I have a pretty tough one that I have been unable to crack and I’m hoping the experts here at GeeksToGo can help me out.
I first became aware of the situation back in June when a user notified me that her Google and Bing searches were being redirected. At that time she had been having the problem for “a while now”. I have gone through various troubleshooting steps and scans over the past several months with no success. Most of her web browsing is done using favorites so it hasn’t been a big issue for her to not have internet search capability, but it still needs to be resolved (especially for my own sanity). Other popular search engines are also not working, but I have mostly just used Bing and Google for troubleshooting.
Below is a list of steps and symptoms I have used so far to troubleshoot.
- Computer OS is Windows XP Pro SP3 and is using Vipre Business Antivirus
- Pinging www.google.com and www.bing.com resolves to 87.125.87.99 (early in the troubleshooting process it seems like that IP may have changed, but it has been the same for the past couple of months)
- I have deleted and recreated a fresh hosts file
- I have verified the registry is pointing to the correct hosts file location
- The network adapter is properly configured to use DHCP and ipconfig /all is showing the appropriate DNS servers.
- I have flushed the local DNS cache with ipconfig /flushdns
- NSLookup to Bing or Google fails to resolve (although resolves just fine from other workstations using the local DNS server)
- No proxies are being used under LAN Settings of the Internet Properties
- All temp and temporary internet files have been removed
- Didn’t recognize any strange files in the Application Data or Local Settings folders or subfolders
- I have run multiple scans with the installed Vipre AV, and also with Malwarebytes, TDSSKiller and ComboFix, all of which have come back CLEAN. I have also tried a few others here and there, but these four have been run multiple times. (Just for thoroughness, I have run both TDSSKiller and ComboFix after changing the executable name. You’ll notice this with JimBoFix.exe in the OTL log below.)
- It is also worth mentioning that the computer has been infected with a couple of small viruses here and there since the DNS hijacking, but nothing a quick process kill, file cleanup and quick Malwarebytes scan couldn’t take care of. Subsequent scans yield nothing, yet the Google and Bing redirects still exist.
I am at my wit’s end with this one and am really hoping you guys may have some suggestions for me. Thanks in advance guys, I’m counting on you!
(And yes, in case you were wondering, I have changed the computer and domain names in the OTL log for privacy.)
OTL logfile created on: 11/28/2012 10:50:27 PM - Run 2
OTL by OldTimer - Version 3.2.61.5 Folder = C:\PCT
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.50 Gb Total Physical Memory | 2.53 Gb Available Physical Memory | 72.23% Memory free
5.34 Gb Paging File | 4.61 Gb Available in Paging File | 86.49% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.43 Gb Total Space | 47.92 Gb Free Space | 64.39% Space Free | Partition Type: NTFS
Drive O: | 837.25 Gb Total Space | 424.43 Gb Free Space | 50.69% Space Free | Partition Type: NTFS
Drive Q: | 837.25 Gb Total Space | 424.43 Gb Free Space | 50.69% Space Free | Partition Type: NTFS
Drive R: | 837.25 Gb Total Space | 424.43 Gb Free Space | 50.69% Space Free | Partition Type: NTFS
Computer Name: ComputerName | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\PCT\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe (GFI Software)
PRC - C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe (GFI Software)
PRC - C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe (GFI Software)
PRC - C:\Program Files\SAAZOD\zRealTime\rtHlpDk.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\zRealTime\rtdrHlpDk.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\SAAZOD\SAAZWatchDog.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\SAAZDPMACTL.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\SAAZOD\SAAZScheduler.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
PRC - C:\Program Files\SAAZOD\SAAZServerPlus.exe (Zenith Infotech Ltd)
PRC - C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
PRC - C:\WINDOWS\system32\PGPserv.exe (PGP Corporation)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe (PFU LIMITED)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Symantec\Ghost\ngctw32.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
PRC - C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe (SonicWALL Inc.)
PRC - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe (SonicWALL Inc.)
PRC - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
========== Modules (No Company Name) ==========
MOD - C:\Program Files\GFI Software\GFIAgent\Definitions\libMachoUniv.dll ()
MOD - C:\Program Files\GFI Software\GFIAgent\Definitions\libBase64.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\9080c8e8e7b6dfb502c1328673d636f8\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\92d58f840f549f9bd880783d43db7e3c\System.Runtime.Remoting.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - C:\Program Files\GFI Software\GFIAgent\vipre.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuSsConfig.dll ()
MOD - C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardPath.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuSsExtention.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuUpdater.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\P2IATRES.DLL ()
MOD - C:\WINDOWS\system32\preflib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Dell\QuickSet\dadkeyb.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\SSsltsa.dll ()
MOD - C:\Program Files\GFI Software\GFIAgent\unrar.dll ()
MOD - C:\Program Files\Dell\QuickSet\preflibcl.dll ()
MOD - C:\WINDOWS\SSDriver\fi5110\fjiplA6.dll ()
MOD - C:\WINDOWS\SSDriver\fi5110\fjipl.dll ()
MOD - C:\Program Files\PFU\ScanSnap\Driver\PfuSsImgIO.dll ()
========== Services (SafeList) ==========
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (SBAMSvc) -- C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe (GFI Software)
SRV - (SBPIMSvc) -- C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe (GFI Software)
SRV - (SAAZapsc) -- C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe (Zenith Infotech Ltd)
SRV - (SAAZappr) -- C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe (Zenith Infotech Ltd)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (SAAZWatchDog) -- C:\Program Files\SAAZOD\SAAZWatchDog.exe (Zenith Infotech Ltd)
SRV - (SAAZDPMACTL) -- C:\Program Files\SAAZOD\SAAZDPMACTL.exe (Zenith Infotech Ltd)
SRV - (SAAZRemoteSupport) -- C:\Program Files\SAAZOD\SAAZRemoteSupport.exe (Zenith Infotech Ltd)
SRV - (SAAZScheduler) -- C:\Program Files\SAAZOD\SAAZScheduler.exe (Zenith Infotech Ltd)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (SAAZServerPlus) -- C:\Program Files\SAAZOD\SAAZServerPlus.exe (Zenith Infotech Ltd)
SRV - (PGPserv) -- C:\WINDOWS\system32\PGPserv.exe (PGP Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (NGCLIENT) -- C:\Program Files\Symantec\Ghost\ngctw32.exe (Symantec Corporation)
SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
SRV - (tcsd_win32.exe) -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe ()
SRV - (SONICWALL_NetExtender) -- C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe (SonicWALL Inc.)
SRV - (WaveEnrollmentService) -- C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe (Wave Systems Corp.)
SRV - (TdmService) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
SRV - (SecureStorageService) -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe (Wave Systems Corp.)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (QuickBooksDB18) -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)
========== Driver Services (SafeList) ==========
DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\JimBobFix3\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\catchme.sys File not found
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (SbTis) -- C:\WINDOWS\system32\drivers\sbtis.sys (Sunbelt Software, Inc.)
DRV - (SBRE) -- C:\WINDOWS\system32\drivers\SBREDrv.sys (GFI Software)
DRV - (sbapifs) -- C:\WINDOWS\system32\drivers\sbapifs.sys (GFI Software)
DRV - (sbaphd) -- C:\WINDOWS\system32\drivers\sbaphd.sys (GFI Software)
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (PGPsdkDriver) -- C:\WINDOWS\system32\drivers\PGPsdk.sys (PGP Corporation)
DRV - (PGPdisk) -- C:\WINDOWS\System32\drivers\PGPdisk.sys (PGP Corporation)
DRV - (PGPwded) -- C:\WINDOWS\System32\drivers\PGPwded.sys (PGP Corporation)
DRV - (pgpfs) -- C:\WINDOWS\system32\drivers\PGPfsfd.sys (PGP Corporation)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (ACPI) -- C:\WINDOWS\system32\drivers\acpi.sys ()
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (guardian2) -- C:\WINDOWS\system32\drivers\oz776.sys (O2Micro)
DRV - (SSLDrv) -- C:\WINDOWS\system32\drivers\SSLDrv.sys (SonicWALL Inc.)
DRV - (WavxDMgr) -- C:\WINDOWS\system32\drivers\WavxDMgr.sys (Wave Systems Corp.)
DRV - (PBADRV) -- C:\WINDOWS\system32\drivers\PBADRV.sys (Dell Inc)
DRV - (WaveFDE) -- C:\WINDOWS\system32\drivers\WaveFDE.sys (Windows ® Codename Longhorn DDK provider)
DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)
DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (APPDRV) -- C:\WINDOWS\system32\drivers\APPDRV.SYS (Dell Inc)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081028
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081028
IE - HKLM\..\SearchScopes,DefaultScope = {C9D3A52F-DA0F-497C-BFD1-3886C86FF426}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081028
IE - HKCU\..\SearchScopes,DefaultScope = {94F63E4A-09D5-43FB-8091-3E234762C3B5}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{94F63E4A-09D5-43FB-8091-3E234762C3B5}: "URL" = http://www.google.co...1I7ADFA_enUS488
IE - HKCU\..\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
O1 HOSTS File: ([2012/11/28 22:18:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe (GFI Software)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe (SonicWALL Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk = C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk = C:\Program Files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk = C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)
O15 - HKLM\..Trusted Domains: itsupport247.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: itsupport247.net ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: itsupport247.net ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: itsupport247.net ([]https in Trusted sites)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} https://vpn.domainname.com/XTSAC.cab (XTSAC Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1231531925767 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1231531921635 (MUWebControl Class)
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} https://vpn.domainname.com/NELX.cab (NELaunchCtrl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} https://securemail.a.../TWDownload.cab (TWDownloader Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: CabCCT https://ondemand.app...Ctrl_Apptix.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.80.40.15 4.2.2.1 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainname.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2B57C707-A681-4B3A-891A-606A50F515E9}: DhcpNameServer = 10.80.40.15 4.2.2.1 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2B57C707-A681-4B3A-891A-606A50F515E9}: NameServer = 10.80.40.15,8.8.8.8
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\PGPmapih.dll) - C:\WINDOWS\system32\PGPmapih.dll (PGP Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\gemsafe: DllName - (C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll) - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012/11/28 10:55:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/11/28 10:08:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\administrator.DOMAINNAME\IECompatCache
[2012/11/28 09:03:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\WinRAR
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/11/28 22:33:40 | 000,116,711 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2012/11/28 22:33:39 | 000,116,711 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2012/11/28 22:29:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/28 22:18:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/11/28 22:06:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/11/28 21:53:02 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/28 21:53:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/28 14:31:41 | 000,001,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/11/28 10:54:26 | 000,000,355 | RHS- | M] () -- C:\boot.ini
[2012/11/28 10:48:48 | 000,514,378 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/28 10:48:48 | 000,098,722 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/28 10:44:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/28 10:43:58 | 3756,130,304 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/28 10:41:34 | 000,001,190 | ---- | M] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2012/11/28 10:39:52 | 000,006,506 | ---- | M] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\eb8f76cd-01ba-4175-8f97-43ad2979a762.crx
[2012/11/28 10:02:53 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B1EC0DE8-14E5-4B5D-AC05-C1B032978B7E}.job
[2012/11/08 08:08:04 | 000,083,912 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2012/11/08 08:08:03 | 000,092,072 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2012/11/08 08:08:03 | 000,031,144 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2012/11/05 14:49:37 | 000,004,672 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/11/28 10:41:34 | 000,001,190 | ---- | C] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2012/11/28 09:58:41 | 3756,130,304 | -HS- | C] () -- C:\hiberfil.sys
[2012/11/28 08:51:08 | 000,006,506 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\eb8f76cd-01ba-4175-8f97-43ad2979a762.crx
[2012/06/18 15:28:57 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/06/18 15:28:57 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/06/18 15:28:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/06/18 15:28:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/06/18 15:28:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/19 07:18:47 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/19 13:47:42 | 000,000,037 | ---- | C] () -- C:\WINDOWS\WEBICA.INI
[2010/12/01 10:35:06 | 000,000,161 | ---- | C] () -- C:\WINDOWS\DISPARAM.INI
[2010/11/30 10:36:05 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/11/12 11:55:07 | 000,002,161 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\Practice Management.G
[2008/11/12 11:55:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\Practice Management.G.L
[2008/11/12 11:46:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\administrator.DOMAINNAME\Local Settings\Application Data\WavXMapDrive.bat
[2008/11/12 11:45:41 | 000,004,672 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
========== LOP Check ==========
[2008/11/12 14:26:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Fujitsu
[2012/08/17 15:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\GFI Software
[2008/11/12 13:03:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Leadertech
[2008/11/12 13:44:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\PFU
[2009/02/13 12:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\PGP Corporation
[2010/11/22 16:22:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\ProSystem fx Practice Management
[2008/10/28 00:08:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Wave Systems Corp
[2012/08/17 15:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DOMAINNAME\Application Data\Windows Desktop Search
[2011/11/08 16:40:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/12/01 10:18:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2012/04/03 14:32:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GFI Software
[2010/12/01 14:27:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
[2012/11/28 08:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2008/10/28 00:03:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
[2009/02/13 12:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PGP Corporation
[2008/11/12 11:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ProSystem fx
[2012/01/24 10:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Raize
[2010/11/18 16:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VSoft
[2008/10/28 00:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2010/03/12 14:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2012/11/28 10:02:53 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B1EC0DE8-14E5-4B5D-AC05-C1B032978B7E}.job
========== Purity Check ==========
< End of report >
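As an added example (not part of the original post, and not code from GeeksToGo or from OTL), the script below automates two of the checks the post walks through by hand: it parses OTL "O17" lines and reports any statically configured NameServer entry that the DHCP server did not hand out, and it compares resolver answers from the affected host against a known-good host on the same LAN, flagging any single address that answers for several unrelated names. Every value in it is constructed: the O17 sample copies OTL's line format with placeholder GUIDs and addresses, and the resolver answers use documentation IP ranges rather than anything from the log above.

```python
"""Two checks for the DNS-redirect symptoms described in the post above.

Added example; not code from the post or from OTL. All sample values are
constructed placeholders modelled on the formats seen in the log.
"""
import re
from collections import defaultdict

# --- 1. OTL "O17" lines: DHCP-assigned vs statically configured name servers ---
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters"
    r"(?:\\Interfaces\\(\{[^}]+\}))?: (DhcpNameServer|NameServer) = (.*)$"
)

# Constructed sample in OTL's O17 format (placeholder GUID and addresses).
SAMPLE_O17 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.15 10.0.0.16
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}: DhcpNameServer = 10.0.0.15 10.0.0.16
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}: NameServer = 10.0.0.15,192.0.2.53
"""


def parse_o17(log_text):
    """Map each interface GUID (or 'global') to its DhcpNameServer / NameServer lists."""
    result = defaultdict(lambda: {"DhcpNameServer": [], "NameServer": []})
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # "Domain = ..." and non-O17 lines are skipped
        iface = m.group(1) or "global"
        # OTL prints DHCP servers space-separated and static ones comma-separated
        servers = [s for s in re.split(r"[ ,]+", m.group(3).strip()) if s]
        result[iface][m.group(2)] = servers
    return dict(result)


def static_overrides(parsed):
    """Statically set name servers (NameServer) that DHCP did not hand out.

    On a client meant to be pure DHCP, every entry returned here needs an
    explanation: a rewritten NameServer value looks exactly like this.
    """
    findings = []
    for iface, cfg in parsed.items():
        extra = [s for s in cfg["NameServer"] if s not in cfg["DhcpNameServer"]]
        if extra:
            findings.append((iface, extra))
    return findings


# --- 2. Resolver answers: unrelated names collapsing onto a single address ---
# Constructed answers from the affected host and from a known-good host on the
# same LAN (the post compares against other workstations the same way).
SAMPLE_LOCAL = {
    "www.google.com": "192.0.2.99",
    "www.bing.com": "192.0.2.99",
    "www.yahoo.com": "192.0.2.99",
    "www.example.org": "198.51.100.7",
    "mail.example.org": "198.51.100.7",
}
SAMPLE_REFERENCE = {
    "www.google.com": "203.0.113.10",
    "www.bing.com": "203.0.113.20",
    "www.yahoo.com": "203.0.113.30",
    "www.example.org": "198.51.100.7",
    "mail.example.org": "198.51.100.7",
}


def registrable_domain(hostname):
    """Crude site key: the last two labels (fine for .com/.net/.org style names)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def shared_answers(observations):
    """Addresses that answer for names from more than one registrable domain.

    Several unrelated search engines all resolving to one address, while the
    rest of the network gets normal answers, is the pattern the post describes.
    """
    by_ip = defaultdict(set)
    for host, ip in observations:
        if ip:  # names that failed to resolve (None) carry no address
            by_ip[ip].add(host.lower().rstrip("."))
    return {
        ip: sorted(hosts)
        for ip, hosts in by_ip.items()
        if len({registrable_domain(h) for h in hosts}) > 1
    }


def differing_answers(local, reference):
    """Names whose local answer (or failure, None) differs from the reference host."""
    return sorted(h for h, ip in local.items() if h in reference and ip != reference[h])


if __name__ == "__main__":
    for iface, extra in static_overrides(parse_o17(SAMPLE_O17)):
        print(f"static name server(s) not from DHCP on {iface}: {', '.join(extra)}")
    for ip, hosts in shared_answers(SAMPLE_LOCAL.items()).items():
        print(f"{ip} answers for unrelated names: {', '.join(hosts)}")
    print("answers differing from reference:", differing_answers(SAMPLE_LOCAL, SAMPLE_REFERENCE))
```

The reference answers should come from a machine that uses the same DNS server, as the post does with the other workstations; large sites return different addresses by region and over time, so comparing against a resolver elsewhere on the internet would produce false differences. A mismatch between the DhcpNameServer and NameServer lists only says that a static server was configured, not who configured it; it is a lead to explain, not a verdict.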