Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need help finding MITM Trojan please!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 5th, 2013, 11:24 pm

oops. Here's the extras.txt

OTL Extras logfile created on: 2013-04-04 12:19:24 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\richardhod\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16521)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

7.75 Gb Total Physical Memory | 5.65 Gb Available Physical Memory | 72.92% Memory free
15.49 Gb Paging File | 12.75 Gb Available in Paging File | 82.27% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.97 Gb Total Space | 254.75 Gb Free Space | 56.24% Space Free | Partition Type: NTFS

Computer Name: HOD17ACER | User Name: richardhod | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2107948035-1365278439-778997172-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{B71B6F8C-74D0-4484-A112-8D45AA38D82C}" = lport=2869 | protocol=6 | dir=in | app=system |
"{E8873936-A3DE-4618-964B-724676831466}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03AB406B-5F06-46E7-B015-6F2707A1EB98}" = protocol=17 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{0A5EC9E3-BAC1-4807-AC3D-FC1D06D0A027}" = protocol=6 | dir=in | app=c:\program files (x86)\newtech infosystems\nti backup now 5\backupsvc.exe |
"{1C0050AE-99EB-44C5-B7E2-27809C48930D}" = protocol=17 | dir=in | app=c:\windows\syswow64\muzapp.exe |
"{1CF0E0FB-EA4E-472B-9004-DE2FD56AA038}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
"{37395427-CA99-484D-8A64-96F960DBF540}" = dir=in | app=c:\program files (x86)\janetter2\bin\janettersrv.exe |
"{37D23602-E69A-4F4F-8466-47B1B8BDE3DE}" = protocol=17 | dir=in | app=c:\users\richardhod\appdata\roaming\dropbox\bin\dropbox.exe |
"{3AE01A3C-B791-4E59-A3FA-158C35C0723B}" = protocol=17 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{4D24CE6B-AC18-408C-A553-4B04E590676B}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{66AA3783-9CCF-4ACE-A791-0AFAD73DA55D}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
"{6AE917FE-E552-4C72-A81B-1C09183A8F18}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{726727DF-F496-4441-92EF-C6CB009C0F88}" = protocol=6 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{77BDFB90-7622-486E-AF41-3A1F2B742EC4}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{86FE6C79-CCC7-4DFA-BA5E-551D8EB0D35A}" = protocol=6 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{8B292D7B-FE91-420B-9A85-ED94CE50190D}" = protocol=17 | dir=in | app=c:\program files (x86)\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{90C3202B-334B-45B6-845C-8611675421DB}" = protocol=6 | dir=in | app=c:\windows\syswow64\muzapp.exe |
"{B184DB29-1616-4EDC-8B66-9A20B153E464}" = protocol=6 | dir=in | app=c:\program files (x86)\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{BB946326-3A92-4984-BEFC-907D797A7F1D}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{BC9BC118-410A-418C-B63A-D89585E98C4F}" = protocol=17 | dir=in | app=c:\program files (x86)\newtech infosystems\nti backup now 5\backupsvc.exe |
"{C4C3E3E7-3043-426C-A8B9-218DA976925E}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{D7B1BB63-24E6-4957-AD0E-CFF15E82BBA6}" = dir=in | app=c:\program files (x86)\cyberlink\powerdvd9\powerdvd9.exe |
"{ED4B4AA3-6238-4838-8090-AADCE8A6E796}" = protocol=6 | dir=in | app=c:\users\richardhod\appdata\roaming\dropbox\bin\dropbox.exe |
"{F99C700E-5159-467F-9937-2AADD1CA039A}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"TCP Query User{3C1A3C63-D0D4-4944-A660-224499374677}C:\users\richardhod\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\richardhod\appdata\roaming\spotify\spotify.exe |
"TCP Query User{63C27F45-F19F-45FA-A951-67415E55BFE2}C:\users\richardhod\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\richardhod\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{AEFEE17D-97B9-4765-B229-21DF1A5BDB01}C:\users\richardhod\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\richardhod\appdata\roaming\spotify\spotify.exe |
"UDP Query User{CC6940B0-BA46-4E8E-B636-D014D999AAEA}C:\users\richardhod\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\richardhod\appdata\roaming\dropbox\bin\dropbox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F557316-CFC0-41BD-AFF7-8BC49CE444D7}" = Shredder
"{443A416C-BD21-9746-78C4-8139DFAA18B7}" = AMD Media Foundation Decoders
"{49DADDE6-41A1-5A2B-C518-0EBE12261352}" = AMD Catalyst Install Manager
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{7E9984FD-DF5D-D0D9-E552-7872964F00CC}" = ccc-utility64
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A84DB02B-9C2B-4272-9D2D-A80E00A56513}" = Broadcom Gigabit NetLink Controller
