Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PC Browser pop-ups and link redirects - various broswers [Closed]


  • This topic is locked This topic is locked

#1
jolces

jolces

    Member

  • Member
  • PipPip
  • 53 posts
Hi All:

I am trying to clean up a laptop for basic internet usage. Its running Windows XP. With every browser I try, IE, firefox, safari, and chrome, I keep getting pop-ups and redirects when I click on links from a search engine (say enter a search for ESPN, click on the return link in google, and it browser redirects to some other site). In addition, the page loading is very slow. Any help you be great! Thanks

OTL logfile created on: 2013/03/29 10:52:48 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = d:\data\rainmaker\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy/MM/dd

1.49 Gb Total Physical Memory | 0.78 Gb Available Physical Memory | 52.56% Memory free
4.13 Gb Paging File | 3.56 Gb Available in Paging File | 86.32% Paging File free
Paging file location(s): C:\pagefile.sys 2850 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 60.45 Gb Total Space | 32.99 Gb Free Space | 54.57% Space Free | Partition Type: NTFS
Drive D: | 32.70 Gb Total Space | 7.62 Gb Free Space | 23.30% Space Free | Partition Type: NTFS

Computer Name: 3YFK943Z | User Name: rainmaker | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/03/29 10:52:25 | 000,602,112 | ---- | M] (OldTimer Tools) -- d:\data\rainmaker\Desktop\OTL.exe
PRC - [2013/01/24 04:06:40 | 011,184,480 | ---- | M] (SugarSync, Inc.) -- C:\Program Files\SugarSync\SugarSyncManager.exe
PRC - [2012/02/22 09:05:02 | 000,650,104 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\BitTorrent.exe
PRC - [2009/06/08 15:11:50 | 005,110,568 | ---- | M] (Apple Inc.) -- C:\Program Files\Safari\Safari.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/12/14 15:06:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
PRC - [2007/12/14 15:06:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
PRC - [2007/12/14 15:06:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
PRC - [2007/12/14 15:06:00 | 000,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Network Associates\Common Framework\Mctray.exe
PRC - [2007/10/16 20:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2007/10/16 20:50:00 | 000,111,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2007/10/16 20:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2007/07/25 17:16:42 | 000,073,728 | ---- | M] (DameWare Development) -- C:\WINNT\system32\DWRCST.EXE
PRC - [2007/07/25 17:16:30 | 000,222,720 | ---- | M] (DameWare Development LLC) -- C:\WINNT\system32\DWRCS.EXE
PRC - [2006/11/29 17:47:28 | 000,126,976 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
PRC - [2006/11/29 17:47:28 | 000,086,016 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
PRC - [2006/02/01 16:10:32 | 000,086,016 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [2006/02/01 16:09:46 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2005/10/06 23:18:26 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2005/09/15 14:57:42 | 000,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2005/09/06 16:51:08 | 000,053,248 | ---- | M] (Alexandria Software Consulting) -- c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
PRC - [2005/09/06 16:50:50 | 000,045,056 | ---- | M] (Nortel Networks) -- C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
PRC - [2005/04/27 09:53:08 | 000,090,112 | ---- | M] (IBM Corp.) -- C:\IBMTOOLS\utils\ibmprc.exe
PRC - [2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/22 20:49:56 | 000,921,600 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
MOD - [2009/07/17 23:21:00 | 003,883,424 | ---- | M] () -- C:\WINNT\system32\Macromed\Flash\NPSWF32.dll
MOD - [2009/06/08 15:11:32 | 000,114,688 | ---- | M] () -- C:\Program Files\Safari\objc.dll
MOD - [2009/06/08 15:01:16 | 000,062,464 | ---- | M] () -- C:\Program Files\Safari\zlib1.dll
MOD - [2009/06/08 15:01:14 | 001,234,944 | ---- | M] () -- C:\Program Files\Safari\libxml2.dll
MOD - [2009/06/08 15:01:14 | 000,319,488 | ---- | M] () -- C:\Program Files\Safari\libtidy.dll
MOD - [2008/06/20 13:41:10 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 13:41:10 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2007/12/14 15:06:00 | 000,156,992 | ---- | M] () -- C:\Program Files\Network Associates\Common Framework\naisign2.dll
MOD - [2007/12/14 15:06:00 | 000,120,128 | ---- | M] () -- C:\Program Files\Network Associates\Common Framework\naXML2_71.dll
MOD - [2006/11/30 08:50:00 | 000,149,080 | ---- | M] () -- C:\Program Files\McAfee\VirusScan Enterprise\VsEvntUI.DLL
MOD - [2006/11/06 14:00:58 | 000,651,264 | ---- | M] () -- C:\Program Files\iPass\iPassConnect\libeay32.dll
MOD - [2006/02/01 16:09:46 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
MOD - [2006/02/01 16:09:42 | 000,024,576 | ---- | M] () -- C:\WINNT\system32\tphklock.dll
MOD - [2005/12/07 02:12:00 | 000,073,728 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2005/12/07 02:12:00 | 000,036,864 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2005/10/06 23:18:26 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
MOD - [2005/09/06 16:50:50 | 000,077,824 | ---- | M] () -- C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIcon.DLL
MOD - [2005/04/27 09:53:10 | 000,045,056 | ---- | M] () -- C:\WINNT\system32\pwdmon.dll
MOD - [2003/02/20 16:42:34 | 001,159,289 | R--- | M] () -- c:\Program Files\Nortel Networks\TunnelGuard\jre\bin\client\jvm.dll
MOD - [2003/02/20 16:42:34 | 000,102,511 | R--- | M] () -- c:\Program Files\Nortel Networks\TunnelGuard\jre\bin\java.dll
MOD - [2003/02/20 16:42:34 | 000,057,451 | R--- | M] () -- C:\Program Files\Nortel Networks\TunnelGuard\jre\bin\net.dll
