I have an annoying issue on a Server 2008 R2 Terminal Server that I have recently been handed management of. All users' browser home pages (although, strangely, not the Administrator's) have been locked in IE to three sites:
http://intranet/ (primary)
http://www.google.com/ (first secondary)
http://xn--* (* = different combination of letters every time)
The first two are remnants of an old group policy which has now been removed. However, if you go into the settings and make ANY changes to the home pages, the next time the user logs off and back on, this list of sites returns. Sometimes two or even three tabs open in addition to the intranet and Google tabs, sometimes only one, and each time it is a different address. Additionally, if you open the IE settings page and look at the third entry (which appears in oriental characters, as shown in the attachment), then close the settings tab and immediately open it again, the set of oriental characters is completely different, so something appears to be running that updates this setting regularly.
Steps taken so far to try and rectify this issue:
Searched the registry for http://xn-- < No results found.
Searched the registry for http://intranet/ < Found the setting locations, but there is nothing untoward that I could find regarding these issues in those locations.
Updating the existing (legacy) GPO to remove intranet and google and add a new single homepage location (http://Sharepoint/) < No effect.
Added a newer GPO using Group Policy Preferences again defining the newer home page < No effect.
Ran a Malwarebytes full scan < This found three issues, which were cleaned, but they did not seem to be related and have had no effect on the issue.
Ran an AdAware full scan, which found one item (a tracking cookie).
Below is the dump from OTL.txt. Please let me know if I have missed anything, and a huge thank you in advance for any help you might be able to give!
OTL logfile created on: 26/06/2013 10:22:23 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\administrator.PBBNET\Downloads
64bit- Server Standard Edition (full installation) (Version = 6.1.7600) - Type = NTServer
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
12.00 Gb Total Physical Memory | 4.78 Gb Available Physical Memory | 39.81% Memory free
24.00 Gb Paging File | 15.34 Gb Available in Paging File | 63.94% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 54.90 Gb Total Space | 12.06 Gb Free Space | 21.98% Space Free | Partition Type: NTFS
Drive H: | 984.00 Gb Total Space | 69.08 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive I: | 175.78 Gb Total Space | 27.28 Gb Free Space | 15.52% Space Free | Partition Type: NTFS
Drive N: | 984.00 Gb Total Space | 69.08 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive O: | 984.00 Gb Total Space | 69.08 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive T: | 380.87 Gb Total Space | 3.33 Gb Free Space | 0.87% Space Free | Partition Type: NTFS
Drive Z: | 19.53 Gb Total Space | 2.80 Gb Free Space | 14.33% Space Free | Partition Type: NTFS
Computer Name: PBBTS01 | User Name: administrator | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/25 13:24:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\administrator.PBBNET\Downloads\OTL.exe
PRC - [2013/06/13 02:27:38 | 001,236,336 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
PRC - [2013/06/13 02:27:36 | 018,834,784 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAware.exe
PRC - [2013/05/15 16:17:34 | 000,554,408 | ---- | M] (Lavasoft) -- C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
PRC - [2012/09/23 21:43:34 | 001,343,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
PRC - [2012/09/23 21:43:34 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/09/20 05:39:12 | 003,677,000 | ---- | M] (GFI Software) -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
PRC - [2009/07/14 02:14:28 | 000,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\prevhost.exe

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV:64bit: - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmicvss)
SRV:64bit: - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmictimesync)
SRV:64bit: - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmicshutdown)
SRV:64bit: - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmickvpexchange)
SRV:64bit: - [2012/10/19 11:23:14 | 000,244,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmicsvc.exe -- (vmicheartbeat)
SRV:64bit: - [2011/04/27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/14 02:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 02:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/14 02:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV:64bit: - [2009/07/14 02:39:13 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2013/06/25 18:14:09 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/06/13 02:27:38 | 001,236,336 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe -- (Ad-Aware Service)
SRV - [2012/09/23 21:43:34 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/09/20 05:39:12 | 003,677,000 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe -- (SBAMSvc)
SRV - [2009/07/14 02:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2009/07/14 02:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2009/07/14 02:14:53 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/06/26 09:31:17 | 000,014,456 | ---- | M] (GFI Software) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\gfibto.sys -- (gfibto)
DRV:64bit: - [2012/10/19 11:23:14 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VMBusVideoM.sys -- (SynthVid)
DRV:64bit: - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2009/07/14 02:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 02:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 02:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 02:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/07/14 00:42:54 | 000,121,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2009/07/14 00:42:47 | 000,181,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2009/06/10 21:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma)
DRV:64bit: - [2009/06/10 21:34:41 | 000,057,344 | ---- | M] (Microsoft Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc21x4vm.sys -- (dc21x4vm)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 00:14:26 | 000,115,712 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\mrxdav.sys -- (MRxDAV)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = pbbgw01:8080

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

O1 HOSTS File: ([2013/06/25 13:32:28 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4:64bit: - HKLM..\Run: [MSC] "c:\Program Files\Microsoft Security Client\Antimalware\mssecex.exe" -hide -runkey File not found
O4 - HKLM..\Run: [Ad-Aware Antivirus] C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher.exe (Lavasoft Limited)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [MSCRM] c:\Program Files (x86)\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PspUsbCf] C:\Windows\SysWow64\pspusbcf.exe (Philips Speech Recognition Systems GmbH)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [adawarebp] reg.exe delete "HKCU\Software\AppDataLow\Software\adawarebp" /f File not found
O4 - HKCU..\RunOnce: [adawarebp_XP] reg.exe delete "HKCU\Software\adawarebp" /f File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Feed Discovery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Security present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisableLocalMachineRunOnce = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDisconnect = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonType = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15:64bit: - ..Trusted Domains: erims.com ([www] http in Trusted sites)
O15:64bit: - ..Trusted Domains: intranet ([]http in Trusted sites)
O15:64bit: - ..Trusted Domains: meridianuk.net ([www] http in Trusted sites)
O15:64bit: - ..Trusted Domains: sharepoint ([]http in Trusted sites)
O15:64bit: - ..Trusted Domains: threadneedle.co.uk ([]https in Trusted sites)
O15:64bit: - ..Trusted Domains: threadneedle.co.uk ([horizonbo] https in Trusted sites)
O15:64bit: - ..Trusted Domains: threadneedle.co.uk ([horizontpil] https in Trusted sites)
O15:64bit: - ..Trusted Domains: threadneedle.co.uk ([horizontpilsso] https in Trusted sites)
O15 - HKCU\..Trusted Domains: sharepoint ([]http in Trusted sites)
O16 - DPF: {25D3A217-374E-449F-BC30-8043CA608428} https://10.0.1.29/itcclient.cab (KvmIp Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {9AA042FB-3665-4E66-9152-D8A133FC3322} http://pbbbk01/osd/DMSTypist4230.cab (Transcription for the Web)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbbnet.phoenix-beard.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6DB81B5E-215B-4C25-8FB3-4DFF588D9CFD}: NameServer = 10.0.1.12,10.0.1.26
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/20 15:58:17 | 000,000,000 | ---D | M] - C:\autofile -- [ NTFS ]
O33 - MountPoints2\{8b5ae631-35de-11df-bc89-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{8b5ae631-35de-11df-bc89-806e6f6e6963}\Shell\AutoRun\command - "" = D:\support\x86\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/26 09:42:15 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Roaming\LavasoftStatistics
[2013/06/26 09:36:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Antivirus
[2013/06/26 09:33:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2013/06/26 09:33:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus
[2013/06/26 09:32:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Downloaded Installations
[2013/06/26 09:32:57 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
[2013/06/26 09:32:57 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Local\adawarebp
[2013/06/26 09:32:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2013/06/26 09:32:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\adawaretb
[2013/06/26 09:32:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Toolbar Cleaner
[2013/06/26 09:31:17 | 000,047,496 | ---- | C] (GFI Software) -- C:\Windows\SysNative\sbbd.exe
[2013/06/26 09:31:17 | 000,014,456 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\gfibto.sys
[2013/06/26 09:31:16 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Roaming\Ad-Aware Antivirus
[2013/06/26 09:30:52 | 005,616,264 | ---- | C] (Lavasoft Limited) -- C:\Users\administrator.PBBNET\Desktop\Adaware_Installer.exe
[2013/06/25 13:32:26 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/06/25 13:12:40 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Roaming\Malwarebytes
[2013/06/25 13:11:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/06/25 13:11:00 | 000,000,000 | ---D | C] -- C:\Users\administrator.PBBNET\AppData\Local\Programs
[2008/03/31 17:51:42 | 001,056,768 | ---- | C] (Philips Speech Processing - Dictation Systems) -- C:\Program Files (x86)\Common Files\DPMCtrl.dll

========== Files - Modified Within 30 Days ==========

[2013/06/26 10:19:02 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/26 09:44:34 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\SBRC.dat
[2013/06/26 09:44:01 | 000,000,940 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-10717UA.job
[2013/06/26 09:42:50 | 000,002,349 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\Ad-Aware Antivirus.lnk
[2013/06/26 09:42:50 | 000,001,784 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\Uninstall Ad-Aware Antivirus.lnk
[2013/06/26 09:39:03 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-6685Core.job
[2013/06/26 09:39:01 | 000,000,932 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-6685UA.job
[2013/06/26 09:31:17 | 000,047,496 | ---- | M] (GFI Software) -- C:\Windows\SysNative\sbbd.exe
[2013/06/26 09:31:17 | 000,014,456 | ---- | M] (GFI Software) -- C:\Windows\SysNative\drivers\gfibto.sys
[2013/06/26 09:24:35 | 005,616,264 | ---- | M] (Lavasoft Limited) -- C:\Users\administrator.PBBNET\Desktop\Adaware_Installer.exe
[2013/06/25 18:19:36 | 000,020,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/25 18:19:36 | 000,020,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/25 18:15:02 | 000,024,388 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013/06/25 18:15:02 | 000,001,722 | RHS- | M] () -- C:\Users\administrator.PBBNET\ntuser.pol
[2013/06/25 18:07:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/25 14:44:07 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-790525478-682003330-10717Core.job
[2013/06/25 13:32:28 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2013/06/25 13:11:35 | 000,001,105 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/25 13:09:13 | 000,005,096 | ---- | M] () -- C:\Users\administrator.PBBNET\Desktop\TSSRegIE.reg
[2013/06/05 09:43:43 | 000,001,994 | -H-- | M] () -- C:\Users\administrator.PBBNET\Documents\Default.rdp
[2013/05/28 22:30:58 | 000,832,996 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/05/28 22:30:58 | 000,702,658 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/05/28 22:30:58 | 000,139,278 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

========== Files Created - No Company Name ==========

[2013/06/26 09:44:34 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\SBRC.dat
[2013/06/26 09:33:19 | 000,002,349 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\Ad-Aware Antivirus.lnk
[2013/06/26 09:33:19 | 000,001,784 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\Uninstall Ad-Aware Antivirus.lnk
[2013/06/25 18:14:11 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/25 13:11:35 | 000,001,105 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/25 13:09:13 | 000,005,096 | ---- | C] () -- C:\Users\administrator.PBBNET\Desktop\TSSRegIE.reg
[2012/06/21 15:08:23 | 000,007,622 | ---- | C] () -- C:\Users\administrator.PBBNET\AppData\Local\Resmon.ResmonCfg
[2012/05/03 15:11:29 | 000,001,722 | RHS- | C] () -- C:\Users\administrator.PBBNET\ntuser.pol
[2010/06/14 11:58:28 | 000,000,139 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2010/03/25 13:26:40 | 000,024,388 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2004/05/17 14:57:04 | 000,000,225 | ---- | C] () -- C:\Program Files (x86)\Common Files\DPMCtrl.ini

========== ZeroAccess Check ==========

[2009/07/14 05:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2010/07/27 15:59:11 | 014,162,944 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/07/27 15:03:24 | 012,867,584 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013/06/26 09:42:54 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\Ad-Aware Antivirus
[2010/04/26 15:42:12 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\Blueberry
[2010/04/30 11:53:52 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\FilePlus.NET
[2012/04/12 22:39:45 | 000,000,000 | ---D | M] -- C:\Users\administrator.PBBNET\AppData\Roaming\Scinaptic

========== Purity Check ==========

< End of report >
Thanks!
Zeb
Attached Files
Edited by Zebwen, 26 June 2013 - 10:06 AM.
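The home-page values the post describes are stored per user, and the OTL log above was run in "Current user" mode, so it only reflects the administrator's hive (which is the one profile reported as unaffected). The PowerShell script below is an added example written for this thread; it is not the poster's code and not part of OTL, Malwarebytes or Ad-Aware. It assumes an elevated PowerShell session on the Terminal Server while the affected users are logged on (only loaded profiles appear under HKEY_USERS), and the SID in the usage comment is a placeholder. It reads the Start Page, Secondary Start Pages and Default_*_URL values from every loaded user hive plus the HKLM and per-user IE policy keys, flags entries that are punycode (xn--) or contain non-ASCII characters, converts between the two forms with .NET's IdnMapping so the characters IE displays can be matched against what is actually stored, and optionally adds an audit SACL so that Security event 4657 records which process rewrites the key.

```powershell
# Added example for this thread (not the poster's code, not from OTL/Ad-Aware/Malwarebytes).
# Assumes an elevated session on the Terminal Server; affected users must be logged on.

$IEMainRel   = 'Software\Microsoft\Internet Explorer\Main'
$IEPolicyRel = 'Software\Policies\Microsoft\Internet Explorer\Main'
$ValueNames  = @('Start Page', 'Secondary Start Pages',
                 'Default_Page_URL', 'Default_Secondary_Page_URL')
$Idn = New-Object System.Globalization.IdnMapping     # .NET punycode (IDNA) codec

function Convert-HostLabel {
    # Return the other form of a URL's host: xn-- label -> Unicode, Unicode -> xn-- label.
    # Useful because IE's UI shows the Unicode form while the registry may hold either.
    param([string]$Url)
    try {
        $h = ([Uri]$Url).Host
        if ($h -match 'xn--')         { return $Idn.GetUnicode($h) }
        if ($h -match '[^\x00-\x7F]') { return $Idn.GetAscii($h) }
    } catch { }
    return $null
}

function Get-IEStartPageReport {
    $rows = @()
    # One subkey per loaded profile under HKEY_USERS; the *_Classes hives hold no IE settings.
    $hives = Get-ChildItem Registry::HKEY_USERS |
             Where-Object { $_.PSChildName -notlike '*_Classes' }
    $targets = @()
    foreach ($h in $hives) {
        foreach ($rel in @($IEMainRel, $IEPolicyRel)) {
            $targets += @{ Hive = $h.PSChildName
                           Path = "Registry::HKEY_USERS\$($h.PSChildName)\$rel" }
        }
    }
    # Machine-wide keys: the legacy/new GPO settings land under HKLM\...\Policies.
    foreach ($rel in @($IEMainRel, $IEPolicyRel)) {
        $targets += @{ Hive = 'HKLM'; Path = "Registry::HKEY_LOCAL_MACHINE\$rel" }
    }
    foreach ($t in $targets) {
        if (-not (Test-Path $t.Path)) { continue }
        $props = Get-ItemProperty -Path $t.Path
        foreach ($name in $ValueNames) {
            $data = $props.$name
            if ($null -eq $data) { continue }
            foreach ($entry in @($data)) {            # Secondary Start Pages is REG_MULTI_SZ
                $suspect = ($entry -match 'xn--') -or ($entry -match '[^\x00-\x7F]')
                $alt = $null
                if ($suspect) { $alt = Convert-HostLabel $entry }
                $rows += New-Object PSObject -Property @{
                    Hive    = $t.Hive
                    Key     = ($t.Path -replace '^Registry::', '')
                    Value   = $name
                    Data    = $entry
                    Suspect = $suspect
                    AltForm = $alt
                }
            }
        }
    }
    $rows
}

function Enable-IEMainAudit {
    # Add a Success audit ACE for SetValue on one user's IE Main key. With the
    # "Registry" audit subcategory on, every rewrite is logged as Security event
    # 4657, which carries the writing process's PID and image path.
    param([Parameter(Mandatory=$true)][string]$UserSid)   # placeholder SID in usage below
    $path = "Registry::HKEY_USERS\$UserSid\$IEMainRel"
    $acl  = Get-Acl -Path $path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null
}

# Usage: list every loaded hive's start-page values, suspect entries first.
Get-IEStartPageReport | Sort-Object Suspect -Descending |
    Format-Table Hive, Value, Data, Suspect, AltForm -AutoSize

# Then, for one affected user (replace the placeholder SID), start auditing and
# check for 4657 events after the next logoff/logon cycle:
# Enable-IEMainAudit -UserSid 'S-1-5-21-PLACEHOLDER-SID'
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } | Select-Object -First 10
```

The report answers the first open question in the post (whether the xn-- entries are stored as punycode, as Unicode, or only in the users' hives rather than the administrator's, which would explain why a registry search from the administrator's session found nothing). The audit SACL answers the second: once the next logon rewrites the value, the 4657 event names the process that did it, which is the item to look for in the OTL Run/RunOnce, scheduled task and service lists.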