Redirect issues & DDS can't be downloaded

jpatrick

New member
Hello Spybot forums,

I've been infected with a redirect virus/malware which sends me to newsfudge.com & other sites when I use Google or Yahoo and try to open a link in the results screen. It started yesterday, July 6th. I've run Avast & Spybot & they have found no problems. Also cleared the cache.... if that's worth anything.

I've tried to download DDS, but I can't seem to get the program. What was downloaded at the DDS link was: "DDS.SCR". When I right clicked on the file to check its properties, under the 'General' tab, it stated that the file type was a 'screen saver (.scr)'.... the description line had: 'DDS. Doesn't Do Squat'. What the heck? I didn't open it. I've read that certain malware/viruses can block the download of DDS....is this what is happening?

I have the Erunt file already.

Any thoughts and/or help is appreciated.

jpatrick

PS I posted last year, but I have a new computer: Windows 7, IE 9, version 9.08112.16421.

Hello again SpyBot forums,

Below is the DDS info. Apparently, the .scr extension is normal....right?

Attached is the required 'attach' file.

Erunt program ran, registry backed up.

Thanks again for any help.

Jpatrick



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by Admin at 14:33:38 on 2012-07-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3838.2368 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
C:\Program Files (x86)\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://www.weather.com/weather/tenday/Bennington+VT+05201
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: FlashCatchBHO Class: {88618a96-6d8a-42e7-b932-9073d5b2080f} - C:\Program Files (x86)\FlashCatch\flashcatch.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll
TB: FlashCatch: {10cecf4f-a96e-4803-8ac2-f565fb29ff47} - C:\Program Files (x86)\FlashCatch\flashcatch.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Temp] rundll32.exe "C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll",CreateInstance
mRun: [DMXLauncher] "C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe"
mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
mRun: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [<NO NAME>]
StartupFolder: C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WIRELE~1.LNK - C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanCU.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
Trusted Zone: microsoft.com\oas.support
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{27A76691-41C0-4E44-995C-D5AC9A99A256} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{96B9080E-81CC-4304-A255-8ED57B92B0A3} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Roxio\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64: AVG Do Not Track - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: FlashCatchBHO Class: {88618A96-6D8A-42E7-B932-9073D5B2080F} - C:\Program Files (x86)\FlashCatch\flashcatch.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll
TB-X64: FlashCatch: {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - C:\Program Files (x86)\FlashCatch\flashcatch.dll
TB-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [DMXLauncher] "C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe"
mRun-x64: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
mRun-x64: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [(Default)]
Hosts: 127.0.0.1 www.spywareinfo.com <http://www.spywareinfo.com>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\auc4ujdm.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Plugins\npqtplugin5.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-3-20 1153368]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n64.sys --> C:\Windows\system32\DRIVERS\RTL85n64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-13 136176]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-9-9 309744]
S2 SessionLauncher;SessionLauncher;C:\Users\Admin\AppData\Local\Temp\DX9\SessionLauncher.exe --> C:\Users\Admin\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-13 136176]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-9-9 1120752]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-07-02 15:18:30 -------- d-----w- C:\Program Files (x86)\YouTube Downloader Toolbar
.
==================== Find3M ====================
.
2012-04-19 08:50:26 28480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2012-01-21 02:52:27 258560 ----a-w- C:\Program Files\UnitConverter.exe
2001-06-20 21:34:42 127488 ----a-w- C:\Program Files\QuickTimeUpdater.exe
2001-06-20 21:34:38 303616 ----a-w- C:\Program Files\PictureViewer.exe
2001-06-20 21:34:38 225792 ----a-w- C:\Program Files\QTInfo.exe
2001-06-20 21:34:38 1043968 ----a-w- C:\Program Files\QuickTimePlayer.exe
.
============= FINISH: 14:34:01.64 ===============
 
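The helper's first read of a DDS log is the "Pseudo HJT Report" block: which Run entries launch what, and from where. The following Python script is an added example, not code from the thread or from DDS, that applies those checks mechanically. It flags a Run value that makes rundll32.exe load a DLL from a user-writable directory (the entry `uRun: [Temp] rundll32.exe "...\VirtualStore\Temp\ggqkf.dll",CreateInstance` above is exactly that pattern), Run values with no name or no command, and add-on entries whose DLL is missing or lives outside Program Files. The list of user-writable directories and the severity labels are assumptions for the example; the sample lines are copied from the log above, with nothing added.

```python
"""Triage of DDS "Pseudo HJT Report" autorun lines.

Added example, not part of the original thread and not DDS code.
"""
import re

# Constructed sample: lines copied from the DDS report in the thread.
SAMPLE_LOG = r"""
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Temp] rundll32.exe "C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll",CreateInstance
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [<NO NAME>]
BHO: FlashCatchBHO Class: {88618a96-6d8a-42e7-b932-9073d5b2080f} - C:\Program Files (x86)\FlashCatch\flashcatch.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
"""

# Assumption for the example: directories a standard user can write to.
# A startup DLL living in one of these is the classic dropper pattern.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\virtualstore\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)

# uRun/mRun (and -x64 variants): "[name] command"
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32.exe "path\to\file.dll",Export  (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.I)
# BHO/TB/uURLSearchHooks entries that carry a CLSID and a target path
ADDON_RE = re.compile(
    r"^(?P<kind>BHO|TB|uURLSearchHooks)(?:-X64)?:.*?\{(?P<clsid>[0-9a-f-]{36})\}\s*-\s*(?P<target>.*)$",
    re.I,
)


def in_user_writable(path: str) -> bool:
    """True if the path sits under a directory a non-admin user can write to."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def triage_dds(log: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for every suspicious autorun line."""
    findings: list[tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.group("name"), run.group("cmd").strip()
            if name in ("", "<NO NAME>", "(Default)") or not cmd:
                # Empty Run values are usually leftovers, but worth a look.
                findings.append(("low", f"empty or unnamed Run value: {line}"))
                continue
            dll = RUNDLL_RE.search(cmd)
            if dll and in_user_writable(dll.group("dll")):
                findings.append(("high", f"rundll32 loads DLL from user-writable path: {dll.group('dll')}"))
            elif in_user_writable(cmd):
                findings.append(("medium", f"Run entry executes from user-writable path: {cmd}"))
            continue
        addon = ADDON_RE.match(line)
        if addon:
            target = addon.group("target").strip()
            if target.lower() == "no file":
                findings.append(("info", f"orphaned {addon.group('kind')} entry {{{addon.group('clsid')}}}: DLL not on disk"))
            elif in_user_writable(target):
                findings.append(("high", f"{addon.group('kind')} loaded from user-writable path: {target}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_dds(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the sample, the script reports one high finding (the ggqkf.dll entry), one low finding (the nameless mRun value) and one informational orphaned toolbar entry; the Spybot, AVG, FlashCatch and YouTube Downloader lines are not flagged because their files sit under Program Files, which is why the helper had to judge those two toolbars by reputation rather than by location.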
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.
 
Hello jpatrick :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Forum Rules.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Does the redirect occur with all browsers or certain ones only? What other symptoms do you experience?

--------------------

Please download aswMBR and save it to your desktop. Click here.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
--------------------

Scan with RogueKiller
  • Please download RogueKiller© by Tigzy and save it to your desktop. Click here.
  • Allow the download if prompted by your security software and please close all your programs.
  • Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
  • Wait for PreScan to finish, then click on Scan.
  • Once completed, a log called RKreport[1].txt will be created on the desktop. It can also be accessed via the Report button.
  • Please copy and paste the contents of that log in your next reply.
--------------------

Please post back:
1. answers to my questions for more information
2. aswMBR result
3. RogueKiller log
 
Requested log, result & answer

Hello Jack&Jill,

Thank you for responding!

I've attached what you've asked for. FYI: Downloading the Avast virus definitions & the scan took longer than the 15 minutes that the AVG protections were supposed to be off, so I added another 15 minutes DURING the aswMBR scan. I don't know if this will affect the results.

As to your questions, I only use IE9 so it's only with that web browser that I'm experiencing the problem, but I do have Firefox installed.

The redirect is the primary problem, which I experience with Yahoo search results (Google results as well). When I right click on a link to open it in a new tab, the redirect opens a new window; there is a brief page that then shoots me off to different pages, newsfudge.com, for instance.

What I have done the last few days is clear the cache (cookies, temp files & history) and use IE9 without searching on Yahoo or Google, and there are no symptoms. However, if I do a search on Yahoo and the redirect occurs, I've noticed that my browser is slower & I have problems with various websites. An example would be the Vermont Public TV website yesterday, when I got this error message from IE9: "Internet Explorer has closed this webpage to protect your computer. A malfunctioning or malicious add-on has caused Internet Explorer to close this page." I used Ctrl/Print Screen to get an image of the error message. If you would like to have that, I can attach it next time.

Other than the above, I have avoided doing much with the computer for the past 5 days as I haven't wanted to potentially deepen the problem. As a result, I haven't been able to notice any other symptoms.

I do need to note that when this redirect occurred the first time on 7/6, I cleared the cache, as stated above, and ran CCleaner, v3.14/1616(64bit). That included the cleaner & the registry tool as well. Doing this clearly didn't help with the redirect issues. CCleaner lets you save a copy of the registry before you change it & I have that copy if you need that. Let me know.

I think that's all for now. Again, thank you for responding.... I was beginning to despair.

Jpatrick


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-13 03:37:40
-----------------------------
03:37:40.125 OS Version: Windows x64 6.1.7601 Service Pack 1
03:37:40.125 Number of processors: 3 586 0x503
03:37:40.125 ComputerName: ADMIN-PC UserName: Admin
03:37:40.985 Initialize success
03:48:36.445 AVAST engine defs: 12071201
03:48:43.115 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005b
03:48:43.115 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
03:48:43.145 Disk 0 MBR read successfully
03:48:43.145 Disk 0 MBR scan
03:48:43.155 Disk 0 Windows 7 default MBR code
03:48:43.165 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
03:48:43.175 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
03:48:43.205 Disk 0 scanning C:\Windows\system32\drivers
03:48:51.495 Service scanning
03:49:08.475 Modules scanning
03:49:08.495 Disk 0 trace - called modules:
03:49:08.515 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
03:49:08.525 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049073d0]
03:49:08.525 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800396a9e0]
03:49:08.535 5 ACPI.sys[fffff88000f1d7a1] -> nt!IofCallDriver -> \Device\0000005b[0xfffffa80044b3060]
03:49:10.505 AVAST engine scan C:\Windows
03:49:12.655 AVAST engine scan C:\Windows\system32
03:51:59.661 AVAST engine scan C:\Windows\system32\drivers
03:52:21.367 AVAST engine scan C:\Users\Admin
03:57:47.827 AVAST engine scan C:\ProgramData
03:58:29.417 Scan finished successfully
03:58:57.427 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\MBR.dat"
03:58:57.427 The log file has been saved successfully to "C:\Users\Admin\Desktop\aswMBR log 07132012.txt"


RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Admin [Admin rights]
Mode: Scan -- Date: 07/13/2012 04:03:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : Temp (rundll32.exe "C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll",CreateInstance) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-4245015985-2778896149-1756623667-1000[...]\Run : Temp (rundll32.exe "C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll",CreateInstance) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00AADS-00S9B SCSI Disk Device +++++
--- User ---
[MBR] 332b7a39b16aca7656fea55c2c2b9b19
[BSP] f9bcb8bee9782548fbff0e5de19b16f5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
 
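Two things in the RogueKiller report above need interpretation before anything is deleted: the `[BLACKLIST DLL]` Run entry is the same rundll32/ggqkf.dll autorun DDS showed, while the two `[HJ] HKLM\[...]\NewStartPanel` values are Explorer's desktop icon visibility switches (the `{59031a47-...}` CLSID is the user's files folder, `{20D04FE0-...}` is Computer; a value of 1 hides the icon), which rogue software sometimes flips but which here are simply a preference. The hosts section is long only because Spybot's immunization writes blocking entries that point to 127.0.0.1. The Python below is an added example, not code from the thread or from RogueKiller, that parses such a report into a removal plan using those rules: blacklisted DLL entries are marked for deletion, known desktop icon CLSIDs are kept, and only hosts entries that point a name at a real address (a redirect, not a sinkhole) are reported. The sample is trimmed from the posted report plus one made-up `203.0.113.7 update.example.invalid` line so the hosts check has something to catch; the CLSID-to-icon mapping covers the standard Windows desktop icons.

```python
"""Turn a RogueKiller scan report into a removal plan.

Added example, not part of the original thread and not RogueKiller code.
"""
import ipaddress
import re

# Constructed sample: lines from the RKreport in the thread, plus one
# invented redirect entry (update.example.invalid) for the hosts check.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : Temp (rundll32.exe "C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll",CreateInstance) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 0scan.com
203.0.113.7 update.example.invalid
[...]
"""

# Explorer's desktop icon switches live under
# HKLM\...\Explorer\HideDesktopIcons\NewStartPanel; 1 means "hidden".
# These CLSIDs are Windows' own shell folders, not malware.
DESKTOP_ICON_CLSIDS = {
    "{59031a47-3f72-44a7-89c5-5595fe6b30ee}": "User's Files",
    "{20d04fe0-3aea-1069-a2d8-08002b30309d}": "Computer",
    "{645ff040-5081-101b-9f08-00aa002f954e}": "Recycle Bin",
    "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}": "Network",
}

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:]+?)\s*:.*¤¤¤$")
ENTRY_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>.+?)\s*:\s*(?P<value>.+?)\s*->\s*(?P<status>\w+)$")
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


def split_sections(report: str) -> dict[str, list[str]]:
    """Group the report's lines under their ¤¤¤ section headers."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def plan_registry(entries: list[str]) -> list[tuple[str, str]]:
    """Decide delete / keep / review for each registry finding."""
    plan: list[tuple[str, str]] = []
    for line in entries:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tag, key, value = m.group("tag"), m.group("key"), m.group("value")
        if tag == "BLACKLIST DLL":
            plan.append(("delete", value))
        elif tag == "HJ" and key.lower().endswith("newstartpanel"):
            clsid = CLSID_RE.search(value)
            icon = DESKTOP_ICON_CLSIDS.get(clsid.group(0).lower()) if clsid else None
            if icon:
                plan.append(("keep", f"'{icon}' desktop icon hidden: a user preference, not a hijack"))
            else:
                plan.append(("review", value))
        else:
            plan.append(("review", value))
    return plan


def redirecting_hosts(entries: list[str]) -> list[tuple[str, str]]:
    """Hosts entries that send a name to a real address rather than sinkholing it."""
    hits: list[tuple[str, str]] = []
    for line in entries:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address; not a working redirect either way
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0: a block entry, what immunization writes
        hits.append((m.group("host"), str(ip)))
    return hits


def triage(report: str) -> dict:
    sections = split_sections(report)
    return {
        "registry": plan_registry(sections.get("Registry Entries", [])),
        "hosts_redirects": redirecting_hosts(sections.get("HOSTS File", [])),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_REPORT).items():
        print(section, result)
```

On the sample this yields one delete (the ggqkf.dll Run value), two keeps for the desktop icon entries, and a single hosts hit for the invented redirect line; the hundreds of 127.0.0.1 immunization entries produce nothing, which is the point of separating sinkhole from redirect before reading a hosts dump.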
Hello jpatrick :),

Please post the logs by copy and pasting into your reply.

Please uninstall these:
YouTube Downloader 3.5
YouTube Downloader Toolbar v6.0

--------------------

We need to disable Spybot S&D's Teatimer real-time protection temporarily as it will interfere with the fix.

First step:
  • Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
  • For version 1.6, the steps are similar to either one of the below.
  • If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
  • If you have Version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version:
  • Open Spybot S&D.
  • Click Mode, choose Advanced Mode.
  • Go to the bottom of the vertical panel on the left, click Tools.
  • Then, also in left panel, click on Resident that shows a red/white shield.
  • If your firewall raises a question, say OK.
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
  • OK any prompts.
  • Exit Spybot S&D and reboot your machine for the changes to take effect.
Remember to enable it after the fix.

--------------------

RogueKiller in action
  • Please rerun RogueKiller. Try a few times if it does not run.
  • Click on Scan.
  • Go to the Registry tab and uncheck (untick) the following:
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
  • Click Delete.
  • Get the result via the Report button and post back the contents of the log.
--------------------

Please download Malwarebytes' Anti-Malware (MBAM)© from Malwarebytes and save it to your desktop. Click here.

Run MBAM
  • Double click on mbam-setup.exe and follow the prompts to install the program.
  • At the end of installation, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • MBAM will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update mirror, select one of the websites and click on Check for Updates.
  • Upon completion of update and loading, select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Your Firefox browser is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Firefox browser to the latest. You may need to use Internet Explorer temporarily for this, or download the program first before continuing the uninstall step.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Mozilla Firefox 9.0.1 (x86 en-US)

  • Go to the Mozilla Firefox download page. Click here.
  • Click on the Free Download button and save the setup file to a convenient location.
  • Double click on the setup file and follow the steps accordingly.
Please check if the redirect occurs in Firefox.

--------------------

Please post back:
1. new RogueKiller log
2. MBAM report
3. if redirect occurs in Firefox
 
Hello Jack&Jill,

Sorry about the cut/paste/attach issue.

I have questions about your RogueKiller request:

- By rerun, you mean the scan as well, correct? There are no results to delete w/o my rerunning the scan.

- When you ask me to uncheck the following:

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

You want those boxes left without a check mark and then hit delete? It seems counter intuitive to UNCHECK boxes that you want to delete.

Thanks,

Jpatrick
 
Hello jpatrick :),

Please run the tool the way I outlined and untick those two entries, then click Delete. The entries are to be left out.
 
RK report, MBAM log.... Success?!

Hello Jack&Jill,

Below are the RK report & MBAM log.... copied & pasted this time:



RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Admin [Admin rights]
Mode: Remove -- Date: 07/14/2012 03:42:04

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : Temp (rundll32.exe "C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll",CreateInstance) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00AADS-00S9B SCSI Disk Device +++++
--- User ---
[MBR] 332b7a39b16aca7656fea55c2c2b9b19
[BSP] f9bcb8bee9782548fbff0e5de19b16f5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt




Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.14.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Admin :: ADMIN-PC [administrator]

7/14/2012 3:53:07 AM
mbam-log-2012-07-14 (03-53-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 320259
Time elapsed: 32 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Utilities\Eenable Help\help.exe (PUP.Radmin) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Temp\0.162408693952372 (Exploit.Drop.9) -> Quarantined and deleted successfully.

(end)


Jack&Jill,

I deleted the YouTube Downloader program & toolbar as well as Firefox. I've installed the new version of Firefox, have used it and have not had any redirect issues. I also used IE9 and I haven't had any redirect issues there either.....:yahoo:

I noted that when I restarted the computer after Malwarebytes prompted me to, ERDNT errors popped up. This is the program that does an auto backup of the Registry. Is this serious? Should I reboot again & see if the issues continue?

In the list of malicious software found by Malwarebytes, there was PUP.Radmin. It was in folder called 'Utilities' & was created by my local computer dealer, E-enable, from whom I bought this computer. They told me that the folder contained programs that would help them diagnose problems. Should I let the company know that there is a problem with one of the files?

Lastly, do you know how I was infected with this redirect virus? I'm assuming that the YouTube Downloader was the main culprit. Does this mean I should not use any version of that program?

I want to thank you for your time & your help with this issue. Of course, I'm assuming that the fix worked- you will let me know if it has -but again I'm appreciative of your help in getting rid of this problem. :beerbeerb:

Cheers,

Jpatrick
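The RogueKiller entry above (rundll32.exe loading a DLL out of a VirtualStore\Temp folder from an HKCU Run key) is exactly the kind of autorun a responder wants surfaced automatically when reading these logs. As an added example that is not part of this thread and not RogueKiller's or OTL's own code, here is a small Python triage that parses the RogueKiller "Registry Entries" line format posted above and the OTL "O4" autorun line format that appears later in the thread, and flags entries whose module lives in a user-writable directory, DLLs launched via rundll32/regsvr32, files OTL reports with no company name, and stale entries pointing at missing files. The sample lines are constructed from the formats shown in this thread, and the function names (parse_autorun, assess, triage) and the review heuristics are my own assumptions, not anything the tools define.

```python
"""Triage of autorun entries from RogueKiller and OTL logs (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample lines, modelled on the RogueKiller and OTL entries in this thread.
SAMPLE_LINES = [
    r'[BLACKLIST DLL] HKCU\[...]\Run : Temp (rundll32.exe "C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll",CreateInstance) -> DELETED',
    r'[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED',
    r'O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)',
    r'O4 - HKLM..\Run: [DMXLauncher] C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe ()',
    r'O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found',
]

# RogueKiller "Registry Entries" line:
#   [TAG] KEY : NAME (COMMAND) -> ACTION
RK_RE = re.compile(r'^\[(?P<tag>[^\]]+)\] (?P<key>\S+) : (?P<name>[^(]+?) \((?P<cmd>.*)\) -> (?P<action>.+)$')

# OTL "O4" autorun line:
#   O4 - KEY: [NAME] COMMAND (COMPANY)      or      O4 - KEY: [NAME] COMMAND File not found
OTL_RE = re.compile(r'^O4(?::64bit:)? - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*?) '
                    r'(?:\((?P<company>[^)]*)\)|(?P<missing>File not found))$')

# First path-like token ending in a PE extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|scr|cpl)\b', re.IGNORECASE)

# Directories an unprivileged user can write to; a startup item living here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\virtualstore\\")


@dataclass
class Autorun:
    source: str                    # "rk" or "otl"
    key: str
    name: str
    command: str
    path: Optional[str]
    company: Optional[str] = None  # OTL only; "" means OTL found no company name
    missing: bool = False
    rk_tag: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_autorun(line: str) -> Optional[Autorun]:
    """Parse one RogueKiller or OTL autorun line; return None for any other line."""
    m = RK_RE.match(line)
    if m:
        cmd = m.group("cmd")
        p = PATH_RE.search(cmd)
        return Autorun("rk", m.group("key"), m.group("name"), cmd,
                       p.group(0) if p else None, rk_tag=m.group("tag"))
    m = OTL_RE.match(line)
    if m:
        cmd = m.group("cmd")
        p = PATH_RE.search(cmd)
        return Autorun("otl", m.group("key"), m.group("name"), cmd,
                       p.group(0) if p else None,
                       company=m.group("company"), missing=m.group("missing") is not None)
    return None


def assess(entry: Autorun) -> Autorun:
    """Attach human-readable review reasons; an empty list means nothing stood out."""
    low_cmd = entry.command.lower()
    low_path = (entry.path or "").lower()
    if entry.rk_tag and "BLACKLIST" in entry.rk_tag:
        entry.reasons.append("RogueKiller blacklist match")
    if any(marker in low_path for marker in USER_WRITABLE):
        entry.reasons.append("module lives in a user-writable directory")
    if low_cmd.startswith(("rundll32", "regsvr32")) and low_path.endswith(".dll"):
        entry.reasons.append("rundll32/regsvr32 used to load a DLL at logon")
    if entry.company == "":
        entry.reasons.append("no company name in version info")
    if entry.missing:
        entry.reasons.append("points at a file that no longer exists (stale entry)")
    return entry


def triage(lines: Iterable[str]) -> List[Autorun]:
    """Return the parsed entries that carry at least one review reason, in input order."""
    flagged = []
    for line in lines:
        entry = parse_autorun(line.strip())
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"[{e.source}] {e.key} -> {e.name}: {e.path or e.command}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run as-is it lists three entries: the RogueKiller-blacklisted rundll32 item with three reasons, the DMXLauncher item (no company name, which is informational rather than proof of anything), and the stale mctadmin RunOnce entry. The legitimate AVG tray entry and the NewStartPanel hijack-check lines are parsed but not flagged, which is the point of the heuristics: narrow a long log down to what a human should read first, not decide what is malicious.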
 
I spoke too soon... :(

Jack&Jill,

I continued to use IE9 & Firefox for the next hour or so just to be sure there weren't any problems and suddenly in Firefox I began to be redirected again! :mad:

I think that when I deleted the old version of Firefox it kept the old settings. I was prompted to keep something & I was afraid that I would lose all my bookmarks/favorites so I unchecked/checked the box to keep the old settings. Should I remove Firefox again, this time completely, & reinstall it? Let me know what is best.

IE9 is not affected.


Jpatrick
 
Hello jpatrick :),

You are welcome.

ERUNT seems to have issues backing up correctly in Windows 7. When we are done, you can uninstall it if you like.

MBAM marked the said program as PUP, which means potentially unwanted program.

Yes, please avoid YouTube Downloader.

--------------------

Please download OTL© by OldTimer from one of the links below and save it to your desktop.

Link 1
Link 2

Scan with OTL
  • Double click on OTL.exe to run it.
  • Make sure all the Use SafeList options are checked (selected). There are five of them.
  • Under the Modules section, please select No Company Name.
  • Check Scan All Users.
  • At the lower right corner, check LOP Check and Purity Check.
  • Click on Run Scan at the top left hand corner. This might take a while.
  • When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
    Note: These files are saved as OTL.txt and Extras.txt on the desktop.
--------------------

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problem running the scan, you might want to disable any real time protection that you have.
  • Click here to go to ESET Online Scanner page.
  • Click on Run ESET Online Scanner. A new window will open.
    For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
  • You will be prompted to install an ActiveX Control from ESET. Please install.
  • At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
  • Then, check Scan archives.
  • Now, click on Advanced settings and make sure all these are checked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click on Scan to proceed.
  • When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
  • Post the contents in your reply.
If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Please post back:
1. the OTL logs
2. ESET report
 
Good morning Jack&Jill,

I tried to download OTL.exe and I got a security warning from my SmartScreen filter which said something to the effect: the program is not commonly downloaded, it isn't signed by the author and it could harm my computer.

Are you sure you want me to download OTL.exe? :fear:

On the Firefox issue, I uninstalled it yesterday, I rebooted my system then reinstalled it and the redirect issue seems to be gone.

FYI: After the above reboot ERDNT didn't show any errors. :D:

Jpatrick
 
OTL Log

Jack&Jill,

OTL LOG:


OTL logfile created on: 7/15/2012 1:32:27 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Admin\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.75 Gb Total Physical Memory | 2.45 Gb Available Physical Memory | 65.41% Memory free
7.50 Gb Paging File | 5.53 Gb Available in Paging File | 73.76% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.66 Gb Total Space | 351.32 Gb Free Space | 75.45% Space Free | Partition Type: NTFS
Drive D: | 634.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/15 05:23:19 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe
PRC - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
PRC - [2012/04/05 05:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
PRC - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/01/16 21:39:13 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2010/04/28 18:17:04 | 000,512,000 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanCU.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/09/08 12:03:58 | 000,113,136 | ---- | M] () -- C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe


========== Modules (No Company Name) ==========

MOD - [2010/04/28 18:17:04 | 000,512,000 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanCU.exe
MOD - [2009/10/07 17:58:10 | 000,376,832 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanDll.dll
MOD - [2009/03/10 20:03:52 | 000,184,320 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WPSCtrl.dll
MOD - [2008/09/08 12:03:58 | 000,113,136 | ---- | M] () -- C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/09/09 10:07:54 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2008/09/09 10:07:14 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/04/19 04:50:26 | 000,028,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\avgidsha.sys -- (AVGIDSHA)
DRV:64bit: - [2012/03/19 05:17:26 | 000,383,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/22 05:25:32 | 000,289,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
DRV:64bit: - [2012/01/31 04:46:48 | 000,036,944 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
DRV:64bit: - [2011/12/23 13:32:14 | 000,047,696 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
DRV:64bit: - [2011/12/23 13:32:04 | 000,029,776 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\avgidsfiltera.sys -- (AVGIDSFilter)
DRV:64bit: - [2011/12/23 13:31:58 | 000,124,496 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\avgidsdrivera.sys -- (AVGIDSDriver)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/08/12 13:07:50 | 000,350,952 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvmf6264.sys -- (NVNET)
DRV:64bit: - [2010/07/02 10:08:52 | 002,061,928 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTL85n64.sys -- (RTL85n64)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 16:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/06/16 04:00:00 | 000,055,024 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2008/09/09 11:12:54 | 000,065,520 | ---- | M] (Sonic Solutions) [File_System | System | Stopped] -- C:\Windows\SysWOW64\drivers\RxFilter.sys -- (RxFilter)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/tenday/Bennington+VT+05201
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B8 60 BF 6A 0E D6 CC 01 [binary data]
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..\SearchScopes,DefaultScope = {7C0FB11C-C21D-472D-BEB2-B7CEBE00D336}
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..\SearchScopes\{7C0FB11C-C21D-472D-BEB2-B7CEBE00D336}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG2012\Firefox4\ [2012/07/06 09:17:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\flashcatch@flashcatch.com: C:\Program Files (x86)\FlashCatch\firefox [2012/03/19 01:34:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/02 09:19:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/14 11:22:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/07/14 11:23:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\Mozilla\Extensions
[2012/07/14 11:22:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/01/19 23:58:41 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/06/14 18:20:49 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/01/13 11:14:47 | 000,003,739 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/06/14 18:19:40 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/06/14 18:19:40 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/16 15:19:25 | 000,443,522 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 www.123fporn.info
O1 - Hosts: 15233 more lines...
O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (FlashCatchBHO Class) - {88618A96-6D8A-42E7-B932-9073D5B2080F} - C:\Program Files (x86)\FlashCatch\flashcatch.dll (Level 9 Technology, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (FlashCatch) - {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - C:\Program Files (x86)\FlashCatch\flashcatch.dll (Level 9 Technology, Inc.)
O3 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..\Toolbar\WebBrowser: (FlashCatch) - {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - C:\Program Files (x86)\FlashCatch\flashcatch.dll (Level 9 Technology, Inc.)
O4:64bit: - HKLM..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\Windows\SysNative\MSTMON_S.EXE (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe ()
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9:64bit: - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..Trusted Domains: microsoft.com ([oas.support] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{27A76691-41C0-4E44-995C-D5AC9A99A256}: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{96B9080E-81CC-4304-A255-8ED57B92B0A3}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [1999/09/23 11:38:49 | 000,000,045 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{609edac7-3df9-11e1-b644-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{609edac7-3df9-11e1-b644-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [1999/09/23 11:58:15 | 000,025,600 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/15 05:23:19 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe
[2012/07/14 11:22:58 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Mozilla
[2012/07/14 03:49:49 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Malwarebytes
[2012/07/14 03:49:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/14 03:49:30 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/14 03:49:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/07/14 03:49:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/13 07:18:39 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Admin\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/13 04:03:21 | 000,000,000 | ---D | C] -- C:\Users\Admin\Desktop\RK_Quarantine
[2012/07/09 20:48:23 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Admin\Desktop\aswMBR.exe
[2012/07/08 14:33:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/07/08 14:32:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/07/08 14:32:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2012/07/08 14:29:31 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Admin\Desktop\erunt-setup.exe
[2012/07/06 09:17:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
[2012/01/20 22:52:21 | 000,258,560 | ---- | C] (Quad-Lock) -- C:\Program Files\UnitConverter.exe
[2001/06/20 17:34:39 | 000,127,488 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\QuickTimeUpdater.exe
[2001/06/20 17:34:38 | 001,043,968 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\QuickTimePlayer.exe
[2001/06/20 17:34:38 | 000,303,616 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\PictureViewer.exe
[2001/06/20 17:34:38 | 000,225,792 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\QTInfo.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/15 13:26:04 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/15 13:25:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/15 05:23:19 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe
[2012/07/15 05:19:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/14 18:01:49 | 101,528,768 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
[2012/07/14 11:27:10 | 000,022,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/14 11:27:10 | 000,022,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/14 11:24:13 | 000,792,118 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/07/14 11:24:13 | 000,668,836 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/07/14 11:24:13 | 000,125,022 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/07/14 11:22:53 | 000,001,134 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/07/14 11:19:51 | 3018,690,560 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/14 04:37:43 | 000,032,894 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 4.jpg
[2012/07/14 04:37:11 | 000,035,537 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 3.jpg
[2012/07/14 04:36:31 | 000,033,751 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 2.jpg
[2012/07/14 04:35:44 | 000,052,417 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT.jpg
[2012/07/14 04:27:48 | 000,047,009 | ---- | M] () -- C:\Users\Admin\Desktop\Malwarebytes results 07142012.jpg
[2012/07/14 03:49:31 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/13 09:40:18 | 000,013,312 | -H-- | M] () -- C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/07/13 07:19:36 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Admin\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/13 04:01:29 | 001,558,016 | ---- | M] () -- C:\Users\Admin\Desktop\RogueKiller.exe
[2012/07/13 03:58:57 | 000,000,512 | ---- | M] () -- C:\Users\Admin\Desktop\MBR.dat
[2012/07/12 09:01:41 | 000,076,515 | ---- | M] () -- C:\Users\Admin\Desktop\VPT malware issue 07122012.jpg
[2012/07/12 09:00:01 | 000,387,979 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-World-Detailed.pdf
[2012/07/12 08:58:01 | 000,088,275 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-World-Grid.pdf
[2012/07/12 08:57:05 | 000,108,656 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-Create-Grid.pdf
[2012/07/12 08:56:06 | 000,388,956 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-VPT-Detailed.pdf
[2012/07/11 22:19:57 | 000,443,522 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/07/11 22:14:54 | 000,000,938 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120711-221957.backup
[2012/07/11 22:13:58 | 000,443,522 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120711-221454.backup
[2012/07/11 12:32:41 | 000,007,611 | -H-- | M] () -- C:\Users\Admin\AppData\Local\resmon.resmoncfg
[2012/07/10 10:41:51 | 017,855,727 | ---- | M] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.wmv
[2012/07/10 10:40:02 | 023,780,647 | ---- | M] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.flv
[2012/07/10 10:24:02 | 015,478,199 | ---- | M] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..wmv
[2012/07/10 10:21:24 | 015,722,051 | ---- | M] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..flv
[2012/07/09 20:48:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Admin\Desktop\aswMBR.exe
[2012/07/08 22:09:52 | 000,277,807 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
[2012/07/08 14:32:23 | 000,001,108 | ---- | M] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/08 14:32:00 | 000,000,928 | ---- | M] () -- C:\Users\Admin\Desktop\NTREGOPT.lnk
[2012/07/08 14:32:00 | 000,000,909 | ---- | M] () -- C:\Users\Admin\Desktop\ERUNT.lnk
[2012/07/07 15:27:22 | 000,017,884 | ---- | M] () -- C:\Users\Admin\Documents\cc_20120707_152716.reg
[2012/07/06 20:38:29 | 000,443,048 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120711-221358.backup
[2012/07/06 09:17:48 | 000,000,965 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
[2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/02 17:00:16 | 000,001,369 | ---- | M] () -- C:\Windows\wininit.ini
[2012/07/02 11:43:12 | 000,442,922 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120706-203829.backup
[2012/07/02 11:39:37 | 000,046,270 | ---- | M] () -- C:\Users\Admin\Documents\cc_20120702_113920.reg
[2012/06/26 10:32:43 | 000,442,922 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120702-114312.backup
[2012/06/16 02:37:20 | 000,442,922 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120626-103243.backup
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/14 11:22:52 | 000,001,134 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/07/14 04:37:43 | 000,032,894 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 4.jpg
[2012/07/14 04:37:11 | 000,035,537 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 3.jpg
[2012/07/14 04:36:31 | 000,033,751 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 2.jpg
[2012/07/14 04:35:44 | 000,052,417 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT.jpg
[2012/07/14 04:27:48 | 000,047,009 | ---- | C] () -- C:\Users\Admin\Desktop\Malwarebytes results 07142012.jpg
[2012/07/14 03:49:31 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/13 04:01:28 | 001,558,016 | ---- | C] () -- C:\Users\Admin\Desktop\RogueKiller.exe
[2012/07/12 09:01:41 | 000,076,515 | ---- | C] () -- C:\Users\Admin\Desktop\VPT malware issue 07122012.jpg
[2012/07/12 09:00:01 | 000,387,979 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-World-Detailed.pdf
[2012/07/12 08:58:01 | 000,088,275 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-World-Grid.pdf
[2012/07/12 08:57:05 | 000,108,656 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-Create-Grid.pdf
[2012/07/12 08:56:06 | 000,388,956 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-VPT-Detailed.pdf
[2012/07/10 10:40:26 | 017,855,727 | ---- | C] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.wmv
[2012/07/10 10:35:42 | 023,780,647 | ---- | C] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.flv
[2012/07/10 10:22:49 | 015,478,199 | ---- | C] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..wmv
[2012/07/10 10:17:46 | 015,722,051 | ---- | C] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..flv
[2012/07/09 20:50:33 | 000,000,512 | ---- | C] () -- C:\Users\Admin\Desktop\MBR.dat
[2012/07/08 14:32:23 | 000,001,108 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/08 14:32:00 | 000,000,928 | ---- | C] () -- C:\Users\Admin\Desktop\NTREGOPT.lnk
[2012/07/08 14:32:00 | 000,000,909 | ---- | C] () -- C:\Users\Admin\Desktop\ERUNT.lnk
[2012/07/07 15:27:20 | 000,017,884 | ---- | C] () -- C:\Users\Admin\Documents\cc_20120707_152716.reg
[2012/07/02 17:00:11 | 000,001,369 | ---- | C] () -- C:\Windows\wininit.ini
[2012/07/02 11:39:31 | 000,046,270 | ---- | C] () -- C:\Users\Admin\Documents\cc_20120702_113920.reg
[2012/02/16 23:43:03 | 000,000,000 | -H-- | C] () -- C:\Users\Admin\AppData\Local\rx_image32.Cache
[2012/02/05 15:56:35 | 000,013,312 | -H-- | C] () -- C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/02 20:43:30 | 000,007,611 | -H-- | C] () -- C:\Users\Admin\AppData\Local\resmon.resmoncfg
[2012/01/30 02:14:08 | 000,000,061 | ---- | C] () -- C:\Windows\avinstalled.ini
[2012/01/14 17:19:30 | 000,020,436 | ---- | C] () -- C:\Windows\W2BNEUnin.dat
[2012/01/13 19:14:43 | 000,019,632 | ---- | C] () -- C:\Windows\MSTMON_S.INI
[2012/01/13 19:14:43 | 000,019,472 | ---- | C] () -- C:\Windows\MSUMLT_S.INI
[2012/01/13 19:04:01 | 000,000,000 | ---- | C] () -- C:\Windows\OpPrintServer.INI
[2012/01/13 10:01:49 | 000,785,842 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/01/13 09:48:10 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2001/06/20 17:34:32 | 000,082,395 | ---- | C] () -- C:\Program Files\Sample.mov
[2001/06/20 17:34:32 | 000,029,363 | ---- | C] () -- C:\Program Files\Sample.qtif
[2001/06/20 17:34:32 | 000,004,653 | ---- | C] () -- C:\Program Files\readme.wri

========== LOP Check ==========

[2012/03/13 00:16:44 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Audacity
[2012/01/13 11:26:36 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\AVG2012
[2012/01/13 23:19:05 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\IrfanView
[2012/01/13 11:36:51 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\OpenOffice.org
[2012/01/20 22:52:27 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\UnitConverter
[2009/07/14 01:08:49 | 000,011,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
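Added example, not part of jpatrick's post and not code from OTL or Spybot: a small Python parser for the `Files Created` / `Files Modified` line format shown in the log above, plus the triage heuristics a helper would otherwise apply by eye (a modified `hosts` file, new kernel drivers, executables with no company name under the user profile, hidden or system files under the user profile). The sample lines are copied from the log above and embedded as constructed input; the attribute column order R/H/S/D is inferred from the attribute strings in this log, and the flagged locations and extensions are my own choices, not OTL's.

```python
"""Parse OTL "Files Created / Files Modified" lines and flag entries worth a
second look. Added example for this thread; not OTL's own code."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime

# One OTL file-listing line looks like:
#   [YYYY/MM/DD HH:MM:SS | size | RHSD | C] (Company) -- path
# The "(Company)" group is absent for directories and is "()" for files
# whose version information carries no company name.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    readonly: bool   # attribute column order R,H,S,D is an assumption
    hidden: bool     # inferred from this log: hosts "R---", hiberfil "-HS-",
    system: bool     # folders "---D"
    directory: bool
    kind: str        # "C" = listed under Files Created, "M" = Files Modified
    company: str     # company string from the file's version info, "" if none
    path: str


def parse_otl_line(line):
    """Return an OtlEntry for one listing line, or None if it is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        readonly=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        directory=attrs[3] == "D",
        kind=m.group("kind"),
        company=(m.group("company") or "").strip(),
        path=m.group("path"),
    )


def parse_otl_lines(text):
    """Parse every listing line in a block of OTL output; skip the rest."""
    return [e for e in map(parse_otl_line, text.splitlines()) if e]


EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Locations writable without elevation (my choice of what counts).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
KIND = {"C": "created", "M": "modified"}


def triage(entries):
    """Return (path, reason) pairs worth checking. These are prompts, not
    verdicts: the company column is a string anyone can put in a binary."""
    findings = []
    for e in entries:
        if e.directory:
            continue
        low = e.path.lower()
        ext = ntpath.splitext(low)[1]
        if low.endswith("\\drivers\\etc\\hosts"):
            findings.append((e.path, "hosts file %s, %d bytes; read it for "
                             "search-engine or update-site redirects"
                             % (KIND[e.kind], e.size)))
        if ext == ".sys" and "\\drivers\\" in low:
            findings.append((e.path, "kernel driver %s, company '%s'"
                             % (KIND[e.kind], e.company or "(none)")))
        elif ext in EXEC_EXT and not e.company and any(
                w in low for w in USER_WRITABLE):
            findings.append((e.path, "executable with no company name in a "
                             "user-writable location"))
        if (e.hidden or e.system) and "\\users\\" in low:
            findings.append((e.path, "hidden/system attribute on a file "
                             "under the user profile"))
    return findings


def triage_otl_text(text):
    return triage(parse_otl_lines(text))


# Constructed sample: lines copied from the OTL log in this thread.
SAMPLE_LOG = r"""
[2012/07/14 03:49:30 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/14 11:22:58 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Mozilla
[2012/07/13 04:01:29 | 001,558,016 | ---- | M] () -- C:\Users\Admin\Desktop\RogueKiller.exe
[2012/07/14 11:19:51 | 3018,690,560 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/11 22:19:57 | 000,443,522 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/07/13 09:40:18 | 000,013,312 | -H-- | M] () -- C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/07/15 13:26:04 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/09 20:48:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Admin\Desktop\aswMBR.exe
[2012/07/13 07:18:39 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Admin\Desktop\mbam-setup-1.62.0.1300.exe
"""

if __name__ == "__main__":
    for path, reason in triage_otl_text(SAMPLE_LOG):
        print("%-70s %s" % (path, reason))
```

Run against the whole log rather than the sample, the point is to shrink a few hundred lines to the handful that need a hash lookup or a look inside: in this log that is the hosts file (443,522 bytes, which is the size you get from Spybot's immunization rather than from a two-line hijack, but the file still has to be read to know that), the Malwarebytes driver, and the cleanup tools the poster downloaded. A flagged entry is a prompt to check the file, not evidence of infection, and the company column is no substitute for a signature check.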
 
Otl extras log

Jack&Jill,

The OTL EXTRAS log:
OTL Extras logfile created on: 7/15/2012 1:32:27 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Admin\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.75 Gb Total Physical Memory | 2.45 Gb Available Physical Memory | 65.41% Memory free
7.50 Gb Paging File | 5.53 Gb Available in Paging File | 73.76% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.66 Gb Total Space | 351.32 Gb Free Space | 75.45% Space Free | Partition Type: NTFS
Drive D: | 634.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0313D945-F3CA-4A16-BD78-89DF7D2F0F68}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{050DABD9-4A75-4E2D-B1C8-CFD58A1BCA20}" = rport=445 | protocol=6 | dir=out | app=system |
"{21E3C675-D447-47CC-9B8F-886C6F1C61BD}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{2E014DC4-D5D4-479D-A653-B1243CAC1708}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{2E68E02A-77DE-4B71-8FAE-9577E33E9E46}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{40E0EC41-9C56-4DD7-AF30-B29B4EEB3DE2}" = rport=10243 | protocol=6 | dir=out | app=system |
"{546F77E4-5094-4585-A81E-B6453F3FC62C}" = rport=138 | protocol=17 | dir=out | app=system |
"{5C4A16DF-1703-4B1E-BA03-8F3AA19E3A40}" = rport=137 | protocol=17 | dir=out | app=system |
"{880992ED-1D4A-4977-B00A-5E38AC14C024}" = lport=10243 | protocol=6 | dir=in | app=system |
"{95FAAE37-E3E2-4DE8-8A70-A428A373578E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AC786BA4-6710-4AFF-ACE0-931D1B7B00F7}" = rport=139 | protocol=6 | dir=out | app=system |
"{AD8C752E-CB35-49FF-A727-7525B5BC8C29}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B37C10B1-D8E5-4947-B3D4-FCD0156A897D}" = lport=138 | protocol=17 | dir=in | app=system |
"{B8CB82F6-4191-4F56-AC33-517F830DC390}" = lport=137 | protocol=17 | dir=in | app=system |
"{BA649EEA-4A4A-4BB6-9140-9D103140CD0F}" = lport=445 | protocol=6 | dir=in | app=system |
"{BB01630B-62FA-4407-8E43-A1889F28A3B3}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C305C4F3-6B45-405F-BE6B-970FE95EDC0A}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D2231BD0-CF34-46EF-B243-E2E6316BDAF9}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D39A4952-41BF-430D-A129-E6298FFB2CF9}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D96CC3DB-2F9B-4C62-91D9-A4840F653BAE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{E390A330-17A6-4F41-B478-F541301832C9}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F264C598-DEBB-4814-BB14-73966FF719E8}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{FDC38785-F232-4A8B-8AEF-9F1B6474C637}" = lport=139 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{06C8BDA1-8C18-499A-92D8-F8EFFEEC28D9}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
"{07426982-116A-4E74-A7B6-5C49B6EB9F07}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
"{0AF34461-C86A-4A00-8495-1FAC66BD8325}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{11854DCA-E797-428F-8941-0B8966D463DE}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
"{20451FE7-1A62-4450-A362-636931BF15C9}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
"{25ADB5D1-5A66-4C6F-AF62-D8D736C258A4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{28EA1FE0-5DE3-4AE7-8512-04B4CCD0CC3E}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
"{2C7AAD98-C5BE-4831-9BF1-F6E459F804AE}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{2F624ED8-FEA0-40B3-85E9-E5D4895D845B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{2FD21A30-E388-478B-9BC2-05219A8C024F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{3351907B-64BE-40B0-9456-9AFD61E5E9E4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{40242CD5-69F3-4CB8-A473-1C8122EB64A5}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
"{474BDA8B-22C2-47B4-98D8-6ABF81964276}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{491962E1-44D2-4015-82F6-34413D18FD9C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{4EE3A50E-F34D-4594-8EE6-1FD91AC2E030}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
"{61F4C2B7-D9B1-4B62-91C5-BBA7BA527E84}" = protocol=6 | dir=out | app=system |
"{6C862B35-73D7-40B5-BDF4-66B5AC2DF649}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6FCF89EF-1D22-44AD-811A-4AA29D4C16EF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{79A25403-6BCE-448F-91D6-D45BC3C1290A}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
"{7C8422A9-2A8F-42D0-BF0D-0C0272BADBD5}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{7FDB253E-FD6D-4BE5-A7D2-7F2D36CBDE9F}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{8D9A7334-8751-4E72-8E6F-747E0EEF9EE1}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
"{A16378D3-7E9D-4A9D-A039-BE1A8D28C83F}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
"{AB565E20-D988-474F-9933-1D393374B8AB}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{AE31AF2C-BC48-4580-85A6-C3FE7E8AB566}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C6690302-D785-491E-8473-C67B468866A9}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
"{CE3562A2-C2B6-4B32-824C-C8E9CC45DD6F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{E4010475-DDBA-420F-B548-DC4941205A8A}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
"{E55D9CB9-F7FF-4D00-A42B-9104497BD890}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{E63B6197-4630-4DD1-93C0-3461DF0F738A}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
"{E6FD7598-4A42-4489-924B-E0CBC1BE01E9}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{E7E75174-4AE2-4E08-BE8E-20537A27AD1A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E947FC74-0A10-4984-94A2-44FC93F20116}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
"{EDD3CFF4-8E2C-42E0-9AB0-194D6B5D6C18}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
"{F8B53D5C-E4DB-4A24-8A95-0B26B2A7D004}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
"{FBC1E7CB-C3D5-4531-9AB2-605147C9648A}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{3C8159DD-1890-4625-A5B2-E3D8D78D4486}" = AVG 2012
"{6B9CE44B-52D0-4B2F-BDFA-56FF4977A790}" = AVG 2012
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"1196D442E5ECB5E86948906FE5B87E4D58C27BA4" = Windows Driver Package - Realtek Semiconductor Corp (RTL85n64) Net (06/15/2010 6.1125.0615.2010)
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
"AVG" = AVG 2012
"CCleaner" = CCleaner
"KONICA MINOLTA magicolor 2400W" = KONICA MINOLTA magicolor 2400W
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"VueScan" = VueScan

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03F1CC67-5BD8-4C36-8394-76311B2AE69A}" = ArcSoft PhotoStudio 5
"{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{1B683082-8791-4D00-8ADE-6C8986FCCC68}" = Roxio CinePlayer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = PhotoStitch
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 30
"{26E80502-72BB-4095-877F-44925A5D6B91}" = FrenchNow!
"{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = RemoteCapture Task 1.1
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = RAW Image Task 1.2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C96958A-6562-4143-B820-FF4890D3B734}" = Camera Window DVC
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Creator 10 CE
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{7CFD02D2-44CF-4033-97E8-768A82C4C007}" = Roxio Plextor Driver Documentation
"{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software
"{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = MovieEdit Task
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
"{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Camera Window DS
"{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Camera Support Core Library
"{99024F9F-40ED-4CBF-9744-2015334006E0}" = GrammarPro!
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A0AB2980-1FDD-4b6c-940C-FC87C84F05B7}_is1" = FlashCatch
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{B1BDEA80-95CE-4DFB-B9D3-DC800E7F87B4}" = TRENDnet 802.11g Wireless CardBus/PCI Adapter
"{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}" = @BIOS
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}" = ArcSoft PhotoBase 3
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX
"{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Camera Window MC
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB3C10B1-C8C2-4197-A687-0901064F68AB}" = Roxio Creator 10 CE
"{D533DC05-E776-4ABC-82E1-D8D733D2E6B3}" = AncestryView 2.6
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.14 (Unicode)
"Digital Editions" = Adobe Digital Editions
"ERUNT_is1" = ERUNT 1.1j
"InstallShield_{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{4C96958A-6562-4143-B820-FF4890D3B734}" = Canon Camera Window DVC for ZoomBrowser EX
"InstallShield_{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Canon Camera Window DS for ZoomBrowser EX
"InstallShield_{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Canon Camera Support Core Library
"InstallShield_{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{D533DC05-E776-4ABC-82E1-D8D733D2E6B3}" = AncestryView 2.6
"IrfanView" = IrfanView (remove only)
"LAME_is1" = LAME v3.99.3 (for Windows)
"Legacy 6.0" = Legacy 6.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"QuickTime" = QuickTime
"Universal Extractor_is1" = Universal Extractor 1.6.1
"Warcraft II BNE" = Warcraft II BNE

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BandiZip" = BandiZip

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/10/2012 12:31:28 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 7/12/2012 4:33:02 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 7/12/2012 8:56:39 AM | Computer Name = Admin-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16421 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 13a0 Start
Time: 01cd6029b0c545b4 Termination Time: 47 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id:

Error - 7/12/2012 8:58:22 AM | Computer Name = Admin-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
time stamp: 0x4d76255d Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x73b0c9f1 Faulting process id:
0xc98 Faulting application start time: 0x01cd602de556ed24 Faulting application path:
C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: unknown
Report
Id: 423d3674-cc21-11e1-9de3-50e5499d7e93

Error - 7/12/2012 9:00:07 AM | Computer Name = Admin-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
time stamp: 0x4d76255d Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x00e05ab0 Faulting process id:
0x10c0 Faulting application start time: 0x01cd602e0fefa684 Faulting application path:
C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: unknown
Report
Id: 80cbb94c-cc21-11e1-9de3-50e5499d7e93

Error - 7/12/2012 1:57:28 PM | Computer Name = Admin-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16421 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1dc Start
Time: 01cd60527d3d2b70 Termination Time: 30 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id:

Error - 7/13/2012 7:45:56 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 7/14/2012 4:33:53 AM | Computer Name = Admin-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/14/2012 11:20:00 AM | Computer Name = Admin-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/15/2012 6:27:29 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

[ System Events ]
Error - 7/9/2012 8:28:30 PM | Computer Name = Admin-PC | Source = DCOM | ID = 10016
Description =

Error - 7/13/2012 4:06:40 AM | Computer Name = Admin-PC | Source = DCOM | ID = 10016
Description =

Error - 7/13/2012 7:18:11 PM | Computer Name = Admin-PC | Source = DCOM | ID = 10016
Description =

Error - 7/14/2012 4:33:52 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7000
Description = The SessionLauncher service failed to start due to the following error:
%%2

Error - 7/14/2012 4:34:02 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RxFilter

Error - 7/14/2012 7:40:55 AM | Computer Name = Admin-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 7/14/2012 11:19:59 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7000
Description = The SessionLauncher service failed to start due to the following error:
%%2

Error - 7/14/2012 11:20:06 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RxFilter

Error - 7/14/2012 11:21:23 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7034
Description = The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/14/2012 11:03:54 PM | Computer Name = Admin-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.


< End of report >
 
Eset log

Jack&Jill,

ESET LOG:


C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll a variant of Win32/Kryptik.AIGG trojan
C:\Users\Admin\Desktop\RK_Quarantine\ggqkf.dll.vir a variant of Win32/Kryptik.AIGG trojan
C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe Win32/OpenCandy application
C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe Win32/Toolbar.Widgi application
C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe a variant of Win32/Toolbar.Widgi application
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe a variant of Win32/Toolbar.Widgi application
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe Win32/Toolbar.Widgi application
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial Win32/Toolbar.Widgi application
C:\Utilities\produkey\produkey.zip a variant of Win32/PSWTool.ProductKey application
 
Hello jpatrick :),

Fix with OTL
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click on OTL.exe to run it.
  • Copy and paste the following text into the white box below Custom Scans/Fixes:
    Code:
    :otl
    O15 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..Trusted Domains: microsoft.com ([oas.support] http in Trusted sites)
    
    :files
    C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll
    C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial
    ipconfig /flushdns /c
    
    :commands
    [CREATERESTOREPOINT]
    [EMPTYTEMP]
  • Click Run Fix. Everything on the desktop may disappear; this is normal. Please wait until the tool completes its routine.
  • Please post the contents of the fix log file back here if you are prompted to open the file. It can also be found at C:\_OTL\Moved Files as MMDDYYYY_HHMMSS.log, where MMDDYYYY is the date and HHMMSS is the time.
  • If requested to reboot, please do so. The log file will open after restart.
  • Re-enable your security software as soon as you have completed the OTL fix steps.
--------------------

Please post back:
1. the OTL fix log
2. any more problems?
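As an added example, not part of Jack&Jill's instructions or of OTL itself, the following PowerShell reads the same per-user Internet Explorer ZoneMap that the O15 "Trusted Domains" line in the fix above came from and lists every host placed in the Trusted sites zone, so unexpected entries (like a subdomain you never added) can be spotted before or after a fix. The registry layout it assumes is the standard one: one key per domain, a subkey per host, and a value per scheme holding the zone number; the script only reads.

```powershell
# Added example (not from the thread or from OTL): list every host the current
# user has in Internet Explorer's Trusted sites zone. An OTL "O15 - Trusted
# Domains" line reflects exactly these registry entries.
#
# Zone numbers used by the ZoneMap:
#   1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapEntries {
    param([string]$Path = $root)
    if (-not (Test-Path $Path)) { return }
    foreach ($domainKey in Get-ChildItem -Path $Path) {
        $domain = $domainKey.PSChildName
        # Values directly under the domain key apply to the domain itself;
        # each subkey is a host/subdomain (e.g. oas.support under microsoft.com).
        $targets = @(@{ Key = $domainKey; Name = $domain })
        foreach ($sub in Get-ChildItem -Path $domainKey.PSPath) {
            $targets += @{ Key = $sub; Name = "$($sub.PSChildName).$domain" }
        }
        foreach ($t in $targets) {
            foreach ($valueName in $t.Key.GetValueNames()) {
                # The value name is the scheme ('http', 'https' or '*');
                # its DWORD data is the zone number.
                $zone = [int]$t.Key.GetValue($valueName)
                New-Object PSObject -Property @{
                    Host   = $t.Name
                    Scheme = $valueName
                    ZoneId = $zone
                    Zone   = $zoneNames[$zone]
                }
            }
        }
    }
}

# Report Trusted-sites entries. Anything you did not add yourself deserves a
# closer look: sites in that zone run with relaxed browser security settings.
Get-ZoneMapEntries | Where-Object { $_.ZoneId -eq 2 } |
    Select-Object Host, Scheme, Zone | Format-Table -AutoSize
```

Run it in a normal PowerShell window as the affected user; it changes nothing, so it is safe to run before deciding what an OTL fix should remove.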
 
OTL fix log

Hello Jack&Jill,

The OTL fix log:

All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\oas.support\ deleted successfully.
========== FILES ==========
C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll moved successfully.
C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe moved successfully.
C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe moved successfully.
C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe moved successfully.
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe moved successfully.
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe moved successfully.
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Admin\Desktop\cmd.bat deleted successfully.
C:\Users\Admin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 66048856 bytes
->Temporary Internet Files folder emptied: 33544541 bytes
->Java cache emptied: 5004506 bytes
->FireFox cache emptied: 65404611 bytes
->Flash cache emptied: 120955 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 747776 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 9533158 bytes

Total Files Cleaned = 172.00 mb


OTL by OldTimer - Version 3.2.54.0 log created on 07162012_150319

Files\Folders moved on Reboot...
C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...



Jack&Jill,


FYI: After the fix/reboot, I noticed that an issue I had been having for a few months had been resolved. In Windows 7, on the desktop, the tool bar at the bottom of the page allows you to "pin" application icon shortcuts. Two of those icons had "lost" their image and in their place was the unrecognized file icon. Strange how this was connected to the redirect infection.

I will post questions & concerns in the next post.

Thanks,

Jpatrick
 
Questions/Concerns

Hello Jack&Jill,

Below are some questions/concerns that I have:


- What should I do with the programs: OTL, aswMBR, RogueKiller, mbam & ESET(this one I didn't delete after the online scan)?

- I use Spybot & AVG, but neither of these detected any problems. Should I keep mbam & bag one of the others?

- I noted that these program setup files were "infected":

C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe
C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe
C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe
C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial

Two issues: 1. Were these infected when I downloaded them from CNET, or were they infected by malware after I downloaded them, or were they not "infected", but just a vehicle for infections, PUP type programs? 2. I have backed up those files on an EXTERNAL hard drive. Can I go into that external hd and delete those files without reinfecting my system? Is it possible to scan the external drive with the programs you had me download?

- I have also used USB Flash drives to back up some files... none of those files. Is there a threat with those?

- The RogueKiller, -RK_Quarantine folder-, with contents, is still on my desktop. Should I delete the folder and/or the contents?

- Could this malware issue have made me vulnerable to identity theft? Do I need to change passwords or call my bank?

This is all I can think of right now.

Thank you for taking the time to answer the above.

Jpatrick
 
Hello jpatrick :),

Two issues: 1. Were these infected when I downloaded them from CNET, or were they infected by malware after I downloaded them, or were they not "infected", but just a vehicle for infections, PUP type programs? 2. I have backed up those files on an EXTERNAL hard drive. Can I go into that external hd and delete those files without reinfecting my system? Is it possible to scan the external drive with the programs you had me download?

- I have also used USB Flash drives to back up some files... none of those files. Is there a threat with those?
They are PUP or borderline type, basically from the source. Yes, you can go into the external drive and delete them. To be sure, you can try MBAM or ESET on any drives or USB device you have.

- Could this malware issue have made me vulnerable to identity theft? Do I need to change passwords or call my bank?
As far as I can tell, the threat is not that severe, but with malware, you will never know. Due to this, better safe than sorry.

For the rest of your questions, the answers are below.

--------------------

Congratulations, you are All Clear to go. Glad to hear everything is good and running :). If you have any more problems, please let me know.

Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.
  • Run OTL by double clicking on OTL.exe. Click on CleanUp, proceed to reboot if prompted.
  • Delete the aswMBR and RogueKiller files on your desktop.
  • Delete any logs on the desktop.

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows 7 to always update the latest security patches from Microsoft, or you can download from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Purge System Restore, for this one time only. A recovery feature will only be useful if it is clean of malware. See Windows 7 System Restore Guide for some detailed explanations.

3. Update your Antivirus program regularly, it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials and Avast are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 and Kaspersky are some good options. Please keep only one AV installed.

4. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

5. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications. You need to choose between Spybot or Winpatrol.

6. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose. You don't need this if you have Spybot's immunization.

7. Install Web of Trust (WOT). WOT keeps you away from dangerous websites with warnings and blocking.

8. Protect your computer from removable or USB drive infections with MCShield, an effective method to prevent malware from spreading.

9. Keep all your software updated. Visit Secunia Software Inspector to find out if any updates are required.

10. Make full use of Windows 7 firewall to step up the defense against internet dangers.

11. Also look up:
Computer Security - a short guide to staying safer online
PC Safety and Security - What Do I Need? By Glaswegian
How to prevent malware: By miekiemoes
So how did I get infected in the first place? By Tony Klein
Microsoft Online Safety

Stay safe.

Your donation helps in improving Spybot-S&D!
 
Issue returned!! MBAM scan: Trojan.BHO

Hello Jack&Jill,

This is getting ridiculous! I was using Firefox (I usually use IE9... I've heard/read that Firefox is more secure so I thought I'd use that more regularly.) and again, when I right click on a link to open it in a new tab I've been redirected!!

I ran MBAM and it found this:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.14.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Admin :: ADMIN-PC [administrator]

7/17/2012 1:01:05 AM
mbam-log-2012-07-17 (01-47-51).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 320813
Time elapsed: 30 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Admin\AppData\Local\Temp\0.8223045982200018 (Trojan.BHO)
-> No action taken.

(end)


WTF!! :mad:

I didn't delete it... I wanted you to see it first.

I had an XP machine for 9 years.... that's right 9 years! I was infected once, in April 2011. I thought an 'upgrade' might be in order.... 1/2 a gigabyte of RAM memory was ridiculously slow, but the cost of this new operating system & newer IE is making me long for XP Home & IE7!!

What could be causing this reinfection? I have NOT connected my external HD to deal with the PUP programs we deleted early yesterday nor have I used the flash drives. I just surfed in Firefox!

I checked the Add-on Manager in Firefox & the Java plug-in has issues but Firefox has blocked its use. Spybot TeaTimer is running.

FYI: I haven't deleted any of the programs we used to diagnose these problems if we need to use the them again.

Now what?

Jpatrick
 