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{E0DB5A61-87B0-EA67-BFA5-374E1AAD22A2}" = AMD Fuel
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = Acer Crystal Eye Webcam
"{0D7CD0D9-4A88-4A63-8F91-3F4E8F371768}" = MyWinLocker
"{0E33EC53-22CE-426C-A88B-2AAC231BAC85}" = Catalyst Control Center - Branding
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java(TM) 6 Update 32
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{35FE995E-5A31-D005-0303-8D9FBBD4B67B}" = Catalyst Control Center Graphics Previews Common
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer ePower Management
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1
"{533B3480-EAB6-44DD-B2E4-715E958210E0}" = TweetDeck
"{5AF4B3C4-C393-48D7-AC7E-8E7615579548}" = Adobe AIR
"{6030FCD7-8F1A-427D-AF05-8DD1A2EA2ABA}" = Alcor Micro USB Card Reader
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{72B776E5-4530-4C4B-9453-751DF87D9D93}" = Backup Manager Basic
"{738BF5C3-AF7B-4BB0-B7EF-E505EFC756BE}" = MyWinLocker Suite
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{7E5FFC5E-5A7F-864A-2E0D-0B234ED7B14F}" = Catalyst Control Center InstallProxy
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82AF3E91-57E1-4754-84D0-40A46E2479AB}" = OpenOffice.org 3.3
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{987B04C4-B5AC-4AD6-A7E9-8D681085B850}" = AMD USB Filter Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-FFFF-7B44-A91000000001}" = Adobe Reader 9.5.1 MUI
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B829E117-D072-41EA-9606-9826A38D34C1}" = Sophos Virus Removal Tool
"{C025595B-A217-7317-65D8-CE7D304FCD30}" = AMD VISION Engine Control Center
"{C2695E83-CF1D-43D1-84FE-B3BEC561012A}" = Shredder
"{C496ED25-F3EC-0CBC-37DB-B31C6E6592C9}" = Application Profiles
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Norton Online Backup
"{D4E16961-E6FA-4689-AD09-3DB7E5770167}" = Catalyst Control Center InstallProxy
"{D5AFB7E8-D81F-F57F-4D43-EC95E49425FE}" = Catalyst Control Center Localization All
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DDAFC46A-90E2-11E2-B700-984BE15F174E}" = Evernote v. 4.6.4
"{E0B19DF7-B1C7-4937-82C4-0E4B1E346965}" = eBay Worldwide
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{EE171732-BEB4-4576-887D-CB62727F01CA}" = Acer Updater
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F76C09F9-C367-6FB9-4965-A26211D094FC}" = CCC Help English
"4F6D5E84-5826-4394-9F40-3A9A19165651_is1" = Pandora Service
"7-Zip" = 7-Zip 9.22beta
"Acer Game Console" = Acer Game Console
"Acer Registration" = Acer Registration
"Acer Screensaver" = Acer ScreenSaver
"Acer Welcome Center" = Welcome Center
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Afterburner" = MSI Afterburner 2.1.0
"avast" = avast! Free Antivirus
"Catan Online Welt" = Catan Online World
"ESET Online Scanner" = ESET Online Scanner v3
"ExpatShield" = Expat Shield 2.25
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HyperCam 2" = HyperCam 2
"Identity Card" = Identity Card
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = Acer Crystal Eye Webcam
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{6030FCD7-8F1A-427D-AF05-8DD1A2EA2ABA}" = Alcor Micro USB Card Reader
"InstallShield_{72B776E5-4530-4C4B-9453-751DF87D9D93}" = Acer Backup Manager
"InstallShield_{738BF5C3-AF7B-4BB0-B7EF-E505EFC756BE}" = MyWinLocker Suite
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"IrfanView" = IrfanView (remove only)
"ISO Workshop_is1" = ISO Workshop 3.7
"Janetter2_is1" = Janetter 4.0.2.0
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"Mozilla Thunderbird 17.0.3 (x86 en-US)" = Mozilla Thunderbird 17.0.3 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Portal" = Portal
"RiseofNationsExpansionTrial 1.0" = Rise of Nations Thrones and Patriots Trial Version
"Scrivener 1250" = Scrivener
"The KMPlayer" = The KMPlayer (remove only)
"Tweaking.com - Registry Backup" = Tweaking.com - Registry Backup
"VLC media player" = VLC media player 2.0.5
"WildTangent acer Master Uninstall" = Acer Games
"WinLiveSuite_Wave3" = Windows Live Essentials
"WT078749" = Bejeweled 2 Deluxe
"WT078774" = Zuma Deluxe
"WT078953" = Blackhawk Striker 2
"WT078961" = Bob the Builder Can-Do-Zoo
"WT079017" = Faerie Solitaire
"WT079021" = FATE - The Traitor Soul
"WT079065" = Jewel Quest Solitaire 3
"WT079097" = Monopoly
"WT079101" = Mystery P.I. - Lost in Los Angeles
"WT079105" = Penguins!
"WT079109" = Plants vs. Zombies
"WT079113" = Polar Bowler
"WT079117" = Polar Golfer
"WT079149" = Scrabble Plus
"WT079153" = The Price is Right
"WT079173" = Virtual Villagers - A New Home
"WT079179" = Yahtzee
"WT079193" = Build-a-lot 2
"WT079218" = Escape Rosecliff Island
"WT079643" = Virtual Families

