www.google.com/webhp keeps popping up...

[negster22]

The ESET scan detected nothing unexpected (aka new) so that's encouraging.

OK, let's run the previous mbr command like this and you should not get rebooting -

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Copy / Paste the following command at the command prompt, and hit Enter

mbr.exe -s -t > "%userprofile%\desktop\mbr.log"

Leave the command prompt open.

Copy / Paste the following command and hit Enter:

del /a /f "c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe"

Please let me know if any errors came up in response to the above command..

Close the command prompt.

Open mbr.log by double-clicking mbr.log

Copy and paste the contents of mbr.log into your next reply.

[nick20z71]

no errors....

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Maxtor_6Y120P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86764AB8]

3 CLASSPNP[0xF788FFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000005e[0x867743B8]

5 ACPI[0xF77E6620] -> nt!IofCallDriver[0x804E13B9] -> \Device\Ide\IdeDeviceP0T0L0-3[0x86767940]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user & kernel MBR OK

copy of MBR has been found in sector 9 !

[negster22]

That looks good so what I want You to do is surf with your computer for the next couple days to test whether everything is OK. Then report back to me, and let me know how it went. If all is still OK, we'll remove the tools we used and perform some final clean-up measures.

[nick20z71]

Sounds good...will let you knoW!! Again, Thanks for all the help!!

[negster22]

You're very welcome Nick, and if I need any more info (logs) from You in the interim, I'll just post a reply here. Good Luck!

[nick20z71]

Everything looks good. No pop-ups, everything loading smoothly. I have been using IE8 now ,though, vs. Firefox. I origanlly switched to firefox from IE8 because it seemed to load faster. But now it almost seems the oppisite, IE8 seems to boot up quicker and load programs faster. Plus Firefox always seems to hold onto its RAM after I close it....ANy suggestions? Also where do we go from here....

Nick

[negster22]

Hi Nick,

I'm glad to hear that your PC is still behaving well!!

We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 22, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 22, then follow these steps:

1. Download the latest JRE version clicking the "Agree and Start Free Download" button.

2. Save the installer to your desktop.

3. Close any programs you may have running - especially your web browser.

4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

5. Reboot your system

6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform

7. "Install the Yahoo Toolbar' is prechecked by default, so be sure to UNCHECK it, if you do not care to have it, or You already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.

8. You may verify that the current version installed properly by clicking http://java.com/en/download/installed.jsp here.

--------------------

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

• On the General tab, under Temporary Internet Files, click the Settings button.
  
• Next, click on the Delete Files button
  
• There are two options in the window to clear the cache - Leave BOTH Checked
  • Applications and Applets
    
  • Trace and Log Files
    

  [*]Click OK on Delete Temporary Files Window

  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  [*] Click OK to leave the Temporary Files Window

  [*]Click OK to leave the Java Control Panel.

As Java Cache can be an infection repository, You can quickly scan it periodically for infectious elements, by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option:

The location of this folder usually is:

In XP:

C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\

In Vista and Windows 7:

C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\

==

If I asked you to download and run an ARK (Anti-rootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

• Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
  
• Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)
  

If I asked You to download TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location).

To remove Combofix and it's quarantine folder:

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\combofix.exe" /uninstall

This will do the following:

• Uninstall Combofix and all its associated files and folders.
  
• Flush your system restore points and create a new restore point.
  
• Rehide your system files and folders
  
• Reset your system clock
  

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your start-ups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

As far as browsers go, I use Firefox and IE9 (which really flies but You have to have Vista or W7 (or Windows Server 2008) to run it. On my other slower computer, I mainly use Google Chrome because it is super fast (IE9 is reputed to be even faster) but the drawback is that has many security flaws (vulnerabilities):

FYI: Google Chrome tops 'Dirty Dozen' vulnerable apps list

Here is a browser comparison called Internet Browser Software Review :

Happy Surfing!