Spyware Warrior

[Gary R]

Temporarily disable Avira before running the following OTL fix.

• Double click OTL.exe to launch the programme.
  
• Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
  

[hlwalkerst]

The first time I tried to run OTL I forgot to disable Avira, so I killed it and then did the disable.

When I executed OTL, it seemed to hang (kept getting Not Responding), so I killed it again.

I launched it a third time and it ran fine. I only have the log file from the last execution. sorry for the missteps on my part.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A28AFCB-D7B6-4628-8EA2-D66964A22F01}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A28AFCB-D7B6-4628-8EA2-D66964A22F01}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8214ADD5-AD05-4B67-BD93-C3BB6003BCCF}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8214ADD5-AD05-4B67-BD93-C3BB6003BCCF}\ not found.
HKEY_USERS\S-1-5-21-3444987807-3986069032-107293006-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3444987807-3986069032-107293006-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8214ADD5-AD05-4B67-BD93-C3BB6003BCCF}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8214ADD5-AD05-4B67-BD93-C3BB6003BCCF}\ not found.
File C:\USERS\KRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UPMH8NTC.DEFAULT\EXTENSIONS\ADBLOCKPOPUPS@JESSEHAKANEN.NET.XPI not found.
File C:\USERS\KRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UPMH8NTC.DEFAULT\EXTENSIONS\TRACKMENOT@MRL.NYU.EDU.XPI not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
File C:\Windows\Tasks\Ad-Aware Update (Daily 1).job not found.
File C:\Windows\Tasks\Ad-Aware Update (Daily 2).job not found.
File C:\Windows\Tasks\Ad-Aware Update (Daily 3).job not found.
File C:\Windows\Tasks\Ad-Aware Update (Daily 4).job not found.
File C:\Windows\Tasks\Ad-Aware Update (Weekly).job not found.
File C:\Windows\system32\tasks\{9C89CB98-3BCD-4960-8421-30F9BEFE0131} not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kris
->Temp folder emptied: 24552571 bytes
->Temporary Internet Files folder emptied: 2588520 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 55314652 bytes
->Flash cache emptied: 456 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1254 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2335557 bytes

Total Files Cleaned = 81.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Kris\Downloads\cmd.bat deleted successfully.
C:\Users\Kris\Downloads\cmd.txt deleted successfully.
< ipconfig /displaydns /c >
Windows IP Configuration
Could not display the DNS Resolver Cache.
C:\Users\Kris\Downloads\cmd.bat deleted successfully.
C:\Users\Kris\Downloads\cmd.txt deleted successfully.
< ipconfig /all /c >
Windows IP Configuration
Host Name . . . . . . . . . . . . : Kris-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : Atheros AR5009 802.11a/g/n WiFi Adapter
Physical Address. . . . . . . . . : 00-24-2B-03-48-3E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8102/8103 Family PCI-E FE NIC
Physical Address. . . . . . . . . : 00-1F-16-62-F2-38
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f893:4519:7566:cf95%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, July 09, 2012 8:39:05 AM
Lease Expires . . . . . . . . . . : Tuesday, July 10, 2012 8:39:05 AM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 167780118
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-FF-EF-A5-00-24-2B-03-48-3E
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 6:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{6EA0CE12-8DA6-4161-A69E-91DF26BEF9E9}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 12:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2083:15e:3f57:febf(Preferred)
Link-local IPv6 Address . . . . . : fe80::2083:15e:3f57:febf%13(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter Local Area Connection* 14:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 15:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\Kris\Downloads\cmd.bat deleted successfully.
C:\Users\Kris\Downloads\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.53.1 log created on 07092012_084136

Files\Folders moved on Reboot...
C:\Users\Kris\AppData\Local\Temp\ehmsas.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Kris\AppData\Local\Temp\ehmsas.txt not found!

Registry entries deleted on Reboot...

[hlwalkerst]

By the way, Ghostery has caught a couple of the attempted redirects from our Ukrainian friend (I see his IP in my history). I clicked on a site called www.kitco.com (some kind of gold buying site that is rated as safe by Web of Trust).

I had one yesterday evening and one today:

"Ghostery prevented a redirect from 166.157206.ampnetwork.net to 1166.sg4ken.com, which is part of Double Click"

The one last night was an attempted redirect from "1.ampnetwork.net to click.linksynergy.com, which is part of LinkShare"

[Gary R]

Are you being re-directed since the last OTL fix was run ?
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

Yes

[hlwalkerst]

Yes

[Gary R]

Well there's nothing on your computer that I can see that would explain why.

Please try the following ....

Reset Internet Explorer Settings

To do this ....

• Start Internet Explorer.
  
• Click Tools > Internet Options > Advanced
  

• In the Reset Internet Explorer settings section click the Reset button.
  

• Check the Delete personal settings.
  
• Reset Internet Explorer Settings will now process your request using the settings you've selected.
  

Please try going online using Internet Explorer, run a few searches, and let me know if you're still being re-directed.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

When I hit the Reset button, a window pops up that says I have to close all open programs and windows. I was using Firefox and Outlook, so I closed them.

Tried again, and get the same message. For whatever reason, it's blocking me.

FWIW, the original message that I got that I suspect started the problem claimed to be from IE. And yesterday and IE window popped up also, even though I wasn't using it as a browser and hadn't opened it. I always use Firefox. I only keep IE around for the rare occasion that something is incompatible with Firefox. For instance, I wanted to use the IKEA kitchen planning tool, and that addon was incompatible with the then-current version of Firefox. So I used IE until the addon was made compliant with FF.

Would uninstalling IE with either Windows or CCleaner be an option? Then re-install from safe site?

Just looking at the options set in IE. One is "Enable third-party extensions to browser", and it is checked.

Also, "Warn if changing between secure and non-secure mode" is unchecked.

[Gary R]

I've been doing a little thinking, and before we proceed any further with resetting Internet Explorer, I'd like you to try the following .....

• Click Start > Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings
  
• Right click on your connection and select Properties
  
• Under the Network tab, click on Internet Protocol Version 4 (TCP/IPv4) to highlight it.
  
• Click Properties
  
  
  
  • Ensure that Obtain an IP address automatically is selected
    
  • Ensure that Use the following DNS Server addresses is selected
    
    
    
    • Enter 208.67.220.220 into the Preferred DNS Server box.
      
    • Enter 208.67.222.222 into the Alternate DNS Server box.
      
    
    
  • Click OK
    
  
  
• Under the Network tab, click on Internet Protocol Version 6 (TCP/IPv6) to highlight it.
  
• Click Properties
  
  
  
  • Ensure that Obtain an IP address automatically is selected
    
  • Ensure that Use the following DNS Server addresses is selected
    
    
    
    • Enter 208.67.220.220 into the Preferred DNS Server box.
      
    • Enter 208.67.222.222 into the Alternate DNS Server box.
      
    
    
  • Click OK
    
  
  
• Click Close
  
• Exit any open windows
  

Now try running a search with either Firefox or Internet Explorer and let me know if you're still being re-directed.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

For IPv4, I can enter the values without a problem.