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2107948035-1365278439-778997172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"MyFreeCodec" = MyFreeCodec
"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2013-03-08 4:26:14 AM | Computer Name = hod17acer | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe".
Dependent
Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 2013-03-08 4:26:14 AM | Computer Name = hod17acer | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe".
Dependent
Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 2013-03-08 5:51:28 AM | Computer Name = hod17acer | Source = System Restore | ID = 8193
Description =

Error - 2013-03-08 5:53:08 AM | Computer Name = hod17acer | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 2013-03-08 12:32:25 PM | Computer Name = hod17acer | Source = System Restore | ID = 8193
Description =

Error - 2013-03-08 12:32:29 PM | Computer Name = hod17acer | Source = System Restore | ID = 8193
Description =

Error - 2013-03-09 4:19:06 AM | Computer Name = hod17acer | Source = Desktop Window Manager | ID = 9020
Description = The Desktop Window Manager has encountered a fatal error (0x8007000e)

Error - 2013-03-09 7:28:40 AM | Computer Name = hod17acer | Source = Application Error | ID = 1000
Description = Faulting application name: plugin-container.exe, version: 12.0.0.4493,
time stamp: 0x4f920759 Faulting module name: NPSWF32_11_5_502_149.dll_unloaded,
version: 0.0.0.0, time stamp: 0x510c7969 Exception code: 0xc0000005 Fault offset:
0x5ba2b724 Faulting process id: 0x1890 Faulting application start time: 0x01ce1cb8e96d0736
Faulting
application path: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe Faulting
module path: NPSWF32_11_5_502_149.dll Report Id: 7db96e24-88ac-11e2-b911-206a8a441344

Error - 2013-03-09 10:58:56 AM | Computer Name = hod17acer | Source = System Restore | ID = 8193
Description =

Error - 2013-03-10 4:00:45 AM | Computer Name = hod17acer | Source = System Restore | ID = 8193
Description =

[ System Events ]
Error - 2013-03-28 11:00:11 PM | Computer Name = hod17acer | Source = Service Control Manager | ID = 7001
Description = The HomeGroup Provider service depends on the Function Discovery Provider
Host service which failed to start because of the following error: %%1068

