A friends machine: He said it had a redirect problem but..

Status
Not open for further replies.

Astronerd

This machine belongs to a friend. I told him that I would try to run the issues on it for him.
He said that it was redirecting on Google searches but it hasn't done it for me. I have cleaned up the Java, installed the latest Java, run the 8 step process and included the logs. It had a mess of stuff that Malware and SUPER-Antispy detected and deleted. By the way, I did this work on 01-28-2010 and the machine has not been connected to the internet since.

I had to do a recovery reload of the operating system to even get the machine to boot. IE doesn't work. I downloaded Firefox.

What next?
 

Attachments

  • hijackthis.log (10.1 KB)
  • mbam-log-2010-01-28 (21-30-06).txt (22.4 KB)
  • SUPERAntiSpyware Scan Log - 01-28-2010 - 22-12-50.log (1.3 KB)
You may have to end up doing a reformat and reinstall for your friend- that's a lot of infection! But most of it is the 'junk' kind of malware- mostly adware searches on alot.com:

The main source of redirection is the following Toolbar:
O3 - Toolbar: EFOToolbar - {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - C:\Program Files\EarthFromOrbit\EFOToolbar.dll
O8 - Extra context menu item: S&earchSave Web Search - res://C:\Program Files\EarthFromOrbit\EFOToolbar.dll/GoWebSearch.dll.htm

(This is bundled with Earth From Orbit - a browser hijacker redirecting to searchsave.com)

Additionally, many/most of the malware found was adware from searches with alot.com. This may be where the redirect takes him:

alot.com's principal revenue is earned through the ALToolbar's advertising functions. Generally, sites pay to get certain placement within keyword search results. If a user clicks an ad, the advertiser pays our search partner for the click and we share in that revenue.

alot.com's web and toolbar web search are powered by our search partner.
The Privacy Policy for alot.com should turn everyone off!
http://www.alot.com/privacy-policy


This may be incorporated in the AOL Toolbar, which would also be a source of adware:
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll


It appears he is using AOL 9. I don't know how this relates to the AOL 5 Toolbar.

I also recommend checking the 2 following entries for removal:
c:\program files\common files\aol\1204589197\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe>> AOL's spyware protection program
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S


It would be best if you reopen HijackThis to 'do system scan only' and check ALL of the HijackThis entries above in BOLD Black type. I've grouped them for you instead of listing in order to give the descriptions and because you need to see the groupings.

When you have finished checking all, close all Windows except HJT and click on "Fix Checked."
I'll have you uninstall and remove the program folders for all he removes.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query - Recovery Console image
      (image: RcAuto1.gif)

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      (image: whatnext.png)

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with Eset NOD32 Online AntiVirus Scanner

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Then rescan with HJT. Attach the Combofix report, the Eset scan log and the new HJT log.

    NOTE: something on the board is corrupting some of the entries. This has happened before. I think I caught them all but if you're unsure of any entry, please ask me.
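An added example, not code from the thread: a small Python parser that reads HijackThis entries like the ones quoted in the reply above and groups them by the vendor folder under Program Files. That is the grouping the reply built by hand, and it shows which entries belong to one bundled program whose folder is removed together. The sample log text is constructed from the entries quoted above; the entry types, regexes and folder rule are assumptions about the HJT log format, not taken from the tool itself.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
# Constructed sample input: the HijackThis entries quoted in the reply above.
HJT_LINES = r"""
O3 - Toolbar: EFOToolbar - {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - C:\Program Files\EarthFromOrbit\EFOToolbar.dll
O8 - Extra context menu item: S&earchSave Web Search - res://C:\Program Files\EarthFromOrbit\EFOToolbar.dll/GoWebSearch.dll.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
"""

# "O3 - Toolbar: ..." -> entry type "O3"; the rest is searched for a CLSID and a file path.
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Shortest drive-rooted path ending in dll/exe/htm(l): spaces are allowed ("Program Files"), and the
# non-greedy match stops at the first extension, so "x.dll/GoWebSearch.dll.htm" yields x.dll and "y.exe /S" drops the switch.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"?*|<>\r\n]+?\.(?:dll|exe|html?)", re.I)

def parse_entry(line):
    """Return {'type','clsid','path','raw'} for one HJT line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    clsid = CLSID_RE.search(rest)
    path = PATH_RE.search(rest)
    return {"type": m.group("type"), "raw": line.strip(),
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": path.group(0) if path else None}

def vendor_folder(path):
    """Lower-cased vendor directory under Program Files (or Program Files\\Common Files), else None."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) < 4 or parts[1] != "program files":
        return None
    idx = 3 if parts[2] == "common files" else 2
    return parts[idx] if idx < len(parts) - 1 else None   # must be a folder, not the file itself

def group_by_program(log_text):
    """Map vendor folder -> parsed entries, so all hooks of one bundled program are seen together."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry["path"]:
            groups[vendor_folder(entry["path"]) or "(other)"].append(entry)
    return dict(groups)
```

Running `group_by_program(HJT_LINES)` yields three groups (earthfromorbit, aol, uniblue); the same pass over a full log surfaces every O2/O3/O8/O9/R3 entry that points into one folder, which is the list to hand to "Fix Checked" before uninstalling that program.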