MOD - [2003/02/20 16:42:34 | 000,057,449 | R--- | M] () -- c:\Program Files\Nortel Networks\TunnelGuard\jre\bin\verify.dll
MOD - [2003/02/20 16:42:34 | 000,053,360 | R--- | M] () -- c:\Program Files\Nortel Networks\TunnelGuard\jre\bin\zip.dll
MOD - [2003/02/20 16:42:32 | 000,028,787 | R--- | M] () -- c:\Program Files\Nortel Networks\TunnelGuard\jre\bin\hpi.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINNT\system32\PsaSrv.exe -- (PsaSrv)
SRV - [2012/12/15 17:59:38 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/04/14 14:35:05 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINNT\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/12/14 15:06:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/10/16 20:50:00 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2007/10/16 20:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2007/07/25 17:16:30 | 000,222,720 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\WINNT\system32\DWRCS.EXE -- (DWMRCS)
SRV - [2007/04/25 19:28:25 | 000,036,864 | ---- | M] ( ) [Auto | Stopped] -- C:\RBFG\YKJ\RegsetService.exe -- (CCUREGSET)
SRV - [2006/11/30 18:09:32 | 001,310,720 | ---- | M] (iPass, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2006/11/29 17:47:28 | 000,126,976 | ---- | M] (iPass, Inc.) [On_Demand | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe -- (iPassPeriodicUpdateApp)
SRV - [2006/11/29 17:47:28 | 000,086,016 | ---- | M] (iPass, Inc.) [Auto | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe -- (iPassPeriodicUpdateService)
SRV - [2006/07/25 14:23:30 | 002,635,480 | ---- | M] (Sygate Technologies, Inc.) [Disabled | Stopped] -- c:\Program Files\Sygate\SSA\Smc.exe -- (SmcService)
SRV - [2006/07/25 14:14:52 | 000,323,658 | ---- | M] (Sygate Technologies, Inc.) [On_Demand | Stopped] -- c:\Program Files\Sygate\SSA\Maga\Maga.exe -- (magaService)
SRV - [2006/05/09 17:37:50 | 000,835,584 | ---- | M] (Nortel Networks NA, Inc.) [On_Demand | Stopped] -- C:\Program Files\Nexxia\Extranet_serv.exe -- (ExtranetAccess)
SRV - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINNT\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2005/10/06 23:18:26 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2005/09/06 16:51:08 | 000,053,248 | ---- | M] (Alexandria Software Consulting) [Auto | Running] -- c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe -- (tunnelguardservice)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2009/04/25 19:16:14 | 000,021,419 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\iPassP.sys -- (iPassP)
DRV - [2007/10/16 20:50:00 | 000,171,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2007/10/16 20:50:00 | 000,072,680 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2007/10/16 20:50:00 | 000,064,168 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2007/10/16 20:50:00 | 000,051,944 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2007/10/16 20:50:00 | 000,033,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2007/10/16 20:50:00 | 000,031,784 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2007/08/09 17:33:14 | 000,013,360 | ---- | M] (Lenovo Group Limited) [Kernel | On_Demand | Stopped] -- c:\DRIVERS\T60\BIOS\tpflhlp.sys -- (tpflhlp)
DRV - [2007/03/20 16:58:30 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\psadd.sys -- (psadd)
DRV - [2007/03/20 08:01:07 | 000,099,328 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\symmpi.sys -- (Symmpi)
DRV - [2007/02/15 08:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINNT\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 08:00:00 | 000,002,944 | ---- | M] (DameWare Development, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/07/25 14:24:26 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\wg6n.sys -- (wg6n)
DRV - [2006/07/25 14:24:24 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\wg5n.sys -- (wg5n)
DRV - [2006/07/25 14:24:20 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\wg4n.sys -- (wg4n)
DRV - [2006/07/25 14:24:16 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\wg3n.sys -- (wg3n)
DRV - [2006/07/25 13:59:48 | 000,021,075 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2006/07/25 13:57:10 | 000,061,008 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\Teefer.sys -- (Teefer)
DRV - [2006/05/09 17:47:10 | 000,024,521 | ---- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\eacfilt.sys -- (Eacfilt)
DRV - [2006/05/09 17:46:42 | 000,155,216 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ipsecw2k.sys -- (IPSECSHM)
DRV - [2006/05/09 17:46:42 | 000,155,216 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ipsecw2k.sys -- (IPSECEXT)
DRV - [2006/02/09 03:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2005/12/07 02:12:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2005/12/05 18:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\w39n51.sys -- (w39n51)
DRV - [2005/11/30 02:51:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINNT\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/11/30 02:51:00 | 000,009,343 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/04/27 10:27:34 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2005/04/27 09:15:50 | 000,006,912 | ---- | M] (IBM Corp.) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\ANCSQ.sys -- (ANCSQ)
DRV - [2004/12/15 12:04:14 | 000,069,810 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\FLMckUSB.sys -- (FLMCKUSB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2790392
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledAddons: %7B635abd67-4fe9-1b23-4f01-e679fa7484c1%7D:2.5.1.20121012015120
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - prefs.js..extensions.enabledItems: {88c7f2aa-f93f-432c-8f0e-b7d85967a527}:3.5.0.12
FF - prefs.js..keyword.URL: "http://search.babylo...44553544200&q="