Error - 2013-03-28 11:00:12 PM | Computer Name = hod17acer | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2013-03-28 11:00:12 PM | Computer Name = hod17acer | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2013-03-28 11:00:12 PM | Computer Name = hod17acer | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2013-03-28 11:00:12 PM | Computer Name = hod17acer | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2013-03-29 3:56:30 PM | Computer Name = hod17acer | Source = DCOM | ID = 10005
Description =

Error - 2013-03-29 3:57:40 PM | Computer Name = hod17acer | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description = WLAN Extensibility Module has failed to start. Module Path: C:\windows\system32\athExt.dll
Error
Code: 126

Error - 2013-03-29 3:57:55 PM | Computer Name = hod17acer | Source = SNMP | ID = 16713180
Description = The SNMP Service encountered an error while accessing the registry
key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Error - 2013-03-30 2:31:31 PM | Computer Name = hod17acer | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description = WLAN Extensibility Module has failed to start. Module Path: C:\windows\system32\athExt.dll
Error
Code: 126

Error - 2013-03-30 2:31:45 PM | Computer Name = hod17acer | Source = SNMP | ID = 16713180
Description = The SNMP Service encountered an error while accessing the registry
key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.


< End of report >
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm
Advertisement
Register to Remove

Re: Need help finding MITM Trojan please!

Unread postby Gary R » April 6th, 2013, 1:00 am

That looks OK as well.

I just need to see the e-set log now, post it as soon as you've run the scan please.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21861
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 6th, 2013, 9:27 am

and from new install eset.txt. Seems I didnt run it last time properly after all, my error. Found a few things.

thanks!

C:\Users\richardhod\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_HC2Setup_exe.exe a variant of Win32/InstallCore.D application
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_KMPlayer_EN_3_1_0_0_R2_exe.exe a variant of Win32/InstallCore.D application
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_setupscreenhunterfree_exe.exe a variant of Win32/InstallCore.D application
C:\Users\richardhod\AppData\Local\Temp\is1598539481\1421666529_Setup.DAT multiple threats
C:\Users\richardhod\Downloads\cbsidlm-tr1_9-Risk_II-ORG2-10618168.exe multiple threats
C:\Users\richardhod\Downloads\cnet2_HC2Setup_exe.exe a variant of Win32/InstallCore.D application
C:\Users\richardhod\Downloads\cnet2_jing_setup_exe.exe a variant of Win32/InstallCore.D application
C:\Users\richardhod\Downloads\cnet2_KMPlayer_EN_3_1_0_0_R2_exe.exe a variant of Win32/InstallCore.D application
C:\Users\richardhod\Downloads\cnet2_setupscreenhunterfree_exe.exe a variant of Win32/InstallCore.D application
C:\Users\richardhod\Downloads\KMPlayer_EN_3.1.0.0_R2.exe multiple threats
C:\Users\richardhod\Downloads\PhotoPosPro_SetUp.exe Win32/Toolbar.Zugo application
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby Gary R » April 6th, 2013, 10:28 am

OK, let's take care of what we've found in the scans we've run so far ....

First

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Java(TM) 6 Update 32
Java 7 Update 9


Old versions of Java can be exploited, if you need to have Java installed it is essential you use the latest version.

When they've both been uninstalled re-boot your computer.

Very few sites need Java to be installed, and most people can happily browse the Internet without it. Java is often exploited and used as a vector to infect peple's machines. There are more zero day exploits for Java than any other program I know. Personally I recommend people not to install it unless they have a very real need for it. If you do, then to minimise any threats install the latest version ... JDK 7 Update 17 (JDK or JRE).

Next

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:OTL
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 10.9.2)
O33 - MountPoints2\{176c6a80-2f7b-11e2-8358-206a8a441344}\Shell - "" = AutoRun
O33 - MountPoints2\{176c6a80-2f7b-11e2-8358-206a8a441344}\Shell\AutoRun\command - "" = H:\StartClickFreeBackup.exe
O33 - MountPoints2\{176c6a9e-2f7b-11e2-8358-206a8a441344}\Shell - "" = AutoRun
O33 - MountPoints2\{176c6a9e-2f7b-11e2-8358-206a8a441344}\Shell\AutoRun\command - "" = F:\StartClickFreeBackup.exe
O33 - MountPoints2\{176c6ab2-2f7b-11e2-8358-206a8a441344}\Shell - "" = AutoRun
O33 - MountPoints2\{176c6ab2-2f7b-11e2-8358-206a8a441344}\Shell\AutoRun\command - "" = F:\StartClickFreeBackup.exe
[2013-04-01 22:52:09 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\uTorrent
[2012-01-05 02:44:09 | 000,003,292 | ---- | M] () -- C:\windows\SysNative\tasks\{7E5095F1-C390-4735-B5D6-DD1A64DFAD1D}

:Files
C:\Program Files (x86)\uTorrent
C:\Users\richardhod\AppData\Local\Temp\AskSLib.dll
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_HC2Setup_exe.exe
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_KMPlayer_EN_3_1_0_0_R2_exe.exe
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_setupscreenhunterfree_exe.exe
C:\Users\richardhod\AppData\Local\Temp\is1598539481\1421666529_Setup.DAT 
C:\Users\richardhod\Downloads\cbsidlm-tr1_9-Risk_II-ORG2-10618168.exe 
C:\Users\richardhod\Downloads\cnet2_HC2Setup_exe.exe
C:\Users\richardhod\Downloads\cnet2_jing_setup_exe.exe
C:\Users\richardhod\Downloads\cnet2_KMPlayer_EN_3_1_0_0_R2_exe.exe
C:\Users\richardhod\Downloads\cnet2_setupscreenhunterfree_exe.exe
C:\Users\richardhod\Downloads\KMPlayer_EN_3.1.0.0_R2.exe
C:\Users\richardhod\Downloads\PhotoPosPro_SetUp.exe
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[createrestorepoint]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21861
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 6th, 2013, 1:13 pm

Also removed JavaFX 2.1.1
Running OTL
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 6th, 2013, 1:50 pm

OTL rebooted then opened the log automagically. Seems to work.
Thank you again...
Slight cockup in that I forgot the reboot between java removal and OTL running, but reckoned if I tell you here and it really matters I'll run OTL again.

Here's the fix log:

