Suspected browser hacker running on ACER laptop

Solved
By BuntyMcTavish
Mar 4, 2011
Topic Status:
Not open for further replies.
  1. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    Extras.txt

    OTL Extras logfile created on: 05/03/2011 01:12:49 - Run 1
    OTL by OldTimer - Version 3.2.22.2 Folder = C:\Users\Adelle\Downloads
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6002.18005)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 38.00% Memory free
    4.00 Gb Paging File | 2.00 Gb Available in Paging File | 58.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 69.77 Gb Total Space | 24.50 Gb Free Space | 35.12% Space Free | Partition Type: NTFS
    Drive D: | 66.27 Gb Total Space | 66.15 Gb Free Space | 99.81% Space Free | Partition Type: NTFS

    Computer Name: MAXIMILLION | User Name: Adelle | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-37103013-922620923-1544370479-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-37103013-922620923-1544370479-1000]
    "EnableNotifications" = 0
    "EnableNotificationsRef" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{B5738786-DCE6-4EA8-916B-72F12AFCFC7B}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{2A367DDF-A822-49A6-90DF-C5984277AFEA}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
    "{30D70EC9-E907-41C0-A858-E622721BD703}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
    "{31A6BE51-E2D7-4EA4-A336-06D4A5FA9408}" = dir=in | app=c:\windows\system32\lxeacoms.exe |
    "{3902BD75-7BED-4517-8E4A-972F8E848481}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{3E554CB8-26CF-4464-908A-E9B295FBF948}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
    "{4A1AEB95-DD02-4F65-B38D-D311A5CF3166}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{52EF9A23-F3CD-4E24-8769-DC25AEA23F12}" = protocol=17 | dir=in | app=c:\windows\system32\lxeacoms.exe |
    "{59B9AEC5-0035-4CAE-9B49-5DFB06652515}" = protocol=6 | dir=in | app=c:\program files\kontiki\kservice.exe |
    "{758ACB88-0A0E-420C-BA01-423FC3743EF8}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
    "{84841D17-5B61-490B-91ED-E17D4D747ED7}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{8DCA6201-44C8-4F09-81E4-3EB5716A100D}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
    "{8F0D6C2B-8BCA-407E-B6E4-8764A61103FD}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{AD297AF0-35E1-42CD-9583-B2D6299DE96B}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
    "{B7781F29-D92A-4D7F-9F1D-46E06BFD4728}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{BCCAC9BD-93C0-4B12-9709-19CF69F56ECB}" = protocol=17 | dir=in | app=c:\program files\kontiki\kservice.exe |
    "{C5F80F91-D758-4D49-94FF-0F3B192B4BFD}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{C760BF2A-62FA-4A33-82EB-34D570758D0D}" = protocol=6 | dir=in | app=c:\windows\system32\lxeacoms.exe |
    "{DCC97178-A277-48C3-B8B7-7E4D79E17D08}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
    "{E7875E54-4B97-40E4-A69D-8A7A40A6B5E4}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
    "{F2B0526E-F0D5-4A1B-82E4-447674763647}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
    "{FBD8B497-191E-4FFB-8166-C35AD94696F0}" = dir=in | app=c:\program files\acer\acer vcm\vc.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
    "{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
    "{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In
    "{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}" = Safari
    "{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 24
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
    "{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}" = Norton Internet Security
    "{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Acer Crystal Eye webcam
    "{3C349576-B3B4-6708-F73C-DC2932065357}" = BBC iPlayer Desktop
    "{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}" = ccCommon
    "{427967BF-09F8-46D5-9275-37001CCBBA5D}" = Winbond CIR Drivers
    "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{57265292-228A-41FA-9AEC-4620CBCC2739}" = Acer eAudio Management
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
    "{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
    "{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security
    "{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
    "{67ADE9AF-5CD9-4089-8825-55DE4B366799}" = NTI Backup NOW! 4.7
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{73FAD870-C7A8-4344-BA8F-DF8675276E91}" = BitDefender Total Security 2011
    "{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}" = Norton Protection Center
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
    "{AA047D7C-5E7C-4878-B75C-77589151B563}" = Acer Crystal Eye webcam
    "{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
    "{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
    "{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
    "{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X
    "{AEEAE013-92F1-4515-B278-139F1A692A36}" = Acer eDataSecurity Management
    "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer 3.72
    "{BCB4C18A-ACA6-4383-8688-E19933A705DD}" = Microsoft SOAP Toolkit 3.0
    "{BF839132-BD43-4056-ACBF-4377F4A88E2A}" = Acer ePresentation Management
    "{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management
    "{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
    "{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management
    "{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
    "{D353CC51-430D-4C6F-9B7E-52003DA1E05A}" = Norton Confidential Web Protection Component
    "{D466F3D9-510C-4729-B7D4-2E70490E4CDF}" = BBC iPlayer Download Manager
    "{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
    "{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton Internet Security
    "{E5BA0430-919F-46DD-B656-0796F8A5ADFF}" = Microsoft Office Communicator 2007
    "{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
    "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "avast" = avast! Free Antivirus
    "BBC iPlayer Download Manager" = BBC iPlayer Download Manager
    "BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
    "BitDefender" = BitDefender Total Security 2011
    "CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    "CameraWindowLauncher" = Canon Utilities CameraWindow
    "CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
    "Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
    "CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
    "DPP" = Canon Utilities Digital Photo Professional 3.3
    "ENTERPRISER" = Microsoft Office Enterprise 2007
    "EOS Utility" = Canon Utilities EOS Utility
    "Google Desktop" = Google Desktop
    "GridVista" = Acer GridVista
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "Lexmark S300-S400 Series" = Lexmark S300-S400 Series
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "McAfee Security Scan" = McAfee Security Scan
    "Mozilla Firefox (3.6.14)" = Mozilla Firefox (3.6.14)
    "MyCamera" = Canon Utilities MyCamera
    "Original Data Security Tools" = Canon Utilities Original Data Security Tools
    "PhotoStitch" = Canon Utilities PhotoStitch
    "Picasa 3" = Picasa 3
    "Picture Style Editor" = Canon Utilities Picture Style Editor
    "RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
    "RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "TomTom HOME" = TomTom HOME 2.7.6.2056
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
    "ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 24/11/2009 15:15:27 | Computer Name = Maximillion | Source = VSS | ID = 8194
    Description =

    Error - 27/11/2009 20:02:05 | Computer Name = Maximillion | Source = Microsoft-Windows-CAPI2 | ID = 131083
    Description =

    Error - 28/11/2009 13:57:55 | Computer Name = Maximillion | Source = Microsoft-Windows-CAPI2 | ID = 131083
    Description =

    Error - 28/11/2009 13:57:56 | Computer Name = Maximillion | Source = Microsoft-Windows-CAPI2 | ID = 131083
    Description =

    Error - 28/11/2009 13:59:18 | Computer Name = Maximillion | Source = Microsoft-Windows-CAPI2 | ID = 131083
    Description =

    Error - 23/12/2009 14:17:49 | Computer Name = Maximillion | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 7.0.6001.18000, time stamp
    0x47918f11, faulting module Flash10b.ocx, version 10.0.22.87, time stamp 0x4987a6c3,
    exception code 0xc0000005, fault offset 0x0015bd5e, process id 0x133c, application
    start time 0x01ca83fbda531d42.

    Error - 19/01/2010 16:33:16 | Computer Name = Maximillion | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 7.0.6001.18000 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Problem Reports and Solutions control panel. Process
    ID: 132c Start Time: 01ca99460c61031f Termination Time: 23

    Error - 25/01/2010 14:55:23 | Computer Name = Maximillion | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 7.0.6001.18000, time stamp
    0x47918f11, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
    code 0xc0000005, fault offset 0x002f0363, process id 0x1354, application start time
    0x01ca9debf334c044.

    Error - 18/02/2010 15:44:14 | Computer Name = Maximillion | Source = VSS | ID = 8194
    Description =

    Error - 16/03/2010 17:54:32 | Computer Name = Maximillion | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 7.0.6001.18000 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Problem Reports and Solutions control panel. Process
    ID: 1790 Start Time: 01cac552c2f7ffb8 Termination Time: 0

    [ System Events ]
    Error - 04/03/2011 20:06:48 | Computer Name = Maximillion | Source = Microsoft-Windows-Servicing | ID = 4385
    Description =

    Error - 04/03/2011 20:06:48 | Computer Name = Maximillion | Source = Microsoft-Windows-Servicing | ID = 4375
    Description =

    Error - 04/03/2011 20:06:48 | Computer Name = Maximillion | Source = Microsoft-Windows-Servicing | ID = 4385
    Description =

    Error - 04/03/2011 20:06:48 | Computer Name = Maximillion | Source = Microsoft-Windows-Servicing | ID = 4375
    Description =

    Error - 04/03/2011 20:06:48 | Computer Name = Maximillion | Source = Microsoft-Windows-Servicing | ID = 4385
    Description =

    Error - 04/03/2011 20:06:55 | Computer Name = Maximillion | Source = Service Control Manager | ID = 7034
    Description =

    Error - 04/03/2011 20:08:01 | Computer Name = Maximillion | Source = Service Control Manager | ID = 7034
    Description =

    Error - 04/03/2011 20:08:06 | Computer Name = Maximillion | Source = Service Control Manager | ID = 7030
    Description =

    Error - 04/03/2011 20:30:17 | Computer Name = Maximillion | Source = Service Control Manager | ID = 7030
    Description =

    Error - 04/03/2011 20:40:11 | Computer Name = Maximillion | Source = Service Control Manager | ID = 7030
    Description =


    < End of report >
  2. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    You can't run two AV programs at the same time, so you'll have to uninstall BitDefender for now.

    ===========================================================================

    Uninstall McAfee Security Scan, known foistware.

    ========================================================================

    Unless you willingly installed Kontiki Player....
    Go Start>Control Panel>Add\Remove ("Programs and Features" in Vista), and uninstall Sky Anytime (if present).
    Download, and run KClean.exe: http://static.sky.com/kclean/KClean.exe to remove Kontiki from your computer.
    NOTE: Kontiki is a known resource hog.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (SymAppCore)
      SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Service)
      SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/...nAxControl.CAB (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2011/03/03 05:04:16 | 000,000,000 | ---D | C] -- C:\Users\Adelle\AppData\Roaming\scb1pcxueuwkvgpcqpjhkuximvpomhw
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
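    The Extras log posted above shows "DisableMonitoring" = 1 under the Security Center Monitoring key, and the :Reg block in this reply deletes that value. As an added example (not the thread's code or OTL's own), the Python script below parses the registry-style sections of an OTL Extras log, flags the Security Center and firewall values a helper checks first, and renders the deletions in the same :Reg syntax; the sample log is constructed to mirror the posted format.

```python
"""Parse the registry-style sections of an OTL 'Extras' log and flag the
Security Center and firewall settings a malware-removal helper checks first.
Added example, not code from the thread or from OTL; the sample log below is
constructed to mirror the format of the Extras.txt posted above."""
import re

# Constructed sample in OTL Extras format. It mirrors the posted log, except
# that PublicProfile has the firewall switched off to exercise that check.
SAMPLE_LOG = r"""========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 1
"EnableFirewall" = 0
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")      # ========== Name ==========
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")    # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')   # "Name" = value
GLOBAL_MONITORING = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring"


def parse_extras(text):
    """Return {section: {registry_key: {value_name: value_text}}}; values stay
    as the text OTL printed so "Reg Error: ..." entries remain visible."""
    sections = {}
    section = key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            sections.setdefault(section, {})
            key = None
        elif (m := KEY_RE.match(line)) and section is not None:
            key = m.group(1)
            sections[section].setdefault(key, {})
        elif (m := VALUE_RE.match(line)) and key is not None:
            sections[section][key][m.group(1)] = m.group(2)
    return sections


def review_extras(sections):
    """Return findings as (action, registry_key, note) tuples: "delete" means
    remove the value, as the :Reg block in the reply above does; "review"
    means a person decides before anything is changed."""
    findings = []
    for key, values in sections.get("Security Center Settings", {}).items():
        if values.get("DisableMonitoring") != "1":
            continue
        if key == GLOBAL_MONITORING:
            findings.append(("delete", key, "Security Center monitoring is off, "
                             "so missing or disabled AV/firewall goes unreported"))
        else:  # vendor subkey, often left behind by an uninstalled security suite
            vendor = key.rsplit("\\", 1)[-1]
            findings.append(("review", key, f"{vendor} opted out of Security Center "
                             "monitoring; confirm it is still installed and running"))
    for key, values in sections.get("Firewall Settings", {}).items():
        profile = key.rsplit("\\", 1)[-1]
        if values.get("EnableFirewall") == "0":
            findings.append(("review", key, f"Windows Firewall is off for {profile}"))
        if values.get("DisableNotifications") == "1":
            findings.append(("review", key, f"firewall alerts suppressed for {profile}"))
    return findings


def otl_reg_fix(findings):
    """Render the "delete" findings as an OTL :Reg block; '"Name" =-' is the
    value-deletion syntax used in the fix posted above."""
    lines = [":Reg"]
    for action, key, _ in findings:
        if action == "delete":
            lines += [f"[{key}]", '"DisableMonitoring" =-']
    return "\n".join(lines)


if __name__ == "__main__":
    found = review_extras(parse_extras(SAMPLE_LOG))
    print("\n".join(f"[{a}] {n}\n    {k}" for a, k, n in found), otl_reg_fix(found), sep="\n")
```

    Run against a real Extras.txt by passing its contents to parse_extras; the vendor subkeys (SymantecAntiVirus, SymantecFirewall in the posted log) are reported for review rather than deleted, since they may belong to a product that is still installed.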
  3. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    Okay, I've uninstalled Avast (seeing as BitDefender is now working and I paid £40 for it just this week), uninstalled McAfee and Kontiki (had no idea what this was).

    Here's the output from OTL...
    All processes killed
    ========== OTL ==========
    Service SymAppCore stopped successfully!
    Service SymAppCore deleted successfully!
    Service LiveUpdate Notice Service stopped successfully!
    Service LiveUpdate Notice Service deleted successfully!
    Service LiveUpdate Notice Ex stopped successfully!
    Service LiveUpdate Notice Ex deleted successfully!
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\Windows\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Starting removal of ActiveX control Garmin Communicator Plug-In
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\Users\Adelle\AppData\Roaming\scb1pcxueuwkvgpcqpjhkuximvpomhw folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Adelle
    ->Temp folder emptied: 820177 bytes
    ->Temporary Internet Files folder emptied: 524323 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 46263629 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 343 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 434 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 45.00 mb


    [EMPTYFLASH]

    User: Adelle
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.2 log created on 03052011_020646

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  4. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    SecurityCheck output

    SecurityCheck.exe output...

    Results of screen317's Security Check version 0.99.7
    Windows Vista Service Pack 2 (UAC is enabled)
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    BitDefender Total Security 2011
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader X
    Mozilla Firefox (3.6.15)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Empowering Technology eSettings Service capuserv.exe
    BitDefender BitDefender 2011 vsserv.exe
    BitDefender BitDefender 2011 bdagent.exe
    BitDefender BitDefender 2011 pchooklaunch32.exe
    BitDefender BitDefender 2011 updatesrv.exe
    BitDefender BitDefender 2011 downloader.exe
    ``````````End of Log````````````
  5. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    The Temp File Cleaner has now been run
  6. Broni

    Broni Malware Annihilator Posts: 46,169   +251

  7. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    Going to head to bed so will pick this up in the afternoon if that's ok. I started the ESET scan but it took half an hour to get 9% through so I've cancelled it just now and will start it tomorrow as well as remove those files you mentioned.

    Thanks again for all your help, it's very much appreciated.
  8. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    No problem :)
  9. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    I'm back

    Hello Broni,

    I'm back again :) I have run the Norton file removal tool and am about to do the ESET scan. Will post back with the results shortly.
  10. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    OK...............
  11. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    Results of ESET Scan

    Hello Broni - got there eventually. The ESET scan took over 4 hours to run.

    It found 2 threats and the export I took is pasted below as promised:

    C:\Peter\noadware.exe multiple threats
    C:\_OTL\MovedFiles\03052011_020646\C_Users\Adelle\AppData\Roaming\scb1pcxueuwkvgpcqpjhkuximvpomhw\csrss.exe a variant of Win32/Kryptik.LGE trojan
  12. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Delete this file manually:
    C:\Peter\noadware.exe
    Empty Recycle Bin.

    =====================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  13. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    OTL results

    Hello Broni,

    I've deleted noadware.exe and emptied the recycle bin as requested.

    Here are the results of the OTL:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]
  14. BuntyMcTavish

    BuntyMcTavish Newcomer, in training Topic Starter Posts: 25

    Just wanted to thank you (Broni) for all your help in resolving the issues on my PC. It's looking better than it has ever done! I'm now working my way through my outdated s/w with Secunia so fingers crossed that's me on the road to recovery now.
    Thank you thank you thank you :D
  15. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Way to go!!
    Good luck and stay safe :)