Google Pop Up Virus

December 25, 2009 at 21:43:37
Specs: Windows XP
Whenever I click on a search on Google I get these annoying pop ups.
I have done my research on this and have logs from both hijack and Malwarebytes if you need them.

Any help would be appreciated.

For malware bytes...I cleared out the infections




#1
December 26, 2009 at 13:08:06
Please post the Malwarebytes log and the following scan results.

Download RootRepeal from one of the links on the rootrepeal download page. It can be downloaded as a .rar or .zip file, whichever you like. If you get a bandwidth problem notice just try another link.


RootRepeal

Extract the RootRepeal.exe file from the RAR or ZIP and save the EXE file to your Desktop.
Disable your antivirus, antispyware, and firewalls before continuing or they may block RootRepeal from running properly.
Now run the RootRepeal.exe program by double clicking on it.
On the bottom click the Files tab and then click the Scan button.
A Select Drives form will open. Select all of your drives by checking the boxes and then click ok.
It will start scanning. It may take a while to finish depending on how many drives, files and folders you have so be patient and wait on it.
When it finishes click “save report” and save at an easy place to locate such as your desktop. Save it as Rrlog.txt.
Please post the log that was produced to the forum.


#2
December 27, 2009 at 18:48:18
Malwarebytes' Anti-Malware 1.42

Database version: 3431
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/26/2009 12:09:54 AM
mbam-log-2009-12-26 (00-09-51).txt

Scan type: Quick Scan
Objects scanned: 111822
Time elapsed: 10 minute(s), 41 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> No action taken.
C:\uwlwfa.exe (Trojan.Dropper) -> No action taken.
C:\wxis.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\system32\mshlps.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\ndisdrv.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\vmti.tmp\svchost.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Setup.tmp (Adware.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\scownmxare.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\armxeoswcn.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\emnswaocxr.tmp (Trojan.Inject) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\ncsmeworax.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\oaxncswmre.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\ocwxmnreas.tmp (Trojan.Inject) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\osrnemaxcw.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\wonscraexm.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\xoemnwarcs.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\sornxcewam.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\activator\xpTCPIP.exe (Malware.Tool) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0PQOMKCJ\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\N3M4S80J\Setup[1].exe (Adware.Agent) -> No action taken.
C:\nbhfy.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> No action taken.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> No action taken.
________________________________________________
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/27 21:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Owner\Application Data\Apple Computer\Safari\Cookies\Cookies.plist
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer\Safari\History\Cookies.plist
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer\Safari\History\segments
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer\Safari\History\_1fc.cfs
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer\Safari\History\_1fg.cfs
Status: Visible to the Windows API, but not on disk.

Thanks mate!



#3
December 27, 2009 at 19:06:23
Please download Combofix with Internet Explorer instead of Firefox or another browser.

Remember: your antivirus and any anti-spyware programs with real-time protection (not Malwarebytes) must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box > click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#4
December 27, 2009 at 20:27:20
ComboFix 09-12-26.05 - Owner 12/27/2009 23:19:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.261 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\Install.txt
c:\windows\system32\Install.txt

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-26 05:08 . 2009-12-26 05:08 -------- d-----w- c:\program files\Trend Micro
2009-12-26 04:52 . 2009-12-26 04:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-26 04:52 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 04:52 . 2009-12-26 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-26 04:52 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 04:52 . 2009-12-26 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 01:54 . 2009-12-26 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-26 01:54 . 2009-12-26 01:54 -------- d-----w- c:\program files\Lavasoft
2009-12-25 04:26 . 2009-12-25 04:26 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-25 03:45 . 2009-12-25 03:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-25 01:45 . 2009-12-25 01:45 -------- d-----w- c:\documents and settings\Owner\Application Data\VitySoft
2009-12-25 01:23 . 2009-12-28 02:35 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-12-10 22:17 . 2009-12-10 22:17 33558 ----a-w- c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 02:42 . 2009-03-27 03:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-26 05:15 . 2009-03-27 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-26 01:49 . 2004-08-04 10:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-25 21:56 . 2009-03-27 03:25 -------- d-----w- c:\program files\Spyware Doctor
2009-12-25 03:59 . 2009-03-27 01:58 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-12-24 22:44 . 2009-03-24 09:28 68456 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-02 01:46 . 2009-03-27 04:00 -------- d-----w- c:\program files\Microsoft Works
2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 10:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 10:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 10:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 10:00 112128 ----a-w- c:\windows\system32\rastls.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-03 858624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\mshlps.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/20/2009 5:36 PM 130936]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/21/2007 11:21 AM 468224]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/26/2009 11:49 PM 348752]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 212.159.65.126:1080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\682r8z2u.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 23:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-1060284298-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0BA748D7-5AF9-11E0-A497-A1E03FD623E6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2808)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-27 23:29:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 04:29

Pre-Run: 50,750,988,288 bytes free
Post-Run: 50,678,390,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 1BEFCE1131D795589603380821B1F206



#5
December 27, 2009 at 20:40:02
I tested my computer with a random search on Google and no pop ups seem to come up. I don't know if this means I am clean. So far thanks for all your help. :)


#6
December 28, 2009 at 03:42:50
A little clean-up to do.

Delete RootRepeal from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#7
December 28, 2009 at 11:08:01
Wow. Thank you so much for your help, mate. Is there
anywhere I can rate you for your help? except in voting the
answers?


#8
December 28, 2009 at 18:49:06
There is no way to rate or donate on the forum that I am aware of. Thanks for the kind offer.
