Google/Yahoo Search Hijack

Post by lynnw » September 29th, 2011, 4:58 pm

Hello-

For the last two days, whenever I click on a link from a search on either Google or Yahoo, it will not take me to the correct page, but rather to some spam website. I ran Malwarebytes initially and that had helped. Upon reopening Firefox and doing another search, it had gone back to taking me to bogus pages. I downloaded Chrome this morning, which worked well initially, but now that I have reopened it, it is doing the same thing for the searches. We recently downloaded an updated version of Firefox (6.0.2) on Monday.

I ran HijackThis and this is the log. Any help is appreciated.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:56:28 PM, on 9/29/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Users\lynnwade\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {58776b25-a6b1-453d-b73f-8a7363ad68cf} - C:\Windows\system32\lasipuna.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Lala Music Mover] "C:\Program Files\Lala.com\Lala Music Mover\LalaMover.exe" /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\lynnwade\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10t_Plugin.exe -update plugin
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {00085C14-0000-0000-0000-000000000000} - https://cwscp.sbcis.sbc.com/wizlet/Vist ... taller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab
O20 - AppInit_DLLs: c:\windows\system32\husebasi.dll, C:\Windows\system32\mizojuna.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Seagate Dashboard Service (SeagateDashboardService) - Memeo - C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe

--
End of file - 10236 bytes
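The log above is the kind of thing a volunteer reads by eye. As an added example (not part of this thread, and not code from HijackThis or from the forum), the Python script below parses the entry types that matter most for a browser search redirect and ranks them for review: AppInit_DLLs (O20, which Windows of this era loads into every process that maps user32.dll), hosts-file lines (O1) that point a name anywhere other than localhost, an explicit WinINet ProxyServer (R1), Run entries (O4) whose value name is empty or unprintable, BHOs (O2) with no name or a missing DLL, and orphaned URLSearchHooks (R3). It only selects entries for a closer look; whether a flagged DLL is actually malicious still requires checking the file itself (signer, hash), which neither the log nor this script can do. Most sample lines are copied from the log above; the ProxyServer line and the second hosts line are constructed here to show what the proxy and hosts-file forms of a hijack look like in the same format.

```python
import re
from dataclasses import dataclass

# Entries copied from the HijackThis log posted above.
THREAD_EXCERPT = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local",
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O1 - Hosts: ::1 localhost",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: (no name) - {58776b25-a6b1-453d-b73f-8a7363ad68cf} - C:\Windows\system32\lasipuna.dll (file missing)",
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"O4 - HKCU\..\Run: [?????????] ??????????????e",
    r"O20 - AppInit_DLLs: c:\windows\system32\husebasi.dll, C:\Windows\system32\mizojuna.dll",
]
# Constructed lines (NOT from the thread) showing a proxy and a hosts-file hijack.
CONSTRUCTED = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080",
    r"O1 - Hosts: 127.0.0.1 www.google.com",
]
SAMPLE_LOG = "\n".join(THREAD_EXCERPT + CONSTRUCTED)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


@dataclass
class Finding:
    severity: str
    kind: str
    reason: str
    line: str


def looks_garbled(name: str) -> bool:
    """Value names HijackThis could not render: empty, non-ASCII (the forum
    shows these as runs of '?'), or consisting only of '?'. On a non-English
    locale a legitimate entry can have a non-ASCII name, so treat this as a
    prompt to look, not a verdict."""
    return not name or not name.isascii() or name.strip("?") == ""


def triage(log_text: str) -> list:
    """Return the entries worth examining first, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            # One finding per DLL: each is mapped into every user32 process.
            for dll in body.split(":", 1)[1].split(","):
                dll = dll.strip()
                if dll:
                    findings.append(Finding("high", kind,
                        f"AppInit_DLLs loads {dll} into every process that maps user32.dll", line))
        elif kind == "O1" and body.startswith("Hosts:"):
            parts = body.split(":", 1)[1].split()
            if len(parts) >= 2 and parts[1].lower() != "localhost":
                findings.append(Finding("high", kind,
                    f"hosts file sends {parts[1]} to {parts[0]}", line))
        elif kind == "R1" and ",ProxyServer = " in body:
            findings.append(Finding("high", kind,
                "explicit proxy configured for WinINet (Internet Explorer) traffic", line))
        elif kind == "O4":
            rm = RUN_RE.search(body)
            if rm and looks_garbled(rm.group("name")):
                findings.append(Finding("high", kind,
                    "Run entry whose value name is empty or unprintable", line))
        elif kind == "O2":
            if "(no name)" in body or "(file missing)" in body:
                findings.append(Finding("medium", kind,
                    "BHO with no name or a missing DLL", line))
        elif kind == "R3" and "(no file)" in body:
            findings.append(Finding("low", kind,
                "orphaned URLSearchHook (registered DLL is gone)", line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: keeps log order within a level
    return findings


def report(findings) -> str:
    return "\n".join(f"[{f.severity:<6}] {f.kind}: {f.reason}\n         {f.line}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run on the sample it prints seven findings: the two AppInit_DLLs, the constructed hosts and proxy lines and the unreadable Run entry at high, the nameless missing-file BHO at medium, the dead Yahoo! Toolbar hook at low. The Sidebar Run entry, the Adobe BHO, the default `::1 localhost` line and the ProxyOverride line are not flagged, which is the point: a triage script has to stay quiet on the stock Vista entries so the unusual ones stand out.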

Re: Google/Yahoo Search Hijack

Post by deltalima » September 29th, 2011, 5:03 pm

Checking your log - back soon.

Re: Google/Yahoo Search Hijack

Post by deltalima » September 29th, 2011, 5:13 pm

Hi lynnw,

Welcome to the forum.

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that you need to take your computer to a repair shop.

Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please Note:
The programs I ask you to run need to be run in Administrator mode by right-clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    BitTorrent


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on Start
  • Then Run
  • In the Open text box, copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove" button to uninstall the programs listed above and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe and select: Run as Administrator.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select: Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Re: Google/Yahoo Search Hijack

Post by lynnw » September 29th, 2011, 6:42 pm

OTL Extras logfile created on: 9/29/2011 4:18:24 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Users\lynnwade\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.94 Mb Total Physical Memory | 166.75 Mb Available Physical Memory | 21.74% Memory free
1.86 Gb Paging File | 0.26 Gb Available in Paging File | 14.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 113.20 Gb Total Space | 63.83 Gb Free Space | 56.39% Space Free | Partition Type: NTFS
Drive D: | 112.85 Gb Total Space | 112.76 Gb Free Space | 99.92% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 872.53 Gb Free Space | 93.67% Space Free | Partition Type: NTFS

Computer Name: LYNNWADE-PC | User Name: lynnwade | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-3391914120-3035634451-1718377386-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3391914120-3035634451-1718377386-1000]
"EnableNotifications" = 1
"EnableNotificationsRef" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02C6B2B3-2C60-4874-98BA-DCDC0D4B1793}" = rport=137 | protocol=17 | dir=out | app=system |
"{2DB8611B-C995-448B-935D-98DE4AAB9039}" = rport=445 | protocol=6 | dir=out | app=system |
"{506D2EFB-CF18-4A09-931F-24C3424F5F3B}" = lport=139 | protocol=6 | dir=in | app=system |
"{5B997365-80FF-4D4B-B749-813FEB4DE626}" = lport=137 | protocol=17 | dir=in | app=system |
"{65DEB560-5821-45CB-9E33-BE767FACBC1A}" = lport=445 | protocol=6 | dir=in | app=system |
"{675D07B6-B509-479C-B4D6-B4D4A5D32E52}" = rport=138 | protocol=17 | dir=out | app=system |
"{7D837BFB-D54B-48EC-BE5F-EB9D5B29E626}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{88B108CA-330D-463B-B127-191C92394A77}" = rport=139 | protocol=6 | dir=out | app=system |
"{CCA9D24F-1945-4F64-8C8E-A3AF72CB8343}" = lport=138 | protocol=17 | dir=in | app=system |
"{CCED676D-3EB2-4777-9338-61606BB118A5}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{F46EF66B-F4B4-4FEF-982B-3CD23DE7C15F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02E3F807-C2B5-410A-818B-5797D68D9868}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{03DE0338-B9D1-4DEA-986A-80946EA0CDE7}" = protocol=17 | dir=in | app=c:\program files\acer zone\acer zone softdma\softdma.exe |
"{0A3EC9C2-E638-478F-A58C-ED16295C2A4F}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"{0C764EEA-4B92-4251-88CF-A63A3B6BAC2F}" = protocol=17 | dir=in | app=c:\program files\acer zone\acer picture slide dvd\component\clsldvd.exe |
"{0F7AEABB-71D4-45B6-A434-130DC29F8237}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{1211375F-3F13-48A7-959A-6CD529AF0EAF}" = protocol=6 | dir=in | app=c:\windows\rthdvcpl.exe |
"{12590B70-693D-43EA-BE9E-DCE35CE18A00}" = dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"{141ED6E6-C550-448D-A464-C2EBB0020012}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{17F181F7-CBEC-48B4-ACD9-79FE31E4C81C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{189050A4-AC85-4B99-9D6B-17718125780B}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{1E1716E4-1400-46CF-83E9-762B765B43D5}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{2AAAE0F5-28E8-4890-88D0-AEB929EB250D}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{2BC5CF27-16D8-4E33-A8CD-2BDA12AB9C4C}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2DD6907F-9FA3-4B69-8CFC-B87F1E013837}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{2DDCA253-094B-489E-B464-BC126C4E166C}" = protocol=17 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"{2DF1E1A6-3F36-4247-A130-BB3A740CE97C}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{2E5CE9F1-3237-47B0-A2B4-9C3053AB5A3C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{306863A8-7924-4FA4-BD83-F767CD9ECC28}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{31E6BD8F-BD8B-4E79-99B7-6EDE464E758D}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{3458AEBA-98FC-486B-9870-3494FB5107AE}" = protocol=17 | dir=in | app=c:\program files\skype\phone\skype.exe |
"{37368E3F-5298-4D98-97B5-73D5F4D1AB27}" = protocol=6 | dir=in | app=c:\windows\rthdvcpl.exe |
"{373A93A6-3C6E-4930-BE66-F09D6F12C86A}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{37D3D822-7261-494F-855D-32E563096C76}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{382256D3-8A24-44EC-B605-823B9798D3AF}" = protocol=17 | dir=in | app=c:\windows\rthdvcpl.exe |
"{387C09FA-0DBC-4690-8D72-D7E6FEC7F35A}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{3EBC62CD-9051-4A76-B2DF-015298BDE80F}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{41A6F988-D8CF-43FB-85BA-3D38F2DD043C}" = protocol=17 | dir=in | app=c:\program files\spotify\spotify.exe |
"{46DF572A-C4BB-4546-99AE-61BBAB00FED3}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{4A5C87AA-1069-4E87-AC10-0BB2110D9D51}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{4A8094F6-0C6F-46C2-8113-1B3A93FB4C14}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{4B01769D-674C-499F-98EA-9CD2BA20FC47}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{4DFC6A91-BFE9-4064-B6F0-CA157BC49A8E}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"{53DBA74A-093C-4270-BF2C-A9A443CAA248}" = protocol=17 | dir=in | app=c:\program files\acer zone\acer plug and record\component\arawp.exe |
"{5428362E-FD21-48F8-8171-3C5196313F73}" = protocol=17 | dir=in | app=c:\windows\system32\dwm.exe |
"{55B977DF-6808-4771-BE02-06849FA26416}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{5DD41FAA-096F-4367-838A-36C8C3E3313C}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{606F9767-608B-402B-961F-09F4FD26CF0D}" = protocol=6 | dir=in | app=c:\program files\acer zone\acer zone main page\mce deluxe suite.exe |
"{682BD5E6-0C76-45B4-A516-FB1DFC6BBF00}" = protocol=6 | dir=in | app=c:\windows\system32\dwm.exe |
"{69E5CD57-D89E-46A5-BB98-A79C39D6EC2A}" = protocol=6 | dir=in | app=c:\program files\acer zone\acer plug and record\component\dvax2process.exe |
"{6C1ACA9D-08A8-4A5A-8E07-4F3E5BE99FB4}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{6EF05A2E-2624-4EF1-90E3-7F58B3DDFDBB}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{72B513E0-5C67-4A53-8425-B82FD6AFE105}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{730A0C24-C55E-4A6A-81BE-20FC4E449E64}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{74C8EEE7-5FFB-47E0-AF8B-4971245908CA}" = protocol=17 | dir=in | app=c:\windows\rthdvcpl.exe |
"{7656E5F7-4215-4BF9-B7EE-0582554010B8}" = protocol=17 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"{7A5CBA66-D006-4CD7-BA7B-7086872ADBC1}" = protocol=6 | dir=in | app=c:\program files\acer zone\acer zone softdma\softdma.exe |
"{7DE42FBF-ACF3-4E8F-8A29-CC549C4E61C5}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{868A50BA-F5B8-472B-BBE4-6792935A4834}" = protocol=6 | dir=in | app=c:\program files\skype\phone\skype.exe |
"{9DCEC880-3536-4619-9F6D-B7793A3D6F8A}" = protocol=17 | dir=in | app=c:\windows\ehome\ehtray.exe |
"{9DE2CC96-75DC-47FF-BA30-9162BE1C38CF}" = protocol=17 | dir=in | app=c:\program files\acer zone\acer plug and record\component\dvax2process.exe |
"{9FD1C499-81A2-46E7-A581-82B41173358B}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"{9FF6AD10-3FF7-4B9A-AE08-660730BBB5AA}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{A06EA803-E165-43BD-829E-6F2EAC6A2CA9}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{A78BC911-2511-459C-87F1-414D46CA32D5}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{AFCA6403-E2D7-4192-B19F-5EE221580DC5}" = protocol=6 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"{B457AEF8-01CF-4E5A-B916-51136A665938}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{B72072FB-56BB-43FD-9A80-9BCF8D7289E0}" = protocol=6 | dir=in | app=c:\program files\acer zone\acer picture slide dvd\component\clsldvd.exe |
"{B76FED4E-E466-4396-9980-7B68902A6786}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{BF1B54E1-C519-43F7-BA00-DE95635B6FCD}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{C0C1E090-8C7A-48CA-96F5-F3B98046EDC1}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{C1764CD5-BD0B-435C-ACE4-58EBE804D60D}" = protocol=6 | dir=in | app=c:\windows\ehome\ehtray.exe |
"{CCC058AA-2F4C-4604-8F3C-93811B85C4A2}" = protocol=6 | dir=in | app=c:\program files\acer zone\acer plug and record\component\arawp.exe |
"{E08CF3B8-FF14-4F94-86BD-7D539E85F04A}" = protocol=6 | dir=in | app=c:\program files\spotify\spotify.exe |
"{E08D794B-CEE8-481B-BAA2-0F4E1B4FB584}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"{E688423C-0D91-4825-A856-8B8A18883F7E}" = protocol=6 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe |
"{E898729A-8693-49D4-807E-8796DB73C1FD}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{F4F92EC9-AF87-428C-8695-341E22B5ACA9}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{F805D548-A289-46D1-BD6F-D4F60A7C6050}" = protocol=17 | dir=in | app=c:\program files\acer zone\acer zone main page\mce deluxe suite.exe |
"{F92D6FF4-6C00-4923-8901-E7AA97049EDE}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{F9DC97B9-EABA-46EA-A7A6-9A66F2C4973C}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{FFAB5748-11DC-4D63-89AF-191C14AC21E0}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{FFF9A71C-EBC7-4C41-864D-EC577D1874E3}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"TCP Query User{02D406D9-58D8-4BC7-98C5-43A46CA22785}C:\program files\veoh networks\veoh\veohclient.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veoh\veohclient.exe |
"TCP Query User{05E04C7A-51CF-42C4-8197-9E941C261335}C:\program files\tvants\tvants.exe" = protocol=6 | dir=in | app=c:\program files\tvants\tvants.exe |
"TCP Query User{0D2CFC86-CD14-4CAB-B59E-0EC33F935B22}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{10B0B552-9B3A-4193-B64B-4214234054EE}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{27C52EAF-420F-4111-B048-A4B6326125FB}C:\program files\tvants\tvants.exe" = protocol=6 | dir=in | app=c:\program files\tvants\tvants.exe |
"TCP Query User{61D980FF-04A3-4DD2-991C-FEE9475CA81F}C:\program files\windows sidebar\sidebar.exe" = protocol=6 | dir=in | app=c:\program files\windows sidebar\sidebar.exe |
"TCP Query User{8A7616D9-6CED-44D7-888F-58DAD741309F}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"TCP Query User{9940011D-C263-451E-AC04-541C4FD5DD22}C:\program files\soulseek\slsk.exe" = protocol=6 | dir=in | app=c:\program files\soulseek\slsk.exe |
"TCP Query User{A8C2EDE8-0135-43EA-9D37-55DC4E38C573}C:\program files\filezilla\filezilla.exe" = protocol=6 | dir=in | app=c:\program files\filezilla\filezilla.exe |
"TCP Query User{AE0C5104-EE84-4898-AB6B-84CCD3507160}C:\program files\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\program files\spotify\spotify.exe |
"TCP Query User{B619BCE9-C8B2-49E2-857C-522677CDADD9}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=6 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"TCP Query User{BE95DC79-E013-401B-915A-88311563D1A8}C:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=6 | dir=in | app=c:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"TCP Query User{C359366A-2047-4CBC-90EA-5AC55FC5E028}C:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=6 | dir=in | app=c:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"TCP Query User{C4AD8857-E197-4128-8B71-28D1CAF49200}C:\program files\veoh networks\veoh\veohclient.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veoh\veohclient.exe |
"TCP Query User{D3F832FB-EA31-4C63-8A74-D12A57E465BB}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |
"TCP Query User{DCC5AC9B-37B6-4987-B655-5FB18D016EEC}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{E5A0AF0D-FFAA-407F-85A5-2F2000FEBCB6}C:\program files\soulseek\slsk.exe" = protocol=6 | dir=in | app=c:\program files\soulseek\slsk.exe |
"UDP Query User{011E20EF-1574-48B3-90E4-540D3B1AC1E0}C:\program files\tvants\tvants.exe" = protocol=17 | dir=in | app=c:\program files\tvants\tvants.exe |
"UDP Query User{07AD5B39-4B3C-4E00-8B54-127DA787A417}C:\program files\windows sidebar\sidebar.exe" = protocol=17 | dir=in | app=c:\program files\windows sidebar\sidebar.exe |
"UDP Query User{2C995874-DF4F-4579-B8D2-5A1EEBA9C0DF}C:\program files\bearshare applications\bearshare\bearshare.exe" = protocol=17 | dir=in | app=c:\program files\bearshare applications\bearshare\bearshare.exe |
"UDP Query User{2D88D270-6AFE-433F-96A2-6DB042280428}C:\program files\soulseek\slsk.exe" = protocol=17 | dir=in | app=c:\program files\soulseek\slsk.exe |
"UDP Query User{2F297E4F-05C8-4C82-9184-DA2E2895A46A}C:\program files\veoh networks\veoh\veohclient.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veoh\veohclient.exe |
"UDP Query User{3E317E94-18E3-4751-BA41-29C591193BA7}C:\program files\filezilla\filezilla.exe" = protocol=17 | dir=in | app=c:\program files\filezilla\filezilla.exe |
"UDP Query User{58F41A53-272A-43B9-A90C-32355E6E458D}C:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=17 | dir=in | app=c:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"UDP Query User{7F8CE00D-56E1-4F67-944B-2BF9AABAB83C}C:\program files\veoh networks\veoh\veohclient.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veoh\veohclient.exe |
"UDP Query User{9F9EC6B8-F0B0-4220-A680-F76B1A9EAAF8}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"UDP Query User{B0688855-6AA3-4CF6-8C19-FA12F86AC3F6}C:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=17 | dir=in | app=c:\users\lynnwade\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"UDP Query User{B5C8A3E3-CE39-4700-9274-B466B34635E8}C:\program files\tvants\tvants.exe" = protocol=17 | dir=in | app=c:\program files\tvants\tvants.exe |
"UDP Query User{BA3BE4BA-2CFA-4589-A724-F249415FCF84}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{BBD1B2C6-AFCE-4CAD-BBF6-772B5212CF91}C:\program files\soulseek\slsk.exe" = protocol=17 | dir=in | app=c:\program files\soulseek\slsk.exe |
"UDP Query User{E1F0CE02-0AA7-4BB2-B444-B671AD6A9C8A}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{ECD838A4-2511-4F8E-9C2B-B3F6C422836E}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{ED71A4EA-9720-4C28-886D-3FB9D35CF0D0}C:\program files\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\program files\spotify\spotify.exe |
"UDP Query User{EF17A740-A43F-4B7F-8DC2-F76E3EF28FCD}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series" = Canon iP1800 series
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2EC4EC2C-273E-4674-854A-7C2F97082E5E}" = Neokast Web Browser Plugins
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3E270C95-8327-4C2F-A8E1-902CC2604A20}" = HP Photo and Imaging 2.3 - Scanjet 4600 Series
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{67ADE9AF-5CD9-4089-8825-55DE4B366799}" = NTI Backup NOW! 4.7
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7DEBAA4-B211-4D1A-A6B3-E52BFAAA1D0C}" = Garmin Communicator Plugin
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AA4BF92B-2AAF-11DA-9D78-000129760D75}" = Acer Zone SoftDMA
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AEEAE013-92F1-4515-B278-139F1A692A35}" = Acer eDataSecurity Management
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{C3A11907-930D-41AC-A135-CC3B12F92011}" = Seagate Dashboard
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}" = WinZip 11.2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D462BF9E-0C35-4705-BF9B-3DF9F3816643}" = Acer ePerformance Management
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}" = Acer Zone Main Page
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6EFFB76-4A07-11DA-9D78-000129760D75}" = Acer Plug and Record
"{F79A208D-D929-11D9-9D77-000129760D75}" = Acer Zone MagicDirector
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"4Musics FLAC to MP3 Converter 4.0 Shareware_is1" = 4Musics FLAC to MP3 Converter 4.0
"Acer Registration" = Acer Registration
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATT-PRT22" = ATT-PRT22
"Baseball Card Collector Pro" = Baseball Card Collector Pro
"Belkin Setup and Router Monitor_is1" = Belkin Setup and Router Monitor
"BitTorrent" = BitTorrent
"BroadJump Client Foundation" = BroadJump Client Foundation
"Canon iP1800 series User Registration" = Canon iP1800 series User Registration
"CanonMyPrinter" = Canon My Printer
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Creative Media Lite" = Creative Media Lite
"DVD Shrink_is1" = DVD Shrink 3.2
"Easy-LayoutPrint" = Canon Utilities Easy-LayoutPrint
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"FileZilla" = FileZilla (remove only)
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 6.2
"hp instant support" = hp instant support
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"IrfanView" = IrfanView (remove only)
"Ken Ward's Zipper_is1" = Ken Ward's Zipper 1.4000
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"MVApplication1" = Memorex exPressit Label Design Studio
"NVIDIA Drivers" = NVIDIA Drivers
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Soulseek" = SoulSeek Client 156c
"Spotify" = Spotify
"TVAnts 1.0" = TVAnts 1.0
"WinFF_is1" = WinFF 1.1
"WinRAR archiver" = WinRAR archiver
"Yahoo! Widget Engine" = Yahoo! Widgets
"ZENStonePlusUG" = Creative ZEN Stone Plus User's Guide

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3391914120-3035634451-1718377386-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/25/2011 7:31:29 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/25/2011 7:31:29 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 14539

Error - 9/25/2011 7:31:29 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 14539

Error - 9/25/2011 7:31:30 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/25/2011 7:31:30 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 15553

Error - 9/25/2011 7:31:30 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 15553

Error - 9/25/2011 7:31:31 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/25/2011 7:31:31 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 16552

Error - 9/25/2011 7:31:31 PM | Computer Name = lynnwade-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 16552

Error - 9/25/2011 8:04:01 PM | Computer Name = lynnwade-PC | Source = Application Error | ID = 1000
Description = Faulting application mDNSResponder.exe, version 2.0.4.0, time stamp
0x4cae1be1, faulting module mDNSResponder.exe, version 2.0.4.0, time stamp 0x4cae1be1,
exception code 0xc0000005, fault offset 0x0000110a, process id 0xacc, application
start time 0x01cc7ac1c8a1b96f.

[ Media Center Events ]
Error - 5/23/2008 5:15:54 PM | Computer Name = lynnwade-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 5/29/2008 5:10:34 PM | Computer Name = lynnwade-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 6/1/2008 6:01:52 PM | Computer Name = lynnwade-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 8/28/2008 12:02:56 PM | Computer Name = lynnwade-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 4/12/2009 11:44:40 PM | Computer Name = lynnwade-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 9/7/2009 9:28:49 PM | Computer Name = lynnwade-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 9/29/2011 11:00:45 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:00:53 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:01:01 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:01:09 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:01:17 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:01:35 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:01:43 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:01:51 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:01:59 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/29/2011 11:02:09 AM | Computer Name = lynnwade-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.


< End of report >


Rootkit scan 2011-09-29 17:37:33
Windows 6.0.6000 Harddisk0\DR0 -> \Device\00000053 Hitachi_ rev.V5DO
Running: nuepqu8b.exe; Driver: C:\Users\lynnwade\AppData\Local\Temp\uxlcrkog.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\drivers\wgpqx.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x89AE0340, 0x3DB197, 0xE8000020]
? C:\Windows\system32\drivers\mbamswissarmy.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1840] Explorer.EXE 003B3BD7 2 Bytes [58, 18]
.text C:\Windows\Explorer.EXE[1840] Explorer.EXE 003BD071 2 Bytes CALL 003BCDE0 C:\Windows\Explorer.EXE (Windows Explorer/Microsoft Corporation)
.text C:\Windows\Explorer.EXE[1840] kernel32.dll!CreateProcessInternalW 77B4E445 5 Bytes JMP 001E771D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74F5FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74F2B9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74F1A31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74F1CBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74F18AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74F2CF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74F17D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74F17CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74F16A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74FAC1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74F37F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74F190CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74F22179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74F221A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74F27F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74F27D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74F583D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----
lynnw
Active Member
 
Posts: 7
Joined: September 29th, 2011, 4:49 pm

Re: Google/Yahoo Search Hijack

Unread postby deltalima » September 30th, 2011, 8:00 am

Hi lynnw,

Did you uninstall BitTorrent? It still shows in the uninstall list.

Please also remove SoulSeek Client

Security Check
Please download Security Check ... by screen317. Save it to your desktop.
Alternate download site: Link 2
  1. Double click the SecurityCheck.exe icon to begin.
  2. Press the Space Bar when you see the "press any key to continue..." message.
    A Notepad results file will open automatically called checkup.txt
  3. Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
  4. Please copy/paste the entire contents of the checkup.txt file into your next reply.
deltalima
Admin/Teacher

Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google/Yahoo Search Hijack

Unread postby lynnw » September 30th, 2011, 8:31 am

I have removed BitTorrent and Soulseek.

Here is the log from Security Check:

Results of screen317's Security Check version 0.99.19
Windows Vista (UAC is disabled!)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee Security Scan Plus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 18
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.3.181.26
Mozilla Firefox (Player..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Windows Defender MSASCui.exe
``````````End of Log````````````

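The Security Check output above is a posture report: UAC off, no service pack, IE 7, a firewall that is on, a scan-only McAfee tool but no resident antivirus registered with Security Center, four side-by-side Java 6 installs and an old Flash 9 ActiveX. The script below is an added example, not something from the thread and not screen317's tool, that reproduces those checks with built-in cmdlets so they can be re-run after each fix. It stays within the PowerShell 2.0 feature set that was available for Vista (Get-WmiObject, New-Object PSObject) and assumes the standard registry locations for UAC, the firewall profiles and the Uninstall keys; the function names are this example's own.

```powershell
# Added example (not from the thread, not Security Check itself): the posture
# checks the tool reports, done with built-in cmdlets. Written against the
# PowerShell 2.0 feature set that ships for Vista. Run from an elevated prompt.

function Get-UacState {
    # EnableLUA = 0 is the "UAC is disabled!" line in the Security Check log.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 1) { 'UAC enabled' } else { 'UAC is disabled!' }
}

function Get-OsState {
    # Vista 6.0.6000 is the RTM build; SP1 (6001) and SP2 (6002) followed it.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        Caption     = $os.Caption
        Version     = $os.Version
        ServicePack = $os.ServicePackMajorVersion
        OutOfDate   = ($os.Version -like '6.0.*' -and $os.ServicePackMajorVersion -lt 2)
    }
}

function Get-IeVersion {
    # IE 7-9 report their version here; IE 10+ keep the real value in svcVersion.
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -Name Version).Version
}

function Get-FirewallState {
    # Per-profile EnableFirewall flags, the same state netsh advfirewall prints.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($name in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $p = Get-ItemProperty -Path "$base\$name" -Name EnableFirewall -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Profile = $name; Enabled = ($p.EnableFirewall -eq 1) }
    }
}

function Get-RegisteredAntivirus {
    # Resident antivirus products register with Security Center in this namespace;
    # it is the "WMI entry" Security Check could not find. An on-demand scanner
    # such as McAfee Security Scan Plus does not count as a resident product.
    $av = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    if ($av.Count -eq 0) { return 'No antivirus registered with Security Center!' }
    $av | Select-Object displayName, pathToSignedProductExe, productState
}

function Get-InstalledRuntimes {
    # Every Java and Flash entry in the Uninstall keys. Several "Java(TM) 6 Update N"
    # entries side by side means superseded JREs were never removed and are still
    # reachable from the browser.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            Get-ChildItem -Path $k | ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
                Where-Object { $_.DisplayName -match '^Java|Flash Player' } |
                Select-Object DisplayName, DisplayVersion, PSChildName
        }
    }
}

function Invoke-PostureCheck {
    '=== UAC ===';          Get-UacState
    '=== OS ===';           Get-OsState | Format-List Caption, Version, ServicePack, OutOfDate | Out-String
    '=== IE ===';           Get-IeVersion
    '=== Firewall ===';     Get-FirewallState | Format-Table Profile, Enabled -AutoSize | Out-String
    '=== Antivirus ===';    Get-RegisteredAntivirus | Out-String
    '=== Java / Flash ==='; Get-InstalledRuntimes | Sort-Object DisplayName | Format-Table -AutoSize | Out-String
}

Invoke-PostureCheck
```

The antivirus query is the check that matters most for this thread: a product that never appears in root\SecurityCenter2 is not protecting the machine in real time, whatever the uninstall list says. The runtime listing is useful after cleanup too, because the search hijack in a case like this commonly arrives through an out-of-date browser plugin, and every stale JRE or Flash ActiveX left in place is a second door.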
Re: Google/Yahoo Search Hijack

Unread postby deltalima » September 30th, 2011, 8:55 am

Hi lynnw,

No Anti-virus Software Installed!
Looking over your log ... there is NO evidence of anti-virus software installed. This puts you at serious risk.
Anti-virus software will help detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.

To protect your computer from infection...download a (free for personal use) anti-virus program from one of these reliable vendors.

  1. avast! Free Antivirus - Excellent detection, the freeware version includes email scanning.
  2. Microsoft Security Essentials ** - New, from Microsoft, with email scanning, easy to install, easy to use.
    ** Your PC must run genuine Windows to install Microsoft Security Essentials.

Installing a new AV product.
Do NOT uninstall any existing anti-virus product yet!
  1. Download the new Anti-virus product to your computer desktop.
  2. Save any work. Close all applications, especially your Internet connection.
  3. Uninstall any existing anti-virus product... Use the AV uninstall option if available.
  4. Reboot your computer, if not done during the uninstall.
  5. Install the new AV product... following installation instructions.
  6. Check for updates to the new AV product, if not done during install setup.
  7. Run a full scan of your computer.

It is strongly recommended that you run only one antivirus program at a time.
Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Re: Google/Yahoo Search Hijack

Unread postby lynnw » September 30th, 2011, 11:59 pm

Thank you,

I downloaded avast! Antivirus and it cleared out what was affecting my google/yahoo searches. However, when I try to open "My Computer", etc. a pop-up comes up and won't let me open the folder on my computer because it contains a virus.

The exact message is

":{21EC2020-3AEA-1069-A2DD-08002B3030903}

Operation did not complete because the file contains a virus."

Is there any way to have avast! not recognize this?
When I did the scan it found:
C:\Windows\explorer.exe
C:\Windows\system32\wininit.exe
As high threats due to the Win32patch.

I tried to select "Do Nothing", but it still won't open windows so I can see in My documents, photos, music as well as any devices connected to the computer.

Re: Google/Yahoo Search Hijack

Unread postby lynnw » October 1st, 2011, 12:01 am

Also, it won't let me access Control Panel to uninstall software, which I think is a higher threat than what I was dealing with.

I appreciate all of your help.

Re: Google/Yahoo Search Hijack

Unread postby lynnw » October 1st, 2011, 12:10 am

Void whatever I mentioned about avast! helping with corrupted google/yahoo searches. My searches were working fine immediately after I had run the scan, but when I reopen Chrome, they are back to what they were. (Search results leading me to Zaginga and findyourdegree.com, as well as other spam sites.)

Re: Google/Yahoo Search Hijack

Unread postby lynnw » October 1st, 2011, 7:36 am

Last update: Husband restarted computer last night, now all seems to be fine.

Re: Google/Yahoo Search Hijack

Unread postby deltalima » October 1st, 2011, 10:41 am

Hi lynnw,

Husband restarted computer last night, now all seems to be fine.


Thanks for the update, however the symptoms suggest that the computer is suffering from a very serious infection and will require further work before it can be considered clean.

  • Please download this tool from Microsoft.
  • Right click on MGADiag.exe and select: Run as Administrator.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Download SystemLook and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    explorer.exe
    wininit.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

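The SystemLook :filefind step above is asked for because avast flagged C:\Windows\explorer.exe and C:\Windows\system32\wininit.exe, and the GMER log earlier in the thread shows a 5-byte JMP planted on kernel32.dll!CreateProcessInternalW inside Explorer. The helper wants every copy of those two files so the live binaries can be compared against the copies Windows keeps for servicing. The script below is an added example, not from the thread and not SystemLook, that does the same search and attaches an integrity check: each copy under the Windows directory is listed with its version, Authenticode status and SHA-256, and any set of copies that share a file version but differ in content is flagged. It assumes only .NET's SHA256 class and the Get-AuthenticodeSignature cmdlet (both present in PowerShell 2.0 on Vista, which has no Get-FileHash); the function names are this example's own.

```powershell
# Added example (not from the thread, not SystemLook): the ":filefind
# explorer.exe / wininit.exe" step with an integrity check attached. Lists every
# copy under the Windows directory (live binary, WinSxS component-store copies,
# service-pack backups) and flags copies that share a file version but differ in
# hash: a live system binary that no longer matches its component-store twin is
# what a "patched" detection is pointing at. PowerShell 2.0 feature set, so no
# Get-FileHash. Run elevated; WinSxS is not fully readable otherwise.

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # Open with ReadWrite sharing so in-use binaries such as explorer.exe can be read.
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Find-SystemBinaryCopies {
    param(
        [string[]]$Name = @('explorer.exe', 'wininit.exe'),
        [string]$Root   = $env:SystemRoot
    )
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($Name -contains $_.Name) } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Name        = $_.Name
                Path        = $_.FullName
                Length      = $_.Length
                Modified    = $_.LastWriteTime
                FileVersion = $_.VersionInfo.FileVersion
                Signature   = $sig.Status
                Signer      = $signer
                Sha256      = Get-Sha256 -Path $_.FullName
            }
        }
}

function Find-MismatchedCopies {
    param([object[]]$Copies)
    # Same name and file version but more than one distinct hash: one of the
    # copies has been altered. Different versions legitimately differ, because
    # WinSxS keeps superseded builds, so the grouping is by version on purpose.
    $Copies | Group-Object Name, FileVersion | Where-Object {
        @($_.Group | ForEach-Object { $_.Sha256 } | Sort-Object -Unique).Count -gt 1
    }
}

$copies = @(Find-SystemBinaryCopies)
$copies | Sort-Object Name, Path |
    Format-Table Name, FileVersion, Length, Signature, Sha256 -AutoSize | Out-String -Width 200

foreach ($group in Find-MismatchedCopies -Copies $copies) {
    "MISMATCH: $($group.Name)"
    $group.Group | Format-List Path, Modified, Signature, Sha256 | Out-String
}
```

Two caveats when reading the output on a machine of this vintage. Most Windows system binaries are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature on PowerShell before 5.1 does not consult catalogs, so an untouched explorer.exe can report NotSigned; the Signature column alone is not evidence of tampering. The hash comparison against the component-store copy of the same version is the decisive test, and `sfc /verifyonly` from an elevated prompt gives an independent second opinion, since it checks the live files against the same store. A mismatch on a file that is currently running is also the reason the helper asks for the log rather than a fix: replacing a patched explorer.exe or wininit.exe on a live system needs to be done from the component store or a recovery environment, not by deleting the flagged file.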
Re: Google/Yahoo Search Hijack

Unread postby deltalima » October 4th, 2011, 12:35 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.