FF - user.js..browser.startup.homepage: "about:blank"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINNT\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: d:\data\rainmaker\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: d:\data\rainmaker\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: d:\data\rainmaker\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/15 17:59:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/15 17:59:28 | 000,000,000 | ---D | M]

[2011/09/03 12:58:15 | 000,000,000 | ---D | M] (No name found) -- d:\data\rainmaker\Application Data\Mozilla\Extensions
[2012/12/15 17:50:13 | 000,000,000 | ---D | M] (No name found) -- d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0gqxbqod.default\extensions
[2012/12/15 17:45:07 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0gqxbqod.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/12/15 17:50:13 | 002,151,598 | ---- | M] () (No name found) -- d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0gqxbqod.default\extensions\[email protected]
[2012/12/15 17:59:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/15 17:59:39 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/07/01 16:08:31 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012/11/20 02:17:14 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/11/20 02:17:14 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = D:\data\rainmaker\Local Settings\Application Data\Google\Chrome\Application\26.0.1410.43\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = D:\data\rainmaker\Local Settings\Application Data\Google\Chrome\Application\26.0.1410.43\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = D:\data\rainmaker\Local Settings\Application Data\Google\Chrome\Application\26.0.1410.43\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINNT\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
CHR - plugin: Google Update (Enabled) = d:\data\rainmaker\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: BrowserPlus (from Yahoo!) v2.9.8 (Enabled) = d:\data\rainmaker\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
CHR - Extension: BitTorrentBar = d:\data\rainmaker\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mhfdcmehmjcclgopdodkjdicohagipid\2.3.18.20_0\
CHR - Extension: Bcool = d:\data\rainmaker\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mpahijmpmegaoanabgdaibplimibaieb\1.0_0\

O1 HOSTS File: ([2002/08/29 08:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [00winnt] c:\RBFG\6f\6f20\SETBACK.EXE ()
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [IBMPRC] C:\IBMTOOLS\utils\ibmprc.exe (IBM Corp.)
O4 - HKLM..\Run: [ieiconfix] C:\RBFG\6N\6N80\\FIXINTERNETICON.EXE ()
O4 - HKLM..\Run: [iscontract] c:\RBFG\6f\6f20\iscontract.exe ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [O2K3Icon] C:\RBFG\6N\6N01\outlook.reg ()
O4 - HKLM..\Run: [O2k3Run] C:\RBFG\6N\6N01\O2K3RUN.EXE ()
O4 - HKLM..\Run: [Otlk2K3Run] C:\Program Files\Microsoft Office\outlW2K3.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SmcService] c:\Program Files\Sygate\SSA\Smc.exe (Sygate Technologies, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [BitTorrent] C:\Program Files\BitTorrent\BitTorrent.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SugarSync] C:\Program Files\SugarSync\SugarSyncManager.exe (SugarSync, Inc.)
O4 - HKCU..\Run: [Zakideon] d:\data\rainmaker\Application Data\Kadiy\ydfof.exe (Microsoft Corporation)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINNT\System32\macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\TunnelGuard Tray Monitor.lnk = C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE (Nortel Networks)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonType = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Intellimenus = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 1
O8 - Extra context menu item: Sothink Flash Downloader For IE - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe File not found
O9 - Extra Button: Sothink Flash Downloader For IE - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sothink Flash Downloader For IE - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found
O15 - HKLM\..Trusted Domains: catokvs101 ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([*.oak.fg] * in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([mis.fg] https in Trusted sites)
O15 - HKLM\..Trusted Domains: rbc.com ([pmtprojectserver.fg] http in Trusted sites)
O15 - HKLM\..Trusted Domains: rbccm.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: rbccm.com ([crm] * in Local intranet)
O15 - HKLM\..Trusted Domains: royalbank.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: rbc.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: royalbank.com ([]* in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oak.fg.rbc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F7CDD4B1-2448-4BD0-9C0C-A8E2B9BEF111}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINNT\system32\userinit.exe) - C:\WINNT\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - (notifyf2.dll) - C:\WINNT\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - (tphklock.dll) - C:\WINNT\System32\tphklock.dll ()
O24 - Desktop BackupWallPaper: C:\WINNT\RBCVGA.BMP
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/18 12:01:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{e2ebe220-ab18-11e1-b513-444553544200}\Shell - "" = AutoRun
O33 - MountPoints2\{e2ebe220-ab18-11e1-b513-444553544200}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e2ebe220-ab18-11e1-b513-444553544200}\Shell\AutoRun\command - "" = F:\IronKey.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/03/29 10:52:24 | 000,602,112 | ---- | C] (OldTimer Tools) -- d:\data\rainmaker\Desktop\OTL.exe
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/03/29 10:52:25 | 000,602,112 | ---- | M] (OldTimer Tools) -- d:\data\rainmaker\Desktop\OTL.exe
[2013/03/29 10:49:59 | 000,002,101 | ---- | M] () -- d:\data\rainmaker\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2013/03/29 10:47:15 | 000,000,826 | ---- | M] () -- C:\WINNT\tasks\Adobe Flash Player Updater.job
[2013/03/29 10:45:10 | 000,000,958 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskUserS-1-5-21-3510421623-2965073675-2411060337-1012UA.job
[2013/03/29 10:44:00 | 000,000,906 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskUserS-1-5-21-3510421623-2965073675-2411060337-1012Core.job
[2013/03/29 10:43:16 | 000,000,316 | ---- | M] () -- C:\WINNT\tasks\PMTask.job
[2013/03/29 10:41:40 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2013/03/29 10:36:41 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/23 21:50:00 | 000,000,189 | ---- | C] () -- d:\data\rainmaker\PKI_INST.BAT
[2012/07/12 20:58:49 | 000,558,133 | ---- | C] () -- C:\WINNT\System32\sqlite3.dll
[2011/09/04 15:50:00 | 000,047,616 | ---- | C] () -- d:\data\rainmaker\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/03 12:52:54 | 000,000,118 | ---- | C] () -- d:\data\rainmaker\Local Settings\Application Data\fusioncache.dat
[2010/01/15 22:16:55 | 000,006,954 | RHS- | C] () -- d:\data\All Users\ntuser.pol
[2008/11/05 12:15:54 | 000,934,608 | ---- | C] () -- d:\data\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

