
iLivid / Bandoo / Searchqu problem?


Re: iLivid / Bandoo / Searchqu problem?

Post by mambass » March 6th, 2012, 10:22 am

Hi NH. :)

If you cannot find Weather Bug Gadget in your list of installed programs then please do not perform the steps obtained from EHow.com but rather continue on with Steps III – VI (OTL fix through end) of my instructions.

Thanks. :)

mambass

Re: iLivid / Bandoo / Searchqu problem?

Post by nefarioushoyden » March 7th, 2012, 1:48 am

Hello Mambass,

The only issue that comes up is the occasional pop up "AVG has detected high memory usage by Firefox." Do you think this is normal and that the memory sizes I mentioned in my last post are normal? Nothing else has shown up. Again, it looks like we will be finishing up soon, so I have 2 questions:

1. Let me know when I can download the latest AVG virus updates and Windows Updates? I have not downloaded anything and I am waiting until we are done.

2. I am ready to make a monetary donation to this Malware Removal site because of how happy I am with your help, so can I do that?

Log below. Cheerio, NH

All processes killed
========== PROCESSES ==========
========== OTL ==========
Prefs.js: "Search Results" removed from browser.search.defaultenginename
Prefs.js: "Search Results" removed from browser.search.order.1
Prefs.js: "http://dts.search-results.com/sr?src=ffb&appid=113&systemid=406&sr=0&q=" removed from keyword.URL
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3721252062-802896268-3220788300-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http not found.
Registry value HKEY_USERS\S-1-5-21-3721252062-802896268-3220788300-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\"DisableMonitoring" | 0 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\"DisableMonitoring" | 0 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\"DisableMonitoring" | 0 /E : value set successfully!
========== FILES ==========
C:\Users\David2\AppData\Roaming\Mozilla\Firefox\Profiles\g2tki269.default\searchplugins\Search_Results.xml moved successfully.
C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml moved successfully.
C:\Program Files\WI371A~1 folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David2
->Temp folder emptied: 536560 bytes
->Temporary Internet Files folder emptied: 35495650 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 1111843417 bytes
->Flash cache emptied: 8675 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7063222 bytes
RecycleBin emptied: 583680 bytes

Total Files Cleaned = 1,102.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 03062012_202921

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
nefarioushoyden
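
A fix log like the one posted above is easier to review when its outcomes are tallied. The following is an added example, not part of the original post and not OTL's own code: it parses the line shapes visible in that log and reports which removed registry items sat in autostart or browser-extension locations. The location labels and the "removed"/"absent" outcome names are this example's own choices.

```python
import re
from collections import Counter

# Lines copied from the OTL fix log in the post above.
SAMPLE_LOG = r"""
Prefs.js: "Search Results" removed from browser.search.defaultenginename
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http not found.
C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml moved successfully.
C:\Program Files\WI371A~1 folder moved successfully.
"""

REG = re.compile(r"^Registry (key|value) (.+?) (deleted successfully|not found)\.$")
PREF = re.compile(r'^Prefs\.js: ".*" removed from (\S+)$')
MOVED = re.compile(r"^(.+?)(?: folder)? moved successfully\.$")

# Registry locations that load code or change browser behaviour (labels are assumptions).
LOCATIONS = [
    (r"\currentversion\run", "autostart (Run key)"),
    (r"\browser helper objects", "IE Browser Helper Object"),
    (r"\internet explorer\toolbar", "IE toolbar"),
    (r"\zonemap", "IE security zone mapping"),
]

def summarize_fix_log(text):
    """Return (Counter of (item type, outcome), list of (label, path) actually removed)."""
    outcomes, removed = Counter(), []
    for line in map(str.strip, text.splitlines()):
        m = REG.match(line)
        if m:
            kind, path, result = m.groups()
            status = "removed" if result == "deleted successfully" else "absent"
            outcomes[("registry " + kind, status)] += 1
            label = next((lbl for needle, lbl in LOCATIONS if needle in path.lower()), None)
            if status == "removed" and label:
                removed.append((label, path))
        elif PREF.match(line):
            outcomes[("prefs.js entry", "removed")] += 1
        elif MOVED.match(line):
            outcomes[("file or folder", "moved")] += 1
    return outcomes, removed

if __name__ == "__main__":
    counts, removed = summarize_fix_log(SAMPLE_LOG)
    for label, path in removed:
        print(label, "->", path)
```

Lines reported as "not found" mean the item was already absent when the fix ran, so only the "removed" entries show what was actually present on the machine.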

Re: iLivid / Bandoo / Searchqu problem?

Post by mambass » March 7th, 2012, 3:18 pm

Hi NH, :)

NH wrote: The only issue that comes up is the occasional pop up "AVG has detected high memory usage by Firefox." Do you think this is normal and that the memory sizes I mentioned in my last post are normal?
I use Firefox as my primary browser. The memory usage that you reported seems normal for Firefox.


NH wrote: Let me know when I can download the latest AVG virus updates and Windows Updates? I have not downloaded anything and I am waiting until we are done.
You can go ahead and perform those updates after executing the steps below.
While you're doing that, please also bring both Internet Explorer and Firefox up to date as well.


NH wrote: I am ready to make a monetary donation to this Malware Removal site because of how happy I am with your help, so can I do that?
Yes you can and thank you for the kind words. :)

------------------------------

Your computer appears to be clear of malware. Good job. :thumbup:

Please stay with me a bit longer because there are a few important things that we still need to do to clean up and make sure that you don't get infected again.

Please print these instructions because you will need to close this browser window in a step below.

  1. Create a System Restore Point
    1. Go to Start, right-click on Computer and select Properties.
    2. In the left pane under Tasks, click System protection.
    3. If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
    4. Select System Protection ...then choose Create.
    5. In the System Restore dialog box, type a description for the restore point (e.g., All Clean) and click Create again.
    6. A window should pop up with "The Restore Point was created successfully" message.
    7. Click OK and close the System Restore dialog.

      Note: If the message window was not displayed stating that the system restore point was created successfully then STOP - Do not continue with the steps below but rather reply to let me know what happened.

  2. Delete old System Restore Points
    We can now remove any old System Restore Points that may be infected.
    Note: This step should not be done regularly but rather only as a Special Case after the removal of malware or changes in the Restore settings.

    1. Click Start > All Programs > Accessories > System Tools > Disk Cleanup.
    2. If provided with the option, select the appropriate drive letter (usually C:).
    3. A progress window will be displayed while the program scans files. Please be patient because this can take a few minutes.
    4. Click the Clean up system files button. Another progress window will be displayed while the program scans files.
    5. If provided with the option, again select the appropriate drive letter (usually C:).
    6. Click the More Options tab.
    7. In the System Restore and Shadow Copies section click the Clean up button.
    8. Click Delete when asked Are you sure you want to delete all but the most recent restore point?
    9. Click the OK button in the Disk Cleanup window and then click the Delete Files button in the confirmation window.
    10. Reboot your computer after the files have been deleted.

  3. Cleanup with OTL
    1. Close all windows/applications.
    2. Right-click the OTL icon on your Desktop and select Run As Administrator.
    3. Click the CleanUp button in the OTL window. The cleanup will begin after which a dialog will be displayed indicating that a reboot is required.
    4. Click the OK button in the message window. The system will reboot.


  4. Stay clean
    The important thing now is to actively do things that will help keep you from getting infected in the future.

    1. Keep Antivirus and applications updated
      This is the MOST IMPORTANT thing that you can do to keep from becoming infected.
      • Keep Microsoft products up-to-date with the latest security patches. Either
        • Enable some level of Automatic Updates
          • Click Start > Control Panel. The Control Panel window will be displayed.
          • Click the Windows Update entry. The Windows Update frame will be displayed.
          • Click the Change settings link in the left column of the window. The Choose how Windows can install updates frame will be displayed.
          • Select the option which best fits your needs.
        • Or click Start > All Programs > Windows Update on a regular basis and follow the instructions to install all important updates.

      • I personally use and recommend the free Secunia Personal Software Inspector (PSI). This program will keep you aware of software that is installed on your computer that contains security vulnerabilities for which security patches exist. I have mine set to automatically scan my computer weekly.

      • All updates are important but pay particular attention to updates for all browsers as well as Microsoft, Java and Adobe products. These are widely-used products that Malware writers frequently target.

    2. There are a number of free programs that you can install to improve your computer's security. Many people feel that having a "layered" protection scheme is beneficial. You will have to decide what works best for your situation. Here are a few you may want to look into.

      Malwarebytes Anti-malware
      Malwarebytes is free for non-business use and can be downloaded from Malwarebytes (© Malwarebytes Corporation). Malwarebytes can thoroughly remove even advanced malware. Run scans at least weekly and always allow the databases to be updated if asked. It's powerful, easy to use and free. For real-time protection you will have to purchase the product. Tutorials are available for installing and running Malwarebytes' Anti-Malware.


      SiteAdvisor
      SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
      You can find more information and download it from here


      WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
      For more information, please visit here


      MVPS Hosts
      You can learn about and download the MVPS Hosts File here
      The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      You can find the tutorial here

    3. Read and stay informed!

      To help minimize the chances of becoming re-infected, please read.
      Computer Security - a short guide to staying safer online

      If your computer is running slowly after your clean up, please read.
      What to do if your Computer is running slowly


I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing! :)


mambass
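
The HOSTS-file redirection described in the post above can be checked after installing such a file. The following is an added example, not part of the original post: it goes one step beyond the post by also listing entries that point at a non-local address, which a blocklist never needs and which deserve a manual look. The sample file is constructed, and its hostnames and the documentation-range IP address are placeholders.

```python
import ipaddress

# Constructed sample in HOSTS-file syntax; hostnames use the reserved .example TLD.
SAMPLE_HOSTS = """\
# blocklist-style entries
127.0.0.1  localhost
::1        localhost
127.0.0.1  ads.tracker.example   # inline comment
0.0.0.0    banners.example cdn.banners.example
203.0.113.7  update.vendor.example
not-an-ip  broken.example
"""

def audit_hosts(text):
    """Split HOSTS entries into blocked names, redirects to review, and malformed line numbers."""
    blocked, redirected, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            malformed.append(lineno)
            continue
        # Loopback (127.0.0.1, ::1) or 0.0.0.0 means the name resolves to nowhere useful.
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if sinkhole and name != "localhost":
                blocked.append(name)
            elif not sinkhole:
                redirected.append((name, str(addr)))
    return blocked, redirected, malformed

if __name__ == "__main__":
    blocked, redirected, malformed = audit_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked)
    print("review:", redirected)
    print("malformed lines:", malformed)
```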

Re: iLivid / Bandoo / Searchqu problem?

Post by nefarioushoyden » March 9th, 2012, 9:58 pm

Hello Mambass,

Yes, I did receive and read this email. I hope to follow your steps in the next couple of days. Again, many many thanks for fixing my computer! I will make a donation to this site because I am so happy for your help which was really a Yeoman's job!

Best Regards,
NefariousHoyden

Re: iLivid / Bandoo / Searchqu problem?

Post by askey127 » March 11th, 2012, 7:58 am

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
askey127