Spyware Warrior

[rayb2001]

Not sure how I got it but whenever I would search using either Google or Yahoo from FF, a new set of "sponsored links" would show up on the left. Seems I got a plug-in that sends a request to SmarterSearch to put these up.

Using HijackThis, I was able to find a BHO but after removing it with HighackThis, it was still showing up.

After hours of looking through the registry and file system, I finally found that the file (which apparently gets named differently on every system) was hiding in the firefox directory: c:\Program Files\Mozilla Firefox\components

So, for those looking to remove this, the file name was the same as reported by HijackThis. But HijackThis showed the file as in c:\windows\system32. Maybe it was there also and it copied itself to the firefox directory, I can't tell.

Just deleting the file (ozwcpyqydyzmhiolq.dll) fixed the problem for me.

Hope this helps someone save some time!

[rahul_t]

Thanks for your valuable tips. Its really help me and others. I think nest time I don't have to reinstall windows when I attack by virus.

[suzi]

[rayb2001]

After this, I found another problem and followed these instructions to fix:

Someone has already written an automated removal tool for this:
http://jpshortstuff.247fixes.com/GooredFix.exe

The use instructions for this tool are:
- Double-click GooredFix.exe on your Desktop (Note: If you are using Vista right-click GooredFix and select Run As Administrator...)
- Select Option#1 - Find Goored (no fix), by typing 1 and pressing Enter
- A logfile should popup shortly.

- Take a look at the section "Suspect Goored Entries". There should be an entry there with a random string of numbers and letters enclosed in {} (in this case {ABB56C42-1843-46EF-A93E-482DE0F5B5AA}), that shows a folder in C:\Documents and Settings\<your name>\Local Settings\Application Data\{the same random numbers and letters}.

- If this entry is present, and if there are no other entries in the "Suspect Goored Entries" section, then do the following:
- Close all Windows and Browsers, especially any Firefox Windows.
- Double-click GooredFix.exe on your Desktop (Note: If you are using Vista right-click GooredFix and select Run As Administrator...)
- Select Option#2 - Fix Goored by typing 2 and pressing Enter.
- At the prompt, type y and press Enter.
- GooredFix will now remove the infection, and a new log will popup. Please proceed to Step 2.

A ton of people are reporting success resolving this issue with this tool, so hopefully it works for you.

[rayb2001]

Sorry, forgot to add step two which is to run HiJackThis and confirm that there are no other problems.

[suzi]

rayb2001, we appreciate you sharing, but we do not recommned folks to remove anything with HijackThis on their own without the advice of a trained helper. There is a significant risk of doing serious damage to the system when untrained people start deleting things with HijackThis. All helpers at this and other similar forums are required to go through extensive training at one of the malware removal schools, where they are supervised closely before they are allowed to assist with malware removal independently.

Maybe you would be interested in Malware Removal University.

http://www.malwareremoval.com/university.php

Most our helpers are graduates of that school.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.