========== ZeroAccess Check ==========

[2012/12/26 18:03:32 | 000,002,048 | -HS- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\@
[2012/12/26 18:03:32 | 000,028,672 | -HS- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\n
[2012/12/27 09:22:38 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\L
[2013/03/29 10:38:08 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U
[2013/03/29 10:42:18 | 000,000,804 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\L\[email protected]
[2012/12/26 18:03:33 | 000,002,048 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U\[email protected]
[2013/03/29 10:38:08 | 000,001,024 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U\[email protected]
[2012/12/26 18:03:33 | 000,001,632 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U\[email protected]
[2012/12/26 18:03:34 | 000,011,776 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U\[email protected]
[2013/03/29 10:38:08 | 000,089,600 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U\[email protected]
[2007/03/20 16:47:16 | 000,000,227 | RHS- | M] () -- C:\WINNT\assembly\Desktop.ini
[2013/03/29 10:42:17 | 000,005,120 | -HS- | M] () -- C:\WINNT\assembly\GAC\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = C:\RECYCLER\S-1-5-21-3510421623-2965073675-2411060337-1012\$4e59006ce7b09117c6e2fad5954c1ab3\n. -- File not found

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/12/22 01:35:10 | 001,509,888 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\n. -- [2012/12/26 18:03:32 | 000,028,672 | -HS- | M] ()
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINNT\system32\wbem\wbemess.dll -- [2004/08/04 00:56:48 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/07/01 16:08:26 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\Babylon
[2012/07/03 08:26:57 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\Bcool
[2008/07/14 19:57:39 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\Bloomberg
[2012/07/01 16:08:26 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\InstallMate
[2009/04/25 19:16:19 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\iPass
[2010/02/05 16:38:28 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\LiquidTechnologies
[2007/03/20 17:15:11 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\Network Associates
[2012/07/01 16:08:08 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\OptimizerPro
[2012/07/01 16:08:25 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\Premium
[2010/02/05 16:38:09 | 000,000,000 | -H-D | M] -- d:\data\All Users\Application Data\{1E2473C2-7307-4952-8F94-5AFE8309DF4D}
[2009/06/17 14:12:31 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2012/12/26 15:37:03 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\Axro
[2012/07/01 16:08:25 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\Babylon
[2013/03/29 11:03:52 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\BitTorrent
[2012/05/05 12:56:38 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\Dropbox
[2012/12/26 15:37:03 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\Kadiy
[2013/01/12 17:05:54 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\Vaqew
[2011/11/22 10:48:41 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1

========== Purity Check ==========



< End of report >
  • 0

Advertisements


#2
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hello and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to alway follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Please note that I am currently in training as a GeekU Senior. My posts must be reviewed by an instructor, so there may be a slight delay.

I am reviewing your logs and will get back to you soon.
  • 0

#3
jolces

jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Thanks Buddierdl. I appreciate the assistance and will stand by.
  • 0

#4
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi jolces,

Note: You have a backdoor infection.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. There is no way for us to know exactly what the malware has done to your machine to give itself access, nor how it may have damaged critical files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. Many experts in the security community believe that once infected with this type of trojan, the best and safest course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

That being said, I can still help you clean out the malware as best as I can without going that route (though there is no guarantee that it will work right or be totally safe after disinfection), so if you decide that you don't want to do a format and reinstall of Windows, then please follow the instructions below:

Step 1: Run OTL fix.
Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [createrestorepoint]
    
    :OTL
    SRV - [2007/04/25 19:28:25 | 000,036,864 | ---- | M] ( ) [Auto | Stopped] -- C:\RBFG\YKJ\RegsetService.exe -- (CCUREGSET)
    
    IE - HKCU\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
    IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2790392
    
    FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
    FF - prefs.js..extensions.enabledItems: {88c7f2aa-f93f-432c-8f0e-b7d85967a527}:3.5.0.12
    FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=112454&tt=280612_6_&babsrc=KW_ss&mntrId=00da752d000000000000444553544200&q="
    
    [2012/07/01 16:08:31 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    
    O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
    O3 - HKCU\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\prxtbBit1.dll (Conduit Ltd.)
    
