Search Hijack problem

Hi mlleeder

I am not yet quite sure about that "google search" trouble......I will continue searching :)

Let's try a different online scan

F-Secure Online Scan

  1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
  2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
  3. Click on Accept to accept the License Agreement.
  4. Click on Custom Scan.
    • Under Virus Scan Options, select the Scan whole system option.
    • Under Other Scan Options, select these options:
      • Scan all files
      • Scan whole system for rootkits
      • Scan whole system for spyware
      • Scan inside archives
      • Use advanced heuristics
  5. Click Start.
  6. It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
  7. Click on I want to decide item by item.
  8. Under Actions, select None for all infections found.
  9. Click Next.
  10. Click on Show Report.
  11. Please copy and paste this report in your next reply.
  12. Click Finish.
 
Hi mlleeder

Open Notepad.
Copy the text from the box to an empty file.
Save it as export.bat to your desktop.
Choose save as all types
Code:
regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
Close Notepad.

Locate Export.bat on your Desktop and double-click on it. It will create a file called look.txt in C:\
Copy the entire text and paste it to your reply here in this topic.

Thanks peku006
 
Status report: waiting for F-Secure to Finish

Thank you for the additional instructions; for your information, I want to let you know what's going on with this:

I started the F-Secure Online scan about 9:00 am EST - about 5 hours ago.

The Online Scan seems to be running fine; below is a snapshot of the F-Secure status screen as of now:

Scanning. Please wait...


Target:
C:\ + system for malware + system for rootkits

Currently scanning:
C:\Program Files\Intuit\QuickBooks 2006\Components\DownloadQB16\Patch\QB2006_Core_R6R7_msp.dat\stream 2\premier_n.chm

Scanned:
388729

Skipped:
24

Viruses:
0

Hidden items:
0

Spyware:
1


When this is finished, I will proceed with your instructions to create and run export.bat.
 
Status Report #2

Hi, peku006, just checking in...

Hard to believe, but it's still going! As I recall, the number of files typically scanned (by AdAware, for example), is between 700000 and 800000; F-Secure is now up to about 625000.

I'm assuming it's slow because it's an Online scan, as opposed to a scan that runs locally.

I'm hoping I'll be able to have the log and the "look.txt" file posted before tomorrow (using GMT+1). Not sure you'll be able to look at it until tomorrow, though.

Regards,
 
F-Secure Report

Peku006; the scan finally finished, after almost 11 hours! I selected "Decide Item by Item" and selected "None" for Actions.


Report is below:
--------------------------

Scanning Report
Sunday, February 15, 2009 08:51:49 - 19:32:25
Computer name: MARYLOU
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 9 malware found
TrackingCookie.2o7 (spyware)
System
Trojan-Downloader.Win32.Agent.caa (virus)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80000.VBN (Disinfected & Submitted)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80001.VBN (Disinfected & Submitted)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80002.VBN (Renamed & Submitted)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80003.VBN (Renamed & Submitted)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80004.VBN (Renamed & Submitted)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80005.VBN (Renamed & Submitted)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80006.VBN (Renamed & Submitted)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80007.VBN (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 693287
System: 6013
Not scanned: 150
Actions:
Disinfected: 2
Renamed: 6
Deleted: 0
None: 1
Submitted: 8
Files not scanned:

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.6.8511, 2009-02-13
F-Secure AVP: 7.0.171, 2009-02-13
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics
 
Results from Look.txt

Peku006, below is the text from the file "C:\look.txt"

Looking forward to our next steps....

Thanks again for your help.


-----------------------



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.LEAD"="LCODCCMP.DLL"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"vidc.ffds"="C:\\Program Files\\ffdshow\\ffdshow.ax"
"VIDC.MJPG"="pvmjpg21.dll"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux"="wdmaud.sys"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
 
Norton and Ad-Aware messages generated overnight

FYI, Norton Antivirus generated the following message, in a window entitled "Symantec AntiVirus Notification":

----------------------
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan Horse
File: C:\WINDOWS\TEMP\AB.tmp
Location: Quarantine
Computer: MARYLOU
User: SYSTEM
Action taken: Quarantine succeeded : Access denied
Date found: Sunday, February 15, 2009 11:53:09 PM



--------------------------------

Ad-Aware generated the following, in a window entitled "Send Error Report to Lavasoft":

-----------------------------
Ad-Aware was shut down unexpectedly and has generated an error report.

By sending the error report to Lavasoft you can help us identify the problem and fix it.

Click OK to send the report (no other information will be sent) or Cancel if you prefer not to send it.
-----------------------------

I clicked OK and sent the report.
 
Exported Norton Threat History

Below is the Threat History list from recent Symantec Norton Antivirus scans on my computer, exported as a comma delimited file (csv). I am sending this list in case it will help identify what malware is causing my search hijack problem.

These files have been quarantined. Should I permanently delete them?

Date,Filename,Threat,Threat Type,Action Taken,Computer,User,Original Location,Status,Current Location,Primary Action,Secondary Action,Scan Type,Action Description
2/16/2009 2:32:37 AM,16D80001.VBN,??????,Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\,Still contains 3 infected items,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/16/2009 2:32:37 AM,Adobe.exe,Downloader,File; Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80001.VBN>>C:\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/16/2009 2:32:37 AM,Adobe.exe,Downloader,File; Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80001.VBN>>C:\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/16/2009 2:32:37 AM,Adobe.exe,Downloader,File; Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80001.VBN>>C:\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/16/2009 2:32:36 AM,16D80000.VBN,??????,Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\,Still contains 3 infected items,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/16/2009 2:32:36 AM,Adobe.exe,Downloader,File; Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80000.VBN>>C:\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/16/2009 2:32:36 AM,Adobe.exe,Downloader,File; Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80000.VBN>>C:\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/16/2009 2:32:36 AM,Adobe.exe,Downloader,File; Compressed file,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16D80000.VBN>>C:\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
2/15/2009 11:53:09 PM,AB.tmp,Trojan Horse,File,Quarantined,MARYLOU,SYSTEM,C:\WINDOWS\TEMP\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
2/14/2009 1:29:50 PM,82.tmp,Trojan Horse,File,Quarantined,MARYLOU,SYSTEM,C:\WINDOWS\TEMP\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
2/14/2009 1:29:41 PM,cgtjbewx.dll,Trojan Horse,File,Quarantined,MARYLOU,mldellafera,C:\DOCUME~1\MLDELL~4\LOCALS~1\Temp\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
2/14/2009 1:29:39 PM,7E.tmp,Trojan Horse,File,Quarantined,MARYLOU,SYSTEM,C:\WINDOWS\TEMP\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
2/14/2009 1:25:36 PM,7B.tmp,Trojan Horse,File,Quarantined,MARYLOU,SYSTEM,C:\WINDOWS\TEMP\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
2/14/2009 1:25:20 PM,cgtjbewx.dll,Trojan Horse,File,Quarantined,MARYLOU,mldellafera,C:\DOCUME~1\MLDELL~4\LOCALS~1\Temp\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
2/14/2009 1:25:13 PM,77.tmp,Trojan Horse,File,Quarantined,MARYLOU,SYSTEM,C:\WINDOWS\TEMP\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
2/14/2009 2:45:44 AM,1[1].pdf,Trojan.Pidief.D,File,Quarantined,MARYLOU,mldellafera,C:\Documents and Settings\mldellafera\Local Settings\Temporary Internet Files\Content.IE5\C4ACFS6N\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
 
Hi mlleeder

Please empty your Norton AntiVirus Quarantine. If you don't know how, click here.

1 - Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe.
  • Copy the lines in the codebox below.
Code:
:files
C:\Windows\system32\wdmaud.sys file

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="wdmaud.drv"
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Please reply with

the OTMoveIt3 log

How is the computer running now?
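
An added example (not from the thread, and not code from OTMoveIt3 or regedit): the fix above resets the drivers32 "aux" value, which look.txt showed as wdmaud.sys while the wave, midi and mixer slots all point to wdmaud.drv. This Python check parses a `regedit /e` export and flags any device slot whose driver differs from its siblings; the majority heuristic, the function names and the shortened sample export are assumptions of this example.

```python
import re
from collections import Counter

DRIVERS32 = r"hkey_local_machine\software\microsoft\windows nt\currentversion\drivers32"
# Assumption of this example: wave/midi/mixer/aux slots normally share one
# driver, so a slot that differs from the majority deserves a closer look.
DEVICE_SLOT = re.compile(r"^(wave|midi|mixer|aux)\d*$", re.IGNORECASE)
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample: a shortened copy of the look.txt export from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wavemapper"="msacm32.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave1"="wdmaud.drv"
"aux"="wdmaud.sys"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''
# regedit /e writes "Version 5.00" exports as UTF-16LE with a byte-order mark.
RAW = b"\xff\xfe" + SAMPLE_EXPORT.replace("\n", "\r\n").encode("utf-16-le")


def decode_export(raw: bytes) -> str:
    """Decode an export file; fall back to UTF-8 if it was re-saved by hand."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8-sig", errors="replace")


def parse_reg(text: str) -> dict:
    """Return {lower-cased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = STRING_VALUE.match(line)
            if m:  # dword/hex values are skipped; only string values matter here
                # Undo .reg escaping (\\ -> \ and \" -> ")
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys


def odd_device_drivers(keys: dict) -> list:
    """Device slots directly under drivers32 whose driver is not the majority one."""
    slots = {n: v for n, v in keys.get(DRIVERS32, {}).items() if DEVICE_SLOT.match(n)}
    if not slots:
        return []
    usual, _ = Counter(v.lower() for v in slots.values()).most_common(1)[0]
    return sorted((n, v) for n, v in slots.items() if v.lower() != usual)


if __name__ == "__main__":
    for name, driver in odd_device_drivers(parse_reg(decode_export(RAW))):
        print(f'review: "{name}"="{driver}"')
```

The Terminal Server\RDP subkey is parsed as its own key, so its rdpsnd.dll entries are not compared against the local audio slots.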
 
the OTMoveIt3 log

========== FILES ==========
File/Folder C:\Windows\system32\wdmaud.sys file not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"aux"|"wdmaud.drv" /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02162009_190424
 
Thank you peku006 - and, Wooooooo Hooooooo!

I can finally search using Google, and not a single bogus link in sight!

Thanks so much for sticking with this, and for taking the time to reply so far into the evening.

After seeing that Google search was working properly, I shut down/restarted - and AdAware loaded on its own again - which it hadn't been doing. I also re-loaded Symantec Anti-Virus.

I then ran my freshly updated version of Spybot, enabled TeaTimer, then Immunized.

If you have any other thoughts about additional virus/spyware protection I should consider, I'd like to hear your recommendations (I know you can't necessarily endorse a specific vendor/product).

Also, I'd really like to learn how to help as a volunteer - I have done a little research into the Malware Removal University and I noticed that UNITE offers training as well. I know it's a lot of work, but I've worked in IT for most of my career and would welcome the challenge. And, I feel strongly about volunteering in communities in which I live and work, and this would be a good way to volunteer in the virtual world/community!

I know it will take a while before I can contribute, but I'm willing - so, if you have any recommendations about with what training program I should start, I'd appreciate your input.

Thanks again, a thousand times over!

Take care,
 
Hi mlleeder

Great that Google works better now, the scans are fine and it looks like your machine is clean :yahoo:
If you are interested in the fight against malware, I suggest you join the forums at Malware Removal University :welcome:

Next we remove all used tools.
Delete RSIT from your desktop, also delete this folder C:\rsit.

  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.


Happy safe surfing! :bigthumb:
 
Thanks, final steps completed!

peku006, thanks for the follow-up - I'm so pleased with my system's performance now (in addition to the fact that Google Search works)!

I have completed the final cleanup steps and have copied links so I can download the recommended programs and install tomorrow. As you know, I already have and use Spybot, in addition to AdAware and Norton.

And, I'm glad you pointed me towards the "How did I get Infected Anyway" article - I had already read it once, but couldn't remember where to find it - didn't realize it was right here on Safer Networking:-)

Thanks again, and maybe I'll see you around Malware Removal University - if you still drop in there from time to time!

Best,

MaryLou
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 