
Adware.FindemNow - Removal

Updated: February 13, 2007 11:36:54 AM
Type: Adware
Risk Impact: High
File Names: Msxmlpp.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the virus definitions.
  2. Remove the registry values that the adware added.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Adware.FindemNow, and then restart in normal mode.
  5. Reset the Internet Explorer settings.
  6. Remove the lines that were added to the hosts file.
For details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

    2. Removing the registry values that load the Adware


    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit

      Then click OK. (The Registry Editor opens.)

    3. Navigate to the key:

      HKEY_LOCAL_MACHINE\TypeLib\

    4. In the left pane, delete the subkey:

      {53B95204-7D77-11D2-9F80-00104B107C96}

    5. Navigate to the key:

      HKEY_CLASSES_ROOT\Interface\

    6. In the left pane, delete the subkey:

      {53B95210-7D77-11D2-9F80-00104B107C96}

    7. Navigate to the key:

      HKEY_CLASSES_ROOT\

    8. In the left pane, delete the subkey:

      Xmlmimefilter.XMLMimeFilterPP.1

    9. Navigate to the key:

      HKEY_CLASSES_ROOT\

    10. In the left pane, delete the subkey:

      {53B95211-7D77-11D2-9F80-00104B107C96}

    11. Navigate to the key:

      HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about

    12. In the right pane, restore "CLSID" to its original value.
      The probable original value is:

      "CLSID" = "{53B95211-7D77-11D2-9F80-00104B107C96}"

    3. Restarting the computer in Safe mode
    Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

    4. Scanning for and deleting the files
    1. Start your Symantec antivirus program and run a full system scan.
    2. If any files are detected as Adware.FindemNow, click Delete.
    3. Restart the computer in Normal mode. For instructions, read the document, "How to start the computer in Safe Mode."

    5. Resetting the Internet Explorer settings
    1. Start Internet Explorer.
    2. Click the Tools menu > Internet Options.
    3. On the Programs Tab, click "Reset Web Settings."
    4. In the Reset Web Settings box, make sure that "Also reset my home page" is selected, and then click Yes.

    6. Removing the lines from the Hosts file


    Note: The location of the Hosts file may vary and some computers may not have this file. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and it is located in the C:\WINNT\system32\drivers\etc folder in Windows 2000. There may also be multiple copies of this file in different locations.

    Follow the instructions for your operating system:
    • Windows 98/Me/2000
      1. Click Start, point to Find or Search, and then click Files or Folders.
      2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
      3. In the "Named" or "Search for..." box, type:

        hosts

      4. Click Find Now or Search Now.
      5. For each one that you find, right-click it, and then click "Open With."
      6. Deselect the "Always use this program to open this program" check box.
      7. Scroll through the list of programs and double-click Notepad.
      8. Delete any lines that begin with:

        213.159.117.235
      9. Close Notepad and save your changes when prompted.

    • Windows XP
      1. Click Start, and then click Search.
      2. Click All files and folders.
      3. In the "All or part of the file name" box, type:

        hosts

      4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
      5. Click "More advanced options."
      6. Check "Search system folders."
      7. Check "Search subfolders."
      8. Click Search.
      9. Click Find Now or Search Now.
      10. For each one that you find, right-click it, and then click "Open With."
      11. Deselect the "Always use this program to open this program" check box.
      12. Scroll through the list of programs and double-click Notepad.
      13. Delete any lines that begin with:

        213.159.117.235
      14. Close Notepad and save your changes when prompted.
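
    The hosts-file cleanup in step 6 can also be scripted when several copies of the file have to be checked. The following Python sketch is an added example, not part of the original Symantec instructions. It removes entries whose address field is 213.159.117.235 (including indented ones), reports the host names they redirected, and keeps a .bak copy of each file it changes. The sample host names are constructed.

```python
import ipaddress
import shutil
from pathlib import Path

# Address named in step 6 of the removal instructions.
ADWARE_IP = ipaddress.ip_address("213.159.117.235")

def split_hosts(lines, bad_ip=ADWARE_IP):
    """Return (kept_lines, removed); removed holds (line_no, hostnames) pairs."""
    kept, removed = [], []
    for line_no, line in enumerate(lines, start=1):
        # A hosts entry is "<ip> <name> [alias ...]"; "#" starts a comment.
        fields = line.split("#", 1)[0].split()
        if fields:
            try:
                ip = ipaddress.ip_address(fields[0])
            except ValueError:
                ip = None  # first field is not an address: leave the line alone
            if ip == bad_ip:
                removed.append((line_no, fields[1:]))
                continue
        kept.append(line)
    return kept, removed

def clean_hosts_file(path):
    """Clean one hosts copy in place, saving the original as <name>.bak first."""
    path = Path(path)
    # newline="" keeps CRLF/LF endings untouched; latin-1 round-trips any byte.
    with open(path, encoding="latin-1", newline="") as f:
        kept, removed = split_hosts(f.readlines())
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with open(path, "w", encoding="latin-1", newline="") as f:
            f.writelines(kept)
    return removed

# Constructed sample hosts content (host names are placeholders).
SAMPLE = [
    "# constructed sample hosts file\r\n",
    "127.0.0.1       localhost\r\n",
    "213.159.117.235 search.example.test www.example.test\r\n",
    "  213.159.117.235\tportal.example.test  # indented entry\r\n",
    "213.159.117.23  intranet.example.test\r\n",
    "# 213.159.117.235 commented.example.test\r\n",
]

if __name__ == "__main__":
    for line_no, names in split_hosts(SAMPLE)[1]:
        print(f"line {line_no}: redirected {', '.join(names) or '(no host name)'}")
```

    Comparing the address field as a whole, rather than as a text prefix, leaves an entry such as 213.159.117.23 untouched, and commented-out lines are kept as they are.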

