Redirected Searches, Advertising Pop-Ups


eblaine
Redirected Searches, Advertising Pop-Ups
« on: September 07, 2010, 10:42:43 AM »
Thanks in advance for your help in resolving this issue.

Here are the problems I have:
1. After doing a search, when I click on the link it will redirect to a different page. (Happens in IE & Firefox.)
2. Pop-ups when using IE.

Somehow a Tango toolbar was downloaded on my computer and I uninstalled it. I found out it was malware, so I downloaded PC Tools Spyware Doctor & ExterminateIT. When I ran these programs, they found some trojans and cookies and removed them. However, I'm still having issues.

OS:  Microsoft Windows XP Professional SP3

Here is the antivirus & other software I have:
Norton Security Scan
Symantec Antivirus
PC Tools Spyware doctor
ExterminateIT


Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:40:10 AM, on 9/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afasrv32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Iomega\QuikProtect\QpMonitor.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medeanalytics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02D9E8F4-3138-4355-BF36-087854324055} - C:\WINDOWS\system32\dpvacm32.dll (file missing)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: a416bd32 - {3BE12953-7517-427A-D509-9A8E2A98788E} - C:\WINDOWS\system32\dmstyle32.dll (file missing)
O2 - BHO: Virtual Storage Mount Notification - {3CF560DC-DFCB-4737-82C2-9564CA8F733B} - C:\WINDOWS\system32\VSMntNtf.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1943FDF7-2330-4EEC-B7E3-74D9C7864ECE} (CvncViewer Object) - https://conference.medeanalytics.com/buddies/eDialCollabViewer.cab
O16 - DPF: {2C4B89FF-685C-471A-BFF1-AEFAEAE15D33} (Hook Class) - https://conference.medeanalytics.com/buddies/edial.cab
O16 - DPF: {BFCF3234-E815-4966-8C1A-9B606110378B} (CSess Object) - https://conference.medeanalytics.com/buddies/eDialCollab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://medeanalytics.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.medefinance.com
O17 - HKLM\Software\..\Telephony: DomainName = us.medefinance.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.medefinance.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.medefinance.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\dmstyle32.dll
O21 - SSODL: EldosMountNotificator - {3CF560DC-DFCB-4737-82C2-9564CA8F733B} - C:\WINDOWS\system32\VSMntNtf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Virtual Storage Mount Notification - {3CF560DC-DFCB-4737-82C2-9564CA8F733B} - C:\WINDOWS\system32\VSMntNtf.dll
O23 - Service: Afa Card Reader Service (AfaService) - Unknown owner - C:\WINDOWS\system32\afasrv32.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JungleDiskService - Jungle Disk, Inc. - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QPCopyEngine - Unknown owner - C:\Program Files\Iomega\QuikProtect\QpMonitor.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9781 bytes



Rorschach112 (Malware Removal Staff)
Re: Redirected Searches, Advertising Pop-Ups
« Reply #1 on: September 07, 2010, 12:14:56 PM »
Please download ComboFix and save it to your desktop.

Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double-click on ComboFix.exe and follow the prompts.
When it's finished, it will produce a log.
Post the contents of C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.

eblaine
Re: Redirected Searches, Advertising Pop-Ups
« Reply #2 on: September 07, 2010, 01:32:37 PM »
ComboFix 10-09-07.01 - eholliday 09/07/2010  12:23:26.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1416 [GMT -7:00]
Running from: c:\documents and settings\EHolliday\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\EHolliday\Application Data\0200000075aa0bae989C.manifest
c:\documents and settings\EHolliday\Application Data\0200000075aa0bae989O.manifest
c:\documents and settings\EHolliday\Application Data\0200000075aa0bae989P.manifest
c:\documents and settings\EHolliday\Application Data\0200000075aa0bae989S.manifest
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{3c8f1d5c-bbff-4360-bc9f-41dde4f3b97a}
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{3c8f1d5c-bbff-4360-bc9f-41dde4f3b97a}\chrome.manifest
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{3c8f1d5c-bbff-4360-bc9f-41dde4f3b97a}\chrome\xulcache.jar
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{3c8f1d5c-bbff-4360-bc9f-41dde4f3b97a}\defaults\preferences\xulcache.js
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{3c8f1d5c-bbff-4360-bc9f-41dde4f3b97a}\install.rdf
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{5265c5f1-a61c-4a97-82d3-78821e03f1f7}
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{5265c5f1-a61c-4a97-82d3-78821e03f1f7}\chrome.manifest
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{5265c5f1-a61c-4a97-82d3-78821e03f1f7}\chrome\xulcache.jar
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{5265c5f1-a61c-4a97-82d3-78821e03f1f7}\defaults\preferences\xulcache.js
c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\extensions\{5265c5f1-a61c-4a97-82d3-78821e03f1f7}\install.rdf
c:\windows\GnuHashes.ini
c:\windows\system32\1717012992
c:\windows\system32\Cache
c:\windows\system32\Cache\jd2-6a0d667006f51f337543412e692006b5-us\erickholliday\c6696b78371adcbf7fa6d54c06496f9e-backup.db-journal
c:\windows\system32\Cache\jd2-6a0d667006f51f337543412e692006b5-us\erickholliday\c6696b78371adcbf7fa6d54c06496f9e-backup.db
c:\windows\system32\Cache\jd2-6a0d667006f51f337543412e692006b5-us\erickholliday\cache.db-journal
c:\windows\system32\Cache\jd2-6a0d667006f51f337543412e692006b5-us\erickholliday\cache.db
c:\windows\system32\dnsrslvr32.dll
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\mu239056701v4
c:\windows\system32\SysWoW32\mu239056701v4.kwd
c:\windows\system32\SysWoW32\mu239056701v5
c:\windows\system32\SysWoW32\mu239056701v5.kwd
c:\windows\system32\SysWoW32\mu239056701v6
c:\windows\system32\SysWoW32\mu239056701v6.kwd
c:\windows\system32\SysWoW32\mu239056701v7
c:\windows\system32\SysWoW32\mu239056701v7.kwd
c:\windows\system32\SysWoW32\wu239056701v0
c:\windows\system32\SysWoW32\wu239056701v0.kwd
c:\windows\system32\SysWoW32\wu239056701v1
c:\windows\system32\SysWoW32\wu239056701v1.kwd
c:\windows\system32\SysWoW32\wu239056701v2
c:\windows\system32\SysWoW32\wu239056701v2.kwd
c:\windows\system32\SysWoW32\wu239056701v3
c:\windows\system32\SysWoW32\wu239056701v3.kwd
c:\windows\system32\unrar.exe
G:\autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2010-08-07 to 2010-09-07  )))))))))))))))))))))))))))))))
.

2010-09-07 17:22 . 2010-09-07 17:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\nView_Profiles
2010-09-06 21:18 . 2010-09-06 21:18   388096   ----a-r-   c:\documents and settings\EHolliday\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-06 21:18 . 2010-09-06 21:18   --------   d-----w-   c:\program files\Trend Micro
2010-09-06 21:04 . 2010-02-05 16:17   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-09-06 21:04 . 2010-03-29 17:06   218592   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-09-06 21:04 . 2009-11-23 20:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-09-06 21:03 . 2010-04-08 21:29   63360   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
2010-09-06 21:03 . 2010-09-06 21:04   --------   d-----w-   c:\program files\Common Files\PC Tools
2010-09-06 21:03 . 2010-09-07 19:10   --------   d-----w-   c:\program files\Spyware Doctor
2010-09-06 21:03 . 2010-09-06 21:03   --------   d-----w-   c:\documents and settings\EHolliday\Application Data\PC Tools
2010-09-06 21:03 . 2010-09-06 21:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
2010-09-06 21:03 . 2010-09-07 19:10   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-09-06 21:01 . 2010-09-06 21:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
2010-09-04 00:39 . 2010-06-24 23:04   19384   ----a-r-   c:\windows\system32\drivers\QsFsFltr.sys
2010-09-04 00:39 . 2010-09-04 00:39   --------   d-----w-   c:\program files\Iomega
2010-09-03 01:55 . 2010-09-06 00:57   --------   d-----w-   c:\program files\Exterminate It!
2010-09-03 00:40 . 2010-09-03 00:40   322560   ----a-w-   c:\windows\system32\HPZinw1232.dll
2010-09-02 21:45 . 2010-09-02 21:45   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-31 05:08 . 2010-08-31 05:08   --------   d-----w-   c:\program files\cardicon
2010-08-31 05:08 . 2010-08-31 05:08   65536   ----a-w-   c:\windows\system32\afasrv32.exe
2010-08-31 05:08 . 2010-08-31 05:08   --------   d-----w-   c:\program files\Dynex mini card reader
2010-08-24 15:56 . 2010-08-24 15:56   4710   ----a-r-   c:\documents and settings\EHolliday\Application Data\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe
2010-08-24 15:49 . 2010-08-24 15:49   5614456   ----a-w-   c:\documents and settings\EHolliday\Application Data\j2 Global\eFax Messenger\updates\4.4.1 Minor Update\msgrplus.exe
2010-08-24 00:39 . 2010-09-06 01:53   --------   d-----w-   c:\documents and settings\EHolliday\Application Data\ZumoDrive
2010-08-24 00:39 . 2010-08-24 00:39   --------   d-----w-   c:\program files\Zecter
2010-08-24 00:39 . 2010-04-24 01:29   148424   ----a-w-   c:\windows\system32\drivers\cbfs.sys
2010-08-21 16:04 . 2010-08-21 16:05   --------   d-----w-   c:\program files\QuickTime

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 19:17 . 2009-03-17 16:36   --------   d-----w-   c:\program files\Symantec AntiVirus
2010-09-07 17:08 . 2009-03-16 20:13   244167   ----a-w-   c:\windows\system32\nvModes.dat
2010-09-07 16:22 . 2010-06-05 10:01   57344   -c--a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-09-07 16:15 . 2010-03-19 09:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-09-07 16:14 . 2010-03-19 09:21   --------   d-----w-   c:\program files\DivX
2010-09-06 22:48 . 2010-02-23 16:05   --------   d-----w-   c:\documents and settings\EHolliday\Application Data\HPAppData
2010-09-06 21:01 . 2010-09-02 21:39   --------   d-----w-   c:\program files\Google
2010-09-04 01:09 . 2010-02-16 23:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\WinZip
2010-09-03 01:34 . 2010-02-23 17:27   --------   d-----r-   c:\program files\Skype
2010-09-03 01:29 . 2010-02-23 17:27   --------   d-----w-   c:\documents and settings\EHolliday\Application Data\Skype
2010-09-03 00:40 . 2010-09-03 00:40   0   ---ha-w-   c:\documents and settings\EHolliday\raskglqgaa.tmp
2010-09-02 23:46 . 2010-09-02 23:46   1152000   --sha-w-   c:\windows\system32\161.tmp
2010-09-02 02:20 . 2010-03-10 23:39   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-09-02 00:00 . 2010-09-02 00:00   86016   ----a-w-   c:\documents and settings\EHolliday\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\meetingconvertor.dll
2010-09-02 00:00 . 2010-09-02 00:00   81920   ----a-w-   c:\documents and settings\EHolliday\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connecthook.dll
2010-09-02 00:00 . 2010-09-02 00:00   5064200   ----a-w-   c:\documents and settings\EHolliday\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
2010-09-01 23:52 . 2010-09-01 23:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\JungleDisk
2010-09-01 23:52 . 2010-09-01 23:52   --------   d-----w-   c:\program files\Jungle Disk Desktop
2010-08-24 15:56 . 2010-02-20 23:43   --------   d-----w-   c:\program files\eFax Messenger 4.4
2010-08-20 14:47 . 2010-07-25 19:25   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-08-13 18:02 . 2009-03-17 16:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-09 17:42 . 2010-03-25 15:22   119   ----a-w-   c:\windows\wpd99.drv
2010-08-06 11:37 . 2010-08-06 11:37   503808   ----a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3c12ef6c-n\msvcp71.dll
2010-08-06 11:37 . 2010-08-06 11:37   499712   ----a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3c12ef6c-n\jmc.dll
2010-08-06 11:37 . 2010-08-06 11:37   348160   ----a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3c12ef6c-n\msvcr71.dll
2010-08-06 11:37 . 2010-08-06 11:37   61440   ----a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-549e34e3-n\decora-sse.dll
2010-08-06 11:37 . 2010-08-06 11:37   12800   ----a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-549e34e3-n\decora-d3d.dll
2010-07-29 05:22 . 2010-07-11 19:18   --------   d-----w-   c:\program files\Common Files\Real
2010-07-24 15:53 . 2010-07-24 15:53   --------   d-----w-   c:\program files\iTunes
2010-07-24 15:53 . 2010-07-24 15:53   --------   d-----w-   c:\program files\iPod
2010-07-24 15:53 . 2010-02-27 18:07   --------   d-----w-   c:\program files\Common Files\Apple
2010-07-24 15:49 . 2010-07-24 15:49   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-23 18:00 . 2010-02-18 18:39   --------   d-----w-   c:\documents and settings\EHolliday\Application Data\webex
2010-07-20 08:56 . 2010-02-23 17:29   --------   d-----w-   c:\documents and settings\EHolliday\Application Data\skypePM
2010-07-11 19:19 . 2010-07-11 19:19   49152   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-11 19:19 . 2010-07-11 19:19   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-11 19:19 . 2010-07-11 19:19   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-11 19:19 . 2010-07-11 19:19   308808   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-30 12:31 . 2008-04-14 12:00   149504   ----a-w-   c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2008-04-14 12:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 12:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
2010-06-15 05:37 . 2010-06-12 21:30   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-06-14 14:31 . 2009-03-14 00:36   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 12:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
2010-06-12 21:30 . 2010-06-12 21:30   62464   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\cache\6.0\35\546d4a63-77ee09ce-n\avutil-49.dll
2010-06-12 21:30 . 2010-06-12 21:30   516096   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\cache\6.0\35\546d4a63-77ee09ce-n\ivjni.dll
2010-06-12 21:30 . 2010-06-12 21:30   288361   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\cache\6.0\35\546d4a63-77ee09ce-n\libmp3lame-0.dll
2010-06-12 21:30 . 2010-06-12 21:30   1941504   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\cache\6.0\35\546d4a63-77ee09ce-n\avcodec-51.dll
2010-06-12 21:30 . 2010-06-12 21:30   107520   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\cache\6.0\35\546d4a63-77ee09ce-n\avformat-52.dll
2010-06-12 21:30 . 2010-06-12 21:30   61440   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63896542-n\decora-sse.dll
2010-06-12 21:30 . 2010-06-12 21:30   503808   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70c9d2be-n\msvcp71.dll
2010-06-12 21:30 . 2010-06-12 21:30   499712   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70c9d2be-n\jmc.dll
2010-06-12 21:30 . 2010-06-12 21:30   348160   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70c9d2be-n\msvcr71.dll
2010-06-12 21:30 . 2010-06-12 21:30   12800   -c--a-w-   c:\documents and settings\EHolliday\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63896542-n\decora-d3d.dll
2010-06-11 23:51 . 2010-06-11 23:51   3055600   ----a-w-   c:\documents and settings\EHolliday\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 23:36 . 2010-06-11 23:36   275952   ----a-w-   c:\documents and settings\EHolliday\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-09-29 21:16 . 2009-09-29 21:16   28488   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-05-24 22:05 . 2009-09-29 21:16   185240   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-04-30 18:06 . 2010-04-30 18:06   46408   ----a-w-   c:\program files\mozilla firefox\plugins\atmccli.dll
2009-09-29 21:16 . 2009-09-29 21:16   99224   ----a-w-   c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-06-16 01:28   754176   ----a-w-   c:\program files\Zecter\ZumoDrive\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-06-16 01:28   754176   ----a-w-   c:\program files\Zecter\ZumoDrive\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-06-16 01:28   754176   ----a-w-   c:\program files\Zecter\ZumoDrive\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-06-16 01:28   754176   ----a-w-   c:\program files\Zecter\ZumoDrive\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-06-16 01:28   754176   ----a-w-   c:\program files\Zecter\ZumoDrive\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{0E653882-06F5-48CA-9726-BFABE5E50CE0}"
[HKEY_CLASSES_ROOT\CLSID\{0E653882-06F5-48CA-9726-BFABE5E50CE0}]
2010-04-24 01:29   138976   ----a-w-   c:\windows\system32\VSMntNtf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
@="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
[HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
2010-06-16 22:28   804608   ----a-w-   c:\program files\Jungle Disk Desktop\monitor_shellext.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
@="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
[HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
2010-06-16 22:28   804608   ----a-w-   c:\program files\Jungle Disk Desktop\monitor_shellext.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
@="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
[HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
2010-06-16 22:28   804608   ----a-w-   c:\program files\Jungle Disk Desktop\monitor_shellext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="nvHotkey.dll" [2008-11-22 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-22 13594624]
"nwiz"="nwiz.exe" [2008-11-22 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-22 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 30 (0x1e)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-2025429265-725345543-9177\Scripts\Logon\0\0]
"Script"=\\us.medefinance.com\netlogon\ReHomeAV.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-2025429265-725345543-9177\Scripts\Logon\1\0]
"Script"=\\us.medefinance.com\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Jungle Disk Desktop.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
backup=c:\windows\pss\Jungle Disk Desktop.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^EHolliday^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\EHolliday\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06   976832   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 21:29   159744   ----a-w-   c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-10-25 02:00   2220032   ----a-w-   c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00   15360   ----a-w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2008-02-22 20:43   1245184   ----a-w-   c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24   95744   ----a-w-   c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-01 23:16   136176   ----atw-   c:\documents and settings\EHolliday\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-09-06 21:01   161336   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 20:08   49208   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 17:54   150016   ----a-w-   c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-05-11 18:51   1287120   ----a-w-   c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 22:53   141608   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-05-23 21:06   128296   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuiKProtect]
2010-06-24 23:04   58672   ----a-r-   c:\program files\Iomega\QuikProtect\startQuikProtect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 18:22   405504   ----a-w-   c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-06 21:01   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\systray]
2009-04-24 17:37   331851   ----a-w-   c:\program files\Dell\Dell Mobile Broadband\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBestCR]
2010-08-31 05:09   7041024   ----a-w-   c:\program files\cardicon\iconcs1494998843.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-28 03:33   125168   ----a-w-   c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZumoDrive]
2010-08-24 00:39   1640   ----a-w-   c:\program files\Zecter\ZumoDrive\ZumoLauncher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{FA0F0A01-4631-4161-A6C2-948BF694382E}\\setup\\hpznui01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Zecter\\ZumoDrive\\zumodrive.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/6/2010 2:04 PM 218592]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [8/23/2010 5:39 PM 148424]
R1 NvtSp50;Novatel Wireless NDIS 5 Single-Packet Read Protocol Driver;c:\windows\system32\drivers\NvtSp50.sys [6/10/2008 1:32 PM 22016]
R2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [6/16/2010 3:29 PM 7131392]
R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [6/24/2010 4:04 PM 247088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/11/2010 11:54 AM 102448]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [11/2/2007 3:41 PM 166144]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [11/2/2007 3:41 PM 166144]
S0 cerc6;cerc6;

S2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [8/30/2010 10:08 PM 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/2/2010 2:40 PM 136176]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [3/6/2010 11:13 PM 17149]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [5/27/2008 2:52 AM 51072]
S3 NWDellPort2;Dell Wireless Mobile Broadband Status2 Port Driver;c:\windows\system32\drivers\nwdelser2.sys [11/2/2007 3:41 PM 166144]
S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [9/3/2010 5:39 PM 19384]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/6/2010 2:03 PM 366840]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
HPService   REG_MULTI_SZ      HPSLPSVC
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-09-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-09-06 21:01]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-02 23:16]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-02 23:16]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-2025429265-725345543-9177Core.job
- c:\documents and settings\EHolliday\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 23:16]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-2025429265-725345543-9177UA.job
- c:\documents and settings\EHolliday\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 23:16]

2010-09-06 c:\windows\Tasks\Norton Security Scan for eholliday.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-12 08:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.medeanalytics.com/
uInternet Settings,ProxyOverride = *.local
IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll
DPF: {1943FDF7-2330-4EEC-B7E3-74D9C7864ECE} - hxxps://conference.medeanalytics.com/buddies/eDialCollabViewer.cab
DPF: {2C4B89FF-685C-471A-BFF1-AEFAEAE15D33} - hxxps://conference.medeanalytics.com/buddies/edial.cab
DPF: {BFCF3234-E815-4966-8C1A-9B606110378B} - hxxps://conference.medeanalytics.com/buddies/eDialCollab.cab
FF - ProfilePath - c:\documents and settings\EHolliday\Application Data\Mozilla\Firefox\Profiles\t52p9eyt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\EHolliday\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\EHolliday\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\EHolliday\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{02D9E8F4-3138-4355-BF36-087854324055} - c:\windows\system32\dpvacm32.dll
BHO-{3BE12953-7517-427A-D509-9A8E2A98788E} - c:\windows\system32\dmstyle32.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 12:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-09-07  12:29:00
ComboFix-quarantined-files.txt  2010-09-07 19:28

Pre-Run: 103,482,318,848 bytes free
Post-Run: 103,591,104,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 02AA86713079EB0315E5E5F287D2F61D


Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • 313
Re: Redirected Searches, Advertising Pop-Ups
« Reply #3 on: September 07, 2010, 03:26:57 PM »
Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
ipconfig /flushdns /c
c:\documents and settings\EHolliday\*.tmp
c:\windows\system32\*.tmp
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




  • Run an online virus scan called Kaspersky from HERE.
    1. At the main page, press on "Accept" after reading the contents.
    2. At the next window select Update. Allow the Database to update.
       Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
    3. Once the Database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
    4. Select Scan Report.
    5. If any threats were found they will appear in the report.
    6. Select "Save error report as". Then in the file name just type in kaspersky. Under "save as type" select text .txt. Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.


~Scratch~
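The [resethosts] and ipconfig /flushdns lines in the OTM script above reset the two local places a search redirect can be pinned: the hosts file and the DNS resolver cache. As an added example that is not part of the thread or of OTM, here is a read-only PowerShell check that lists every hosts-file mapping other than the stock localhost lines, and the names currently sitting in the resolver cache. It assumes Windows with PowerShell 2.0 or later and the standard hosts-file location; the function names are this example's own.

```powershell
# Added example, not from the thread or from OTM: a read-only look at the two
# things OTM's [resethosts] and "ipconfig /flushdns" reset. Assumes Windows
# with PowerShell 2.0 or later; the hosts path is the standard one.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-NonDefaultHostsEntries {
    # Returns every name-to-address mapping in the hosts file except the stock
    # loopback lines. Comment and blank lines are ignored.
    param([string]$Path = $HostsPath)
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()      # strip trailing comment
        if ($line -eq '') { return }                 # skip blank/comment-only
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }          # malformed line, ignore
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $isLoopback = ($address -eq '127.0.0.1' -or $address -eq '::1')
            if ($isLoopback -and $name -eq 'localhost') { continue }
            New-Object PSObject -Property @{ Address = $address; Hostname = $name }
        }
    }
}

function Get-DnsCacheNames {
    # Names currently in the resolver cache, parsed from "ipconfig /displaydns"
    # (the cache that "ipconfig /flushdns" in the OTM script clears).
    ipconfig /displaydns | ForEach-Object {
        if ($_ -match '^\s*Record Name\s*[.\s]*:\s*(\S+)') { $matches[1] }
    } | Sort-Object -Unique
}

# Audit only: nothing is modified. Any hosts entry you did not add yourself,
# especially one mapping a search engine or update site to a non-loopback
# address, is worth a closer look.
Get-NonDefaultHostsEntries | Format-Table Address, Hostname -AutoSize
Get-DnsCacheNames
```

On a stock Windows XP hosts file the first table comes back empty; entries that appear are exactly what OTM's [resethosts] would discard. The cache listing is only a snapshot of what has been resolved recently, so it is useful for spotting a name that resolved to an unexpected address, not as proof of absence.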


Offline eblaine

  • Bronze Member
  • 5
Re: Redirected Searches, Advertising Pop-Ups
« Reply #4 on: September 07, 2010, 04:30:58 PM »
OTM:
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\EHolliday\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\EHolliday\Desktop\cmd.txt deleted successfully.
File/Folder c:\documents and settings\EHolliday\*.tmp not found.
File/Folder c:\windows\system32\*.tmp not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: EHolliday
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1199629 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 246255 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb

Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

OTM by OldTimer - Version 3.1.15.0 log created on 09072010_144119

Files moved on Reboot...
C:\Documents and Settings\EHolliday\Local Settings\Temporary Internet Files\Content.IE5\S9FWOJDG\index[2].htm moved successfully.
C:\Documents and Settings\EHolliday\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4564

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/7/2010 2:53:38 PM
mbam-log-2010-09-07 (14-53-38).txt

Scan type: Quick scan
Objects scanned: 142998
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\HPZinw1232.dll (Trojan.Tracur) -> Quarantined and deleted successfully.


Offline eblaine

  • Bronze Member
  • 5
Re: Redirected Searches, Advertising Pop-Ups
« Reply #5 on: September 07, 2010, 06:29:26 PM »
Rorschach112: No threats found in the Kaspersky scan. Do I need to do anything else? Thx


Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • 313
Re: Redirected Searches, Advertising Pop-Ups
« Reply #6 on: September 08, 2010, 06:53:13 AM »
Your logs are clean


Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall Combofix for you automatically.


  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program.
    If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at http://windowsupdate.microsoft.com/. This will ensure your computer always has the latest security updates installed.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
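The Internet Explorer hardening steps in the reply above change three Internet-zone ActiveX settings through the Inetcpl.cpl dialog. As an added example that is not part of the thread, here is a PowerShell audit of those same settings, reading the per-user zone registry key the dialog writes to. It assumes Windows with PowerShell 2.0 or later; the setting IDs 1001, 1004 and 1201 and the 0/1/3 level values are Internet Explorer's documented zone-setting identifiers, which the post itself does not name, and the function names are this example's own.

```powershell
# Added example, not from the thread: audit (and optionally apply) the three
# Internet-zone ActiveX settings the reply recommends, using the per-user
# registry values that the Inetcpl.cpl Custom level dialog writes.
# Assumes Windows with PowerShell 2.0 or later. The URL-action IDs below are
# Internet Explorer's documented zone-setting identifiers; the post only
# names the settings, not the IDs.

# Zone 3 = Internet zone. If the machine-wide Security_HKLM_only policy is
# set, IE reads the HKLM copy of this key instead; this script reads HKCU.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value data for these settings: 0 = Enable, 1 = Prompt, 3 = Disable.
$LevelName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Setting ID, display name, and the level the reply recommends.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

function Get-InternetZoneActiveXStatus {
    # Returns one object per setting with its current and recommended level.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($s in $Recommended) {
        $current = $props.($s.Id)
        if ($current -eq $null) {
            $currentText = '(not set)'            # zone default applies
        } else {
            $currentText = $LevelName[[int]$current]
            if (-not $currentText) { $currentText = "unknown ($current)" }
        }
        New-Object PSObject -Property @{
            Id          = $s.Id
            Setting     = $s.Name
            Current     = $currentText
            Recommended = $LevelName[$s.Want]
            Compliant   = ($current -ne $null -and [int]$current -eq $s.Want)
        }
    }
}

function Set-InternetZoneActiveXRecommended {
    # Writes the recommended levels: the same values the dialog edits produce.
    foreach ($s in $Recommended) {
        Set-ItemProperty -Path $ZoneKey -Name $s.Id -Value $s.Want -Type DWord
    }
}

# Audit only by default; call Set-InternetZoneActiveXRecommended to apply.
Get-InternetZoneActiveXStatus | Format-Table Id, Setting, Current, Recommended, Compliant -AutoSize
```

Run it as the affected user: the table shows Compliant = False for any of the three that still sits at Enable, which is the state that lets a drive-by page install a toolbar-style BHO without asking. The zone key is per-user, so each account on the machine needs its own check, and when Security_HKLM_only is set the HKCU values shown here are not the ones in force.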


Offline eblaine

  • Bronze Member
  • 5
Re: Redirected Searches, Advertising Pop-Ups
« Reply #7 on: September 08, 2010, 09:44:26 AM »
Thanks very much Rorschach112!