
"insecure Internet Activity" ...like I'd Buy That...


8 replies to this topic

#1 iacker
  • Members
  • 5 posts

Posted 27 August 2008 - 01:16 AM

Hi All,
A couple weeks ago my machine, which runs Vista, was infected with massive amounts of spyware. Most of it was removed with AVG and Malwarebytes. Because I'm cheap, I have just the free versions. Anyhoo, whenever I browse in Firefox, I get this message:

Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register Antivirus 2008.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended).


I've tried SuperAntiSpyware as well, but it doesn't find anything. I have HijackThis but don't really know how to use it. Can anyone here help?

Thanks,

Isaac

#2 boopme
  • Global Moderator
  • 72,906 posts

Posted 27 August 2008 - 10:46 AM

Hello, please do not perform any actions with HijackThis on your own. If needed you may post the complete log in the Hijack malware removal forum.
You have run MBAM and it did not remove AV 2008? Please post the scan log, thanks.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 iacker
  • Topic Starter
  • Members
  • 5 posts

Posted 27 August 2008 - 11:46 PM

Here's the log that removed the first batch:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 6.0.6001 Service Pack 1

4:29:05 PM 8/20/2008
mbam-log-08-20-2008 (16-29-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 132422
Time elapsed: 1 hour(s), 10 minute(s), 4 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 19
Registry Values Infected: 13
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 26

Memory Processes Infected:
C:\Program Files\AdwareAlert\AdwareAlert.srv.exe (Rogue.AdwareAlert) -> Unloaded process successfully.
C:\Program Files\Antivirus2008y\antvrs.exe (Rogue.Antivirus2008) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Delete on reboot.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\adwarealertsrv (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\adwarealertsrv (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adwarealertsrv (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\programdata\microsoft\windows\start menu\programs\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcvgrj0ec99 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Somefox (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\Helper (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Local\Mozilla\Firefox\Profiles\yuj0dof6.default\Cache\18D98749d01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Local\Mozilla\Firefox\Profiles\yuj0dof6.default\Cache\9E6E5346d01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.srv.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.url (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\DataBase.ref (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\vistaCPtasks.xml (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\NetProject\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\NetProject\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\NetProject\uninst.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus2008y\antvrs.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AdwareAlert\AdwareAlert on the Web.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AdwareAlert\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\Log\2008 Aug 20 - 03_00_01 AM_707.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\Log\2008 Aug 20 - 03_00_02 AM_279.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\Log\2008 Aug 20 - 03_10_57 PM_643.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\Log\2008 Aug 20 - 12_32_52 AM_606.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Roaming\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Windows\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\1809.tmp.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Users\Public\Desktop\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.


And here's the log from a few days later:

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 6.0.6001 Service Pack 1

18:55:23 8/22/2008
mbam-log-08-22-2008 (18-55-23).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 130373
Time elapsed: 1 hour(s), 11 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The problem still exists. Any ideas?
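Turning a long MBAM log like the ones above into a short summary makes the follow-up questions in this thread (which families were found, what was only scheduled for deletion at reboot, which autostart entries the malware had set) quick to answer. The following is an added example, not Malwarebytes' own code and not code posted in the thread; it assumes only the MBAM 1.x text layout visible in the logs above, that is a `<Section> Infected:` header followed by lines of the form `<item> (<threat>) -> <action>.`. The sample input is a constructed excerpt abbreviated from the first log posted.

```python
"""Summarise a Malwarebytes' Anti-Malware (MBAM) 1.x text log.

Added example; not MBAM's code and not from the forum thread.  Assumes the
log layout shown in the thread: a "<Section> Infected:" header line, then
one finding per line as "<item> (<threat name>) -> <action>.".
"""
import re
from collections import Counter

# Constructed sample: an abbreviated excerpt of the first log in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 6.0.6001 Service Pack 1

Memory Processes Infected: 2
Memory Modules Infected: 2

Memory Processes Infected:
C:\Program Files\Antivirus2008y\antvrs.exe (Rogue.Antivirus2008) -> Unloaded process successfully.
C:\Program Files\AdwareAlert\AdwareAlert.srv.exe (Rogue.AdwareAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Delete on reboot.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Somefox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Users\Isaac\AppData\Local\Temp\1809.tmp.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Antivirus2008y\antvrs.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
"""

# A section header is "<words> Infected:" with nothing after the colon;
# the summary-count lines ("... Infected: 19") therefore do not match.
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One finding: item, threat name in parentheses, arrow, action, optional period.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return a list of findings: dicts with section, item, threat, action."""
    section = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip the preamble (no section yet) and "(No malicious items detected)".
        if section is None or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            findings.append({"section": section, **item.groupdict()})
    return findings


def threat_families(findings):
    """Number of findings per threat family, e.g. 'Rogue.Antivirus2008'."""
    return Counter(f["threat"] for f in findings)


def pending_reboot(findings):
    """Items MBAM could not remove immediately; verify they are gone after a restart."""
    return [f["item"] for f in findings if f["action"] == "Delete on reboot"]


def persistence_entries(findings):
    """Autostart (Run key) registry values the malware had set."""
    return [f["item"] for f in findings
            if f["section"] == "Registry Values Infected" and "\\Run\\" in f["item"]]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("Findings by family:")
    for family, count in threat_families(found).most_common():
        print(f"  {count:3d}  {family}")
    print("Still scheduled for deletion at reboot:")
    for item in pending_reboot(found):
        print(f"  {item}")
    print("Autostart entries removed:")
    for item in persistence_entries(found):
        print(f"  {item}")
```

The "Delete on reboot" list is the part worth acting on: those files and modules are still present until the machine restarts, so a second scan taken without rebooting, or a rogue that re-creates its Run value on the next logon, explains a case where the log reports success but the symptoms continue.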

#4 boopme
  • Global Moderator
  • 72,906 posts

Posted 28 August 2008 - 07:42 PM

OK, please update Malwarebytes as it is behind some 20 updates, then rescan and repost the new log. Tell us if it has improved.

#5 iacker
  • Topic Starter
  • Members
  • 5 posts

Posted 30 August 2008 - 12:07 AM

Just finished the scan with MBAM newly updated.

Malwarebytes' Anti-Malware 1.25
Database version: 1096
Windows 6.0.6001 Service Pack 1

23:05:26 8/29/2008
mbam-log-08-29-2008 (23-05-26).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 131500
Time elapsed: 1 hour(s), 8 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 dhants20
  • Members
  • 32 posts

Posted 30 August 2008 - 05:47 AM

There still might be an infection on your system, usually they would be hidden in the system32 folder.

1) start>all programs>accessories>system tools> right click on command prompt then run as administrator
2) now type in cd\windows\system32
3) dir /a:h /o:d > c:\hiddenfiles.txt (this would show all the hidden files in chronological order, we need to arrange it in chronological order so that it would be easier to spot the viruses that infected your system)
4) now post only the files that are on your system a month from now
5) you can also do the same command in windows folder, just make sure to change hiddenfiles.txt to something else
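A scripted version of the listing in the steps above makes the "only the recent ones" filter explicit instead of leaving it to eyeballing the date column. The following is an added example, not code from this thread; it is a cross-platform stand-in for `dir /a:h /o:d` that reads the Windows hidden attribute from `st_file_attributes` where the platform provides it and otherwise (on POSIX, for testing) treats dot-prefixed names as hidden. The `max_age_days` window and the default target directory are this example's own choices.

```python
"""List hidden files in a directory, oldest first, limited to a recent window.

Added example (not from the forum thread): a scripted equivalent of
"dir /a:h /o:d" with a date filter.  Hidden-ness comes from the Windows
file attribute when available; dot-prefixed names count as hidden elsewhere.
"""
import os
import stat
import sys
import time
from datetime import datetime


def is_hidden(entry):
    """True if the DirEntry has the Windows hidden attribute or a dot-prefixed name."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        return True
    return entry.name.startswith(".")


def recent_hidden_files(directory, max_age_days=30, now=None):
    """Return [(name, mtime)] for hidden regular files modified within
    max_age_days, sorted oldest first like `dir /o:d`."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False) or not is_hidden(entry):
                continue
            mtime = entry.stat(follow_symlinks=False).st_mtime
            if mtime >= cutoff:
                found.append((entry.name, mtime))
    found.sort(key=lambda pair: pair[1])
    return found


def format_report(found):
    """One line per file: local timestamp followed by the file name."""
    return "\n".join(f"{datetime.fromtimestamp(m):%Y-%m-%d %H:%M}  {n}" for n, m in found)


if __name__ == "__main__":
    # Default target assumed for this example: the System32 folder named in the thread.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    print(format_report(recent_hidden_files(target)))
```

Run it as an administrator when pointing it at System32, as the original steps say; the output is only a starting point for triage, since a recent modification time alone does not make a file malicious and timestamps can be altered.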

#7 iacker
  • Topic Starter
  • Members
  • 5 posts

Posted 30 August 2008 - 08:42 PM

7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

and

7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

These are two of only three files in that directory, but these are both from 8/30/2008.

#8 iacker
  • Topic Starter
  • Members
  • 5 posts

Posted 01 September 2008 - 08:31 PM

Last night I used System Restore and my computer shows no signs of spyware or viruses. I've reinstalled Firefox and have run a few scans just to make sure, but things look okay. Thanks for all your help.

#9 boopme
  • Global Moderator
  • 72,906 posts

Posted 01 September 2008 - 11:13 PM

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.