May 17th, 2004, 11:14 PM
#1
Nyeff.
This is of the link you were given. Although it refers to Norton Antivirus, if you can follow the instructions it will still work for you.
Adware.ZestyFind
Last Updated on: February 17, 2004 12:12:33 PM
Type: Adware
Name: ZestyFind
Publisher: Look2me.com
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
Removal: Medium
Damage: Low
Intelligent Updater Definitions*: February 17, 2004
LiveUpdate™ Definitions**: February 18, 2004
* Intelligent Updater definitions are released daily, but require manual download and installation. Click here to download manually.
** LiveUpdate definitions are usually released every Wednesday. Click here for instructions on using LiveUpdate.
This threat can be detected only by Symantec products that support expanded threats. For more information on expanded threats, please go here.
Behavior
Adware.ZestyFind monitors visited web sites, uploads the information to a server, and then displays pop-up advertisements.
Symptoms
Pop-up ads appear.
Your Symantec program detects Adware.ZestyFind.
C:\WINNT\msg117.dll is inaccessible.
Transmission
This adware component can be manually installed or installed as a component of another program.
File names:
msg117.dll
When the Adware.ZestyFind is executed, it performs the following actions:
Drops a file, %System%\msg117.dll.
--------------------------------------------------------------------------------
Note: %System% is a variable. The adware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
--------------------------------------------------------------------------------
Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
URLs visited are logged, uploaded to www.look2me.com, and then pop-up advertisements are shown.
Replaces any of its registry keys, if they are deleted.
Causes errors when users or antivirus scanners attempt to access it. For example, Norton AntiVirus will show the following error message:
Unable to open the file C:\WINNT\System32\msg117.dll. The file is in use by another application or you don't have permission to open the file
--------------------------------------------------------------------------------
Note: Reports indicate this adware can cause severe system instability on Windows 95/98/Me. It may also cause instability on other operating systems.
--------------------------------------------------------------------------------
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Rename msg117.dll.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Delete the subkeys from the registry.
5. Run a full system scan and delete all the files detected as Adware.ZestyFind.
For specific details on each of these steps, read the following instructions.
1. Rename msg117.dll.
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer.
Press the F8 key while rebooting, then select "Safe mode command prompt only" in Windows 95/98/Me or "Safe Mode with Command Prompt" in Windows NT/2000/XP.
At the command prompt, type:
ren %system%\msg117.dll zesty.nav
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer.
By the way, you are still running HijackThis from a temp file. You need to run it from the directory you copied it to.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
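Added example, not part of the original post or of Symantec's write-up: a small Python check that scans a registry export (.reg text) for the keys listed above and for values that name msg117.dll. The function names and the sample export (including its `DllName` and `InprocServer32` entries) are constructed for illustration.

```python
import re
# Indicators exactly as listed in the write-up above.
ZESTYFIND_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}",
    r"HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}",
]
DROPPED_FILE = "msg117.dll"
HKCR, CLASSES = "hkey_classes_root", r"hkey_local_machine\software\classes"

def normalize(path):
    """Lower-case a registry path and fold HKCR into HKLM\\SOFTWARE\\Classes."""
    path = path.strip().rstrip("\\").lower()
    if path == HKCR or path.startswith(HKCR + "\\"):
        path = CLASSES + path[len(HKCR):]
    return path

def scan_reg_export(text):
    """Return (listed keys present, values that name the dropped DLL)."""
    seen, file_refs, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(-?)(.+)\]", line)
        if header:
            # "[-KEY]" in a .reg file deletes the key: not evidence of presence.
            current = None if header.group(1) else header.group(2)
            if current:
                seen.add(normalize(current))
            continue
        value = re.match(r'(?:"([^"]*)"|@)=(.*)', line)
        if current and value:
            if DROPPED_FILE in value.group(2).lower():
                file_refs.append((current, line))
            if value.group(1) is not None:
                # An indicator listed as a key may be stored as a value name.
                seen.add(normalize(current + "\\" + value.group(1)))
    present = [k for k in ZESTYFIND_KEYS if any(
        s == normalize(k) or s.startswith(normalize(k) + "\\") for s in seen)]
    return present, file_refs

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"DllName"="msg117.dll"
[hkey_classes_root\clsid\{ddffa75a-e81d-4454-89fc-b9fd0631e726}\InprocServer32]
@="C:\\WINNT\\System32\\msg117.dll"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}]
'''
```

Because HKEY_CLASSES_ROOT is a merged view that includes HKLM\SOFTWARE\Classes, a hit on either CLSID path reports both listed keys.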