Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirection browser hijack


  • This topic is locked This topic is locked
2 replies to this topic

#1 Eric Solan

Eric Solan

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:27 PM

Posted 20 May 2011 - 07:57 AM

Been fighting with a redirection hijack for a month now. It affects both Firefox and IE, whenever I go to Google and aclick a result I get redirected to paid ads instead. Also, as I'm using my computer, with or without a browser open, I constantly get popup windows about javascript errors on pages that are apparently running in the background. More notably I get a lot from mevio.com.

I've already run adaware and AVG. Hijack This and SilentRunners logs below:


Hijack This:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:10:02 AM, on 5/20/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Program Files\TechSmith\Snagit 9\Snagit32.exe
C:\Program Files\TechSmith\Snagit 9\TSCHelp.exe
C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\TechSmith\Snagit 9\snagiteditor.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\esolan\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - Global Startup: Snagit 9.lnk = C:\Program Files\TechSmith\Snagit 9\Snagit32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hudsonhorizons.com
O17 - HKLM\Software\..\Telephony: DomainName = hudsonhorizons.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{38D83523-3B94-4E58-991F-A6A7D29A77A2}: NameServer = 192.168.0.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hudsonhorizons.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{38D83523-3B94-4E58-991F-A6A7D29A77A2}: NameServer = 192.168.0.34
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hudsonhorizons.com
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - Winlogon Notify: spba - C:\Program Files\Common Files\SPBA\homefus2.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NTRU TSS v1.2.1.34 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

--
End of file - 4837 bytes

------------------------------------------------------------------------------------------------------------------------------------------------------------


Silent Runners log:

"Silent Runners.vbs", revision 63, http://www.silentrunners.org/
Operating System: Windows 7
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\Windows\system32\hkcmd.exe" ["Intel Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

EnabledUnlockedFDEIconOverlay\(Default) = "{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
-> {HKLM...CLSID} = "FdeInitIcon Class"
\InProcServer32\(Default) = "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll" ["Wave Systems Corp."]

Groove Explorer Icon Overlay 1 (GFS Unread Stub)\(Default) = "{99FD978C-D287-4F50-827F-B2C658EDA8E7}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 2 (GFS Stub)\(Default) = "{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)\(Default) = "{920E6DB1-9907-4370-B3A0-BAFC03D81399}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 3 (GFS Folder)\(Default) = "{16F3DD56-1AF5-4347-846D-7C10C4192619}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 4 (GFS Unread Mark)\(Default) = "{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

UninitializedFdeIconOverlay\(Default) = "{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
-> {HKLM...CLSID} = "FdeUninitIcon Class"
\InProcServer32\(Default) = "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll" ["Wave Systems Corp."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{00F33137-EE26-412F-8D71-F84E4C2C6625}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Photo Gallery Viewer Autoplay Shim"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll" [MS]

"{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}" = "Windows Live Photo Gallery Viewer Drop Target Shim"
-> {HKLM...CLSID} = "Windows Live Photo Gallery Viewer Shim"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll" [MS]

"{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}" = "Windows Live Photo Gallery Editor Drop Target Shim"
-> {HKLM...CLSID} = "Windows Live Photo Gallery Editor Shim"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll" [MS]

"{00F30F90-3E96-453B-AFCD-D71989ECC2C7}" = "Windows Live Photo Gallery Autoplay Drop Target Shim"
-> {HKLM...CLSID} = "Windows Live Photo Gallery Viewer Autoplay Shim"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll" [MS]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "Snagit"
-> {HKLM...CLSID} = "Snagit"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll" ["TechSmith Corporation"]

"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\Snagit 9\SnagitShellExt.dll" ["TechSmith Corporation"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG Shell Extension"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG10\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"wvauth"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> ("livessp" [MS]) "Security Packages" = "kerberos"|"msv1_0"|"schannel"|"wdigest"|"tspkg"|"pku2u"|"livessp"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]|"C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync" ["AVG Technologies CZ, s.r.o."]|"C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\

{AE583D93-8D1B-424F-9858-5623FB7824EE}\(Default) = "UPEK Fingerprint Credential Provider Filter"
-> {HKLM...CLSID} = "Provider Filter Object"
\InProcServer32\(Default) = "C:\Program Files\Common Files\SPBA\provider.dll" ["UPEK Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\

{18CBEEAA-6708-41A1-9379-D08915333CF2}\(Default) = "UPEK Fingerprint Credential Provider"
-> {HKLM...CLSID} = "Provider Object"
\InProcServer32\(Default) = "C:\Program Files\Common Files\SPBA\provider.dll" ["UPEK Inc."]

