[Resolved] hoowaa.com popups

 
 
Reply Wed 3 Aug, 2005 10:20 pm
I followed the steps of the updated yuckware removal guide by timberlandko and I'm still getting popups from hoowaa.com. I also had some errors while using some of the programs listed there.

AboutBuster 5.0:
Run-time error 339
Component comctl32.ocx or one of its dependencies not correctly registered: a file is missing or invalid.
This error message came up after the scan had already finished.

Stinger:
I did not find a fix button anywhere. Instead I checked "repair" in the preference section. I hope these two mean the same thing...

Microsoft AntiSpyware:
It found adware from windows update. What does that mean??


Here are my two EWIDO logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:56:51 PM, 8/3/2005
+ Report-Checksum: CFFA66C7

+ Scan result:

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{07E9CDF4-20D2-46B1-B681-663968F527CE} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{54F8C0E2-34F9-474F-B47F-2CFCFE2300A2} -> Spyware.Imucomcn : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9B4AA442-9EBF-11D5-8C11-0050DA4957F5} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C} -> Spyware.BDplugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsj30.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsq36.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\SYSTEM32\rk.bin -> Spyware.MarketScore : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsx3C.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsv42.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsa48.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsg4E.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\cathy@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\[email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\cathy@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\cathy@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup


::Report End


And I also have a question, exactly how did I get that stupid porn thing from popcap, which is a games site?


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:14:42 PM, 8/3/2005
+ Report-Checksum: A3DB27BA

+ Scan result:

No infected objects found.


::Report End



And the HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 8:40:05 PM, on 8/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\aamrgpps.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KazaaBooster] aaDisabled
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122924237437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848.com/mysearch/MySearch.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

And one last thing, this is not really a problem, but my computer boots up extremely slowly in safe mode, and also shuts down slower than normal mode. Is this something due to the adware or is it supposed to be slower?

Thanks in advance.

lil cat luver
Reply Thu 4 Aug, 2005 03:39 pm
Oh, I forgot to post the results of my online scans.

Here's the result from Symantec:
C:\WINDOWS\SYSTEM32\nsj30.dll is infected with Adware.Begin2search
C:\WINDOWS\SYSTEM32\nsq36.dll is infected with Adware.Begin2search
C:\WINDOWS\SYSTEM32\nsx3C.dll is infected with Adware.Begin2search
C:\WINDOWS\SYSTEM32\nsv42.dll is infected with Adware.Begin2search
C:\WINDOWS\SYSTEM32\nsa48.dll is infected with Adware.Begin2search
C:\WINDOWS\SYSTEM32\nsg4E.dll is infected with Adware.Begin2search
C:\WINDOWS\SYSTEM32\wirelanb.dll is infected with Spyware.SafeSurfing
C:\WINDOWS\SYSTEM32\aamrgpps.dll is infected with Spyware.SafeSurfing
C:\WINDOWS\SYSTEM32\lanbrup.exe is infected with Spyware.SafeSurfing

The other scan, McAfee, didn't find anything. Should I just delete these files? I don't think all of them were removed by the other scans.

timberlandko
Reply Fri 5 Aug, 2005 10:25 am
Hang in there and be patient, if you would, please - I don't have time right now to tackle this, but I'll try to get to your specific ongoing problems within the next 24 hours. I'm pretty sure we can sort this out.

My bad about the button confusion re Stinger; yeah, they're the same thing.

We can prolly speed up your boot and shutdown too - but, again - please be patient; I'll get back to you as soon as I can. In the meanwhile, you can go ahead and try to delete those files you asked about - try it in safe mode for the best chance.

lil cat luver
Reply Fri 5 Aug, 2005 02:09 pm
Whenever you have time is fine. I think now I have the Begin2Search adware, not Aurora anymore. Anyways, I'll start deleting those files now, thanks so much for your help.

lil cat luver
Reply Fri 5 Aug, 2005 02:34 pm
I tried to delete those files, and could only delete two of them: wirelanb.dll and aamrgpps.dll. The rest of the files couldn't be found with the search tool, which is really weird since I don't remember any of the programs deleting anything affected with Begin2Search.

timberlandko
Reply Tue 9 Aug, 2005 03:34 pm
Sorry it took so long to get back to you - no excuse, I thought I had replied already, but I guess I just spaced this one. Oh, and if you have not done so today, visit Windows Update and get the necessary updates - a bunch came out today. Included is the latest version of Microsoft's Malicious Software Removal tool; run it as soon as you have downloaded and installed all the updates.


Anyhow, here's what I suggest you do now:

(Print out these instructions, as you will be carrying out most of these steps while in safe mode)


First, update Microsoft Antispyware, Ad-Aware SE, and Ewido. Download-save CWSSmartKiller. When it has downloaded, right-click on the .zip folder, select "Extract all", and follow the prompts. Just extract it right now, don't run it. Launch CWShredder, which you should already have downloaded and used at least once, and click "Search for update". When that has completed, don't run it, just close and exit back to your desktop. Download Silent Runners. Just download it right now, we'll use it a bit later. See This Tutorial.

Go to Start>Control Panel>Add/Remove Programs, look for "MySearch" or anything very similar, and remove it if found.

Boot into safe mode, locate and run CWSSmartKiller, then locate and launch CWShredder, select "Fix", and let it run to completion. Do not reboot.

Locate and run the Ad-Aware SE "VX2" plugin, which you should already have downloaded and used once already. Follow that with a full Ad-Aware SE system scan, fixing all issues found. Do not reboot unless Ad-Aware SE prompts you to let it run again on next boot. If it does, reboot normally, let Ad-Aware SE run its scan, fix any issues found, then reboot back into safe mode and carry on with the remaining steps.

Run HJT, and place a checkmark next to each of the following entries, if they appear:

O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\aamrgpps.dll
O4 - HKLM\..\Run: [KazaaBooster] aaDisabled
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe - Unknown
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848.com/mysearch/MySearch.CAB


Click "Fix Checked", do not reboot.

While still in safe mode, launch Microsoft Antispyware, select "Advanced Tools", select "Browser Restore", select "Check all", click "Restore", confirm, then run a full system scan with Microsoft Antispyware. "Fix" any issues found. Do not reboot.

While still in safe mode, launch Ewido, perform a full system scan, fix all found, and save the log. Do not reboot.

Using Windows Explorer, navigate to C:\WINDOWS\SYSTEM32, look for and delete, if found, ONLY the following exact files:

nsj30.dll
nsq36.dll
nsx3C.dll
nsv42.dll
nsa48.dll


Again using Windows Explorer, navigate to C:\Program Files, look for and delete if found any folder named or closely resembling "MySearch".

Launch CCleaner, select "Issues", click to remove the checkmark from the "Unused File Extensions", "Help Files", and "Start Menu Ordering" boxes over in the left panel, select "Scan for issues", and when the scan has completed, select "Fix selected issues", confirm the registry backup as prompted, then select and confirm "Fix all issues". While still in CCleaner, select "Cleaner", select "Analyze", then select "Run Cleaner".

Reboot normally, and immediately run SilentRunners, just saving the log, then run scans only (don't "Fix" anything) with both HJT and Ewido, saving the logs. While you're in Ewido, I'd like you also to select "Analysis", then select "Processes", then select "Save Report".

Now, connect to the internet and post the saved logs here.

lil cat luver
Reply Tue 9 Aug, 2005 09:56 pm
Actually, the popups have stopped since I deleted those files Symantec found. But I'm going to follow these instructions just to be sure, and I'll post the log after I finish all the steps here.

I have another problem with the computer though =( Ever since I scanned my computer with all the new programs on the adware/spyware removal guide, my antivirus gives me warnings every once in a while at startup (about 4 or 5 times already) saying something like:

TELUS Antivirus didn't start correctly, if you recently activated your antivirus, please restart the computer. If this problem persists, please reinstall TELUS Antivirus.

However, after I clicked OK, the antivirus loads normally, there's nothing missing. So, I'm wondering if the scans accidentally deleted a file or is it because I deactivated then reactivated the antivirus (for the online scans)?

timberlandko
Reply Tue 9 Aug, 2005 10:20 pm
The disabling/re-enabling may have something to do with that. Once you've gotten things back to normal, meaning not turning your antivirus on and off all the time, the problem might go away. If not, uninstall and reinstall your antivirus, just as suggested by the error message.

lil cat luver
Reply Wed 10 Aug, 2005 12:18 am
OK, here is the Ewido report from the scan in safe mode.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:17:14 PM, 8/9/2005
+ Report-Checksum: CDD4DBB

+ Scan result:

C:\Documents and Settings\Cathy\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup


::Report End


Here's the report from SilentRunners:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"TELUS Security service" = "C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe" ["Zero-Knowledge Systems Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll" ["Zero-Knowledge Systems Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = "Form Filler BHO"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll" ["Zero-Knowledge Systems Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Cathy" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 3
%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DvpApi, dvpapi, ""C:\Program Files\Common Files\Command Software\dvpapi.exe"" ["Command Software Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 51 seconds, including 15 seconds for message boxes)



Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:13 PM, on 8/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122924237437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



The second Ewido scan didn't find anything, so I didn't save the report.

And finally the process report:


---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 11:06:38 PM, 8/9/2005
+ Report-Checksum: 48D736CF

0: System Process
8: System Process
128: \SystemRoot\System32\smss.exe
152: \??\C:\WINDOWS\system32\winlogon.exe
156: \??\C:\WINDOWS\system32\csrss.exe
204: C:\WINDOWS\system32\services.exe
216: C:\WINDOWS\system32\lsass.exe
400: C:\WINDOWS\system32\svchost.exe
424: C:\WINDOWS\system32\spoolsv.exe
456: C:\Program Files\Common Files\Command Software\dvpapi.exe
468: C:\WINDOWS\System32\svchost.exe
492: C:\Program Files\ewido\security suite\ewidoctrl.exe
520: C:\Program Files\ewido\security suite\ewidoguard.exe
608: C:\WINDOWS\system32\MSTask.exe
632: C:\WINDOWS\System32\WBEM\WinMgmt.exe
684: C:\WINDOWS\system32\svchost.exe
780: C:\Program Files\ewido\security suite\SecuritySuite.exe
876: C:\WINDOWS\Explorer.EXE
904: C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
968: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
1020: C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
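An added example, not a tool either poster used: a small Python script that does by hand what the helper did when reading the logs in the first post and in this follow-up post. It parses the ewido and Symantec result lines into one record type, lists the HijackThis autostart entries that point at a file a scanner reported (which is how the LANBridge BHO and the lanbrup Run entry ended up on the fix list), and diffs the 8/3 and 8/9 HJT logs so the follow-up log can be checked for entries that disappeared and for any that newly appeared. The embedded log excerpts are copied from the posts above; the function names and the token-based file-name matching are my own.

```python
"""Correlate scanner findings with HijackThis (HJT) entries and diff two HJT logs.

Added example for this thread, not code from either poster. Sample inputs are
excerpts copied from the logs posted in the thread; function names are mine.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ewido report and the Symantec online scan.
EWIDO_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Scan result:

C:\WINDOWS\SYSTEM32\nsj30.dll -> Spyware.Beginto : Cleaned with backup
C:\WINDOWS\SYSTEM32\rk.bin -> Spyware.MarketScore : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup

::Report End
"""

SYMANTEC_RESULT = r"""
C:\WINDOWS\SYSTEM32\nsj30.dll is infected with Adware.Begin2search
C:\WINDOWS\SYSTEM32\aamrgpps.dll is infected with Spyware.SafeSurfing
C:\WINDOWS\SYSTEM32\lanbrup.exe is infected with Spyware.SafeSurfing
"""

# Constructed sample: the entries of interest from the 8/3 (before) and 8/9 (after) HJT logs.
HJT_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\aamrgpps.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KazaaBooster] aaDisabled
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848.com/mysearch/MySearch.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
"""

HJT_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
"""

# One pattern per report format; each yields a path and a detection name.
DETECTION_FORMATS = (
    re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : (?P<action>.+)$"),  # ewido
    re.compile(r"^(?P<path>[A-Za-z]:\\.+?) is infected with (?P<name>\S+)$"),      # Symantec
)
# HJT entry lines: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the body.
HJT_ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    action: str  # what the scanner did; "reported" when the format has no action column

    @property
    def filename(self):
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_detections(*reports):
    """Pull (path, name, action) records out of any number of scanner reports."""
    found = []
    for text in reports:
        for line in text.splitlines():
            for fmt in DETECTION_FORMATS:
                m = fmt.match(line.strip())
                if m:
                    g = m.groupdict()
                    found.append(Detection(g["path"], g["name"], g.get("action") or "reported"))
                    break
    return found


def parse_hjt(text):
    """Return HJT entries as (code, body) pairs, ignoring headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def flag_entries(hjt_text, detections):
    """HJT entries whose path, command or URL names a file a scanner detected.

    The body is split on path separators, whitespace and quotes and compared
    token by token against the detected file names, so a short name such as
    'rk.bin' cannot match inside some longer, unrelated name.
    """
    wanted = {d.filename for d in detections}
    flagged = []
    for code, body in parse_hjt(hjt_text):
        tokens = set(re.split(r"[\\/\s\"]+", body.lower()))
        if tokens & wanted:
            flagged.append((code, body))
    return flagged


def diff_hjt(before_text, after_text):
    """Entries that vanished between two HJT logs, and entries that newly appeared."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    dets = parse_detections(EWIDO_REPORT, SYMANTEC_RESULT)
    print("scanner detections:", len(dets))
    for code, body in flag_entries(HJT_BEFORE, dets):
        print("check in HJT:", code, "-", body)
    removed, added = diff_hjt(HJT_BEFORE, HJT_AFTER)
    print("gone after cleanup:", len(removed), "| new since cleanup:", len(added))
```

On the thread's own logs this flags exactly the O2 LANBridge and O4 lanbrup lines, and the diff shows four entries gone and none added, which is the "looks pretty good" verdict in machine-checkable form. The same `diff_hjt` check is worth running on any later log: an entry that reappears after a fix is the usual sign that something still running is re-creating it.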
 
timberlandko
 
  1  
Reply Wed 10 Aug, 2005 10:06 am
That looks pretty good. The only thing there that gives me any pause at all is your Internet Explorer start page setting, R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com; - which, it seems to me, is a nag to register your iVista webcam software; that strikes me as odd. Although iVista is not a known yuckware vector, I'd favor setting your home page to Google or to MSN or your own blog, or something of the sort. However, if you're happy with it, leave it as it is. If you do wish to reset it to something else, there are a number of methods you could use. One way would be simply to navigate to the page you want for a start page, then from your browser's toolbar, select Tools>Internet Options - then in the top panel, click "Use Current". Clicking "Use Default" should set your start page to MSN, and "Use Blank" should set your start page to a blank page, just as it says. Another method would be to use HJT again, and click to fix just that one entry; HJT should reset your start page to the same thing, Internet Explorer's default MSN start page. Using the Browser HiJack restore function under "Advanced Tools" in Microsoft Antispyware will do the same thing, and so will the browser restore functions in both Spybot S&D and Ad-Aware SE. My choice would be to do it manually, but what you do is up to you; if you like what you've got, leave it as it is.

That aside, it looks to me as though you're clean now. If your machine seems to be running OK, and your browsing and searching are going the way you want, I think you're good to go. Test things for a little while to make sure, then run CCleaner one more time to clean everything up, defrag your machine (usually best done in safe mode), then go ahead and re-enable System Restore and establish a new restore point. If you wish, you can delete the various tools you downloaded. They won't hurt anything, but they do take up disk space. I'd suggest you keep Microsoft Antispyware, Spybot S&D, Spyware Blaster, and Ad-Aware SE, and keep them updated, running scans every couple weeks or so, but the rest can go. And to keep things clean, Stay Safe Out There

lil cat luver
Reply Wed 10 Aug, 2005 09:58 pm
Thanks for all your help timberlandko. But I find that inetcam.com thing very weird since my Internet Explorer homepage is actually msn.com and always has been.

I have never had any iVista webcam software nor any notice to register. The software I do have for my webcam is called "Intel Create and Share software" and I have never received any notice from it.

The address displayed on the "Internet Options" tab is also msn.com, and I have already used the "browser hijack restore" option since it was one of the steps you mentioned earlier. Do you suppose I should just fix that on HJT anyways?

timberlandko
Reply Wed 10 Aug, 2005 10:52 pm
The Intel webcams come with iVista software - so that explains that - nothing to worry about, nothing mysterious. Wouldn't hurt a thing to have HJT "Fix" that, though - you don't need it.

lil cat luver
Reply Thu 11 Aug, 2005 01:10 am
OK then, I guess this thing is finally gone. Thank you again for everything you've done here.

timberlandko
Reply Thu 11 Aug, 2005 08:00 am
Cool ... yer entirely weccum. Glad we could help - that's not all we do around here - wander about the website some; you'll prolly find something that fascinates you. Enjoy.