    O4 - HKLM..\Run: [00winnt] c:\RBFG\6f\6f20\SETBACK.EXE ()
    O4 - HKLM..\Run: [ieiconfix] C:\RBFG\6N\6N80\\FIXINTERNETICON.EXE ()
    O4 - HKLM..\Run: [iscontract] c:\RBFG\6f\6f20\iscontract.exe ()
    O4 - HKLM..\Run: [O2K3Icon] C:\RBFG\6N\6N01\outlook.reg ()
    O4 - HKLM..\Run: [O2k3Run] C:\RBFG\6N\6N01\O2K3RUN.EXE ()
    O4 - HKLM..\Run: [Otlk2K3Run] C:\Program Files\Microsoft Office\outlW2K3.exe ()
    O4 - HKCU..\Run: [Zakideon] d:\data\rainmaker\Application Data\Kadiy\ydfof.exe (Microsoft Corporation)
    
    O15 - HKLM\..Trusted Domains: catokvs101 ([]* in Local intranet)
    
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F64C164
    
    :Files
    C:\RECYCLER\S-1-5-18
    [2013/03/29 10:42:17 | 000,005,120 | -HS- | M] () -- C:\WINNT\assembly\GAC\Desktop.ini
    c:\RBFG
    
    :Reg
    [-HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll
    
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply.

Step 2: Run RogueKiller.

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

Posted Image

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

Posted Image

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
Posted Image
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Step 3: Run adwCleaner.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

Posted Image

Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please attach that

Things I need in your next reply:
  • OTL fix log
  • RogueKiller logs
  • adwCleaner log
  • How is your computer running now? Any more redirects?

  • 0

#5
jolces

jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Hello. I was able to run the OTL with the fix script. Log below. I downloaded Rougekiller and it opens with no other apps open. After it starts up and starts processing, I get a blue screen error stating a physical memory dump and need to reboot. Please advise.