{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\(Default) = "WLIDCredentialProvider"
-> {HKLM...CLSID} = "WLIDCredentialProvider"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> avgsecuritytoolbar\CLSID = "{F2DDE6B2-9684-4A55-86D4-E255E237B77C}"
-> {HKLM...CLSID} = "avgsecuritytoolbar"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll" [null data]

<<!>> grooveLocalGWS\CLSID = "{88FED34C-F0CA-4636-A375-3CB6248B04CD}"
-> {HKLM...CLSID} = "Local Groove Web Services Protocol"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll" [MS]

<<!>> linkscanner\CLSID = "{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}"
-> {HKLM...CLSID} = "XPLPPFilter Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG10\avgpp.dll" ["AVG Technologies CZ, s.r.o."]

<<!>> livecall\CLSID = "{828030A1-22C1-4009-854F-8E305202313F}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\msgrapp.dll" [MS]

<<!>> ms-help\CLSID = "{314111c7-a502-11d2-bbca-00c04f8ec294}"
-> {HKLM...CLSID} = "HxProtocol Class"
\InProcServer32\(Default) = "c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll" [MS]

<<!>> msnim\CLSID = "{828030A1-22C1-4009-854F-8E305202313F}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\msgrapp.dll" [MS]

<<!>> wlmailhtml\CLSID = "{03C514A3-1EFB-4856-9F99-10D7BE1653C0}"
-> {HKLM...CLSID} = "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Mail\mailcomm.dll" [MS]

<<!>> wlpg\CLSID = "{E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324}"
-> {HKLM...CLSID} = "Album Download IE Asynchronous Pluggable Protocol Interface"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG10\avgse.dll" ["AVG Technologies CZ, s.r.o."]

LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
-> {HKLM...CLSID} = "Lavasoft Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" ["Lavasoft Limited"]

SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\Snagit 9\SnagitShellExt.dll" ["TechSmith Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\Snagit 9\SnagitShellExt.dll" ["TechSmith Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

igfxcui\(Default) = "{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"
-> {HKLM...CLSID} = "GraphicsShellExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\igfxpph.dll" ["Intel Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG10\avgse.dll" ["AVG Technologies CZ, s.r.o."]

LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
-> {HKLM...CLSID} = "Lavasoft Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" ["Lavasoft Limited"]

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoBandCustomize" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbars}

"NoToolbarCustomize" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbar buttons}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoBandCustomize" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoToolbarCustomize" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"GeneralTab" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the General page}

"HomePage" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing home page settings}

"Cache" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Colors" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"links" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Accessibility" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Security page}

"ContentTab" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Content page}

"Ratings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Certificates" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"FormSuggest Passwords" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ConnectionsTab" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Connections page}

"Connection Settings" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing connection settings}

"Connwiz Admin Lock" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Proxy" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing proxy settings}

"ProgramsTab" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Programs page}

"Messaging" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ResetWebSettings" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable the Reset Web Settings feature}

"Check_If_Default" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"AdvancedTab" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Advanced page}

"Advanced" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing Advanced page settings}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\

"GeneralTab" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the General page}

"HomePage" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing home page settings}

"Cache" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Colors" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"links" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Accessibility" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Security page}

"ContentTab" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Content page}

"Ratings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Certificates" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"FormSuggest Passwords" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ConnectionsTab" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Connections page}

"Connection Settings" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing connection settings}

"Connwiz Admin Lock" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Proxy" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing proxy settings}

"ProgramsTab" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Programs page}

"Messaging" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ResetWebSettings" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable the Reset Web Settings feature}

"Check_If_Default" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"AdvancedTab" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Advanced page}

"Advanced" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing Advanced page settings}

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoJITSetup" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoJITSetup" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserSaveAs" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFileNew" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoBrowserClose" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFileOpen" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoViewSource" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFavorites" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoAddingChannels" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoBrowserOptions" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Browser Menus|
Tools menu: Disable Internet Options... menu option}

"NoBrowserContextMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoOpeninNewWnd" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserSaveAs" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFileNew" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoBrowserClose" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFileOpen" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoViewSource" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFavorites" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoAddingChannels" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoBrowserOptions" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Browser Menus|
Tools menu: Disable Internet Options... menu option}

"NoBrowserContextMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoOpeninNewWnd" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\esolan\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

MSLivePhotoAcqHWEventHandler\
"Provider" = "@%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10"
"ProgID" = "Microsoft.LivePhotoAcqHWEventHandler"
HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqHWEventHandler\CLSID\(Default) = "{3BD0ACD1-71CA-4475-92CC-E0AA0AAF843F}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe" [MS]

MSLivePhotoAcquireDropHandler\
"Provider" = "@%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10"
"InvokeProgID" = "Microsoft.LivePhotoAcqDTShim.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqDTShim.1\shell\open\DropTarget\CLSID = "{00F33137-EE26-412F-8D71-F84E4C2C6625}"
-> {HKLM...CLSID} = "Windows Live Photo Gallery Viewer Autoplay Shim"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll" [MS]

MSLiveShowPicturesOnArrival\
"Provider" = "@%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10"
"InvokeProgID" = "Microsoft.Photos.LiveAutoplayShim.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Microsoft.Photos.LiveAutoplayShim.1\shell\open\DropTarget\CLSID = "{00F30F90-3E96-453B-AFCD-D71989ECC2C7}"
-> {HKLM...CLSID} = "Windows Live Photo Gallery Viewer Autoplay Shim"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll" [MS]

MSLiveVideoCameraArrivalCaptureWizard\
"Provider" = "@%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10"
"ProgID" = "WLXAutoPlayMgr.WLXHWEventHandler"
"InitCmdLine" = "WLXVideoAcquireWizard"
HKLM\SOFTWARE\Classes\WLXAutoPlayMgr.WLXHWEventHandler\CLSID\(Default) = "{9B5C97F6-B3A5-4A6D-8B03-993EC7291A22}"
-> {HKLM...CLSID} = "WLXWEventHandler Class"
\LocalServer32\(Default) = ""C:\Program Files\Windows Live\Photo Gallery\WLXVideoCameraAutoPlayManager.exe"" [MS]

PDVD9PlayDVDMovieOnArrival\
"Provider" = "PowerDVD 9.5"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD9"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD9\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD9\PowerDVD Cinema\PowerDVDCinema.exe" "%L"" ["CyberLink Corp."]

PDVD9PlaySVCDOnArrival\
"Provider" = "PowerDVD 9.5"
"InvokeProgID" = "SVCD"
"InvokeVerb" = "PlayWithPowerDVD9"
HKLM\SOFTWARE\Classes\SVCD\shell\PlayWithPowerDVD9\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD9\PowerDVD Cinema\PowerDVDCinema.exe" "%L"" ["CyberLink Corp."]

PDVD9PlayVCDMovieOnArrival\
"Provider" = "PowerDVD 9.5"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPowerDVD9"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD9\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD9\PowerDVD Cinema\PowerDVDCinema.exe" "%L"" ["CyberLink Corp."]


Startup items in "esolan" & "All Users" startup folders:
--------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Snagit 9" -> shortcut to: "C:\Program Files\TechSmith\Snagit 9\Snagit32.exe" ["TechSmith Corporation"]


Windows Sidebar Gadgets:
------------------------

C:\Users\esolan\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
"C:%5CProgram%20Files%5CWindows%20Sidebar%5CShared%20Gadgets%5CAVG.Gadget%5C"


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"Ad-Aware Update (Weekly)" -> launches: "C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe update all silent repair" ["Lavasoft Limited "]
"JavaUpdateSched" -> launches: "%CommonProgramFiles%\Java\Java Update\jusched.exe" ["Sun Microsystems, Inc."]
"SidebarExecute" -> launches: "C:\Program Files\Windows Sidebar\sidebar.exe /addGadget" [MS]
"{4E3279E1-6344-4551-B177-CF2226C2A1FE}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe" -c /Get1" [MS]
"{EC49EA6C-F2B0-4A21-AEBC-CC47FFA41D01}" -> launches: "C:\Windows\system32\pcalua.exe -a C:\Users\esolan\Desktop\HijackThis.exe -d "C:\Program Files\Mozilla Firefox"" [MS]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
"AitAgent" -> launches: "aitagent" [MS]
"ProgramDataUpdater" -> launches: "%windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
"Proxy" -> launches: "%windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"KernelCeipTask" -> (HIDDEN!) launches: "{e7ed314f-2816-4c26-aeb5-54a34d02404c}"
-> {HKLM...CLSID} = "KernelCeipCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\kernelceip.dll" [MS]
"UsbCeip" -> (HIDDEN!) launches: "{c27f6b1d-fe0b-45e4-9257-38799fa69bc8}"
-> {HKLM...CLSID} = "UsbCeip"
\InProcServer32\(Default) = "C:\Windows\System32\usbceip.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
"Scheduled" -> (HIDDEN!) launches: "{c1f85ef8-bcc2-4606-bb39-70c523715eb3}"
-> {HKLM...CLSID} = "ScheduledDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\sdiagschd.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Location
"Notifications" -> launches: "%windir%\System32\LocationNotifications.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
"WinSAT" -> launches: "{A9A33436-678B-4C9C-A211-7CC38785E79D}"
-> {HKLM...CLSID} = "WinSAT Task Manger Task"
\InProcServer32\(Default) = "C:\Windows\system32\WinSATAPI.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ActivateWindowsSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch" [MS]
"ConfigureInternetTimeService" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService" [MS]
"DispatchRecoveryTasks" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)" [MS]
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"InstallPlayReady" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0)" [MS]
"MediaCenterRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask" [MS]
"ObjectStoreRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)" [MS]
"PBDADiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery" [MS]
"PBDADiscoveryW1" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery" [MS]
"PBDADiscoveryW2" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery" [MS]
"PvrRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask" [MS]
"PvrScheduleTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrSchedule" [MS]
"RegisterSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)" [MS]
"ReindexSearchRoot" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot" [MS]
"SqlLiteRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
"CorruptionDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
-> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
"DecompressionFailureDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
-> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
"GatherNetworkInfo" -> launches: "%windir%\system32\gatherNetworkInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
"AnalyzeSystem" -> launches: "%SystemRoot%\System32\powercfg.exe -energy -auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RacTask" -> (HIDDEN!) launches: "{42060D27-CA53-41f5-96E4-B1E8169308A6}"
-> {HKLM...CLSID} = "ReliabilityAnalysisCustomHandler"
\InProcServer32\(Default) = "C:\Windows\system32\RacEngn.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Ras
"MobilityManager" -> launches: "{c463a0fc-794f-4fdf-9201-01938ceacafa}"
-> {HKLM...CLSID} = "RasMobilityManager"
\InProcServer32\(Default) = "C:\Windows\system32\rasmbmgr.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Registry
"RegIdleBackup" -> (HIDDEN!) launches: "{ca767aa8-9157-4604-b64b-40747123d5f2}"
-> {HKLM...CLSID} = "RegistryIdleBackupHandler"
\InProcServer32\(Default) = "C:\Windows\System32\regidle.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
"Interactive" -> (HIDDEN!) launches: "{855fec53-d2e4-4999-9e87-3414e9cf0ff4}"
-> {HKLM...CLSID} = "RunTask"
\InProcServer32\(Default) = "C:\Windows\system32\wdc.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
"SynchronizeTime" -> launches: "%windir%\system32\sc.exe start w32time task_started" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Activation Technologies
"ValidationTask" -> (HIDDEN!) launches: "%SystemRoot%\system32\Wat\WatAdminSvc.exe /run" [MS]
"ValidationTaskDeadline" -> (HIDDEN!) launches: "%SystemRoot%\system32\schtasks.exe /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask"" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
"BfeOnServiceStartTypeChange" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
"UpdateLibrary" -> launches: ""%ProgramFiles%\Windows Media Player\wmpnscfg.exe"" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
"ConfigNotification" -> launches: "%systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows Live\SOXE
"Extractor Definitions Update Task" -> launches: "{3519154C-227E-47F3-9CC9-12C3F05817F1}"
-> {HKLM...CLSID} = "Windows Live Social Object Extractor Engine Definition Updater"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\SOXE\wlsoxe.dll" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000007\LibraryPath = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL" [MS]
000000000008\LibraryPath = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL" [MS]
000000000009\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
-> {HKLM...CLSID} = "Snagit"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll" ["TechSmith Corporation"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Developer Tools"
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\iedvtool.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
AVG WatchDog, avgwd, ""C:\Program Files\AVG\AVG10\avgwdsvc.exe"" ["AVG Technologies CZ, s.r.o."]
AVGIDSAgent, AVGIDSAgent, ""C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe"" ["AVG Technologies CZ, s.r.o."]
Lavasoft Ad-Aware Service, Lavasoft Ad-Aware Service, ""C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"" ["Lavasoft Limited"]
Windows Live ID Sign-in Assistant, wlidsvc, ""C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"" [MS]


Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> Lavasoft Ad-Aware Service, "Service"

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> hitmanpro35, (null value)
<<!>> hitmanpro35.sys, (null value)
<<!>> Lavasoft Ad-Aware Service, "Service"


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2011-05-20 08:58:01)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 51 seconds, including 13 seconds for message boxes)

BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:27 AM

Posted 21 May 2011 - 09:44 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until Iíve given you the ďAll clear.Ē Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Posted Image Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Posted Image Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    Posted Image
    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


If you have trouble running GEMR:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:27 AM

Posted 28 May 2011 - 10:14 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users