Possible Malware Toolbar/Hijacker/etc

Re: Possible Malware Toolbar/Hijacker/etc

Post by anya0234 » April 27th, 2011, 12:04 pm

Have run into another problem since working on the computer the other day. Instead of redirecting all the time, I'm seeing the address bar just not being responsive at all. I'll put in the web address, and the internet will do nothing at all. If you press enter, it will just sit there, and if you press the arrow, it will go back to the page that it's already on, usually the homepage. I'm still getting some redirection, but not nearly as much. Let me know what to do, thanks!

Re: Possible Malware Toolbar/Hijacker/etc

Post by askey127 » April 27th, 2011, 4:25 pm

anya0234,
Most of your troubles are unintentionally self-inflicted.
Please take note of the website names included in the list for the fix below.
They and their toolbars are best left to someone else. They get you to click by telling lies and half-truths.
Anchorfree/Expat Shield, Price Gong, Shop2win, ask.com (Yahoo search)
You will have to remake some settings after running this. Just don't put any of them back!
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

Expat Shield 1.57
PriceGong 2.1.0

Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------
Perform a Custom Scan or Fix with OTL
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :processes
    killallprocesses
    
    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/def ... earch.html
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cndt
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Secure Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Secure Search"
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
    FF - prefs.js..extensions.enabledItems: {5835466c-49af-4cbe-b102-a8c8b6313749}:1.0.24
    FF - prefs.js..extensions.enabledItems: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}:2.1.0
    FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="
    [2011/03/31 18:32:02 | 000,000,000 | ---D | M] (ShopToWin2) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}
    [2011/04/02 11:11:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    
    [2011/04/01 07:23:31 | 000,000,000 | ---D | M] (afurladvisor) -- C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
    O2 - BHO: (PriceGongBHO Class) - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll (PriceGong)
    O2 - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files\Expat Shield\HssIE\ExpatIE.dll (AnchorFree Inc.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Updater For Simppull Toolbar) - {C4B8BAB4-1667-11DF-A242-BA9455D89593} - File not found
    O2 - BHO: (no name) - {E4E6BF2A-1667-11DF-A01F-1F9655D89593} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

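A small triage helper for the kinds of OTL lines the fix above quotes, added here as an example (it is not OTL's code and not part of this thread). It assumes a constructed allowlist of search/home hosts and uses the vendor and engine names the fix names as a deny list; the sample log is constructed to mirror the categories in the thread's log, with placeholder CLSIDs and URL paths.

```python
"""Triage helper for OTL browser-hijack lines (added example, not OTL's code).
Flags the entry classes the fix above removes: IE search/start pages sent to
third-party redirect hosts, Firefox search prefs set by unwanted toolbars, and
BHO/toolbar registrations whose DLL or CLSID is gone."""
import re
from dataclasses import dataclass

# Hosts the user actually chose for search/home pages (constructed allowlist).
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "www.msn.com", "www.yahoo.com"}
# Engine names and vendors the thread names as unwanted (constructed deny lists).
UNWANTED_ENGINES = {"Ask.com", "Secure Search"}
UNWANTED_VENDORS = ("PriceGong", "Expat Shield", "Simppull", "ShopToWin")
# OTL's own wording for a registration whose target no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")
SEARCH_VALUES = {"Default_Search_URL", "Search Page", "CustomSearch",
                 "Default_Page_URL", "Start Page"}

IE_RE = re.compile(r"^IE - (?P<key>HK(?:LM|CU)\\[^,]+),(?P<name>[^=]+?) =\s*(?P<value>.*)$")
FF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.\-]+): "?(?P<value>[^"]*)"?$')
O2_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
O3_RE = re.compile(r"^O3 - HK(?:LM|CU)\\\.\.\\Toolbar(?:\\WebBrowser)?: \((?P<name>[^)]*)\)"
                   r" - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
HOST_RE = re.compile(r"^https?://([^/?#]+)", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    kind: str    # class of indicator, e.g. "ie-search" or "bho-orphan"
    detail: str  # short summary for the reader
    line: str    # the OTL line itself, which is also what an OTL fix quotes

def _host(value):
    m = HOST_RE.match(value.strip())
    return m.group(1).lower() if m else None

def _foreign(value):
    """True when a URL's host is not one the user chose (empty values pass)."""
    host = _host(value)
    return host is not None and host not in ALLOWED_HOSTS

def _registration(kind, name, target, line):
    """Classify an O2 BHO or O3 toolbar registration."""
    if any(marker in target for marker in ORPHAN_MARKERS):
        return Finding(kind + "-orphan", f"{name}: {target}", line)
    blob = f"{name} {target}".lower()
    if any(vendor.lower() in blob for vendor in UNWANTED_VENDORS):
        return Finding(kind + "-unwanted", f"{name}: {target}", line)
    return None

def triage_line(line):
    """Classify one OTL line; returns a Finding, or None when it looks benign."""
    line = line.strip()
    m = IE_RE.match(line)
    if m:
        name, value = m.group("name").strip(), m.group("value")
        if name in SEARCH_VALUES and _foreign(value):
            return Finding("ie-search", f"{name} -> {_host(value)}", line)
        return None
    m = FF_RE.match(line)
    if m:
        pref, value = m.group("pref"), m.group("value")
        if pref.startswith("browser.search.") and value in UNWANTED_ENGINES:
            return Finding("ff-search", f"{pref} = {value}", line)
        if pref in ("browser.search.defaulturl", "keyword.URL") and _foreign(value):
            return Finding("ff-search", f"{pref} -> {_host(value)}", line)
        return None
    for kind, pattern in (("bho", O2_RE), ("toolbar", O3_RE)):
        m = pattern.match(line)
        if m:
            return _registration(kind, m.group("name"), m.group("target"), line)
    return None

def triage(log_text):
    """All findings in an OTL log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]

def fix_section(findings):
    """Render findings as an OTL ':OTL' block; as in the fix above, each
    entry to remove is simply the log line quoted back verbatim."""
    return "\n".join([":OTL", *(f.line for f in findings)])

# Constructed sample mirroring the categories in the thread's log; the
# CLSIDs and URL paths are placeholders, not values from the thread.
SAMPLE_LOG = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/PLACEHOLDER
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?PLACEHOLDER
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=PLACEHOLDER&p="
O2 - BHO: (PriceGongBHO Class) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll (PriceGong)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {00000000-0000-0000-0000-000000000003} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000004} - No CLSID value found.
"""
```

Running `triage(SAMPLE_LOG)` flags eight of the eleven sample lines and leaves the user's own Start Page, the homepage pref and the SiteAdvisor BHO alone; `fix_section` shows why the helper's fix is just the log lines copied back.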

Re: Possible Malware Toolbar/Hijacker/etc

Post by anya0234 » April 27th, 2011, 9:13 pm

This is what came up when the computer was rebooted:

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomSearch| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page| /E : value set successfully!
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Secure Search" removed from browser.search.defaultenginename
Prefs.js: "http://search.yahoo.com/search?fr=ffsp1&p=" removed from browser.search.defaulturl
Prefs.js: "Ask.com" removed from browser.search.order.1
Prefs.js: "Secure Search" removed from browser.search.selectedEngine
Prefs.js: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313 removed from extensions.enabledItems
Prefs.js: {5835466c-49af-4cbe-b102-a8c8b6313749}:1.0.24 removed from extensions.enabledItems
Prefs.js: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}:2.1.0 removed from extensions.enabledItems
Prefs.js: "http://search.yahoo.com/search?fr=mcafee&p=" removed from keyword.URL
Folder C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}\ not found.
Folder C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\ not found.
Folder C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1631550F-191D-4826-B069-D9439253D926}\ not found.
File C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}\ not found.
File C:\Program Files\Expat Shield\HssIE\ExpatIE.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4B8BAB4-1667-11DF-A242-BA9455D89593}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4B8BAB4-1667-11DF-A242-BA9455D89593}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E4E6BF2A-1667-11DF-A01F-1F9655D89593}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4E6BF2A-1667-11DF-A01F-1F9655D89593}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: McAlpine
->Temp folder emptied: 136065 bytes
->Temporary Internet Files folder emptied: 22416547 bytes
->Java cache emptied: 86562799 bytes
->FireFox cache emptied: 56046225 bytes
->Google Chrome cache emptied: 390868176 bytes
->Flash cache emptied: 310414 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1971655 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 746509824 bytes
RecycleBin emptied: 3281657836 bytes

Total Files Cleaned = 4,374.00 mb
OTL by OldTimer - Version 3.2.22.3 log created on 04272011_195157

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


This is what the Quick Scan picked up:

OTL logfile created on: 4/27/2011 8:06:42 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = c:\Users\McAlpine\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.80 Gb Total Space | 49.45 Gb Free Space | 17.24% Space Free | Partition Type: NTFS
Drive D: | 11.28 Gb Total Space | 1.59 Gb Free Space | 14.13% Space Free | Partition Type: NTFS

Computer Name: MCALPINE-PC | User Name: McAlpine | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/27 19:51:11 | 000,580,608 | ---- | M] (OldTimer Tools) -- c:\Users\McAlpine\Downloads\OTL(4).exe
PRC - [2011/04/25 22:10:53 | 000,403,240 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe
PRC - [2011/03/28 15:41:14 | 001,910,152 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
PRC - [2011/03/28 15:41:12 | 001,242,504 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2011/03/18 12:53:06 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/17 03:37:34 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/11/22 08:52:25 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2010/11/03 03:30:38 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/11/03 03:30:38 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/10/15 13:42:14 | 000,326,704 | ---- | M] () -- C:\Program Files\Expat Shield\bin\hsswd.exe
PRC - [2010/09/24 13:19:08 | 006,351,600 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Zune\ZuneNss.exe
PRC - [2010/09/24 13:19:08 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/06/04 08:10:36 | 000,822,384 | ---- | M] (The Weather Channel Interactive, Inc.) -- C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/12/03 20:28:08 | 000,026,112 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2009/09/23 15:04:56 | 000,203,608 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2009/09/23 15:04:52 | 000,447,832 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2009/05/18 15:45:16 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/04/27 19:51:11 | 000,580,608 | ---- | M] (OldTimer Tools) -- c:\Users\McAlpine\Downloads\OTL(4).exe
MOD - [2011/03/28 11:48:30 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/31 10:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (scupdateservice)
SRV - [2011/04/25 22:10:53 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/03/28 15:41:12 | 001,242,504 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011/03/17 03:37:34 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/11/03 03:30:38 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/10/15 13:42:14 | 000,326,704 | ---- | M] () [Auto | Running] -- C:\Program Files\Expat Shield\bin\hsswd.exe -- (ExpatWd)
SRV - [2010/09/24 13:19:16 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/09/24 13:19:16 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/09/24 13:19:08 | 006,351,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/12/03 20:28:08 | 000,026,112 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2009/09/23 15:04:56 | 000,203,608 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2009/09/23 15:04:52 | 000,447,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2009/08/24 07:16:12 | 000,378,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2008/12/08 21:51:08 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/03/17 03:37:35 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/11/22 12:51:44 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/09/22 14:19:02 | 000,037,376 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HssDrv.sys -- (HssDrv)
DRV - [2010/07/09 17:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/02/03 15:56:56 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2010/01/26 17:38:06 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/09/23 15:04:56 | 000,021,848 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2009/09/23 15:04:56 | 000,014,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\SftVollh.sys -- (sftvol)
DRV - [2009/09/23 15:04:54 | 000,190,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys -- (sftplay)
DRV - [2009/09/23 15:04:50 | 000,543,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\SftFSlh.sys -- (sftfs)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/11/12 12:02:46 | 000,133,152 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2008/11/12 12:02:18 | 000,146,464 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2008/08/01 07:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/22 04:39:34 | 000,015,360 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/20 21:23:26 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\Windows\system32\speedfan.sys -- (speedfan)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=524517"
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"


FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/01/30 22:14:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/04/23 08:03:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/24 13:24:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/24 13:24:33 | 000,000,000 | ---D | M]

[2009/09/18 14:49:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Extensions
[2011/04/27 19:26:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions
[2010/07/30 08:12:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/30 07:45:53 | 000,000,000 | ---D | M] (Quick Locale Switcher) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\{25A1388B-6B18-46c3-BEBA-A81915D0DE8F}
[2011/04/21 23:38:47 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/12/22 04:10:01 | 000,000,000 | ---D | M] (Dictionary Switcher) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\dictionary-switcher@design-noir.de
[2011/03/25 17:22:05 | 000,000,000 | ---D | M] (Dicionário para Ortografia pt-BR) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\pt-BR@dictionaries.addons.mozilla.org
[2011/03/25 17:22:05 | 000,000,000 | ---D | M] (Russian spellchecking dictionary) -- C:\Users\McAlpine\AppData\Roaming\Mozilla\Firefox\Profiles\pj2y9m20.default\extensions\ru@dictionaries.addons.mozilla.org
[2011/04/27 19:26:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/29 17:05:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
File not found (No name found) --
[2011/04/23 08:03:40 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/03/18 12:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/08/29 17:05:07 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2011/04/21 23:43:45 | 000,001,949 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (The Weather Channel Interactive, Inc.)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.systemrequirementslab.co ... 1.71.0.cab (SysInfo Class)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\McAlpine\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\McAlpine\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{11415d77-0c69-11df-9cbd-00248cf86ab2}\Shell - "" = AutoRun
O33 - MountPoints2\{11415d77-0c69-11df-9cbd-00248cf86ab2}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/27 19:26:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/22 01:27:34 | 000,000,000 | ---D | C] -- C:\Users\McAlpine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/04/22 01:27:33 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/04/21 23:38:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2011/04/21 23:00:40 | 000,000,000 | ---D | C] -- C:\Users\McAlpine\AppData\Roaming\Malwarebytes
[2011/04/21 22:58:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/04/21 22:58:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/21 22:58:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/04/21 22:58:45 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/04/21 22:58:45 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/08 16:15:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Hamachi
[2011/04/08 16:15:10 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Hamachi
[2011/04/01 07:23:32 | 000,000,000 | ---D | C] -- C:\Expat Shield
[2011/04/01 07:23:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Expat Shield
[2011/04/01 07:23:28 | 000,000,000 | ---D | C] -- C:\Program Files\Expat Shield
[2011/03/30 12:28:14 | 000,000,000 | ---D | C] -- C:\Users\McAlpine\Desktop\Artistic Muses

========== Files - Modified Within 30 Days ==========

[2011/04/27 20:01:40 | 000,056,213 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/04/27 20:01:40 | 000,056,213 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/04/27 19:59:01 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/27 19:59:01 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/27 19:58:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/27 19:58:53 | 3219,570,688 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/27 19:51:25 | 000,613,476 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/27 19:51:25 | 000,108,176 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/27 19:41:14 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3813002812-403067811-3136601845-1000UA.job
[2011/04/27 19:39:31 | 000,422,344 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/04/22 04:41:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3813002812-403067811-3136601845-1000Core.job
[2011/04/22 01:27:34 | 000,001,954 | ---- | M] () -- C:\Users\McAlpine\Desktop\HiJackThis.lnk
[2011/04/21 22:58:50 | 000,000,936 | ---- | M] () -- C:\Users\McAlpine\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/04/21 22:58:50 | 000,000,912 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/12 12:30:37 | 000,031,232 | ---- | M] () -- C:\Users\McAlpine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/08 16:15:35 | 000,008,592 | ---- | M] () -- C:\Users\McAlpine\AppData\Local\d3d9caps.dat
[2011/04/01 09:57:31 | 000,001,056 | ---- | M] () -- C:\Users\Public\Desktop\The Weather Channel Desktop .lnk
[2011/04/01 07:29:50 | 005,807,264 | ---- | M] () -- C:\Users\McAlpine\Desktop\HSS-1.57-install-anchorfree-76-conduit.exe
[2011/03/31 14:51:02 | 000,000,876 | ---- | M] () -- C:\Users\McAlpine\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/03/31 14:51:02 | 000,000,852 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/03/31 11:50:03 | 000,000,334 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForMcAlpine.job

========== Files Created - No Company Name ==========

[2011/04/22 01:27:34 | 000,001,954 | ---- | C] () -- C:\Users\McAlpine\Desktop\HiJackThis.lnk
[2011/04/21 22:58:50 | 000,000,936 | ---- | C] () -- C:\Users\McAlpine\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/04/21 22:58:50 | 000,000,912 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/01 07:29:41 | 005,807,264 | ---- | C] () -- C:\Users\McAlpine\Desktop\HSS-1.57-install-anchorfree-76-conduit.exe
[2011/03/31 14:51:02 | 000,000,864 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/03/31 14:51:02 | 000,000,852 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/01/30 23:20:16 | 000,207,001 | ---- | C] () -- C:\Windows\hpoins46.dat.temp
[2011/01/30 23:20:16 | 000,000,574 | ---- | C] () -- C:\Windows\hpomdl46.dat.temp
[2011/01/30 22:06:16 | 000,206,997 | ---- | C] () -- C:\Windows\hpoins46.dat
[2010/11/12 16:52:10 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat
[2010/10/14 02:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2010/10/03 22:50:08 | 000,000,096 | ---- | C] () -- C:\Users\McAlpine\AppData\Local\fusioncache.dat
[2010/09/11 22:15:53 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/09/11 15:43:19 | 000,056,213 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/09/11 15:43:19 | 000,056,213 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/09/09 20:23:39 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/08/27 21:29:58 | 000,008,592 | ---- | C] () -- C:\Users\McAlpine\AppData\Local\d3d9caps.dat
[2010/06/30 00:12:16 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL
[2010/05/11 23:24:34 | 000,073,220 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
[2010/05/11 23:24:34 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
[2010/05/11 23:24:34 | 000,029,114 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
[2010/05/11 23:24:34 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
[2010/05/11 23:24:34 | 000,021,021 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
[2010/05/11 23:24:34 | 000,015,670 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
[2010/05/11 23:24:34 | 000,013,280 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
[2010/05/11 23:24:34 | 000,010,673 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
[2010/05/11 23:24:34 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
[2010/05/11 23:24:34 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
[2010/05/11 23:24:34 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
[2010/05/11 23:24:34 | 000,001,137 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
[2010/05/11 23:24:34 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
[2010/05/11 23:24:34 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
[2010/05/11 23:24:34 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
[2010/05/11 23:24:34 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2010/03/31 19:34:36 | 000,000,574 | ---- | C] () -- C:\Windows\hpomdl46.dat
[2010/02/05 13:34:47 | 000,065,329 | ---- | C] () -- C:\Program Files\Sec
[2009/09/25 12:36:18 | 000,009,814 | ---- | C] () -- C:\Users\McAlpine\AppData\Roaming\wklnhst.dat
[2009/09/18 15:04:38 | 000,031,232 | ---- | C] () -- C:\Users\McAlpine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/18 13:34:37 | 000,008,704 | ---- | C] () -- C:\Windows\System32\scsprembt.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/08/03 00:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009/05/18 15:36:28 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/05/18 15:36:28 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/05/18 15:06:49 | 000,354,816 | ---- | C] () -- C:\Windows\System32\pythoncom26.dll
[2009/05/18 15:06:49 | 000,108,032 | ---- | C] () -- C:\Windows\System32\pywintypes26.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,422,344 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,613,476 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,108,176 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

========== LOP Check ==========

[2009/10/22 01:16:23 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\GetRightToGo
[2010/01/18 00:51:12 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\Kybtec Software
[2010/01/18 00:50:44 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\MipKukSoft
[2010/08/29 17:18:23 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\OpenOffice.org
[2009/09/18 12:55:22 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\PictureMover
[2010/09/11 18:29:29 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\SystemRequirementsLab
[2009/09/25 12:48:34 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\Template
[2010/03/22 19:10:06 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\TP
[2009/11/02 12:33:48 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\W Photo Studio
[2009/11/02 12:27:25 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\W Photo Studio Viewer
[2009/11/02 12:28:20 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\Walgreens
[2009/12/29 08:54:36 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\WinBatch
[2009/10/08 12:22:01 | 000,000,000 | ---D | M] -- C:\Users\McAlpine\AppData\Roaming\Windows SideBar
[2011/04/27 19:58:07 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >



Please note that I did have some trouble with the first Scan you requested. It ran through part of the process, and then froze completely to the point I had to restart the computer. I ran the same scan again, once rebooted, and the first portion is from the 2nd try of that scan. When I did the Quick Scan, it also froze for a few minutes, but then corrected itself, producing the results which I have included.
anya0234
Regular Member
 
Posts: 19
Joined: April 22nd, 2011, 1:55 am

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby askey127 » April 28th, 2011, 6:48 am

anya0234,
That's OK.
You have an installer on your desktop named HSS-1.57-install-anchorfree-76-conduit.exe
Please right click it and choose delete.
That's the AnchorFree installer. Conduit websites are best avoided.
-----------------------------------------------------------
Flush DNS Cache
  • Click the Microsoft Vista Start logo in the bottom left corner of the screen
  • Click All Programs
  • Click Accessories
  • RIGHT-click on Command Prompt
  • Select Run As Administrator
  • In the command window type the following, and then hit Enter: ipconfig /flushdns
  • You will see the following confirmation:
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more.
It will ask what to do with any item it finds.
Tell it to Delete or Quarantine any items it finds.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

Experiment a bit and let me know about the redirects, and anything else.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby anya0234 » April 30th, 2011, 6:59 pm

Avira AntiVir Personal
Report file date: Thursday, April 28, 2011 18:03

Scanning for 2587282 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 1) [6.0.6001]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MCALPINE-PC

Version information:
BUILD.DAT : 10.0.0.635 31822 Bytes 3/7/2011 12:15:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 12/8/2010 17:48:21
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 12/8/2010 17:48:22
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 03:16:10
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 09:38:04
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 12:49:35
VBASE004.VDF : 7.11.5.226 2048 Bytes 4/7/2011 12:49:35
VBASE005.VDF : 7.11.5.227 2048 Bytes 4/7/2011 12:49:35
VBASE006.VDF : 7.11.5.228 2048 Bytes 4/7/2011 12:49:35
VBASE007.VDF : 7.11.5.229 2048 Bytes 4/7/2011 12:49:35
VBASE008.VDF : 7.11.5.230 2048 Bytes 4/7/2011 12:49:36
VBASE009.VDF : 7.11.5.231 2048 Bytes 4/7/2011 12:49:36
VBASE010.VDF : 7.11.5.232 2048 Bytes 4/7/2011 12:49:36
VBASE011.VDF : 7.11.5.233 2048 Bytes 4/7/2011 12:49:36
VBASE012.VDF : 7.11.5.234 2048 Bytes 4/7/2011 12:49:36
VBASE013.VDF : 7.11.6.28 158208 Bytes 4/11/2011 21:10:41
VBASE014.VDF : 7.11.6.74 116224 Bytes 4/13/2011 21:10:44
VBASE015.VDF : 7.11.6.113 137728 Bytes 4/14/2011 08:45:04
VBASE016.VDF : 7.11.6.150 146944 Bytes 4/18/2011 08:45:11
VBASE017.VDF : 7.11.6.192 138240 Bytes 4/20/2011 08:45:11
VBASE018.VDF : 7.11.6.193 2048 Bytes 4/20/2011 08:45:12
VBASE019.VDF : 7.11.6.194 2048 Bytes 4/20/2011 08:45:12
VBASE020.VDF : 7.11.6.195 2048 Bytes 4/20/2011 08:45:12
VBASE021.VDF : 7.11.6.196 2048 Bytes 4/20/2011 08:45:12
VBASE022.VDF : 7.11.6.197 2048 Bytes 4/20/2011 08:45:12
VBASE023.VDF : 7.11.6.198 2048 Bytes 4/20/2011 08:45:13
VBASE024.VDF : 7.11.6.199 2048 Bytes 4/20/2011 08:45:13
VBASE025.VDF : 7.11.6.200 2048 Bytes 4/20/2011 08:45:13
VBASE026.VDF : 7.11.6.201 2048 Bytes 4/20/2011 08:45:13
VBASE027.VDF : 7.11.6.202 2048 Bytes 4/20/2011 08:45:13
VBASE028.VDF : 7.11.6.203 2048 Bytes 4/20/2011 08:45:13
VBASE029.VDF : 7.11.6.204 2048 Bytes 4/20/2011 08:45:14
VBASE030.VDF : 7.11.6.205 2048 Bytes 4/20/2011 08:45:14
VBASE031.VDF : 7.11.6.221 68096 Bytes 4/21/2011 08:45:09
Engineversion : 8.2.4.214
AEVDF.DLL : 8.1.2.1 106868 Bytes 9/11/2010 21:37:11
AESCRIPT.DLL : 8.1.3.59 1261947 Bytes 4/21/2011 08:45:16
AESCN.DLL : 8.1.7.2 127349 Bytes 11/22/2010 17:50:58
AESBX.DLL : 8.1.3.2 254324 Bytes 11/22/2010 17:51:36
AERDL.DLL : 8.1.9.9 639347 Bytes 3/26/2011 04:51:23
AEPACK.DLL : 8.2.6.0 549237 Bytes 4/8/2011 12:49:28
AEOFFICE.DLL : 8.1.1.20 205177 Bytes 4/4/2011 12:49:32
AEHEUR.DLL : 8.1.2.105 3453303 Bytes 4/21/2011 08:45:14
AEHELP.DLL : 8.1.16.1 246134 Bytes 2/3/2011 22:48:35
AEGEN.DLL : 8.1.5.4 397684 Bytes 4/4/2011 12:49:27
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 17:48:39
AECORE.DLL : 8.1.20.2 196982 Bytes 4/8/2011 12:49:22
AEBB.DLL : 8.1.1.0 53618 Bytes 9/11/2010 21:37:05
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 22:47:40
AVREG.DLL : 10.0.3.2 53096 Bytes 11/3/2010 08:30:38
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 12/8/2010 17:48:21
AVARKT.DLL : 10.0.22.6 231784 Bytes 12/8/2010 17:48:18
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 15:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 18:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 21:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 20:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 11/3/2010 08:30:38

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, Q:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, April 28, 2011 18:03

Starting search for hidden objects.
An ARK library instance is already running.

The scan of running processes will be started
Scan process 'avscan.exe' - '73' Module(s) have been scanned
Scan process 'avscan.exe' - '29' Module(s) have been scanned
Scan process 'avscan.exe' - '74' Module(s) have been scanned
Scan process 'avscan.exe' - '29' Module(s) have been scanned
Scan process 'avcenter.exe' - '66' Module(s) have been scanned
Scan process 'chrome.exe' - '51' Module(s) have been scanned
Scan process 'rundll32.exe' - '44' Module(s) have been scanned
Scan process 'chrome.exe' - '35' Module(s) have been scanned
Scan process 'chrome.exe' - '42' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '64' Module(s) have been scanned
Scan process 'conime.exe' - '17' Module(s) have been scanned
Scan process 'plugin-container.exe' - '73' Module(s) have been scanned
Scan process 'firefox.exe' - '120' Module(s) have been scanned
Scan process 'ZuneNss.exe' - '96' Module(s) have been scanned
Scan process 'hphc_service.exe' - '29' Module(s) have been scanned
Scan process 'hpqgpc01.exe' - '49' Module(s) have been scanned
Scan process 'hpqbam08.exe' - '26' Module(s) have been scanned
Scan process 'hpqSTE08.exe' - '59' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'SteamService.exe' - '38' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '74' Module(s) have been scanned
Scan process 'WLIDSvcM.exe' - '16' Module(s) have been scanned
Scan process 'CVHSVC.EXE' - '44' Module(s) have been scanned
Scan process 'sftlist.exe' - '62' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '60' Module(s) have been scanned
Scan process 'WLIDSVC.EXE' - '52' Module(s) have been scanned
Scan process 'svchost.exe' - '7' Module(s) have been scanned
Scan process 'svchost.exe' - '45' Module(s) have been scanned
Scan process 'sftvsa.exe' - '28' Module(s) have been scanned
Scan process 'SeaPort.EXE' - '54' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'rundll32.exe' - '27' Module(s) have been scanned
Scan process 'svchost.exe' - '24' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'avshadow.exe' - '27' Module(s) have been scanned
Scan process 'mcsacore.exe' - '65' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'hamachi-2.exe' - '56' Module(s) have been scanned
Scan process 'hsswd.exe' - '35' Module(s) have been scanned
Scan process 'avguard.exe' - '64' Module(s) have been scanned
Scan process 'agrsmsvc.exe' - '16' Module(s) have been scanned
Scan process 'ehmsas.exe' - '19' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '82' Module(s) have been scanned
Scan process 'DesktopWeather.exe' - '96' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '29' Module(s) have been scanned
Scan process 'Steam.exe' - '93' Module(s) have been scanned
Scan process 'ehtray.exe' - '26' Module(s) have been scanned
Scan process 'hamachi-2-ui.exe' - '33' Module(s) have been scanned
Scan process 'hpwuschd2.exe' - '16' Module(s) have been scanned
Scan process 'ZuneLauncher.exe' - '30' Module(s) have been scanned
Scan process 'avgnt.exe' - '54' Module(s) have been scanned
Scan process 'taskeng.exe' - '49' Module(s) have been scanned
Scan process 'Explorer.EXE' - '140' Module(s) have been scanned
Scan process 'Dwm.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '58' Module(s) have been scanned
Scan process 'taskeng.exe' - '78' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'spoolsv.exe' - '85' Module(s) have been scanned
Scan process 'svchost.exe' - '96' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '45' Module(s) have been scanned
Scan process 'svchost.exe' - '92' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '150' Module(s) have been scanned
Scan process 'svchost.exe' - '102' Module(s) have been scanned
Scan process 'svchost.exe' - '64' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'winlogon.exe' - '31' Module(s) have been scanned
Scan process 'lsm.exe' - '32' Module(s) have been scanned
Scan process 'lsass.exe' - '59' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'Q:\'
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights

Starting to scan executable files (registry).
The registry was scanned ( '1680' files ).


Starting the file scan:

Begin scan in 'C:\' <COMPAQ>
Begin scan in 'D:\' <FACTORY_IMAGE>
Begin scan in 'Q:\'
Search path Q:\ could not be opened!
System error [5]: Access is denied.


End of the scan: Thursday, April 28, 2011 21:29
Used time: 3:26:41 Hour(s)

The scan has been done completely.

33480 Scanned directories
994087 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
994087 Files not concerned
4608 Archives were scanned
0 Warnings
0 Notes

It said that nothing was wrong with the computer on the report, but the internet is consistently freezing and then crashing, and is still not connecting to sites requested, bringing it to a Page Not Found.
anya0234
Regular Member
 
Posts: 19
Joined: April 22nd, 2011, 1:55 am

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby askey127 » April 30th, 2011, 8:31 pm

anya0234,
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • XP : Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • VISTA/Win7: Right click the .exe file and choose Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      See image below
      Image
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby anya0234 » May 1st, 2011, 1:34 am

This is all that came up in the .txt document; did I do everything right?

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-01 00:33:11
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\0000005c ST332041 rev.HP22
Running: 4ozm3mnz.exe; Driver: C:\Users\McAlpine\AppData\Local\Temp\kgdyqkod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
anya0234
Regular Member
 
Posts: 19
Joined: April 22nd, 2011, 1:55 am

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby askey127 » May 1st, 2011, 7:45 am

anya0234,
Do you use the ImageSurfer software? Is that 3D microscopy?
Do you use LogMeIn?
Do you use WildTangent games?
Any of the above could have an effect on your network behavior.

------------------------------------------------
Expat Shield is showing that it has not been removed. Please take a look again and see if you can Uninstall it.
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click this Entry, if it exists, choose Uninstall/Change, and give permission to Continue:

Expat Shield 1.57

Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------
Perform a Custom Scan or Fix with OTL
Run OTL (Right click and choose "Run as administrator")
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :processes
    killallprocesses
    
    :OTL
    DRV - [2010/09/22 14:19:02 | 000,037,376 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HssDrv.sys -- (HssDrv)
    SRV - [2010/10/15 13:42:14 | 000,326,704 | ---- | M] () [Auto | Running] -- C:\Program Files\Expat Shield\bin\hsswd.exe -- (ExpatWd)
    
    :Files
    C:\Windows\System32\drivers\HssDrv.sys
    C:\Program Files\Expat Shield\bin\hsswd.exe
    
    :Commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

So we will be looking for answers to the three or four questions above, and the Log from OTL (OTL.txt).
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
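An added example, not code from this thread or from the OTL tool itself: a small Python parser for the OTL log line format posted above (the `[date | size | attrs | C/M] (Company) -- path -- (Key)` shape), with a filter on vendor or path keywords and an assembler that lays out a fix block in the same :processes / :OTL / :Files / :Commands layout askey127 used. The sample lines are copied from the logs in this thread; the keywords `AnchorFree` and `Expat Shield` and the helper names are assumptions.

```python
# Added example (not from the thread or from OTL): parse OTL log lines and
# assemble a fix block in the layout used above. Sample lines are copied from
# the logs in this thread; keywords and helper names are assumptions.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Line shapes seen in the thread's logs:
#   DRV - [date | size | attrs | M] (Company) [Kernel | On_Demand | Running] -- path -- (Key)
#   [date | size | ---D | C] -- path          (directory: no company field)
#   [date | size | ---- | C] () -- path       (file: empty company field)
OTL_RE = re.compile(
    r"^(?:(?P<kind>DRV|SRV) - )?"
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?:\[(?P<state>[^\]]*)\] )?"
    r"-- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\))?$"
)


@dataclass
class OtlEntry:
    raw: str              # original line, reused verbatim under :OTL
    kind: Optional[str]   # "DRV", "SRV" or None for plain file/directory lines
    timestamp: datetime
    size: int
    attrs: str            # four flag characters; trailing "D" marks a directory
    flag: str             # "C" (created) or "M" (modified)
    company: str          # "" when the log shows "()" or omits the field
    state: Optional[str]  # e.g. "Kernel | On_Demand | Running" for DRV/SRV
    path: str
    name: Optional[str]   # driver/service key, e.g. "HssDrv"


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a log line, or None for headers and blank lines."""
    m = OTL_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        raw=line.strip(),
        kind=m.group("kind"),
        timestamp=datetime.strptime(m.group("date"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        flag=m.group("flag"),
        company=(m.group("company") or "").strip(),
        state=m.group("state"),
        path=m.group("path"),
        name=m.group("name"),
    )


def parse_otl_log(text: str) -> List[OtlEntry]:
    return [e for e in map(parse_otl_line, text.splitlines()) if e]


def modified_since(entries: Iterable[OtlEntry], since: datetime) -> List[OtlEntry]:
    """The log's 'Modified Within 30 Days' view, with a cut-off you choose."""
    return [e for e in entries if e.timestamp >= since]


def match_entries(entries: Iterable[OtlEntry], needles: Iterable[str]) -> List[OtlEntry]:
    """Case-insensitive substring match against company, path and key name."""
    lowered = [n.lower() for n in needles]
    return [e for e in entries
            if any(n in f"{e.company} {e.path} {e.name or ''}".lower() for n in lowered)]


def build_otl_fix(entries: Iterable[OtlEntry]) -> str:
    """Same layout as the thread's fix: DRV/SRV lines verbatim under :OTL,
    every selected path under :Files, then the same :Commands."""
    entries = list(entries)
    otl_lines = [e.raw for e in entries if e.kind in ("DRV", "SRV")]
    file_lines = list(dict.fromkeys(e.path for e in entries))  # dedupe, keep order
    parts = [":processes", "killallprocesses", ""]
    if otl_lines:
        parts += [":OTL", *otl_lines, ""]
    if file_lines:
        parts += [":Files", *file_lines, ""]
    parts += [":Commands", "[EMPTYTEMP]", "[CREATERESTOREPOINT]", "[Reboot]"]
    return "\n".join(parts)


# Constructed sample: six lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
DRV - [2010/09/22 14:19:02 | 000,037,376 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HssDrv.sys -- (HssDrv)
SRV - [2010/10/15 13:42:14 | 000,326,704 | ---- | M] () [Auto | Running] -- C:\Program Files\Expat Shield\bin\hsswd.exe -- (ExpatWd)
[2011/04/01 07:23:32 | 000,000,000 | ---D | C] -- C:\Expat Shield
[2011/04/01 07:29:41 | 005,807,264 | ---- | C] () -- C:\Users\McAlpine\Desktop\HSS-1.57-install-anchorfree-76-conduit.exe
[2011/04/27 19:58:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/08 16:15:10 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Hamachi
"""

if __name__ == "__main__":
    entries = parse_otl_log(SAMPLE_LOG)
    selected = match_entries(entries, ["AnchorFree", "Expat Shield"])  # assumed keywords
    print(build_otl_fix(selected))
```

Any block produced this way should still be read line by line before it is pasted into OTL, since a keyword that is too broad (for instance a short vendor string) will sweep in unrelated files.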

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby anya0234 » May 1st, 2011, 5:56 pm

I was able to uninstall the latter two of the three programs you referred to, but the ImageSurfer I could not find nor do I know what it is or if it is connected to the Microscopy you asked about. I ran the Run Fix you recommended, rebooted, and when the computer was back up, the internet was not working. I checked the connection; the internet itself is working fine. We have other devices that are able to run off the connection, but for some reason the computer is not allowing us to connect. I ran a diagnostic to see what the problem was, and it said that some of the updates had not been able to install. It gave the option to try installing them again, but even after several tries, they still would not install. The following is a rundown on the updates:

**Listed as Important**

*Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB 24161447)
--Synopsis on Update: Could allow attacker to compromise Windows-based system that is running the Microsoft.NET Framework and gain access to information.

*Security Update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB 2467175)
--Synopsis on Update: MFC application vulnerability in DLL planting due to MFC not specifying full path to system/location DLLs.

*Security Update for Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package (KB 2467174)
--Synopsis on Update: Same as previous update.

**Listed as Optional**

*nVIDIA-Display, Other hardware-NVIDIA GeForce 8800 GT
--Synopsis on Update: None available

*Update for Zune Software 4.7
--Synopsis on Update: None available

When going through the Network Diagnostics, it also says that the Network adapter "Local Area Connection" is not correctly configured to use the IP protocol. It states that the "NVIDIA nForce 10/100 Mbps Ethernet" is experiencing driver or hardware related issues.

Under the Device Manager, the Network adapters that this computer has listed are as follows:
-NVIDIA nForce 10/100 Mbps Ethernet
-NVIDIA nForce 10/100 Mbps Ethernet-Expat Shield Routing Miniport (Yellow Caution Sign over icon)
-WAN Miniport (IP)-Expat Shield Routing Miniport (Yellow Caution Sign over icon)
-WAN Miniport (IPv6)-Expat Shield Routing Miniport (Yellow Caution Sign over icon)
-WAN Miniport (Network Monitor)-Expat Shield Routing Miniport (Yellow Caution Sign over icon)

Consequently, I am not able to send my Quick Scan to you at this time. My apologies.
anya0234
Regular Member
 
Posts: 19
Joined: April 22nd, 2011, 1:55 am

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby askey127 » May 2nd, 2011, 6:52 am

anya0234,
It appears that Expat Shield did not uninstall correctly, and there may be problems with the Network Hardware or NVidia driver.
The two issues may be related.
I would download a new copy of Expat Shield from here http://expatshield.com/ onto a flash drive using a different machine, then re-install it here to see whether any Internet connections can be re-established.

Otherwise you will need to have the machine repaired. It appears that it has repeatedly had trouble with network connections, from the very first posts. Repairs on the machine could involve Reformatting the drive and re-installing Windows, so you should copy off any critical personal files/documents onto CDs or Flash drives first.

I do not see any malware on the system at this time.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby anya0234 » May 2nd, 2011, 9:05 am

Okay, thanks for all your help!
anya0234
Regular Member
 
Posts: 19
Joined: April 22nd, 2011, 1:55 am

Re: Possible Malware Toolbar/Hijacker/etc

Unread postby askey127 » May 3rd, 2011, 3:53 pm

As any remaining issues do not involve malware and therefore fall outside the scope of this forum, this topic is now closed.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA