 (KB2687483).

Error - 17/10/2012 17:36:34 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB2687323).

Error - 17/10/2012 17:36:47 | Computer Name = ACER-684C9A655D | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Security Update for Microsoft Office 2003 (KB2584052).

Error - 18/10/2012 03:08:45 | Computer Name = ACER-684C9A655D | Source = SAVOnAccessFilter | ID = 3997749
Description = The on-access driver failed to attach to \DCFS2k, because the I/O
method is not supported.


< End of report >



Regards,

Neil

#7 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,385 posts
  • Gender:Male
  • Location:California

Posted 18 October 2012 - 09:00 AM

Hi Neil,

I would like to clean up some stuff from the log. I am deleting what may be a legitimate Hotmail entry just to be safe. It is the O16 - DPF entry related to MSN Photo Upload Tool. This is a "Downloaded Program File" which is fine to remove because if it is needed again it will automatically be offered. Since there may be a sensitivity to Hotmail because of the current concern, I wanted to make sure you know the offer to install this tool is legitimate and the file can be downloaded again.

One of the other things I am doing is including a command to empty all the temporary folders, including browser entries. Existing temporary files may be the cause of the issue.

One point of clarification please:

so I brought over a netbook and plugged it into her network and went to the same page. It appeared different on the netbook, so I can only assume that Hotmail has had a recent makeover.

Does this mean it now looks different than it used to look on the Netbook and now looks the same as it does on your friend's computer?


===================================================


Run OTL Fix

--------------------

  • Double click on the Posted Image icon on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.


    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\Wbutton.sys -- (Wbutton)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.co.uk/search/
    FF - user.js - File not found
    O4 - HKLM..\RunOnceEx: [] File not found
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    [2011/06/27 12:51:26 | 000,007,780 | -HS- | C] () -- C:\Documents and Settings\June\Local Settings\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
    [2011/06/27 12:51:26 | 000,007,780 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
    :Commands
    [emptytemp]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • OTL.txt
  • Clarification
  • How is the computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 cctster

  • Topic Starter

  • Members
  • 26 posts

Posted 18 October 2012 - 09:51 AM

Hi,

The hotmail page on the netbook had changed to what was showing up on her computer. Therefore I could only assume that the Hotmail login page had been changed recently.

Will run the OTL stuff on the laptop when I get home.

Thanks,

Neil Harland

#9 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,385 posts
  • Gender:Male
  • Location:California

Posted 18 October 2012 - 10:03 AM

OK,

Is this the link you are using to access Hotmail and if so, does it look like the screen shot I have attached?

http://hotmail.com/
Gary

#10 cctster

  • Topic Starter

  • Members
  • 26 posts

Posted 18 October 2012 - 02:44 PM

Hi,

Please find below the contents of OTL.txt (or 10182012_201807.log, as it was called; I couldn't find a fresh OTL.txt, so I hope this is what you are after).

All processes killed
========== OTL ==========
Service WDICA stopped successfully!
Service WDICA deleted successfully!
Service Wbutton stopped successfully!
Service Wbutton deleted successfully!
File C:\WINDOWS\system32\drivers\Wbutton.sys not found.
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
Service PCIDump stopped successfully!
Service PCIDump deleted successfully!
Service lbrtfdc stopped successfully!
Service lbrtfdc deleted successfully!
Service Changer stopped successfully!
Service Changer deleted successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\ deleted successfully.
Starting removal of ActiveX control {4F1E5B1A-2A80-42CA-8532-2D05CB959537}
C:\WINDOWS\Downloaded Program Files\MsnPUpld.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4F1E5B1A-2A80-42CA-8532-2D05CB959537}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1E5B1A-2A80-42CA-8532-2D05CB959537}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4F1E5B1A-2A80-42CA-8532-2D05CB959537}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1E5B1A-2A80-42CA-8532-2D05CB959537}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
C:\Documents and Settings\June\Local Settings\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx moved successfully.
C:\Documents and Settings\All Users\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 666159 bytes

User: LocalService
->Temp folder emptied: 2834 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: June
->Temp folder emptied: 461984126 bytes
->Temporary Internet Files folder emptied: 74362259 bytes
->FireFox cache emptied: 63797257 bytes
->Flash cache emptied: 14316618 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2832913 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 83270420 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 239273478 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 897.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10182012_201807

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

=========================================================================================

The picture you sent of the login page is the one that we have been seeing.

=========================================================================================

The laptop seems to be responding fine at the present time.


Regards,
Neil Harland

#11 Oh My!

  • Malware Response Instructor
  • 36,385 posts
  • Gender:Male
  • Location:California

Posted 18 October 2012 - 04:23 PM

Hi Neil,

The Hotmail page is the correct one. I would like to scan her computer with Malwarebytes and ESET to see if there are any leftover entries. Please do this for me.


===================================================


Rerun Malwarebytes (MBAM)

--------------------

Temporarily disable your antivirus program.

  • Please locate your Malwarebytes icon and launch the program.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan.
Note: This process may take several hours.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the button shown.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • MBAM log
  • ESET log
  • Is the computer still running well?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 cctster

  • Topic Starter
  • Members
  • 26 posts

Posted 20 October 2012 - 04:43 AM

Hi,

Ran Malwarebytes. Here is the log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.19.12

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.13
June :: ACER-684C9A655D [administrator]

19/10/2012 20:39:39
mbam-log-2012-10-19 (20-39-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215965
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


============================================================================================================================================

Ran ESET Online scanner. It did not find any threats and did not present a button with 'list threats' so I was unable to produce a log for that.

=============================================================================================================================================

Computer is still running OK.

Regards,

Neil Harland

#13 Oh My!

  • Malware Response Instructor
  • 36,385 posts
  • Gender:Male
  • Location:California

Posted 20 October 2012 - 09:34 AM

Greetings Neil,

It appears all is well with your computer, so it is my great pleasure to proclaim to you the Good News!


===================================================


All Clean!

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to delete OTL:

  • Delete the tools used during the disinfection:
    • Double click the OTL icon on your desktop.
    • Close all other programs apart from OTL, as this step will require a reboot.
    • On the OTL main screen, press the CleanUp button.
    • Say Yes to the prompt and then allow the program to reboot your computer.

----------


Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:


In addition, here are some more links you might find of interest:


I will leave this topic open for just a couple of days in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary

#14 cctster

  • Topic Starter
  • Members
  • 26 posts

Posted 21 October 2012 - 05:08 PM

Hi,

Thanks for the all clear and the work you have put in on this; it is much appreciated.

Regards,

Neil Harland

#15 Oh My!

  • Malware Response Instructor
  • 36,385 posts
  • Gender:Male
  • Location:California

Posted 21 October 2012 - 05:30 PM

Hi Neil,

You are most welcome. You were a pleasure to work with.

All the best,

Gary