========== COMMANDS ==========
System Restore Service not available.
========== OTL ==========
Service CCUREGSET stopped successfully!
Service CCUREGSET deleted successfully!
C:\RBFG\YKJ\RegsetService.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\ deleted successfully.
C:\Program Files\BitTorrentBar\prxtbBit1.dll moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
Prefs.js: "Search the web (Babylon)" removed from browser.search.selectedEngine
Prefs.js: {88c7f2aa-f93f-432c-8f0e-b7d85967a527}:3.5.0.12 removed from extensions.enabledItems
Prefs.js: "http://search.babylo...44553544200&q=" removed from keyword.URL
C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\ not found.
File C:\Program Files\BitTorrentBar\prxtbBit1.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\ not found.
File C:\Program Files\BitTorrentBar\prxtbBit1.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{88C7F2AA-F93F-432C-8F0E-B7D85967A527} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88C7F2AA-F93F-432C-8F0E-B7D85967A527}\ not found.
File C:\Program Files\BitTorrentBar\prxtbBit1.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\00winnt deleted successfully.
c:\RBFG\6f\6f20\SETBACK.EXE moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ieiconfix deleted successfully.
File move failed. C:\RBFG\6N\6N80\\FIXINTERNETICON.EXE scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\iscontract deleted successfully.
c:\RBFG\6f\6f20\iscontract.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\O2K3Icon deleted successfully.
C:\RBFG\6N\6N01\outlook.reg moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\O2k3Run deleted successfully.
C:\RBFG\6N\6N01\O2K3RUN.EXE moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Otlk2K3Run deleted successfully.
C:\Program Files\Microsoft Office\OutlW2k3.EXE moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Zakideon deleted successfully.
d:\data\rainmaker\Application Data\Kadiy\ydfof.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\catokvs101\ deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5F64C164 .
========== FILES ==========
C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U folder moved successfully.
C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\L folder moved successfully.
Folder move failed. C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3 scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-18 scheduled to be moved on reboot.
Invalid Switch: 29 10:42:17 | 000,005,120 | -HS- | M] () -- C:\WINNT\assembly\GAC\Desktop.ini
c:\RBFG\YLM7\QuickStartTest folder moved successfully.
c:\RBFG\YLM7 folder moved successfully.
c:\RBFG\YLM2\QuickStartTest folder moved successfully.
c:\RBFG\YLM2 folder moved successfully.
c:\RBFG\YKJ folder moved successfully.
c:\RBFG\YES\Sylink folder moved successfully.
c:\RBFG\YES\Serdef folder moved successfully.
c:\RBFG\YES folder moved successfully.
c:\RBFG\NK\VirusScan85i\MASE folder moved successfully.
c:\RBFG\NK\VirusScan85i\Hotfixes folder moved successfully.
c:\RBFG\NK\VirusScan85i folder moved successfully.
c:\RBFG\NK\Updates folder moved successfully.
c:\RBFG\NK\CMA folder moved successfully.
c:\RBFG\NK folder moved successfully.
c:\RBFG\Log\YLM7 folder moved successfully.
c:\RBFG\Log\PR folder moved successfully.
Folder move failed. c:\RBFG\Log\nk scheduled to be moved on reboot.
c:\RBFG\Log\FRAMEWORK folder moved successfully.
c:\RBFG\Log\6N folder moved successfully.
Folder move failed. c:\RBFG\Log scheduled to be moved on reboot.
c:\RBFG\KC42 folder moved successfully.
c:\RBFG\HKCU folder moved successfully.
c:\RBFG\6N\6N95 folder moved successfully.
c:\RBFG\6N\6n81\BRANDING\RBC\VPN folder moved successfully.
c:\RBFG\6N\6n81\BRANDING\RBC folder moved successfully.
c:\RBFG\6N\6n81\BRANDING\LIBERTY\VPN folder moved successfully.
c:\RBFG\6N\6n81\BRANDING\LIBERTY folder moved successfully.
c:\RBFG\6N\6n81\BRANDING\CENTURA\VPN folder moved successfully.
c:\RBFG\6N\6n81\BRANDING\CENTURA folder moved successfully.
c:\RBFG\6N\6n81\BRANDING folder moved successfully.
c:\RBFG\6N\6n81 folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\RBC\VPN folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\RBC folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\LIBERTY\VPN folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\LIBERTY folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\CENTURA\VPN folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\CENTURA folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\CAPITAL MARKET\VPN folder moved successfully.
c:\RBFG\6N\6N80\BRANDING\CAPITAL MARKET folder moved successfully.
c:\RBFG\6N\6N80\BRANDING folder moved successfully.
c:\RBFG\6N\6N80 folder moved successfully.
c:\RBFG\6N\6N01 folder moved successfully.
c:\RBFG\6N folder moved successfully.
c:\RBFG\6f\6fgl folder moved successfully.
c:\RBFG\6f\6f20\COE Info folder moved successfully.
c:\RBFG\6f\6f20\BOB folder moved successfully.
c:\RBFG\6f\6f20 folder moved successfully.
c:\RBFG\6f folder moved successfully.
c:\RBFG\5D folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\_MSI\WINDOWS\PROFILES folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\_MSI\WINDOWS folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\_MSI\PROGRAM FILES\NEXXIA folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\_MSI\PROGRAM FILES folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\_MSI folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\WINDOWS\SYSTEM32\DRIVERS folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\WINDOWS\SYSTEM32 folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\WINDOWS\PROFILES\ALL USERS\START MENU folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\WINDOWS\PROFILES\ALL USERS folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\WINDOWS\PROFILES folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\WINDOWS\INF folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\WINDOWS folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\VPN CLIENT folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\PROGRAM FILES\NEXXIA folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\PROGRAM FILES\IPASS\IPASSCONNECT REMOTE ACCESS DIALER\MONERIS folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\PROGRAM FILES\IPASS\IPASSCONNECT REMOTE ACCESS DIALER\LOG folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\PROGRAM FILES\IPASS\IPASSCONNECT REMOTE ACCESS DIALER folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\PROGRAM FILES\IPASS folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\PROGRAM FILES folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\NEXXIA folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\DIAL\passutil folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP\DIAL folder moved successfully.
c:\RBFG\4c\4c06\DESKTOP folder moved successfully.
c:\RBFG\4c\4c06 folder moved successfully.
c:\RBFG\4c folder moved successfully.
Folder move failed. c:\RBFG scheduled to be moved on reboot.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32\\"" | C:\WINDOWS\system32\wbem\fastprox.dll /E :invalid edit format. Invalid data type.

OTL by OldTimer - Version 3.2.69.0 log created on 03292013_211858

Files\Folders moved on Reboot...
File\Folder C:\RBFG\6N\6N80\\FIXINTERNETICON.EXE not found!
C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U folder moved successfully.
Folder move failed. C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3 scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\U scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3 scheduled to be moved on reboot.
Folder move failed. C:\RECYCLER\S-1-5-18 scheduled to be moved on reboot.
Folder move failed. c:\RBFG\Log\nk scheduled to be moved on reboot.
Folder move failed. c:\RBFG\Log\nk scheduled to be moved on reboot.
Folder move failed. c:\RBFG\Log scheduled to be moved on reboot.
Folder move failed. c:\RBFG\Log\nk scheduled to be moved on reboot.
Folder move failed. c:\RBFG\Log scheduled to be moved on reboot.
Folder move failed. c:\RBFG scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#6
jolces

jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
I was able to run the Adwcleaner with no issues. Issue is just with the Rougekiller. Below is the Adwcleaner log file.