For IPv6, when I try to enter 208.67.220.220 in the preferred DNS server, I get what looks almost like a cartoon bubble/balloon pointing to the field and it says "The network address entered is invalid". The only thing I can do is erase the value; otherwise it won't let me OK or even Cancel.

Another thing, for IPv4, the entry field was preformatted with "." so that when I did my paste, the IP address was formatted.

For IPv6, the field seems to be free form.

[hlwalkerst]

There is a way to disable IPv6 in Firefox:

From http://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

[Gary R]

Just change the TCP/IPv4 settings then, IE an FF should try to establish using TCP/IPv4 first anyway, so if this is going to work it should work with just TCP/IPv4 changed.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

Have been Googling madly using Firefox since we applied the IPv4 changes. No redirects so far. I closed my Firefox session and restarted it, and still no redirects. I did check the history file and the cookies, and the Ukranian hasn't left any footprints since the IPv4 settings modification.

I haven't done any searches in IE. I have to admit that I'm a little gun-shy, as I don't have anything like Web of Trust installed over there, so I feel as if I'm working a little blindly and I don't' want to stumble into any bad sites.



Kris

[Gary R]

There's a Web of Trust add on for IE as well ..... http://www.mywot.com/en/download/ie
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

Thanks for the great tip about McAfee. I installed it and feel much more comfortable with IE, though I'll stick with my Firefox and WOT: It's much faster!

I did some searches in IE and have not gotten any redirects.

So where do we stand? Do you want me to continue working for another day or so to see if the redirects are really gone? I still don't see any footprints in the history file, so I think the redirects are blocked.

And is this the permanent solution? Or is it a patch until we can remove the malware? (I guess I'm assuming it's still here, but we're working around it).

I have not yet reconnected the router. Would it be advisable to update the firmware? As I think I mentioned before, I've had it for 5 years and have never done any firmware updates.

I'm also reading the threads on the forum regarding security measures. I'm pleased to say that I've already implemented many of them. Sandboxing was a completely new concept and I plan to investigate that further.

Again, I cannot thank you enough for your efforts on my behalf.

Kris

Edit: Just saw that you changed the link to a WOT add-on for IE. For now, I'll leave McAfee in place but will bookmark the WOT add-on for IE for future reference.

[Gary R]

You're welcome, glad we're making some progress.

For the moment I want to leave the Open DNS settings in place, run searches for a while with the machine we've been working on to make sure the re-directs don't reappear. If I can, I'd rather establish just exactly what is causing the problem when your computer is set to obtain a DNS server automatically, but so far I haven't spotted it. I'm going to have to go through all the logs again and see if I've missed something.

Now you said you have other computers connected into your home network, do any of them get re-directed when you run searches ? What I'm trying to establish is whether the infection is restricted to one machine, or is network mobile.

I've had a long day today, so I'll be turning in for the night soon, so it will probably be tomorrow morning when I see your reply.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

My husband has a work PC running XP that we have used in the last couple of days since the redirect problem started. It's locked down pretty tightly by his company, and he has no admin privileges on that machine. Also, he just retired, and that machine is only being used occasionally to check email, or if he does an day of consulting, which is not very often. He uses it mostly for email and Oracle access.

I also have an iPad and an iPod touch.

I'll reconnect the router and we'll test the other devices. I think i'll start with the iPad and report results to you.

[hlwalkerst]

I was online a good part of the day and using Google, and got no redirects at all since changing the DNS settings for the network connection.

I reconnected the router. As you may recall, I had restored it to factory settings yesterday, used it, and then disconnected it.

I hooked it back up, and I got a redirect after the second Google search that I did.

I applied the same fix to the wireless connection as I had to the wired connection, namely specifying the preferred and alternate DNS servers. I think that's what you referred to as leaving the Open DNS settings in place.

Went back to Google and got another redirect almost immediately.

[hlwalkerst]

So I reset the router again.

I checked the System Settings on the router. There was one value that didn't seem right. It was the UPnP, which was set to Enable. The Belkin website and manual say that the router ships with this set to Disable. The fact that it was enabled even after a factory reset was a bit odd, though I guess the documentation might not be accurate. Not a parameter that I ever changed, so it may have well been set to Enable all along.

The other thing that happened was that at one point I was locked out of the router admin software, and it said something about two Administrators having access. Something about 192.168.2.2 having control. Maybe something I did; not sure it means anything.


I disconnected the router from the modem, so there was no Internet access. I did the factory settings restore again, connected the router to my PC and then went through the setups, including setting the UPnP to Disable. Redid my passwords and wireless keys while I was offline and have now reconnected everything and am trying wireless again.

Update: It didn't take long for a redirect to occur with the router in the loop, so changing that UPnP system setting apparently didn't help. I'm back to a direct connect to the modem. Router is sitting on the dining room table looking lonely.

The really bad news is that now I'm getting redirects even when I'm directly connected to the modem and the router is out of the picture.



Talk to you on the morrow.

[Gary R]

Seems the router is the source of the problem then, and it sounds like it might have re-infected your computer when you connected back to it.

For whatever as yet unknown reason, the router re-set does not appear to be cleaning the infection from the router. We'll come back to that shortly, but first we need to check your computer out again.

• Double click OTL.exe to launch the programme.
  
• Check the following.
  
  
  
  • Scan all users.
    
  • Standard Output.
    
  • Lop check.
    
  • Purity check.
    
  
  
• Under Extra Registry section, select Use SafeList
  
• Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  
• When finished it will produce two logs.
  
  
  
  • OTL.txt (open on your desktop).
    
  • Extras.txt (minimised in your taskbar)
    
  
  
• Please post me both logs.
  

Next

Please download SystemLook from one of the links below and save it to your Desktop.

For 32 bit Systems
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

[hlwalkerst]

OTL logfile created on: 7/10/2012 4:44:14 AM - Run 4
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Kris\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.93 Gb Total Physical Memory | 1.73 Gb Available Physical Memory | 58.86% Memory free
6.06 Gb Paging File | 4.72 Gb Available in Paging File | 77.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 287.21 Gb Total Space | 201.97 Gb Free Space | 70.32% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.81 Gb Free Space | 16.63% Space Free | Partition Type: NTFS

