
Trojan.W32.Looksky....HELP......has it totally gone? [RESOLVED]


  • This topic is locked

#16
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Make sure this folder does not exist on your computer.
C:\Program Files\FunWebProducts

1.
Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the code box:
REGEDIT4

[-hkey_local_machine\software\microsoft\office\word\addins\MyWebSearch.OutlookAddin]

[-HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts\]

[-HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start\]

[-HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1\]

[-HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]

[-HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}]

[-HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}]

[-HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}]

Save this as fix.reg. Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)


2.
Please open ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3.
Download this file and save it to your desktop.
http://securityrespo...er/FxIstbar.exe
Close all open Windows and run the file.


4.
One more scan with Panda Active Scan should make sure everything is gone.
  • 0



#17
gurulegend

    Member

  • Topic Starter
  • Member
  • 39 posts
Hiya:

here is the report:

active scan:



Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_current_user\software\MyWebSearch
Potentially unwanted tool:application/funweb Not disinfected hkey_local_machine\software\Fun Web Products
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adrevolver[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tradedoubler[1].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Hijackthis\backups\backup-20070816-192928-246.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\Hijackthis\backups\backup-20070816-192928-380.inf
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Hijackthis\backups\backup-20070816-192928-557.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\_OTMoveIt\MovedFiles\Program Files\MSN Messenger\riched20.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\_OTMoveIt\MovedFiles\windows\system32\f3PSSavr.scr


Thanks

  • 0
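
Added example, not part of either post: a short Python check that parses the deletion entries of the fix.reg from post #16 and lists which registry locations from the scan report in post #17 those entries do not name. The function names are illustrative, and the file text is copied from the post with the blank lines between entries dropped.

```python
import re

# Text of fix.reg as posted in #16 (blank lines between entries dropped).
FIX_REG = r"""REGEDIT4
[-hkey_local_machine\software\microsoft\office\word\addins\MyWebSearch.OutlookAddin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts\]
[-HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start\]
[-HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1\]
[-HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
[-HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}]
[-HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}]
[-HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}]
"""

# Registry locations named in the scan report in #17.
SCAN_REGISTRY_FINDINGS = [
    r"hkey_current_user\software\MyWebSearch",
    r"hkey_local_machine\software\Fun Web Products",
]

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
DELETE_KEY = re.compile(r"^\[-(.+)\]$")  # "[-KEY]" deletes KEY and its subkeys

def normalize(key):
    """Registry key names are case-insensitive; drop any trailing backslash."""
    return key.strip().rstrip("\\").lower()

def deleted_keys(reg_text):
    """Return the normalized keys that a .reg file asks regedit to delete."""
    lines = [ln.strip() for ln in reg_text.splitlines() if ln.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: missing header line")
    return [normalize(m.group(1)) for ln in lines[1:]
            if (m := DELETE_KEY.match(ln))]

def is_covered(location, deletions):
    """True if location is one of the deleted keys or lies beneath one."""
    loc = normalize(location)
    return any(loc == d or loc.startswith(d + "\\") for d in deletions)

def uncovered(findings, deletions):
    """Scanner findings that no deletion entry in the file would remove."""
    return [f for f in findings if not is_covered(f, deletions)]

if __name__ == "__main__":
    keys = deleted_keys(FIX_REG)
    print(len(keys), "keys marked for deletion")
    for finding in uncovered(SCAN_REGISTRY_FINDINGS, keys):
        print("not named in fix.reg:", finding)
```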

#18
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Open OTMoveIt
Press the cleanup button. Then click ok.

Congratulations, your log is now clean. :whistling:
Here is a list of tools that I like to recommend to people to help ensure safe surfing on the internet, and to help keep you from getting infected again.
  • Spybot Search & Destroy and AdAware
    These are very powerful tools which can search and remove a large number of infections from your computer. AdAware and Spybot Search & Destroy complement each other very well. Run one after the other.
  • Grisoft AVG Anti Virus
    This is a great tool for people wanting free antivirus software. It includes real-time protection, scheduled scans, automatic definition updates, and email scanning. DO NOT install more than one antivirus program. They will conflict, and provide less protection, not more. Uninstall any existing antivirus programs if you're going to install AVG.
  • AVG Anti-Spyware
    This is a great tool that is very effective at helping remove some of the more difficult infections. It has resident memory protection. It is free for 30 days. Works well when used with ATF cleaner first.
  • ATF Cleaner
    This program is for XP and Windows 2000 only. Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • SpywareGuard
    Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd
    This tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Windows Updates
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
If you have any questions be sure to ask.

:blink:
  • 0

#19
gurulegend

    Member

  • Topic Starter
  • Member
  • 39 posts
Hi there,

Thank you so much. You are a legend!!!
I did not realise how infected my PC became.

Is there anything I need to do in terms of settings to get my PC back to how it was before like hidden files etc??

Thanks
  • 0

#20
sarahw

    Malware Staff

  • Member
  • 2,781 posts
The instructions in the Malware Forum have asked you to turn off system restore. I have added some instructions for you.

Rehide System Files
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do Not Show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Enabling System Restore

To enable system restore you should follow these steps.

You should first go into the Control Panel and then double click on the System icon. If you are in the control panel and do not see the System icon, then click on the link that says "Switch to classic view" in the upper left hand side of the window. Now you should be able to see the System icon. After you double click on it you should then click on the System Restore tab. If system restore is turned off you will see an image like the one below:
Posted Image
If you see in the Status section, designated by the green box, that it is Monitoring a partition, then system restore is already enabled and you do not have to do anything further. If it is showing that it is turned off as seen in Figure 2 above, then you should uncheck the checkbox labeled "Turn off System Restore", designated by the red box, and then adjust how much disk space you want to allow system restore to use, which is by default 12 percent of your entire disk space.

When you are done making your settings, you should click on the Apply button. Since you are turning system restore back on, a new restore point will automatically be made. After the new restore point is made, you should see in the status section that system restore is monitoring the partition, which means it is enabled.

:whistling:

Edited by sarahw, 20 August 2007 - 12:39 PM.

  • 0

#21
gurulegend

    Member

  • Topic Starter
  • Member
  • 39 posts
Hiya,

I have done the above.

Is everything ok now and safe?

Thank you for all your help.
  • 0

#22
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Hi gurulegend,
Your logs look clean. If you have any problems, come back to this thread.
  • 0

#23
gurulegend

    Member

  • Topic Starter
  • Member
  • 39 posts
That's great news.

Thank you so much for all your help.

Gurulegend
  • 0

#24
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





