
Firefox search redirects to my-search-now.com [Solved]


This topic is locked

#1 dannwebb (New Member, 7 posts)

Hello,

I've spent a lot of time reading here, so I hope I've done this right.

My Firefox (not my other installed browsers) redirects to my-search-now.com when performing a Google search.

I'm behind a corporate firewall, running Trend Officescan. Trend blocks the site from loading, and throws an error stating that it has done so. Each time this occurs, there is an extra slash at the end of the reported URL followed by a very long string of seemingly random characters.

I have tried the following: SpyBot Search & Destroy, Ad-aware, HJT, Malwarebytes, CWShredder, TDSSKiller, SpywareBlaster. None of these identify it as a problem.

I've run OTL according to the instructions in the user guide with these settings:
1. Standard Registry = All
2. LOP and Purity checked

I have also edited the following:
1. my name in the file paths has been changed to "myusername"
2. my domain has been changed to "mycorporatedomain"
3. browser home pages have been changed to "myhomepage"

Hoping that's all ok, and I'd appreciate any help that can be offered. Pasted OTL.txt follows:

---------------------------------------------
OTL logfile created on: 20/02/2012 1:12:21 PM - Run 3
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\myusername\Desktop\utils
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.95 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 74.26% Memory free
3.80 Gb Paging File | 3.44 Gb Available in Paging File | 90.69% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 96.44 Gb Free Space | 64.71% Space Free | Partition Type: NTFS
Drive U: | 1900.00 Gb Total Space | 211.64 Gb Free Space | 11.14% Space Free | Partition Type: NTFS
Drive W: | 232.88 Gb Total Space | 199.37 Gb Free Space | 85.61% Space Free | Partition Type: NTFS
Drive X: | 79.45 Gb Total Space | 40.86 Gb Free Space | 51.43% Space Free | Partition Type: NTFS
Drive Y: | 79.45 Gb Total Space | 40.86 Gb Free Space | 51.43% Space Free | Partition Type: NTFS
Drive Z: | 1855.46 Gb Total Space | 411.30 Gb Free Space | 22.17% Space Free | Partition Type: NTFS

Computer Name: IT11298 | User Name: myusername | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\myusername\Desktop\utils\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)
PRC - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (Xmarks.com)
PRC - C:\Program Files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe (FUJIFILM Medical Systems U.S.A., Inc.)
PRC - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (Trend Micro Inc.)
PRC - C:\Program Files\Lenovo\Mouse Suite\PELMICED.EXE (Primax Electronics Ltd.)
PRC - C:\Program Files\Lenovo\Mouse Suite\ico.exe (Primax Electronics Ltd.)
PRC - C:\Program Files\Lenovo\Mouse Suite\FSRremoS.EXE ()
PRC - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files\Intel\AMT\LMS.exe (Intel Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\RealVNC\VNC4\winvnc4.exe (RealVNC Ltd.)


========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Lenovo\Mouse Suite\FSRremoS.EXE ()


========== Win32 Services (SafeList) ==========

SRV - (Hpnmpppm) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SRV - (tmlisten) -- C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe (Trend Micro Inc.)
SRV - (ntrtscan) -- C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe (Trend Micro Inc.)
SRV - (TMBMServer) -- C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe ()
SRV - (SynapseUpdateSvc) -- C:\Program Files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe (FUJIFILM Medical Systems U.S.A., Inc.)
SRV - (SwitchBoard) -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (TmPfw) -- C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe (Trend Micro Inc.)
SRV - (TmProxy) -- C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (Trend Micro Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (UNS) Intel® -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) Intel® -- C:\Program Files\Intel\AMT\LMS.exe (Intel Corporation)
SRV - (WinVNC4) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe (RealVNC Ltd.)
SRV - (IDriverT) -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Driver Services (SafeList) ==========

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
DRV - (TmFilter) -- C:\Program Files\Trend Micro\OfficeScan Client\tmxpflt.sys (Trend Micro Inc.)
DRV - (TmPreFilter) -- C:\Program Files\Trend Micro\OfficeScan Client\tmpreflt.sys (Trend Micro Inc.)
DRV - (VSApiNt) -- C:\Program Files\Trend Micro\OfficeScan Client\VsapiNT.sys (Trend Micro Inc.)
DRV - (HssDrv) -- C:\WINDOWS\system32\drivers\HssDrv.sys (AnchorFree Inc.)
DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.)
DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys (Trend Micro Inc.)
DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (ctxusbm) -- C:\WINDOWS\system32\drivers\ctxusbm.sys (Citrix Systems, Inc.)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (pelusblf) -- C:\WINDOWS\system32\drivers\pelusblf.sys (TPMX Electronics Ltd.)
DRV - (pelmouse) -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS (TPMX Electronics Ltd.)
DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )
DRV - (e1kexpress) Intel® -- C:\WINDOWS\system32\drivers\e1k5132.sys (Intel Corporation)
DRV - (IFXTPM) -- C:\WINDOWS\system32\drivers\ifxtpm.sys (Infineon Technologies AG)
DRV - (HECI) Intel® -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)
DRV - (SFAUDIO) -- C:\WINDOWS\system32\drivers\sfaudio.sys (Sonic Focus, Inc)
DRV - (HPKBCCID) -- C:\WINDOWS\system32\drivers\HPKBCCID.sys (Hewlett-Packard Company)
DRV - (pelps2m) -- C:\WINDOWS\system32\drivers\PELPS2M.SYS (Primax Electronics Ltd.)
DRV - (USBCCID) -- C:\WINDOWS\system32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (DHEAPDMP) -- C:\WINDOWS\system32\drivers\dheapdmp.sys (Microsoft Corporation)
DRV - (STC2DFU) -- C:\WINDOWS\system32\drivers\Stc2Dfu.sys (SCM Microsystems Inc.)
DRV - (PalmUSBD) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys (Palm, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myhomepage
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myhomepage
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myhomepage
IE - HKCU\..\URLSearchHook: {3D31A26E-04D4-4B45-AFD4-DA4E1AE4AF1B} - C:\Program Files\Fuji Medical System\Synapse\Workstation\FujiFld.dll (FUJIFILM Medical Systems U.S.A., Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.myhomepage"
FF - prefs.js..extensions.enabledItems: [email protected]:3.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.9
FF - prefs.js..extensions.enabledItems: [email protected]:3.6.20101102
FF - prefs.js..extensions.enabledItems: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}:1.0.1
FF - prefs.js..extensions.enabledItems: {53c4d698-0a74-873e-7946-7d19bb035667}:2.6
FF - prefs.js..extensions.enabledItems: [email protected]:0.1
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.6.2.1
FF - prefs.js..extensions.enabledItems: {34c51bf3-5fb2-4799-8cca-d5b8567cf7ef}:1.3
FF - prefs.js..extensions.enabledItems: {45d8ff86-d909-11db-9705-005056c00008}:1.0.5
FF - prefs.js..extensions.enabledItems: {723AAF16-AF1F-4404-A5D7-0BFE39766605}:0.3.4
FF - prefs.js..extensions.enabledItems: {a0faa0a4-f1a7-4098-9a74-21efc3a92372}:6.0.0
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.8
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {5362CD9D-AC69-43e5-8E7D-92EDE5CEF304}:0.8.1
FF - prefs.js..extensions.enabledItems: {B9C8BE50-7105-4ec6-8FB4-4935C0671648}:0.5.995
FF - prefs.js..extensions.enabledItems: goParentFolder@alice:2.5
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.11
FF - prefs.js..extensions.enabledItems: {aff87fa2-a58e-4edd-b852-0a20203c1e17}:0.8
FF - prefs.js..extensions.enabledItems: {3f0da09b-c1ab-40c5-8d7f-53f475ac3fe8}:0.10.3
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.2
FF - prefs.js..extensions.enabledItems: {1dbc4a33-ea62-4330-966c-7bdad3455322}:1.0.6.10
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:5.0.6
FF - prefs.js..extensions.enabledItems: showParentFolder@alice:1.8
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.3
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
FF - prefs.js..extensions.enabledItems: [email protected]:4.0.2
FF - prefs.js..extensions.enabledItems: [email protected]:1.6.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.2.2
FF - prefs.js..extensions.enabledItems: {6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}:0.9.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {340c2bbc-ce74-4362-90b5-7c26312808ef}:1.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.3.2
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:6.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.19.1
FF - prefs.js..extensions.enabledItems: [email protected]:5.0.1
FF - prefs.js..extensions.enabledItems: {582195F5-92E7-40a0-A127-DB71295901D7}:0.6.4.1
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.95
FF - prefs.js..extensions.enabledItems: [email protected]:2.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..network.proxy.http: "wwwproxy.unimelb.edu.au"
FF - prefs.js..network.proxy.http_port: 8000

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2011/02/01 15:27:42 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Musicnotes.com/Musicnotes Viewer,version=1.17.4: C:\Program Files\Musicnotes\npmusicn.dll (Musicnotes, Inc.)
FF - HKLM\Software\MozillaPlugins\@Sibelius.com/Scorch Plugin,version=5.2.5.48: C:\Program Files\Musicnotes\npsibelius.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}: C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2010/12/02 13:25:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5.2\extensions\\Components: C:\Program Files\Flock\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5.2\extensions\\Plugins: C:\Program Files\Flock\plugins [2012/01/27 12:27:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Components: C:\Program Files\Flock\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Plugins: C:\Program Files\Flock\plugins [2012/01/27 12:27:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.2\extensions\\Components: C:\Program Files\Flock\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.2\extensions\\Plugins: C:\Program Files\Flock\plugins [2012/01/27 12:27:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/20 11:14:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/15 13:14:52 | 000,000,000 | ---D | M]

[2012/02/16 09:56:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Extensions
[2009/10/27 17:00:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b}
[2012/02/20 11:53:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions
[2012/02/16 09:59:43 | 000,000,000 | ---D | M] (Auto Copy) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2012/02/16 09:59:43 | 000,000,000 | ---D | M] (Remove It Permanently) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{1dbc4a33-ea62-4330-966c-7bdad3455322}
[2012/02/16 09:59:43 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2012/02/16 09:59:42 | 000,000,000 | ---D | M] (OperaView) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{87f54a61-c9b3-4138-a38a-33c31770bb9e}
[2012/02/16 09:59:42 | 000,000,000 | ---D | M] (BugMeNot) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
[2012/02/16 09:59:42 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2012/02/16 09:59:42 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2012/02/16 09:59:41 | 000,000,000 | ---D | M] (IE View Lite) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3}
[2012/02/16 09:59:41 | 000,000,000 | ---D | M] (Mouse Gestures Redox) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}
[2012/02/16 09:59:41 | 000,000,000 | ---D | M] (LO-FI) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\{lofi-0.1}
[2012/02/16 09:59:50 | 000,000,000 | ---D | M] (ColorSuckr) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\[email protected]
[2012/02/16 09:59:49 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\[email protected]
[2012/02/16 09:59:47 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\[email protected]
[2012/02/16 09:59:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\gohome
[2012/02/16 09:59:47 | 000,000,000 | ---D | M] ("Go Parent Folder") -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\goParentFolder@alice
[2012/02/16 09:59:46 | 000,000,000 | ---D | M] ("Link Alert") -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\[email protected]
[2012/02/16 09:59:46 | 000,000,000 | ---D | M] (Personas) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\[email protected]
[2012/02/16 09:59:45 | 000,000,000 | ---D | M] (Cooliris) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\[email protected]
[2012/02/16 09:59:44 | 000,000,000 | ---D | M] ("Show Parent Folder") -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\showParentFolder@alice
[2012/02/16 09:59:43 | 000,000,000 | ---D | M] (SphereGnome) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\SphereGnome
[2012/02/20 11:51:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\staged
[2012/02/16 09:59:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\tabbin
[2012/02/16 09:59:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\extensions\temp
[2005/09/15 10:19:13 | 000,000,377 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\alistapart.gif
[2005/11/22 09:43:27 | 000,000,657 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\alistapart.png
[2009/07/31 10:11:31 | 000,001,718 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\alistapart.src
[2008/03/14 10:05:25 | 000,001,672 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\amazondotcom.xml
[2012/02/13 09:49:12 | 000,002,371 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\blekko-https.xml
[2007/03/13 14:06:15 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\BracebridgePL.png
[2009/07/31 10:11:32 | 000,001,829 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\BracebridgePL.src
[2010/06/04 15:48:24 | 000,002,220 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\cheaprivercom.xml
[2011/10/04 09:15:29 | 000,001,698 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\compact-oxford-english-dict.xml
[2011/09/09 10:09:39 | 000,001,293 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\creativecommons-1.xml
[2007/03/14 12:59:18 | 000,001,293 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\creativecommons.xml
[2011/09/09 10:09:39 | 000,001,920 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\dogpile-1.xml
[2007/03/14 12:59:18 | 000,001,920 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\dogpile.xml
[2011/07/04 18:26:30 | 000,000,762 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\Dorlands.xml
[2011/09/26 14:18:48 | 000,001,982 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\duckduckgo-ssl.xml
[2007/03/13 14:45:38 | 000,000,189 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\firefoxsearch.gif
[2010/12/02 09:07:03 | 000,001,038 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\firefoxsearch.src
[2011/09/09 10:09:40 | 000,002,114 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\google-1.xml
[2008/06/02 10:18:50 | 000,002,180 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\google-maps.xml
[2007/03/14 12:59:19 | 000,002,114 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\google.xml
[2011/09/09 10:09:40 | 000,001,026 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\googlesearchmash-1.xml
[2008/03/03 09:25:33 | 000,001,026 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\googlesearchmash.xml
[2008/06/25 10:13:47 | 000,000,908 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\imdb.xml
[2010/10/04 15:00:17 | 000,002,550 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\isbn-lookup.xml
[2010/06/15 11:50:36 | 000,002,484 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\ixquick.xml
[2011/10/10 12:23:24 | 000,001,327 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\library-catalogue-by-author.xml
[2012/02/20 08:58:39 | 000,001,291 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\library-catalogue-by-title.xml
[2011/09/09 10:09:40 | 000,001,364 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\medicspl-1.xml
[2007/03/14 12:59:19 | 000,001,364 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\medicspl.xml
[2008/06/02 10:18:52 | 000,001,130 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\oald.xml
[2006/09/01 13:27:05 | 000,001,370 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\omd.gif
[2009/07/31 10:11:33 | 000,002,729 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\omd.src
[2006/08/24 15:17:22 | 000,000,547 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookAll.png
[2009/07/31 10:11:33 | 000,001,509 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookAll.src
[2012/02/13 09:49:09 | 000,001,498 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookAll.xml
[2006/03/22 09:43:07 | 000,000,534 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookDef.png
[2009/08/03 16:16:00 | 000,001,479 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookDef.src
[2012/02/13 09:49:10 | 000,001,468 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookDef.xml
[2006/09/12 13:55:41 | 000,000,533 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookTran.png
[2009/07/31 10:11:32 | 000,001,483 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookTran.src
[2012/02/13 09:49:10 | 000,001,472 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\OneLookTran.xml
[2012/02/13 09:49:11 | 000,002,091 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\quotations-book---search.xml
[2011/09/09 10:09:41 | 000,001,071 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\standardistas-1.xml
[2007/03/14 12:59:21 | 000,001,071 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\standardistas.xml
[2012/02/13 09:49:11 | 000,001,593 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\the-book-depository.xml
[2012/02/13 09:49:11 | 000,001,084 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\thesauruscom.xml
[2010/10/22 15:20:29 | 000,001,709 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\trove.xml
[2008/02/05 16:02:00 | 000,001,068 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\wikipedia-english.xml
[2006/11/08 13:21:07 | 000,000,739 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\wikipedia_google.png
[2009/07/31 10:11:33 | 000,001,826 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\searchplugins\wikipedia_google.src
[2012/02/16 09:58:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{02450954-CDD9-410F-B1DA-DB804E18C671}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{45D8FF86-D909-11DB-9705-005056C00008}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{46551EC9-40F0-4E47-8E18-8E5CF550CFB8}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{582195F5-92E7-40A0-A127-DB71295901D7}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{6D96BB5E-1175-4EBF-8AB5-5F56F1C79F65}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{A0FAA0A4-F1A7-4098-9A74-21EFC3A92372}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{A7C6CF7F-112C-4500-A7EA-39801A327E5F}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{AFF87FA2-A58E-4EDD-B852-0A20203C1E17}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{B22E157D-283C-498F-9554-C3A80E841E91}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\{DC572301-7619-498C-A57D-39143191B318}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\DOCUMENTS AND SETTINGS\myusername\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\974FLS0H.DEFAULT\EXTENSIONS\[email protected]
[2012/02/20 11:14:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/10/12 16:33:32 | 000,124,344 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
[2010/10/12 16:37:06 | 000,070,592 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2010/10/12 16:35:42 | 000,091,576 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2010/10/12 16:34:56 | 000,022,464 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2010/10/29 12:50:39 | 000,101,768 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2010/10/29 12:50:22 | 000,064,392 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2010/03/27 18:06:04 | 000,067,032 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npContribute.dll
[2011/05/04 05:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/10/28 14:06:48 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2010/10/12 18:16:54 | 000,484,768 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2010/03/31 10:09:22 | 010,437,264 | ---- | M] (PDFTron Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\PDFNetC.dll
[2010/04/08 12:36:02 | 000,107,760 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll
[2010/10/12 16:37:02 | 000,024,000 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
[2012/02/09 04:12:58 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/09 04:12:58 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.11\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.11\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.11\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
CHR - plugin: Musicnotes (Enabled) = C:\Program Files\Musicnotes\npmusicn.dll
CHR - plugin: ScorchPlugin (Enabled) = C:\Program Files\Musicnotes\npsibelius.dll
CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Web Developer = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bfbameneiokkgbdmiekhjnmfkcnldhhm\0.3.1_0\
CHR - Extension: Google Search = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Glossy Blue = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nheaocaplknjkpcnbadlgfpdfjaabiml\1.0_0\
CHR - Extension: Gmail = C:\Documents and Settings\myusername\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/01/27 11:59:09 | 000,441,010 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15161 more lines...
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O2 - BHO: (no name) - {1BD0BEFE-F697-4eee-B7E1-76B849A5CB84} - No CLSID value found.
O2 - BHO: (Synapse BHO Class) - {33414365-E6C7-460d-880A-A163BD69E84D} - C:\Program Files\Fuji Medical System\Synapse\Workstation\FujiFld.dll (FUJIFILM Medical Systems U.S.A., Inc.)
O2 - BHO: (Google Analytics Opt-out Browser Add-on) - {75EF13CE-B59E-41ba-8A5A-A944031BD8B4} - C:\Program Files\Google\Google Analytics Opt-Out\gaoptout.dll (Google, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (IE Developer Toolbar BHO) - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O3 - HKLM\..\Toolbar: (Athens Toolbar) - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll (Eduserv Technologies Limited)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Athens Toolbar) - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll (Eduserv Technologies Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\Program Files\Lenovo\Mouse Suite\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [compatUserPath] C:\Documents and Settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll ()
O4 - HKCU..\Run: [Xmarks] C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (Xmarks.com)
O4 - Startup: C:\Documents and Settings\myusername\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTaskGrouping = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoTrayNotify = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} https://rchav:4343/o...ll/WinNTChk.cab (ObjWinNTCheck Class)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} https://rchav:4343/o...stall/setup.cab (OfficeScan Corp Edition Web-Deployment SetupCtrl Class)
O16 - DPF: {1FBD11EF-1260-11D1-87A7-444553540001} http://rch-synapse (Synapse)
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} https://rchav:4343/o...root/AtxEnc.cab (Encrypt Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1239245532500 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.100.33 172.16.100.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mycorporatedomain
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CE58FBE9-0429-4227-B9D8-68B33FDA66D1}: DhcpNameServer = 172.16.100.33 172.16.100.24
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\myusername\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\myusername\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Documents and Settings\myusername\Application Data\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/27 11:57:20 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/06/03 11:18:52 | 000,000,000 | ---- | M] () - W:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##it13275#d\Shell - "" = AutoRun
O33 - MountPoints2\##it13275#d\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##it13275#d\Shell\AutoRun\command - "" = Y:\Roxio.exe cmd.exe /c setup.bat
O33 - MountPoints2\{88daf7b6-27e2-11df-a5b3-0026553d3c89}\Shell - "" = AutoRun
O33 - MountPoints2\{88daf7b6-27e2-11df-a5b3-0026553d3c89}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{88daf7b6-27e2-11df-a5b3-0026553d3c89}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{88daf7b7-27e2-11df-a5b3-0026553d3c89}\Shell\AutoRun\command - "" = POPAJ///mornarje.exe
O33 - MountPoints2\{88daf7b7-27e2-11df-a5b3-0026553d3c89}\Shell\open\command - "" = POPAJ///mornarje.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/16 13:12:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\myusername\Desktop\opeansans
[2012/02/16 09:34:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\myusername\My Documents\firefoxProfile20120216
[2012/02/13 14:19:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\myusername\Application Data\Malwarebytes
[2012/02/13 14:19:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/13 14:19:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/02/13 14:19:01 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/02/13 14:19:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/02/13 10:23:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/02/13 10:23:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2012/02/13 10:23:04 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2012/02/09 08:26:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\myusername\Local Settings\Application Data\lanCommsTray
[2012/01/27 15:59:54 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2012/01/27 15:58:02 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2012/01/27 15:58:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[2012/01/27 15:58:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2012/01/27 14:55:13 | 000,000,000 | ---D | C] -- C:\Program Files\AutoRuns
[2012/01/27 11:50:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/01/27 11:50:21 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/01/27 11:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/01/25 15:48:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\myusername\Start Menu\Programs\HiJackThis
[2012/01/25 15:40:28 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2012/01/24 10:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\myusername\My Documents\EndNote
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\myusername\*.tmp files -> C:\Documents and Settings\myusername\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/20 12:45:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/20 12:29:00 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2100782434-1583570100-1912232085-25644UA.job
[2012/02/20 11:10:58 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\myusername\Desktop\Word 2007.lnk
[2012/02/20 09:29:00 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2100782434-1583570100-1912232085-25644Core.job
[2012/02/20 08:55:45 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/20 08:54:39 | 000,017,646 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2012/02/20 08:53:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/20 08:52:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/17 19:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-DOMAIN-myusername.job
[2012/02/17 15:58:58 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/02/17 15:58:47 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/02/17 15:58:47 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/02/17 09:15:30 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\myusername\Desktop\Firefox.lnk
[2012/02/17 09:01:16 | 003,654,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/16 14:30:42 | 000,002,306 | ---- | M] () -- C:\Documents and Settings\myusername\Desktop\Google Chrome.lnk
[2012/02/16 14:30:42 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/02/16 13:29:46 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\myusername\Desktop\Publisher 2007.lnk
[2012/02/16 10:01:12 | 000,000,748 | ---- | M] () -- C:\Documents and Settings\myusername\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to firefox.exe.lnk
[2012/02/14 15:37:03 | 002,879,036 | ---- | M] () -- C:\Documents and Settings\myusername\My Documents\SalaryPackagingMealCardANZ.pdf
[2012/02/14 15:02:33 | 000,502,222 | ---- | M] () -- C:\Documents and Settings\myusername\My Documents\SalaryPackagingHolidayClaim.pdf
[2012/02/14 12:03:16 | 001,928,678 | ---- | M] () -- C:\Documents and Settings\myusername\My Documents\bookmarks20121402.html
[2012/02/14 11:19:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/13 11:02:25 | 000,244,979 | ---- | M] () -- C:\Documents and Settings\myusername\Desktop\gmail-manager-0.6.4.1.4-tomondev.xpi
[2012/02/06 08:32:41 | 000,006,512 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/01/27 15:59:52 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2012/01/27 15:59:52 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2012/01/27 14:30:59 | 000,002,124 | -H-- | M] () -- C:\Documents and Settings\myusername\My Documents\Default.rdp
[2012/01/27 11:59:09 | 000,441,010 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2012/01/27 11:59:09 | 000,441,010 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/01/25 16:00:14 | 000,000,195 | RHS- | M] () -- C:\boot.ini
[2012/01/24 08:58:03 | 000,007,620 | RHS- | M] () -- C:\Documents and Settings\myusername\ntuser.pol
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\myusername\*.tmp files -> C:\Documents and Settings\myusername\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/16 15:31:26 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\myusername\Desktop\Firefox.lnk
[2012/02/16 09:58:01 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/02/14 12:03:16 | 001,928,678 | ---- | C] () -- C:\Documents and Settings\myusername\My Documents\bookmarks20121402.html
[2012/02/13 11:02:24 | 000,244,979 | ---- | C] () -- C:\Documents and Settings\myusername\Desktop\gmail-manager-0.6.4.1.4-tomondev.xpi
[2012/01/30 15:59:02 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/01/30 15:59:02 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/01/27 17:01:12 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2012/01/27 15:58:18 | 000,000,486 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/11/15 21:16:11 | 000,355,032 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/10/11 09:06:24 | 000,000,658 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2011/09/22 16:39:30 | 000,000,265 | ---- | C] () -- C:\WINDOWS\xvport.ini
[2011/06/27 16:43:47 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\myusername\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/06 11:34:36 | 000,000,048 | ---- | C] () -- C:\WINDOWS\FileNamesinQueue.ini
[2010/12/02 14:42:40 | 000,077,120 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/11/04 10:55:56 | 000,001,363 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2010/04/29 16:46:37 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2010/04/15 17:50:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2010/02/01 15:25:59 | 000,011,264 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2009/11/18 16:06:24 | 000,000,091 | ---- | C] () -- C:\WINDOWS\webshots.ini
[2009/10/30 10:30:31 | 000,036,939 | ---- | C] () -- C:\WINDOWS\System32\insrepim.exe
[2009/10/28 15:41:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QUICKI~1.INI
[2009/10/28 13:14:11 | 000,000,503 | R--- | C] () -- C:\WINDOWS\DYMOLS.DAT
[2009/10/27 16:59:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/10/27 14:30:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/20 14:20:07 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/04/14 12:41:57 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2009/04/14 12:41:28 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2009/04/14 11:34:05 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2009/04/14 11:22:09 | 000,000,395 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/14 10:24:37 | 000,017,646 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2009/04/09 18:26:59 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/04/09 18:25:53 | 003,654,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/09 15:59:47 | 002,026,604 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2009/04/09 15:59:46 | 000,442,964 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2009/04/09 15:59:46 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5016.dll
[2009/04/09 13:12:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/04/09 13:07:54 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/10/12 17:35:56 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Instx64.exe
[2004/08/04 02:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 15:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 23:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 23:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 23:00:00 | 000,447,020 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 23:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 23:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 23:00:00 | 000,072,404 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 23:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 23:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 23:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 23:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2009/11/18 16:04:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\agi
[2010/12/13 09:04:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/05/06 11:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DataViz
[2011/09/16 12:46:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\hssff
[2011/09/20 15:05:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
[2009/04/14 11:08:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/12/02 14:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2011/11/17 11:04:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2012/02/13 10:56:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/09/05 12:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thomson.ResearchSoft.Installers
[2009/11/23 11:20:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2011/11/16 10:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/12/02 14:28:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2012/01/10 15:03:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1
[2011/07/07 12:54:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\com.springbox.mobilizer
[2012/01/10 10:41:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Console
[2011/10/07 15:44:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Dropbox
[2012/01/24 09:38:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\EndNote
[2012/01/27 12:27:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Flock
[2009/10/28 14:06:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Foxit
[2011/07/26 16:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Gmail Backup
[2009/04/09 13:32:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\gtopala
[2010/12/14 09:06:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\ICAClient
[2009/11/23 17:06:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\IrfanView
[2010/01/14 16:02:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Launchy
[2009/10/28 15:27:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Leadertech
[2009/11/30 10:40:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\MusE
[2011/04/19 17:50:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\MySQL
[2011/10/25 14:58:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Notepad++
[2009/11/17 14:45:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\OpenOffice.org
[2011/04/15 16:55:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Opera
[2011/09/22 13:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\Qualcomm
[2012/01/16 10:30:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\myusername\Application Data\UBitMenu
[2012/02/17 15:58:58 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job


========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >
  • 0

#2
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hello dannwebb and welcome to GeeksToGo :)

I'm GLeobas and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • Please do not try to fix anything without being asked.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
  • I am currently reviewing your logs.

  • 0

#3
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Is this a business/institution computer?
If it is, are you the domain administrator? If you are not, have you informed your domain administrator (business manager, Systems Analyst, or Information Technology (IT) Specialist)?

I ask for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

  • 0

#4
dannwebb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you for your response. I appreciate your concerns, and that you spelled them out so clearly for me. I apologise for not elaborating more on my situation in the first instance.

Is this a business/institution computer?
If it is, are you the domain administrator? If you are not, have you informed your domain administrator (business manager, Systems Analyst, or Information Technology (IT) Specialist)?


This is a non-profit organisation. I am the local administrator for a section where I control and maintain 24 PCs, and seek help from the network administrator when necessary (he has around 5000 PCs and multiple servers to manage; I try not to bother him too much). The network security manager has given me these rights and permissions. The machines I administer are under various levels of lock-down via network group policy.

The particular machine in question here is under no lock-down. Its data is backed up nightly, and I perform manual backups before making any changes to the system.

If I approached the network security manager about this issue I know exactly what will happen (I've worked here for 15 years, and known him just as long): he will pass the job to one of his minions, who will listen to what I've already tried and won't be interested in doing anything further to clean this machine. He/she will simply suggest a rebuild with the SOE and be done with it.

I'm in web development; I run a plethora of applications/tools/utilities with many specific configurations. A rebuild will be a nightmare for me; it will take days to bring the machine back to its current status. It's just got to be easier to locate the source of this browser redirect and clean it! I've invested a lot of time in it already, and am not yet prepared to give up. The IT answer for everything is "rebuild", but I think that's a case of "when the only tool you have is a hammer, everything looks like a nail". It's drastic. I prefer to find out the where/what/how of this thing and sort it out at the source.

I have access to a new, spare, almost identical machine. If I absolutely have to, I can spend days setting it up as a replacement for the machine in question here, and call in IT to do a rebuild on the "broken" one. I just would much prefer a fix than an annihilation. Lawsuits aren't an issue; we're not in America (and litigation is not common here).

I can't tell you how much I'll appreciate any help or hints you are prepared to offer me. I'm at my wit's end with this thing. I've never been unable to clean anything before. Usually a combination of AutoRuns and HijackThis helps me track it down, but this one is defeating me.

thanks.

Edited by dannwebb, 21 February 2012 - 06:57 PM.

  • 0

#5
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
I will proceed with your topic, but if something goes wrong, I warned you.

Please, keep the computer isolated as much as possible during the cleanup to prevent spreading any possible infection.

# Step 1 #

Please go to: VirusTotal
  • Click the Choose File button and search for the following file (one by one):

    C:\Documents and Settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll

  • Click Open > Scan It!.
  • Please be patient while the file is scanned.
  • Copy and paste the link (URL) with the results.

# Step 2 #

Please reopen OTL on your desktop.
  • In the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myhomepage
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myhomepage
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myhomepage
    FF - prefs.js..browser.startup.homepage: "http://www.myhomepage"
    
    :Commands
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


# Step 3 #

  • Open OTL.exe
  • Click the button [image]
  • Now, in the Extra Registry box, select Use SafeList
  • Next, click the Run Scan button
  • A log named Extras.txt will be generated. Post this log.

# Step 4 #

Download aswMBR.exe (1.8 MB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

When the scan completes, click "Save log", save it to your desktop and post it in your next reply.
  • 0

#6
dannwebb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi GLeobas,

Thanks so much for continuing with this. I've followed your instructions carefully; results are all posted below.
cheers,
sunny.

# Step 1 #

VirusTotal result
https://www.virustot...sis/1330037031/

# Step 2 #

OTL movedfiles log
(I edited the homepage URL)

========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Prefs.js: "http://myhomepage" removed from browser.startup.homepage
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.32.0 log created on 02242012_095710

# Step 3 #

OTL extras log
(I edited my username, a server name, and a domain name)

OTL Extras logfile created on: 24/02/2012 10:04:08 AM - Run 4
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\myusername\Desktop\utils
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.95 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 75.54% Memory free
3.80 Gb Paging File | 3.50 Gb Available in Paging File | 92.09% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 96.41 Gb Free Space | 64.69% Space Free | Partition Type: NTFS
Drive U: | 1900.00 Gb Total Space | 204.93 Gb Free Space | 10.79% Space Free | Partition Type: NTFS
Drive W: | 232.88 Gb Total Space | 199.23 Gb Free Space | 85.55% Space Free | Partition Type: NTFS
Drive X: | 79.45 Gb Total Space | 40.93 Gb Free Space | 51.51% Space Free | Partition Type: NTFS
Drive Y: | 79.45 Gb Total Space | 40.93 Gb Free Space | 51.51% Space Free | Partition Type: NTFS
Drive Z: | 1855.46 Gb Total Space | 418.53 Gb Free Space | 22.56% Space Free | Partition Type: NTFS

Computer Name: IT11298 | User Name: myusername | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.js [@ = jsfile] -- C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Print_Directory_Listing] -- Printdir.bat "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntivirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"61708:TCP" = 61708:TCP:*:Enabled:Trend Micro OfficeScan Listener

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Documents and Settings\myusername\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\myusername\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\FlashGet\flashget.exe" = C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{102B83E4-6345-428C-995E-84D9DA26AE34}" = Palm VersaMail™
"{10ABE49D-343A-463E-9753-C4C5A05ECEF9}" = Sibelius Scorch (Firefox, Opera, Netscape only)
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1666FA7C-CB5F-11D6-A78C-00B0D079AF64}" = Java 2 Runtime Environment, SE v1.4.1_01
"{17F69B4B-1D9D-4FC2-A4E0-298B620056B6}" = Eudora
"{194B2FE0-2B17-4DF2-A532-213FDFC87FB9}" = Documents To Go
"{199C20D6-10D3-4210-B361-4760209F56AE}" = Citrix online plug-in (Web)
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{22FC7536-BE5C-4E88-8069-C24689D34EC5}" = Snagit 10.0.1
"{23040A25-F16F-41FA-84EA-49CF011C08DA}" = Synapse Dat file v2
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 26
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3ECCB578-504E-4F7A-A8B4-CF4F3B939B44}" = Citrix online plug-in (USB)
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B95A5F1-EF59-4B08-BED8-C891C46121B3}_is1" = Mercurial 2.0
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Creator Business
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{678094A1-6250-476B-9AFF-4376E48F135C}" = Citrix online plug-in (DV)
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{7148F0A8-6813-11D6-A77B-00B0D0142040}" = Java 2 Runtime Environment, SE v1.4.2_04
"{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{7527C022-BF9B-4EBE-9332-75F3170B4749}" = Horizon 7.3
"{777AD08E-B32A-4456-AFE1-094DBECEB268}" = Intel® Network Connections 13.5.32.0
"{78897DE2-640B-45D0-AA03-AC2DB9D95A7A}" = MySQL Workbench 5.0 OSS
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7EFA9E45-BC04-4613-B88F-079B01C9F862}" = HP USB Smart Card Keyboard
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{82EF29B1-9B60-4142-A155-0599216DD053}" = LightScribe System Software
"{84513125-0BC7-46F8-BE1E-309263B79AE2}" = Xmarks Thumbnails for IE
"{86B3F2D6-AC2B-0014-8AE1-F2F77F781B0C}" = EndNote X4
"{86B3F2D6-AC2B-0015-8AE1-F2F77F781B0C}" = EndNote X5
"{876F1142-68F4-4541-8330-EFCF77859602}" = Synapse321_Datfile
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8E9976D2-E563-43DE-A51F-5AEBC38D1F08}" = Ad-Aware
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{A127C3C0-055E-38CF-B38F-1E85F8BBBFFE}" = Adobe Community Help
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{ABDA9912-5D00-11D4-BAE7-9367CA097955}" = Macromedia Dreamweaver 4
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.0
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{B1D78321-7AB1-45A7-A084-885AF75B8F3D}" = Palm Desktop
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{BDE646E8-86E0-50E1-37BC-0AEBB2185D76}" = Adobe Widget Browser
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}" = Camtasia Studio 7
"{C6ACC864-52AE-44D9-8AAA-20C69AD43267}" = Microsoft Office Labs Search Commands
"{C8748FFB-1713-4e95-B3DF-4F1622D96F93}_is1" = UBitMenu UK
"{CDC08463-9303-4BF1-BF8C-E1A2ECEE3248}" = Adobe Creative Suite 5 Web Premium
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE6F9778-35DE-42D1-8C61-C5C69DCF8927}" = Google Analytics Opt-out Browser Add-on
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D36B4583-E804-406B-9D56-F97931286C5B}" = 32 Bit HP CIO Components Installer
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DBBE5C26-72B7-4E01-950D-86BDE35918ED}" = Embedded Security for HP ProtectTools Driver
"{DD51C55D-A617-479A-B01A-961F91321370}" = Synapse Workstation
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DF2035BE-5820-4965-BD97-7FAF8D4A7879}" = Microsoft_VC90_CRT_x86
"{E590A51C-4303-4A28-99DB-799FE1E25E0D}" = Xmarks for IE
"{E69BB189-4B20-46AE-93CF-59099F05FC3F}" = OutlookTools 2
"{E7081891-BC7F-43F9-9CE6-B5DD2F497156}" = Internet Explorer Developer Toolbar
"{E79734B1-B505-42E6-B6AF-65D049C503B0}" = Athens Toolbar
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator Business v10
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F5242227-2051-4158-AC42-0F2BAA3CD3D6}" = HP SetRefresh
"{FA365307-1963-4D16-BD44-113C8F037AAD}" = Citrix online plug-in (HDX)
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.3.1 Professional
"Adobe Acrobat 8 Professional_831" = Adobe Acrobat 8.3.1 - CPSID_83708
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"ATnotes_is1" = ATnotes Version 9.5
"AutoItv3" = AutoIt v3.1.1
"Belarc Advisor" = Belarc Advisor 8.2
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1" = Adobe Widget Browser
"Dheapmon" = Desktop Heap Monitor (Uninstall Only)
"Ditto_is1" = Ditto 3.15.4.0
"Eye Candy 4000" = Eye Candy 4000
"Foxit Reader" = Foxit Reader
"gmailbackup" = Gmail Backup
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"Handmark Solitaire for Palm OS" = Handmark Solitaire for Palm OS
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel® Management Engine Interface
"Icon Restore_is1" = Icon Restore 1.0
"IconXTractor" = IconXTractor Version 2.106
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"iecollection_is1" = Internet Explorer Collection 1.6.0.6
"IrfanView" = IrfanView (remove only)
"Java Web Start" = Java Web Start
"Karen's Directory Printer" = Karen's Directory Printer
"Lanpage 32_is1" = Lanpage 32 v3.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2000" = Microsoft SQL Server 2000
"MouseSuite98" = Mouse Suite
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"MuseScore 0.9" = MuseScore 0.9 MuseScore score typesetter
"Musicnotes Combined Installer_is1" = Musicnotes Software Suite 1.2
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"OfficeScanNT" = Trend Micro OfficeScan Client
"Opera 11.61.1250" = Opera 11.61
"PaperCut MF Client_is1" = PaperCut MF Client 10.2
"PbWrdArt.exe" = Publisher WordArt Compatibility Add-In
"Picasa 3" = Picasa 3
"Privacy Matters" = Privacy Matters Screen Saver
"PROPLUS" = Microsoft Office Professional Plus 2007
"Proxy Remote Control Master" = Proxy Remote Control Master
"RDC" = RDC
"RealVNC_is1" = VNC Free Edition 4.1.2
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"SnagIt5" = SnagIt 5
"SP42232" = HP Softpaq SP42232
"SpywareBlaster_is1" = SpywareBlaster 4.5
"ST6UNST #1" = Karen's Autorun.inf Editor
"VLC media player" = VLC media player 1.1.11
"Webshots" = Webshots!
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe Reader for Palm OS" = Adobe Reader for Palm OS, 3.05
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"InstallShield_{102B83E4-6345-428C-995E-84D9DA26AE34}" = Palm VersaMail™
"JoinMe" = join.me

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 23/02/2012 6:59:16 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:16 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:16 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:16 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:17 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:18 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:18 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:18 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:18 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 23/02/2012 6:59:19 PM | Computer Name = IT11298 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 19/02/2012 5:54:21 PM | Computer Name = IT11298 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 19/02/2012 5:54:40 PM | Computer Name = IT11298 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 19/02/2012 8:30:27 PM | Computer Name = IT11298 | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/server. This indicates that the ticket used against that
server is not yet valid (in relationship to that server time). Contact your system
administrator to make sure the client and server times are in sync, and that the
KDC in realm domain is in sync with the KDC in the client realm.

Error - 20/02/2012 6:05:32 PM | Computer Name = IT11298 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 21/02/2012 5:58:34 PM | Computer Name = IT11298 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 21/02/2012 5:58:48 PM | Computer Name = IT11298 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 22/02/2012 5:21:05 PM | Computer Name = IT11298 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 23/02/2012 5:55:32 PM | Computer Name = IT11298 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 23/02/2012 5:58:35 PM | Computer Name = IT11298 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 23/02/2012 7:00:08 PM | Computer Name = IT11298 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt


< End of report >


# Step 4 #

aswMBR log
(I edited my username)

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-24 10:17:14
-----------------------------
10:17:14.796 OS Version: Windows 5.1.2600 Service Pack 3
10:17:14.796 Number of processors: 2 586 0x170A
10:17:14.796 ComputerName: IT11298 UserName: myusername
10:17:15.562 Initialize success
10:18:02.825 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16
10:18:02.825 Disk 0 Vendor: ST3160318AS HP34 Size: 152627MB BusType: 3
10:18:02.841 Disk 0 MBR read successfully
10:18:02.841 Disk 0 MBR scan
10:18:02.841 Disk 0 Windows VISTA default MBR code
10:18:02.841 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 2048
10:18:02.857 Disk 0 scanning sectors +312578048
10:18:02.935 Disk 0 scanning C:\WINDOWS\system32\drivers
10:18:09.673 Service scanning
10:18:23.025 Service TmFilter C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys **LOCKED** 32
10:18:23.197 Service TmPreFilter C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys **LOCKED** 32
10:18:24.213 Service VSApiNt C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys **LOCKED** 32
10:18:25.839 Modules scanning
10:18:29.748 Disk 0 trace - called modules:
10:18:29.764 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:18:29.779 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a793ab8]
10:18:29.779 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000071[0x8a798f18]
10:18:29.779 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-16[0x8a751d98]
10:18:29.779 Scan finished successfully
10:18:37.894 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\myusername\Desktop\MBR.dat"
10:18:37.894 The log file has been saved successfully to "C:\Documents and Settings\myusername\Desktop\aswMBR.txt"

#7
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow it to update if it asks.


When finished, it produces a log for you.
Please include the C:\ComboFix.txt in your next reply.



Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

After the run you may have internet problems or problems accessing something. Simply reboot the computer.

#8
dannwebb

dannwebb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello,

I have followed your instructions carefully again. This step was scary. I get nervous when something wants to delete dlls. But I armed myself with a restore point, a manual backup, and a lot of reading about what might happen, and forged ahead.

I had a bit of a problem disabling OfficeScan. ComboFix threw a warning that one element was still running; I looked in Services, and in Process Explorer, but couldn't find anything else to kill off.

The ComboFix log is pasted below. I edited my username, my domain, and a domain server name.

I have done a few test searches, and the offending warning about a blocked website is no longer occurring. Looks like a success story to me!!

What exactly was this, and where did it live? And what exactly did ComboFix do to fix/repair the damage?

Thank you thank you so much for your help. Does it look clean to you now?

(As an aside, the best thing about this episode is that it weaned me off Google search for a while; there are some impressive alternatives.)


=========================

ComboFix 12-02-25.02 - myusername 27/02/2012 11:03:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1993.1423 [GMT 11:00]
Running from: c:\documents and settings\myusername\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {6DB014A5-2B5C-4101-BB0B-34070CFCEA92}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {BE28886F-7B36-4353-B9B1-B9F06CE4C70B}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\myusername\.uc-42e4eabe42a5e7e55a3c92a64e752ad0.myusername.it11298.tmp
c:\documents and settings\myusername\Local Settings\Application Data\assembly\tmp
c:\documents and settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll
c:\documents and settings\myusername\WINDOWS
C:\driver
c:\driver\S-1-4-89-654352344-54323413-6452342-4545\Desktop.ini
c:\windows\dasetup.log
c:\windows\system32\PowerToyReadme.htm
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-24 04:34 . 2012-02-24 04:34 -------- d-----w- c:\program files\NirSoft
2012-02-23 22:57 . 2012-02-23 22:57 -------- d-----w- C:\_OTL
2012-02-15 22:58 . 2012-02-20 00:14 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-02-15 22:58 . 2012-02-20 00:14 834840 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2012-02-15 00:54 . 2008-04-13 18:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-02-15 00:54 . 2008-04-13 18:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-13 03:19 . 2012-02-13 03:19 -------- d-----w- c:\documents and settings\myusername\Application Data\Malwarebytes
2012-02-13 03:19 . 2012-02-13 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-13 03:19 . 2012-02-13 03:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-13 03:19 . 2011-12-10 04:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-12 23:23 . 2012-02-12 23:25 -------- d-----w- c:\program files\SpywareBlaster
2012-02-08 21:26 . 2012-02-27 00:07 -------- d-----w- c:\documents and settings\myusername\Local Settings\Application Data\lanCommsTray
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 04:59 . 2012-01-27 06:01 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-01-27 04:59 . 2012-01-27 04:59 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-25 04:48 . 2012-01-25 04:48 388096 ----a-r- c:\documents and settings\myusername\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-05 03:16 . 2011-12-05 03:17 25 ----a-w- C:\shutdowncathystop.bat
2011-12-05 03:16 . 2011-12-05 03:17 33 ----a-w- C:\shutdowncathy.bat
2010-10-12 05:33 . 2010-10-12 05:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-10-12 07:15 . 2010-10-12 07:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-10-12 05:37 . 2010-10-12 05:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-10-12 05:35 . 2010-10-12 05:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-10-12 05:34 . 2010-10-12 05:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-10-12 05:32 . 2010-10-12 05:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-10-12 05:35 . 2010-10-12 05:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-10-12 05:34 . 2010-10-12 05:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-10-29 01:50 . 2010-10-29 01:50 101768 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2010-03-30 23:09 . 2010-03-30 23:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2010-04-08 01:36 . 2010-04-08 01:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2010-07-14 01:42 . 2010-07-14 01:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-10-12 05:37 . 2010-10-12 05:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-03-30 23:09 . 2010-03-30 23:09 10437264 ----a-w- c:\program files\opera\program\plugins\PDFNetC.dll
2010-04-08 01:36 . 2010-04-08 01:36 107760 ----a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
2012-02-20 00:14 . 2012-02-15 22:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\myusername\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\myusername\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\myusername\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\myusername\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xmarks"="c:\program files\Xmarks\IE Extension\xmarkssync.exe" [2010-04-18 1048576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-08 1044480]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-12 172032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-12 143360]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-10-15 866592]
"Mouse Suite 98 Daemon"="c:\program files\Lenovo\Mouse Suite\ICO.EXE" [2009-11-06 98304]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]
.
c:\documents and settings\myusername\Start Menu\Programs\Startup\
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2011-7-27 13002608]
PowerReg Scheduler.exe [2011-5-2 233472]
.
[http://www.mydomain/...h/?doc_id=6336]
.
[http://www.mydomain/...m?doc_id=12577]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\documents and settings\myusername\Application Data\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-14722\Scripts\Logon\0\0]
"Script"=\\mydomainserver\netinst$\mappingsBYcomp\mapbyComp_group1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-14722\Scripts\Logon\1\0]
"Script"=\\mydomainserver\netinst$\PowerSettings\Powerconfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-14722\Scripts\Logon\2\0]
"Script"=\\mydomainserver\netinst$\Mappings\mapbygroup1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-14722\Scripts\Logon\3\0]
"Script"=\\mydomainserver\netinst$\swaudit\ezaudit.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-14722\Scripts\Logon\4\0]
"Script"=\\mydomainserver\netlogon\GPOlogon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-25644\Scripts\Logon\0\0]
"Script"=\\mydomainserver\netinst$\mappingsBYcomp\mapbyComp_group1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-25644\Scripts\Logon\1\0]
"Script"=\\mydomainserver\netinst$\FontNewRCH\RegistryCleartypeEnable.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-25644\Scripts\Logon\2\0]
"Script"=\\mydomainserver\netlogon\GPOlogon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-25644\Scripts\Logon\3\0]
"Script"=\\mydomainserver\netinst$\swaudit\ezaudit.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-25644\Scripts\Logon\4\0]
"Script"=\\mydomainserver\netinst$\PowerSettings\Powerconfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-25644\Scripts\Logon\5\0]
"Script"=\\mydomainserver\netinst$\Mappings\mapbygroup1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-37172\Scripts\Logon\0\0]
"Script"=\\mydomainserver\netinst$\PowerSettings\Powerconfig.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-37172\Scripts\Logon\1\0]
"Script"=\\mydomainserver\netinst$\swaudit\ezaudit.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2100782434-1583570100-1912232085-37172\Scripts\Logon\2\0]
"Script"=\\mydomainserver\netlogon\GPOlogon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^myusername^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\myusername\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^myusername^Start Menu^Programs^Startup^Spoon Sandbox Manager 3.24.lnk]
path=c:\documents and settings\myusername\Start Menu\Programs\Startup\Spoon Sandbox Manager 3.24.lnk
backup=c:\windows\pss\Spoon Sandbox Manager 3.24.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^myusername^Start Menu^Programs^Startup^Spoon Sandbox Manager 3.25.lnk]
path=c:\documents and settings\myusername\Start Menu\Programs\Startup\Spoon Sandbox Manager 3.25.lnk
backup=c:\windows\pss\Spoon Sandbox Manager 3.25.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-08-30 03:24 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 11:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 16:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-26 20:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-10-12 06:24 304568 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FujiSynapseBridge]
2010-02-21 13:40 230784 ----a-w- c:\program files\Fuji Medical System\Synapse\Workstation\FujiSynapseBridge.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-12 13:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperCut MF Client]
2010-03-25 06:07 208896 ----a-w- c:\program files\PaperCut MF Client\pc-client.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 07:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 02:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synapse URLSearchHook Configuration]
2010-04-28 07:15 3245440 ----a-w- c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFld.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\myusername\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"61708:TCP"= 61708:TCP:Trend Micro OfficeScan Listener
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [28/03/2008 11:14 AM 24064]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [14/07/2010 12:51 PM 65584]
R2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe [22/02/2010 12:55 AM 197120]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [26/11/2008 5:42 PM 36624]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [9/04/2009 6:01 PM 2054680]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/06/2008 11:58 AM 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23/07/2008 12:31 PM 44800]
R3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\PELPS2M.SYS [28/10/2009 9:30 AM 19818]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [22/03/2010 9:34 AM 341584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/04/2010 3:53 PM 136176]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [26/11/2008 5:42 PM 262416]
S3 DHEAPDMP;DHEAPDMP;c:\windows\system32\drivers\dheapdmp.sys [30/04/2010 11:38 AM 17128]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [27/04/2010 3:53 PM 136176]
S3 HPKBCCID;HP Keyboard Smart Card Driver;c:\windows\system32\drivers\HPKBCCID.sys [9/04/2009 4:02 PM 46976]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [23/12/2011 7:12 AM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [23/12/2011 7:12 AM 15232]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\drivers\Stc2Dfu.sys [25/10/2004 1:04 AM 7796]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 1:37 PM 517096]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [28/07/2010 12:05 PM 52304]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [22/03/2010 9:34 AM 497008]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [22/11/2008 10:01 AM 689416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/08/2004 1:56 AM 14336]
S4 Hpnmpppm;Hpnmpppm; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP111
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 01:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-22 04:59]
.
2012-02-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-DOMAIN-myusername.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-12-02 16:44]
.
2012-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 06:57]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 03:21]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 03:21]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2100782434-1583570100-1912232085-25644Core.job
- c:\documents and settings\myusername\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-28 05:06]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2100782434-1583570100-1912232085-25644UA.job
- c:\documents and settings\myusername\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-28 05:06]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 172.16.100.33 172.16.100.24
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://rch-synapse
FF - ProfilePath - c:\documents and settings\myusername\Application Data\Mozilla\Firefox\Profiles\974fls0h.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo (SSL)
FF - prefs.js: browser.startup.homepage - hxxp://www.mydomain/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-compatUserPath - c:\documents and settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-MESOL - c:\windows\system32\mesoludlg.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-27 11:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05BDC38E-5493-487a-A7FF-8CF2246ABC13}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Background Task Scheduler"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05BDC38E-5493-487a-A7FF-8CF2246ABC13}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="URL Shortcut PropSetStorage Mapping"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance]
"CLSID"="{942bc614-676c-464e-b384-d3202aaa02da}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07C45BB1-4A8C-4642-A1F5-237E7215FF66}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Microsoft BrowserBand"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{07C45BB1-4A8C-4642-A1F5-237E7215FF66}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1C1EDB47-CE22-4bbb-B608-77B48F83C823}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Fade Task"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1C1EDB47-CE22-4bbb-B608-77B48F83C823}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1D1F0730-0748-4b5f-81DF-865694BD07AC}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE OrderListExport"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1D1F0730-0748-4b5f-81DF-865694BD07AC}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{205D7A97-F16D-4691-86EF-F3075DCCA57D}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Menu Desk Bar"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{205D7A97-F16D-4691-86EF-F3075DCCA57D}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2183DACA-D0BF-4a31-97F7-B87618A81955}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Shared Task Scheduler"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2183DACA-D0BF-4a31-97F7-B87618A81955}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3028902F-6374-48b2-8DC6-9725E775B926}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE AutoComplete"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3028902F-6374-48b2-8DC6-9725E775B926}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{34a3d570-67d9-4265-a9ee-8c3fa3dfeccf}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="TravelLog"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{34a3d570-67d9-4265-a9ee-8c3fa3dfeccf}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3e71f26d-136f-4545-813f-35276024b705}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="XML Feed Subscribe Dialog"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3e71f26d-136f-4545-813f-35276024b705}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{43886CD5-6529-41c4-A707-7B3C92C05E68}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Navigation Bar"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{43886CD5-6529-41c4-A707-7B3C92C05E68}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{447EDBE5-0080-4036-A0BB-7B84C58C604F}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IEDataObjectWrapper"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{447EDBE5-0080-4036-A0BB-7B84C58C604F}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44C76ECD-F7FA-411c-9929-1B77BA77F524}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Menu Site"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44C76ECD-F7FA-411c-9929-1B77BA77F524}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4B78D326-D922-44f9-AF2A-07805C2A3560}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Menu Band"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4B78D326-D922-44f9-AF2A-07805C2A3560}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{528d46b3-3a4b-4b13-bf74-d9cbd7306e07}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="XML Feed Document"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{528d46b3-3a4b-4b13-bf74-d9cbd7306e07}\InProcServer32]
@="c:\\WINDOWS\\system32\\ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{528d46b3-3a4b-4b13-bf74-d9cbd7306e07}\ProgID]
@="xmlfile"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53510d24-57eb-4713-9afb-e6e60530b87e}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE RSS Feeds Tasks"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53510d24-57eb-4713-9afb-e6e60530b87e}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{553858A7-4922-4e7e-B1C1-97140C1C16EF}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Component Categories cache daemon"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{553858A7-4922-4e7e-B1C1-97140C1C16EF}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6038EF75-ABFC-4e59-AB6F-12D397F6568D}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Microsoft History AutoComplete List"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6038EF75-ABFC-4e59-AB6F-12D397F6568D}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Tracking Shell Menu"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CF48EF8-44CD-45d2-8832-A16EA016311B}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6CF48EF8-44CD-45d2-8832-A16EA016311B}\InProcServer32]
@="c:\\WINDOWS\\system32\\ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73CFD649-CD48-4fd8-A272-2070EA56526B}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE BandProxy"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73CFD649-CD48-4fd8-A272-2070EA56526B}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{75847177-f077-4171-bd2c-a6bb2164fbd0}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Private Profile Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{75847177-f077-4171-bd2c-a6bb2164fbd0}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8E989135-2736-4767-8160-EA3613F69D24}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IEDropSourceWrapper"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8E989135-2736-4767-8160-EA3613F69D24}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9271516F-F860-4a02-8F0C-BDAF8A5D13A4}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Toolbar Extension for Executable"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9271516F-F860-4a02-8F0C-BDAF8A5D13A4}\InprocServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{942bc614-676c-464e-b384-d3202aaa02da}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="INI Property Set Storage Handler"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{942bc614-676c-464e-b384-d3202aaa02da}\InProcServer32]
@=expand:"ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE MRU AutoComplete List"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9a096bb5-9dc3-4d1c-8526-c3cbf991ea4e}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE RSS Feeds Folder"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9a096bb5-9dc3-4d1c-8526-c3cbf991ea4e}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9a096bb5-9dc3-4d1c-8526-c3cbf991ea4e}\ShellFolder]
"Attributes"=dword:a0000000
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9c7a1728-b694-427a-94a2-a1b2c60f0360}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9c7a1728-b694-427a-94a2-a1b2c60f0360}\InProcServer32]
@=expand:"%SystemRoot%\\system32\\ieframe.dll"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Microsoft Shell Folder AutoComplete List"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9FAE1230-74AC-4e33-B59C-4051BBEB0803}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Browser Thread Handshake"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9FAE1230-74AC-4e33-B59C-4051BBEB0803}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Both"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A6B222AB-A5EA-4899-B230-084657EDDC7D}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Browser Thread State"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A6B222AB-A5EA-4899-B230-084657EDDC7D}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AA0AF823-B0D0-40c7-AE77-F13B14D9FFAE}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Toolbar Extension for Bands"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AA0AF823-B0D0-40c7-AE77-F13B14D9FFAE}\InprocServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AAC2B978-266D-48ae-AA28-60A3EBB872D0}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE RSS FeedFolder Tasks"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AAC2B978-266D-48ae-AA28-60A3EBB872D0}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ACE52D03-E5CD-4b20-82FF-E71B11BEAE1D}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Shell Name Space ListView"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ACE52D03-E5CD-4b20-82FF-E71B11BEAE1D}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B31C5FAE-961F-415b-BAF0-E697A5178B94}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Microsoft Multiple AutoComplete List Container"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B31C5FAE-961F-415b-BAF0-E697A5178B94}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Microsoft Browser Architecture"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}\ShellFolder]
"Attributes"=dword:a0000050
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Shell Rebar BandSite"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C21B45B8-5D76-4575-BA27-54823098C491}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Microsoft Docking Bar Property Bag"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C21B45B8-5D76-4575-BA27-54823098C491}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]
@Class="REG_SZ"
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="PSFactoryBuffer"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
@Class="REG_SZ"
@="ieproxy.dll"
"ThreadingModel"="Both"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DC651A43-0720-4a2b-9971-BD2EF1329A3D}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Component Categories conditional cache daemon"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DC651A43-0720-4a2b-9971-BD2EF1329A3D}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Browser Application State"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E6EE9AAC-F76B-4947-8260-A9F136138E11}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Shell Band Site Menu"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E6EE9AAC-F76B-4947-8260-A9F136138E11}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ed72f0d2-b701-4c53-adc3-f2fb59946dd8}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="ProtectedModeAPI"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ed72f0d2-b701-4c53-adc3-f2fb59946dd8}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2CF5485-4E02-4f68-819C-B92DE9277049}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="&Links"
"MenuTextPUI"="@ieframe.dll,-13138"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2CF5485-4E02-4f68-819C-B92DE9277049}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Registry Tree Options Utility"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE User Assist"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Both"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FADE020C-B6CB-400b-B794-5A51C9A5F6D0}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Microsoft CommBand"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FADE020C-B6CB-400b-B794-5A51C9A5F6D0}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IE Custom MRU AutoCompleted List"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ffd90217-f7c2-4434-9ee1-6f1b530db20f}]
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="XML Feed Moniker"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ffd90217-f7c2-4434-9ee1-6f1b530db20f}\InProcServer32]
@="ieframe.dll"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{02BA3B52-0547-11D1-B833-00C04FC9B31F}]
@Denied: (A 2) (PowerUsers)
@Denied: (A 2) (Administrators)
@="IBrowserService"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{02BA3B52-0547-11D1-B833-00C04FC9B31F}\NumMethods]
@="33"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{02BA3B52-0547-11D1-B833-00C04FC9B31F}\ProxyStubClsid32]
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{13162E4E-D40C-4A6D-8340-CCE73E87A38A}]
@Class="REG_SZ"
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="IBrowserFrame"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{13162E4E-D40C-4A6D-8340-CCE73E87A38A}\NumMethods]
@Class="REG_SZ"
@="16"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{13162E4E-D40C-4A6D-8340-CCE73E87A38A}\ProxyStubClsid32]
@Class="REG_SZ"
@="{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6312F983-7C1B-4080-98B1-98E463B5EC74}]
@Denied: (A 2) (PowerUsers)
@Denied: (A 2) (Administrators)
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6312F983-7C1B-4080-98B1-98E463B5EC74}\ProxyStubClsid32]
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{66A9CB08-4802-11D2-A561-00A0C92DBFE8}]
@Denied: (A 2) (PowerUsers)
@Denied: (A 2) (Administrators)
@="ITravelLog"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{66A9CB08-4802-11D2-A561-00A0C92DBFE8}\NumMethods]
@="14"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{66A9CB08-4802-11D2-A561-00A0C92DBFE8}\ProxyStubClsid32]
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{83E7A2AB-486C-466D-AF9C-652713DBBFB2}]
@Class="REG_SZ"
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="ITabBrowserService"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{83E7A2AB-486C-466D-AF9C-652713DBBFB2}\NumMethods]
@Class="REG_SZ"
@="6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{83E7A2AB-486C-466D-AF9C-652713DBBFB2}\ProxyStubClsid32]
@Class="REG_SZ"
@="{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{92549FB6-2504-4018-83C5-0A950DF000F2}]
@Class="REG_SZ"
@Denied: (A 2) (PowerUsers)
@Denied: (A 2) (Administrators)
@="ITravelLogUI"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{92549FB6-2504-4018-83C5-0A950DF000F2}\NumMethods]
@Class="REG_SZ"
@="6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{92549FB6-2504-4018-83C5-0A950DF000F2}\ProxyStubClsid32]
@Class="REG_SZ"
@="{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9BAB3405-EE3F-4040-8836-25AA9C2D408E}]
@Class="REG_SZ"
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="ITabWindow"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9BAB3405-EE3F-4040-8836-25AA9C2D408E}\NumMethods]
@Class="REG_SZ"
@="28"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9BAB3405-EE3F-4040-8836-25AA9C2D408E}\ProxyStubClsid32]
@Class="REG_SZ"
@="{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CAE57FE7-5E06-4804-A285-A985E76708CD}]
@Class="REG_SZ"
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="ITabWindowManager"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CAE57FE7-5E06-4804-A285-A985E76708CD}\NumMethods]
@Class="REG_SZ"
@="17"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CAE57FE7-5E06-4804-A285-A985E76708CD}\ProxyStubClsid32]
@Class="REG_SZ"
@="{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
.
Completion time: 2012-02-27 11:10:21
ComboFix-quarantined-files.txt 2012-02-27 00:10
.
Pre-Run: 105,951,080,448 bytes free
Post-Run: 106,408,894,464 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows" /noexecute=optin /fastdetect
.
- - End Of File - - A5119BF1476017EA74C5FA3EC30CBDB1
  • 0
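The lines a removal helper reads first in a log like the one above are the scheduled-task targets and the "ORPHANS REMOVED" entries, asking one question of each: does the target live somewhere a standard user can write? Here is that triage written out as an added Python example (it is not part of the thread and not ComboFix's own code). The sample text is copied from the log posted above; the section headings and line shapes the parser assumes are inferred from that log, not from any ComboFix documentation.

```python
"""Triage ComboFix autostart entries for user-writable target paths.

Added example, not part of the original thread and not ComboFix's own code.
It parses the 'Scheduled Tasks' and 'ORPHANS REMOVED' sections as ComboFix
prints them and flags entries whose target lives under a per-user profile
directory that a standard user can write to, which is the first thing a
removal helper looks for when reading such a log by eye. The sample text
is copied from the log posted in the thread.
"""
import re

# Assumed line shapes (taken from the posted log):
#   <date> <task path>.job          then   - <target path> [<timestamp>]
#   <registry key or hint> - <target path>      in the orphans section
JOB_RE = re.compile(r"^\S+ (?P<job>.+\.job)$")
TARGET_RE = re.compile(r"^- (?P<path>.+?) \[[^\]]*\]$")
ORPHAN_RE = re.compile(r"^(?P<key>\S+) - (?P<path>.+)$")

# Windows XP per-user locations writable without elevation.
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)

# Constructed sample: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
.
2012-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-22 04:59]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2100782434-1583570100-1912232085-25644Core.job
- c:\documents and settings\myusername\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-28 05:06]
.
------- Supplementary Scan -------
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-compatUserPath - c:\documents and settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
.
**************************************************************************
"""


def is_user_writable(path):
    """True if the path sits in one of the per-user directories above."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def parse_entries(log_text):
    """Return autostart entries as dicts with kind, name, path and flagged."""
    entries = []
    section = None
    job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            section, job = "tasks", None
            continue
        if "ORPHANS REMOVED" in line:
            section = "orphans"
            continue
        if line.startswith("-------") or line.startswith("*****"):
            section = None  # another ComboFix section begins
            continue
        if section == "tasks":
            m = JOB_RE.match(line)
            if m:
                job = m.group("job").rsplit("\\", 1)[-1]  # keep the .job file name
                continue
            m = TARGET_RE.match(line)
            if m and job:
                path = m.group("path")
                entries.append({"kind": "task", "name": job, "path": path,
                                "flagged": is_user_writable(path)})
                job = None
        elif section == "orphans":
            m = ORPHAN_RE.match(line)
            if m and m.group("path") != "(no file)":  # nothing left on disk to look at
                path = m.group("path")
                entries.append({"kind": "orphan", "name": m.group("key"),
                                "path": path, "flagged": is_user_writable(path)})
    return entries


def flagged_names(log_text):
    """Names of entries whose target lives in a user-writable directory."""
    return [e["name"] for e in parse_entries(log_text) if e["flagged"]]


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_LOG):
        mark = "FLAG" if entry["flagged"] else "ok  "
        print(mark, entry["kind"], entry["name"], "->", entry["path"])
```

On the posted log this flags the per-user GoogleUpdate task, which is the standing false positive for this heuristic (Google's per-user updater installs under Local Settings\Application Data by design), and the HKCU Run entry for lanCommsTray\compatUserPath.dll, the file that ESET later in this thread reports as a Win32/Sefnit variant. The check orders what to look at first; it is a triage filter, not a verdict.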

#9 WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Hi,

Sorry for the delay.

C:\shutdowncathystop.bat
C:\shutdowncathy.bat

Do you know these files?

What exactly was this, and where did it live? And what exactly did ComboFix do to fix/repair the damage?

ComboFix removed some files that were probably related to the redirection that you were facing.
  • 0

#10 dannwebb (New Member, Topic Starter, 7 posts)
Yes, I know those files; they are mine. There are a bunch of them. I had removed them from previous logs, but must have missed those. They are simply a scheduled remote shutdown (and a 'stop' in case I trigger it accidentally).

And yes, I realise combofix removed files, thanks.

So, do you think it looks all good now?

I want to thank you again for your help, especially considering your initial reluctance due to it not being a private machine. Your instructions were clear and easy to follow, and I appreciate your efforts.

Edited by dannwebb, 28 February 2012 - 04:45 PM.

  • 0

#11 WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Disable your antivirus software
  • Access the Eset Online Scanner website using the Internet Explorer browser.
    http://www.eset.com/...escan/index.php
  • Do the scan according to the image.
  • At the end, check the box "Delete Quarantined files" and click [FINISH]
  • A log will be generated in C:\Program Files\EsetOnlineScanner\Log.txt
    PS: If you don't find the log.txt file in \EsetOnlineScanner\, look in \Program Files\Eset\EsetOnlineScanner\log.txt
  • Post that log.


  • 0

#12 dannwebb (New Member, Topic Starter, 7 posts)
Eset log follows.

"Sleepy" is a little automatic shutdown utility that I used about 5 years ago. I stopped using it (in favour of scheduled shutdown .bats instead) 2 years ago because Trend started reporting it as a problem.

thanks.

----------------------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17106 (vista_gdr.111024-1604)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=29c33d02a16e4943a66e719dd22ca31f
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-01 12:00:12
# local_time=2012-03-01 11:00:12 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 2251818 2251818 0 0
# compatibility_mode=8192 67108863 100 0 285 285 0 0
# scanned=229247
# found=8
# cleaned=8
# scan_time=6097
C:\download\sleepy50k_setup.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\download\vitalapps\sleepy50k_setup.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll.vir probably a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP636\A0078685.dll probably a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP657\A0080629.dll a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP669\A0082492.dll probably a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP671\A0082962.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP671\A0082963.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
  • 0
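A small parser for the ESET Online Scanner log format shown above, as an added example (it is not from the thread and not ESET's own code). It reads the "# key=value" header and the detection lines, then splits the detections by where each file sat when the scanner found it: still live on disk, already inside ComboFix's Qoobox quarantine, or inside an old System Restore snapshot. That split is what decides the follow-up. The sample is copied from the posted log; the line format is inferred from that log, not taken from an ESET specification.

```python
"""Summarise an ESET Online Scanner log by where each detection lives.

Added example; it is not part of the original thread and not ESET's code. It
reads the '# key=value' header and the per-detection lines the scanner writes,
then groups detections into live files, ComboFix's Qoobox quarantine and
System Restore snapshots, the split that decides the follow-up (purge restore
points, or clean a file that is still active). The sample text is copied from
the log posted above; the line format is inferred from that log, not taken
from an ESET specification.
"""
import re
from collections import Counter

# Assumed detection line shape:
#   <path> <threat description> (<action>) <32-hex hash> <flag>
# ESET names families as Platform/Family.Variant and Windows paths never
# contain '/', so the first 'X/Y' token marks where the path ends.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ [a-z ]+?) "
    r"\((?P<action>[^)]+)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/\S+")

# Constructed sample: header trimmed, detection lines copied from the posted log.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# utc_time=2012-03-01 12:00:12
# compatibility_mode=512 16777215 100 0 2251818 2251818 0 0
# compatibility_mode=8192 67108863 100 0 285 285 0 0
# scanned=229247
# found=8
# cleaned=8
# scan_time=6097
C:\download\sleepy50k_setup.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\download\vitalapps\sleepy50k_setup.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\myusername\Local Settings\Application Data\lanCommsTray\compatUserPath.dll.vir probably a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP636\A0078685.dll probably a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP657\A0080629.dll a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP669\A0082492.dll probably a variant of Win32/Sefnit.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP671\A0082962.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E162CD92-4A24-4709-AD58-D5EBC866B0F1}\RP671\A0082963.exe a variant of Win32/Agent.QSH trojan (deleted - quarantined) 00000000000000000000000000000000 C
"""


def classify(path):
    """Bucket a detection by where the file sat when ESET found it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"        # old System Restore snapshot
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"  # already neutralised by ComboFix
    return "live"                     # still in a normal on-disk location


def parse_log(log_text):
    """Return (header dict, detection dicts, lines that matched neither)."""
    header, detections, unparsed = {}, [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key] = value  # repeated keys (compatibility_mode) keep the last value
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["location"] = classify(d["path"])
            d["family"] = FAMILY_RE.search(d["threat"]).group(0)
            detections.append(d)
        else:
            unparsed.append(line)
    return header, detections, unparsed


def summarize(log_text):
    """The counts a helper wants before deciding the next step."""
    header, detections, unparsed = parse_log(log_text)
    found = int(header.get("found", 0))
    return {
        "found": found,
        "cleaned": int(header.get("cleaned", 0)),
        "detections": detections,
        "by_location": dict(Counter(d["location"] for d in detections)),
        "families": sorted({d["family"] for d in detections}),
        "live_paths": [d["path"] for d in detections if d["location"] == "live"],
        # A mismatch means a detection line the regex did not understand; check 'unparsed'.
        "header_consistent": found == len(detections),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("found", s["found"], "cleaned", s["cleaned"], "consistent", s["header_consistent"])
    print("by location", s["by_location"])
    print("families", s["families"])
    for p in s["live_paths"]:
        print("live:", p)
```

On the posted log this gives two live files (both copies of sleepy50k_setup.exe, which the poster identifies as his own old shutdown utility), one file already in ComboFix's Qoobox quarantine (the lanCommsTray DLL), and five copies inside System Restore points, which is why the follow-up instructions have the user purge old restore points. The header_consistent flag is worth keeping: the header's found= value counts every detection the scanner wrote, so a mismatch means a line the regex did not understand rather than a clean result.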

#13 WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean

The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the CleanUp button. It will remove all the programmes we have used plus itself.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • Go to Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe.
  • 0

#14 dannwebb (New Member, Topic Starter, 7 posts)
Thanks. I followed all these steps, and will report back if there are any problems.

Just a quick word about a couple of things...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.


I will upgrade Java, but must keep one old version as well. It is required to run a vital application (an Integrated Library System). Our advice from the vendor is to leave this version, but that updates can just sit on top of it. I realise it's not ideal, but that situation rests with those higher up the decision-making tree than I am.

To manually create a new Restore Point
...

Now we can purge the infected ones
...


Those instructions must be for a different operating system than what I'm using. I'm on XP. However, I figured out what was being done here, and I'm sure I've done the right thing, just in a slightly different way.

Thank you for your advice on keeping clean in the future. All firewall, AV, and Windows Updates are managed and pushed from my network, so that's usually all under control. It's just that in this one particular case, user error was to blame and this thing got through.

Thanks again for the work you put in on this; your efforts are very much appreciated.

cheers!
  • 0

#15 NeonFx (Malware Removal Dude, Expert, 3,798 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
