BleepingComputer.com: Google Analytics Pop-up browser window

Jump to content

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Google Analytics Pop-up browser window

#1 User is offline   romvich 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 27-October 10

Posted 27 October 2010 - 07:47 PM

Like some of the other posts here I am having what seems to be a malware problem where a new window or tab (depending on the browser) opens with a random or slightly related site while I am browsing the web. I am not having a redirect problem as in some of the other posts. I have been able to access all sites, but I am concerned that this may be a symptom of a greater problem.

I ran TDSSKiller and it did not find anything.

Please let me know which logs to post or if there is a thread that can address this problem.


Thank you

This post has been edited by romvich: 27 October 2010 - 09:33 PM
Reason for edit: Move to AII for initial assistance. ~ OB

#2 User is offline   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 27 October 2010 - 11:52 PM

Hello and welcome, I think we need a couple logs to get some further info.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware


Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 User is offline   romvich 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 27-October 10

Posted 01 November 2010 - 07:45 AM

Hi boopme,

I followed all the instructions, although I could not update Malware Bytes automatically or manually as the link on their website was not working and I kept getting an update error in the program. I also was not able to complete the a full scan in safe mode with SUPER. After 11 hours it wasn't close to being done and I needed my computer. At that point it had found 104 adware cookies.

Then my computer would not even go into safe mode using the F8 method, when I tried it the next day. I eventually completed the scan in normal mode in 2 hours and it found another 17 cookies. After all this, I had the same problem: while browsing in firefox a new window opens with the url address starting either in google.analytics or epoclick. There is usually no content in the window other than a button that says "continue" or "the document has moved here". I never click on anything in the window, just close it.

The logs are below.

Thank you.
**********************************************************************************************************************

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/29/2010 3:00:38 PM
mbam-log-2010-10-29 (15-00-38).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 204805
Time elapsed: 1 hour(s), 1 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.

**********************************************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/01/2010 at 03:23 AM

Application Version : 4.45.1000

Core Rules Database Version : 5782
Trace Rules Database Version: 3594

Scan type : Complete Scan
Total Scan Time : 02:13:19

Memory items scanned : 425
Memory threats detected : 0
Registry items scanned : 6655
Registry threats detected : 0
File items scanned : 86568
File threats detected : 17

Adware.Tracking Cookie
media.mtvnservices.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
.partypoker.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.partypoker.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.partypoker.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.epoclick.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.mtvn.112.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.epoclick.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
statse.webtrendslive.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.farecastcom.122.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.dmtracker.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.epoclick.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
**********************************************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/31/2010 at 09:15 AM

Application Version : 4.45.1000

Core Rules Database Version : 5782
Trace Rules Database Version: 3594

Scan type : Complete Scan
Total Scan Time : 11:11:05

Memory items scanned : 227
Memory threats detected : 0
Registry items scanned : 6643
Registry threats detected : 0
File items scanned : 75332
File threats detected : 104

Adware.Tracking Cookie
a.ads2.msads.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
accounts.key.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
adsatt.espn.go.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
b.ads2.msads.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
bannerfarm.ace.advertising.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
cdn4.specificclick.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
core.insightexpressai.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
ec.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
googleads.g.doubleclick.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
ia.media-imdb.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
imagec05.247realmedia.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
interclick.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
lisasparxxx.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
m1.2mdn.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
macromedia.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
media.intrawest.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
media.kyte.tv [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
media.mtvnservices.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
media.noob.us [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
media.resulthost.org [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
media.scanscout.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
media1.break.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
msnbcmedia.msn.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
objects.tremormedia.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
s0.2mdn.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
spe.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
static.2mdn.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
udn.specificclick.net [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
www.crackle.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
.casalemedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.casalemedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.casalemedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.casalemedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.casalemedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.doubleclick.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
stat.onestat.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
stat.onestat.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.andomedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.casalemedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.casalemedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.myroitracking.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.clicksor.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.clicksor.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.clicksor.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.clicksor.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.clicksor.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.bs.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.adxpansion.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.sextube.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
statse.webtrendslive.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.statcounter.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
in.getclicky.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.partypoker.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.partypoker.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.dmtracker.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
pluckit.demandmedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.xiti.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.mtvn.112.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
accounts.key.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.futureaccountant.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.futureaccountant.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.futureaccountant.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.futureaccountant.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lstat.youku.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lstat.youku.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.epoclick.com [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
bridge2.admarketplace.net [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.admarketplace.net [ C:\Documents and Settings\Roman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]

This post has been edited by romvich: 01 November 2010 - 07:47 AM

#4 User is offline   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 01 November 2010 - 11:24 AM

Hello, remove (*.google-analytics.com) from your Restricted Sites list (Security tab of Internet Options)


Internet Explorer 6.X
1.Open Internet Explorer.
2.Select Internet Options from the Tools menu.
3.In Internet Options dialog box select the Security tab.
4.Click Custom level button at bottom. The Security settings dialog box will pop up.
5.Under Scripting category enable Active Scripting, Allow paste options via script and Scripting of Java applets
6.Click OK twice to close out.
7.Hit Refresh.

You will need to eventually upgade to IE 7 then 8 as you are exposed to security risks in 6.

Try to Update and run MBAM again. Did you get an error number??
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine..

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 User is offline   romvich 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 27-October 10

Posted 06 November 2010 - 10:53 AM

Hi,

Yes I noticed that MBAM says that I am running IE 6. I don't use it but I do have IE installed. I followed your instructions related to IE, but did not find any sites listed under "restricted." Could you please explain the rationale behind enabling scripts and remove sites from the restricted list.

I also noticed that IE was not in the add/remove programs list. According to my internet research this is because I have SP2 installed and I need to uninstall that to be able to uninstall IE6. Is that something I should do?

I had an add-on for Firefox called IEviewlite, which I have deleted after your last post. I updated firefox and removed all exceptions from the security settings in Firefox.

I did finally get the update for MBAM and it seems like it was being blocked on my computer. I had to email it to myself from a different computer.

I reran MBAM which found no new threats after the update (both in quick scan and in complete scan). I then reran ASF and SUPER in Safe Mode. SUPER found another 26 ad tracking cookies and deleted them (after a 14 hour scan).

I also noticed that my firewall (COMODO) has been blocking itself recently. cfpupdat.exe and cmdgent.exe are the two updater files for it and it blocks them when they want access to the internet. I don't know if this is related.

I still have the problem: randomly opening windows with urls beginning either with "epoclick" of "google.analytics". The logs are below.

Thank you again for your help.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5009

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11/5/2010 12:43:51 PM
mbam-log-2010-11-05 (12-43-51).txt

Scan type: Quick scan
Objects scanned: 140377
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/06/2010 at 05:55 AM

Application Version : 4.45.1000

Core Rules Database Version : 5782
Trace Rules Database Version: 3594

Scan type : Complete Scan
Total Scan Time : 16:41:59

Memory items scanned : 229
Memory threats detected : 0
Registry items scanned : 6643
Registry threats detected : 0
File items scanned : 80768
File threats detected : 26

Adware.Tracking Cookie
media.mtvnservices.com [ C:\Documents and Settings\Roman\Application Data\Macromedia\Flash Player\#SharedObjects\KCXQ4JL2 ]
.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
stat.onestat.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
stat.onestat.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.andomedia.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.statcounter.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
clicks.fastlookupdirectory.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.mtvn.112.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.hitbox.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.ehg-cygnusbm.hitbox.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.ehg-cygnusbm.hitbox.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.hitbox.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.countrycodes.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.countrycodes.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.clickability.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.clickability.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
.112.2o7.net [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]
www.epoclick.com [ C:\Documents and Settings\Roman\Application Data\Mozilla\Firefox\Profiles\z7ity5xh.default\cookies.sqlite ]

#6 User is offline   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 06 November 2010 - 06:15 PM

Your HOSTS file may be infected. So let's replace it, reboot in Safe Mode with Networking.
Click on Start then Run and type: %windir%\system32\drivers\etc\
Delete the following file: C:\WINDOWS\system32\drivers\etc\hosts

While in safe mode, launch MBAM and try to update the definition database. DO NOT scan yet. Reboot normally, then perform a new Quick Scan and check all items found for removal. You must reboot normally after the scan to remove the malware.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



We will install SP3 etc... after your clean.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#7 User is offline   Lars69camaro 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 31-October 10

Posted 07 November 2010 - 05:34 PM

Rom
Are you using a wireless unsecured router?

#8 User is offline   Lars69camaro 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 31-October 10

Posted 07 November 2010 - 05:41 PM

Had the same thing on 2 of my systems
Went through ALL I mean ALL the Mbam, Combofix,Root Virus tools and found some stuff but never fixed it.
Investigated my router settings and found the problem.
See my post
http://www.bleepingcomputer.com/forums/topic356785.html/page__p__2003929__hl__epoclick__fromsearch__1#entry2003929

#9 User is offline   romvich 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 27-October 10

Posted 07 November 2010 - 07:19 PM

Thanks Lars. I'll try it.

r

#10 User is offline   romvich 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 27-October 10

Posted 10 December 2010 - 07:06 PM

The problem was in fact the router, as these symptoms do not appear when I use other networks. Please close this topic.

Thank you for your help boop.

R

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users