Need help removing SnapDo/WebSearch. [Closed] [Solved]


#31 Admirgency (Member, Topic Starter, 97 posts)
The browsers in the Administrator account:
IE is the standard browser;
Bing is the standard start page;
Bing is the standard search engine;
Google search.

Firefox: Google Search is the standard start page;
Google search is the standard search engine;
Bing;
Bol.com;
Marktplaats.nl;
Wikipedia (nl).

Google Chrome: Google Applications is the standard start page;
Google.nl is the standard search engine;
Yahoo! Nederland;
Bing;
Ask.com.
#32 Admirgency (Member, Topic Starter, 97 posts)
When opening a page here at the Geeks To Go forum, FF keeps preventing being automatically redirected to another page. This does not happen on all pages. I do not dare give permission to continue; FF->GeeksToGo seems to be working just fine without that permission to redirect. Should I give an OK or not?

Via Favorites I began with the closed thread about our laptop with the illegal Windows Product Key. I noticed the green & double-underlined links to advertisements again. Of course I was not logged in yet. I decided to do some research on where & when I meet these links. At the time I write this I'm already working for 13 hours today. I made screenshots but did not study the topics where they appear yet. The links disappear when I log in and remain invisible on log-out and review. However, when I close Firefox, then re-open and go back to G2G, they are visible again until I log in.

After closing and re-opening, FF has remembered which threads I have viewed previously, but strangely enough my views, logged in or not, do not count towards the number of views shown on the G2G forum for a specific thread. I noticed this before somewhere in the back of my mind but have not paid attention. Now I checked with a new thread with 0 views, which I already did view before closing/re-opening FF. Also after re-opening FF and viewing not logged in and then logged in, it remained on 0 views. That thread is "task scheduler corrupted" by freemie4. Then again, this could be the way your forum works; maybe the total count is updated once per hour or such?

I'll post the screenshots I made, but though I'll be working here and it'll be another long day tomorrow, I won't have time to study the threads for similarities I would be able to find. The one thing I could clearly see now is that the hyperlinks (are they hyperlinks? I also see them in the thread "cfxpy login and double underlink hyperlink" by agsmith), when they appear, they appear in the 1st OTL log of a page. When there are more OTL logs on the same page they don't show in subsequent logs. But when on a next page in the same thread there's one more OTL.txt, the hyperlinks re-appear. Most commonly they're present at the beginning of the OTL.txt, at "Company Name Whitelist" and then in "Processes (Safelist)" at "Microsoft Corporation" or "Mozilla Corporation".
As mentioned, they disappear when logging in, and re-appear when logging out, closing FF and then re-opening FF->GeeksToGo. Maybe Saturday I'll have time to look if they also show in IE and/or Chrome.

The advertisements have no relation to the underlined words, and that is new to me. My own computer and a friend's computer have suffered this before, but then the links gave advertisements in the form of an infomercial related to the linked words. Those were infections and I could easily remove them with an adware scan. In one of these cases the hyperlinks appeared in the middle of seemingly unrelated malware removal (a bit like here with my work comp now), as if it previously was either overruled by (settings of) the removed malware or it was part of a rogue scheme and therefore a further infection instead of removal.


Attached screenshots: 20 june 2013 - 2bI.JPG, 2bII.JPG, 2bIII.JPG, 2bIIII.JPG, 2bV.JPG, 2bVI.JPG, 2bVII.JPG, 2bVIII.JPG, 2bVIIII.JPG, 2bX.JPG

Edited by Admirgency, 20 June 2013 - 02:29 PM.


#33 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello Admirgency

I have been out the last couple of days with my family.

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
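OTL logs like the one requested above are normally read by eye. As an added example (not OTL's code and not from any post in this thread), here is a small Python triage script that parses the line formats OTL uses (IE search scopes and start page, Firefox prefs.js entries, O1 hosts entries, O4 Run keys and file rows) and flags the settings a hijacker such as SnapDo typically changes. The sample log lines, the allowlist of search hosts and the `av-updates.example.com` hosts entry are constructed for this example.

```python
"""Triage helper for OTL-style logs: flags browser-hijack indicators.

Added example for this thread. It only understands the OTL line formats
shown here and reports anything that points away from known search
engines, rewrites a hostname, runs at logon without a company name, or
looks like a leftover hijacker file.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist for this example; extend it for your environment.
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "www.google.nl"}
# Names from the thread title that mark leftover hijacker files.
SUSPECT_MARKERS = ("snap.do", "websearch")

# Constructed sample lines in OTL's own format, modelled on the log in this thread.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKU\S-1-5-21-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://feed.snap.do/
IE - HKU\S-1-5-21-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..browser.search.defaulturl: "http://feed.snap.do/?q="
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 av-updates.example.com
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [jswtrayutil] C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
[2013-05-25 11:38:09 | 000,000,751 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Mei 2013 feed.snap.do.lnk
"""

IE_URL = re.compile(r'^IE - (?P<key>.+?)(?:: "URL"|,Start Page) = (?P<url>\S+)$')
FF_PREF = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): "(?P<val>[^"]*)"$')
HOSTS = re.compile(r'^O1 - Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$')
RUN_KEY = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)$')
FILE_ROW = re.compile(r'^\[[^\]]*\] .*?-- (?P<path>.+)$')


def host_of(url):
    """Lower-cased host part of a URL; empty string if it has none."""
    return (urlparse(url).hostname or "").lower()


def scan_otl(text):
    """Return (category, detail) findings, one per suspicious line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IE_URL.match(line):
            # Search scope URLs and the start page should stay on a known engine.
            url = m.group("url")
            if host_of(url) not in KNOWN_SEARCH_HOSTS:
                findings.append(("ie_url", f"{m.group('key')} -> {url}"))
        elif m := FF_PREF.match(line):
            # Only search-related prefs that carry a URL are of interest here.
            pref, val = m.group("pref"), m.group("val")
            if "search" in pref and val.startswith("http") and host_of(val) not in KNOWN_SEARCH_HOSTS:
                findings.append(("ff_search", f"{pref} = {val}"))
        elif m := HOSTS.match(line):
            # A clean hosts file maps only localhost; anything else rewrites a name.
            if m.group("name").lower() != "localhost":
                findings.append(("hosts", f"{m.group('ip')} {m.group('name')}"))
        elif m := RUN_KEY.match(line):
            # OTL prints the file's company name in parentheses; "()" means none.
            if not m.group("company").strip():
                findings.append(("run_no_company", f"[{m.group('name')}] {m.group('path')}"))
        elif m := FILE_ROW.match(line):
            path = m.group("path")
            if any(marker in path.lower() for marker in SUSPECT_MARKERS):
                findings.append(("leftover_file", path))
    return findings


if __name__ == "__main__":
    for category, detail in scan_otl(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

A `run_no_company` hit is a prompt to check the file, not a verdict: the jswtrayutil entry in this thread's log is a wireless utility with no version information, which is why the script reports it for review rather than as malicious.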

#34 Admirgency (Member, Topic Starter, 97 posts)
Hi Gringo,
I hope you experienced a good time with your family? I wouldn't; we'd be walking on our toes while still crushing bones when we step on each other's toes every 3 to 4 minutes.

Nothing seemed wrong downloading OTL from FF in the Guest account to the shared folder. In the Owner account it wasn't visible anyway.
Back on GeeksToGo via FF in the Owner account, I saw one more hyperlink in my last post from yesterday:
(screenshot: 21 june 2013 - 10aI.JPG)

I downloaded OTL anew and now it remained visible.
Java update: no Ask Toolbar installed;
Updated successfully, but after closing, a warning:
"GetDefaultBrowserError :2"
(screenshot: 21 june 2013 - 20aI.JPG)

I ran the scan and then realized I've been working almost 11 hours today and needed food to complement the Victoria bass I received from a girlfriend. I closed the computer and went shopping. I bought an Italian pasta salad and, while baking the perch in spiced oil from a can of Greek olives, I restarted the comp in the Guest account.
Microsoft Security Essentials turned up red: no real-time protection & not updated. No access to updates or options. The System Tray Security Center message stated there's no firewall, but not that there's no virus protection.
(screenshot: 21 june 2013 - 30aI.JPG)

I went offline & made screenshots, also because the Start Menu was blacked out, only showing items after they were moused over.
(screenshot: 21 june 2013 - 30bI.JPG)

I closed the comp and restarted it after 2 minutes (so left-over energy in the circuits can fade out; 20 sec. needed for Vista and higher, I learned from Discovery Channel). The Owner account showed MS SE had been updated before I went out to shop for food.

Back in the Guest account (closed and restarted), MS SE again showed red. Once more I closed the computer, went to the Owner account, where MS SE is (seems) OK, and then logged off and in to the Guest account, leaving the comp turned on. Now MS SE shows green again and the Start Menu also looks as it should.
The 1st OTL download from today was nowhere to be found in any (sub)folder where I could've misplaced it. I did not look in the OTL.txt among new files yet. The Victoria bass is delicious while writing this in WordPad, still offline.

After the OTL.txt I'll post an edit, for this will be the 1st OTL log on page 3 of my thread, where the hyperlink might show (log-out and closing/restart of Firefox needed for it to become visible).


OTL logfile created on: 21-6-2013 19:04:38 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Eigenaar\Bureaublad
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

759.48 Mb Total Physical Memory | 440.31 Mb Available Physical Memory | 57.97% Memory free
1.81 Gb Paging File | 1.29 Gb Available in Paging File | 71.35% Paging File free
Paging file location(s): C:\pagefile.sys 1140 1140 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 21.72 Gb Free Space | 58.28% Space Free | Partition Type: NTFS

Computer Name: POWERMATE | User Name: Eigenaar | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Eigenaar\Bureaublad\11-21juneOTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Google\Update\1.3.21.145\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE (Microsoft Corporation.)
PRC - C:\Program Files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE (Microsoft Corporation.)
PRC - C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe ( )
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
PRC - C:\Program Files\Wireless\WPS\jswpbapi.exe (Wireless)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\TSST Korea\FW LiveUpdate\LiveUpdate.dat ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\Wireless\WPS\jswscapploc.dll ()
MOD - C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()


========== Services (SafeList) ==========

SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE (Microsoft Corporation.)
SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE (Microsoft Corporation.)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (jswpsapi) -- C:\Program Files\Wireless\WPS\jswpsapi.exe (wireless)
SRV - (jswpbapi) -- C:\Program Files\Wireless\WPS\jswpbapi.exe (Wireless)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\catchme.sys File not found
DRV - (dc3d) -- C:\WINDOWS\system32\drivers\dc3d.sys (Microsoft Corporation)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (JSWSCIMD) -- C:\WINDOWS\system32\drivers\jswscimd.sys (Atheros Communications, Inc.)
DRV - (AR9271) -- C:\WINDOWS\system32\drivers\athuw.sys (Atheros Communications, Inc.)
DRV - (HTCAND32) -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys (HTC, Corporation)
DRV - (STAC97NA) -- C:\WINDOWS\system32\drivers\stac97na.sys (SigmaTel Inc.)
DRV - (STAC97NH) -- C:\WINDOWS\system32\drivers\stac97nh.sys (SigmaTel Inc.)
DRV - (BrPar) -- C:\WINDOWS\system32\drivers\BRPAR.SYS (Brother Industries Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = nl
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 04 48 20 B2 A1 5C CD 01 [binary data]
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..extensions.enabledItems: {EEE6C361-6118-11DC-9C72-001320C79847}:1.5.0.2
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1912
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2013-06-19 23:23:30 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2166.3772\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013-06-04 09:27:33 | 000,000,000 | ---D | M]

[2010-05-11 15:00:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Extensions
[2012-10-30 10:34:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions
[2012-07-08 11:38:38 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2011-04-01 11:10:10 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\searchplugins\bing.xml
[2013-06-04 09:29:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013-06-04 09:29:07 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012-06-28 17:42:00 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2011-12-24 21:58:59 | 000,001,111 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\vandale-nl.xml
[2011-12-24 21:58:59 | 000,001,106 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-nl.xml

========== Chrome ==========


O1 HOSTS File: ([2013-05-25 02:51:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [jswtrayutil] C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Name of App] C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe ( )
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - Startup: C:\Documents and Settings\Eigenaar\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Gast\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1271944706703 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1341578474781 (MUWebControl Class)
O16 - DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.micr...loadManager.cab (Microsoft Download Manager ActiveX control)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.syste...el_4.5.11.0.cab (SysInfo Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3C14C12F-FE35-4086-8935-5AD09B3BDF73}: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F414C247-0F38-435E-8997-36B5A343C769}: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010-04-22 13:42:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (pgdfgsvc C 1)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013-06-21 19:03:04 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\11-21juneOTL.exe
[2013-06-21 18:59:12 | 000,144,896 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013-06-21 18:59:10 | 000,263,592 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013-06-21 18:58:04 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013-06-21 18:58:04 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013-06-21 18:58:04 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013-06-13 08:56:21 | 009,089,416 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerInstaller.exe
[2013-06-08 23:58:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\Malwarebytes' Anti-Malware
[2013-06-08 23:57:45 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013-06-08 23:57:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013-06-08 23:32:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eigenaar\Onlangs geopend
[2013-06-08 23:17:23 | 004,378,864 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Eigenaar\Bureaublad\8ccsetup402.exe
[2013-06-08 23:15:18 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Eigenaar\Bureaublad\10Hiackhis installer.exe
[2013-06-08 23:15:06 | 010,285,040 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eigenaar\Bureaublad\9monobam-setup-1.75.0.1300.exe
[2013-06-06 19:58:25 | 000,000,000 | ---D | C] -- C:\FRST
[2013-06-06 19:46:37 | 001,357,013 | ---- | C] (Farbar) -- C:\Documents and Settings\Eigenaar\Bureaublad\7bFRST.exe
[2013-06-06 19:39:51 | 001,357,013 | ---- | C] (Farbar) -- C:\Documents and Settings\Eigenaar\Bureaublad\7aFRST.exe
[2013-06-04 09:27:26 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013-05-27 11:46:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\Google Chrome
[2013-05-26 23:21:42 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013-05-26 01:05:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2013-05-25 22:11:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\1 OTL.exe
[2013-05-25 22:11:00 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\5 OTL.exe
[2013-05-25 02:35:06 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013-05-25 02:30:02 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013-05-25 02:30:02 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013-05-25 02:30:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013-05-25 02:30:02 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013-05-25 02:28:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013-05-25 02:28:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013-05-25 02:18:14 | 005,071,432 | R--- | C] (Swearware) -- C:\Documents and Settings\Eigenaar\Bureaublad\ComboFix.exe
[2013-05-24 16:44:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013-05-24 16:43:25 | 000,000,000 | ---D | C] -- C:\JRT
[2013-05-24 16:22:42 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\Eigenaar\Bureaublad\3 JRT.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013-06-21 19:02:40 | 000,000,460 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{19634F2B-6041-4CFB-B933-71C9576E8275}.job
[2013-06-21 18:56:15 | 000,000,940 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013-06-21 18:55:58 | 000,000,386 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013-06-21 18:54:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\11-21juneOTL.exe
[2013-06-21 18:51:15 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013-06-21 18:46:30 | 000,000,479 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini
[2013-06-21 18:46:21 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013-06-21 18:45:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013-06-21 18:33:24 | 000,001,048 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013-06-20 00:33:04 | 000,000,283 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2013-06-19 21:49:35 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Google Chrome.lnk
[2013-06-17 16:06:01 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013-06-13 09:11:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013-06-13 08:58:17 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013-06-13 08:58:14 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013-06-13 08:56:35 | 009,089,416 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerInstaller.exe
[2013-06-12 21:48:23 | 000,867,240 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2013-06-12 21:48:17 | 000,789,416 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2013-06-12 21:48:00 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013-06-12 21:43:48 | 000,263,592 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013-06-12 21:43:44 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013-06-12 21:43:25 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013-06-12 21:35:55 | 000,144,896 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013-06-08 23:54:38 | 000,168,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013-06-08 23:17:44 | 004,378,864 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Eigenaar\Bureaublad\8ccsetup402.exe
[2013-06-08 23:10:25 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eigenaar\Bureaublad\9monobam-setup-1.75.0.1300.exe
[2013-06-08 23:07:46 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Eigenaar\Bureaublad\10Hiackhis installer.exe
[2013-06-06 19:47:09 | 001,357,013 | ---- | M] (Farbar) -- C:\Documents and Settings\Eigenaar\Bureaublad\7bFRST.exe
[2013-06-06 19:40:14 | 001,357,013 | ---- | M] (Farbar) -- C:\Documents and Settings\Eigenaar\Bureaublad\7aFRST.exe
[2013-05-27 17:48:10 | 000,001,838 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013-05-25 21:56:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\5 OTL.exe
[2013-05-25 11:41:23 | 005,071,432 | R--- | M] (Swearware) -- C:\Documents and Settings\Eigenaar\Bureaublad\ComboFix.exe
[2013-05-25 11:38:09 | 000,000,751 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Mei 2013 feed.snap.do.lnk
[2013-05-25 11:37:59 | 000,000,593 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar aReebok Maintenance.lnk
[2013-05-25 02:51:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013-05-25 02:35:12 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013-05-24 16:20:41 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Gedeelde documenten.lnk
[2013-05-24 10:07:53 | 000,545,954 | ---- | M] (Oleg N. Scherbakov) -- C:\Documents and Settings\Eigenaar\Bureaublad\3 JRT.exe
[2013-05-24 10:06:20 | 000,632,031 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\2 AdwCleaner.exe
[2013-05-22 23:06:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\1 OTL.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013-06-08 23:54:38 | 000,168,304 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013-05-27 11:46:06 | 000,001,838 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013-05-27 11:46:06 | 000,001,820 | ---- | C] () -- C:\Documents and Settings\All Users\Bureaublad\Google Chrome.lnk
[2013-05-25 11:38:09 | 000,000,751 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Mei 2013 feed.snap.do.lnk
[2013-05-25 11:37:58 | 000,000,593 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar aReebok Maintenance.lnk
[2013-05-25 02:35:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013-05-25 02:35:07 | 000,261,936 | RHS- | C] () -- C:\cmldr
[2013-05-25 02:30:02 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013-05-25 02:30:02 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013-05-25 02:30:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013-05-25 02:30:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013-05-25 02:30:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013-05-24 16:22:42 | 000,632,031 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\2 AdwCleaner.exe
[2013-03-14 11:29:25 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2013-03-14 11:29:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2013-03-14 11:29:23 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2013-03-14 11:29:21 | 000,014,496 | ---- | C] () -- C:\WINDOWS\HL-5240.INI
[2013-03-14 11:28:40 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\bd5240.dat
[2013-03-14 11:27:45 | 000,000,283 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2013-03-13 11:46:36 | 000,000,479 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini
[2012-09-12 15:43:07 | 000,004,706 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012-08-10 15:06:30 | 000,268,519 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\census.cache
[2012-08-10 15:05:52 | 000,180,312 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\ars.cache
[2012-08-10 12:48:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\housecall.guid.cache
[2012-07-07 23:13:52 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\fusioncache.dat
[2012-07-06 14:44:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012-07-05 04:40:25 | 000,294,527 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll
[2011-11-20 20:10:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

========== ZeroAccess Check ==========

[2011-03-24 11:50:20 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008-04-15 02:32:40 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009-02-09 12:56:06 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008-04-15 02:32:46 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
  • 0

#35
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
I found the missing OTL download; I had misplaced it.
4 hyperlinks in the last post: 2 in regular writing and 2 in the new OTL.txt.
21 june 2013 - 40aI.JPG
  • 0

#36
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
In IE and Chrome the hyperlinks are almost the same, but I only looked at my own thread yet. It's been 13 hours of work (well, there's a lot of socializing + necessary coffee & a variety of tea and lemonades and an occasional luxurious lunch involved in my work here); I call it a day.
21 june 2013 - 40bI.JPG
  • 0

#37
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Finally I could read and get a screenshot of "Geekstogo.us.intellitxt.com", as before it was either too quick or I didn't think to check. From pcguide.com I understood it is normal to see when not being logged in and not to see when logged in. However: what I see on my screen does not match the "intelli" part of its name, nor does it match the description of it on Wikipedia, as they are not infomercials specific to the linked words but equal ads for whatever word is linked.
Also the advertisements don't look like the example pictures given on Wikipedia.

Furthermore their domains "intellitxt.com" and "vibrantmedia.com" are deemed downright untrustworthy on all 4 entries by WOT (.DE domains unknown, grey) (FF + Yahoo search). Then it would be highly unlikely that GeeksToGo, or Microsoft (according to Wikipedia), would use these advertisements. It just doesn't add up.

I remember (when my friends' and my own computers were infected with something like this) seeing linked words with infomercials on Microsoft sites when the linking of these words could be removed with an anti-malware scan. When I look at choice.microsoft.com/Privacy/IndustryParticipation, I don't see Intellitxt among the participants. Indeed I did not see likewise linked words on any Microsoft site I visited recently (incl. today, specifically looking for them). Maybe the Wikipedia text is outdated?

I went into FF extensions and Add-ons and found Adblock+ to be disabled in general as well as for G2G specifically; I have done that myself in the recent past (other employees won't learn to use it). I enabled it again and I don't see the intellitxts in FF anymore (though of course I still have them in IE and in Chrome).

Words I found being linked to (alleged) Intellitxt: Company; Corporation; Print; Printer; Shopping; Industries; Transactions; Transport; Power; Resources; Enterprises; Customer Experience; Automotive; Shell.

Is what I see on GeeksToGo the real Intellitxt or not?

In between the above described research I visited BleepingComputer and followed a link to Malwarebytes and got to Malwarebytes.org as I know it to be.
  • 0

#38
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long, so if the website gives you an error saying it is too long you may attach it.

    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================

and I will see if I want to see the whole report.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.

Send me the reports made from TDSSKiller and RogueKiller and also let me know how the computer is doing at this time.

Gringo
  • 0

#39
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
This post is repeated because this 1st is a mess. Hai Gringo.

Monday this computer has not been used and today only after work was done to check on your post, from Guest-acc. I found the keyboard not working. Another keyboard, same manufacturer and same model, didn't work either. After reboot the 2nd keyboard did work. I downloaded TDSS and RogueKiller and ran TDSS immediately. TDSS found 4 problems but I had no option to cure, so I skipped.

Took some time off, for I did not know how long RK would take. Had to work on another job early in the evening and thereafter it was a business meeting at NA (3 more days and I am Clean and Calm for a year). Thus I can't tell about how the comp works now as I am going home to sleep. I've run RogueKiller on my way back from NA. 2 problems found.

[edit] After posting this I checked the TDSS log to see if I could easily find the warning entries to maybe highlight them in bold so you would see them at a glance. I see the last 2 warning entries are quarantined although I am sure "skip" was the default setting with all 4 of them.

Also I forgot to mention the RK quarantine folder is on the desktop. On our comp it doesn't matter much, for I am the only one with passwords to the Admin and Owner accounts, but for other ppl you might want to add a warning to be careful and if possible move the RK quarantine folder to a safer place. [endEdit]

14:45:31.0296 3828  Scan finished
14:45:31.0296 3828  ============================================================
14:45:31.0484 3820  Detected object count: 4
14:45:31.0484 3820  Actual detected object count: 4
14:47:10.0250 3820  AR9271 ( UnsignedFile.Multi.Generic ) - skipped by user
14:47:10.0250 3820  AR9271 ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:47:10.0250 3820  ialm ( UnsignedFile.Multi.Generic ) - skipped by user
14:47:10.0250 3820  ialm ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:47:10.0343 3820  C:\Program Files\Wireless\WPS\jswpbapi.exe - copied to quarantine
14:47:10.0468 3820  jswpbapi ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
14:47:10.0562 3820  C:\Program Files\Wireless\WPS\jswpsapi.exe - copied to quarantine
14:47:10.0703 3820  jswpsapi ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
14:48:02.0203 2268  Deinitialize success


RogueKiller V8.6.1 [Jun 24 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...ler/
Website : http://tigzy.geeksto...ler.php
Blog : http://tigzyrk.blogs...sturingssysteem : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestart vanuit : Normale modus
Gebruiker : Eigenaar [Administrator rechten]
Modus : Verwijder -- Datum : 06/25/2013 22:03:54
| ARK || FAK || MBR |

¤¤¤ Kwaadaardige processen : 0 ¤¤¤

¤¤¤ Register verwijzingen : 2 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> Verwijderd
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> VERVANGEN (0)

¤¤¤ geplande taken : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ webbrowsers : 0 ¤¤¤

¤¤¤ Speciale Files / Folders: ¤¤¤

¤¤¤ Driver : [Geladen] ¤¤¤

¤¤¤ Externe Hives: ¤¤¤

¤¤¤ Infectie : ¤¤¤

¤¤¤ HOSTS Bestand: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Controle: ¤¤¤

+++++ PhysicalDrive0: WDC WD400BB-60DGA0 +++++
--- User ---
[MBR] 70e13deb56b463a728b30f164ef9f03d
[BSP] 43e9cc77212410304c065e5b22af2195 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38162 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Gereed : << RKreport[0]_D_06252013_220354.txt >>
RKreport[0]_S_06252013_220126.txt

Edited by Admirgency, 25 June 2013 - 03:03 PM.

  • 0

#40
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
The previous post became a mess with the edit (the full TDSS log seemed to fit). So here's one more try.

Hai Gringo.

Monday this computer has not been used and today only after work was done to check on your post, from Guest-acc. I found the keyboard not working. Another keyboard, same manufacturer and same model, didn't work either. After reboot the 2nd keyboard did work. I downloaded TDSS and RogueKiller and ran TDSS immediately. TDSS found 4 problems but I had no option to cure, so I skipped.

Took some time off, for I did not know how long RK would take. Had to work on another job early in the evening and thereafter it was a business meeting at NA (3 more days and I am Clean and Calm for a year). Thus I can't tell about how the comp works now as I am going home to sleep. I've run RogueKiller on my way back from NA. 2 problems found.

[edit] After posting this I checked the TDSS log to see if I could easily find the warning entries to maybe highlight them in bold so you would see them at a glance. I see the last 2 warning entries are quarantined although I am sure "skip" was the default setting with all 4 of them.

Also I forgot to mention the RK quarantine folder is on the desktop. On our comp it doesn't matter much, for I am the only one with passwords to the Admin and Owner accounts, but for other ppl you might want to add a warning to be careful and if possible move the RK quarantine folder to a safer place. [endEdit]

TDSS :
14:45:31.0296 3828 Scan finished
14:45:31.0296 3828 ============================================================
14:45:31.0484 3820 Detected object count: 4
14:45:31.0484 3820 Actual detected object count: 4
14:47:10.0250 3820 AR9271 ( UnsignedFile.Multi.Generic ) - skipped by user
14:47:10.0250 3820 AR9271 ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:47:10.0250 3820 ialm ( UnsignedFile.Multi.Generic ) - skipped by user
14:47:10.0250 3820 ialm ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:47:10.0343 3820 C:\Program Files\Wireless\WPS\jswpbapi.exe - copied to quarantine
14:47:10.0468 3820 jswpbapi ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
14:47:10.0562 3820 C:\Program Files\Wireless\WPS\jswpsapi.exe - copied to quarantine
14:47:10.0703 3820 jswpsapi ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
14:48:02.0203 2268 Deinitialize success




RogueKiller V8.6.1 [Jun 24 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

besturingssysteem : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestart vanuit : Normale modus
Gebruiker : Eigenaar [Administrator rechten]
Modus : Verwijder -- Datum : 06/25/2013 22:03:54
| ARK || FAK || MBR |

¤¤¤ Kwaadaardige processen : 0 ¤¤¤

¤¤¤ Register verwijzingen : 2 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> Verwijderd
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> VERVANGEN (0)

¤¤¤ geplande taken : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ webbrowsers : 0 ¤¤¤

¤¤¤ Speciale Files / Folders: ¤¤¤

¤¤¤ Driver : [Geladen] ¤¤¤

¤¤¤ Externe Hives: ¤¤¤

¤¤¤ Infectie : ¤¤¤

¤¤¤ HOSTS Bestand: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Controle: ¤¤¤

+++++ PhysicalDrive0: WDC WD400BB-60DGA0 +++++
--- User ---
[MBR] 70e13deb56b463a728b30f164ef9f03d
[BSP] 43e9cc77212410304c065e5b22af2195 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38162 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Gereed : << RKreport[0]_D_06252013_220354.txt >>
RKreport[0]_S_06252013_220126.txt
  • 0
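As an added example (not part of this thread, and not code from Kaspersky's TDSSKiller), the following Python script does by machine what Gringo's TDSSKiller instructions above ask the poster to do by hand: it picks the largest "TDSSKiller.[Version]_[Date]_[Time]_log.txt" file in a directory, cuts the log down to everything from the "Scan finished" line onward, and lists each detected object with the verdict, the action the user selected and (where the tool copied a file) the quarantined path. The sample lines are taken from the TDSS log posted above; the two lines before "Scan finished" are constructed stand-ins for the earlier part of the log that the post omits. The per-action summary makes the point the poster raises visible at once: two Skip and two Quarantine actions, although Skip was the default.

```python
import os
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample: the tail of the TDSSKiller log posted in this thread,
# preceded by two made-up lines standing in for the omitted earlier part.
SAMPLE_LOG = """\
14:40:00.0000 3828  [constructed stand-in for earlier log lines]
14:40:00.0000 3828  [constructed stand-in for earlier log lines]
14:45:31.0296 3828  Scan finished
14:45:31.0296 3828  ============================================================
14:45:31.0484 3820  Detected object count: 4
14:45:31.0484 3820  Actual detected object count: 4
14:47:10.0250 3820  AR9271 ( UnsignedFile.Multi.Generic ) - skipped by user
14:47:10.0250 3820  AR9271 ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:47:10.0250 3820  ialm ( UnsignedFile.Multi.Generic ) - skipped by user
14:47:10.0250 3820  ialm ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:47:10.0343 3820  C:\\Program Files\\Wireless\\WPS\\jswpbapi.exe - copied to quarantine
14:47:10.0468 3820  jswpbapi ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
14:47:10.0562 3820  C:\\Program Files\\Wireless\\WPS\\jswpsapi.exe - copied to quarantine
14:47:10.0703 3820  jswpsapi ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
14:48:02.0203 2268  Deinitialize success
"""

# File name pattern quoted in Gringo's instructions: TDSSKiller.[Version]_[Date]_[Time]_log.txt
LOG_NAME_RE = re.compile(r"^TDSSKiller\..*_log\.txt$", re.IGNORECASE)
# "<time> <pid>  <name> ( <verdict> ) - User select action: <action>"
ACTION_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<name>\S+) \( (?P<verdict>[^)]+) \) - User select action: (?P<action>\w+)"
)
# "<time> <pid>  <path> - copied to quarantine"
QUAR_RE = re.compile(r"^\S+\s+\d+\s+(?P<path>.+?) - copied to quarantine\s*$")
COUNT_RE = re.compile(r"Actual detected object count: (?P<n>\d+)")


def pick_largest_log(candidates: Sequence[Tuple[str, int]]) -> Optional[str]:
    """From (file name, size) pairs, return the name of the largest TDSSKiller log, or None."""
    logs = [(name, size) for name, size in candidates if LOG_NAME_RE.match(name)]
    if not logs:
        return None
    return max(logs, key=lambda item: item[1])[0]


def find_largest_log(directory: str) -> Optional[str]:
    """Scan a directory (the root of C:\\ in the instructions) for the largest TDSSKiller log."""
    candidates = []
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            candidates.append((name, os.path.getsize(full)))
    chosen = pick_largest_log(candidates)
    return os.path.join(directory, chosen) if chosen else None


def scan_tail(text: str) -> str:
    """Return the log from the 'Scan finished' line onward; the whole log if the marker is absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip().endswith("Scan finished"):
            return "\n".join(lines[i:])
    return text


def parse_detections(text: str) -> List[Dict[str, Optional[str]]]:
    """List each detected object with verdict, user-selected action and quarantined path (if any)."""
    quarantined: Dict[str, str] = {}  # file stem (lower-case) -> original path
    detections: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        q = QUAR_RE.match(line)
        if q:
            path = q.group("path")
            stem = os.path.splitext(os.path.basename(path.replace("\\", "/")))[0]
            quarantined[stem.lower()] = path
            continue
        m = ACTION_RE.match(line)
        if m:
            name = m.group("name")
            detections.append({
                "name": name,
                "verdict": m.group("verdict").strip(),
                "action": m.group("action"),
                "path": quarantined.get(name.lower()),
            })
    return detections


def detected_count(text: str) -> Optional[int]:
    """The count TDSSKiller itself reports, to cross-check against the parsed entries."""
    m = COUNT_RE.search(text)
    return int(m.group("n")) if m else None


def summarize(text: str) -> Dict[str, int]:
    """Number of detections per action (Skip, Quarantine, Cure, Delete, ...)."""
    counts: Dict[str, int] = {}
    for d in parse_detections(text):
        counts[d["action"]] = counts.get(d["action"], 0) + 1
    return counts


if __name__ == "__main__":
    tail = scan_tail(SAMPLE_LOG)
    for d in parse_detections(tail):
        print(f"{d['name']:<10} {d['verdict']:<28} {d['action']:<10} {d['path'] or ''}")
    print("reported:", detected_count(tail), "parsed:", len(parse_detections(tail)))
    print("per action:", summarize(tail))
```

To use it on a real machine, call find_largest_log("C:\\") and feed the file's contents to scan_tail before pasting; the parsed list also shows quickly whether a UnsignedFile.Multi.Generic hit was merely skipped or actually moved to quarantine, which is the difference the poster noticed in the log above.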


#41
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
I am glad those found something - let me know how things are when you get a chance


gringo
  • 0

#42
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
  • 0

#43
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#44
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Admirgency

I understand you have reinstalled the OS - are you still having problems after the reinstall?


gringo
  • 0

#45
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hai Gringo.
Sorry for the misunderstanding. No, I did not reinstall the PC from this very thread. I reinstalled a laptop; that was another recent thread on GeeksToGo, which was closed because it was an illegal Windows installation.

The PC (Windows XP) with SnapDo is working about fine, be it that SnapDo still resides in the Work account. I would very much appreciate your continued assistance removing SnapDo.
Thank you ever so much.

[edit] This 2nd Tuesday KB2833941 (security update for MS .NET Framework 1.1 SP1 for Windows XP, Vista and Server 2008 (x86)) did not install. Microsoft has a Fix it for that error 0x643. Can I use the fix or do you want to examine first?

Edited by Admirgency, 12 July 2013 - 07:58 AM.

  • 0