All processes killed
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{176c6a80-2f7b-11e2-8358-206a8a441344}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{176c6a80-2f7b-11e2-8358-206a8a441344}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{176c6a80-2f7b-11e2-8358-206a8a441344}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{176c6a80-2f7b-11e2-8358-206a8a441344}\ not found.
File H:\StartClickFreeBackup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{176c6a9e-2f7b-11e2-8358-206a8a441344}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{176c6a9e-2f7b-11e2-8358-206a8a441344}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{176c6a9e-2f7b-11e2-8358-206a8a441344}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{176c6a9e-2f7b-11e2-8358-206a8a441344}\ not found.
File F:\StartClickFreeBackup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{176c6ab2-2f7b-11e2-8358-206a8a441344}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{176c6ab2-2f7b-11e2-8358-206a8a441344}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{176c6ab2-2f7b-11e2-8358-206a8a441344}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{176c6ab2-2f7b-11e2-8358-206a8a441344}\ not found.
File F:\StartClickFreeBackup.exe not found.
C:\Users\richardhod\AppData\Roaming\uTorrent\share folder moved successfully.
C:\Users\richardhod\AppData\Roaming\uTorrent\ie folder moved successfully.
C:\Users\richardhod\AppData\Roaming\uTorrent\dlimagecache folder moved successfully.
C:\Users\richardhod\AppData\Roaming\uTorrent\Cache folder moved successfully.
C:\Users\richardhod\AppData\Roaming\uTorrent\apps folder moved successfully.
C:\Users\richardhod\AppData\Roaming\uTorrent folder moved successfully.
C:\Windows\SysNative\Tasks\{7E5095F1-C390-4735-B5D6-DD1A64DFAD1D} moved successfully.
========== FILES ==========
C:\Program Files (x86)\uTorrent folder moved successfully.
C:\Users\richardhod\AppData\Local\Temp\AskSLib.dll moved successfully.
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_HC2Setup_exe.exe moved successfully.
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_KMPlayer_EN_3_1_0_0_R2_exe.exe moved successfully.
C:\Users\richardhod\AppData\Local\Temp\ICReinstall\cnet2_setupscreenhunterfree_exe.exe moved successfully.
C:\Users\richardhod\AppData\Local\Temp\is1598539481\1421666529_Setup.DAT moved successfully.
C:\Users\richardhod\Downloads\cbsidlm-tr1_9-Risk_II-ORG2-10618168.exe moved successfully.
C:\Users\richardhod\Downloads\cnet2_HC2Setup_exe.exe moved successfully.
C:\Users\richardhod\Downloads\cnet2_jing_setup_exe.exe moved successfully.
C:\Users\richardhod\Downloads\cnet2_KMPlayer_EN_3_1_0_0_R2_exe.exe moved successfully.
C:\Users\richardhod\Downloads\cnet2_setupscreenhunterfree_exe.exe moved successfully.
C:\Users\richardhod\Downloads\KMPlayer_EN_3.1.0.0_R2.exe moved successfully.
C:\Users\richardhod\Downloads\PhotoPosPro_SetUp.exe moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\richardhod\Desktop\cmd.bat deleted successfully.
C:\Users\richardhod\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 57616 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: richardhod
->Temp folder emptied: 904106697 bytes
->Temporary Internet Files folder emptied: 204410587 bytes
->Java cache emptied: 30086456 bytes
->FireFox cache emptied: 463052951 bytes
->Google Chrome cache emptied: 731450053 bytes
->Flash cache emptied: 175777 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 220298715 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 126677587 bytes
RecycleBin emptied: 218462396 bytes

Total Files Cleaned = 2,764.00 mb

C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 04062013_181637

Files\Folders moved on Reboot...
C:\Users\richardhod\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\richardhod\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\windows\temp\dsiwmis.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby Gary R » April 9th, 2013, 10:09 am

Sorry to be so late getting back to you, I didn't get a notification that you'd replied. We've just had a server move, and it seems that created a few problems with the e-mails that I wasn't aware of.

As far as I can see your machine is now clear of any signs of any infection.

To be honest I've not seen any signs of a MITM trojan at any point in our investigation of your machine, and I'd be interested to know on what evidence your bank was making the claim that you were infected. I strongly suspect it was based on some kind of heuristic detection, which really is no basis to make a decision upon.

I don't believe there's anything further we can really do to "prove" your machine is clean, the only other thing you might consider is to reset your modem/router, just in case any alterations have been made to that. Most routers now come either with a reset button on the front, or a small button on the back of the machine that is accessed using a straightened out paper clip or something similar.

All that's really left to do now is to remove the programs we've been using on your machine ...

First let's clear out OTL and the files and folders it created. This will also remove TDSSKiller and GMER.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

Please delete ... MBRScan.exe and the dump file it created.

Next

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Tweaking.com Registry Backup


As far as I can see, your computer looks clear of infection.

Are you noticing any problems ?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21861
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 9th, 2013, 7:37 pm

Thank you Gary! I had my suspicions that they were full of it. Bottom level support, but they're adamant. So, even when your idiot alarms are ringing, the doubt means that beause you're not sure it's time to search. And HijackThis just wasn't cutting it any more 8)

If I can learn more, and even volunteer a bit once good enough, LMK. I'll nose round the site, but in case you guys have an obvious M to RTF

Thanks again, you've been great.
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby Gary R » April 10th, 2013, 1:44 am

You're welcome, glad I could reassure you that your computer does not appear to be infected. :)

If you want to train to help others, we do run a course, details of which can be found .... here.

It's fairly time consuming, but it is very thorough, and covers pretty much all the things we've dealt with on your machine and a whole lot of other stuff too. If you do decide to enrol, I'll no doubt be seeing more of you. :)

As your problems now appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21861
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware