Help Needed - Adrotator & Fotomoto Infection


  • This topic is locked
12 replies to this topic

#1 premchandj

  • Members
  • 9 posts

Posted 03 March 2008 - 06:32 PM

My computer is infected with AdRotator & FotoMoto (and Adware.Advertising & Application.TrackingCookies)......i found this by running PC Tools spyware doctor. I keep getting weird behaviour with the system. Can somebody help me to get rid of these spyware/adware. I have HijackThis installed, and can give the log if needed. Thanks in advance for your help.


#2 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 03 March 2008 - 07:37 PM

Hi premchandj and welcome to Bleeping Computer.

You have 2 nice ones there.

Step 1
Download Roguescanfix.
  • Double-click roguescanfix_setup; it installs automatically to C:\Program Files\Roguescanfix.
  • Accept the agreement and click Next.
  • Under additional icons, check "create a desktop icon", click Next, then Install.
  • You will be prompted to launch roguescanfix now. Click "Finish"
  • At the DOS window that opens "Press any key to continue..."
Note: This tool needs internet connection because it downloads an additional file to let the tool work properly. If your firewall gives an alert, allow it instead of blocking it.

In case you still get the message "BFU.exe is not present", download BFU.zip from here.
Unzip it and place BFU.exe inside the Roguescanfix folder. Then double-click Run.bat again.
  • The tool will uninstall some programs and delete related files and registry keys.
  • When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
  • Please make sure the uninstall of the programs is finished before you click Yes to reboot.
  • A text file will open. Place the contents of that file in your next reply. (The text file can also be found at C:\Program Files\Roguescanfix\task.txt)
Step 2
Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy & Paste the entire report in your next reply.


#3 premchandj

  • Topic Starter
  • Members
  • 9 posts

Posted 03 March 2008 - 08:59 PM

Here you go




Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

#4 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 04 March 2008 - 02:33 AM

Hi premchandj

Is that all there is?
Have you checked:
C:\Program Files\Roguescanfix\task.txt for the full report?

Did you run the F-Secure online scan?


#5 premchandj

  • Topic Starter
  • Members
  • 9 posts

Posted 04 March 2008 - 04:40 AM

Here are the contents of C:\Program Files\Roguescanfix\task.txt

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



------------------------------------------------------------------------------
Show Report from F-Secure Online Scanner

Scanning Report
Tuesday, March 04, 2008 00:25:20 - 01:34:09

Computer name: APPLEINSIDE-LX
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 4 malware found
RemoteAdmin.Win32.WinVNC (spyware)

* System

Tracking Cookie (spyware)

* System

Trojan:W32/Agent.EDP (virus)

* System
* C:\PROGRAM FILES\ROGUESCANFIX\SHAREDTASKSREM.EXE

Statistics
Scanned:

* Files: 58807
* System: 5075
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 4
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\SFU\VAR\ADM\UTMPX
* C:\SFU\VAR\ADM\WTMPX

Options
Scanning engines:

* F-Secure USS: 2.20.0
* F-Secure Blacklight: 1.0.64
* F-Secure Hydra: 2.6.7470, 2008-03-04
* F-Secure Pegasus: 1.20.0, 2008-01-25
* F-Secure AVP: 7.0.171, 2008-03-04

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#6 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 04 March 2008 - 05:29 AM

Hi premchandj

Let's try this:
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.

  • Now close SUPERAntiSpyware down.
  • Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, a menu with options should appear. You will need to use the keyboard arrow keys to navigate this menu.
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Then choose your usual account.
  • Restart SUPERAntiSpyware.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 premchandj

  • Topic Starter
  • Members
  • 9 posts

Posted 04 March 2008 - 12:07 PM

Here is the SUPERAntiSpyware Scan Log
===
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2008 at 08:48 AM

Application Version : 4.0.1154

Core Rules Database Version : 3413
Trace Rules Database Version: 1405

Scan type : Complete Scan
Total Scan Time : 00:39:25

Memory items scanned : 269
Memory threats detected : 0
Registry items scanned : 5749
Registry threats detected : 0
File items scanned : 97148
File threats detected : 21

Adware.Tracking Cookie
C:\Documents and Settings\prem\Cookies\prem@doubleclick[1].txt
C:\Documents and Settings\prem\Cookies\prem@adbrite[1].txt
C:\Documents and Settings\prem\Cookies\prem@msnportal.112.2o7[1].txt
C:\Documents and Settings\prem\Cookies\prem@specificclick[1].txt
C:\Documents and Settings\prem\Cookies\prem@ad.yieldmanager[2].txt
C:\Documents and Settings\prem\Cookies\prem@tribalfusion[2].txt
C:\Documents and Settings\prem\Cookies\prem@atdmt[2].txt
C:\Documents and Settings\prem\Cookies\prem@mediaplex[2].txt
C:\Documents and Settings\prem\Cookies\prem@ads.adbrite[3].txt
C:\Documents and Settings\prem\Cookies\prem@ads.joinaxxess[1].txt
C:\Documents and Settings\prem\Cookies\prem@clicksor[1].txt
C:\Documents and Settings\prem\Cookies\prem@incentaclick[1].txt
C:\Documents and Settings\prem\Cookies\prem@ipoint.targetpoint[2].txt
C:\Documents and Settings\prem\Cookies\prem@ipoint.targetpoint[3].txt
C:\Documents and Settings\prem\Cookies\prem@lotsof.smilingtraffic[2].txt
C:\Documents and Settings\prem\Cookies\prem@media6degrees[1].txt
C:\Documents and Settings\prem\Cookies\prem@richmedia.yahoo[2].txt
C:\Documents and Settings\prem\Cookies\prem@sr1.ads2media[2].txt
C:\Documents and Settings\prem\Cookies\prem@tremor.adbureau[1].txt
C:\Documents and Settings\prem\Cookies\prem@videoegg.adbureau[2].txt
C:\Documents and Settings\prem\Cookies\prem@www.qwefind[2].txt

#8 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 04 March 2008 - 01:15 PM

They are only tracking cookies, nothing to worry about.
The scans are looking ok.
How is the computer running? Are you still getting the problems you had before?


#9 premchandj

  • Topic Starter
  • Members
  • 9 posts

Posted 04 March 2008 - 01:42 PM

Things seem ok. A couple of doubts:

At one time, I had deleted the 'sprt_ads.dll' file from the Windows directory, suspecting it to be a spyware DLL. Because of that, every time I log in to my Windows machine, I get a message "Error loading sprt_ads.dll". I am not sure if it is any problem at all.

In Internet Explorer, when I go to Google and search for something, in the results page I get 'Sponsored Links' on the left side and right side of the page. I always remember sponsored links showing up only on the right side of the page. I checked it in Firefox, and for the same results page the sponsored links show up only on the right. Is this the work of the spyware/adware?

Thanks for your help.

#10 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 04 March 2008 - 03:28 PM

Hi premchandj

At one time, I had deleted the 'sprt_ads.dll' file from the Windows directory, suspecting it to be a spyware DLL

You were right to delete this, it is malware. :thumbsup:

I get a message "Error loading sprt_ads.dll". I am not sure if it is any problem at all

Ok, what's happening is that there's still a startup entry trying to run it.
There's a couple of ways we can fix this.
Can you tell me if you have 'Spybot Search & Destroy' on your system?
If you have, we can use the 'startup manager' to clear this for you.
If you don't have the program.... we can do it another way.

In Internet Explorer, when I go to Google and search for something, in the results page I get 'Sponsored Links' on the left side and right side

Got me there.
I've tried IE on XP and Vista this evening and only get the 'Sponsored Links' on the right side.
I've never heard of this before.

Let me know about the Spybot and we'll get rid of that startup for you.


#11 premchandj

  • Topic Starter
  • Members
  • 9 posts

Posted 04 March 2008 - 04:28 PM

Hi,
I looked under my Start --> Programs, and didn't see 'Spybot Search & Destroy'. So I don't believe that I have it installed.
Thanks
- premchandj

#12 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 04 March 2008 - 04:47 PM

Ok, no problem.
It's just that would have been the easiest way of doing it.

Click start ... Run .... and type in msconfig
When the page loads.... click on the startup tab.
Look in the list for anything that looks like this line:
HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart
it may only say...sprt_ads.dll or [spa_start]
When you find it.... untick it.
Then click apply and ok
You will then be asked to restart your pc..... do this.
When the pc starts up again, you may get a 'configuration window' come up.... just click not to show it again and ok.

You should be ok now.

We could also have gotten rid of the startup using Hjt..... but we don't use that in this forum.

If you are still having problems after this, i'd suggest posting a Hjt log and having that looked at.
We can only do so much without looking at a log.
Hope this has helped.

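The "Error loading sprt_ads.dll" message explained in post #10 and the msconfig fix in post #12 both come down to the same condition: a Run entry still launches rundll32 against a DLL that is no longer on disk. The following script is an added example, not code from the thread or from any of the tools mentioned in it; it parses startup lines in the HijackThis-style format Starbuck quotes (assumed from that one line) and flags rundll32 entries whose DLL is missing. The sample lines and the set of "present" files are constructed.

```python
import re

# Constructed sample in the HijackThis-style "O4" startup format quoted in the
# thread; the first line is the orphaned entry left behind after sprt_ads.dll
# was deleted, the others are ordinary entries assumed to be benign.
SAMPLE_STARTUP_LINES = [
    r'HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart',
    r'HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [nwiz] rundll32.exe C:\WINDOWS\system32\nwiz.dll,NvStartup',
]

# Constructed stand-in for the file system: the only paths assumed to exist
# (lower-cased, since Windows paths are case-insensitive).
PRESENT_FILES = {
    r'c:\windows\system32\ctfmon.exe',
    r'c:\windows\system32\nwiz.dll',
}

# hive\..\Run: [value name] command line   (optional "O4 - " prefix)
STARTUP_RE = re.compile(
    r'^(?:O4 - )?(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# rundll32 accepts either  dll,Entry  or  "dll" Entry ; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?(?:\s*,\s*|\s+)(?P<entry>\S+)', re.IGNORECASE)


def parse_startup_line(line):
    """Split one startup line into hive, key, value name and command line and,
    for rundll32 launchers, the DLL path and entry point.
    Returns None when the line is not in the expected format."""
    m = STARTUP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['dll'] = rec['entry'] = None
    rm = RUNDLL_RE.search(rec['cmd'])
    if rm:
        rec['dll'] = rm.group('dll').strip()
        rec['entry'] = rm.group('entry')
    return rec


def find_orphaned_rundll32_entries(lines, present_files):
    """Return (value name, DLL path) for each rundll32 startup entry whose DLL
    no longer exists: the condition behind the "Error loading ...dll" message."""
    orphans = []
    for line in lines:
        rec = parse_startup_line(line)
        if rec and rec['dll'] and rec['dll'].lower() not in present_files:
            orphans.append((rec['name'], rec['dll']))
    return orphans
```

On a real machine the lines would come from a startup listing tool and `present_files` from `os.path.exists`; an entry that is flagged is the one to untick in msconfig, as in post #12.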

#13 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,960 posts
  • Location:Bloomington, IN

Posted 29 March 2008 - 11:19 PM

Hello premchandj,

You posted a fresh topic here: http://www.bleepingcomputer.com/forums/t/136397/dcads-please-help/ concerning your computer infection. In both places, the verdict was to post an HJT log which you have now done here: http://www.bleepingcomputer.com/forums/t/136986/infected-with-dcads-adrotator-and-much-more-please-help/ Because you have posted this log DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is EXTREMELY busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response by, let's say April 7, add a response to the five days no response topic and paste in the link to your thread.

To avoid confusion, I am closing this topic.

Orange Blossom :thumbsup: