TechSpot

Search result redirected to another site

By bulmanian
Mar 30, 2010
  1. Hi,

    I use both Internet Explorer and Mozilla Firefox for browsing; however, the search results keep redirecting me to another site (ad sites) from the link I originally click. I have to click 2 - 3 times before it gets me to the right page. It's very frustrating.

    I tried a complete scan using Avira Antivirus, Malwarebytes Anti-Malware and SuperAntiSpyware, and finally detected 252 infections, which were quarantined. But it doesn't seem to solve the problem. Lastly, I downloaded hijackthis.exe. I have attached the log here for further assessment.

    How do I remove this adware? Your help is highly appreciated. Thanks!
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. I'll help you with the malware, but I need more information. The Hijackthis log alone is not enough. We need to see the logs from the cleaning programs. They will show us if any specialized program needs to be run.

    Please follow the steps in the Preliminary Virus and Malware Removal HERE.

    When you have finished, leave all 3 of the logs in your next reply for review.
     
  3. bulmanian

    bulmanian TS Rookie Topic Starter

    Hi,

    I have already scanned the computer using Malwarebytes Anti-Malware, SuperAntiSpyware, and HijackThis. Please find the attachment. I'm unable to re-attach the log for HijackThis, but you can find the information below. Thanks for your assistance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:15:04 PM, on 30/03/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Common Toolkit Suite\FighterSuiteService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\system32\hphmon05.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Fighters\SPAMfighter\sfus.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Fighters\SPAMfighter\sfagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lite.rogers.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Nuclear Games Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [sfagent] C:\Program Files\Fighters\SPAMfighter\sfagent.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250709925250
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250710019750
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Common Toolkit Service - SPAMfighter - C:\Program Files\Common Files\Common Toolkit Suite\FighterSuiteService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\Fighters\SPAMfighter\sfus.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 8936 bytes
     

    Attached Files:
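The HijackThis log above is read by hand in this thread, but the two checks a helper does first can be scripted: group O2/O3 entries by CLSID to spot one component registered under several names (here the Ask Toolbar BHO and the "Nuclear Games Toolbar" share CLSID {D4027C7F-154A-4066-A1AD-4243D8127440} and the same DLL), and flag O4 autorun entries whose executable lives in a user-writable location. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log above except for the final "updater" O4 line, which is constructed to show what a flagged entry looks like, and the USER_WRITABLE path markers are a heuristic chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the HijackThis log in this thread plus one
# made-up O4 entry ("updater") that runs from a Temp folder.
SAMPLE_LOG = r"""
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Nuclear Games Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Denis\Local Settings\Temp\updater.exe
"""

# O2 (BHO) and O3 (toolbar) lines: "<section> - <kind>: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Heuristic (assumption): autoruns from these locations deserve a second look,
# because malware usually cannot write under Program Files but can write here.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def _exe_path(cmd):
    """Extract the executable path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" (User ")[0]


def parse_hjt(text):
    """Parse O2/O3/O4 lines into dicts; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"section": m.group(1), "name": m.group(2),
                            "clsid": m.group(3).upper(), "path": m.group(4)})
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({"section": "O4", "hive": m.group(1), "name": m.group(2),
                            "clsid": None, "path": _exe_path(m.group(3))})
    return entries


def clsid_collisions(entries):
    """CLSIDs registered under more than one display name -> set of names."""
    names = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            names[e["clsid"]].add(e["name"])
    return {c: n for c, n in names.items() if len(n) > 1}


def suspicious_autoruns(entries):
    """O4 entries whose executable sits in a user-writable location."""
    return [e for e in entries
            if e["section"] == "O4"
            and any(marker in e["path"].lower() for marker in USER_WRITABLE)]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for clsid, names in clsid_collisions(found).items():
        print(f"{clsid} registered as: {sorted(names)}")
    for e in suspicious_autoruns(found):
        print(f"autorun [{e['name']}] runs from {e['path']}")
```

Neither check proves malware on its own: a shared CLSID can be a vendor shipping one DLL under two branded names (which is exactly what the log shows), and a legitimate updater can run from Application Data. The point is to surface the entries a human should look at first instead of reading 60 lines by eye.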

  4. bulmanian


    Hi,

    I also received other assistance, which suggested that I perform another scan using DDS and GMER. Should I do that too? Thanks.
     
  5. Bobbye


    While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

    In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.

    I will either review your logs or close the thread depending on your answer.
     
  6. bulmanian


    Hi,

    Thanks for the advice and sorry about that; I thought I had posted it only once, on this forum.

    Anyhow, I'd very much like you to assist me through this problem, if you may. Please review my logs. Looking forward to your reply.

    Thanks!
     
  7. Bobbye


    There is no malware showing in these logs. We will look further:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run it.
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Follow that with an online AV scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please give me the Combofix report and the Eset log in your next reply.

    Don't run any other cleaning programs unless I instruct you to. Don't make any Registry changes, and if you have a Registry cleaner please disable it while I'm working with you.

    When the system is clean, I'll advise you on the multiple auto-updates you're running. There are also some unnecessary processes you can take off of Startup.

    One question I have is for a description of this:
    C:\Program Files\Common Files\Common Toolkit Suite\FighterSuiteService.exe
    If this is the CCS Suite from Symantec, that's all I need to know. If it's not, please describe it.
     
  8. bulmanian


    Hi,

    When downloading ComboFix, no option appears where I can save the file or rename it to Combo-Fix(.exe). My computer automatically saves the file to the "download" folder in My Documents with the filename ComboFix.exe.

    Please advise. Thanks.
     
  9. Bobbye


    Your computer will save to the default location. A dialogue box appears for a Save. You can change the location there.

    You are supposed to rename it [before] downloading:
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]

    Now try it again.
     
  10. bulmanian


    Hi,

    Combofix seems like a sensitive application and I just really want to make sure that I do this right.

    I tried downloading Combofix earlier from one of the links you provided. When I clicked to download, the window appeared with only 2 options: Save File or Cancel. You can see it in the attachment. When I clicked "Save File," the file started downloading instantly. The file name that was successfully downloaded is ComboFix.exe. There is no "dash" sign between the letters o and F, nor an open or close bracket on the word "exe."

    I know that you emphasized renaming it before downloading. But I got no option that enabled me to rename the file as suggested: Combo-Fix(.exe). Afraid that I had made a mistake that could cause further implications, I immediately deleted the downloaded file and erased it permanently from the Recycle Bin.

    Based on your suggestion to uninstall ComboFix, I did follow your instructions listed below just to double-check, yet no Combofix files are found on my system.

    * Click START> then RUN
    * Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


    Before I try downloading again, please advise whether having or not having the dash/bracket sign makes any difference in how the file will run.

    Appreciate it much. Thanks!
     

    Attached Files:

  11. Bobbye


    When you click on Save File, you will get this screen:
    [IMG]

    Make sure the Save In dialog box at the top has Desktop
    Type ComboFix.exe in the File Name dialog box on the bottom of the screen.
    Click on Save.
    ========================================
    Helpful information for all downloads:
    The Save In box is usually set to the default location, frequently the Desktop. But it can be changed for any download by clicking on the arrow pointing to the right of the box.

    The File Name is entered at this time. The entry in the box can either be accepted, or it can be changed at this time. Click in the dialog box and type the name and file extension in.

    Once the 'save in' location has been chosen and the file has been named, you are ready to Save.
     
  12. bulmanian


    Hi,

    Okay, I've completed both ComboFix and the Eset Online Scan. Please find the attachment for the logs as requested.

    Awaiting the next instruction. Thank you!
     

    Attached Files:

  13. Bobbye



    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    D:\Games\Sallys Salon\SallysSalon.exe
    c:\program files\Ask.com\GenericAskToolbar.dll
    c:\\Program Files\\uTorrent\\uTorrent.exe
    c:\program files\Ask.com\UpdateTask.exe
    
    Folder::
    c:\program files\uTorrent
    c:\documents and settings\Denis\Local Settings\Application Data\AskToolbar
    
    Registry::
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    
    Firefox::
    Firefox -:Profile - c:\documents and settings\Denis\Application Data\Mozilla\Firefox\Profiles\p5mk4w5i.default\
    FireFox -:prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=NG1V5&o=101791&locale=en_US&q=
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    P2P or 'file sharing' Warning:
    I noticed you installed uTorrent on 3/16/2010. Application data was also collected on that date.
    On the same date, you downloaded a program named GRETECH. While this program is a legitimate program, if you downloaded it from the torrent site, all of the following can have affected the system:

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
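The CFScript above removes a Firefox keyword.URL preference that sends address-bar searches through supertoolbar.ask.com, which is one of the ways the "search redirect" symptom in this thread is produced. The check below, an added example that is not part of the thread or of ComboFix, reads a prefs.js file, extracts the search-related preferences, and reports any whose URL host is not on an allowlist; it also shows the corresponding clean-up, which is simply dropping those user_pref lines so Firefox falls back to its defaults. The keyword.URL value in the sample is the one posted above (kept defanged as "hxxp", as in the script); the other sample lines and the TRUSTED_HOSTS allowlist are constructed for the example.

```python
import re

# Constructed sample prefs.js. keyword.URL is the value from the CFScript in this
# thread (defanged scheme kept as posted); the other lines are made up.
SAMPLE_PREFS = r'''
user_pref("browser.startup.homepage", "http://lite.rogers.yahoo.com/");
user_pref("keyword.enabled", true);
user_pref("keyword.URL", "hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=NG1V5&o=101791&locale=en_US&q=");
user_pref("browser.search.defaultenginename", "Google");
user_pref("network.cookie.cookieBehavior", 0);
'''

# Preferences that decide where typed searches and the home page go; these are
# the ones a search hijacker rewrites.
SEARCH_PREFS = ("keyword.URL", "browser.startup.homepage", "browser.search.defaultenginename")

# Example allowlist (assumption for this example): hosts the profile owner expects.
TRUSTED_HOSTS = {"lite.rogers.yahoo.com", "www.google.com", "search.yahoo.com"}

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/?#]+)', re.IGNORECASE)


def _decode_value(raw):
    """Turn the textual pref value into a Python value (str, bool or int)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Map pref name -> value for every user_pref(...) line in prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = _decode_value(m.group(2))
    return prefs


def hijacked_search_prefs(prefs, trusted_hosts=TRUSTED_HOSTS):
    """(pref, host) for each search-related pref whose URL host is not trusted.
    Non-URL values (an engine name such as "Google") have no host and are skipped."""
    findings = []
    for name in SEARCH_PREFS:
        value = prefs.get(name)
        if not isinstance(value, str):
            continue
        m = HOST_RE.match(value)
        if m and m.group(1).lower() not in trusted_hosts:
            findings.append((name, m.group(1).lower()))
    return findings


def strip_prefs(text, names):
    """Return the prefs text without the named user_pref lines (Firefox then uses defaults)."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in names:
            continue
        kept.append(line)
    return "\n".join(kept)


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for name, host in hijacked_search_prefs(prefs):
        print(f"{name} sends searches to {host}")
```

Edit prefs.js only with Firefox closed, since the browser rewrites the file on exit and would restore the entry; that is the same reason the ComboFix steps above begin with closing all browsers.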
     
  14. bulmanian


    Hi,

    Thanks for the suggestion. I agree with you and will uninstall UTorrent from my computer. Please find another ComboFix log for your review.

    Btw, from my last usage, I noticed that the search engine works wonderfully now. It doesn't redirect me to another page anymore, which is great.

    However, if you feel it necessary, please continue the process to eliminate the possibility of this malware problem occurring in the near future.

    Appreciate it much. Thanks!
     

    Attached Files:

  15. Bobbye


    Okay, you're almost there! It's not uncommon for a malware related problem to resolve after running some of the programs. We can't assume though that all the bad files are gone. Remove a few entries as below:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\Denis\Application Data\uTorrent
    
    Folder::
    c:\program files\Ask.com
    
    Firefox::
    Firefox-: Profile- c:\documents and settings\Denis\Application Data\Mozilla\Firefox\Profiles\mkmk4w5i.default\
    Firefox -:prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=NG1V5&o=101791&locale=en_US&q=
    
    Registry::
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at ComboFix.txt . Please attach to your next reply.
    ====================
    Then run an online AV scan to make sure we haven't missed anything:

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Give me the ComboFix log that is generated after the code is put in, and the Eset log. If it's clean, I'll have you remove the cleaning tools and old restore points.
     
  16. bulmanian


    Hi,

    Okay. Here are the 2 logs from ComboFix and the Eset Online Scan as requested.

    Glad to know we are near the end! Thanks.
     

    Attached Files:

  17. Bobbye


    Okay, it's been a long day and I have a case of the 'sillies'. If I asked you what Fugazo is, would you tell me it was a bunch of MumboJumbo!? Couldn't resist when I saw them in Combofix! No reply needed- just a bit of light 'stuff'! :haha:

    I'm not going to try and remove this again- you've been warned:
    2010-04-06 20:11> c:\documents and settings\Denis\Application Data\uTorrent.

    Your computer is clean! Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      • Click START> then RUN
      • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
        [IMG]
      ========================
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    ======================
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if I can be of more help.
     
  18. bulmanian


    Hooray, we did it! My computer is malware free. :D

    Thanks so much, Bobbye! I couldn't have done it without your great assistance. I wish you the best of luck with the other "sillies" cases. Fugazo is a bunch of MumboJumbo! There, I said it.

    Have a great day!
     
  19. Bobbye


    You're welcome. Glad to help, and I appreciate your sharing my strange sense of humor! Here are some tips to help you stay clean!

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
    5. Use an AntiVirus Software (only one).
    See Virus, Spyware, and Malware Protection and Removal Resources.

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security:
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.
    I am closing the thread as Solved- sigh!
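The MVPS hosts file tip above works by mapping unwanted names to 127.0.0.1, so the hosts file becomes a place where two very different things can live side by side: blocklist entries that point at a sinkhole address, and entries that send a name somewhere else, which is the pattern a hosts-file hijack uses to redirect search or update traffic. The audit below, an added example that is not from the thread or from MVPS, parses a hosts file (on Windows XP it lives at C:\WINDOWS\system32\drivers\etc\hosts), counts the sinkholed names, and lists every name that resolves to a non-sinkhole address so the owner can confirm each one is intended. The sample file content is constructed for the example.

```python
import ipaddress

# Constructed sample hosts file: blocklist-style sinkhole entries of the kind a
# hosts-file blocklist adds, plus one made-up line that redirects a search domain
# to a LAN address instead of blocking it.
SAMPLE_HOSTS = """
# comment line (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net  banners.example.net   # blocked
0.0.0.0         tracker.example.org
10.0.0.5        www.google.com   # redirect, not a block
"""

# Addresses a blocklist maps names to: traffic to them never leaves the machine.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to the loopback address and are not "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(address, [names...])] for each address line, ignoring comments and junk."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first field is not an address
        entries.append((parts[0], [name.lower() for name in parts[1:]]))
    return entries


def audit_hosts(entries):
    """Split names into sinkholed (blocked) and redirected (pointed at a real address)."""
    blocked, redirects = [], []
    for address, names in entries:
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if address in SINKHOLES:
                blocked.append(name)
            else:
                redirects.append((name, address))
    return {"blocked": blocked, "redirects": redirects}


if __name__ == "__main__":
    report = audit_hosts(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(report['blocked'])} names sinkholed")
    for name, address in report["redirects"]:
        print(f"REVIEW: {name} -> {address}")
```

A long "blocked" list is what a hosts-file blocklist looks like and is harmless; anything in "redirects" for a domain you do not administer is worth explaining before you trust the machine, and an antivirus that flags a hosts file with thousands of sinkhole lines as "HOSTS modified" is reacting to the blocklist itself.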
     