Computer Name: KRIS-PC | User Name: Kris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/06 16:15:15 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Kris\Downloads\OTL.exe
PRC - [2012/06/18 05:44:13 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/06/15 15:44:04 | 000,548,264 | ---- | M] (Splashtop Inc.) -- C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe
PRC - [2012/06/15 15:44:02 | 002,463,648 | ---- | M] (Splashtop Inc.) -- C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe
PRC - [2012/06/15 15:43:54 | 006,526,888 | ---- | M] (Splashtop Inc.) -- C:\Program Files\Splashtop\Splashtop Remote\Server\SRFeature.exe
PRC - [2012/06/15 12:26:22 | 000,095,232 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2012/05/08 08:03:05 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012/05/08 08:02:59 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012/05/08 08:02:58 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/05/08 08:02:58 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012/03/15 00:20:30 | 000,370,504 | ---- | M] (Splashtop Inc.) -- C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe
PRC - [2010/11/18 09:05:11 | 000,083,792 | R--- | M] (Storage Appliance Corp.) -- C:\ProgramData\OfficeGuardianV2N\UACProxy.exe
PRC - [2010/11/18 09:05:07 | 000,862,032 | R--- | M] (Storage Appliance Corp.) -- C:\ProgramData\OfficeGuardianV2N\Reminder\SacReminder.exe
PRC - [2010/11/18 09:05:06 | 000,163,664 | R--- | M] (Storage Appliance Corporation) -- C:\ProgramData\OfficeGuardianV2N\Reminder\SacNetAgent.exe
PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe
PRC - [2008/03/17 20:06:00 | 001,848,648 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2008/01/20 21:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/05/21 03:37:36 | 000,124,512 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
PRC - [2007/03/09 11:09:58 | 000,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/18 05:44:12 | 002,042,848 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/06/14 20:55:07 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
MOD - [2012/06/14 20:54:51 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
MOD - [2012/06/14 20:54:24 | 014,329,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7343fbab1ba137db2f8b284047ef3f3c\PresentationFramework.ni.dll
MOD - [2012/06/14 20:53:02 | 012,219,392 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7b6293b0c23321c255c2530aea8e32bb\PresentationCore.ni.dll
MOD - [2012/05/09 15:28:35 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f3d4d5fe5ab848fbfcf91a49960dc8ae\System.Management.ni.dll
MOD - [2012/05/09 15:26:51 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll
MOD - [2012/05/09 15:26:49 | 000,627,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\b6d83a652c94b32fc8f99a6df0acd7f4\System.Transactions.ni.dll
MOD - [2012/05/09 15:26:48 | 000,627,712 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4b5eaa70d2900b98ccf6fd9915f34d69\System.EnterpriseServices.ni.dll
MOD - [2012/05/09 15:26:48 | 000,280,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4b5eaa70d2900b98ccf6fd9915f34d69\System.EnterpriseServices.Wrapper.dll
MOD - [2012/05/09 15:26:39 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll
MOD - [2012/05/09 15:05:06 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
MOD - [2012/05/09 15:04:26 | 006,621,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\bfdd10e0a0aacf46bac557ffc5d55ba5\System.Data.ni.dll
MOD - [2012/05/09 15:04:15 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c8c3ab08933fef9fb6657da871395c46\PresentationFramework.Aero.ni.dll
MOD - [2012/05/09 15:03:42 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\54426ee1881b42af5b090e223f43823c\WindowsBase.ni.dll
MOD - [2012/05/09 15:03:38 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012/05/09 15:03:29 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/04/10 23:28:22 | 000,368,640 | ---- | M] () -- C:\Windows\System32\msjetoledb40.dll
MOD - [2009/04/10 19:04:16 | 000,113,664 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
MOD - [2009/03/29 21:42:20 | 000,261,632 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2009/03/29 21:42:18 | 002,933,760 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2008/09/30 18:56:06 | 000,032,768 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Content.XmlSerializers.dll
MOD - [2008/09/30 18:52:02 | 000,007,168 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
MOD - [2008/09/30 18:52:00 | 000,057,344 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
MOD - [2008/09/30 18:51:52 | 000,118,784 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\ECLibrary.dll
MOD - [2008/09/30 18:51:52 | 000,010,240 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
MOD - [2008/09/30 18:51:36 | 000,040,960 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
MOD - [2008/09/30 18:51:36 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll
MOD - [2008/09/30 18:51:36 | 000,005,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
MOD - [2008/09/23 20:21:22 | 000,066,856 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll
MOD - [2007/08/14 16:59:54 | 006,365,184 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
MOD - [2007/07/12 16:55:52 | 000,131,072 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
MOD - [2007/07/12 16:55:28 | 001,581,056 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/06/18 05:44:12 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/15 15:44:04 | 000,548,264 | ---- | M] (Splashtop Inc.) [Auto | Running] -- C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe -- (SplashtopRemoteService)
SRV - [2012/06/15 12:26:22 | 000,095,232 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2012/05/08 08:03:05 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/08 08:02:58 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012/03/15 00:20:30 | 000,370,504 | ---- | M] (Splashtop Inc.) [Auto | Running] -- C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe -- (SSUService)
SRV - [2010/11/18 09:05:11 | 000,083,792 | R--- | M] (Storage Appliance Corp.) [Auto | Running] -- C:\ProgramData\OfficeGuardianV2N\UACProxy.exe -- (CFUACProxy_officeguardianv2n)
SRV - [2010/11/18 09:05:06 | 000,163,664 | R--- | M] (Storage Appliance Corporation) [Auto | Running] -- C:\ProgramData\OfficeGuardianV2N\Reminder\SacNetAgent.exe -- (SacNetAgentService_C57C4F854F53)
SRV - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2012/05/08 08:03:08 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/05/08 08:03:08 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/09/15 23:55:04 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/05/19 15:52:20 | 001,166,848 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/03/06 09:06:02 | 000,140,800 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/10/03 04:39:28 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/06/29 09:52:26 | 000,112,128 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV - [2008/01/20 21:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2008/01/20 21:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2007/10/17 18:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/18 19:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE - HKLM\..\SearchScopes,DefaultScope = {6A28AFCB-D7B6-4628-8EA2-D66964A22F01}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\..\SearchScopes,DefaultScope = {6A28AFCB-D7B6-4628-8EA2-D66964A22F01}
IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\..\SearchScopes\{6A28AFCB-D7B6-4628-8EA2-D66964A22F01}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.startup.homepage: "http://www.google.com/firefox"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/07/09 14:40:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/18 05:44:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/28 07:23:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/05/28 07:23:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/18 05:44:13 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/28 07:23:13 | 000,000,000 | ---D | M]

[2009/02/07 08:43:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kris\AppData\Roaming\Mozilla\Extensions
[2012/07/09 08:28:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\upmh8ntc.default\extensions
[2010/04/27 16:33:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\upmh8ntc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/05/17 12:45:31 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\upmh8ntc.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/06/07 16:31:11 | 000,000,000 | ---D | M] (20-20 3D Viewer - IKEA) -- C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\upmh8ntc.default\extensions\2020Player_IKEA@2020Technologies.com
[2012/02/16 21:42:26 | 000,000,000 | ---D | M] (Click&amp;Clean) -- C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\upmh8ntc.default\extensions\clickclean@hotcleaner.com
[2012/07/03 07:48:34 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\upmh8ntc.default\extensions\firefox@ghostery.com
[2012/05/14 08:27:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/18 05:44:13 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/03 18:30:11 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/06/18 05:44:10 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/18 05:44:10 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/09 08:43:20 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3444987807-3986069032-107293006-1000..\Run: [LightScribe] C:\Users\Kris\AppData\Local\LightScribe\ibuzvdbz.dll (Winsoft SA)
O4 - HKU\S-1-5-21-3444987807-3986069032-107293006-1000..\Run: [SacReminderHDDV2N] C:\ProgramData\OfficeGuardianV2N\Reminder\SacReminder.exe (Storage Appliance Corp.)
O7 - HKU\S-1-5-21-3444987807-3986069032-107293006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} http://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab (20-20 3D Viewer for IKEA)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6EA0CE12-8DA6-4161-A69E-91DF26BEF9E9}: NameServer = 208.67.222.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2}: NameServer = 208.67.220.220,208.67.220.222
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - File not found
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img36.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img36.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/09 14:40:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2012/07/09 14:40:32 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2012/07/07 09:00:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/06 15:39:36 | 000,014,664 | ---- | C] (McAfee, Inc.) -- C:\Windows\stinger.sys
[2012/07/06 15:38:39 | 000,000,000 | ---D | C] -- C:\Program Files\stinger
[2012/07/05 15:58:06 | 000,000,000 | ---D | C] -- C:\Users\Kris\AppData\Local\Google
[2012/07/05 15:58:04 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/07/05 11:59:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos
[2012/07/05 11:59:16 | 000,000,000 | ---D | C] -- C:\Users\Kris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
[2012/07/05 11:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2012/07/03 08:26:39 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2012/07/03 08:26:10 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2012/07/02 20:01:46 | 002,135,640 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Kris\Desktop\TDSSKiller.exe
[2012/07/02 06:30:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/07/02 06:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/07/02 06:29:24 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/07/01 20:54:28 | 000,000,000 | ---D | C] -- C:\Users\Kris\AppData\Local\LightScribe
[2012/06/19 05:36:43 | 002,422,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll
[2012/06/19 05:36:43 | 000,045,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll
[2012/06/19 05:35:57 | 000,088,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2012/06/19 05:35:57 | 000,035,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2012/06/19 05:35:56 | 000,577,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2012/06/19 05:35:45 | 000,171,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2012/06/19 05:35:45 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[2012/06/14 12:15:37 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/06/14 12:15:35 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/06/14 12:15:35 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/06/14 12:15:34 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/06/14 12:15:34 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/06/14 12:15:34 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/06/14 12:15:33 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/06/14 12:13:00 | 002,045,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

========== Files - Modified Within 30 Days ==========

[2012/07/10 04:50:47 | 000,002,617 | ---- | M] () -- C:\Users\Kris\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook 2007.lnk
[2012/07/10 04:46:58 | 000,607,406 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/07/10 04:46:58 | 000,105,014 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/07/10 04:40:54 | 000,000,284 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2012/07/10 04:40:34 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/10 04:40:34 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/10 04:40:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/10 04:40:22 | 3149,078,528 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/09 21:24:50 | 000,092,035 | ---- | M] () -- C:\Users\Kris\Desktop\IP address conflict.jpg
[2012/07/09 08:43:20 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/07/09 07:22:58 | 000,000,512 | ---- | M] () -- C:\Users\Kris\Desktop\MBR.dat
[2012/07/08 16:11:20 | 014,181,242 | ---- | M] () -- C:\Users\Kris\Documents\belkin router manual.pdf
[2012/07/06 16:38:39 | 002,135,640 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kris\Desktop\TDSSKiller.exe
[2012/07/06 15:42:29 | 000,014,664 | ---- | M] (McAfee, Inc.) -- C:\Windows\stinger.sys
[2012/07/06 13:28:50 | 000,002,904 | ---- | M] () -- C:\Users\Kris\Documents\cc_20120706_132845.reg
[2012/07/05 11:59:16 | 000,002,036 | ---- | M] () -- C:\Users\Kris\Desktop\Sophos Virus Removal Tool.lnk
[2012/07/03 17:12:22 | 000,009,702 | ---- | M] () -- C:\Users\Kris\Documents\cc_20120703_171218.reg
[2012/07/03 08:16:57 | 000,019,266 | ---- | M] () -- C:\Users\Kris\Documents\cc_20120703_081651.reg
[2012/07/02 20:28:02 | 000,000,318 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForKris.job
[2012/07/02 06:30:38 | 000,001,624 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/06/27 15:46:22 | 000,000,898 | ---- | M] () -- C:\Users\Kris\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/06/14 20:51:16 | 000,398,744 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/07/09 21:24:49 | 000,092,035 | ---- | C] () -- C:\Users\Kris\Desktop\IP address conflict.jpg
[2012/07/09 07:22:58 | 000,000,512 | ---- | C] () -- C:\Users\Kris\Desktop\MBR.dat
[2012/07/08 16:11:20 | 014,181,242 | ---- | C] () -- C:\Users\Kris\Documents\belkin router manual.pdf
[2012/07/06 13:28:49 | 000,002,904 | ---- | C] () -- C:\Users\Kris\Documents\cc_20120706_132845.reg
[2012/07/05 11:59:16 | 000,002,036 | ---- | C] () -- C:\Users\Kris\Desktop\Sophos Virus Removal Tool.lnk
[2012/07/03 17:12:20 | 000,009,702 | ---- | C] () -- C:\Users\Kris\Documents\cc_20120703_171218.reg
[2012/07/03 08:16:55 | 000,019,266 | ---- | C] () -- C:\Users\Kris\Documents\cc_20120703_081651.reg
[2012/07/02 06:30:38 | 000,001,624 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/06/27 15:46:22 | 000,000,898 | ---- | C] () -- C:\Users\Kris\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/11/17 14:14:04 | 000,060,304 | ---- | C] () -- C:\Users\Kris\g2mdlhlpx.exe
[2010/08/25 20:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 20:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 20:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 19:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2010/08/25 19:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/08/25 19:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2010/05/20 18:08:22 | 000,003,584 | ---- | C] () -- C:\Users\Kris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/03 18:10:39 | 000,013,732 | ---- | C] () -- C:\Users\Kris\AppData\Roaming\wklnhst.dat
[2009/02/07 16:26:17 | 000,007,052 | ---- | C] () -- C:\Users\Kris\AppData\Local\d3d9caps.dat
[2009/01/14 14:37:50 | 000,000,284 | ---- | C] () -- C:\ProgramData\hpqp.ini

========== LOP Check ==========

[2010/10/04 08:59:33 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\Amazon
[2012/02/06 16:22:50 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\Canon
[2009/06/29 09:32:19 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/08/31 15:34:54 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\IrfanView
[2012/05/17 13:53:39 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\JPEGsnoop
[2009/04/02 11:23:50 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\Leadertech
[2009/06/03 18:10:41 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\Template
[2009/02/07 08:49:16 | 000,000,000 | ---D | M] -- C:\Users\Kris\AppData\Roaming\Thunderbird
[2012/07/09 22:10:07 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

[hlwalkerst]

OTL Extras logfile created on: 7/10/2012 4:44:14 AM - Run 4
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Kris\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.93 Gb Total Physical Memory | 1.73 Gb Available Physical Memory | 58.86% Memory free
6.06 Gb Paging File | 4.72 Gb Available in Paging File | 77.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 287.21 Gb Total Space | 201.97 Gb Free Space | 70.32% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.81 Gb Free Space | 16.63% Space Free | Partition Type: NTFS

