
How to remove avcommand.net (Browser hijacker)

avcommand.net is a malicious site managed by the creators of a program called Antivirus Soft. This program is a fake security application, also known as rogue antispyware. The rogue is promoted and installed onto computers through the use of trojans. During installation, Antivirus Soft configures your browser (Internet Explorer) so that it can redirect you to avcommand.net.

Thus, when you open any site, the browser instead displays a page from avcommand.net reporting that visiting the site is dangerous because it contains malicious exploits that can launch a virus on your computer. This warning is a fake, so you can safely ignore it.


March 2, 2010 on 11:51 pm | In Browser Hijacking, Tutorials - HowTo | No Comments |


How to remove clickfraudmanager.com redirect (browser hijack)

The redirect to the clickfraudmanager.com site is a result of trojan/virus activity. The trojan horse may represent a security risk for the infected computer and uses rootkit-specific techniques designed to hide the software's presence in the system.

Once the computer is infected, search results in Google, Yahoo, MSN and other search engines redirect you through clickfraudmanager.com to MonsterMarketplace.com and other unrelated sites.

March 6, 2009 on 11:03 pm | In Browser Hijacking, Tutorials - HowTo | 3 Comments |


How to remove VideoActiveXCodec malware

Video ActiveX Codec (VAC, VideoCach, MediaTubeCodec, Media Codec Software, VideoAccessCodec) is a series of malicious codecs that deliver popup advertisements and hijack search engine results. They are installed from web sites that offer a video together with a codec (trojan) installation. Programs like these could be used to spread any piece of bad.


They also frequently deliver advertisements for rogue antispyware applications and display false alerts on the compromised computer:

Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware…

It also installs a toolbar in Internet Explorer.

Use the following instructions to remove VideoActiveXCodec.

September 28, 2008 on 12:41 am | In Browser Hijacking, Spyware, Tutorials - HowTo | No Comments |


How to remove softwarereferral/safewebnavigate hijackers and etlrlws toolbar

The Softwarereferral infection is a hijacker. If your computer is infected, you will see many popups, the Internet Explorer start page changed to softwarereferral.com, a blinking stop sign with an X in the system tray, and continual system alert popups.

Ignore these fake popups and use the free instructions below for removing the softwarereferral/safewebnavigate hijackers and any associated malware from your computer.

March 28, 2008 on 6:39 am | In Browser Hijacking, Tutorials - HowTo | No Comments |


How to remove webcry.com hijacker

Symptom: When you do any kind of search, the search results come up as normal; however, when you click a link in the results, the page goes blank and you keep getting redirected to webcry.com.

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 – BHO: (no name) – {4A4CB994-9A38-DF0F-2760-0708BFE8F63A} – C:\Program Files\****\****.dll
O2 – BHO: (no name) – {52EA2AED-161F-45A5-EBAC-0293CA8C771C} – C:\Program Files\****\****.dll
O4 – HKLM\..\Run: [*****] regsvr32 /u “C:\Documents and Settings\All Users\Application Data\*****.dll”

Note: **** stands for random characters, such as ‘utgboudx’ or ‘mgfaejew’.

Now close all browser windows and any other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted : “Registry cleaning – Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

If you are still having problems with spyware after completing these instructions, please follow the steps in: Spyware removal – Read this before posting

December 8, 2007 on 8:45 am | In Browser Hijacking, Tutorials - HowTo | 3 Comments |


How to remove savetheinformation.com and secirityonpage.com hijackers

Symptoms:

  • IE pop-up windows, mostly to a site called www.savetheinformation.com but also to some other sites
  • Yellow balloons from the taskbar prompting you to download antispyware software.
  • Grey pop-ups, like error messages, also prompting to download antivirus/spyware software.
  • 2 programs added to start menu program list: online security guide and live safety center
  • when you open an IE window it goes to www.savetheinformation.com

Download VundoFix and save the file to your desktop.
Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.

Disable your anti-spyware program; once your PC is clean you can re-enable it.

Double-click VundoFix.exe to run it.

When VundoFix opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

If you still have problems, follow these steps:

Download FixSTI.reg to your desktop.

Double-click FixSTI. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Run HijackThis. Close all programs, leaving only HijackThis running. Place a check against each of the following if found, making sure you get them all and not any others by mistake:

O2 – BHO: (no name) – {33BF7E26-185B-46C7-87FB-A8F94C7E696C} – C:\WINDOWS\system32\pmnlk.dll
O2 – BHO: (no name) – {5a2e9fa3-5acd-4013-961b-aae311cdb902} – C:\WINDOWS\system32\****.dll (file missing)
O2 – BHO: (no name) – {60D97635-E582-E002-F541-EA2B589ED998} – C:\WINDOWS\system32\****.dll (file missing)
O2 – BHO: (no name) – {89AD4D75-2429-462e-BD4E-443F233F6033} – C:\WINDOWS\system32\****.dll
O2 – BHO: (no name) – {A95B2816-1D7E-4561-A202-68C0DE02353A} – C:\WINDOWS\system32\****.dll
O2 – BHO: (no name) – {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} – C:\WINDOWS\system32\****.dll
O3 – Toolbar: Security Toolbar – {11A69AE4-FBED-4832-A2BF-45AF82825583} – C:\WINDOWS\system32\****.dll
O20 – Winlogon Notify: **** – C:\WINDOWS\SYSTEM32\****.dll

Here **** stands for random characters, for example: xjegktl, nuyix, ldbvcpwu, khcmkrws …

Now close all other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

If you still have problems with your PC or cannot remove the hijackers, follow the steps outlined in the topic linked below:
Spyware removal – Read Before Posting.

Don't forget, we want to help you: make logs and post them to the spyware removal forum!

November 18, 2007 on 6:00 am | In Browser Hijacking, Spyware protection and removal, Tutorials - HowTo | 3 Comments |


How to remove Pcsecuritylab.com Hijacker

Pcsecuritylab.com is a browser hijacker.
It may also change the desktop wallpaper and show the message:

Warning! SpyWare Threat Detected on Your PC!

You will also periodically get a fake security warning:

Your Security and Privacy are at risk: Spyware has been detected. Click HERE to remove it.

It runs automatically on every Windows startup. Pcsecuritylab.com is a very high security risk and should be removed immediately to prevent harm to your computer and your privacy.

Download HijackThis and save the file to your desktop. Double-click the file to install it.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip it to your desktop.

Open Notepad and copy/paste the text in the quotebox below into it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e690500e-1dd1-11b2-a943-9ecd016314d0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Save this as Fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.).
Double-click Fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

O2 – BHO: (no name) – {12F02779-6D88-4958-8AD3-83C12D86ADC7} – (no file)
O8 – Extra context menu item: &Search – http://edits.mywebsearch.com/toolbar…p=ZJxdm186NJUS

Now close all browser windows and any other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy and paste the following text:

Files to delete:
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\ace16win.dll

Folders to delete:
C:\WINDOWS\system32\Mz15r
C:\WINDOWS\PerfInfo
C:\WINDOWS\McAfee.com
C:\Program Files\LimeWire
C:\WINDOWS\system32\acespy

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below:
Spyware removal – Read Before Posting

November 17, 2007 on 8:19 am | In Browser Hijacking, Spyware protection and removal, Tutorials - HowTo | 1 Comment |


How to remove safenavweb.com hijacker

Symptoms: system keeps popping up warning messages & launching Internet Explorer & directing it to safenavweb.com

To fix the safenavweb.com malware, follow these steps:

Download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.

Download CCleaner. Double-click the file to install it.
Download and unzip Avenger to your desktop.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 – BHO: MSVPS System – {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} – C:\WINDOWS\ntspkfxt.dll
O2 – BHO: (no name) – {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} – (no file)
O3 – Toolbar: The htunistock – {C58A4487-4C2E-45E4-9E3A-52B3A23CC396} – C:\WINDOWS\htunistock.dll
O18 – Filter hijack: text/html – (no CLSID) – (no file)
O21 – SSODL: hostctrl – {20D7F2C0-86AB-4F63-88E4-E3F4887E0CC1} – C:\WINDOWS\hostctrl.dll
O21 – SSODL: hstsys – {44195BC8-06C2-4D25-81E9-1607B1313715} – C:\WINDOWS\hstsys.dll

Now close all browser windows and any other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy and paste the following text:

Files to delete:
C:\WINDOWS\ntspkfxt.dll
C:\WINDOWS\htunistock.dll
C:\WINDOWS\hostctrl.dll
C:\WINDOWS\hstsys.dll

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Boot your PC again in Safe Mode.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning – Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Download the HostsXpert 3.7 – Hosts File Manager.

# Unzip HostsXpert 3.7 – Hosts File Manager to a convenient folder such as C:\HostsXpert
# Click HostsXpert.exe to Run HostsXpert 3.7 – Hosts File Manager from its new home
# Click “Make Hosts Writable?” in the upper right corner (If available).
# Click Restore Microsoft’s Hosts file and then click OK.
# Click the X to exit the program.
# Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Run CCleaner.

Click the Analyze button. After it has scanned your system, click Run Cleaner.

Reboot your PC.

Disable System Restore to flush out infected restore points. Reboot your computer again. Turn on Windows System Restore. After that, click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. Click “create new restore point”, click NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topics linked below

Help | How to remove safenavweb.com hijacker
Spyware removal – Read Before Posting

November 8, 2007 on 7:56 am | In Browser Hijacking, Tutorials - HowTo | 10 Comments |


Yahoo IM worm hijacks Internet Explorer Installs fake browser

A worm that installs a ‘Safety Browser’ and plays screeching music is circulating via IM.

The annoyance starts with a link apparently sent by a friend in Yahoo’s IM program.

IM security company FaceTime Communications described the malware, which it calls “yhoo32.explr”, as “insidious” in a security advisory last week:

The malware infects the PC with two elements. The first element is a web browser called “Safety Browser.” This stand-alone application has no uninstaller and disguises itself with an Internet Explorer logo in some instances. The application also hijacks the personal homepage in Internet Explorer and points users to Safety Browser’s homepage (demoplanet.tv). The hijack also plays looped music that cannot be stopped when the user starts up the PC or Safety Browser. The second element is the self-propagating worm. This worm installs an .exe file that spreads the infection through Yahoo Messenger to everyone on the Contacts List.

When the link is clicked, a worm installs the so-called ‘Safety Browser’, a program that leads the user to pages mined with adware and viruses, FaceTime said. The Safety Browser uses an Internet Explorer logo to make it look more legitimate.

Malware spread through instant-messaging programs is on the rise. However, FaceTime said this malware appeared to be the first to install a browser without the user’s permission.

The bug also hijacks Internet Explorer’s home page, directing users to the Safety Browser’s site.

After it is launched, the worm sends itself to others on the user’s instant-messaging contact list.

The malware is engineered to overwrite instant messages typed by a user, and the infected message can be changed on the fly, the company said.

Read more here.

May 28, 2006 on 11:20 pm | In Browser Hijacking | No Comments |


Coolwebsearch.info – new site from the Coolwebsearch family

Sunbelt reported a new CWS site: Coolwebsearch.info.
This site is an affiliate of Coolwebsearch.com and installs a toolbar that hijacks the home page without a EULA.


Run by our Best Friend Ever, Vadmim Praha
Whois Data:

Fedorov Vadim Praha CZ hali @ volny.cz
Fedorov Vadim Praha CZ sp @ prague-sex.com
Fedorov Vadim Prtaha 5 CZ sovsem @ nevest.net
Fedorov Vadim Praha CZ radmin @ radmin.kirov.ru

And he’s got lots more sites under the IP 194.187.96.195, which you are welcome to put into your blocklists.


If you don't know how to block these sites, try this howto: How to use HOST file for block sites

Also, if you can't remove the CWS hijacker or toolbar, try this: How to remove CWS Hijacker

March 21, 2006 on 10:33 am | In Browser Hijacking | No Comments |


HOSTS file hijacking and bank password stealing

HOSTS file hijacking combined with bank password stealing trojans is one of the more egregious spyware tricks currently being seen. Here’s the scenario. A user is infected with a trojan and other malware that, among other things, changes the HOSTS file so that websites commonly used for online banking are redirected to the spyware pusher/thief’s site which is made to look nearly identical to the real bank site.
HOSTS file hijacking can be prevented with a number of apps including several anti-spyware programs and utilities, including one of my favorites, WinPatrol.
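An added example, not part of the original post: a small Python audit of a hosts file that reports every name sent to a non-local address, which is the redirection described above. The sample file, the bank.example watchlist and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import os
from typing import Iterable, List, NamedTuple

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample: addresses come from the documentation ranges and
# bank.example stands in for a real online-banking host name.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example      # blocklist-style sinkhole
203.0.113.45    www.bank.example bank.example   # bank name sent elsewhere
198.51.100.7\tintranet.corp.example
not-an-ip       broken.example
"""


class HostsFinding(NamedTuple):
    lineno: int
    address: str
    hostname: str
    severity: str  # "watchlist" = a name you bank with, "review" = any other redirect


def default_hosts_path() -> str:
    """Location of the hosts file on Windows, /etc/hosts elsewhere."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def audit_hosts(text: str, watchlist: Iterable[str] = ()) -> List[HostsFinding]:
    """Report every name the hosts file maps to a non-local address."""
    watch = {w.lower().rstrip(".") for w in watchlist}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on blanks/tabs
        if len(entry) < 2:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue  # first field is not an IP address
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1, ::1, 0.0.0.0: local sinkhole entries used by blocklists
        for name in entry[1:]:  # one line may carry several host names
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            hit = any(host == w or host.endswith("." + w) for w in watch)
            findings.append(
                HostsFinding(lineno, str(addr), host, "watchlist" if hit else "review")
            )
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watchlist=["bank.example"]):
        print(f"line {f.lineno}: {f.hostname} -> {f.address} [{f.severity}]")
```

To audit a real machine, read the file at `default_hosts_path()` and pass the host names of the banks you actually use as the watchlist.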

Read more here and here.

January 13, 2006 on 2:56 am | In Browser Hijacking | No Comments |


How to remove the Aurora, Nail.exe, Epolvy Hijackers

Nail.exe is a hijacker, which means it will intermittently change your Internet Explorer settings / Desktop to the link of its author’s sponsors. This program is usually installed through consent; however, it is sometimes packaged as another product. Aurora.exe is an advertising program by Aurora. This process monitors your browsing habits and sends the data back to the author’s servers for analysis. It also triggers advertising popups, etc.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

You should download some programs to aid in our fix. Do not run them now.

1. Download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.

2. Download and Install Ewido Security Suite. When installing, under “Additional Options” uncheck :
- “Install background guard”
- “Install scan via context menu”
Launch Ewido by double-clicking its icon on your desktop. You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

3. Download and Install Ad-aware SE. If you have a previous version of Ad-Aware installed, you will be prompted during the installation of the new version to uninstall the older version – be sure to uninstall the previous version.
Run Ad-Aware. Click on the world icon at the top right of the Ad-Aware window and let AdAware update the reference list for the adware and malware. Close Ad-Aware.

4. Download the VX2 Cleaner from here.
Run Ad-Aware SE Personal. Click Add-Ons. Double-click VX2 Cleaner. Click Ok to Execute this tool.
If malware is found click Clean System. When it’s done click Start in Ad-Aware SE Personal. Make sure Perform smart system scan is checked. Click Next. Let it clean anything it finds.

OK, that is all the programs.
Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Run Ewido Security Suite
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select “Perform action on all infections”, then proceed.
Close ewido security suite

Now you need to run HijackThis and click “Do a system scan only”

If you have the nail trojan, fix the following entry if it is there:

F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

If you have the epolvy trojan, fix the following entries if present:

Any entry in the O4 section that has a random “.exe” file with an “r” at the end:

O4 – HKLM\..\Run: [hdprwdl] C:\WINDOWS\system32\xigvkfa.exe r
O4 – HKLM\..\Run: [qywgyfm] C:\WINDOWS\System32\tocmgs.exe r

If you have any other symptoms of Aurora then fix the following if present:

O2 – BHO: BolgerObj Class – {302A3240-4805-4a34-97D7-1645A0B08410} – C:\WINDOWS\Bolger.dll
O23 – Service: System Startup Service (SvcProc) – Unknown owner – C:\WINDOWS\svcproc.exe

Finally, restart your computer.
Now your computer should no longer be infected with Aurora – Nail.exe – Epolvy Hijackers.
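An added example, not from the original tutorial or from HijackThis itself: a Python triage pass over a saved HijackThis log that marks the entry shapes this fix tells you to look for (an extra program in Shell=, a Run entry ending in a lone r, a BHO loaded from the Windows directory). It goes slightly beyond this tutorial to cover the (no name) and (file missing) BHO entries listed in the earlier tutorials on this page. The rules are heuristics for choosing lines to review, and the two Example entries in the sample are constructed.

```python
import re
from typing import List, NamedTuple

# HijackThis writes " - " between fields; this page shows them as en dashes.
SEP = re.compile(r"\s+[-\u2013]\s+")
ENTRY = re.compile(r"^([A-Z]\d{1,2})\s+[-\u2013]\s+(.*)$")
# A file placed directly in the WINDOWS or WINDOWS\system32 folder.
WIN_ROOT = re.compile(r"^[A-Z]:\\WINDOWS(\\system32)?\\[^\\]+$", re.IGNORECASE)
ABSENT = re.compile(r"\s*\((file missing|no file)\)$")

# Constructed sample: five entries quoted on this page plus two made-up
# "Example" entries that should pass without a finding.
SAMPLE_LOG = r"""
F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 – HKLM\..\Run: [hdprwdl] C:\WINDOWS\system32\xigvkfa.exe r
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O2 – BHO: BolgerObj Class – {302A3240-4805-4a34-97D7-1645A0B08410} – C:\WINDOWS\Bolger.dll
O2 – BHO: (no name) – {5a2e9fa3-5acd-4013-961b-aae311cdb902} – C:\WINDOWS\system32\****.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O23 – Service: System Startup Service (SvcProc) – Unknown owner – C:\WINDOWS\svcproc.exe
"""


class Finding(NamedTuple):
    code: str
    entry: str
    reasons: List[str]


def review_reasons(code: str, body: str) -> List[str]:
    """Return the reasons (possibly none) why one log entry deserves a closer look."""
    reasons: List[str] = []
    fields = SEP.split(body)
    if code == "F2" and "Shell=" in body:
        # Anything after the first program on the Shell= line is started as well.
        extra = body.split("Shell=", 1)[1].split()[1:]
        if extra:
            reasons.append("Shell= starts an extra program: " + " ".join(extra))
    elif code == "O4":
        cmd = re.search(r"\]\s+(.*)$", body)
        command = cmd.group(1) if cmd else body
        if re.search(r"\.exe\s+r$", command, re.IGNORECASE):
            reasons.append("Run entry passes a lone 'r' argument")
        if command.lower().startswith("regsvr32"):
            reasons.append("Run entry calls regsvr32 at every logon")
    elif code in ("O2", "O3", "O20", "O21"):
        target = fields[-1]
        if fields[0].endswith("(no name)"):
            reasons.append("object has no display name")
        if ABSENT.search(target):
            reasons.append("registered file is absent from disk")
        if WIN_ROOT.match(ABSENT.sub("", target)):
            reasons.append("file sits directly in the Windows directory")
    elif code == "O23" and "Unknown owner" in fields:
        reasons.append("service binary has no identifiable owner")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and keep only the entries that matched a rule."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            reasons = review_reasons(m.group(1), m.group(2))
            if reasons:
                findings.append(Finding(m.group(1), raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{'; '.join(f.reasons)}\n    {f.entry}")
```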

January 5, 2006 on 7:39 am | In Browser Hijacking, Spyware protection and removal, Tips, Tutorials - HowTo | No Comments |


How to remove Needupdate (securityerrors) hijacker (uninstall)

You can also try this tutorial if you are being redirected to these domains:
dns404.net, needupdate.com, yoursystemupdate.com, systemwarning.com, warningmessage.com, syserrors.com, notfound404.com, updateyoursystem.com, securityerrors.com, hdnsservidce.com, downldboost.com

You should download some programs to aid in our fix. Do not run them now.

1. Download smitRem.exe and save it to your desktop. Double-click it to extract it to its own folder on the desktop.

2. Download and Install Ad-aware SE. If you have a previous version of Ad-Aware installed, you will be prompted during the installation of the new version to uninstall the older version – be sure to uninstall the previous version.
Run Ad-Aware. Click on the world icon at the top right of the Ad-Aware window and let AdAware update the reference list for the adware and malware. Close Ad-Aware.

3. Download and Install Ewido Security Suite. When installing, under “Additional Options” uncheck :
- “Install background guard”
- “Install scan via context menu”
Launch Ewido by double-clicking its icon on your desktop. You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

4. Download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.
That is all the programs.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now you need to run HijackThis and click “Do a system scan only”.
Place a check next to the following entries (if they are still there):

R3 – URLSearchHook: (no name) – {4D25F926-B9FE-4682-BF72-8AB8210D6D75} – C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

O2 – BHO: HomepageBHO – {1ca480cd-c0e5-4548-874e-b85b17905b3a} – C:\WINDOWS\system32\hp4BCE.tmp
(maybe another filename, hp6810.tmp, for example)

Click Fix Checked

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again — this is normal.
Wait for the tool to complete and Disk Cleanup to finish — this may take a while; please be patient.

Run Ad-aware
Click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window:
In the General window make sure the following are selected in green:

Under Safety:
- Automatically save log-file
- Automatically quarantine objects prior to removal
- Safe Mode (always request confirmation)

Under Definitions:
- Prompt to update outdated definitions – set the number of days
Click on the Scanning button on the left and select in green:

Under Driver, Folders & Files:
- Scan Within Archives

Under Select drives & folders to scan:
- Choose all hard drives

Under Memory & Registry: all green
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URLs
- Scan my Hosts file

Click on the Advanced button on the left and select in green:

Under Shell Integration:
- Move deleted files to recycle bin

Under Logfile Detail Level: all green
- include additional object information
- DESELECT – include negligible objects information
- include environment information

Under Alternate Data Streams:
- Don’t log streams smaller than 0 bytes
- Don’t log ADS with the following names: CA_INOCULATEIT

Click the Tweak button and select in green:

Under Scanning Engine:
- Unload recognized processes during scanning
- Scan registry for all users instead of current user only

Under Cleaning Engine:
- Let Windows remove files in use at next reboot

Under Log Files:
- Include basic Ad-aware SE settings in logfile
- Include additional Ad-aware SE settings in logfile
- Please do not check: Include Module list in logfile

Click on Proceed to save the settings. Click Start. Choose Perform Full System Scan.

- DESELECT “Search for negligible risk entries”, as negligible risk entries (MRU’s) are not considered to be a threat.

Click Next and Ad-Aware will scan your hard drive(s) with the options you have selected and clean automatically. If Ad-Aware finds bad entries, you will receive a list of what it found in the window. Click on Next and check all the boxes in the window. Click next and OK to remove. Close Ad-Aware.

Run Ewido Security Suite
Click on scanner. Click on Complete System Scan and the scan will begin. NOTE: During some scans Ewido reports false positives; for example, it has been flagging parts of AVG Anti-Virus, pcAnywhere and the game “Risk”.

You will need to step through the process of cleaning files one-by-one.
If Ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select “Perform action on all infections”
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report. Save the report .txt file to your desktop.
Now close Ewido Security Suite.

Next go to Control Panel, Display, Desktop, Customize Desktop, Web, Uncheck Security Info (if present)
Open Windows Explorer, then locate and delete the following files (if present):

C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hp4BCE.tmp (or another file; take the name from the O2 entry in your HijackThis log)
C:\WINDOWS\system32\nvctrl.exe

Restart your computer in normal mode.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer.

December 20, 2005 on 8:02 am | In Browser Hijacking, Tips, Tutorials - HowTo | 5 Comments |


Hijack Removal “How to”

Any of the products below will remove most hijackers completely, unless it is one which has just started spreading.

Spybot S&D [recommended]
Ad-aware

If you have a hijack that is not fixed by any of these products, you may use the solutions below, which I have gathered after helping to fix these same problems countless times through email and on comp tech forums. Read on…

Your browser now has a new start page and a new search page. Every time your browser loads a page that doesn’t exist, you end up at some strange site, probably filled with popup ads.

Skip any step that deals with a problem that doesn’t affect you.

1. Assuming that none of the spyware removal programs listed above helps you, the very first thing you need to do is download and run HijackThis. Put a check mark next to every search and start page setting it lists which you haven’t put there yourself and choose fix. Do the same for any hosts file entries. If it lists anything as O5, O6, or O7*, fix those as well. Please ask for advice on comp tech forums before using HijackThis to change anything else.
*Note: Spybot S&D, Start Page Guard, Settings Sentry, and similar programs may provide options to lock settings against unauthorized changes. If you have these options enabled, HijackThis will detect that as a restrictions hijack. Disable those options before scanning with HijackThis.

2. Second, you have to put Internet Options back into the control panel. Do a file search and look for a file named “control.ini”. Open it in Notepad. You may see something like this:
[don't load]
inetcpl.cpl=yes

Delete the “inetcpl.cpl=yes” line under “[don't load]”. Save and close the file, then try the control panel again. If it’s still not there, restart your machine and it should be there.
For Windows 2000 and XP, you will need to edit the registry to do this. Go to the Start menu > Run command > type REGEDIT and press Enter. Navigate through the registry keys until you get to HKEY_CURRENT_USER\Control Panel\don't load\. Look and see if inetcpl.cpl is listed. If it is, delete the entry for it and log off.

3. Run a search on your hard drive for any files ending with *.hta or *.js. If you find any, open them in Notepad or some other text editor and look for the URLs that you have been hijacked to. Delete any file that contains those URLs. Also delete all *.tmp files on your drive; some of them contain malicious code (e.g. browser hijacks or malware (re)installations). Besides, deleting *.tmp files doesn’t hurt, unlike DLLs, which are also sometimes used for this purpose. (Thanks to cexx.org for the additional info in this step.)

4. HijackThis will list any BHO (Browser Helper Object) installed on your computer. Check the BHOs listed against the list of all known BHOs. If you find one listed as some sort of spyware/malware/hijackware, run HijackThis again and find that BHO in the list. Check its box and have HijackThis fix it.
If you find a BHO that is not included in the list, please make a post in the Browser Hijackings section of comp tech support forums with the HijackThis log pasted in along with an explanation of your problem. Please wait for replies before deleting this BHO, as it may be a new one which I can have added to various spyware/malware cleaning programs. It may also be an innocent file that is not causing your problem, so please wait for advice before deleting it.

5. Now you need to see if there is a startup entry for your hijacker file. The next time you reboot, the hijack might come right back. The reason for this would be an entry in the run section of the registry.
Look in HijackThis for O4 startup items. Check the entries listed against Pacman’s List. For items listed as virus, malware, spyware, or something else that is undesirable, put a checkmark next to them and “fix” them.

Again, it will be absolutely necessary for you to close all open Internet Explorer windows before any of these changes will take effect. That includes this window. Some changes may even require a log off or even a reboot before they have any effect.
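A read-only check for steps 2 and 3 above, given here as an added example that is not part of the original post: it reports which Control Panel applets a control.ini hides and which *.hta / *.js files mention a hijack host, without deleting anything. The function names, the sample control.ini text and the host `hijack.example` are assumptions constructed for illustration.

```python
import re
from pathlib import Path

def hidden_applets(control_ini_text):
    """Return applet names listed under [don't load] in control.ini text."""
    hidden, in_section = [], False
    for raw in control_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Compare the section name case-insensitively.
            in_section = line.lower() == "[don't load]"
        elif in_section and "=" in line and not line.startswith(";"):
            hidden.append(line.split("=", 1)[0].strip().lower())
    return hidden

def scripts_mentioning(root, hijack_hosts):
    """List *.hta / *.js file names under root that contain a hijack host."""
    if not hijack_hosts:
        return []          # an empty pattern would match every file
    pattern = re.compile("|".join(re.escape(h) for h in hijack_hosts), re.I)
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".hta", ".js"):
            # errors="replace": dropped script files are often not valid UTF-8.
            text = path.read_text(encoding="utf-8", errors="replace")
            if pattern.search(text):
                hits.append(path.name)
    return hits

# Constructed sample, not copied from an infected machine.
SAMPLE_CONTROL_INI = """\
[current]
color schemes=Windows Standard
[Don't Load]
inetcpl.cpl=yes
; joy.cpl=yes
[installed]
3.1=yes
"""

if __name__ == "__main__":
    for applet in hidden_applets(SAMPLE_CONTROL_INI):
        note = "  <- Internet Options" if applet == "inetcpl.cpl" else ""
        print("hidden from Control Panel:", applet + note)
    print(scripts_mentioning(".", ["hijack.example"]))
```

Review each reported file by hand before removing it; a legitimate script can mention the same host in a comment or a block list.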

Still not fixed?

I hope this helps anyone who has become a victim of a browser hijack. If it does, great.
If the problem still remains after doing all of the above, you can visit comp tech support forums and post the specifics of your problem there.

December 5, 2005 on 8:38 am | In Browser Hijacking, Tips, Tutorials - HowTo | No Comments |


HijackThis – your first tool for remove homepage hijackers

HijackThis examines certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It’s up to you to decide what should be removed. Some items are perfectly fine. You should not remove them. Never remove everything. Doing that could leave you with missing items needed to run legitimate programs and add-ins.

Continue reading HijackThis – your first tool for remove homepage hijackers…

December 5, 2005 on 8:19 am | In Best Programs, Browser Hijacking, Free Software | 21 Comments |


Browser Hijacking

There is a despicable trend that is becoming more and more common wherein the browser settings of web surfers are being hijacked forcibly by malicious web sites and software which modifies your default start and search pages.

Sometimes internet shortcuts will be added to your favorites folder without asking you. The purpose of this is to force you to visit a web site of the hijacker’s choice so that they can artificially inflate their web site’s traffic for higher advertising revenues.

In some cases, these changes are reversible simply by going into internet options and switching them back. Not always, however. Sometimes it’s necessary to edit the windows registry (gasp!) to undo the changes made. Sometimes there is even a combination of registry setting and files clandestinely placed on your hard drive that redo your settings every time you reboot the computer.

No matter how often you change your settings back, they are changed again the next time you restart. There have even been cases where internet options have been removed from the tools menu by registry hacking to prevent you from controlling your own computer!

Even AOL has become a browser hijacker by placing their web site free.aol.com in Internet Explorer’s trusted sites security zone, thereby bypassing the most frequently used security settings. This occurs after installing their AOL software, AOL Instant Messenger or Netscape 6.x, and ICQ2001b has reportedly done this as well. AOL then exploits this by downloading ActiveX components to your computer without your consent. The CWS trojan also does this.

December 5, 2005 on 7:59 am | In Browser Hijacking | No Comments |


How to remove CWS Hijacker

This is old news, but even now many people have a question:
“How to remove CWS Hijacker from my PC?”
Read below.

CWS is a trojan that hijacks Internet Explorer start and search settings to one of several different web sites (see below). Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer. There could be other domains involved in the future.

This hijack is similar to the datanotary.com hijack discovered last month. As with datanotary, the CWS hijack sets Internet Explorer to use a custom style sheet containing javascript that opens a pop up window. In fact, we believe the trojan involved with CWS is an updated version of the same malware involved with datanotary.

In the original variant, the start and search settings were changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also made it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker’s web site.
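Why the encoding defeats a naive blacklist, and how to undo it before checking, shown as an added example that is not part of the original post. The host `hijack.example`, the encoded sample URL and the function names are constructed for illustration; the loop also handles encoding applied more than once, which goes beyond the single layer the text describes.

```python
from urllib.parse import unquote, urlsplit

def decoded_host(url, max_rounds=5):
    """Undo percent-encoding (even if layered) and return the lowercase host."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break                      # nothing left to decode
        url = decoded
    if "://" not in url:
        url = "http://" + url          # start-page values may omit the scheme
    return (urlsplit(url).hostname or "").lower()

def is_blocklisted(url, blocklist):
    """True if the decoded host is a blocklisted domain or a subdomain of one."""
    host = decoded_host(url)
    return any(host == d or host.endswith("." + d) for d in blocklist)

# Constructed sample: "http://hijack.example/start" with every letter encoded.
ENCODED_START_PAGE = (
    "http://%68%69%6a%61%63%6b%2e%65%78%61%6d%70%6c%65/%73%74%61%72%74"
)
BLOCKLIST = ["hijack.example"]

if __name__ == "__main__":
    # A plain substring test on the stored value finds nothing...
    print("raw match:    ", any(d in ENCODED_START_PAGE for d in BLOCKLIST))
    # ...while decoding first exposes the real host.
    print("decoded host: ", decoded_host(ENCODED_START_PAGE))
    print("blocklisted:  ", is_blocklisted(ENCODED_START_PAGE, BLOCKLIST))
```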

An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.

More current variants also install a small web server, contained in a file named svchost32.exe. It adds several Google addresses (google.de, google.ch, google.ca, etc.), search.yahoo.com, and search.msn.com to the HOSTS file, telling Windows that the IP address for those sites is 127.0.0.1, and that’s where its web server is listening.
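A check for the HOSTS-file change just described, shown as an added example that is not part of the original post. It flags any HOSTS entry that overrides one of the search domains named above; the sample file content and the function names are constructed for illustration.

```python
import ipaddress
import re

# Search domains the text names as targets: google.* country sites,
# search.yahoo.com and search.msn.com (optionally with a www. prefix).
SEARCH_HOST = re.compile(
    r"^(?:www\.)?(?:google\.[a-z.]{2,6}|search\.yahoo\.com|search\.msn\.com)$")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address line
        for name in fields[1:]:                   # one line may carry many names
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_entries(text):
    """Return (line_no, name, ip, reason) for overridden search domains.

    A clean HOSTS file has no reason to pin these names at all; a loopback
    target matches the local web server behaviour described above.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if SEARCH_HOST.match(name):
            reason = "loopback" if ip.is_loopback else "override"
            findings.append((line_no, name, str(ip), reason))
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
127.0.0.1       google.de google.ch   # two names on one line
127.0.0.1       Search.Yahoo.com
10.0.0.5        intranet.example
# 127.0.0.1     search.msn.com   (commented out, ignored)
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```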

Yet another variant hijacks Internet Explorer’s SearchHook setting with a file named dnsrelay.dll. This redirects all search and start page settings to allhyperlinks.com.

Finally, the trojan lists the hijacker’s web site in Internet Explorer’s trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer’s file system.

We believe the source of the infections might be ActiveX drive-by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.

This trojan is detected by Computer Associates antivirus products under the following names:
Win32.Startpage.C
JS.CSSPopup.B
JScript/IEstart.Trojan
Win32/IEstart.Trojan

Removal Instructions

Merijn, author of HijackThis and StartupList, has created CWShredder specifically to remove this parasite. Please make certain that all browser and folder windows are closed before using CWShredder.

December 5, 2005 on 7:50 am | In Browser Hijacking, Tips, Tutorials - HowTo | No Comments |


