
Browser Home Page Hijacked http://xn--*



#1
Zebwen

Hi there, first time posting here, hopefully I don't miss anything.

I have an annoying issue on a Server 2008 R2 Terminal Server that I have recently been handed management of. All users' (although, strangely, not the Administrator's) browser home pages have been locked in IE to three sites:

http://intranet/ (primary)
http://www.google.com/ (first secondary)
http://xn--* (* = different combination of letters every time)

The first two are remnants of an old group policy which has now been removed. However, if you go into the settings and make ANY changes to the home pages, the next time the user logs off and back on, this list of sites returns. Sometimes two or even three tabs open in addition to the intranet and Google tabs, sometimes only one, and each time it is a different address. Additionally, if you open the IE settings page and look at the third entry (which appears in oriental characters as shown in the attachment), then close the settings tab and immediately open it again, the set of oriental characters is completely different, so something appears to be running that is updating this setting regularly.

Steps taken so far to try and rectify this issue:
Searched the registry for http://xn-- < No results found.
Searched the registry for http://intranet/ < Found the setting locations, but there is nothing untoward that I could find regarding these issues in those locations.
Updated the existing (legacy) GPO to remove intranet and Google and add a new single home page location (http://Sharepoint/) < No effect.
Added a newer GPO using Group Policy Preferences, again defining the newer home page < No effect.
Ran a Malwarebytes full scan < This found three issues which were cleaned, but they did not seem to be related and have had no effect on the issue.
Ran an AdAware full scan, which found one item (a tracking cookie).

Below is the dump from OTL.txt, please let me know if I have missed anything and a huge thank you in advance for any help you might be able to give!

OTL logfile created on: 26/06/2013 10:22:23 - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\administrator.PBBNET\Downloads
64bit- Server Standard Edition (full installation)  (Version = 6.1.7600) - Type = NTServer
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
12.00 Gb Total Physical Memory | 4.78 Gb Available Physical Memory | 39.81% Memory free
24.00 Gb Paging File | 15.34 Gb Available in Paging File | 63.94% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 54.90 Gb Total Space | 12.06 Gb Free Space | 21.98% Space Free | Partition Type: NTFS
Drive H: | 984.00 Gb Total Space | 69.08 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive I: | 175.78 Gb Total Space | 27.28 Gb Free Space | 15.52% Space Free | Partition Type: NTFS
Drive N: | 984.00 Gb Total Space | 69.08 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive O: | 984.00 Gb Total Space | 69.08 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive T: | 380.87 Gb Total Space | 3.33 Gb Free Space | 0.87% Space Free | Partition Type: NTFS
Drive Z: | 19.53 Gb Total Space | 2.80 Gb Free Space | 14.33% Space Free | Partition Type: NTFS
 
Computer Name: PBBTS01 | User Name: administrator | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
[color=#E56717]========== Processes (SafeList) ==========[/color]
 
PRC - [2013/06/25 13:24:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\administrator.PBBNET\Downloads\OTL.exe
PRC - [2013/06/13 02:27:38 | 001,236,336 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
PRC - [2013/06/13 02:27:36 | 018,834,784 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAware.exe
PRC - [2013/05/15 16:17:34 | 000,554,408 | ---- | M] (Lavasoft) -- C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
PRC - [2012/09/23 21:43:34 | 001,343,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
PRC - [2012/09/23 21:43:34 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/09/20 05:39:12 | 003,677,000 | ---- | M] (GFI Software) -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
PRC - [2009/07/14 02:14:28 | 000,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\prevhost.exe
 
 
[color=#E56717]========== Modules (No Company Name) ==========[/color]
 
 
[color=#E56717]========== Services (SafeList) ==========[/color]
 
SRV:[b]64bit:[/b] - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmicvss)
SRV:[b]64bit:[/b] - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmictimesync)
SRV:[b]64bit:[/b] - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmicshutdown)
SRV:[b]64bit:[/b] - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmickvpexchange)
SRV:[b]64bit:[/b] - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmicheartbeat)
SRV:[b]64bit:[/b] - [2011/04/27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:[b]64bit:[/b] - [2011/04/27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:[b]64bit:[/b] - [2009/07/14 02:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:[b]64bit:[/b] - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:[b]64bit:[/b] - [2009/07/14 02:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:[b]64bit:[/b] - [2009/07/14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:13 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2013/06/25 18:14:09 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/06/13 02:27:38 | 001,236,336 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe -- (Ad-Aware Service)
SRV - [2012/09/23 21:43:34 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/09/20 05:39:12 | 003,677,000 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe -- (SBAMSvc)
SRV - [2009/07/14 02:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2009/07/14 02:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2009/07/14 02:14:53 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV:[b]64bit:[/b] - [2013/06/26 09:31:17 | 000,014,456 | ---- | M] (GFI Software) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\gfibto.sys -- (gfibto)
DRV:[b]64bit:[/b] - [2012/10/19 11:23:14 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VMBusVideoM.sys -- (SynthVid)
DRV:[b]64bit:[/b] - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:[b]64bit:[/b] - [2009/07/14 02:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:[b]64bit:[/b] - [2009/07/14 02:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:[b]64bit:[/b] - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:[b]64bit:[/b] - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:[b]64bit:[/b] - [2009/07/14 02:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:[b]64bit:[/b] - [2009/07/14 02:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:[b]64bit:[/b] - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:[b]64bit:[/b] - [2009/07/14 02:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:[b]64bit:[/b] - [2009/07/14 00:42:54 | 000,121,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:[b]64bit:[/b] - [2009/07/14 00:42:47 | 000,181,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:[b]64bit:[/b] - [2009/06/10 21:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma)
DRV:[b]64bit:[/b] - [2009/06/10 21:34:41 | 000,057,344 | ---- | M] (Microsoft Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc21x4vm.sys -- (dc21x4vm)
DRV:[b]64bit:[/b] - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:[b]64bit:[/b] - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:[b]64bit:[/b] - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 00:14:26 | 000,115,712 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\mrxdav.sys -- (MRxDAV)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = pbbgw01:8080
 
 
[color=#E56717]========== FireFox ==========[/color]
 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
O1 HOSTS File: ([2013/06/25 13:32:28 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1       localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4:[b]64bit:[/b] - HKLM..\Run: [MSC] "c:\Program Files\Microsoft Security Client\Antimalware\mssecex.exe" -hide -runkey File not found
O4 - HKLM..\Run: [Ad-Aware Antivirus] C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher.exe (Lavasoft Limited)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [MSCRM] c:\Program Files (x86)\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PspUsbCf] C:\Windows\SysWow64\pspusbcf.exe (Philips Speech Recognition Systems GmbH)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [adawarebp] reg.exe delete "HKCU\Software\AppDataLow\Software\adawarebp" /f File not found
O4 - HKCU..\RunOnce: [adawarebp_XP] reg.exe delete "HKCU\Software\adawarebp" /f File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Feed Discovery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Security present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisableLocalMachineRunOnce = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDisconnect = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonType = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O13[b]64bit:[/b] - gopher Prefix: missing
O13 - gopher Prefix: missing
O15:[b]64bit:[/b] - ..Trusted Domains: erims.com ([www] http in Trusted sites)
O15:[b]64bit:[/b] - ..Trusted Domains: intranet ([]http in Trusted sites)
O15:[b]64bit:[/b] - ..Trusted Domains: meridianuk.net ([www] http in Trusted sites)
O15:[b]64bit:[/b] - ..Trusted Domains: sharepoint ([]http in Trusted sites)
O15:[b]64bit:[/b] - ..Trusted Domains: threadneedle.co.uk ([]https in Trusted sites)
O15:[b]64bit:[/b] - ..Trusted Domains: threadneedle.co.uk ([horizonbo] https in Trusted sites)
O15:[b]64bit:[/b] - ..Trusted Domains: threadneedle.co.uk ([horizontpil] https in Trusted sites)
O15:[b]64bit:[/b] - ..Trusted Domains: threadneedle.co.uk ([horizontpilsso] https in Trusted sites)
O15 - HKCU\..Trusted Domains: sharepoint ([]http in Trusted sites)
O16 - DPF: {25D3A217-374E-449F-BC30-8043CA608428} https://10.0.1.29/itcclient.cab (KvmIp Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {9AA042FB-3665-4E66-9152-D8A133FC3322} http://pbbbk01/osd/DMSTypist4230.cab (Transcription for the Web)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbbnet.phoenix-beard.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6DB81B5E-215B-4C25-8FB3-4DFF588D9CFD}: NameServer = 10.0.1.12,10.0.1.26
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O20:[b]64bit:[/b] - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/20 15:58:17 | 000,000,000 | ---D | M] - C:\autofile -- [ NTFS ]
O33 - MountPoints2\{8b5ae631-35de-11df-bc89-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{8b5ae631-35de-11df-bc89-806e6f6e6963}\Shell\AutoRun\command - "" = D:\support\x86\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:[b]64bit:[/b] - HKLM\..comfile [open] -- "%1" %*
O35:[b]64bit:[/b] - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:[b]64bit:[/b] - HKLM\...com [@ = comfile] -- "%1" %*
O37:[b]64bit:[/b] - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2013/06/26 09:42:15 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Roaming\LavasoftStatistics
[2013/06/26 09:36:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Antivirus
[2013/06/26 09:33:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2013/06/26 09:33:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus
[2013/06/26 09:32:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Downloaded Installations
[2013/06/26 09:32:57 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
[2013/06/26 09:32:57 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Local\adawarebp
[2013/06/26 09:32:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2013/06/26 09:32:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\adawaretb
[2013/06/26 09:32:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Toolbar Cleaner
[2013/06/26 09:31:17 | 000,047,496 | ---- | C] (GFI Software) -- C:\Windows\SysNative\sbbd.exe
[2013/06/26 09:31:17 | 000,014,456 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\gfibto.sys
[2013/06/26 09:31:16 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Roaming\Ad-Aware Antivirus
[2013/06/26 09:30:52 | 005,616,264 | ---- | C] (Lavasoft Limited) -- C:\Users\administrator.PBBNET\Desktop\Adaware_Installer.exe
[2013/06/25 13:32:26 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/06/25 13:12:40 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Roaming\Malwarebytes
[2013/06/25 13:11:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/06/25 13:11:00 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Local\Programs
[2008/03/31 17:51:42 | 001,056,768 | ---- | C] (Philips Speech Processing - Dictation Systems) -- C:\Program Files (x86)\Common Files\DPMCtrl.dll
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2013/06/26 10:19:02 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/26 09:44:34 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\SBRC.dat
[2013/06/26 09:44:01 | 000,000,940 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-10717UA.job
[2013/06/26 09:42:50 | 000,002,349 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\Ad-Aware Antivirus.lnk
[2013/06/26 09:42:50 | 000,001,784 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\Uninstall Ad-Aware Antivirus.lnk
[2013/06/26 09:39:03 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-6685Core.job
[2013/06/26 09:39:01 | 000,000,932 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-6685UA.job
[2013/06/26 09:31:17 | 000,047,496 | ---- | M] (GFI Software) -- C:\Windows\SysNative\sbbd.exe
[2013/06/26 09:31:17 | 000,014,456 | ---- | M] (GFI Software) -- C:\Windows\SysNative\drivers\gfibto.sys
[2013/06/26 09:24:35 | 005,616,264 | ---- | M] (Lavasoft Limited) -- C:\Users\administrator.PBBNET\Desktop\Adaware_Installer.exe
[2013/06/25 18:19:36 | 000,020,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/25 18:19:36 | 000,020,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/25 18:15:02 | 000,024,388 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013/06/25 18:15:02 | 000,001,722 | RHS- | M] () -- C:\Users\administrator.PBBNET\ntuser.pol
[2013/06/25 18:07:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/25 14:44:07 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-10717Core.job
[2013/06/25 13:32:28 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2013/06/25 13:11:35 | 000,001,105 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/25 13:09:13 | 000,005,096 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\TSSRegIE.reg
[2013/06/05 09:43:43 | 000,001,994 | -H-- | M] () -- C:\Users\administrator.PBBNET\Documents\Default.rdp
[2013/05/28 22:30:58 | 000,832,996 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/05/28 22:30:58 | 000,702,658 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/05/28 22:30:58 | 000,139,278 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
 
[color=#E56717]========== Files Created - No Company Name ==========[/color]
 
[2013/06/26 09:44:34 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\SBRC.dat
[2013/06/26 09:33:19 | 000,002,349 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\Ad-Aware Antivirus.lnk
[2013/06/26 09:33:19 | 000,001,784 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\Uninstall Ad-Aware Antivirus.lnk
[2013/06/25 18:14:11 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/25 13:11:35 | 000,001,105 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/25 13:09:13 | 000,005,096 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\TSSRegIE.reg
[2012/06/21 15:08:23 | 000,007,622 | ---- | C] () -- C:\Users\administrator.PBBNET\AppData\Local\Resmon.ResmonCfg
[2012/05/03 15:11:29 | 000,001,722 | RHS- | C] () -- C:\Users\administrator.PBBNET\ntuser.pol
[2010/06/14 11:58:28 | 000,000,139 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2010/03/25 13:26:40 | 000,024,388 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2004/05/17 14:57:04 | 000,000,225 | ---- | C] () -- C:\Program Files (x86)\Common Files\DPMCtrl.ini
 
[color=#E56717]========== ZeroAccess Check ==========[/color]
 
[2009/07/14 05:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2010/07/27 15:59:11 | 014,162,944 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/07/27 15:03:24 | 012,867,584 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
[color=#E56717]========== LOP Check ==========[/color]
 
[2013/06/26 09:42:54 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\Ad-Aware Antivirus
[2010/04/26 15:42:12 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\Blueberry
[2010/04/30 11:53:52 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\FilePlus.NET
[2012/04/12 22:39:45 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\Scinaptic
 
[color=#E56717]========== Purity Check ==========[/color]
 
 

< End of report >

[Attached screenshots: IE1.png, IE2.png, IE3.png]

Thanks!

Zeb

Attached file: OTL.txt (26.62KB)

Edited by Zebwen, 26 June 2013 - 10:06 AM.



#2
RKinner

xn-- etc. is punycode, used to convert from Chinese and other languages.

http://www.pir.org/h...ecode=<< Decode

I expect the Chinese characters are stored in the registry and not the punycode so you might have more luck searching for them.

We can look at the main IE registry entries and see if something sticks out:

Open a Command window and copy and paste the following:

reg query "HKLM\Software\Policies\Microsoft\Internet Explorer" /s > "%userprofile%\Desktop\junk.txt"
reg query "HKCU\Software\Policies\Microsoft\Internet Explorer" /s >> "%userprofile%\Desktop\junk.txt"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s >> "%userprofile%\Desktop\junk.txt"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s >> "%userprofile%\Desktop\junk.txt"

Hit Enter, then look on your desktop for junk.txt. Attach it to your next post. Don't try to copy and paste it, as it will be too big.

Ron
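The reg query commands above write reg.exe's text format to junk.txt. As an added example (not code from the thread, from OTL or from reg.exe), this Python script parses that format, decodes any xn-- (punycode) host in the IE home page values back to its Unicode form so it can be searched for in the registry as Ron suggests, and diffs two successive dumps to show which value keeps being rewritten. The sample dump, and the xn-- labels in it, are constructed for the example.

```python
"""Parse 'reg query /s' output, decode punycode home pages, diff two dumps."""
import re
from urllib.parse import urlsplit

# IE home page value names (the REG_SZ ones appear in the OTL log above;
# "Secondary Start Pages" is the REG_MULTI_SZ that holds the extra tabs).
HOMEPAGE_VALUES = {
    "Start Page",
    "Secondary Start Pages",
    "Default_Page_URL",
    "Default_Secondary_Page_URL",
}

# One value line of reg.exe output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Turn reg query /s text into (key, value_name, type, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("type"), m.group("data")))
        elif not line.startswith(" "):
            key = line.strip()  # a non-indented line names the key that follows
    return entries


def decode_host(host):
    """Return (unicode form, is_punycode); unicode form is None if xn-- won't decode."""
    if "xn--" not in host.lower():
        return host, False
    try:
        # Python's idna codec decodes each xn-- label and checks it round-trips
        return host.encode("ascii").decode("idna"), True
    except UnicodeError:
        return None, True


def find_homepage_urls(text):
    """List every IE home page URL in a dump, flagging punycode or non-ASCII hosts."""
    findings = []
    for key, name, typ, data in parse_reg_query(text):
        if name not in HOMEPAGE_VALUES:
            continue
        # reg.exe prints a REG_MULTI_SZ on one line with a literal \0 between strings
        urls = data.split("\\0") if typ == "REG_MULTI_SZ" else [data]
        for url in filter(None, urls):
            host = urlsplit(url).hostname or ""
            decoded, is_puny = decode_host(host)
            non_ascii = any(ord(c) > 127 for c in host)
            findings.append({
                "key": key, "value": name, "url": url, "host": host,
                "decoded": decoded, "suspicious": is_puny or non_ascii,
            })
    return findings


def changed_values(before, after):
    """Values whose data differs between two dumps, as (key, name, old, new)."""
    old = {(k, n): d for k, n, _, d in parse_reg_query(before)}
    new = {(k, n): d for k, n, _, d in parse_reg_query(after)}
    return sorted((k, n, old.get((k, n)), new.get((k, n)))
                  for (k, n) in old.keys() | new.keys()
                  if old.get((k, n)) != new.get((k, n)))


# Constructed sample in reg.exe's output format (not the thread's junk.txt).
# xn--fiq228c and xn--fiqs8s are real punycode labels chosen for illustration.
SAMPLE_BEFORE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    http://intranet/
    Secondary Start Pages    REG_MULTI_SZ    http://www.google.com/\0http://xn--fiq228c/
    Default_Page_URL    REG_SZ    res://iesetup.dll/SoftAdmin.htm
"""
# Second dump taken a moment later: only the third tab's host has changed.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("xn--fiq228c", "xn--fiqs8s")

if __name__ == "__main__":
    for f in find_homepage_urls(SAMPLE_BEFORE):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['value']:26} {f['url']}  ->  {f['decoded']}")
    for key, name, old, new in changed_values(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"CHANGED  {name} under {key}: {old!r} -> {new!r}")
```

Run the script against two junk.txt files captured a minute apart from an affected user's session to see which value the background process rewrites, then search the registry for the decoded characters rather than the xn-- form.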

#3
Zebwen

Hi Ron, thanks for replying! I'll go try searching for some of the Chinese characters in the registry now. In the meantime, here is the junk.txt. I had to do this while logged on as the Administrator, so there is no HKCU result (location not found). The users don't have access to cmd or much else, although if needed I could change the rights of a test user to pull those values.

Zeb

Attached file: junk.txt (190.56KB)


#4
RKinner

I'm not seeing anything odd. Does your admin login see the same changes to the Start page? If not, you need to enable CMD for a user who does and make a new junk.txt.

#5
Zebwen

No, the admin login is strangely unaffected by this issue. I will go about enabling CMD for a test user and re-creating junk.txt to see what it turns up!

#6
RKinner

Also have the test user run OTL and post the log(s). Perhaps we can see what is happening.