Computer Name: KRIS-PC | User Name: Kris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3444987807-3986069032-107293006-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"9000:TCP" = 9000:TCP:*:Enabled:Squeezebox Server 9000 tcp (UI)
"9001:TCP" = 9001:TCP:*:Enabled:Squeezebox Server 9001 tcp (UI)
"9002:TCP" = 9002:TCP:*:Enabled:Squeezebox Server 9002 tcp (UI)
"9003:TCP" = 9003:TCP:*:Enabled:Squeezebox Server 9003 tcp (UI)
"9004:TCP" = 9004:TCP:*:Enabled:Squeezebox Server 9004 tcp (UI)
"9005:TCP" = 9005:TCP:*:Enabled:Squeezebox Server 9005 tcp (UI)
"9006:TCP" = 9006:TCP:*:Enabled:Squeezebox Server 9006 tcp (UI)
"9007:TCP" = 9007:TCP:*:Enabled:Squeezebox Server 9007 tcp (UI)
"9008:TCP" = 9008:TCP:*:Enabled:Squeezebox Server 9008 tcp (UI)
"9009:TCP" = 9009:TCP:*:Enabled:Squeezebox Server 9009 tcp (UI)
"9010:TCP" = 9010:TCP:*:Enabled:Squeezebox Server 9010 tcp (UI)
"9100:TCP" = 9100:TCP:*:Enabled:Squeezebox Server 9100 tcp (UI)
"8000:TCP" = 8000:TCP:*:Enabled:Squeezebox Server 8000 tcp (UI)
"10000:TCP" = 10000:TCP:*:Enabled:Squeezebox Server 10000 tcp (UI)
"9090:TCP" = 9090:TCP:*:Enabled:Squeezebox Server 9090 tcp (UI)
"3483:UDP" = 3483:UDP:*:Enabled:Squeezebox Server 3483 udp
"3483:TCP" = 3483:TCP:*:Enabled:Squeezebox Server 3483 tcp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9000:TCP" = 9000:TCP:*:Enabled:Squeezebox Server 9000 tcp (UI)
"9001:TCP" = 9001:TCP:*:Enabled:Squeezebox Server 9001 tcp (UI)
"9002:TCP" = 9002:TCP:*:Enabled:Squeezebox Server 9002 tcp (UI)
"9003:TCP" = 9003:TCP:*:Enabled:Squeezebox Server 9003 tcp (UI)
"9004:TCP" = 9004:TCP:*:Enabled:Squeezebox Server 9004 tcp (UI)
"9005:TCP" = 9005:TCP:*:Enabled:Squeezebox Server 9005 tcp (UI)
"9006:TCP" = 9006:TCP:*:Enabled:Squeezebox Server 9006 tcp (UI)
"9007:TCP" = 9007:TCP:*:Enabled:Squeezebox Server 9007 tcp (UI)
"9008:TCP" = 9008:TCP:*:Enabled:Squeezebox Server 9008 tcp (UI)
"9009:TCP" = 9009:TCP:*:Enabled:Squeezebox Server 9009 tcp (UI)
"9010:TCP" = 9010:TCP:*:Enabled:Squeezebox Server 9010 tcp (UI)
"9100:TCP" = 9100:TCP:*:Enabled:Squeezebox Server 9100 tcp (UI)
"8000:TCP" = 8000:TCP:*:Enabled:Squeezebox Server 8000 tcp (UI)
"10000:TCP" = 10000:TCP:*:Enabled:Squeezebox Server 10000 tcp (UI)
"9090:TCP" = 9090:TCP:*:Enabled:Squeezebox Server 9090 tcp (UI)
"3483:UDP" = 3483:UDP:*:Enabled:Squeezebox Server 3483 udp
"3483:TCP" = 3483:TCP:*:Enabled:Squeezebox Server 3483 tcp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0EAA51B0-4A91-43BC-82E8-F4A00315B2E3}" = lport=137 | protocol=17 | dir=in | app=system |
"{15C9EB64-B7AF-4483-9AC8-24E53E95AE29}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{21C47BEC-7E0B-4483-817B-7E557394A4F2}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{331F2420-B7BA-4A86-98D6-C7ADAF32E377}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{338073B0-CA2B-4F60-8CF6-B44AB05EB763}" = rport=137 | protocol=17 | dir=out | app=system |
"{38687772-7376-4FBD-BBAC-A4449BCAF58B}" = rport=139 | protocol=6 | dir=out | app=system |
"{63759515-A37F-4EC1-B4C6-FA659CBBD583}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{715C5D14-981E-43CA-AB28-090B2A20CFF9}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{89399FD5-C21E-4A12-865F-9861B12FCF9A}" = rport=445 | protocol=6 | dir=out | app=system |
"{8B102732-7A14-4BA9-9E8E-1D661C447380}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{904F2790-6004-485C-A4A9-212A1EB9B1B5}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{9D053A60-D8CC-4061-8947-66E6310E1785}" = lport=53272 | protocol=6 | dir=in | app=c:\programdata\officeguardianv2n\reminder\sacnetagent.exe |
"{A3397F8C-12A2-44C1-BF65-37426E195491}" = lport=445 | protocol=6 | dir=in | app=system |
"{A71421DD-5F08-4993-83FF-EBEF6991AD69}" = lport=53271 | protocol=17 | dir=in | app=c:\programdata\officeguardianv2n\reminder\sacnetagent.exe |
"{A7D618C2-8D6C-45F6-94E8-01AB158D97ED}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{B6026D14-F08A-40AA-9F94-0D4857F9D415}" = lport=138 | protocol=17 | dir=in | app=system |
"{C30A70F7-5E11-4982-B596-4AECEA747727}" = rport=138 | protocol=17 | dir=out | app=system |
"{D73C68C7-3796-43FC-B7EE-42917DBB58E5}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{D87B875A-9614-4AF3-9878-DA27DAC69511}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DC12504D-8EB7-4800-9982-779D368BF2E8}" = lport=139 | protocol=6 | dir=in | app=system |
"{DD42E8B5-E42C-4173-B774-4E773E80F2B4}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{F48A2BB2-DFE0-4A48-BF96-FEF7B4DEC391}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{FEBDA065-C045-4284-8CD7-6BAF27801C7F}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{094D0D18-24AE-4A0C-98C9-20790A3BC9DC}" = protocol=6 | dir=in | app=c:\users\kris\appdata\local\temp\7zs2d37.tmp\symnrt.exe |
"{0F3CFE98-5D4A-4FD2-8D49-0F8F81098D03}" = protocol=17 | dir=in | app=c:\program files\splashtop\splashtop remote\server\dataproxy.exe |
"{13D1F671-78B2-4BDE-9097-79E4B6647116}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{1ABEA5D1-5E65-4574-A5FD-1523EA2766B3}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{223E138E-9053-4593-A1F1-591CAE5C34DA}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{22F8B472-25DF-4525-ABEE-E192BCB21F30}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{27F2452E-5162-4A8F-8E80-E0FDF41C0513}" = protocol=6 | dir=in | app=c:\users\kris\appdata\local\temp\7zsad6d.tmp\symnrt.exe |
"{3053D97C-241E-4AC5-9170-CB3FF8399023}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{35AB767B-20D5-4C0C-9A0C-20E40546D847}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{5F671407-247B-4767-8A47-E74E54D32D34}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{6488101D-70EA-4629-8042-C5282E5D84F6}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{68D27C18-3DD9-4739-B5D7-0BF7EB221D64}" = protocol=6 | dir=in | app=c:\program files\splashtop\splashtop remote\server\inputserv.exe |
"{71C4F68B-E4F6-4156-BB62-A10E189D9FAC}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{7AD1C5C3-CEC7-41C8-86D3-751E39148E65}" = protocol=17 | dir=in | app=c:\users\kris\appdata\local\temp\7zsad6d.tmp\symnrt.exe |
"{83766235-776A-44E7-A9D3-8B63EA8C4A18}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{8F626705-DEE9-47E2-891D-187B976620D4}" = protocol=17 | dir=in | app=c:\program files\splashtop\splashtop remote\server\inputserv.exe |
"{8FC4E0E6-8BDC-48D8-9C35-C3CDB5F5DD26}" = protocol=17 | dir=in | app=c:\users\kris\appdata\local\temp\7zs2d37.tmp\symnrt.exe |
"{9767F50A-4B02-43A6-BD01-17E3E8FF93EE}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{99D64473-0FE4-4A64-AE91-34F1CF7BCC1B}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{AAA63CF9-0D7F-4E85-B193-028A6D20EDFA}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{AC0FF574-B9AB-4DF8-B5F6-73CF8346CD7C}" = protocol=17 | dir=in | app=c:\program files\splashtop\splashtop remote\server\srlogin.exe |
"{B28B38CE-DE14-4016-825B-F911EECECA26}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{B3CDC2C8-49BE-4FC5-ABFF-C1A5E40CD184}" = protocol=6 | dir=in | app=c:\program files\splashtop\splashtop remote\server\srfeature.exe |
"{BE0C8F4A-61DD-40C8-8EE0-1905F7C7FC87}" = protocol=17 | dir=in | app=c:\program files\splashtop\splashtop remote\server\srserver.exe |
"{C4D95BC3-21B8-4ECB-9CDA-A145F63CC702}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{C88DF078-FDD1-4751-9AFC-58FCDDE74D84}" = protocol=6 | dir=in | app=c:\program files\splashtop\splashtop remote\server\srserver.exe |
"{D0A545E3-50A7-496D-92E3-541F5EEBE7DA}" = protocol=6 | dir=in | app=c:\program files\splashtop\splashtop remote\server\dataproxy.exe |
"{DDC4B415-B23F-4D16-8779-3A788EC170F9}" = protocol=17 | dir=in | app=c:\program files\splashtop\splashtop remote\server\srfeature.exe |
"{DF5253AB-4DA4-4BDC-9A14-D012FDB52FFD}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{E92A0518-790E-4186-B7C5-9001623E7EC1}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{EE2196E7-323C-4246-9EB0-72A1D011E796}" = protocol=6 | dir=in | app=c:\program files\splashtop\splashtop remote\server\srlogin.exe |
"{EEE41D73-DD48-400B-BAE2-A0018AEB85CD}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F606E248-3A46-4A9C-929F-6B8D2ED2204C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"TCP Query User{0382D856-A221-47E9-893F-34BAA456BD49}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"TCP Query User{E55FA079-78A6-4867-A780-E11819D35C40}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{04D216AB-46C0-4E28-9D35-9C54D2F5F5F3}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{6EC07611-0D11-499B-9D52-8A9B25EA5599}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software 1.14.17.1
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP620_series" = Canon MP620 series MP Drivers
"{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support
"{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}" = HP Total Care Advisor
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{27F00C63-449B-2FAB-CBE8-24AB80E17449}" = Acrobat.com
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{2EFEAD58-3311-4B2B-9D8A-8D663581D109}" = Splashtop Streamer
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6AD9F5F3-5BD0-4000-BD9C-B536CF86D988}" = iTunes
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{846DDADA-0239-4B67-A6B1-33658863793B}" = HPTCSSetup
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{885F5AC6-4413-4D30-99A9-F4494BFA4923}" = Logitech Harmony Remote Software 7
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8F1ADE4D-EFAC-4F5A-B346-23C2687FAF50}" = Apple Mobile Device Support
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96384578-C6A2-4EC6-92CD-B62A60713040}" = Microsoft Live Search Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}" = HP User Guides 0118
"{B829E117-D072-41EA-9606-9826A38D34C1}" = Sophos Virus Removal Tool
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}" = muvee Reveal
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.15
"Avira AntiVir Desktop" = Avira Free Antivirus
"Canon MP620 series User Registration" = Canon MP620 series User Registration
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"Digital Editions" = Adobe Digital Editions
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ENTERPRISER" = Microsoft Office Enterprise 2007
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{2EFEAD58-3311-4B2B-9D8A-8D663581D109}" = Splashtop Streamer
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3444987807-3986069032-107293006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Amazon Kindle" = Amazon Kindle
"GoToMeeting" = GoToMeeting 5.1.0.873

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/9/2012 2:21:54 PM | Computer Name = Kris-PC | Source = ESENT | ID = 490
Description = Windows (2276) Windows: An attempt to open the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 7/9/2012 2:21:54 PM | Computer Name = Kris-PC | Source = ESENT | ID = 439
Description = Windows (2276) Windows: Unable to write a shadowed header for file
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk. Error -1032.

Error - 7/9/2012 2:22:04 PM | Computer Name = Kris-PC | Source = ESENT | ID = 490
Description = Windows (2276) Windows: An attempt to open the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 7/9/2012 2:22:04 PM | Computer Name = Kris-PC | Source = ESENT | ID = 439
Description = Windows (2276) Windows: Unable to write a shadowed header for file
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk. Error -1032.

Error - 7/9/2012 2:22:20 PM | Computer Name = Kris-PC | Source = ESENT | ID = 490
Description = Windows (2276) Windows: An attempt to open the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 7/9/2012 2:22:20 PM | Computer Name = Kris-PC | Source = ESENT | ID = 439
Description = Windows (2276) Windows: Unable to write a shadowed header for file
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk. Error -1032.

Error - 7/9/2012 2:25:55 PM | Computer Name = Kris-PC | Source = ESENT | ID = 490
Description = Windows (2276) Windows: An attempt to open the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 7/9/2012 2:25:55 PM | Computer Name = Kris-PC | Source = ESENT | ID = 439
Description = Windows (2276) Windows: Unable to write a shadowed header for file
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk. Error -1032.

Error - 7/10/2012 5:40:56 AM | Computer Name = Kris-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 9.0.8112.16446, time stamp
0x4fb57c8f, faulting module IEFRAME.dll, version 9.0.8112.16446, time stamp 0x4fb57fbb,
exception code 0xc0000005, fault offset 0x000fd1e1, process id 0xfc4, application
start time 0x01cd5e801a2f01da.

Error - 7/10/2012 5:41:12 AM | Computer Name = Kris-PC | Source = WinMgmt | ID = 10
Description =

[ OSession Events ]
Error - 11/6/2010 9:23:16 AM | Computer Name = Kris-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 67
seconds with 60 seconds of active time. This session ended with a crash.

Error - 12/23/2010 8:41:47 AM | Computer Name = Kris-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6548.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 102
seconds with 60 seconds of active time. This session ended with a crash.

Error - 4/30/2011 2:49:23 PM | Computer Name = Kris-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6555.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 18
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11/2/2011 6:19:22 PM | Computer Name = Kris-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 48
seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/16/2011 7:29:31 AM | Computer Name = Kris-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 3940
seconds with 180 seconds of active time. This session ended with a crash.

Error - 12/16/2011 7:29:49 AM | Computer Name = Kris-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 8
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 7/9/2012 9:45:54 PM | Computer Name = Kris-PC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001F1662F238. The following
error occurred: %%1168. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 7/9/2012 9:46:22 PM | Computer Name = Kris-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.2 for the Network Card with network
address 00242B03483E has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/9/2012 10:16:06 PM | Computer Name = Kris-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.2 for the Network Card with network
address 001F1662F238 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 7/9/2012 10:23:08 PM | Computer Name = Kris-PC | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.64
with the system having network hardware address 00-1C-DF-7F-BF-94. Network operations
on this system may be disrupted as a result.

Error - 7/9/2012 10:46:28 PM | Computer Name = Kris-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.3 for the Network Card with network
address 00242B03483E has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/9/2012 10:46:39 PM | Computer Name = Kris-PC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 00242B03483E. The following
error occurred: %%1168. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 7/9/2012 10:50:14 PM | Computer Name = Kris-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.2 for the Network Card with network
address 001F1662F238 has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 7/10/2012 5:41:12 AM | Computer Name = Kris-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 7/10/2012 5:41:12 AM | Computer Name = Kris-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 7/10/2012 5:41:33 AM | Computer Name = Kris-PC | Source = DCOM | ID = 10016
Description =


< End of report >

[hlwalkerst]

SystemLook 30.07.11 by jpshortstuff
Log created at 04:58 on 10/07/2012 by Kris
Administrator - Elevation successful

========== Regfind ==========

Searching for "31.193.0.178"
No data found.

-= EOF =-


The DNS settings were in place as we had modified them yesterday and I did not need not need to change them when I checked them today.

I also did a couple of Google searches and got a redirect.

[Gary R]

Please temporarily disable Avira

• Double click OTL.exe to launch the programme.
  
• Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
  

[hlwalkerst]

The router is not connected; I am using the modem only.

I got a redirect this morning.

I ran the OTL fix and then did some searches and got a redirect after the fix ran.

Here's the log from the OTL fix:

All processes killed
========== OTL ==========
Prefs.js: "" removed from browser.search.defaultenginename
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin\ deleted successfully.
C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll moved successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2}\\DhcpNameServer| /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Kris\Downloads\cmd.bat deleted successfully.
C:\Users\Kris\Downloads\cmd.txt deleted successfully.
< ipconfig /displaydns /c >
Windows IP Configuration
Could not display the DNS Resolver Cache.
C:\Users\Kris\Downloads\cmd.bat deleted successfully.
C:\Users\Kris\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kris
->Temp folder emptied: 860457 bytes
->Temporary Internet Files folder emptied: 8817119 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 74560573 bytes
->Flash cache emptied: 566 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1254 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 484 bytes

Total Files Cleaned = 80.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07102012_070512

Files\Folders moved on Reboot...
C:\Users\Kris\AppData\Local\Temp\ehmsas.txt moved successfully.
File\Folder C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{50353F66-3156-4FD5-B436-F561321242E4}.tmp not found!
C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{654102F6-DFDF-4913-BBE5-567043971A1F}.tmp moved successfully.
C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8F3A2E4A-3AF9-42B3-82FE-337FA0AF68D7}.tmp moved successfully.
C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D997AEA1-5382-4C87-9D60-D85B37FA6AF7}.tmp moved successfully.

PendingFileRenameOperations files...
File C:\Users\Kris\AppData\Local\Temp\ehmsas.txt not found!
File C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{50353F66-3156-4FD5-B436-F561321242E4}.tmp not found!
File C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{654102F6-DFDF-4913-BBE5-567043971A1F}.tmp not found!
File C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8F3A2E4A-3AF9-42B3-82FE-337FA0AF68D7}.tmp not found!
File C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D997AEA1-5382-4C87-9D60-D85B37FA6AF7}.tmp not found!

Registry entries deleted on Reboot...

[hlwalkerst]

The system had rebooted after OTL, so Avira was enabled.

I executed GMER, and whilie it was running a message popped up saying that it had stopped working and Windows was going to close it. I hit "Close Program", reconnected to the Internet and am posting this message.

should Avira be disabled for GMER to run?

Also, there are two drives on this machine, a C: and a D: There's only one physical drive on the machine as far as I know. D was not checked when I launched GMER; that was the way it came up when I launched GMER. Pls let me know if I should be checking D

[Gary R]

Yes, temporarily disable Avira while you run GMER. And just scan the C:\ drive.

GMER is a rootkit scanner which looks pretty deep into your computer, and its actions may be misinterpreted and blocked by Avira.

At the moment I can't see any real reason why your searches are being re-directed, and it may be that it's going to be impossible for me to resolve your issues using online methods.

Hopefully the GMER results may throw more light on the matter, but I'm not confident at this point.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

I downloaded GMER to get a fresh copy.

Disconnected from the Internet and turned off Avira

GMER started running, and then got stuck at the same point it did the first time. \Device\HarddiskVolumeShadowCopy1

Same windows message indicating that it had stopped working, and I hit Close Program.

If you think you will not be able to assist any further, can you suggest the best way to proceed and what kind of resources I should be looking for?

Also, from what you've seen, should I be concerned about accessing my financial institutions with this redirect problem still on my machine?

Also, found this link on Mozilla about redirects: http://support.mozilla.org/en-US/questions/726801#answer-4438

Lots of interesting possibilities. This one : https://addons.mozilla.org/en-US/firefox/addon/browserprotect/

looked especially interesting, but I think it's supposed to stop the malware from getting installed rather than getting rid of it once it's there.

The redirects are not limited to Google. I was also redirected using Bing.

[Gary R]

OK, a HarddiskVolumeShadowCopy would suggest some sort of backup. Why GMER would get stuck on that I couldn't say.

If you are using that computer for financial matters, then I most certainly would NOT suggest that you use it while the cause of the re-directs are still unresolved. In fact if you're using that computer for financial matters, I would suggest that you should consider reformatting the hard drive and re-installing Windows.

The reason I have not suggested that so far, is because I'm not convinced that your computer is the source of your problems.

The tests we've run so far should have picked up any infection present on your computer, and I'm much more convinced that the problem lies within your router/modem setup. The trouble is I don't have any tools that I can run that will enable me to analyse your router/modem from here, so I'm limited to asking you to reset it, with no way of checking whether the reset was successful or not.

On the matter of whether one of your Firefox extensions is the source of the problem, I have to say that I don't believe they are. If your problem was being caused by a FF extension, then Internet Explorer would not be being re-directed, but of course it is.

There are a couple of things left that we can attempt on your computer, but I'm as certain as I can be that the computer is not the source of the problem, still we can try them if you wish.

I just didn't want to keep you running scan after scan and test after test without letting you know that the probability of resolving this using online methods is getting less and less.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

Since the router is currently not part of the setup, is it reasonable to assume that there is something on the PC causing the redirects? At one point when I was modem-only, the redirects were stopped. Maybe the malware is being passed back and forth. A firmware update and/or a new router might work once we have the computer running cleanly?

I'm wondering if we can run the other things you might suggest to see if we can find it on the computer.

Can the modem get infected, too?

I have no financial information on the computer; I simply use it to access my institutions via the Internet. And I don't store the passwords in FF master password feature. I just enter them manually.

I can call my institutions and ask them to put a security alert on my accounts.

Reformatting the hard drive and reinstalling Windows is beyond my skill set, so I'd have to find someone here to do that for me. I have a friend who uses a company for his business. Might be time to consider having them come in and review my entire setup.

[Gary R]

Yes, it's possible for the modem to have its settings changed by an infection, just like it is/was for the router, so if it's possible to do a modem reset then I would suggest you perform one.

When we got a temporary stop on your re-directs, it seemed likely that as they resumed once you'd connected to your router, that the infection had been passed back to the computer, but subsequent scans have not shown any signs of re-infection of the computer.

However, since we don't have a GMER log, it's possible something may be concealing itself on your computer that is not being picked up by the scans we've run so far.

The next scan is run from Recovery Environment, which means that Windows will not be booted, so any infection if there is one will not be running and will therefore not be able to conceal itself.

• Download FRST to a USB flash drive.
  
• Plug the USB drive into the infected machine.
  

Boot your computer into Recovery Environment

• Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  
• Select Repair your computer.
  
• Select Language and click Next
  
• Enter password (if necessary) and click OK, you should now see the screen below ...
  

• Select the Command Prompt option.
  
• A command window will open.
  
  
  
  • Type notepad then hit Enter.
    
  • Notepad will open.
    
    
    
    • Click File > Open then select Computer.
      
    • Note down the drive letter for your USB Drive.
      
    • Close Notepad.
      
    
    
  
  
• Back in the command window ....
  
  
  
  • Type e:/frst.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    
  • FRST will start to run.
    
    
    
    • When the tool opens click Yes to disclaimer.
      
    • Press Scan button.
      
    • When finished scanning it will make a log FRST.txt on the flash drive.
      
    
    
  
  
• Close the command window.
  
• Boot back into normal mode and post me the FRST.txt log please.
  

_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

Hi Gary,

After further consideration, I've decided that it would be best to step back and take a look at my entire hardware and software set up and work with someone locally to analyze what has been affected by this malware. I think I need to call in someone with much greater expertise than I have and have them work through this in my home where they have physical access to all of the devices. With a router, modem, two computers and a couple of iThings, the scope is broader than what I think we can accomplish online.

I need to document what I have and what my objectives are for setting up my network at home. I have a dead PC that I've been putting off dealing with for many months, and that will be part of this larger project, too.

You have been helping me through this on a volunteer basis and have been extremely generous with your expertise and your time. I can't thank you enough and find it amazing that there are people like you who are willing to help others wade through this complex web of technology.

As soon as I can get to a secure computer, I will be making a donation to Spyware Warriors.

It's been a pleasure to work with you.

Warmest regards,
Kris

[Gary R]

Hi Kris,

I think you've probably made the best decision considering the circumstances. Someone working hands on should be able to see and test things that we're just not able to do working at a distance.

It's been a pleasure working with you too. I'm sorry we weren't able to resolve your problem, and I wish you all the best in getting your re-directs fixed.

Thanks very much for the donation it is much appreciated.

Keep safe.

Gary
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

I have lined up someone to come to my home on Wednesday morning to help with the malware and to check out the various devices.

Would it be possible to leave this thread up for a few days (two, no more than three) so I can refer that person to it in case he wants to know what we've already tried? He probably has his own methodology of checking things out, but I'd like to have the option for him to see the history.

Thanks,
Kris

[Gary R]

Sure, no problem.

Even if I close it you should still have been able to see it, but I'll leave it open till Friday just to make sure.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

Gary,

Just wanted to let you know that the re-directs have been stopped. A tech guy came out and used ComboFix and Norton Power Eraser. Not sure what ended up getting found, but it was on the computer and the router doesn't seem to have been involved. Or at least I've been on the router and re-direct free since the fixes were applied several hours ago.

While he was here, he helped me get my old XP back into running mode and I had the opportunity to bombard him with a zillion questions about a lot of things. I got lots of great info about setting up a home network to support our computing requirements. He's big on using free software and really seemed to know his stuff. And his hourly rate was very reasonable!

In the end, I'm glad this malware struck my machine, because I got the opportunity to work with a couple of great guys, namely you and Ken!

Anyway, just wanted to let you know things look like they're fixed and to once again thank you for your help.

Regards,
Kris

[Gary R]

Glad to hear you got your problems resolved. Thanks for letting me know.

It would have been interesting to know exactly what got found (or to be more precise what I missed).

Can you do me a favour?

Combofix should have created a log .... C:\Combofix.txt .... if it is present, could you post it for me please.
_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

He ran ComboFix first, then the Norton Power Eraser. Norton cleaned up four or five things, but there was one file it couldn't erase. The message was

[Gary R]

There were a couple of things that I'd missed ....

c:\users\Kris\g2mdlhlpx.exe
c:\users\Kris\AppData\Local\LightScribe\ibuzvdbz.dll

.... neither are diagnostic, but I should have spotted them, and at the very least had them scanned for viruses. My apologies for not doing so, it would have saved a lot of time and bother for you.

I don't need to see anything more, I was just curious as to what I'd missed.

OK, if you've still got Combofix.txt on your computer, then Combofix hasn't been properly removed from your computer, and it needs to be. We should also be removing the programs that I used to test your machine as well.

• Download .... CF_Uninst.exe
  
  
  
  • Alternate Download
    
  
  
• Double click it to uninstall Combofix.
  
• Delete it when it's finished.
  

Next

Let's clear out OTL and the files and folders it created. This will also remove TDSSKiller, aswMBR, SystemLook, GMER

• Double click OTL.exe to launch the programme.
  
• Click on the CleanUp! button.
  
• OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  
• You will be prompted to allow the clean up procedure, click Yes
  
• When finished exit out of OTL
  
• Now delete OTL.exe (if still present).
  

Next

Delete MiniToolbox.exe

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

• Computer Security - a short guide to staying safer online
  

_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations

[hlwalkerst]

Thanks for the heads up on cleaning up some of those programs. I had deleted a number of them but there was still some trash to take out.

I glanced at the security guide when I first found your site and plan to review it in detail now that the immediate problem has been repaired. It's an excellent document and I'll be passing along the link to my friends.