# AdwCleaner v2.115 - Logfile created 03/30/2013 at 20:48:29
# Updated 17/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : rainmaker - 3YFK943Z
# Boot Mode : Normal
# Running from : D:\data\rainmaker\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : d:\data\rainmaker\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mhfdcmehmjcclgopdodkjdicohagipid
File Deleted : C:\WINNT\system32\conduitEngine.tmp
File Deleted : d:\data\rainmaker\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_apps.conduit.com_0.localstorage
File Deleted : d:\data\rainmaker\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_apps.conduit.com_0.localstorage-journal
Folder Deleted : C:\Program Files\BitTorrentBar
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : d:\data\Admin\Local Settings\Application Data\BitTorrentBar
Folder Deleted : d:\data\Admin\Local Settings\Application Data\Conduit
Folder Deleted : d:\data\Admin\Local Settings\Application Data\ConduitEngine
Folder Deleted : d:\data\All Users\Application Data\Babylon
Folder Deleted : d:\data\All Users\Application Data\InstallMate
Folder Deleted : d:\data\All Users\Application Data\Premium
Folder Deleted : d:\data\RAINMA~1\LOCALS~1\Temp\BabylonToolbar
Folder Deleted : d:\data\rainmaker\Application Data\Babylon
Folder Deleted : d:\data\rainmaker\Local Settings\Application Data\BitTorrentBar
Folder Deleted : d:\data\rainmaker\Local Settings\Application Data\Conduit
Folder Deleted : d:\data\rainmaker\Local Settings\Application Data\ConduitEngine

***** [Registry] *****

Key Deleted : HKCU\Software\BitTorrentBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\conduitEngine
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{88C7F2AA-F93F-432C-8F0E-B7D85967A527}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BitTorrentBar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32804100-B238-45F4-B15E-C5A2F2F7400B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A76CAD0E-7EAC-4E59-AE24-6FB67E274C86}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2790392
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mhfdcmehmjcclgopdodkjdicohagipid
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0288AF93-6C03-4FE4-A83C-BCFFCFC335C5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E4E8837-BCA3-48D6-8D86-227CC5A2F9D4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BitTorrentBar Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{32804100-B238-45F4-B15E-C5A2F2F7400B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrentBar Toolbar
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.2180

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0gqxbqod.default\prefs.js

d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0gqxbqod.default\user.js ... Deleted !

Deleted : user_pref("CT2790392.DialogsGetterLastCheckTime", "Sat Dec 15 2012 16:44:36 GMT-0500 (Eastern Standa[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13[...]
Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Deleted : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=112454&tt=280612_6_&babsrc=NT_ss&m[...]
Deleted : user_pref("extensions.4ff0ac46aaa99.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar.babTrack", "affID=112454&tt=280612_6_");
Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 15);
Deleted : user_pref("extensions.BabylonToolbar.dfltSrch", false);
Deleted : user_pref("extensions.BabylonToolbar.hmpg", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "00da752d000000000000444553544200");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15522");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.lastDP", 15);
Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.1716:08:36");
Deleted : user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "12.0");
Deleted : user_pref("extensions.BabylonToolbar.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar.newTabUrl", "hxxp://search.babylon.com/?babsrc=NT_bb");
Deleted : user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.propectorlck", 94167867);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 1);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 1);
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.ptch_0717", true);
Deleted : user_pref("extensions.BabylonToolbar.smplGrp", "azb");
Deleted : user_pref("extensions.BabylonToolbar.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.1716:08:36");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=112454&tt=280612_6_");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "00da752d000000000000444553544200");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "00da752d000000000000444553544200");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15522");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=112454&tt=28061[...]
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1716:08:36");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");

File : d:\data\Admin\Application Data\Mozilla\Firefox\Profiles\ilojflhm.default\prefs.js

d:\data\Admin\Application Data\Mozilla\Firefox\Profiles\ilojflhm.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v26.0.1410.43

File : d:\data\rainmaker\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [9612 octets] - [30/03/2013 20:48:29]

########## EOF - d:\AdwCleaner[S1].txt - [9672 octets] ##########
  • 0

#7
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi jolces,


Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#8
jolces

jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Ok, I ran the Combofix per above. While running it, I kept getting a pop-up looking for a missing file "NIRKMD". Not sure what this was.

Here is the log from Combofix. Browsers seem more responsive and no more redirecting.

ComboFix 13-04-02.01 - rainmaker 2013/04/02 16:40:11.1.2 - x86
Running from: d:\data\rainmaker\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\recycler\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\@
c:\recycler\S-1-5-18\$4e59006ce7b09117c6e2fad5954c1ab3\n
c:\winnt\assembly\GAC\Desktop.ini
c:\winnt\system32\pwdmon.dll
c:\winnt\system32\TPAPSLOG.LOG
c:\winnt\system32\TPHDLOG0.LOG
c:\winnt\system32\URTTemp
c:\winnt\system32\URTTemp\fusion.dll
c:\winnt\system32\URTTemp\mscoree.dll
c:\winnt\system32\URTTemp\mscoree.dll.local
c:\winnt\system32\URTTemp\mscorsn.dll
c:\winnt\system32\URTTemp\mscorwks.dll
c:\winnt\system32\URTTemp\msvcr71.dll
c:\winnt\system32\URTTemp\regtlib.exe
d:\data\All Users\Application Data\Bcool
d:\data\All Users\Application Data\Bcool\background.html
d:\data\All Users\Application Data\Bcool\bhoclass.dll
d:\data\All Users\Application Data\Bcool\content.js
d:\data\All Users\Application Data\Bcool\mpahijmpmegaoanabgdaibplimibaieb.crx
d:\data\All Users\Application Data\Bcool\settings.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-03-02 to 2013-04-02 )))))))))))))))))))))))))))))))
.
.
2013-04-02 01:13 . 2013-04-02 01:13 -------- d-sh--w- d:\data\NetworkService\IETldCache
2013-04-02 01:06 . 2013-04-02 01:06 -------- d-----w- d:\data\NetworkService\Local Settings\Application Data\PCHealth
2013-04-02 01:05 . 2013-04-02 01:06 -------- dc-h--w- c:\winnt\ie8
2013-03-31 00:35 . 2013-03-31 00:38 15616 ----a-w- c:\winnt\system32\drivers\TrueSight.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-31 02:23 . 2013-03-31 02:23 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2009-02-06 19:03 73728 ----a-w- c:\winnt\system32\VirtualExpander\VEShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2012-02-22 650104]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-02-23 6591800]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2013-01-24 11184480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-12-14 136512]
"igfxtray"="c:\winnt\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\winnt\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\winnt\system32\igfxpers.exe" [2006-09-15 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-02-01 94208]
"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2006-07-25 2635480]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-17 111952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]
.
d:\data\All Users\Start Menu\Programs\Startup\
TunnelGuard Tray Monitor.lnk - c:\program files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE [2005-9-6 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-02-01 20:09 28672 ------w- c:\winnt\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-01 20:09 24576 ------w- c:\winnt\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1364589140-839522115-118464\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1364589140-839522115-49618\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1364589140-839522115-61785\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1364589140-839522115-98606\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
R3 ExtranetAccess;Contivity VPN Service;c:\program files\Nexxia\Extranet_serv.exe [x]
R3 FLMCKUSB;Bloomberg Secure Access Technology Driver (BSI100);c:\winnt\system32\Drivers\FLMckUSB.sys [x]
R3 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\DRIVERS\ipsecw2k.sys [x]
R3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe [x]
R3 tpflhlp;tpflhlp;c:\drivers\t60\bios\tpflhlp.sys [x]
S0 ANCSQ;ANCSQ;c:\winnt\System32\drivers\ANCSQ.sys [x]
S1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\winnt\system32\DRIVERS\dwvkbd.sys [x]
S3 DwMirror;DwMirror;c:\winnt\system32\DRIVERS\DamewareMini.sys [x]
S3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\DRIVERS\eacfilt.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\winnt\system32\advpack.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2009-03-08 08:32 128512 ----a-w- c:\winnt\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-02 c:\winnt\Tasks\Adobe Flash Player Updater.job
- c:\winnt\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 18:35]
.
2013-02-14 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2013-04-02 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-3510421623-2965073675-2411060337-1012Core.job
- d:\data\rainmaker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-03 12:22]
.
2013-04-02 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-3510421623-2965073675-2411060337-1012UA.job
- d:\data\rainmaker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-03 12:22]
.
2013-04-02 c:\winnt\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-09-01 06:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink Flash Downloader For IE - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: rbc.com\mis.fg
Trusted Zone: rbc.com\pmtprojectserver.fg
Trusted Zone: rbccm.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0gqxbqod.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - about:blank
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Zakideon - d:\data\rainmaker\Application Data\Kadiy\ydfof.exe
HKLM_ActiveSetup-6N01 - c:\winnt\regedit
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-02 17:03
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1684)
c:\winnt\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(3592)
c:\winnt\system32\SynTPFcs.dll
c:\program files\SugarSync\SugarSyncShellExt.dll
c:\winnt\system32\VirtualExpander\VEShellExt.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
c:\winnt\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ibmpmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\winnt\system32\DWRCS.EXE
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\winnt\System32\TPHDEXLG.EXE
c:\program files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\winnt\system32\DWRCST.exe
c:\winnt\system32\rundll32.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\winnt\system32\TpShocks.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2013-04-02 17:07:52 - machine was rebooted
ComboFix-quarantined-files.txt 2013-04-02 21:07
.
Pre-Run: 35,149,541,376 bytes free
Post-Run: 35,097,624,576 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C71864C5953EE50EF938137001E831A0
  • 0

#9
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi jolces,

Do you have a subscription for McAfee Enterprise? It looks like a leftover from a corporate environment. If you don't have a subscription, I would recommend that we remove it and install a free antivirus, because it seems to be not quite installed correctly. Let me know.

Things are starting to look better. Let's do a little more cleanup.

Step 1: Run OTL fix.

Please be aware that this fix will delete your temporary files. If the virus has "hidden" any of your files, please do not run the fix, but stop and let me know.

Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [createrestorepoint]
    
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    ""="C:\\WINDOWS\\system32\\wbem\\fastprox.dll"
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply. The log should be saved in C:\_OTL\MovedFiles and should be named with numbers describing the date and time it was run.

Step 2: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the all of the options are checked:

    Posted Image
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step 3: Run SecurityCheck

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 4: Run MBAM.

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 5: Run online scan.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Things I need in your next reply:
  • OTL fix log
  • FSS log
  • SecurityCheck log
  • MBAM log
  • ESET log
  • Any outstanding problems?

  • 0

#10
jolces

jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
That is correct. This machine no longer has an enterprise McAfee agent. Pleasde advise how to remove and replace. In the mean time, I will run the items in your last message. Thanks
  • 0

#11
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Okay. Send me the logs when you finish the tasks. In the meantime, please avoid surfing the internet except to do the online scan until we get an anti-virus installed.
  • 0

#12
Buddierdl

Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP