Getting rid of ShopDrop from Chrome (a variant of Safesaver?)



Anton Kiwi
2014-01-02, 08:36
First ever post..
I do a bit of web work and have multiple browsers. Chrome and Mozilla have become infected with adware that has a 'Safesaver' keyword on roll-over. There is a green heart with an arrow coming out of it after various keywords and really annoying drop boxes. However, the extensions in settings did not have Safesaver, they had NetoC0UUppon and ShopDrop. I can manually remove NetoCoUUpppon but not ShopDrop. Spybot seems to have cleaned up Mozilla but not Chrome.

(Not sure - they keep coming back)

Surprisingly, there is nothing in Google on ShopDrop malware, quite a lot on Safesaver.
I am using Windows-XP

I have deleted ShopDrop as software in C:\Program Files\ShopDrop\ and in various App Data folders.
When I delete it from Chrome extensions and exit, it re-instates on restarting.
Can't find anything obvious in Startup that would run a malware re-installation.

Any ideas on fixes? Might have to re-install Chrome.

Thanks

Dakeyras
2014-01-02, 12:45
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.
Hi and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:


I will start working on your Malware issues, this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Scan with aswMBR:

Please download aswMBR.exe (http://files.avast.com/files/rootkit-scanner/aswmbr.exe) to your desktop.


Double-click on aswMBR.exe to start aswMBR.
When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
Now click on the Scan button to start scan
On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply

Note: There will also be a file on your desktop named MBR.dat (or similar), do not delete this for now, it is an actual backup of the MBR (master boot record).

Scan with OTL:

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) and save it to your desktop.

Alternate downloads are here (http://oldtimer.geekstogo.com/OTL.com) and here (http://oldtimer.geekstogo.com/OTL.scr).


Double-click on OTL.exe to start OTL.
Under Output, ensure that Standard Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Select both the LOP and Purity checkboxes.
Under the Custom Scan/Fixes box cut & paste this in:-

Netsvcs
Baseservices
%systemdrive%\*.exe
C:\Program Files (x86)\Google\Desktop
C:\Program Files\Google\Desktop
Dir "%systemdrive%\*" /S /A:L /C
CreateRestorePoint


Now click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these two Notepad files in your next reply.

Anton Kiwi
2014-01-03, 00:24
Thanks for the detailed instructions.
The three files requested have been created, but 2 were too big to attach.

All three have been put into a zipped folder on my website
http://www.antonz.co.nz/filelist.html
62 kb but they unpack to 500 kb or so.

I will be interested in your interpretation. I once was adroit at the mass-spectrometry of steroids and the horrors that students did to library databases, but all this Adware is a mystery to me.

I looked back on browser history for around the time the problem happened. Only item of interest was a 'survey' site that I accidentally stumbled into and out of: "Ebhostingnz survey" associated with consumersgroupsurvey.biz and mtrackin.com
I have the detailed links if need be, but that could be an invitation for someone else to get infected.

Thanks

Anton

Dakeyras
2014-01-03, 13:31
Hi. :)


Thanks for the detailed instructions.
The three files requested have been created, but 2 were too big to attach.
Acknowledged and you're welcome!

I have a fair few tasks for yourself to complete below, just take your time...

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.


Please go here (http://www.aumha.org/downloads/erunt-setup.exe) and download ERUNT.
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Double click on erunt-setup.exe to Install ERUNT by following the prompts.
Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK
Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK


firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> check-mark On(recommended) if it is not selected >> OK.

Java Advice:

There has been a recent severe exploitation of this software. Even though this exploit has been reportedly fixed there is still a vulnerability with the software. I will be advising the uninstallation of all related (see below), your choice if you wish to go ahead and reinstall but I advise against it and for the present I do not even have anything Java related installed on any of my machines.

Please let myself know what you wish to do about this in your next reply please and if you opt to re-install I will provide both the appropriate instructions and safety advice etc.

Uninstall Software:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Ad-Aware 2007
Azureus
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) 6 Update 16
Java(TM) 6 Update 20
J2SE Development Kit 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1
Scott's Windows Startup Program Manager
Security Task Manager
Vuze

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Custom OTL Script:


Double-click on OTL.exe to start the program.
Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


:Commands
[CreateRestorePoint]

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchrocket.info/?pid=945&r=2013/05/26&hid=1419967750&lg=EN&cc=NZ&unqvl=16
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.searchrocket.info/?l=1&q={searchTerms}&pid=945&r=2013/05/26&hid=1419967750&lg=EN&cc=NZ&unqvl=16
IE - HKU\S-1-5-21-1028650419-271652883-2196580752-1006\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
FF - prefs.js..browser.search.defaultenginename: "WebSearch"
FF - prefs.js..browser.search.defaultenginename,S: S", "WebSearch"
FF - prefs.js..browser.search.defaulturl: "http://websearch.searchrocket.info/?pid=945&r=2013/05/26&hid=1419967750&lg=EN&cc=NZ&unqvl=16&l=1&q="
FF - prefs.js..browser.search.order.1: "WebSearch"
FF - prefs.js..browser.search.order.1,S: S", "WebSearch"
FF - prefs.js..browser.search.selectedEngine: "WebSearch"
FF - prefs.js..browser.search.selectedEngine,S: S", "WebSearch"
FF - prefs.js..keyword.URL: "http://websearch.searchrocket.info/?pid=945&r=2013/05/26&hid=1419967750&lg=EN&cc=NZ&unqvl=16&l=1&q="
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: ""
FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: ""
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: ""
[2008/12/24 09:47:01 | 000,024,576 | ---- | M] (My Search) -- C:\Program Files\mozilla firefox\plugins\NPMySrch.dll
CHR - plugin: My Search Plugin Stub (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPMySrch.dll
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (c:\docume~1\alluse~1\applic~1\intele~1\intele~1.dll) - c:\Documents and Settings\All Users\Application Data\Intelewin filter\Intelewinfilter.dll ()
[2013/12/31 15:56:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ollmalhdokedohjhchdgoocoongbpgmj
[2013/12/31 15:56:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\683f47e27ebd587
[2008/02/06 17:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2012/05/29 22:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\General\Application Data\Azureus

:Files
ipconfig /flushdns /c
C:\Program Files\Azureus
C:\Program Files\Java
C:\Program Files\Lavasoft
C:\Program Files\Vuze

:Commands
[ResetHosts]
[EmptyTemp]

Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The log-file can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Please download the installer for Malwarebytes' Anti-Malware (http://downloads.malwarebytes.org/mbam-download-standalone-random.php) to your desktop.

Note: The installer will be randomly named, say for example something like 549od2jqai.exe


Double-click on the randomly named exe file, then follow the prompts to install the program.
At the end, be sure a check-mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version. When the program loads, Decline the Malwarebytes' Anti-Malware Trial (You can activate this when we've finished, if you so wish)

Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please post that log in your next reply.

The log can also be found here:

Launch Malwarebytes' Anti-Malware
Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next:

When completed the above, please post back the following in the order asked for:


How is your computer performing now, any further symptoms and or problems encountered?
Your decision about a new Java installation.
OTL Log from the Custom Script.
Malwarebytes Anti-Malware Log.
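
Added example, not part of the original thread and not OTL's own code: a small Python triage over log lines in the format used by the fix script above, flagging the kinds of entries that script lists (browser search settings pointing at an unexpected host, autostart entries whose target is missing, AppInit_DLLs in a data directory, folders named like a Chrome extension ID). The sample lines, the host allowlist and all function names are constructed for illustration.

```python
import re

# Search hosts the machine's owner expects (assumption; adjust per environment).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}
# Data directories on XP, as opposed to Program Files or system32.
DATA_DIRS = ("\\application data\\", "\\local settings\\")

URL_RE = re.compile(r"https?://([^/\s\"'?]+)", re.I)
# Chrome extension IDs are exactly 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
# "[date time | size | attributes | C or M] (optional company) -- path"
FILE_RE = re.compile(r"^\[[^\]]*\|\s*(\S+)\s*\|\s*[CM]\]\s*(?:\(.*?\)\s*)?--\s*(.+)$")


def triage_line(line):
    """Return (category, detail) for one OTL-style log line, or None."""
    line = line.strip()
    low = line.lower()
    if line.startswith(("IE - ", "FF - ")):
        # Start page, search scope and prefs.js search settings.
        m = URL_RE.search(line)
        if m and m.group(1).lower() not in EXPECTED_SEARCH_HOSTS:
            return ("search-hijack", m.group(1).lower())
    elif line.startswith("O4 - "):
        # Autostart (Run key) entries; a missing target is a leftover to clean.
        if low.endswith("file not found"):
            return ("orphan-autorun", line[len("O4 - "):])
    elif line.startswith("O20 - AppInit_DLLs:"):
        # AppInit_DLLs are loaded into every process that loads user32.dll,
        # so any entry deserves review; one in a data directory more so.
        if ") - " in line:
            path = line.split(") - ", 1)[1].rsplit(" (", 1)[0]
            if any(d in path.lower() for d in DATA_DIRS):
                return ("appinit-dll", path)
            return ("appinit-dll-review", path)
    else:
        m = FILE_RE.match(line)
        if m and "D" in m.group(1):
            path = m.group(2).strip()
            leaf = path.rsplit("\\", 1)[-1]
            # Extension-ID-shaped folder outside Chrome's own profile tree.
            if EXT_ID_RE.match(leaf) and "\\google\\chrome\\" not in path.lower():
                return ("extension-id-folder", path)
    return None


def triage(text):
    """Return [(line_number, category, detail)] for every flagged line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        result = triage_line(line)
        if result:
            hits.append((number, *result))
    return hits


# Constructed sample in the log's format; none of these values are from a real machine.
SAMPLE_LOG = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/?pid=1
FF - prefs.js..browser.search.defaultenginename: "WebSearch"
FF - prefs.js..keyword.URL: "http://search.example.invalid/?q="
O4 - HKLM..\Run: [ExampleUpdater] "C:\Program Files\Example\upd.exe" File not found
O4 - HKLM..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\docume~1\alluse~1\applic~1\exampl~1\filter.dll) - c:\Documents and Settings\All Users\Application Data\Example filter\filter.dll ()
[2013/12/31 15:56:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\abcdefghijklmnopabcdefghijklmnop
[2008/02/06 17:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ExampleApp
""".strip()

if __name__ == "__main__":
    for number, category, detail in triage(SAMPLE_LOG):
        print(f"line {number}: {category}: {detail}")
```

The output is a review list for a human helper, not a verdict: each flagged line still has to be checked against what is actually installed before anything is removed.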

Anton Kiwi
2014-01-04, 03:49
It looks to be all fixed.
In Chrome, the many keywords with links and pop-ups are no longer present, nor when you go into Settings>Extensions has Shopdrop reappeared.

Java - I will not be using this anymore.

Logs are attached.
OTL: 01042014_092517.txt (suffix changed from .log to be one of the allowed suffixes)
Malware: mbam-log-2014-01-(12-52-59).txt

Many thanks for solving this problem. I hope the attached files will help you in the continuing fight against malware.

Regards

Anton

Dakeyras
2014-01-04, 13:49
Hi. :)


It looks to be all fixed.
In Chrome, the many keywords with links and pop-ups are no longer present, nor when you go into Settings>Extensions has Shopdrop reappeared.

Good.


Java - I will not be using this anymore.
Acknowledged.

Scan with AdwCleaner:

Please download adwcleaner from here (http://www.bleepingcomputer.com/download/adwcleaner/) and save to your desktop.

Alternate downloads are here (http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml) or here (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner).


Double-click on adwcleaner.exe to launch the application.
Now click on the Scan tab >> once the scan is complete click on the Clean tab and follow the prompts.
Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

Note: The log can also be located at C: >> AdwCleaner >> AdwCleaner[S0].txt

Check Hard Disk For Errors:

Press Start->Run, then copy/paste the following command into the box and press OK:


cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
A blank command window will open on your desktop, then close in a few minutes. This is normal.

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

Anton Kiwi
2014-01-05, 02:16
Completed the next stage, thank you.

Checkdisk seems to have stopped early due to read-only mode.

Regards

Anton

Dakeyras
2014-01-05, 17:29
Hi. :)


Checkdisk seems to have stopped early due to read-only mode
This merely denotes some in-depth system maintenance is required, which we will address.

TFC(Temp File Cleaner):


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to the desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click on TFC.exe to run the program.
Click the Start button in the bottom left of the GUI (graphical user interface).
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

I advise you keep TFC on the desktop after I give the all clear and run it say at least once per week as it is a very effective piece of software for cleaning out temp' files etc.

Hard-Drive Maintenance/Repair:

Note: For the CHKDSK portion you may refer to this tutorial of mine here (http://forums.whatthetech.com/How_run_CHKDSK_Windows_XP_t102348.html) and follow the instructions for Graphical Mode if you so wish.


Click Start >> Run... then type in CMD and click on OK.
At the Command Prompt C:\ > type the following:
CD C:\ and hit the Enter/Return key.
Now type in DEFRAG C: -F
An Analysis report will be displayed and then Windows will start the Defragmentation run automatically.
This may take some time, when completed the Command Prompt C:\ > will appear.
Now type in CHKDSK C: /R and hit the Enter/Return key.
When prompted with:

CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)
Hit the Y key then at the Command Prompt C:\ >
Type in EXIT and hit the Enter/Return key.
Now Reboot(Restart) your computer.

Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

You should see a screen like this just after the Post(power on self test) screen:

http://i223.photobucket.com/albums/dd202/Dakeyras_album/ChkDsk01.png

Note: Do not touch either the keyboard or Mouse, otherwise the Check-Disk will be canceled and your computer will continue to boot-up as normal.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).

If you wish to use Google Chrome for the online scan, merely inform myself and I will provide alternate/the appropriate instructions for that etc.


Please go here (http://www.eset.com/online-scanner-popup/) to run the scan...

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the log file located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

My friendly advice is you consider keeping the online scanner installed then run it say once per month as an extra check. A quick easy way to do so would be via:-

Click on Start >> My Computer >> C: >> Program Files >> ESET >> ESET Online Scanner >> then double-click on OnlineScannerApp.

Anton Kiwi
2014-01-06, 08:55
Completed all your requests.

Attached is the ESET log file.

12 threats and they are still there....

On we go.

Regards

Anton

Dakeyras
2014-01-06, 10:40
Hi. :)


12 threats and they are still there....
Some have been quarantined by both ADWCleaner and OTL and will be fully purged in due course, the remaining we can deal with now as follows.

Next:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files and one folder (if still present):

C:\Documents and Settings\General\My Documents\Downloads\Setup_FreeBurner.exe
C:\Documents and Settings\General\My Documents\Downloads\Setup_FreeVideoConverter.exe
C:\Documents and Settings\General\My Documents\Downloads\spybotsearchanddestroy-setup.exe
C:\Documents and Settings\General\My Documents\Downloads\Unconfirmed 626353.crdownload
C:\Documents and Settings\General\My Documents\Installations\noadware.exe
F:\angela_my_documents\Downloads\CuteWriter.exe
F:\Dell desktop\downloads\4shared_Desktop_320.exe

Then empty the Recycle Bin.

Next:

Let's check/update some software as follows shall we...


Download and install FileHippo Update Checker from here (http://www.filehippo.com/updatechecker/).
Once installed (during the installation process deselect the option:- Run at Startup) >> Start >> All Programs >> double-click on Update Checker >> a browser window will open after the scan is complete.
Download any updates detected(apart from beta updates) to the desktop >> uninstall anything that requires updating via Add/Remove Programs in the Control Panel.
Re-install the updated software, delete the installers and then empty the Recycle Bin.
When completed the above let myself know and if any further issues remaining, thank you.

Note: When I give the all clear my advice would be to consider keeping FileHippo Update Checker installed. Then periodically use it to check for any updates as having certain software outdated is a potential for malware to gain a foothold and exploit a system etc.

Anton Kiwi
2014-01-07, 06:16
Deleted as advised. Didn't update everything. I just deleted DivX and iTunes as I don't use them. They are left over from brief experiments.

No remaining issues but advice wanted:
CuteWriter was there as a backup for another machine which does not have pdf creation by Adobe available.
I would like to use the program. I think I should delete it off my other computer completely, and download a clean version.
Is it ok to do a download from a trustworthy site, and install, but before running, check that it is indeed virus free?

Thanks

Anton

Dakeyras
2014-01-07, 10:54
Hi. :)


CuteWriter was there as a backup for another machine which does not have pdf creation by Adobe available.
I would like to use the program. I think I should delete it off my other computer completely, and download a clean version.
Is it ok to do a download from a trustworthy site, and install, but before running, check that it is indeed virus free?
I am not really au fait with the software in question to be honest but what you mentioned does indeed sound a prudent course of action.

Next:

Congratulations your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

Also so is this:

What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)

Uninstall AdwCleaner:


Double-click on AdwCleaner.exe to start the program
Click on Uninstall >> Yes, this will remove the application and its log(s) etc.

Reset SR Points/Clean up with OTL:


Double-click OTL to start the program.
Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Commands
[ClearAllRestorePoints]
Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered. When finished click on OK and close the log that appears.
Note: I do not need to review the log produced.
Now close all other programs apart from OTL as this step will require a reboot.
On the OTL main screen, depress the CleanUp button.
Say Yes to the prompt and then allow the program to reboot your computer.

The above process will flush old System Restore points and create a new clean one. It should also clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Next:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center (http://www.microsoft.com/en-gb/security/default.aspx)

As is this: Computer Security - a short guide to staying safer online (http://malwareremoval.com/forum/viewtopic.php?f=4&t=54766)

If not aware, support for XP SP3 will be withdrawn in April of this year, this article (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=62384#.Urcg3rRs_TI) explains further and provides salient advice etc.

Next:

Any questions? Feel free to ask, if not stay safe!

Anton Kiwi
2014-01-08, 09:57
All now well.

Thank you very much for the help and for the advice.

I even hit something suspect with Malwarebytes today.
(Looking at old files and deciding that unused software is either out of date or a threat. Being a hoarder can cause problems.)

Hopefully others can benefit from the process as well.

Regards

Anton

Dakeyras
2014-01-08, 11:37
Acknowledged and you're most welcome! :)

Dakeyras
2014-01-09, 10:50
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)